[mrtg] Re: mrtg of Cisco routers via Internet fails
Michael Markstaller
mm at elabnet.de
Tue May 11 15:34:55 MEST 2004
> -----Original Message-----
> From: mrtg-bounce at list.ee.ethz.ch
> [mailto:mrtg-bounce at list.ee.ethz.ch] On Behalf Of Radick, Don (IHG)
> Sent: Tuesday, May 11, 2004 2:45 PM
> To: mrtg at list.ee.ethz.ch
> Subject: [mrtg] Re: mrtg of Cisco routers via Internet fails
>
> don't do this.
> SNMP V1 (which is what MRTG / Perl uses) is insecure -
> if you can run SNMP (v1) to your Internet routers, then
> anyone else can also, and Cisco SNMP has vulnerabilities. (A
> cracker can get control of your router pretty easily)
All these vulnerabilities are fixed in current versions.
SNMPv1/2c to a Cisco isn't *that* bad when having a secure surrounding setup, following some practices: input ACLs only allowing management IPs to the router, and ACLs for SNMP itself, make it quite secure.
Further improvements are defining views with only the relevant trees to monitor in.
What I actually do, in addition to the above, is run SNMP only through IPsec to a loopback wherever possible, but this requires a crypto image.. At least I wasn't affected by any of the SNMP exploits in the last few years because they never got through to the router.
> ADVICE: you MUST run SNMP v3 for security, but MRTG / Perl
> does not support this:
SNMPv3 is definitely nicer, yes. But apart from the Cisco boxes and some Linux implementations it's widely unsupported or at least doesn't work. That's not mrtg/perl specific..
The few other devices claiming SNMPv3 support --- just try it..
> From: tom.voussure at sita.be [mailto:tom.voussure at sita.be]
Now regarding the initial problem ;)
Post your Cisco config (without community strings & real IPs), then I might see what's the cause.
Another thing: are you using a special interface (loopback etc.) for SNMP?
There are some recent IOS around 12.3T/X with a bug ignoring the configured source-interface..
Michael
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
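The hardening practices Michael lists above (interface input ACL restricting SNMP to management hosts, an ACL on the SNMP community itself, a view limited to the trees MRTG needs, and a loopback as the polled address), written out as an IOS configuration fragment. This is an added example, not a config from the thread or from any of the posters; all addresses, the community string, the ACL and view names and the interface names are constructed placeholders, and the MIB object names used in the view (`system`, `interfaces`, `ifMIB`) are assumed to be accepted by the IOS release in use. The IPsec tunnel to the loopback that Michael mentions is not shown.

```cisco
! Added example (not from the thread). Constructed placeholders:
!   192.0.2.10      - the MRTG host (management station)
!   203.0.113.1     - Loopback0, the address MRTG polls
!   Serial0/0       - the Internet-facing interface
!   MrtgR0-ChangeMe - read-only community string
!
! Weak setting this replaces: an unrestricted v1/v2c community.
no snmp-server community public
!
! 1. Interface input ACL: only the management host may reach
!    SNMP (UDP/161), and only on the loopback address.
ip access-list extended INTERNET-IN
 permit udp host 192.0.2.10 host 203.0.113.1 eq snmp
 deny   udp any any eq snmp log
 ! remaining Internet-facing policy goes here; the implicit
 ! deny at the end drops everything not explicitly permitted
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
interface Serial0/0
 description Internet uplink
 ip access-group INTERNET-IN in
!
! 2. ACL for SNMP itself: the community only answers this host,
!    even if a packet gets past the interface ACL. Denied
!    attempts are logged, which is the detection hook.
access-list 10 remark SNMP pollers
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
! 3. View with only the trees MRTG needs (system group and the
!    interface counter tables, including the 64-bit ifXTable
!    counters under ifMIB), so the community cannot read the
!    rest of the MIB.
snmp-server view MRTG-VIEW system included
snmp-server view MRTG-VIEW interfaces included
snmp-server view MRTG-VIEW ifMIB included
!
! Read-only community bound to both the view and the ACL.
snmp-server community MrtgR0-ChangeMe view MRTG-VIEW RO 10
!
! 4. Traps sourced from the loopback too, so the management
!    host sees one stable address for this router.
snmp-server trap-source Loopback0
```

With this in place MRTG polls the loopback, e.g. a target of the form `1:MrtgR0-ChangeMe@203.0.113.1`, and any poll from another source address is dropped at the interface ACL (and logged by the community ACL if it ever gets that far). Check the result from a host outside the management range with `snmpwalk` against the loopback: it should time out, and `show access-lists` on the router should show the deny counters increasing.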