
Follow the procedures presented in this page to enable EMS access to the DSC and to configure community directives.

Enabling EMS Access

Enabling the EMS access on the DSC modifies the snmpd configuration (snmpd.conf) and adds a new community string, ins_ems, which allows external and internal access to the system to modify the following Object Identifiers (OIDs):

  • .1.3.6.1.4.1.1556.17.15.306.1.1.9: single interval stats files
  • .1.3.6.1.4.1.1556.17.15.306.1.1.11: active traps
  • .1.3.6.1.4.1.1556.17.15.306.308.316.1: the trap host table

The OIDs are only available for modification after the EMS is enabled.

The ins_ems community string is the only external access allowed to the system through SNMP commands. This string is read-only, and, therefore, the OID values cannot be modified.

You can enable EMS access using the following methods:

Note

For the EMS version supported on this platform, see DSC Interoperability Matrix.


False Positives Security Vulnerabilities

Third-party scans, such as the Nessus plugins, may report some false-positive vulnerabilities, such as:

  • SNMP Agent Default Community Name (public)
  • SNMP 'GETBULK' Reflection DDoS

The default community names on the SNMP server can be guessed. An attacker may use this information to gain access to the system or to cause a denial-of-service attack by issuing 'GETBULK' requests, which return a large amount of data.

To resolve this issue and reduce exposure so that data can be protected, you can change the default community name string. The procedure to perform this task is documented in the following section.

Naming Convention Limitations for Community Strings

You must comply with some naming convention limitations when configuring the ro and rw community strings for the DSC 8000 and DSC SWe. These limitations are as follows.

  • community strings are limited to 64 characters for backwards compatibility

  • alphanumeric characters are allowed

  • hyphens and underscores are allowed

Configuring SNMPv2 Community Directives

The following procedure provides the steps to configure SNMPv2 community directives.

To configure SNMPv2 community directives

  1. From the Main Menu, click IP Networking.

  2. Click SNMP.

  3. Enter the required information in the SNMPv2 Read Only Community Name and SNMPv2 Read/Write Community Name fields.

  4. Click Commit.

Note

Read/Write Community allows SNMPv2 commands to change a specific set of attributes. These attributes are listed in OID form in the snmpd.conf file. The attributes can only be changed on the local system (localhost).

Read Only Community allows SNMPv2 commands to read any attribute from inside or outside of the system, but they are not authorized to make changes. As such, using snmpset commands with this community string type does not work.
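
The following Python check is an added example, not code from the original page or from the product. It audits snmpd.conf text against the points above: the naming limits, default community names, and read/write access limited to localhost. It assumes net-snmp style rocommunity/rwcommunity directive lines (the DSC's own snmpd.conf layout is not shown on this page); the sample input, the "private" entry and the list of local sources are also assumptions.

```python
import re

# Naming limits stated on this page: at most 64 characters,
# alphanumerics, hyphens and underscores only.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# "public" is the default name cited on this page; "private" is added
# here as an assumption (a commonly seen default read/write name).
DEFAULT_NAMES = {"public", "private"}
# Sources treated as local (assumption for this example).
LOCAL_SOURCES = {"localhost", "127.0.0.1"}


def audit_snmpd_conf(text):
    """Return (line_no, community, finding) tuples for community directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("rocommunity", "rwcommunity"):
            continue  # not a community directive
        directive, name = fields[0], fields[1]
        # With no source field, net-snmp accepts requests from any address.
        source = fields[2] if len(fields) > 2 else "default"
        if not NAME_RE.fullmatch(name):
            findings.append((no, name, "violates naming limits"))
        if name.lower() in DEFAULT_NAMES:
            findings.append((no, name, "default community name"))
        if directive == "rwcommunity" and source not in LOCAL_SOURCES:
            findings.append((no, name, "read/write not limited to localhost"))
    return findings


# Constructed sample input, not taken from a real DSC system.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rocommunity ins_ems
rwcommunity ops-rw_01 localhost
rwcommunity ops!rw 10.0.0.0/8
"""

if __name__ == "__main__":
    for no, name, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {name}: {finding}")
```
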
