
RE: Final MIB security guidelines


> -----Original Message-----
> From: C. M. Heard [mailto:heard@pobox.com]
> Sent: Tuesday, January 7, 2003 3:51
> To: mibs@ops.ietf.org
> Subject: Re: Final MIB security guidelines
> >>>>> On Tue, 7 Jan 2003, Wijnen, Bert (Bert) wrote:
> Bert> -- for all MIBs you must evaluate
> Bert> 
> Bert>    Some of the readable objects in this MIB module (i.e., objects
> Bert>    with a MAX-ACCESS other than not-accessible) may be considered
> Bert>    sensitive or vulnerable in some network environments.  It is thus
> Bert>    important to control even GET access to these objects and possibly
> -----------------------------------^^^^^^^^^^
> Bert>    to even encrypt the values of these objects when sending them over
> Bert>    the network via SNMP.  These are the tables and objects and their
> Bert>    sensitivity/vulnerability:
> Bert> 
> Bert>     <list the tables and objects and state why they are sensitive>
> I thought we had agreed to say "GET and/or NOTIFY access" here.
Yep... sorry that I missed it.

> Bert>    Further, deployment of SNMP versions prior to SNMPv3 is NOT
> Bert>    RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
> Bert>    enable cryptographic security.  It is then a customer/operator
> Bert>    responsibility to ensure that the SNMP entity giving access to
> Bert>    an instance of this MIB module, is properly configured to give
> ---------------------------------------^
> Bert>    access to the objects only to those principals (users) that have
> Bert>    legitimate rights to indeed GET or SET (change/create/delete) them.
> That comma needs to be removed.
OK, can do that too, and maybe we already agreed to that as well.

> >>>>> On Mon, 6 Jan 2003, Wes Hardaker wrote:
> Wes> No references?
> I recommend either to refer the reader to the boilerplate or 
> to copy the Informative References part from the boilerplate:
> y. Informative References
>    [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
>              "Introduction and Applicability Statements for Internet-
>              Standard Management Framework", RFC 3410, December 2002.
> Either way should do, because all MIB modules need the boilerplate.
I indeed have 3410 added as reference. It will be on the web page
(soon I hope), although the above fixes may take longer.

> //cmh