Re: [nv-l] Managing Red Side Routers in DMZ

2002-10-18 04:35:18
Subject: Re: [nv-l] Managing Red Side Routers in DMZ
From: Jane Curry <jane.curry AT skills-1st.co DOT uk>
To: john.j.mackney AT accenture DOT com, NetView mailing list <nv-l AT lists.tivoli DOT com>
Date: Fri, 18 Oct 2002 09:35:18 +0100
Hi John,
In my experience, the one thing firewall administrators are prepared to open is
an SNMP TRAP port from DMZ into the internal network.  If you have a Linux
NetView in your DMZ, you can also configure it to use TCP for that TRAP path,
rather than UDP - this wins you more points still.  Your internal NetView will
listen, by default, on TCP and UDP/162, so no changes there.  This seems much
simpler than sending TEC events direct from your DMZ NetView.

I have looked several times at running a MLM inside a DMZ and, IMHO, IBM does
not seem to want us to do this.  It won't hack it as-is and no-one else seems
to feel that MLM is worth extending a little to serve in this scenario, so as
Stephen says, your only option is a DMZ NetView.

If you go with DMZ NetView forwarding to internal NetView, there are a couple
of points you need to take care of:

Ensure you have a good DNS, consistent at both NetViews.  Trap forwarding
literally passes a copy of the trap forward.  Your internal NetView will expect
to resolve the name of the device that apparently sent the trap.

Depending on how many devices your Linux NetView is managing, you may want to
do something fancier than simple trap forwarding, especially if you have more
than 1 distributed NetView - there is nothing on a forwarded trap that says
WHICH NetView forwarded the trap.

Your internal NetView won't be able to poll anything beyond the firewall so
won't have any entries in his database or on the topo maps.  This doesn't
affect the event log but that's the ONLY part of your internal NetView that can
report on DMZ devices.


john.j.mackney AT accenture DOT com wrote:

> I have been considering how best to manage the routers on the Red Side of
> our firewall.
> All I actually want to do is poll the routers and send selected events to
> TEC on the Green Side.
> I have considered two options:
> 1) Install an MLM in the DMZ
> 2) Install NetView 7.1.3 on a PC running Linux on the Red Side and
> configure its tecint.conf to send TEC events on a specific port. Open this
> port on the firewall.
> There are problems associated with both of these scenarios
>    I do not think the network managers will allow a firewall rule to open
>    up ports for SNMP.
>    I would have to configure TEC to use a specific port rather than
>    allowing it to use its current RPC communications. This would mean that
>    all TEC adapters would have to be configured to use this port.
> Does anyone have a view on the above?
> OK, I might be talking out the back of my head here but.... How about this.
> Tunnel through the firewall using SSH and send SNMP from NetView to MLM
> through this tunnel. Then I would have one NetView, could use MLM and could
> forward TEC events via standard RPC.
> Anyone have any views on this?

Tivoli Certified Consultant & Instructor
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK
Tel: +44 (0)1628 782565
Copyright (c) 2002 Jane Curry <jane.curry AT skills-1st.co DOT uk>.  All rights
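Jane's two caveats about forwarded traps (the internal NetView resolves the name of the device that apparently sent the trap, and nothing on a plain forwarded trap says which station forwarded it) shown in working code. This is an added example for this thread, not code from the thread, from NetView or from MLM: a minimal SNMPv1 trap codec in Python. The router address 192.0.2.10, the host names, the sample linkDown trap and the private OID 1.3.6.1.4.1.99999.1.1 used to tag the forwarder are all constructed for the example, and appending such a varbind is an illustration of "something fancier than simple trap forwarding", not a NetView feature.

```python
# SNMPv1 trap codec: what a trap forwarded DMZ -> internal carries and what it does not.
# Added illustration for this thread, not NetView/MLM code. Addresses, host names,
# the sample trap and the private OID used to tag the forwarder are all constructed.

TAG_INT, TAG_OCTSTR, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x06, 0x30
TAG_IPADDR, TAG_TIMETICKS, TAG_TRAP = 0x40, 0x43, 0xA4
FORWARDER_OID = "1.3.6.1.4.1.99999.1.1"  # hypothetical private OID, an assumption

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value, tag=TAG_INT):
    # Non-negative only; an extra leading zero byte keeps the sign bit clear.
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_seq(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def encode_trap(community, enterprise, agent_addr, generic, specific, uptime, varbinds):
    vbl = b"".join(tlv(TAG_SEQ, enc_oid(o) + tlv(t, v)) for o, t, v in varbinds)
    pdu = (enc_oid(enterprise)
           + tlv(TAG_IPADDR, bytes(int(x) for x in agent_addr.split(".")))
           + enc_int(generic) + enc_int(specific)
           + enc_int(uptime, TAG_TIMETICKS) + tlv(TAG_SEQ, vbl))
    return tlv(TAG_SEQ, enc_int(0) + tlv(TAG_OCTSTR, community.encode()) + tlv(TAG_TRAP, pdu))

def decode_trap(msg):
    tag, body, _ = parse_tlv(msg)
    (_, ver), (_, comm), (ptag, pdu) = parse_seq(body)
    if tag != TAG_SEQ or ptag != TAG_TRAP or ver != b"\x00":
        raise ValueError("not an SNMPv1 trap")
    ent, addr, gen, spec, ticks, vbl = parse_seq(pdu)
    varbinds = []
    for _, vb in parse_seq(vbl[1]):
        (_, oid), (vtag, val) = parse_seq(vb)
        varbinds.append((dec_oid(oid), vtag, val))
    return {"community": comm.decode(), "enterprise": dec_oid(ent[1]),
            "agent_addr": ".".join(map(str, addr[1])),
            "generic": int.from_bytes(gen[1], "big"), "specific": int.from_bytes(spec[1], "big"),
            "uptime": int.from_bytes(ticks[1], "big"), "varbinds": varbinds}

def forward_trap(msg, forwarder_name, tag_forwarder=False):
    # Plain forwarding re-emits the trap as-is: agent-addr still names the router and
    # nothing says which station forwarded it. tag_forwarder=True appends a varbind
    # naming the forwarder (illustrative, not a NetView feature).
    t = decode_trap(msg)
    vbs = list(t["varbinds"])
    if tag_forwarder:
        vbs.append((FORWARDER_OID, TAG_OCTSTR, forwarder_name.encode()))
    return encode_trap(t["community"], t["enterprise"], t["agent_addr"],
                       t["generic"], t["specific"], t["uptime"], vbs)

def receiver_resolve(msg, reverse_dns):
    # Internal NetView side: the name it shows is resolved from agent-addr, so a
    # router known only to the DMZ station's DNS cannot be named here.
    addr = decode_trap(msg)["agent_addr"]
    if addr not in reverse_dns:
        raise LookupError(f"no name for {addr}: DNS not consistent with the DMZ NetView")
    return reverse_dns[addr]

# Constructed sample: linkDown (generic-trap 2) from a DMZ router, ifIndex 3.
ROUTER_TRAP = encode_trap("public", "1.3.6.1.4.1.9", "192.0.2.10", 2, 0, 123456,
                          [("1.3.6.1.2.1.2.2.1.1.3", TAG_INT, b"\x03")])
```

With tag_forwarder left at False, forward_trap returns bytes identical to what the router sent, which is the reason a receiver fed by more than one DMZ station cannot tell them apart; the reverse_dns dict passed to receiver_resolve stands in for the DNS that has to agree on both sides of the firewall. The codec is transport-neutral: the same bytes travel over UDP/162 or over the TCP/162 path described above.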
