RE: Final MIB security guidelines
Inline
> -----Original Message-----
> From: C. M. Heard [mailto:heard@pobox.com]
> Sent: Tuesday 7 January 2003 3:51
> To: mibs@ops.ietf.org
> Subject: Re: Final MIB security guidelines
>
>
> >>>>> On Tue, 7 Jan 2003, Wijnen, Bert (Bert) wrote:
>
> Bert> -- for all MIBs you must evaluate
> Bert>
> Bert> Some of the readable objects in this MIB module (i.e., objects
> Bert> with a MAX-ACCESS other than not-accessible) may be considered
> Bert> sensitive or vulnerable in some network environments. It is thus
> Bert> important to control even GET access to these objects and possibly
> -----------------------------------^^^^^^^^^^
> Bert> to even encrypt the values of these objects when sending them over
> Bert> the network via SNMP. These are the tables and objects and their
> Bert> sensitivity/vulnerability:
> Bert>
> Bert> <list the tables and objects and state why they are sensitive>
>
> I thought we had agreed to say "GET and/or NOTIFY access" here.
>
Yep... sorry that I missed it.
> Bert> Further, deployment of SNMP versions prior to SNMPv3 is NOT
> Bert> RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
> Bert> enable cryptographic security. It is then a customer/operator
> Bert> responsibility to ensure that the SNMP entity giving access to
> Bert> an instance of this MIB module, is properly configured to give
> ---------------------------------------^
> Bert> access to the objects only to those principals (users) that have
> Bert> legitimate rights to indeed GET or SET (change/create/delete) them.
>
> That comma needs to be removed.
>
OK, can do that too, and maybe we already agreed to that as well.
>
> >>>>> On Mon, 6 Jan 2003, Wes Hardaker wrote:
>
> Wes> No references?
>
> I recommend either to refer the reader to the boilerplate or
> to copy the Informative References part from the boilerplate:
>
> y. Informative References
>
> [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
> "Introduction and Applicability Statements for Internet-
> Standard Management Framework", RFC 3410, December 2002.
>
> Either way should do, because all MIB modules need the boilerplate.
>
I indeed have 3410 added as reference. It will be on the web page
(soon I hope), although the above fixes may take longer.
Bert
> //cmh
>