
Re: [nv-l] Secure shell (ssh) for traps

To: "Qureshi, Fawad" <Fawad.Qureshi@ssa.gov>
Subject: Re: [nv-l] Secure shell (ssh) for traps
From: John Bruer <ad572@yahoo.com>
Date: 03 Jul 2003 14:41:16 -0500
Cc: nv-l@lists.tivoli.com
Delivered-to: mailing list nv-l@lists.tivoli.com
Delivery-date: Thu, 03 Jul 2003 20:34:26 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <A50FB3411F6ED4118A1E4000501FFCD20A50C73C@s1ffcd2.ba.ssa.gov>
List-help: <mailto:nv-l-help@lists.tivoli.com>
List-post: <mailto:nv-l@lists.tivoli.com>
List-subscribe: <mailto:nv-l-subscribe@lists.tivoli.com>
List-unsubscribe: <mailto:nv-l-unsubscribe@lists.tivoli.com>
Mailing-list: contact nv-l-help@lists.tivoli.com; run by ezmlm
References: <A50FB3411F6ED4118A1E4000501FFCD20A50C73C@s1ffcd2.ba.ssa.gov>
Reply-to: nv-l@lists.tivoli.com
User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.6
"Qureshi, Fawad" <Fawad.Qureshi@ssa.gov> writes:

> Netview 7.1.3 on AIX 4.3.3
> 
> Hi,
> 
> We would like to create a ssh between the Netview server and some
> Netscreen devices to enable secure reception of traps etc.

Hi Fawad, 

Security note: just because you use SSH in one link of an entire path,
your trap reception doesn't become secure.  There's nothing keeping an
attacker from injecting traps with spoofed IP addresses into your SSH
starting point.  Somewhere you need to have an open SNMP trap port
that accepts all traps, and at best you could use tcpwrappers on that
box to lock it down to specific IP addresses, but there's nothing
keeping an attacker from spoofing the IP and SNMP datagrams with
forged IP addresses to pass that filter. 

However, your goals may be humbler (such as encapsulating trap traffic
in a tunnel that pesky firewalls will let you send 'em through to a
specific host on the other side, such as NetView). 


> We could do that for TCP port 161, but cannot do this for UDP. Any
> way around this? Is it possible to configure transporting traps over
> TCP rather than UDP?

I don't know, but an SNMP trap proxy of some sort might be able to
convert the transport protocol for you; perhaps look into net-snmp (a
freeware package that can do trap proxying among many other things).
Perhaps it can be used to proxy UDP traps to TCP; then your ssh tunnel
would be a way to get from A to B (albeit with questionable security). 

However, if secure, authenticated trap reception is actually your
goal, SNMPv3 is where you'd need to go, and NetView can't get you
there (currently anyway).


-- 
jb

---------------------------------------------------------------------
To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

*NOTE*
This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)
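The transport conversion speculated about in the reply above (UDP traps carried over a single TCP connection, which an ssh -L port forward can then tunnel) is a small relay. What follows is an added example written for this archive page; it is not NetView, net-snmp or list-member code. It assumes loopback-only listeners on both ends, OS-assigned ports for the demo, and a hand-built minimal SNMPv1 trap as constructed sample input. The optional source-IP filter in the sending half is the tcpwrappers-style check the reply describes: it drops unwanted sources, but a forged source address passes it, so it is not authentication.

```python
"""UDP-to-TCP-to-UDP relay for SNMP traps (added example, not NetView or
net-snmp code). Each trap datagram is wrapped in a 2-byte length-prefixed
frame on the TCP leg so datagram boundaries survive the byte stream; the
receiving half unwraps it and re-emits a UDP datagram to the trap daemon
(UDP/162 on NetView in the thread; a throwaway loopback port here)."""
import socket
import struct
import threading

LEN = struct.Struct("!H")  # 16-bit big-endian length prefix per datagram

# Constructed sample: a hand-built minimal SNMPv1 Trap-PDU (community
# "public", enterprise 1.3.6.1.4.1, agent 10.0.0.1, empty varbind list).
# The relay never parses it; it only makes the demo carry realistic bytes.
SAMPLE_TRAP = bytes.fromhex(
    "3025"              # SEQUENCE, 37 bytes
    "020100"            # version INTEGER 0 (SNMPv1)
    "04067075626c6963"  # community OCTET STRING "public"
    "a418"              # Trap-PDU [4], 24 bytes
    "06052b06010401"    # enterprise OID 1.3.6.1.4.1
    "40040a000001"      # agent-addr IpAddress 10.0.0.1
    "020106"            # generic-trap 6 (enterpriseSpecific)
    "020101"            # specific-trap 1
    "430100"            # time-stamp TimeTicks 0
    "3000"              # empty VarBindList
)


def frame(datagram):
    """Prefix one datagram with its length so it can ride a TCP stream."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for 16-bit length prefix")
    return LEN.pack(len(datagram)) + datagram


def recv_exact(conn, n):
    """Read exactly n bytes, or None if the peer closed first."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def unframe(conn):
    hdr = recv_exact(conn, LEN.size)
    return None if hdr is None else recv_exact(conn, LEN.unpack(hdr)[0])


def udp_to_tcp(udp_sock, tcp_addr, count, allowed=None, out=None):
    """Device side: read `count` datagrams from udp_sock and push each, framed,
    down one TCP connection to tcp_addr (the local end of the ssh tunnel).
    `allowed` is an optional set of permitted source IPs: the spoofable,
    tcpwrappers-style filter from the reply, kept here to show its limit."""
    tcp = socket.create_connection(tcp_addr)
    forwarded = 0
    for _ in range(count):
        data, (src, _port) = udp_sock.recvfrom(65535)
        if allowed is not None and src not in allowed:
            continue  # a forged source in `allowed` would still get through
        tcp.sendall(frame(data))
        forwarded += 1
    tcp.close()
    if out is not None:
        out.append(forwarded)
    return forwarded


def tcp_to_udp(listener, dest_addr, out=None):
    """NetView side: accept one connection on listener (bound to 127.0.0.1 so
    only sshd's forward can reach it), unframe each trap and re-emit it as a
    UDP datagram to dest_addr until the peer closes."""
    conn, _ = listener.accept()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delivered = 0
    while True:
        pdu = unframe(conn)
        if pdu is None:
            break
        udp.sendto(pdu, dest_addr)
        delivered += 1
    conn.close()
    udp.close()
    if out is not None:
        out.append(delivered)
    return delivered


def relay_demo(traps, allowed=None):
    """Run both halves on loopback with OS-assigned ports and return the
    datagrams that reach the stand-in trap daemon socket, in order."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # "snmptrapd"
    sink.bind(("127.0.0.1", 0))
    sink.settimeout(5)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # stands in for the ssh-forwarded port
    listener.listen(1)
    udp_in = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_in.bind(("127.0.0.1", 0))     # stands in for UDP/162 device side
    sent = []
    rx = threading.Thread(target=tcp_to_udp, args=(listener, sink.getsockname()))
    tx = threading.Thread(target=udp_to_tcp,
                          args=(udp_in, listener.getsockname(), len(traps), allowed, sent))
    rx.start()
    tx.start()
    device = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # the trap source
    for trap in traps:
        device.sendto(trap, udp_in.getsockname())
    tx.join()
    rx.join()
    received = [sink.recv(65535) for _ in range(sent[0])]
    for s in (sink, listener, udp_in, device):
        s.close()
    return received


if __name__ == "__main__":
    got = relay_demo([SAMPLE_TRAP, b"\x30\x00"])
    print([len(g) for g in got], "bytes per relayed trap")
```

Deployed for real, `udp_to_tcp` would listen on UDP/162 next to the devices and connect to the local end of `ssh -L`, while `tcp_to_udp` would listen on 127.0.0.1 on the NetView host and hand each trap to the trap daemon on UDP/162. Note what the loopback binding and the `allowed` filter do and do not buy you: the TCP leg is confined to the tunnel, but anything that can reach the UDP/162 listener on the device side, with whatever source address it chooses, still gets relayed, which is exactly the caveat in the reply.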



Archive operated by Skills 1st Ltd
