topic Re: snmp & ntp in Network Security

snmp & ntp

adamgibs7 — Fri, 21 Feb 2020 15:26:51 GMT

Dears,

I Have 3 question here please answer

I have a perimeter firewall which is connecting to the internet ,DR and extranets, I have a switches in DR & some switches kept in other company premises (extranets) which are routing through firewall is it preferable to configure snmp on these switches and get the snmp traffic to my internal LAN.

what is best practice to configure NTP on a perimeter firewall at present it is connected to core and core is acting as a NTP server.

what security precautions has to be taken for the external switches which are connecting to ISP, extranets and many other neighbor building for the connectivity to our internal LAN.

Thanks

Re: snmp & ntp

mvsheik123 — Tue, 27 Feb 2018 00:22:03 GMT

Hi,

Here are few things...

1.preferable to configure snmp on these switches: If possible move SNMP server to DMZ and configure/allow SNMPv3 and from specific source IPs.

2. NTP on a perimeter firewall: If it is at edge of network, then you can use public ntp servers:

https://tf.nist.gov/tf-cgi/servers.cgi

3. security precautions has to be taken for the external switches: Per your post, these appears to be directly connected to ISP and in turn communicates with your LAN: If all these services can be moved from your LAN to DMZ..good. I know there may be lot of challenges in doing that.. so- if you manage those switches- make sure to address vulnerabilities, Vlan based ACLs, limited admin access with SSH only, and last but not least see if you can add additional (port based) ACLs on firewall for incoming traffic.

hth

Re: snmp & ntp

adamgibs7 — Wed, 28 Feb 2018 15:02:55 GMT

Dear,

Its my monitoring server that I cannot keep in the DMZ becz the internal servers and switches are all added in that server

Is it these NTP servers are free.

actually confused between port acl and Vlan acl, I have read the guide but no clear understanding

thanks

Re: snmp & ntp

mvsheik123 — Thu, 01 Mar 2018 11:42:17 GMT

Hi,

-> Yes..I understand the complexity in moving snmp to DMZ. snmp v3 can be used.

-> AFAIK.. all those ntp servers are free.

-> What I meant by Vlan ACL is - normal standard/extended ACLs on Vlan interfaces where you allow required communication within subnets.

Check the below link for vpn filters:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

hth

Re: snmp & ntp

adamgibs7 — Fri, 02 Mar 2018 06:14:39 GMT

Dear,

So for snmp server v3 I should add remote devices which are on WAN & External Internet switches to get them in inside network for snmp trap , is it a best practice , YES or NO

Re: snmp & ntp

mvsheik123 — Fri, 02 Mar 2018 13:58:46 GMT

Hello,

The question is - Are you 100% responsible for managing all those extranet switches and not knowing whats happening with those switches put you in tough spot? If yes... then I would do it with v3 (more secure) by allowing specific IPs v3 traffic only thru fw. Also, I would consider different v3 Pass for different extranet hardware (may be hard to manage but secure).

If the answer is 'no one' question you- then your call.

Or you can consider using any freely available SNMP servers (google for those) and place this new server in DMZ and use only for extranet related gear.

hth