
Re: Need customer input: SNMP vs WBEM

Brad Klein
Advisor

Need customer input: SNMP vs WBEM

We are investigating data provider technologies to use in the
Pay-per-use (PPU) program. In this program, an HP Utility Meter
will periodically poll PPU systems for usage information to be
used as the basis for billing the customer for use of the PPU
systems.

Both the PPU system(s) and the HP Utility Meter reside on the
customer's network behind the customer's firewall.

We would like feedback on the viability of two different
data provider technologies: SNMP and WBEM.

There are different versions of SNMP: version 1 & 2 which are
less secure, and version 3 which is more secure.

WBEM uses secure HTTP as its transport.

For communication originating from the HP Utility Meter,
gathering usage data from PPU systems, and occurring entirely
behind your own firewall,

1. Which of these technologies would you feel most comfortable
with if the communication only took place inside your
firewall?

2. What concerns would you have with either technology?

3. Would either technology be easier to get approved by your
security team?

4. Which one best fits your network configuration?

5. What level of trust do you have in the integrity of your
own intranet? In other words, how necessary is it that
communications behind your firewall be:
a. confidential?
b. spoof proof?
c. other?

6. Any other concerns related to data provider technologies
and protocols?

Thanks for your help!
6 REPLIES
Steven Sim Kok Leong
Honored Contributor
Solution

Re: Need customer input: SNMP vs WBEM

Hi,

>> Both the PPU system(s) and the HP Utility Meter reside on the customer's network behind the customer's firewall.

For the HP Utility Meter, I would think of implementing a host-based firewall (such as IPFilter/9000 or at least tcpwrappers) and IDS (such as IDS/9000 or snort), in addition to the network-based firewall already protecting both the Utility Meter and PPUs. This is to reduce the risk of the HP Utility Meter being used as a launchpad to compromise the PPUs.

>> 1. Which of these technologies would you feel most comfortable with if the communication only took place inside your firewall?

>> 2. What concerns would you have with either technology?

Is it read-only access (snmpget, http-get)? Is write access (snmpset, http-put etc) required?

What authentication protocol and encryption protocol is used in snmp v3 or https?

For the authentication portion, snmp v3 supports HMAC-MD5-96 (truncated 96 bits) and HMAC-SHA-96 (truncated 96 bits). This is less than the 160-bits used in SHA1 by SSL in https. For the encryption portion, it used to support just DES-CBC. DES-CBC is weak as compared to triple-DES supported by SSL in https. I do not know if there is a stronger encryption algorithm currently used in snmp v3.

Both have anti-replay and anti-traffic-analysis features but I don't recall both having any anti-DoS features.

It would appear at first glance to me that snmp v3 still uses UDP and uses weaker encryption. I would think that snmp v3 wants decent security without degrading performance to a great extent.

>> 3. Would either technology be easier to get approved by your security team?

It really depends on the security policies. I don't think it is a big concern in my environment whether snmp v3 or https is used.

>> 4. Which one best fits your network configuration?

On my site, we are already using snmpget via MRTG to poll performance and other health statistics. Thus, I would think that snmp v3 fits the bill as long as it is only read-only access.

Thus, it really depends on whether write-access is allowed.

>> 5. What level of trust do you have in the integrity of your own intranet? In other words, how necessary is it that communications behind your firewall be:

>> a. confidential?

Depends on the network. A controlled switched network behind the network-based firewall can hardly be sniffed.

>> b. spoof proof?

It depends on the switch's physical security and the network-based firewall's anti-spoofing ability at its interfaces.

If the switch is exposed physically or the network-based firewall does not perform anti-spoofing, then I would think a PKI based on certificates (such as SSL certificates) would be important to prevent PPU or utility-meter spoofing.

My 2 cents. Hope this helps. Regards.

Steven Sim Kok Leong
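
An added example, not part of the original post: how the HMAC-SHA-96 authentication mentioned above is derived under the SNMPv3 User-based Security Model (RFC 3414), including password-to-key localization and the truncation from 160 to 96 bits. The password and engine ID are the RFC's sample values; the message bytes are constructed for illustration and are not real BER-encoded SNMP.

```python
import hashlib
import hmac

ZERO_TAG = bytes(12)  # msgAuthenticationParameters is zeroed while the MAC is computed


def password_to_key_sha1(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2: stretch the password to 1 MiB, hash it, then localize."""
    if not password:
        raise ValueError("empty password")
    reps = 1048576 // len(password) + 1
    ku = hashlib.sha1((password * reps)[:1048576]).digest()
    # Localizing binds the key to one agent, so one stolen key is not site-wide.
    return hashlib.sha1(ku + engine_id + ku).digest()


def hmac_sha_96(key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA1 yields 20 bytes (160 bits); USM keeps only the first 12 (96 bits)."""
    return hmac.new(key, whole_msg, hashlib.sha1).digest()[:12]


def sign(key: bytes, msg: bytes, tag_offset: int) -> bytes:
    """Sender: MAC the message with a zeroed tag field, then fill the field in."""
    if msg[tag_offset:tag_offset + 12] != ZERO_TAG:
        raise ValueError("tag field must be 12 zero bytes before signing")
    tag = hmac_sha_96(key, msg)
    return msg[:tag_offset] + tag + msg[tag_offset + 12:]


def verify(key: bytes, msg: bytes, tag_offset: int) -> bool:
    """Receiver: zero the tag field, recompute, compare in constant time."""
    received = msg[tag_offset:tag_offset + 12]
    zeroed = msg[:tag_offset] + ZERO_TAG + msg[tag_offset + 12:]
    return hmac.compare_digest(received, hmac_sha_96(key, zeroed))


# Sample values from RFC 3414 A.3.2; HEADER and the payload are constructed.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KEY = password_to_key_sha1(b"maplesyrup", ENGINE_ID)
HEADER = b"constructed-header|"
UNSIGNED = HEADER + ZERO_TAG + b"|get usage-counter"
SIGNED = sign(KEY, UNSIGNED, len(HEADER))

if __name__ == "__main__":
    print("localized key:", KEY.hex())
    print("96-bit tag   :", SIGNED[len(HEADER):len(HEADER) + 12].hex())
    print("verifies     :", verify(KEY, SIGNED, len(HEADER)))
```
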
melvyn burnard
Honored Contributor

Re: Need customer input: SNMP vs WBEM

bump to top
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Steven Sim Kok Leong
Honored Contributor

Re: Need customer input: SNMP vs WBEM

Hi,

I read from the Singapore Straits Times Papers an extract from Bloomberg New York News that "IBM has unveiled a PPU service to manage client's computers or software remotely, letting companies that are short-handed buy data skills on a per-usage basis."

The header of the article states "Service is via Web, and client pays per use, as with electricity". So it is via WBEM rather than SNMP.

The article also says "The new service uses software and data encryption to control clients' systems via the Internet from an IBM data centre" ... "Among the services offered are security and virus alerts, balancing of capacity, managing software and databases, managing websites, backing up and restoring data and managing data-storage systems".

Initially, I wasn't exactly sure what PPU does at the higher level. Now that I know what it does, I will have greater reservations about it, especially with regard to confidential and sensitive data.

A major concern is that of over-empowering the vendor. I think that this increases the reliance of the customer on the vendor.

No, I personally will not look forward to allowing sensitive and/or critical data/information of the company to be remotely managed by external parties, even with an NDA.

As such, one enhancement I think would be important to PPU is a strong audit trail that cannot be altered by the vendor. This audit trail should be managed by the customers (thus empowering them) and should oversee and limit superuser privileges; also, the audit trail software should preferably come from an independent software company.

Just my 2 cents. Hope this helps. Regards.

Steven Sim Kok Leong
Jeff Schussele
Honored Contributor

Re: Need customer input: SNMP vs WBEM

Hi Steven,

Well.. I think you pretty well nailed it....how can you GUARANTEE security/performance if you give the potential fox the run of the hen house?
No thanks..not for me..I'll run my shop thank you.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
harry d brown jr
Honored Contributor

Re: Need customer input: SNMP vs WBEM

Brad,

Any kind of information that is transmitted out of my site is always a security issue.

We would have to be assured, beyond the shadow of a doubt, that that information is SECURE and is only being used for its original intent. The information, exactly what and how HP would receive it, we would want the exact same capability. The information would also have to be available via a secured HP site.

We would also require that the information be ONLY used for billing and not any marketing or sales programs. Basically it boils down to that the information would ONLY be used for billing and absolutely NOTHING else!

Also, the amount of network traffic would have to be measurably small.

I have no clue what WBEM is, but I guess I could go dig some info up on it.

live free or die
harry
Live Free or Die
Bill McNAMARA_1
Honored Contributor

Re: Need customer input: SNMP vs WBEM


If this is related to ICOD, well I'd much rather not participate at all..
by the time I'm thinking of activating them, it's usually time to upgrade them in any case.

Some cu's (such as banks for example) won't even consider it at all no matter which protocol you used... most of them anyway have 4hour response contracts.. what really is the advantage?

Bill
It works for me (tm)