Warning
Potential for Data Loss: The steps detailed in the resolution of this article may result in a loss of critical data if not performed properly. Before beginning these steps, make sure all important data is backed up in the event of data loss. If you are unsure or unfamiliar with any complex steps detailed in this article, please contact Product Support Services for assistance.
Issue
There is no clear guidance on how to handle the SNMP settings for TAC Xenta Servers.
Product Line
TAC Vista
Environment
- TAC Xenta Server
- TAC XBuilder
- SNMP
Cause
Previously, the SNMP feature has not been widely used and has not been a security concern.
There are two types, or flavors, of SNMP in a Xenta Server. One lets a management tool browse the device to get information about it (SNMP Agent); the other automatically sends alarms from the device to a central alarm system (SNMP Alarm Trap).
Now, according to reports from the field, IT departments are starting to get concerned about the SNMP feature in Xenta Servers. A general overview of how SNMP can be used maliciously for intrusion is available in the linked background material.
Normally the IT department requests that:
- The default community string is changed
- SNMP is disabled
Here is an example of what you see when you browse a Xenta Server (with the correct Xenta Server MIB file loaded) using an SNMP browser such as "MIB Browser" from iReasoning.
Here is an example of alarms received from a Xenta Server via SNMP.
Resolution
All (or most) SNMP settings are changed through TAC XBuilder.
The first step is to change the default community name. If the community name is left as "private" or "public" (the latter is the default), the device can be browsed without anyone having to know the name, because these values are well known. Change the name in both "Community Name" and "Trap Community Name", then download all project files to the Xenta Server.
Now when you try to browse the Xenta Server with an SNMP browser without first entering the new community name, you will not be able to retrieve any data.
Next, the SNMP Alarm Trap can be disabled. Download all project files to the Xenta Server afterwards; from then on, alarms are no longer sent to the configured IP address.
The following are advanced steps to change the ports used for SNMP (161 and 162).
If the settings described above are not enough, the port numbers used for SNMP can be changed. This is, however, a little more complicated. Connect to the Xenta Server using FTP (note that FTP access may be disabled; refer to "Disable FTP in the Xenta 5/7/9xx Controllers" if unsure how to enable it) and fetch the following file: /sys/system/snmp.cfg
- Open the file in Notepad.
- Change the two port numbers as shown below. You can choose other port numbers, but it is crucial that they are not the same as any other ports used by the Xenta Server.
- Upload the changed file to the same location on the Xenta Server.
- Download the project from TAC XBuilder, choosing to download all files.
- You now get this message.
- Here you must click "Target system"; otherwise the changed settings are overwritten.
- Note that the port numbers shown in XBuilder have not changed yet.
- Save the project and close XBuilder.
- Open the project again.
- You will now see that the port numbers have the values you defined in the file earlier.
- Now when you try browsing the Xenta Server with an SNMP tool, you can no longer connect on the default port 161.
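As an added verification check (example code written for this article, not part of TAC XBuilder or the Xenta Server firmware), the script below hand-builds a single SNMPv1 GetRequest for sysDescr.0 and reports whether an agent answers, so the result of the steps above can be confirmed from the IT side: no answer to "public" or "private" on port 161, and an answer only with the new community name on the new port. The host address, new community name and new port passed to hardening_checks are placeholders for your own site.

```python
import socket

# sysDescr.0: the first object an SNMP browser such as MIB Browser reads
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)

def _tlv(tag, body):
    """BER tag-length-value (short-form length; these packets are tiny)."""
    if len(body) >= 0x80:
        raise ValueError("long-form BER length not needed for these packets")
    return bytes([tag, len(body)]) + body

def _integer(value):
    """BER INTEGER for non-negative values (version, request-id, error fields)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest: version 0, community string, one varbind with a NULL value."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)

def snmp_responds(host, community, port=161, timeout=2.0):
    """True if the agent answers; a v1 agent stays silent on an unknown community."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community), (host, port))
            data, _ = sock.recvfrom(4096)
    except OSError:  # timeout, ICMP port unreachable, no route, or no network at all
        return False
    return len(data) > 0

def hardening_checks(host, new_community, new_port):
    """After the resolution steps the first two should be False and the last True."""
    return {"public_on_161": snmp_responds(host, "public", 161),
            "private_on_161": snmp_responds(host, "private", 161),
            "new_settings": snmp_responds(host, new_community, new_port)}
```

A reply to "public" on port 161 means the community name change has not reached the controller, usually because the project was not downloaded with all files afterwards.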