Chapter 4: Remote Management HTTP and SNMP
the HTTP management password is lost or forgotten, it may be reset by accessing the HTTP management
settings within the first minute after powerup and with no BNC cables attached to the unit.
SNMP statistics may initially be accessed using the read-only community name
public
. Write-community
names and variable access authorization may be set through the HTTP management interface.
Security
Please also refer to the password section above.
HTTP Interface Security
Access to the HTTP management interface statistics and settings pages can be selectively limited to users
knowing the HTTP management password, which is transmitted securely on the network using MD5
encoding. New values of management settings, or modifications of the administrator password are not
encrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5
authorized user or any information visible on a HTTP page.
When logging out from any secure webpage, the browser window should always be closed!
Browsers
typically continue to send administrator credentials continuously even after apparent logout.
SNMP Security
The Monitor implements SNMPv2c, which is inherently an insecure protocol; however, the Monitor
enhances security by implementing view-based access management (VACM), which can restrict read or
write access to specific management settings and statistics. When shipped, the Monitor allows read access
to “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allow
determination of network topology or interfere with normal link traffic. The VACM configuration can be
updated through the HTTP management interface to meet the user's needs, and most SNMP variables can
also be set through the HTTP management interface in a more secure manner than SNMP allows.
– SNMP VACM Security Warning –
As shipped, the default “safe_ro_view” is secure but not private.
View based access model VACM for SNMPv2c provides good restriction
of access to only specified statistics but no data privacy and
minimal user authentication. When a specific variable is enabled
for reading or writing, from a security perspective it should
be considered either public for reading or public for writing.
Alternatively, most configuration parameters can be set through
the HTTP password-protected interface which is secure.
Viewing snmpd.conf exposes it and community names to visibility by
3rd party network sniffers. All SNMPv2c data on the network
is visible. All community names can be "guessed" and, when used,
become visible to sniffers. Source IP addresses of requests
can be forged. Enabling a write community should be considered
insecure with respect to the specific view variables enabled.
Variables in the groups: interface, ds3, dot3 & mau, control the
link datapath; allowing write access allows disabling the link.
Specific variables disabled for all write users are secure.
Specific statistics disabled for all read users are invisible
and secure.
HTTP Management
The Monitor contains a comprehensive, user-friendly HTTP management interface which allows a manager
to monitor bit-error-rates on the DS3/E3 link, lost packets, and user-friendly status messages at a single,
10
