2 Replies Latest reply on Jan 5, 2009 8:43 PM by r0berth1

    SNMP Read/Write and security

      Hello everyone, and Happy New Year! :)

       

      We are in the process of rolling out VOIP monitor to watch the VOIP network.  As a part of the setup, Orion wants me to put in the Read/Write community string so it can set up IP SLA.  Our network services department is concerned that if the R/W string is entered in the Orion System Manager that any user will be able to disable/enable interfaces in the Web Console at will.  From what I've seen, if toolset integration is enabled for a user, you do indeed have that option, but you still have to supply the R/W string, so I don't see that as an issue.

       

      What I need to know is: if I enter R/W strings for all of our VOIP routers, will that expose any management functionality to non-admin users through the web interface?  I can't seem to get a good answer from the manual.

        • Re: SNMP Read/Write and security
          RSimmons

          Hello,

          Orion's handling of community strings is quite secure; by default the web console will not reveal these to users. However, there is an option within the System Manager advanced settings to show "Secure data on web" - if this and the Toolset Integration is enabled on an account, then the web console will reveal the community string on request. Otherwise, as you say, with just toolset integration enabled the user will be prompted to provide the string.

          Some equipment does provide the facility to set an ACL on the SNMP string, so you could restrict that string to only handle IP SLAs - might be worth checking if there is such a thing for your kit!

          Hope this answers your question.

          Cheers,

          Robert.
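
The restriction suggested in the reply above, sketched as Cisco IOS configuration; this is an added example, not part of the original thread and not SolarWinds' own guidance. It assumes Cisco IOS routers and that the poller needs write access only to the CISCO-RTTMON-MIB subtree (IP SLA); 192.0.2.10 and the community strings are placeholders.

```cisco
! Constructed example. 192.0.2.10 stands in for the Orion server;
! <RO-STRING> and <RW-STRING> are placeholders for your own strings.
!
! Only the monitoring server may speak SNMP to this router.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! SNMP view exposing only the IP SLA MIB (CISCO-RTTMON-MIB,
! 1.3.6.1.4.1.9.9.42). ifAdminStatus (1.3.6.1.2.1.2.2.1.7, IF-MIB)
! is outside this view, so this community cannot shut or enable
! interfaces even if the string leaks.
snmp-server view IPSLA-ONLY 1.3.6.1.4.1.9.9.42 included
!
! Read-only community for normal polling, limited by ACL 10.
snmp-server community <RO-STRING> RO 10
!
! Read/write community limited to the IP SLA view and to ACL 10.
snmp-server community <RW-STRING> view IPSLA-ONLY RW 10
```

If IP SLA setup fails with this view, the poller is writing to an OID outside it (an assumption worth testing on one router before rollout); `show snmp view` and `show snmp community` confirm what each string can reach.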

          • Re: SNMP Read/Write and security
            r0berth1

            You can choose to not display the community string in the Orion settings, which should eliminate your concerns. Also, you can create limited user accounts in Orion that don't have the ability to change anything, just view. I have close to 1000 devices and almost 2000 interfaces set up in Orion that everyone can view, but I have the setup to view only. In other words, make them use the web console, not the Orion System Manager. All of your admin, setup...etc. can be done from there.

            So, to answer your question: NO, it will not if you take the time and effort to correctly set up the user rights and views in the web console (web interface).