HP-ICF-SECURITY DEFINITIONS ::= BEGIN IMPORTS Integer32, IpAddress, TimeTicks, OBJECT-TYPE, MODULE-IDENTITY FROM SNMPv2-SMI DisplayString, RowStatus FROM SNMPv2-TC MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF hpicfObjectModules, icfSecurity FROM HP-ICF-OID InetAddress, InetAddressType, InetAddressPrefixLength FROM INET-ADDRESS-MIB; icfSecurityMib MODULE-IDENTITY LAST-UPDATED "200710010903Z" -- October 01, 2007 ORGANIZATION "Hewlett Packard Company, Network Infrastructure Solutions" CONTACT-INFO "Hewlett Packard Company 8000 Foothills Blvd. Roseville, CA 95747" DESCRIPTION "This MIB module describes objects for managing the SNMPv1 authorization configuration for devices in the HP Integrated Communication Facility product line." REVISION "200803050900Z" -- March 05, 2008 DESCRIPTION "Added icfAuthIPMgrAccessMethod." REVISION "200710010903Z" -- October 01, 2007 DESCRIPTION "Deprecated icfAuthIPMgrAddress and icfAuthIPMgrMask." REVISION "200301090112Z" -- January 9, 2003 DESCRIPTION "Deprecated icfCommunityTable and icfAuthMgrTable." REVISION "200011030756Z" -- November 3, 2000 DESCRIPTION "Added icfAuthIPMgrTable. Updated division name." REVISION "9609100200Z" -- September 10, 1996 DESCRIPTION "Updated division name in ORGANIZATION clause." REVISION "9601250356Z" -- October 25, 1996 DESCRIPTION "Split this MIB module from the former monolithic hp-icf MIB. Added the SNMP community group." REVISION "9307090000Z" -- July 9, 1993 DESCRIPTION "Initial version of this MIB module." ::= { hpicfObjectModules 1 } -- The HP ICF Security Group. This group contains objects for -- configuring SNMPv1 (non)security for this agent. icfSecurPassword OBJECT-TYPE SYNTAX DisplayString (SIZE (0..63)) MAX-ACCESS read-write STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* This variable contains a string which is used both as the community name for the password community, and as the login password for the console port. This community name is needed for most SET operations. In addition, the variables in the ICF security group are only visible within the password community, and must use the value of this variable as the community name for GET operations. If the value of this variable is equal to the null string, the community name 'public' or the null string will be treated the same as the password community. This object has been deprecated. Its functionality has been replaced by the icfCommunityTable." ::= { icfSecurity 1 } icfSecurAuthAnyMgr OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2) } MAX-ACCESS read-write STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* When this variable is set to enabled, any manager with a valid community name may perform SET operations on this device. In this configuration, entries in the icfSecurAuthMgrTable are used only for trap destinations. If this variable is set to disabled, a manager must be in the icfSecurAuthMgrTable and have a valid community name in order to perform SET operations. This object has been deprecated. Its functionality has been replaced by the icfAuthMgrTable." ::= { icfSecurity 2 } icfSecurAuthMgrTable OBJECT-TYPE SYNTAX SEQUENCE OF IcfSecurAuthMgrEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* This table contains a list of addresses of managers that are allowed to perform SET operations on this device, and controls the destination addresses for traps. If icfSecurAuthAnyMgr is set to disabled, a manager must be in this table and use the correct community name for the password community in order to perform a GET operation on this table. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." ::= { icfSecurity 3 } icfSecurAuthMgrEntry OBJECT-TYPE SYNTAX IcfSecurAuthMgrEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* An entry in the icfSecurAuthMgrTable containing information about a single manager. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." INDEX { icfAuthMgrIndex } ::= { icfSecurAuthMgrTable 1 } IcfSecurAuthMgrEntry ::= SEQUENCE { icfAuthMgrIndex Integer32, icfAuthMgrIpAddress IpAddress, icfAuthMgrIpxAddress OCTET STRING, icfAuthMgrRcvTraps INTEGER } icfAuthMgrIndex OBJECT-TYPE SYNTAX Integer32 (1..10) MAX-ACCESS read-only STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* This object contains the index which uniquely identifies this entry in the icfSecurAuthMgrTable. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." ::= { icfSecurAuthMgrEntry 1 } icfAuthMgrIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-write STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* The IP address of a manager that is allowed to manage this device. Setting this variable to a nonzero value will clear the corresponding instance of the icfAuthMgrIpxAddress variable. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." ::= { icfSecurAuthMgrEntry 2 } icfAuthMgrIpxAddress OBJECT-TYPE SYNTAX OCTET STRING (SIZE (10)) MAX-ACCESS read-write STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* The IPX address of a manager that is allowed to manage this device. Setting this variable to a valid IPX address will clear the corresponding instance of the icfAuthMgrIpAddress variable. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." ::= { icfSecurAuthMgrEntry 3 } icfAuthMgrRcvTraps OBJECT-TYPE SYNTAX INTEGER { enabled(1), disabled(2) } MAX-ACCESS read-write STATUS deprecated DESCRIPTION "********* THIS OBJECT IS DEPRECATED ********* If this variable is set to enabled, any traps generated by this device will be sent to the manager indicated by the corresponding instance of either icfAuthMgrIpAddress or icfAuthMgrIpxAddress, whichever is valid. This table has been deprecated. It is replaced by the icfAuthMgrTable. The trap destination functionality has been replaced by the hpicfTrapDestTable." ::= { icfSecurAuthMgrEntry 4 } -- icfSecurIntruder objects. When the agent detects an -- authentication failure, it records the violation in the -- following objects and in nonvolatile memory. It uses the -- icfSecurIntruderFlag as a throttle to prevent excessive -- nvram writes. icfSecurIntruder OBJECT IDENTIFIER ::= { icfSecurity 4 } icfSecurIntruderFlag OBJECT-TYPE SYNTAX INTEGER { valid(1), invalid(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "If this object is set to 'valid', the remainder of the intruder objects contain information about an authentication failure. The Security LED on the device will blink if this flag is set to 'valid'. The intruder objects will not be overwritten as long as this flag is set to 'valid'. Setting this flag to 'invalid' will turn off the Security LED if there are no other current violations, and will allow the intruder objects to be overwritten by subsequent authentication failures." ::= { icfSecurIntruder 1 } icfSecurIntruderIpAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-only STATUS current DESCRIPTION "The IP address of the manager that caused the authentication failure. Only one of icfSecurIntruderIpAddress and icfSecurIntruderIPXAddress will be valid." ::= { icfSecurIntruder 2 } icfSecurIntruderIpxAddress OBJECT-TYPE SYNTAX OCTET STRING (SIZE (10)) MAX-ACCESS read-only STATUS current DESCRIPTION "The IPX address of the manager that caused the authentication failure. Only one of icfSecurIntruderIpAddress and icfSecurIntruderIPXAddress will be valid." ::= { icfSecurIntruder 3 } icfSecurIntruderTime OBJECT-TYPE SYNTAX TimeTicks MAX-ACCESS read-only STATUS current DESCRIPTION "The value of sysUpTime when the authentication failure occurred. A value of 0 indicates that the agent has been reset since this authentication failure occurred." ::= { icfSecurIntruder 4 } -- The SNMP community group. Used for configuring SNMPv1 -- (non)security. Replaces the old icfSecurity group. icfCommunityTable OBJECT-TYPE SYNTAX SEQUENCE OF IcfCommunityEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* This table contains information about community names known by this agent." ::= { icfSecurity 5 } icfCommunityEntry OBJECT-TYPE SYNTAX IcfCommunityEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* An entry in the table, containing information about a single community name." INDEX { icfCommunityIndex } ::= { icfCommunityTable 1 } IcfCommunityEntry ::= SEQUENCE { icfCommunityIndex Integer32, icfCommunityName OCTET STRING, icfCommunityReadView INTEGER, icfCommunityWriteView INTEGER, icfCommunityStatus RowStatus } icfCommunityIndex OBJECT-TYPE SYNTAX Integer32 (1..65535) MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* Uniquely identifies this community name entry." ::= { icfCommunityEntry 1 } icfCommunityName OBJECT-TYPE SYNTAX OCTET STRING (SIZE(1..32)) MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* Community name this entry is about. Not allowed to have two active rows with the same community name." ::= { icfCommunityEntry 2 } icfCommunityReadView OBJECT-TYPE SYNTAX INTEGER { none(1), discovery(2), restricted(3), user(4), root(5) } MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* The MIB view used for read requests using this community name. One of the following: 'none' is the empty MIB view. 'discovery' has access to discovery objects, which will be enough to do an address search, send announce packets, and do a link test. This view also includes objects under the samplingProbe subtree. This view is typically used as a writeView for a community used by autodiscovery and autotopology applications. 'restricted' has access to a limited subset of the MIB, which includes monitoring objects and limited set of configuration objects. 'user' has access to everything except objects under the icfSecurity subtree. 'root' has access to everything, including the icfSecurity subtree." ::= { icfCommunityEntry 3 } icfCommunityWriteView OBJECT-TYPE SYNTAX INTEGER { none(1), discovery(2), restricted(3), user(4), root(5) } MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* The MIB view used for write requests using this community name. One of the following: 'none' is the empty MIB view. 'discovery' has access to discovery objects, which will be enough to do an address search, send announce packets, and do a link test. This view also includes objects under the samplingProbe subtree. This view is typically used as a writeView for a community used by autodiscovery and autotopology applications. 'restricted' has access to a limited subset of the MIB, which includes monitoring objects and limited set of configuration objects. 'user' has access to everything except objects under the icfSecurity subtree. 'root' has access to everything, including the icfSecurity subtree." ::= { icfCommunityEntry 4 } icfCommunityStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* Status of this entry." ::= { icfCommunityEntry 5 } icfAuthMgrTable OBJECT-TYPE SYNTAX SEQUENCE OF IcfAuthMgrEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* This table contains a list of manager addresses. Entries in this table are grouped by using a common value for icfCommunityIndex, that identifies the community name that the group of manager addresses has access to. A community name entry which has a set of entries in this table can only be used by requests originating from one of the addresses in the set. A community name entry which has no entries in this table can be used by requests originating from any address." ::= { icfSecurity 6 } icfAuthMgrEntry OBJECT-TYPE SYNTAX IcfAuthMgrEntry MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* An entry in the table, containing a single authorized manager address." INDEX { icfCommunityIndex, icfAuthMgrSubIndex } ::= { icfAuthMgrTable 1 } IcfAuthMgrEntry ::= SEQUENCE { icfAuthMgrSubIndex Integer32, icfAuthMgrAddrType INTEGER, icfAuthMgrAddress OCTET STRING, icfAuthMgrMask OCTET STRING, icfAuthMgrStatus RowStatus } icfAuthMgrSubIndex OBJECT-TYPE SYNTAX Integer32 (1..65535) MAX-ACCESS not-accessible STATUS deprecated DESCRIPTION "******************DEPRECATED******************* An index which uniquely identifies an address within a group." ::= { icfAuthMgrEntry 1 } icfAuthMgrAddrType OBJECT-TYPE SYNTAX INTEGER { ip(1), ipx(2) } MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* The network type for this entry." ::= { icfAuthMgrEntry 2 } icfAuthMgrAddress OBJECT-TYPE SYNTAX OCTET STRING (SIZE(4|10)) MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* The manager address for this entry, formatted according to the value of icfAuthMgrAddrType. When icfAuthMgrAddrType is 'ip', this value will consist of four octets, containing the IP address of the manager in network byte order. When icfAuthMgrAddrType is 'ipx', this value will consist of ten octets. The first four octets will contain the IPX network number in network byte order, and the remaining six octets will contain the IPX node number in network byte order." ::= { icfAuthMgrEntry 3 } icfAuthMgrMask OBJECT-TYPE SYNTAX OCTET STRING (SIZE(4|10)) MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* This object is used to qualify the value of the corresponding instance of icfAuthMgrAddress. The semantics of this object depend on the corresponding value of icfAuthMgrAddrType. When icfAuthMgrType is 'ip', this object can be used to allow access by all managers on a particular IP subnet. When icfAuthMgrType is 'ipx', this object can be used to allow access by all managers with a particular IPX network number." ::= { icfAuthMgrEntry 4 } icfAuthMgrStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS deprecated DESCRIPTION "******************DEPRECATED******************* Status of this entry." ::= { icfAuthMgrEntry 5 } icfAuthIPMgrTable OBJECT-TYPE SYNTAX SEQUENCE OF IcfAuthIPMgrEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table contains a list of IP manager addresses. This list is used grant or deny access to HTTP, telnet, and TFTP." ::= { icfSecurity 7 } icfAuthIPMgrEntry OBJECT-TYPE SYNTAX IcfAuthIPMgrEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry in the table containing a single IP authorized manager address." INDEX { icfAuthIPMgrIndex } ::= { icfAuthIPMgrTable 1 } IcfAuthIPMgrEntry ::= SEQUENCE { icfAuthIPMgrIndex Integer32, icfAuthIPMgrAddress IpAddress, icfAuthIPMgrMask IpAddress, icfAuthIPMgrAccess INTEGER, icfAuthIPMgrStatus RowStatus, icfAuthIPMgrInetAddrType InetAddressType, icfAuthIPMgrInetAddress InetAddress, icfAuthIPMgrInetAddrMaskType InetAddressType, icfAuthIPMgrInetAddrMask InetAddress, icfAuthIPMgrAccessMethod INTEGER } icfAuthIPMgrIndex OBJECT-TYPE SYNTAX Integer32 (1..65535) MAX-ACCESS not-accessible STATUS current DESCRIPTION "An index which uniquely identifies an address within the group." ::= { icfAuthIPMgrEntry 1 } icfAuthIPMgrAddress OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS deprecated DESCRIPTION "**************deprecated********************* The IP address of the authorized manager for this entry. This object is deprecated new object icfAuthIPMgr InetAddress has been defined to hold version neutral address type." ::= { icfAuthIPMgrEntry 2 } icfAuthIPMgrMask OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS deprecated DESCRIPTION "**************deprecated********************** This object qualifies the value of the corresponding instance of icfAuthIPMgrAddress. This object can be used to allow access by all managers on a particular IP subnet. This object is deprecated the new objects which are defined to hold this is value are icfAuthIPMgrInetAddrMaskType and icfAuthIPMgrInetAddrMask." ::= { icfAuthIPMgrEntry 3 } icfAuthIPMgrAccess OBJECT-TYPE SYNTAX INTEGER { operator(1), manager(2) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object defines the access level for a given manager. Operator allows for read only access, and Manager allows for read/write access." ::= { icfAuthIPMgrEntry 4 } icfAuthIPMgrStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "Status of this entry." ::= { icfAuthIPMgrEntry 5 } icfAuthIPMgrInetAddrType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "Specifies the type of address stored in icfAuthIPMgrInetAddress object." ::= { icfAuthIPMgrEntry 6 } icfAuthIPMgrInetAddress OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The IP address of the authorized manager for this entry.This object can hold the version neutral IP address." ::= { icfAuthIPMgrEntry 7 } icfAuthIPMgrInetAddrMaskType OBJECT-TYPE SYNTAX InetAddressType MAX-ACCESS read-create STATUS current DESCRIPTION "Specifies the type of IP Mask stored in icfAuthIPMgrInetAddrMask object." ::= { icfAuthIPMgrEntry 8 } icfAuthIPMgrInetAddrMask OBJECT-TYPE SYNTAX InetAddress MAX-ACCESS read-create STATUS current DESCRIPTION "This object qualifies the value of the corresponding instance of icfAuthIPMgrInetAddress. This object can be used to allow access by all managers on a particular IP subnet.This object can hold the version neutral IP address Mask." ::= { icfAuthIPMgrEntry 9 } icfAuthIPMgrAccessMethod OBJECT-TYPE SYNTAX INTEGER { all(1), ssh(2), telnet(3), web(4), snmp(5), tftp(6) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object defines the access method for a given manager. The different access methods are all, ssh, telnet, web, snmp, tftp" DEFVAL { 1 } ::= { icfAuthIPMgrEntry 10 } -- Conformance information icfSecurityConformance OBJECT IDENTIFIER ::= { icfSecurityMib 1 } icfSecurityCompliances OBJECT IDENTIFIER ::= { icfSecurityConformance 1 } icfSecurityGroups OBJECT IDENTIFIER ::= { icfSecurityConformance 2 } -- compliance statements icfSecurCompliance MODULE-COMPLIANCE STATUS obsolete -- change to deprecated when new SMI DESCRIPTION "********* THIS COMPLIANCE IS DEPRECATED *********/ A compliance statement for agents implementing the original version of this module." MODULE MANDATORY-GROUPS { icfSnmpSecurityGroup, icfSecIntruderGroup } ::= { icfSecurityCompliances 1 } icfV1CommunityCompliance MODULE-COMPLIANCE STATUS deprecated DESCRIPTION "********* THIS GROUP IS DEPRECATED ********* A compliance statement for HP ICF agents implementing SNMPv1 community name management." MODULE MANDATORY-GROUPS { icfV1CommunityGroup } GROUP icfSecIntruderGroup DESCRIPTION "This group should be implemented by devices that are able to keep a non-volatile record of authentication failures." ::= { icfSecurityCompliances 2 } -- units of conformance icfSnmpSecurityGroup OBJECT-GROUP OBJECTS { icfSecurPassword, icfSecurAuthAnyMgr, icfAuthMgrIndex, icfAuthMgrIpAddress, icfAuthMgrIpxAddress, icfAuthMgrRcvTraps } STATUS obsolete -- change to deprecated when new SMI DESCRIPTION "********* THIS GROUP IS DEPRECATED ********* A collection of objects for managing the SNMPv1 (non-)security configuration on HP networking devices." ::= { icfSecurityGroups 1 } icfSecIntruderGroup OBJECT-GROUP OBJECTS { icfSecurIntruderFlag, icfSecurIntruderIpAddress, icfSecurIntruderIpxAddress, icfSecurIntruderTime } STATUS current DESCRIPTION "A collection of objects for tracking authentication failures." ::= { icfSecurityGroups 2 } icfV1CommunityGroup OBJECT-GROUP OBJECTS { icfCommunityName, icfCommunityReadView, icfCommunityWriteView, icfCommunityStatus, icfAuthMgrAddrType, icfAuthMgrAddress, icfAuthMgrMask, icfAuthMgrStatus } STATUS deprecated DESCRIPTION "********* THIS GROUP IS DEPRECATED ********* A collection of objects for managing SNMPv1 community strings." ::= { icfSecurityGroups 13 } icfAuthIPMgrGroup OBJECT-GROUP OBJECTS { icfAuthIPMgrAddress, icfAuthIPMgrMask, icfAuthIPMgrAccess, icfAuthIPMgrStatus } STATUS deprecated DESCRIPTION "***************** deprecated ****************** A collection of objects for granting or denying access to specific IP addresses for HTTP, telnet, and TFTP. This Group object has been deprecated and a new group object has been defined with name icfAuthIPMgrInetGroup." ::= { icfSecurityGroups 14 } icfAuthIPMgrInetGroup OBJECT-GROUP OBJECTS { icfAuthIPMgrInetAddrType, icfAuthIPMgrInetAddress, icfAuthIPMgrInetAddrMaskType, icfAuthIPMgrInetAddrMask } STATUS current DESCRIPTION "A collection of objects for granting or denying access to specific IP addresses for HTTP, telnet, and TFTP." ::= { icfSecurityGroups 15 } END