Monitor Checkpoint VPN links

Roy S. Rapoport nagios-users at ols.inorganic.org
Thu Jul 10 01:02:48 CEST 2003


On Wed, Jul 09, 2003 at 06:21:50PM -0400, Rob Nelson wrote:
> It's always an ugly hack, but one can do just about anything with "expect". 
> I'd suggest using ssh keys tho, rather than putting your ssh password in 
> cleartext in the scriptfile.

As a security person, this makes me shudder.

Remember, this is your firewall.  

I won't tell you how to manage your security devices, but the concept of
allowing automated, non-passworded (or passphrased) access to a firewall
scares the bejesus out of me.  I would argue, with respect to the
requester's experience and knowledge, that it's a Bad Idea.

If you *are* going to do that, for God's sake, make sure that the SSH key
is only authorized for the very minimal actions that you need to monitor
the system -- in other words, you shouldn't just SSH and run some commands
-- you should 'ssh user@fw <command>' and make sure that the SSH key ONLY
allows you to run <command>.

-roy
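
An added example, not part of the original message: one way to restrict a monitoring key to a single command is an OpenSSH forced command, where the client's request only selects from a fixed allow-list and is never executed itself. The script name `monitor-gate`, the `vpn-status` request and all paths are hypothetical, and the key in the comment is a placeholder.

```shell
#!/bin/sh
# Forced-command gate for a monitoring-only SSH key (added example).
# On the firewall, bind the key to this script in authorized_keys
# (key material, names and paths below are placeholders):
#   command="/usr/local/sbin/monitor-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...placeholder nagios@monitor
# sshd then runs this script for every login with that key and passes
# whatever the client asked for in SSH_ORIGINAL_COMMAND.

# Hypothetical directory; should be root-owned and not writable by the login user.
CHECK_DIR=/usr/local/libexec/monitor-checks

# Map a client request to the one fixed program it may run.
# Prints the program path and returns 0, or prints nothing and returns 1.
# The case patterns match the whole string, so "vpn-status; id" is rejected.
resolve_request() {
    case "$1" in
        vpn-status) printf '%s\n' "$CHECK_DIR/vpn_status" ;;
        *)          return 1 ;;
    esac
}

gate_main() {
    request=${SSH_ORIGINAL_COMMAND:-}
    if target=$(resolve_request "$request"); then
        # Run the fixed program with no client-supplied arguments.
        exec "$target"
    fi
    # Rejections are worth alerting on: this key should never ask for anything else.
    logger -p auth.warning -t monitor-gate \
        "rejected request from ${SSH_CONNECTION%% *}: $request"
    echo "request not permitted" >&2
    exit 1
}

# Only act as the gate when installed under its own name (assumption of this example).
case "${0##*/}" in
    monitor-gate) gate_main ;;
esac
```

The monitoring host then runs `ssh user@fw vpn-status`; an interactive login or any other command string with that key is logged and refused.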

