E3Switch DS3 Operating information manual - page 10
Chapter 4: Remote Management HTTP and SNMP
SNMP statistics may initially be accessed using the read-only community name public. Write-community
names and variable access authorization may be set through the HTTP management interface.
Security
Please also refer to the password section above.
HTTP Interface Security
Access to the HTTP management interface statistics and settings pages can be selectively limited to users
knowing the HTTP management password, which is transmitted securely on the network using MD5
encoding. New values of management settings, or modifications of the administrator password are not
encrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5
authorized user or any information visible on a HTTP page.
When logging out from any secure webpage, the browser window should always be closed! Browsers
typically continue to send administrator credentials continuously even after apparent logout.
SNMP Security
The converter implements SNMPv2c, which is inherently an insecure protocol; however, the converter
enhances security by implementing view-based access management (VACM), which can restrict read or
write access to specific management settings and statistics. When shipped, the converter allows read access
to “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allow
determination of network topology or interfere with normal link traffic. The VACM configuration can be
updated through the HTTP management interface to meet the user's needs, and most SNMP variables can
also be set through the HTTP management interface in a more secure manner than SNMP allows.
– SNMP VACM Security Warning –
As shipped, the default “safe_ro_view” is secure but not private.
View based access model VACM for SNMPv2c provides good restriction
of access to only specified statistics but no data privacy and
minimal user authentication. When a specific variable is enabled
for reading or writing, from a security perspective it should
be considered either public for reading or public for writing.
Alternatively, most configuration parameters can be set through
the HTTP password-protected interface which is secure.
Viewing snmpd.conf exposes it and community names to visibility by
3rd party network sniffers. All SNMPv2c data on the network
is visible. All community names can be "guessed" and, when used,
become visible to sniffers. Source IP addresses of requests
can be forged. Enabling a write community should be considered
insecure with respect to the specific view variables enabled.
Variables in the groups: interface, ds3, dot3 & mau, control the
link datapath; allowing write access allows disabling the link.
Specific variables disabled for all write users are secure.
Specific statistics disabled for all read users are invisible
and secure.
HTTP Management
The converter contains a comprehensive, user-friendly HTTP management interface which allows a
manager to monitor bit-error-rates on the DS3/E3 link, lost packets, and user-friendly status messages at a
single, color-coded HTTP screen. A screenshot is available at
www.e3switch.com
. Most settings that can
be modified via SNMP can also be set through the HTTP interface in a more user-friendly manner.
Refer to the configuration section of this document for guidance on specific settings.
10