topic Re: SNMP and SIM in Server Management - Systems Insight Manager

SNMP and SIM

Bill L'Hotta — Fri, 02 Dec 2005 19:21:08 GMT

Is there a way to deploy SIM without enabling SNMP on every server you want to view at the SIM console? Our security staff doesn't allow us to enable SNMP.

Thanks in advance.

Re: SNMP and SIM

Aravindh Rajaram — Sat, 03 Dec 2005 04:38:50 GMT

make use of WBEM/WMI. you can get a reasonable amount of data.

Re: SNMP and SIM

Safi — Sat, 03 Dec 2005 06:03:15 GMT

If the problem is security u can define the snmp service to be private(only the group u define can see it).
Any other way(WMI,NTPerfmon,COda) won't get u hardware data.

Re: SNMP and SIM

Rob Buxton — Sun, 04 Dec 2005 19:09:04 GMT

It's not going to be easy.

SNMP can be made a lot more secure, having a blanket policy of the type described on an internal network would be quite restrictive.

SNMP can be configured to only allow connections from selected hosts and you can dispense with the default community names and create your own.
You only need a Read Only SNMP name to get a lot of functionality.

I've heard a few people say SNMP is not secure, but I've never found a definitive reference that says why.

Re: SNMP and SIM

David Claypool — Mon, 05 Dec 2005 01:52:24 GMT

Ask the network infrastructure people if they are allowed to use SNMP and I'll bet the answer is yes.

Re: SNMP and SIM

Stefan Laemmer — Mon, 05 Dec 2005 08:10:00 GMT

Rob:
SNMP & Security: SNMP sends it's requests and answers unencrypted over the wire, so if you have someone sniffing the wire they'll "see" the community, passwords etc. Thats why it's considered unsecured..

Re: SNMP and SIM

David Claypool — Mon, 05 Dec 2005 09:32:51 GMT

Stefan:

First of all, in a corporate LAN environment (not outside the firewall on the wide open Internet), if you have people sniffing your wire, you have a bigger problem than SNMP.

SNMP in and of itself is not evil. HP SIM uses it in a controlled and relatively 'safe' fashion:

- Only read operations are performed by HP SIM using SNMP (any write operation is performed using an HTTP connection with SSL)

- Additionally, the HP Management Agents use SNMP for sending events as SNMP traps

- While the HP Insight Management Agents require a local write string, it is only used for intra-agent communication--it is never used across the wire

If sniffing SNMP tells you a system's community string which lets you discover a system is running Windows or has 512MB of memory, it is not a very useful item of information to cause harm...