Controlling SNMP access

When allowing SNMP managers access to your system, consider the following:

  • Someone who can access your network with SNMP can gather information about your network. Information that you have hidden by using aliases and a domain-name server becomes available to the would-be intruder through SNMP. Additionally, an intruder might use SNMP to alter your network configuration and disrupt your communications. 
  • SNMPv3 is recommended because it provides enhanced security over SNMPv1. By default, the IBM® i SNMP agent supports only SNMPv3.
  • SNMPv1 relies on a community name for access. If SNMPv1 must be used, the Allow SNMPv3 (ALWSNMPV3) parameter of the Change SNMP Attributes (CHGSNMPA) command can be changed to allow SNMPv1. Conceptually, the SNMPv1 community name is similar to a password. The community name is not encrypted and is therefore vulnerable to packet sniffing. Use the Add Community for SNMP (ADDCOMSNMP) command to set the manager internet address (INTNETADR) parameter to one or more specific IP addresses instead of *ANY. You can also set the Object access (OBJACC) parameter of the ADDCOMSNMP or CHGCOMSNMP commands to *NONE to prevent the managers in a community from accessing any Management Information Base (MIB) objects. Setting OBJACC to *NONE is intended only as a temporary measure to deny access to the managers in a community without removing the community. In addition, community names that are easily guessable, such as "public", should never be used.
  • SNMPv3 allows SNMP access based on the configuration of SNMPv3 users. These users are not the same as an IBM i user profile. The authentication and privacy protocols used by SNMPv3 provide enhanced security over SNMPv1. To use SNMPv3, prompt the CHGSNMPA command to ensure that the Allow SNMPv3 support (ALWSNMPV3) parameter is not set to *NO. Then use the Configure TCP/IP SNMP (CFGTCPSNMP) command to work with and configure SNMPv3 users. The Add User for SNMP (ADDUSRSNMP), Change User for SNMP (CHGUSRSNMP), and Remove User for SNMP (RMVUSRSNMP) commands can also be used to configure SNMPv3 users. Refer to the ADDUSRSNMP command help text for information regarding the supported authentication and privacy protocols.
  • IBM i SNMPv3 View-based Access Control Model (VACM) support provides the ability to define rules that restrict which information is available to individual SNMPv3 users. The VACM rules can only be viewed or configured by an IBM i user profile that has *IOSYSCFG special authority. An option to view and configure VACM rules is available with the CFGTCPSNMP command and by using the Add VACM for SNMP (ADDVACSNMP), Change VACM for SNMP (CHGVACSNMP), and Remove VACM for SNMP (RMVVACSNMP) commands. IBM i does not allow the VACM information to be retrieved or changed using SNMP requests. Also, on IBM i, VACM rules do not affect SNMPv1 communications. If VACM is to be used to restrict SNMP access to system information, only SNMPv3 should be allowed on IBM i. This can be done by using the CHGSNMPA command to change the ALWSNMPV3 parameter to either *V3AGENT or *V3ONLY.
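The following CL sequence is an added example, not taken from the IBM documentation, that applies the community-restriction and SNMPv3-only steps described above. The community name MONITORING, the manager address 192.0.2.10, and the COM parameter name used for the community on ADDCOMSNMP and CHGCOMSNMP are assumptions; the other parameters and values are the ones named in this page.

```cl
/* Added example (not IBM's own text). Assumed values: the community      */
/* name MONITORING, the manager address 192.0.2.10, and the COM parameter */
/* name for the community on ADDCOMSNMP/CHGCOMSNMP.                        */

/* Weak starting point, shown as comments: SNMPv1 only, with a guessable  */
/* community that any manager address may use.                             */
/*   CHGSNMPA ALWSNMPV3(*NO)                                               */
/*   ADDCOMSNMP COM('public') INTNETADR(*ANY)                              */

/* Step 1: if an SNMPv1 community must remain, give it a non-guessable    */
/* name and restrict it to one specific manager address instead of *ANY.  */
ADDCOMSNMP COM('MONITORING') INTNETADR('192.0.2.10')

/* Step 2: temporarily deny that community access to all MIB objects      */
/* without removing it (for example while investigating suspect traffic). */
CHGCOMSNMP COM('MONITORING') OBJACC(*NONE)

/* Step 3: once SNMPv3 users and VACM rules are configured, accept only   */
/* SNMPv3 so the VACM rules cannot be bypassed by SNMPv1 requests.         */
CHGSNMPA ALWSNMPV3(*V3ONLY)
```

Prompt CHGSNMPA after the change to confirm ALWSNMPV3 shows *V3ONLY before relying on VACM for access restriction.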