Re: [fw-wiz] Web Server Monitoring

From: Paul Robertson (proberts_at_patriot.net)
Date: 09/14/03

    To: Tony Turner <tnyturner@mindspring.com>
    Date: Sun, 14 Sep 2003 12:45:35 -0400 (EDT)
    
    

    On Fri, 12 Sep 2003, Tony Turner wrote:

    > We have several web servers that we support throughout the southeast.
    > We usually use VNC. I have a few questions for you. How secure is VNC
    > and what are some known security risks? What is the best way to monitor

    It isn't, perhaps you should read the documentation which comes with VNC,
    which (at least last I checked) had a section on how it wasn't secure. I
    believe the authors recommended running it over SSH tunnels.

    > these servers? have used large scale monitoring tools that create
    > tickets whenever a server or a switch stops responding, but this was all
    > on the same network. I am looking at a program called Networkview.
    > This product gives me a GUI interface with all of my sites and lets me
    > know which are up or down. It will also email me if something goes
    > down. It seems that it works great locally, but I need something that I
    > can use over the Internet. Networkview will ping these IP addresses,
    > but most of these webservers are behind routers or firewalls that block
    > ICMP. Will SNMP work over the internet and is it really necessary to
    > block ICMP? How hard is SNMP to set up and where do I start?

    SNMP is a security nightmare, and you really, really don't want to expose
    current implementations to the Internet at large. If you're worried about
    Web services, grab a page every few minutes, and alert on errors for that,
    there are plenty of tools to do so, and writing one isn't all that
    difficult either.

    While out-of-band monitoring is generally a good thing, it's only a good
    thing when the channel is private. If you're going to use a public
    channel, then do in-band monitoring, since you *have* to expose HTTP to
    the world anyway, using it to check the status isn't the increase in risk
    that trying to do some other protocol is.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
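
The in-band check suggested in the reply above (fetch a page every few minutes and alert on errors), sketched as an added example that is not part of the original message. The site URL, marker text, function names, five-minute interval and two-failure threshold are all assumptions chosen for illustration.

```python
import http.client
import time
import urllib.error
import urllib.request

def probe(url, expect, timeout=10, opener=urllib.request.urlopen):
    """Fetch one page over the already-exposed HTTP port; return (ok, detail)."""
    try:
        with opener(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # 4xx/5xx answered by the server
        return False, f"HTTP {exc.code}"
    except (OSError, http.client.HTTPException) as exc:  # DNS, refused, timeout, TLS
        return False, f"unreachable: {exc}"
    if status != 200:
        return False, f"HTTP {status}"
    if expect not in body:  # 200 but an error or empty page was served
        return False, "expected text missing"
    return True, "ok"

class Monitor:
    """Alert once after `threshold` consecutive failures, and once on recovery."""
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.failures = {}  # url -> consecutive failure count

    def record(self, url, ok):
        count = self.failures.get(url, 0)
        if ok:
            self.failures[url] = 0
            return "UP" if count >= self.threshold else None
        self.failures[url] = count + 1
        return "DOWN" if count + 1 == self.threshold else None

def run(sites, interval=300, alert=print):
    monitor = Monitor()
    while True:
        for url, expect in sites.items():
            ok, detail = probe(url, expect)
            event = monitor.record(url, ok)
            if event:
                alert(f"{event} {url}: {detail}")
        time.sleep(interval)

if __name__ == "__main__":
    # Placeholder site and marker text (assumptions); replace with your own pages.
    run({"https://www.example.com/": "Example Domain"})
```

Pass a function that sends mail or opens a ticket as `alert`; the default only prints. With an `https://` URL, urllib's default certificate verification also turns an expired or mismatched certificate into a DOWN event.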

