Snmp management, Ssh (secure shell) management, Snmpv3 secure management – Proxim ORiNOCO AP-700 User Manual

Introduction

AP-700 User Guide

Management and Monitoring Capabilities

16

SNMP Management

In addition to the HTTP and the CLI interfaces, you can also manage and configure an AP using the Simple Network Management Protocol
(SNMP). Note that this requires an SNMP manager program, like HP Openview or Castlerock’s SNMPc. The AP supports several
Management Information Base (MIB) files that describe the parameters that can be viewed and/or configured over SNMP:
•

MIB-II (RFC 1213)

•

Bridge MIB (RFC 1493)

•

Ethernet-like MIB (RFC 1643)

•

802.11 MIB

•

ORiNOCO Enterprise MIB

Proxim provides these MIB files on the CD-ROM included with each Access Point. You need to compile one or more of the above MIBs into
your SNMP program’s database before you can manage an Access Point using SNMP. Refer to the documentation that came with your
SNMP manager for instructions on how to compile MIBs.
The Enterprise MIB defines the read and read-write objects that can be viewed or configured using SNMP. These objects correspond to most
of the settings and statistics that are available with the other management interfaces. Refer to the Enterprise MIB for more information; the
MIB can be opened with any text editor, such as Microsoft Word, Notepad, or WordPad.

SNMPv3 Secure Management

SNMPv3 is based on the existing SNMP framework, but addresses security requirements for device and network management.
The security threats addressed by Secure Management are:
•

Modification of information: An entity could alter an in-transit message generated by an authorized entity in such a way as to effect
unauthorized management operations, including the setting of object values. The essence of this threat is that an unauthorized entity
could change any management parameter, including those related to configuration, operations, and accounting.

•

Masquerade: Management operations that are not authorized for some entity may be attempted by that entity by assuming the identity of
an authorized entity.

•

Message stream modification: SNMP is designed to operate over a connectionless transport protocol. There is a threat that SNMP
messages could be reordered, delayed, or replayed (duplicated) to effect unauthorized management operations. For example, a message
to reboot a device could be copied and replayed later.

•

Disclosure: An entity could observe exchanges between a manager and an agent and thereby could learn of notifiable events and the
values of managed objects. For example, the observation of a set command that changes passwords would enable an attacker to learn
the new passwords.

To address the security threats listed above, SNMPv3 provides the following when secure management is enabled:
•

Authentication: Provides data integrity and data origin authentication.

•

Privacy (a.k.a Encryption): Protects against disclosure of message payload.

•

Access Control: Controls and authorizes access to managed objects.

The default SNMPv3 username is administrator, with SHA authentication, and DES privacy protocol.

SSH (Secure Shell) Management

You may securely also manage the AP using SSH (Secure Shell). The AP supports SSH version 2, for secure remote CLI (Telnet) sessions.
SSH provides strong authentication and encryption of session data.
The SSH server (AP) has host keys - a pair of assymetric keys - a private key that resides on the AP and a public key that is distributed to
clients that need to connect to the AP. As the client has knowledge of the server host keys, the client can verify that it is communicating with
the correct SSH server.

NOTE

The remainder of this guide describes how to configure an AP using the HTTP Web interface or the CLI interface. For information on
how to manage devices using SNMP or SSH, refer to the documentation that came with your SNMP or SSH program. Also, refer to
the MIB files for information on the parameters available via SNMP and SSH.