
Re: Final MIB security guidelines



>>>>> On Tue, 7 Jan 2003, Wijnen, Bert (Bert) wrote:

Bert> -- for all MIBs you must evaluate
Bert> 
Bert>    Some of the readable objects in this MIB module (i.e., objects
Bert>    with a MAX-ACCESS other than not-accessible) may be considered
Bert>    sensitive or vulnerable in some network environments.  It is thus
Bert>    important to control even GET access to these objects and possibly
-----------------------------------^^^^^^^^^^
Bert>    to even encrypt the values of these objects when sending them over
Bert>    the network via SNMP.  These are the tables and objects and their
Bert>    sensitivity/vulnerability:
Bert> 
Bert>     <list the tables and objects and state why they are sensitive>

I thought we had agreed to say "GET and/or NOTIFY access" here.

Bert>    Further, deployment of SNMP versions prior to SNMPv3 is NOT
Bert>    RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
Bert>    enable cryptographic security.  It is then a customer/operator
Bert>    responsibility to ensure that the SNMP entity giving access to
Bert>    an instance of this MIB module, is properly configured to give
---------------------------------------^
Bert>    access to the objects only to those principals (users) that have
Bert>    legitimate rights to indeed GET or SET (change/create/delete) them.

That comma needs to be removed.


>>>>> On Mon, 6 Jan 2003, Wes Hardaker wrote:

Wes> No references?

I recommend either referring the reader to the boilerplate or copying the
Informative References part from the boilerplate:

y. Informative References

   [RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart,
             "Introduction and Applicability Statements for Internet-
             Standard Management Framework", RFC 3410, December 2002.

Either way should do, because all MIB modules need the boilerplate.

//cmh