Using SNMP as an alternative to NRPE

Tobias Klausmann klausman at schwarzvogel.de
Thu Jul 13 11:42:19 CEST 2006


Hi! 

On Thu, 13 Jul 2006, Thomas Sluyter wrote:
> Why is it that we insist on using NRPE for this? Of course it's very  
> practical that there's such a thing as the NRPE daemon and the  
> check_nrpe command. It does indeed make things easier for a lot of  
> people who lack deep technical insight.

Yet it's a step away from the KISS principle.

> But what is to keep the expert users from using the SNMP daemon for  
> this practice?

SNMP *can* be a security nightmare. Problem is that the protocol
allows *writing* to the machine, i.e. config changes. The danger
in an unsecured NRPE is much lower: it's less complex to
configure and if we assume both the SNMPd and NRPE have no
security problems in their code, a slightly wrong config can
allow an attacker to compromise an SNMP machine. That's nigh
impossible on an NRPE machine. Also, NRPE config is much less
complex than that of an SNMPd.

> There's a bunch of factors that have pushed us away from NRPE and  
> towards SNMP:
> * The SNMP daemon is installed by default on all of our systems.  
> AFAIK it's also part of the default install of just about every OS  
> installation (with the possible exception of Windows).

It isn't installed on *any* of the >1k machines I herd. Not by
active choice. It simply isn't installed because we don't need
it. It's not part of the default install of the Distros and OSs
we use.

> * We are currently already using the SNMP daemon to gather  
> performance info for MRTG and we will be using the SNMP daemon to  
> send traps to Nagios.

That is an entirely different story. I can understand that people
use SNMPds on host machines because SNMP is the way to go for
Ciscos or other network equipment. But we're quite happy with the
way NRPE and NagiosGrapher work together with RRDTool.

Our network guys (who run a nationwide backbone and thus have
their own monitoring solution) use SNMP for their stuff. 

> * Not using NRPE means one less configuration file to maintain, one  
> less port to open up in firewalls and one less binary to patch and  
> upgrade.

Not for us: SNMP isn't an "it's there anyway" resource. Hence, we
opted for the smaller, less complex solution, NRPE.

> Do any of you know of any practical objections to using SNMP as a  
> substitute for NRPE? It might be that we're missing something here,  
> but to us it looks like a very good choice.

Complexity. Both in daemon code and configuration. And that the
SNMP protocol spec allows for writing to a host.

Regards,
Tobias

-- 
You don't need eyes to see, you need vision.
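
The write-access concern raised in the message above, as an added example that is not part of the original post: a small Python audit that flags configuration directives granting SNMP SET access or unrestricted read access. It assumes Net-SNMP `snmpd.conf` syntax (the post names no specific daemon); the sample configuration and the severity labels are constructed for illustration.

```python
import shlex

# Constructed sample, not from any real host. Assumes Net-SNMP snmpd.conf syntax.
SAMPLE_CONF = '''\
# monitoring host may read
rocommunity  nagiosro  192.0.2.10
rocommunity  public
rwcommunity  private
rwuser       admin  priv
access  MonGroup  ""  any  noauth  exact  all  none  none
access  OpsGroup  ""  any  noauth  exact  all  all   none
'''

WRITE = {"rwcommunity", "rwcommunity6", "rwuser"}
READ_COMMUNITY = {"rocommunity", "rocommunity6"}

def unrestricted(tokens):
    """True when a community directive has no SOURCE or the catch-all 'default'."""
    return len(tokens) < 3 or tokens[2] == "default"

def audit(conf_text):
    """Return (line number, severity, reason) for each risky directive."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments, keeps "" tokens
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in WRITE:
            if name != "rwuser" and unrestricted(tokens):
                findings.append((num, "HIGH", f"{name}: SET allowed from any source"))
            else:
                findings.append((num, "MEDIUM", f"{name}: SET access enabled"))
        elif name in READ_COMMUNITY and unrestricted(tokens):
            findings.append((num, "LOW", f"{name}: readable from any source"))
        # access NAME CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY -> WRITE is token 7
        elif name == "access" and len(tokens) >= 9 and tokens[7].lower() != "none":
            findings.append((num, "MEDIUM",
                             f"access: group {tokens[1]} has write view {tokens[7]}"))
    return findings

if __name__ == "__main__":
    for num, severity, reason in audit(SAMPLE_CONF):
        print(f"line {num}: {severity:6} {reason}")
```

A configuration used only for monitoring should produce no HIGH or MEDIUM findings, since polling needs read access only.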

