
Conference netcad::hub_mgnt

Title: DEChub/HUBwatch/PROBEwatch CONFERENCE
Notice: Firmware -2, Doc -3, Power -4, HW kits -5, firm load -6&7
Moderator: NETCAD::COLELLADT
Created: Wed Nov 13 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 4455
Total number of notes: 16761

2091.0. "Display Comm String in the Open?" by NAC::LICAUSE () Fri Mar 10 1995 13:15

    Has anyone raised the question "why does the community string show up
    on the display"?
    
    If so, good.  If not, then let me start.
    
    This is really a stupid idea.
    
    SNMP is not very secure, but why make it so much less so by displaying
    the password right where everyone can see it?
    
    I hope this is being removed for V4?
    
    If not why not?
    
    Al

2091.1. "Heard it before, completely agree" by ROGER::GAUDET (Because the Earth is 2/3 water) Fri Mar 10 1995 15:19, 5 lines
I got the same reaction from several people at DECUS in December.  I passed on
the concerns to the HUBwatch team.  I'm sure someone will give us the status for
V4.0.

...Roger...

2091.2. "The short answer is "no"..." by SLINK::HOOD (This is my new personal name for Notes) Fri Mar 10 1995 15:48, 23 lines
>   This is really a stupid idea.
 
Thank you.  Have you told the product manager it is a stupid idea and
needs to be removed?

>   I hope this is being removed for V4?
 
No, it is not.  Neither is it scheduled to be removed.
   
>    If not why not?
 
(1) It is not a requirement for V4.0
(2) There are over 60 windows that would need to be changed.  This is a 
    time-consuming task.  Which new features and bug-fixes that are scheduled
    for V4.0, and are requirements for V4.0 would you like us to drop?
(3) We have a code freeze in a very few weeks.
(4) The community is useful information to have.
(5) If we remove it, people who use the community (I visited a customer who
    monitors about 4 hubs at a time) would be annoyed.
(6) Because it's not good netiquette to call our product "stupid"

Tom Hood
stupid HUBwatch developer

2091.3. "It's still dumb!" by NAC::LICAUSE () Fri Mar 10 1995 19:21, 23 lines
    RE: .2
    
    Who is the product manager for HUBwatch?
    He or she hasn't made themselves very visible in LKG!
    
    Interesting that some customers want to see the community string 
    displayed publicly.  Do they also want their login password echoed?
    It's really more or less the same thing!
    
    We too are customers that happen to run a fairly large LAN....one that
    supports development of applications like HUBwatch.  And devices like
    DEChub's.  I guess our feedback is worthless....right?!
    
    We have HUBwatch displayed publicly in LKG1/1 and we received calls
    from some concerned folks that saw the read/write community string
    displayed publicly indicating that this was a security risk.
    
    My reaction was, "fix the damned product."   That's still my reaction.
    I can't imagine wanting a product that publicly displays what is normally 
    considered a secure operational password.
    
    And there......Al
    
2091.4. "invisible Product Managers = Jack Forrest and Mike Bouchard" by NAC::FORREST () Fri Mar 10 1995 20:43, 13 lines
    re: .3
    
    Al, my visibility comes and goes, because the engineers usually answer
    questions long before I get around to reading them. I also usually just
    sign my entries with "jack", not "the HUBwatch Product Manager". If you
    have access to VTX, you can always type VTX PM and navigate through the
    people locator screens to find the product manager for any product.
    
    I'm taking your input seriously for future revisions, but we can't 
    accept new requests just as we are about to button up the code. We 
    will talk this over in one of our upcoming meetings.
    
    jack

2091.5. "Public == READONLY, only." by SLINK::HOOD (This is my new personal name for Notes) Fri Mar 10 1995 21:09, 8 lines
>    We have HUBwatch displayed publicly in LKG1/1 and we received calls
>    from some concerned folks that saw the read/write community string
>    displayed publicly indicating that this was a security risk.

Short-term fix to this problem... 
Invoke HUBwatch with the READ-ONLY community for the hub or agent.

Tom H

2091.6. "Ex" by ROGER::GAUDET (Because the Earth is 2/3 water) Mon Mar 13 1995 11:09, 7 lines
.3>>   DEChub's.  I guess our feedback is worthless....right?!

Actually, Al, all feedback, including yours, is extremely important to the
HUBwatch team.  However, I think it's safe to say that your choice of words to
label the idea "stupid" and "dumb" leaves much to be desired.

...Roger...

2091.7. "Apology" by NAC::LICAUSE () Mon Mar 13 1995 14:55, 15 lines
    >> However, I think it's safe to say that your choice of words to
    >> label the idea "stupid" and "dumb" leaves much to be desired.
    
    On further thought, I would tend to agree and I apologize if offense
    was taken.  
    
    It is one of those items that I would have thought to be fairly obvious
    and am surprised to hear that some customers like a password
    displayed, though I shouldn't be given some of the customer requests
    that I've seen.
    
    Al
    
    
    
2091.8. "Thanks" by SLINK::HOOD (This is my new personal name for Notes) Mon Mar 13 1995 15:06, 13 lines
>Actually, Al, all feedback, including yours, is extremely important to the
>HUBwatch team.  

Roger is (sigh) right again...

In fact, within a few hours of reading your base note, while I was waiting
for a compilation, I started doing the initial design on how we can 
selectively hide community strings, as some kind of HUBwatch startup option. 
That feature will *not* be in V4.0, but might be in a future HUBwatch version.


Tom Hood
HUBwatch

2091.9. "a customer quote about "security"" by TLSE01::SELLES (Pierre-Jean - Toulouse -France) Fri Mar 24 1995 15:59, 37 lines
Hello Tom and Jack,

Not wanting to offend anybody ;-), I'd like to quote
an administration customer who is very concerned
about security:

-"community should not appear in clear text";

In decmcc or temip, for each SNMP entity you want to manage
you have to enter a "password" through a sub-menu,
in fact the read-write community, that is not displayed;
of course, by default, it uses the "public" community for
display-only function.

Now, somebody with a sniffer can always detect this read-write
community, but not anybody entering the operation center
(I guess that community will be encrypted with SNMP V2, right?)

-"for dechub900 setup port, there should be a password
for terminal access"

It exists for Chipcom hubs and no customer complained about this.


Those quotes are just for "apporter de l'eau au moulin" concerning
better security for Hubwatch (which, always quoting the customer,
is a really good interface and very easy to use, "the LAN Interconnect
is a marvel")

regards PJ


PS: it is not a military customer

PS: "apporter de l'eau au moulin" should be "add water to the mill"
but it is a very basic translation!

2091.10. "We heard you! We're working on it!" by SLINK::HOOD (This is my new personal name for Notes) Fri Mar 24 1995 16:37, 9 lines
Yes.  I get it.  Really.

In a future HUBwatch version, we will implement a new feature to hide such
things.

---------

"add water to the mill"...  An almost word-for-word English translation
could lead to "that's water over the dam", which means almost the opposite

2091.11. "if French language was not only for Olympic Games ..." by TLSE01::SELLES (Pierre-Jean - Toulouse -France) Sun Mar 26 1995 15:07, 15 lines

Well, for us French people, it is always so easy to try
and translate word for word;
each language has of course its specificities and
English is not that easy to learn, especially for
a guy from the South (more Latin-like than Anglo-Saxon)

Sorry, but as I don't have a dictionary at hand,
I did my best!!

Thanks and keep the good work going, Tom


regards PJ
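
Added example (not part of the original thread, and not HUBwatch code): note 2091.9 observes that keeping the read-write community off the screen stops onlookers in the operations center but not a sniffer. This Python sketch decodes a constructed SNMPv1 GetRequest to show the community carried as a plain OCTET STRING, next to a display-side mask of the kind discussed in 2091.8; all function names and the community value `hub-rw-example` are assumptions.

```python
"""SNMPv1/v2c: the community string on the wire versus on the display."""

def tlv(tag: int, body: bytes) -> bytes:
    # Minimal BER encoder (short-form lengths), used only to build the sample.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    # Decode one BER TLV at pos; returns (tag, value, next_pos).
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def community_on_wire(datagram: bytes):
    # Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    vtag, ver, pos = read_tlv(msg, 0)
    ctag, comm, _ = read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04 or ver not in (b"\x00", b"\x01"):
        raise ValueError("not a community-based SNMP message")
    return ver[0], comm.decode("ascii", "replace")

def mask_for_display(community: str) -> str:
    # Hypothetical display rule: echo only the well-known default, and use a
    # fixed-width mask so the length of the real string is not shown either.
    return community if community == "public" else "*" * 8

def sample_get_request(community: bytes) -> bytes:
    # Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), request-id 1.
    varbind = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

if __name__ == "__main__":
    pkt = sample_get_request(b"hub-rw-example")  # constructed community value
    version, community = community_on_wire(pkt)
    print("display:", mask_for_display(community))
    print("wire   :", community, "(SNMP version field %d)" % version)
```

Masking the display addresses only the exposure raised in the base note; the datagram itself is unchanged by it.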