Server Management - Systems Insight Manager

Set wbem in order to replace less secure SNMP protocol

 
Pagnotta
Frequent Advisor

Set wbem in order to replace less secure SNMP protocol

Dear All,

I'm trying to set up WBEM in order to replace SNMP, which is a less secure protocol (no authentication at all). Here is how I started for testing:

1. Installation of WBEM mapper on a system (downloaded from HP web site, "Pegasus WMI Mapper")
2. Checked that the service is listening on 5989
3. Tried to stop the SNMP service, without success because HP services are dependent on the SNMP service. I changed the community string in order to prevent an SNMP exchange
4. I simulated a hardware problem, removing one disk of a RAID array

At that point I expected the simulated hardware problem to show up in the HP SIM CMS console... surprise, the hardware problem doesn't appear... The "Hardware Status Polling Task" runs every five minutes (default).

Can anyone help me? Is it really possible to get rid of the SNMP protocol?

Regards
Angelo
6 REPLIES
David Claypool
Honored Contributor

Re: Set wbem in order to replace less secure SNMP protocol

Since you say you got it from the HP web site, I'm assuming that you're talking about "HP WBEM Services for Linux" for either ProLiant or Integrity?

If you're working with a ProLiant running Linux, eliminating SNMP is not practical at this time. HP SIM expects to be able to gather data, status poll and receive events via SNMP. WBEM Services has not yet been instrumented for all of the features present in ProLiant servers and the Linux WBEM services do not yet send "WBEM Indications," which is the WBEM equivalent of SNMP traps.

Much hoo-haw has been made about SNMP and its relative lack of security stemming from the community string being passed in clear text as well as the data. However, keeping this in mind, our management communications are like spies in the field: don't communicate anything of value over an un-secured line. That's why HP SIM uses secure HTTPS for important operations such as software/firmware updates, agent configuration tasks, replicating disk thresholds and the like.

HP SIM needs only a read community string (although the agents need a read/write community string to be present for inter-agent communication, but that r/w string never goes out over the wire). Best practice also dictates that it's best to set your SNMP service to respond to requests made by localhost and the HP SIM server so other systems cannot do SNMP gets without authorization. Additionally, the new System Management Homepage 2.0 (due out with the 7.2 PSP and also distributed with HP SIM 4.2) strengthens security by going from built-in accounts to OS accounts and adding the ability to selectively bind to an IP address.

If you are inside your firewall and you're worried about a hacker sniffing your network, you've got bigger problems than SNMP. If you're outside the firewall on the internet, we don't recommend loading any management software on an unprotected system; that's just inviting a DoS attack.
Rob Buxton
Honored Contributor

Re: Set wbem in order to replace less secure SNMP protocol

I tend to agree with David, tightening up SNMP is fairly simple.
You can restrict which hosts can communicate. You can remove the default public and private community names and create your own. Note SNMP Community names are case sensitive so there's quite a bit of room for invention.
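
The hardening described in the two replies above (no default community names, queries answered only for localhost and the HP SIM server), as an added example that is not part of the thread: a check over Net-SNMP style `rocommunity`/`rwcommunity` lines. The Linux agent config format, the sample file and the addresses are assumptions of the example.

```python
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}  # case variants stay guessable too
LOCAL = ("localhost", "127.0.0.1")

SAMPLE_CONF = """\
# constructed sample, not taken from a real host
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity S1m-Read0nly 192.0.2.10
rwcommunity Ag3nt-Local localhost
"""

def check_source(source, allowed):
    """Return a problem string for a SOURCE field, or None if acceptable."""
    if source == "default":
        return "answers requests from any host"
    if source == "localhost":
        source = "127.0.0.1"
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return f"source '{source}' is a hostname; resolve and review it by hand"
    if net.num_addresses > 1:
        return f"source {net} is a whole subnet, not a single manager"
    if net.network_address not in allowed:
        return f"source {net.network_address} is not an approved manager"
    return None

def audit_snmpd_conf(text, allowed_sources):
    """Return (line_no, message) findings for rocommunity/rwcommunity lines."""
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("rocommunity", "rwcommunity"):
            continue
        directive, community = fields[0], fields[1]
        source = fields[2] if len(fields) > 2 else "default"  # no SOURCE = any host
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community name '{community}'"))
        problem = check_source(source, allowed)
        if problem:
            findings.append((no, problem))
        if directive == "rwcommunity" and source not in LOCAL:
            findings.append((no, "read-write community reachable beyond localhost"))
    return findings

if __name__ == "__main__":
    for line_no, msg in audit_snmpd_conf(SAMPLE_CONF, ["127.0.0.1", "192.0.2.10"]):
        print(f"line {line_no}: {msg}")
```
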
Pagnotta
Frequent Advisor

Re: Set wbem in order to replace less secure SNMP protocol

Thanks for your suggestions. I'm using Windows NT4.0, 2000 and 2003. Is it possible for those OS to replace SNMP by WBEM?

Which tasks on HP SIM need an SNMP write community string?

Regards
David Claypool
Honored Contributor

Re: Set wbem in order to replace less secure SNMP protocol

"I'm using Windows NT4.0, 2000 and 2003. Is it possible for those OS to replace SNMP by WBEM?"

The same issues apply for Windows' implementation of WBEM, WMI.

"Which tasks on HP SIM need an SNMP write community string?"

HP SIM needs only a read community string (although the agents need a read/write community string to be present for inter-agent communication, but that r/w string never goes out over the wire).
Pagnotta
Frequent Advisor

Re: Set wbem in order to replace less secure SNMP protocol


When you say that the write community string never goes on the wire, does this mean that it travels through HP agents that use HTTPS using port 2381?

Is it possible to get a white paper or such describing all the agents used on HP systems, I mean storage, NIC, web, diagnostics server, event, foundation, and so on... and the communication protocols used by those agents? I need this because on our network there is a will to identify and restrict the communication between systems and I have to know exactly what is doing what with HP Agents and HP SIM.

Regards
Angelo
David Claypool
Honored Contributor

Re: Set wbem in order to replace less secure SNMP protocol

The information you are looking for will be found in these 2 documents:

"Managing HP servers through firewalls with HP Systems Insight Manager" and "Understanding HP Systems Insight Manager Security"

from http://www.hp.com/go/hpsim --> Information Library