Security Considerations for our MIBs
"R.E. (Robert) Moore (254-4436)" <REMOORE@ralvm6.vnet.ibm.com> Thu, 20 March 1997 20:08 UTC
Received: from cnri by ietf.org id aa00690; 20 Mar 97 15:08 EST
Received: from bubbuh.cisco.com by CNRI.Reston.VA.US id aa17646; 20 Mar 97 15:08 EST
Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by bubbuh.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with SMTP id MAA10998 for <snanaumib@external.cisco.com>; Thu, 20 Mar 1997 12:02:38 -0800 (PST)
Message-Id: <199703202002.MAA10998@bubbuh.cisco.com>
Received: from RALVM6 by VNET.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 3224; Thu, 20 Mar 97 15:02:30 EST
Date: Thu, 20 Mar 1997 14:47:25 -0500
From: "R.E. (Robert) Moore (254-4436)" <REMOORE@ralvm6.vnet.ibm.com>
To: aiw-appn-mibs@raleigh.ibm.com, snanaumib@external.cisco.com
Subject: Security Considerations for our MIBs
Currently only one thing stands in the way of the APPN MIB's going forward to the IESG: a nontrivial Security Considerations section. Both Randy and Deirdre have indicated that we can't slip by under a grandfather clause here. So in the absence of contributions from anyone else, I decided to take a shot at some Security Considerations sections for all three of our current MIBs. The format is the same in all three cases: a generic paragraph saying, in effect, SNMP security is global, not different for each MIB, followed by a quick mention of any particular objects in the MIB that are especially sensitive. The generic part is based on the material from the IETF that I forwarded to you earlier. I'm certainly open to suggestions for improvements, both in the generic text and in the MIB-specific parts. We can wait until next week to fine- tune the sections for the DLUR and HPR MIBs. It would be nice, however, if we could reach agreement on the APPN MIB's Security Considerations by tomorrow, so that BobC (Yes! Finally we have a change that hits his part of a document harder than it does mine:-)) can pull in the text and generate a new Internet-Draft. We could get this draft posted before the IETF 38 blackout, and still have a chance for Deirdre to take the MIB to the IESG before we move to our new area. So take a quick look at this material, and send your responses back to the mailing lists. Thanks, Bob Moore ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Proposed "Security Considerations" Section (APPN MIB): In most cases, MIBs are not themselves security risks; if SNMP security is operating as intended, the use of a MIB to view information about a system, or to change some parameter at the system, is a tool, not a threat. None of the read-only objects in the APPN MIB reports a password, user data, or anything else that is particularly sensitive. Some enterprises view their network configuration itself, as well as information about network usage and performance, as corporate assets; such enterprises may wish to restrict SNMP access to most of the objects in the MIB. Four of the read-write objects in the MIB can affect network operations; it is recommended that SNMP access to these objects be restricted. The four objects are: - appnNodeNnSafeStoreFreq: Setting this object to 0, or to a very large value, effectively turns off safe storing of topology data. - appnPortCommand, appnLsCommand: These two objects allow an APPN port or link station to be activated, deactivated, or recycled via an SNMP operation. The latter two operations may disrupt current users of the network. - appnIsInSessState: Setting this object to 'inactive' causes an active SNA session to be deactivated. Other read-write objects control the gathering of network management data; controlling access to these objects is less critical. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Proposed "Security Considerations" Section (DLUR MIB): In most cases, MIBs are not themselves security risks; if SNMP security is operating as intended, the use of a MIB to view information about a system, or to change some parameter at the system, is a tool, not a threat. None of the read-only objects in the DLUR MIB reports a password, user data, or anything else that is particularly sensitive. Some enterprises view their network configuration itself, as well as information about network usage and performance, as corporate assets; such enterprises may wish to restrict SNMP access to most of the objects in the MIB. There are no read-write objects in the DLUR MIB. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Proposed "Security Considerations" Section (HPR MIB): In most cases, MIBs are not themselves security risks; if SNMP security is operating as intended, the use of a MIB to view information about a system, or to change some parameter at the system, is a tool, not a threat. None of the read-only objects in the HPR MIB reports a password, user data, or anything else that is particularly sensitive. Some enterprises view their network configuration itself, as well as information about network usage and performance, as corporate assets; such enterprises may wish to restrict SNMP access to most of the objects in the MIB. One read-write object in the MIB can affect network operations: - hprRtpPathSwitchTrigger: Setting this object to 'switchPathNow' triggers an immediate path switch attempt. An HPR path switch does not itself disrupt the SNA sessions using the RTP connection undergoing the path switch. However, frequent path switches for many RTP connections can have an adverse impact on overall network performance. It is recommended that SNMP access to this object be restricted. Other read-write objects control the gathering of network management data; controlling access to these objects is less critical.
- Security Considerations for our MIBs R.E. (Robert) Moore (254-4436)