Chapter 4: Remote Management HTTP and SNMP
Management Passwords
Note: In order to log in with Internet Explorer 7+ or if difficulty occurs when logging in with credentials
known to be valid, firmware prior to October 18
th
, 2007 must be upgraded to ameliorate a new feature
present in IE7 authentication messages. This is also the case with some versions of Opera. Contact the
factory for an upgrade or attempt to login with FireFox, Mozilla, or a browser earlier than IE7+ for
immediate resolution.
The HTTP management statistics page is initially accessible without a password. The HTTP settings page
is initially accessible within the first several minutes after powerup with username
admin
and no password.
If the unit has not had its default password changed, after several minutes the settings page will be locked
for security reasons. It is desirable to change the default password of the unit. For security reasons,
changing the default password of the unit must be done within the first several minutes of powerup. If the
HTTP management password is lost or forgotten, it may be reset by accessing the HTTP management
settings within the first minute after powerup and with no BNC cables attached to the unit.
SNMP statistics may initially be accessed using the read-only community name
public
. Write-community
names and variable access authorization may be set through the HTTP management interface.
Security
Please also refer to the password section above.
HTTP Interface Security
Access to the HTTP management interface statistics and settings pages can be selectively limited to users
knowing the HTTP management password, which is transmitted securely on the network using MD5
encoding. New values of management settings, or modifications of the administrator password are not
encrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5
authorized user or any information visible on a HTTP page.
When logging out from any secure webpage, the browser window should always be closed!
Browsers
typically continue to send administrator credentials continuously even after apparent logout.
SNMP Security
The converter implements SNMPv2c, which is inherently an insecure protocol; however, the converter
enhances security by implementing view-based access management (VACM), which can restrict read or
write access to specific management settings and statistics. When shipped, the converter allows read access
to “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allow
determination of network topology or interfere with normal link traffic. The VACM configuration can be
updated through the HTTP management interface to meet the user's needs, and most SNMP variables can
also be set through the HTTP management interface in a more secure manner than SNMP allows.
– SNMP VACM Security Warning –
As shipped, the default “safe_ro_view” is secure but not private.
View based access model VACM for SNMPv2c provides good restriction
of access to only specified statistics but no data privacy and
minimal user authentication. When a specific variable is enabled
for reading or writing, from a security perspective it should
be considered either public for reading or public for writing.
Alternatively, most configuration parameters can be set through
the HTTP password-protected interface which is secure.
Viewing snmpd.conf exposes it and community names to visibility by
3rd party network sniffers. All SNMPv2c data on the network
is visible. All community names can be "guessed" and, when used,
become visible to sniffers. Source IP addresses of requests
can be forged. Enabling a write community should be considered
insecure with respect to the specific view variables enabled.
10