tags:

views:

725

answers:

3
+2  Q: 

SNMP SET with ACL and Set Community Name

Hi All,

I need to perform a SNMP Set operation in a printer in the network which as an Access Control List configured (ACL) and my host's IP Address is not in the ACL table. I'm getting a strange behavior: When I have a SNMPv1 Set community name configured, I am ONLY able to perform a SNMP Set if my host ip is in the ACL table. If there is no SNMPSet community name configured, I am able to perform SNMP Set normally even if my ip address is not in the ACL table. So, does anyone know if there is any relationship between the ACL table and the SNMP Set community name? I mean, the ACL is only "working" when the set community name is configured. Does this make sense?

Thanks for any help

A: 

So the ACL is on a local router or the printer itself? What model of printer is it and how are you connected to it, are you on the same network or do you pass through the router to get to the printer which is on a seperate network range?

I would check the full ACL list as perhaps there is a block all rule that is stopping you from accessing atm.

Omegatron  2008-09-30 03:54:10
+1  A: 

The ACL is on the printer itself. We are connected through a network and the printer is in another subnet. The ACL contains only one entry and there is not a blocking rule. The issue itself is regarding the behavior related with the SNMP Set Community itself that I'd like to understand if there is any relationship between them.

 2008-10-01 02:48:53
If your SNMP manager and the printer SNMP agent are in different subnet, it is possible that the device in between (such as a router) is changing the SET SNMP packet source IP address to its own. If this is the case and the ACL allows this device's IP address, this behavior can be explained.IP address based ACL is not that secure, compared to community name based (but remember to use complex names)
Lex Li  2009-11-01 00:27:36
A: 

As far as I know, such ACL is not a default part of SNMP, and its function can be varied by the vendor.

Like your test revealed, this may be a security flaw. Consider reporting this issue to the vendor. If they have a fix, they will send to you.

Lex Li  2009-05-16 04:14:38

related questions

POSIX ACLs and the 'sticky' bit applied to a directory
Using Python set type to implement ACL
How can my C# app test whether the user has "Read" access to a network share?
remove an ACL entry for just ONE user in MacOS? oddly difficult
In linux, is there a way to set a default permission for newly created files and directories under a directory?
Changing Parent for a Resource - Zend ACL - 1.7.3
How should I be implementing my ACL in a web application?
Help with Zend ACL
File Vs Database
Why can I not set this ACL rule in C#?
ACL for a network device
User authentication
Recommend a PHP ACL class?
Authentication for a browser-based application dependent on the client machine
Rails User Access Plugins
What technology to get NTFS access rights in C ?
Why is SetNamedSecurityInfoW leaving out ACEs?
Does it make sense to set up a trusted relationship between Active Directory instances at partner companies?
Copying file security permisions
File security attributes getting screwed up on file copy
What's the best way to implement ACLs to a Rails application?
Where to Store writable data to be shared by all users in a vista installer ?
CakePHP ACL Database Setup: ARO / ACO structure?
Access Control Lists & Access Control Objects, good tutorial?