NRPE/NSCA replacement thoughts?

Kevin Keane subscription at kkeane.com
Fri Feb 19 12:17:11 CET 2010


> -----Original Message-----
> From: Michael Schwartzkopff [mailto:misch at multinet.de]
> Sent: Friday, February 19, 2010 2:28 AM
> To: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] NRPE/NSCA replacement thoughts?
> 
> Am Freitag, 19. Februar 2010 11:19:30 schrieb Flyinvap:
> > Hi,
> >
> > Le Fri, 19 Feb 2010 09:07:44 +0100,
> >
> > Michael Schwartzkopff <misch at multinet.de> a écrit :
> > > > Should a new protocol be "flat text based" or structured?
> > >
> > > No need for a new protocol.
> >
> > It's possible to replace NRPE by SNMPv1/2 or v3 or SSH. NSCA could
> > maybe be replaced by SNMP informs?
> 
> Yes.

Once you dig into the details, you'll find the devil... I don't think SNMP is a good choice; in fact, I think it would be a step backwards from the current protocol. I actually chose NSCA over SNMP in my own configuration because SNMP had too many issues.

SNMP actually is great for what it was designed for, but that is a very different purpose.

Among the issues I can think of:

- You can't run SNMP over the public Internet. That's a killer in my mind.
- SNMP is insecure. CERT recommends disabling SNMP whenever possible because of the many security issues. And the list of vulnerabilities in SNMP is scary.
- No security to speak of in SNMPv1 and v2 (other than the plain text "community string" which is almost always "private").
- SNMP is UDP (although you can make it work over TCP). UDP is bad, very bad, for Nagios' purposes. It makes firewall issues extra tough to deal with. You can't send it through SSH tunnels, you can't wrap it in HTTP requests, you pretty much can't do anything with it except route it.
- UDP is more prone to IP spoofing and DOS attacks than TCP.
- Who is going to assign/manage the OIDs?
- No SNMPv3 on Windows (unless you spend a considerable amount of time installing and configuring net-snmp).

> > > > Would webservices be the best way?
> >
> > It could be, but what about performance? NRPE is very fast but not
> > secure [1], SNMP v1 is slower and insecure. SNMP v3 or SSH are secure
> > but take some resources.
> 
> - SNMPv1 is quite secure if you use ACLs.

ACLs are proprietary Cisco extensions.

> - SNMPv3 should not be any problem for any recent hardware.

SNMPv3 is not universally supported. The biggest issue is that Microsoft doesn't support it (they are pushing their own protocol, MoM, instead). You can replace Microsoft's SNMP with net-snmp or others, but that defeats the "supported out of the box" idea. If I have to install something, I'd rather install a traditional NRPE or NSCA client.

> > I made some tests with those 4 protocols. Checking whether a process is
> > running takes on average:
> >  -  27 ms with nrpe (with ssl)
> >  -  62 ms with snmp v1
> >  - 107 ms with snmp v3 (SHA for authentication and AES for privacy)
> >  - 113 ms with SSHv2 (authentication by certificate)

Seems to me that NRPE beats SNMP to begin with?

