SNMP agents versus Nagios agents
Thornton Prime
thornton at yoyoweb.com
Fri Dec 12 07:24:30 CET 2003

> 1) SNMP v1 and v2 have several known security issues (clear text
> community strings, buffer overflow, patches etc)

I'd argue that the history of SNMP vulnerabilities is no worse than
Sendmail, Bind, or even Apache. The risks of clear text community
strings can be managed with ACLs or firewalls, and SNMP v3 has USM with
stronger authentication and encryption methods.

The real problem with SNMP has historically been under-configuration and
under-administration. Devices have shipped with obvious default read and
write community strings or with other security vulnerabilities, and
administrators haven't bothered to patch and/or configure their SNMP
securely.

> 2) Object IDs can reindex when a server reboots, resulting in having to
> reconfigure Nagios (which also happens when new devices are added)

This will normally only happen within the context of an SNMP table, and
the tables are designed to make it easy to find a piece of information
even when a row has been added, removed or re-ordered because the system
has been reconfigured. For example, hrStorageTable is no harder or
easier to parse than the output of "df", and you run the same level of
risk from re-ordering if you added or removed volumes, or changed your
mount order. ifTable is much easier to parse than the output of ifconfig.

thornton
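
Added example, not part of the original message: a check that locates an hrStorageTable row by its hrStorageDescr value instead of a fixed row index, so it keeps reporting on the right volume after the table is re-indexed. The walk text is constructed sample data in Net-SNMP's textual output style, and the function names are hypothetical.

```python
import re

# Constructed sample: hrStorageTable walk before a reboot.
WALK_BEFORE = """\
HOST-RESOURCES-MIB::hrStorageDescr.4 = STRING: /
HOST-RESOURCES-MIB::hrStorageDescr.5 = STRING: /var
HOST-RESOURCES-MIB::hrStorageSize.4 = INTEGER: 1000000
HOST-RESOURCES-MIB::hrStorageSize.5 = INTEGER: 500000
HOST-RESOURCES-MIB::hrStorageUsed.4 = INTEGER: 250000
HOST-RESOURCES-MIB::hrStorageUsed.5 = INTEGER: 450000
"""
# Constructed sample: same volumes after re-indexing (/var 5 -> 7, / 4 -> 5).
WALK_AFTER = WALK_BEFORE.replace(".5 =", ".7 =").replace(".4 =", ".5 =")

LINE = re.compile(r"^HOST-RESOURCES-MIB::(hrStorage\w+)\.(\d+) = \w+: (.*)$")

def parse_table(walk):
    """Return {row_index: {column: value}} for a walk of hrStorageTable."""
    rows = {}
    for line in walk.splitlines():
        m = LINE.match(line.strip())
        if m:
            column, index, value = m.groups()
            rows.setdefault(int(index), {})[column] = value
    return rows

def percent_used(walk, descr):
    """Select the row by hrStorageDescr, never by index; return usage in %."""
    matches = [row for row in parse_table(walk).values()
               if row.get("hrStorageDescr") == descr]
    if len(matches) != 1:
        raise LookupError(f"{descr!r}: expected 1 row, found {len(matches)}")
    size = int(matches[0]["hrStorageSize"])
    used = int(matches[0]["hrStorageUsed"])
    if size == 0:
        raise ValueError(f"{descr!r}: hrStorageSize is 0")
    return 100.0 * used / size

def check(walk, descr, warn=80.0, crit=90.0):
    """Nagios-style result: (0 OK | 1 WARNING | 2 CRITICAL | 3 UNKNOWN, text)."""
    try:
        pct = percent_used(walk, descr)
    except (LookupError, KeyError, ValueError) as exc:
        return 3, f"UNKNOWN - {exc}"
    code = 2 if pct >= crit else 1 if pct >= warn else 0
    state = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{state} - {descr} {pct:.1f}% used"
```

A check pinned to index 5 would report on /var before the reboot and on / afterwards without any error; the lookup by description returns the same result for both walks and goes UNKNOWN if the volume disappears.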