Liebe NV-L-ers,
-> It is possible to reboot any device in any Netview map for which you
-> have a read-write community in the ovsnmp database if that device has a
-> read-write snmp variable that will trigger it. It has nothing to do
-> with Nways. You can do the same through the mib browser. It's the (lack
-> of) security function in SNMPv1.
I'd like to add my humble comments to this. When I first
familiarised myself with Netview security, I noted that each user
can have any of several security permissions (eg. "r", "w", "x"
or presumably others) for each application supporting the NV security
API. It took awhile for me to realise that for most (all?)
such applications, there is no fine-level control of function based on
this capability.
What I would have loved would be for Netview applications to
refuse to use or divulge the read-write community to users with
only "r" (read) permission, but happily use/divulge it for users with
"w" (write) permission. But I haven't ever known any app to do this
sort of thing, and as Jim points out it's pretty pointless if
xnmbrowser is willing to do anything for anybody with a modicum of
security clearance. Has anyone's mileage varied?
To my discredit, I've never thought this through enough
to justify making it a formal request or requirement to send to
Tivoli's Official Black Hole Requirements Address.
-> Until you get IPsec and SNMPv3, this will continue to be the case. My
-> suspicion is that you'll begin to see these on hardware devices and
-> hardware management applications (whether or not they're in Netview) by
-> the end of the year. (My opinion only, not an IBM announcement).
Such promising new technology likely makes obsolete my
ideas of better using the old security mechanism.
John Dorsey
|