Controlling SNMP access

If you want to allow SNMP managers to access your system, you need to be aware of some security issues.

  • Someone who can access your network with SNMP can gather information about your network. Information that you have hidden by using aliases and a domain-name server becomes available to the would-be intruder through SNMP. Additionally, an intruder might use SNMP to alter your network configuration and disrupt your communications.
  • SNMP relies on a community name for access. Conceptually, the community name is similar to a password, but it is not encrypted and is therefore vulnerable to sniffing. Use the Add Community for SNMP (ADDCOMSNMP) command to set the manager internet address (INTNETADR) parameter to one or more specific IP addresses instead of *ANY. You can also set the OBJACC parameter of the ADDCOMSNMP or CHGCOMSNMP command to *NONE to prevent the managers in a community from accessing any MIB objects. Setting OBJACC to *NONE is intended as a temporary measure that denies access to the managers in a community without removing the community itself.
  • As of IBM® i 7.1, a network administrator can restrict access to MIB objects based on user names. In addition, the SNMP server supports authentication and privacy of messages. To increase security, the SNMP agent can use the HMAC-MD5 and HMAC-SHA protocols for message authentication and the CBC-DES encryption protocol for privacy when communicating with a network management system or another agent. To enable authentication and privacy, use the Configure TCP/IP SNMP (CFGTCPSNMP) command to work with the users and their objects based on a community name. Before doing so, use the Change SNMP Attributes (CHGSNMPA) command, specifying *YES for the ALWSNMPV3 parameter, to enable SNMPv3 features.
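The following CL sequence is an added example, not taken from the IBM documentation, showing the weak community setting beside the restricted one and the SNMPv3 enablement step described above. The community names and the manager addresses are constructed values, and the COM parameter (the community name on ADDCOMSNMP and CHGCOMSNMP) is assumed; INTNETADR, OBJACC and ALWSNMPV3 are the parameters named in the text.

```cl
/* Added example; community names and addresses are constructed, COM is assumed. */

/* Weak: any manager that learns the (cleartext) community name can read MIB objects. */
ADDCOMSNMP COM('public') INTNETADR(*ANY)

/* Restricted: only the two named management stations may use this community. */
ADDCOMSNMP COM('mgmt-ro') INTNETADR('192.0.2.10' '192.0.2.11')

/* Temporarily deny all MIB access for the community without deleting it,
   for example while a management station is being rebuilt. */
CHGCOMSNMP COM('mgmt-ro') OBJACC(*NONE)

/* Enable SNMPv3 so that per-user authentication (HMAC-MD5/HMAC-SHA) and
   privacy (CBC-DES) can be configured; the user definitions themselves are
   then done through the CFGTCPSNMP menu. */
CHGSNMPA ALWSNMPV3(*YES)
CFGTCPSNMP
```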