remote SMC and security
How would you answer the following question
.." have a general question for you security minded folks working with large networks.
If a user wants to use Sun Management Center to control servers sitting out on a DMZ, what would be the best way to approach this?
I wouldn't want to just open a port in the firewalls to push-pull data. How about a separate SMC server in the DMZ ... but then how to control that server from the internal network? Seems the server wants nfs mounts too, which raises a red flag for me."
# 1
> I wouldn't want to just open a port in the firewalls
> to push-pull data. How about a separate SMC server in
> the DMZ ... but then how to control that server from
> the internal network?
Well, since there is no such thing as a SunMC proxy server (i.e. like the proxies available for http), you're going to have to open some ports eventually, or always make sure you're on a system within the DMZ.
SunMC Agents can have their ports opened to work through a firewall, but if you'd prefer to have a SunMC Server dedicated to DMZ systems then you have 2 options to use GUI management:
1) As of SunMC 3.6, the Java GUI can be configured to use a restricted range of ports (previously it would use random ports) to communicate with the Server. But you would still have to open a fairly large range (i.e. I think around 100 ports are recommended, off the top of my head).
2) The more popular option is to use the SunMC web interface. It can't perform all operations of the Java interface, but it's more than adequate for day-to-day use and viewing alarms. The SunMC web server is a modern Apache Tomcat distribution that uses HTTP and HTTPS. And SSL and port forwarding (or proxying) of HTTP is a solved problem in any modern datacenter.
So, you could get at your DMZ SunMC Server through a browser by opening one port (i.e. 8443 for SunMC SSL). That's a straightforward firewall rule. Or you could get a bit fancier and use any corporate HTTP proxy server you have between yourself and the DMZ network.
> Seems the server wants nfs
> mounts too, which raises a red flag for me."
The SunMC Server has no NFS requirements at all, though it can monitor NFS mounts and NFS services if they exist. The Agents are the same.
Regards,
Mike.Kirk@HalcyonInc.com
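The single-port design Mike describes (a DMZ SunMC server reached only over HTTPS on 8443, nothing else crossing the firewall) expressed as a Solaris IP Filter rule set, with a small pre-load check that the set really passes only that port. This is an added example, not code from the thread or from Sun; the interface name, subnets and server address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal Solaris IP Filter (ipf.conf)
# rule set that lets the internal management network reach only the SunMC
# web console (HTTPS, TCP 8443) on a DMZ SunMC server, plus a pre-load
# check that the set passes no other port.  Interface name, subnets and
# the server address are constructed placeholders.

INT_IF="bge0"                # firewall interface facing the internal network (placeholder)
MGMT_NET="10.10.0.0/24"      # where the admins' browsers live (placeholder)
SUNMC_DMZ="192.0.2.10"       # DMZ SunMC server (placeholder, documentation range)

# Emit the rule set.  IP Filter takes the *last* matching rule unless a rule
# says "quick", so the catch-all block goes first and the single pass rule,
# marked quick, overrides it.  "keep state" lets the replies back without a
# second rule.  Nothing here opens the Java GUI's port range or the agent ports.
write_rules() {
    cat <<EOF
# default deny for everything arriving on the internal interface, logged
block in log on $INT_IF all
# the one hole: HTTPS from the management net to the SunMC web console
pass in quick on $INT_IF proto tcp from $MGMT_NET to $SUNMC_DMZ port = 8443 flags S keep state
EOF
}

# Review helper: list every destination port any "pass" rule admits, so the
# change can be checked against the intent ("8443 only") before it is loaded.
passed_ports() {    # $1 = rule file
    grep '^pass ' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "port" && $(i + 1) == "=") print $(i + 2) }' |
        sort -u
}

RULES="${TMPDIR:-/tmp}/sunmc-dmz.ipf.$$"
write_rules > "$RULES"
echo "rule set written to $RULES; ports passed: $(passed_ports "$RULES" | tr '\n' ' ')"
# To activate on the firewall host:  ipf -Fa -f "$RULES"   then review with  ipfstat -io
```

On a real firewall the catch-all block sits alongside the rules for the rest of the internal traffic; the point of the fragment is that the SunMC flow needs exactly one pass rule, and that the reviewer can mechanically confirm no Java GUI port range or agent port crept in alongside it.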
# 2
If it is security you're after you'd better forget all about the SMC in my opinion. Not only does it require a few ports to be accessed remotely, it also cannot read any other password hashes than the default. Which is something I usually change the first thing whenever I need extra security.
LionO at 2007-7-6 13:23:46

# 3
> If it is security you're after you'd better forget
> all about the SMC in my opinion. Not only does it
> require a few ports to be accessed remotely,
As mentioned in my previous post, you need to open the port to get at the Apache web server. Using SSL. If that's not an example of an industry standard best-practice procedure, I don't know what is. If that's insecure, you simply can't be pleased :)
> it also
> cannot read any other password hashes than the
> default. Which is something I usually change the
> first thing whenever I need extra security.
Can you tell me more about what you'd like to change? I admit I'm not a Sun certified SE so some Solaris admin stuff is over my head. SunMC uses Solaris user accounts. And Solaris groups. And, if installed, the Sun Solaris encryption pack (SUNWcry package). Any keys used by SNMPv2usec can be changed by the user at any time, the web server uses SSL, and it also supports the new encryption features in SNMPv3.
Are you maybe in the wrong forum and talking about "Solaris Management Console" instead of "Sun Management Center"?
Regards,
Mike.Kirk@HalcyonInc.com
# 4
> Are you maybe in the wrong forum and talking about
> "Solaris Management Console" instead of "Sun
> Management Center"?
Whoops!
So sorry, please ignore my posts. You hit the issue right on the mark.
And yes; Apache in combination with SSL makes it perfectly possible to secure your data. Although I now realize I'm off-topic, let me very briefly get into what I originally meant: you can change the way the passwords are encrypted on Solaris by editing /etc/security/policy.conf. The option "CRYPT_ALGORITHMS_ALLOW" defines this; however, as soon as you change this to something different from the original, SMC isn't capable of authenticating users.
Sorry for the confusion, I totally overlooked the forum I was in.
LionO at 2007-7-6 13:23:46
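An audit script for the situation LionO describes: before relying on a tool that only understands the stock password scheme, find out what /etc/security/policy.conf currently allows and which accounts in /etc/shadow are already hashed with something else. This is an added example, not code from the thread or from Sun; the scheme identifiers follow crypt.conf(4), the sample policy.conf and shadow below are constructed with placeholder hashes, and the claim that SMC rejects non-stock hashes is LionO's report above, not something the script verifies.

```shell
#!/bin/sh
# Added example, not from the thread: audit the password hashing scheme set in
# /etc/security/policy.conf against the hashes actually stored in /etc/shadow.
# LionO reports above that SMC only authenticates users whose passwords use
# the stock scheme, so the useful question before a rollout is "which accounts
# are already hashed with something else?".  Scheme identifiers follow
# crypt.conf(4) (1 = BSD MD5, 2a = Blowfish, md5 = Sun MD5, 5/6 = SHA-256/512,
# __unix__ = traditional crypt).  The files below are constructed samples with
# placeholder hashes; pass the real paths to audit a live system.

# Value of an uncommented KEY=VALUE line in a policy.conf-style file (last wins).
policy_value() {    # $1 = file, $2 = key
    awk -F= -v key="$2" '$0 !~ /^[ \t]*#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# Map a shadow hash field to its crypt.conf identifier by prefix.
hash_scheme() {     # $1 = hash field from /etc/shadow
    case "$1" in
        '*LK*'*|NP|'') echo locked ;;   # locked or no-password entries, not user hashes
        '$1$'*)        echo 1 ;;
        '$2a$'*)       echo 2a ;;
        '$md5$'*)      echo md5 ;;
        '$5$'*)        echo 5 ;;
        '$6$'*)        echo 6 ;;
        *)             echo __unix__ ;; # 13-character traditional crypt
    esac
}

# Names of accounts whose stored hash is not in the given scheme (locked skipped).
accounts_not_using() {   # $1 = scheme identifier, $2 = shadow file
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        [ "$scheme" = locked ] && continue
        [ "$scheme" = "$1" ] || echo "$user"
    done < "$2"
}

# Constructed samples: an admin who switched the default to Sun MD5 as the
# post describes, with one legacy account still on traditional crypt.
write_samples() {   # $1 = directory
    cat > "$1/policy.conf" <<'EOF'
# CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_ALGORITHMS_ALLOW=md5,5,6
CRYPT_DEFAULT=md5
EOF
    cat > "$1/shadow" <<'EOF'
root:$md5$rounds=8000$xxxxxxxx$$XXXXXXXXXXXXXXXXXXXXXX:13700::::::
ops:abJnggxhB/yWI:13700::::::
smcadmin:$md5$rounds=8000$yyyyyyyy$$YYYYYYYYYYYYYYYYYYYYYY:13700::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
EOF
}

dir="${TMPDIR:-/tmp}/policy-audit.$$"
mkdir -p "$dir" && write_samples "$dir"
echo "policy default scheme: $(policy_value "$dir/policy.conf" CRYPT_DEFAULT)"
echo "accounts not on __unix__: $(accounts_not_using __unix__ "$dir/shadow" | tr '\n' ' ')"
rm -rf "$dir"
```

Run as root against the real files (`accounts_not_using __unix__ /etc/shadow`) to get the list of accounts that would be affected by a tool limited to the stock scheme; the locked and no-password entries are skipped because they are not user hashes at all.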
