42268members
186172posts

SNMP communities and security considerations for ITE

Highlighted
Ensign

SNMP communities and security considerations for ITE

Hello all,

I've got a couple of questions from a customer who seriously care about security.

First: is it possible to avoid from using WRITE community in Gateway settings to not allow any (including SE's) applications any possible chance to change settings. What is the official recommendation?

Second: Some devices in a big data center have only TWO different READ communities. One is used for DCE, another is for a BMS system. It's undesirable to share communities between systems. What is the official recommendation to connect the equipment to ITE Gateway securely?

Thanks.

5 REPLIES 5
Highlighted
Administrator

Re: SNMP communities and security considerations for ITE

Hi Andy,

 

Thank you for posting and sorry for the delay!

 

I'll see if I can get some eyes on this.

 

Thanks,

 

Stine

Highlighted
Ensign

Re: SNMP communities and security considerations for ITE

Hi Andy,

The recommended way to connect to the Gateway is with SNMPv3 because it is encrypted and has more secure authentication.  If a device does not support SNMPv3, and therefore must use SNMPv1, you can enter an incorrect WRITE community string.  As of the current version of IT Gateway (1.8), the only time it writes to a device is to register for traps on APC devices which use the NMC network card.  In which case, you can manually register the Gateway as a trap receiver in the NMC's UI.  The Gateway also does SNMP writes to register for event log and waveform information from APC Galaxy VS/VM UPSs.  SNMP writes may be used in future versions of the Gateway to support other features.

 

And of course, the devices should be on a private network.  A little more on that here:  https://helpcenter.ecostruxureit.com/hc/en-us/articles/360007479438-EcoStruxure-IT-Gateway-in-a-Secu...

 

Hope that helps.

 

Jake

Highlighted
Ensign

Re: SNMP communities and security considerations for ITE

Hi Jake, thanks for the detailed answer.

I have proposed to the customer to use a wrong write community. Their answer was 'please make the field unnecessary because the way how it works guides users to make systems less secure'

Can you please help me with other questions closely related to the subject and the PoC at a customer premise.

- manually register the Gateway as a trap receiver - does GW receive and react to Traps/Informs from 3rd party equipment?

- is FTP used for mass APC configuration or SNMP?

- which protocols used for FW upgrades?

 

Appreciated/Andrey

Highlighted
Ensign

Re: SNMP communities and security considerations for ITE

Hi Andy,

Currently (GW version 1.8.x) and previous does not receive traps from 3rd party devices.  We are working on that however, so it may be available in the future.  FTP is used for both firmware updates and for device configuration.  

 

Thanks,

Jake

Highlighted
Ensign

Re: SNMP communities and security considerations for ITE

Hi Andy,

An update on the question about traps for third party devices.  We do have limited support for it now.  See this article for more details.  https://helpcenter.ecostruxureit.com/hc/en-us/articles/360009699437-Trap-receiver-registration-for-t...

 

When we receive a trap from the third party device, it will trigger a poll of the configured sensors and alarms.  

Tags (1)