T.R | Title | User | Personal Name | Date | Lines |
---|
930.1 | | SLINK::HOOD | I'd rather be surfing | Mon Apr 25 1994 11:19 | 1 |
| No.
|
930.2 | WHAT ARE YOU TRYING TO SECURE? | DELNI::ROUNDS | | Mon Apr 25 1994 18:44 | 4 |
| What is your reason for securing Hubwatch? Is it to secure Hubwatch or
is it to make sure that users DO NOT change any hub settings? You can
set up your hubs so that people cannot alter the configs. GETs only; no
sets.
|
930.3 | How to set up read-only community? | ZPOVC::DAIV01::FUNGSIONG | Digital Indonesia - Networks | Wed Jun 15 1994 07:37 | 15 |
| Hi,
Similar question. If I set the SNMP community string to something,
and I set the In-Band Management IP address, other unprivileged
people who do not know the IP address and SNMP community will not
be allowed to connect. But after I connect, both the IP address
and the community is displayed on the screen, so that someone
who by accident sees the combination can connect to the HUB and
change the config.
How can I set up a "read-only" community? I don't seem to know
any menu in HUB MANAGER setup menu to do that.
Rgrds,
Fung Siong
|
930.4 | it can be done...with a little work. | NACAD::WILSON | | Wed Jun 15 1994 12:07 | 23 |
| There is a MIB variable available in the pcom MIB for read-only community.
It is pcomSnmpAuthReadOnlyCommunity.
In order to set this MIB variable you would need to use some kind of tool.
HUBwatch does not allow you to set this, and there is no option on the DEChub
900 console.
After you make the change to the read-only community string you must do a
reset on the DEChub. This is required in order for the new read-only
community string to be inherited by the modules in the hub.
Then you can start HUBwatch with the read-only community. But, note that
you won't be able to make any changes. If you try to set something you
should receive a message stating "Timed out while waiting for SET response
from xxxx. The SET may have failed."
If someone sees your IP address and community string this, to me, means
they were in your office when HUBwatch was up and running. If they have
that kind of access you better trust that they won't do anything that
they shouldn't.
Karen
HUBwatch development
|
930.5 | Use POLYCENTER Netview? | ZPOVC::DAIV01::FUNGSIONG | Digital Indonesia - Networks | Wed Jun 15 1994 22:22 | 16 |
| Hi Karen,
Can I use some SNMP Manager to set up this particular MIB variable,
such as POLYCENTER NetView? Is there any plan to include this
functionality in the next release of HUBwatch?
We often demo our hub + HUBwatch (in our operational office network) to
customers; surely they will be able to see the IP/community combination
in the display. It is just nice (and safer) if we can show them a
"read-only" version of the network management in action.
Thanks for your info,
Fung Siong
Digital Indonesia
|
930.6 | Restricting SNMP to specified addresses | NACAD2::SLAWRENCE | | Thu Jun 16 1994 09:43 | 18 |
|
Using other variables in the same pcomSnmpAuth group it is possible to
restrict SNMP operations to particular IP addresses. The comments in
the MIB provide a good explanation of how to do this.
You can compile this MIB with PNV and manipulate it that way. I
recommend reading the comments in the MIB carefully before you do
anything.
IP address spoofing is not that hard, but this does provide one more
check (especially if your legitimate NMS is somehow monitoring the net
for others trying to use its address).
The MIB is available from ftp.digital.com in /pub/DEC/hub900/mibs (see
the README file), or from:
http://www-dechub.lkg.dec.com/internal-info/architecture/mibs/pub-common.html
|
930.7 | yes and maybe | NACAD::WILSON | | Thu Jun 16 1994 11:20 | 20 |
|
>> Can I use some SNMP Manager to set up this particular MIB variable,
>> such as POLYCENTER NetView?
Yes, if it provides a mechanism for setting a specific MIB variable.
I must admit I haven't used POLYCENTER NetView.
>> Is there any plan to include this
>> functionality in the next release of HUBwatch?
If you mean the ability to set the read-only community for a hub, that
should be provided in HUBwatch V4.0.
But, if you mean the ability of setting any MIB variable for any of the
MIBs, I don't believe that we'll provide that feature. HUBwatch is meant
to be a manager of the DEChub products. It isn't meant to provide all
of the features that you can get from, say, POLYCENTER NetView.
Hope this helps,
Karen
|