Carrier Access Broadmore 1750 User Manual


Broadmore 1750 - Release 4.6

12-7

SNMP

Configuration

USM/VACM Configuration

USM provides authentication and privacy services for SNMPv3. USM provides
improved security over SNMPv1 and SNMPv2 by adding encryption and synchronized
time indicators. Although USM uses cryptography to support the underlying protocol,
it is a plain-text service and does not provide the level of data confidentiality or
protection required by FIPS-2. Consequently, it should be treated like any other plain-
text service port.

USM uses loosely synchronized, monotonically increasing time indicators to defend
against certain message stream modification attacks. Automatic clock synchronization
mechanisms based on the protocol itself are specified, so there is no dependence on
third-party time sources and their attendant security considerations.

VACM is an architecture for viewing and controlling users. VACM defines the access
control policy that determines which users can access which subset of MIB objects in
the Broadmore. VACM also defines the type of access (Read/Write) over a view.

The Broadmore organizes the USM/VACM into four tables or entities: Views, Users,
Groups, and Access. With each entity, the following actions are associated:

Edit – used to modify an existing User, View, Group or Access entry.

Copy – used to copy the information for an existing User, View, Group or Access
entry as a basis for a new one.

Delete – used to delete an existing User, View, Group or Access entry.

New – used to add a new User, View, Group or Access entry.

Validate Table – used to check table entries for consistency with other tables.
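The following is an added illustration, not the Broadmore's own configuration format: a small Python model of the four USM/VACM tables (Views, Users, Groups, Access), the "Validate Table" consistency check that flags entries referring to missing rows in other tables, and the VACM-style access decision that resolves user to group to access entry to view and then tests whether a requested OID falls within that view. All table contents and field names are constructed assumptions.

```python
# Toy model of the Views / Users / Groups / Access tables described above.
# Added example; the layout and names are assumptions, not the Broadmore's
# actual table format.

# Constructed sample tables (not taken from the manual).
VIEWS = {
    "all":    ["1.3.6.1"],         # whole internet subtree
    "system": ["1.3.6.1.2.1.1"],   # MIB-II system group only
}
USERS = {"monitor": "ro-group", "admin": "rw-group"}   # user -> group
GROUPS = {"ro-group": "read-only", "rw-group": "read-write"}  # group -> access entry
ACCESS = {                                              # access entry -> views
    "read-only":  {"read": "system", "write": None},    # no write view at all
    "read-write": {"read": "all",    "write": "all"},
}

def validate_tables(views, users, groups, access):
    """Cross-table consistency check, like 'Validate Table'. Returns a list of
    problems; an empty list means every reference resolves."""
    problems = []
    for user, group in users.items():
        if group not in groups:
            problems.append(f"user {user!r} references missing group {group!r}")
    for group, entry in groups.items():
        if entry not in access:
            problems.append(f"group {group!r} references missing access entry {entry!r}")
    for name, entry in access.items():
        for kind in ("read", "write"):
            view = entry.get(kind)
            if view is not None and view not in views:
                problems.append(f"access {name!r} {kind} view {view!r} does not exist")
    return problems

def oid_in_view(oid, subtrees):
    """An OID is in a view if some subtree is a prefix of it, compared
    arc by arc so that 1.3.6.1.2.1.1 does not match 1.3.6.1.2.1.10."""
    arcs = oid.split(".")
    return any(arcs[:len(s.split("."))] == s.split(".") for s in subtrees)

def is_allowed(user, op, oid, views=VIEWS, users=USERS, groups=GROUPS, access=ACCESS):
    """VACM-style decision: user -> group -> access entry -> view -> OID match.
    Anything that does not resolve is denied."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    entry = access.get(groups.get(users.get(user)))
    if entry is None or entry[op] is None:
        return False
    return oid_in_view(oid, views[entry[op]])
```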

The Communities table supports the coexistence of SNMP v1, v2, and v3 access
described in RFC 2576. The Communities table supports v1/v2 get, set, and trap
requests within USM/VACM.

NOTE: When configuring USM/VACM, please note the consequences of selecting
certain “Storage Type” parameters in the tables. “Permanent” entries cannot be
deleted except by deleting the entire SNMP configuration and rebooting. “Read
Only” entries can only be edited or removed by deleting the entire SNMP
configuration and rebooting.
