16.21 Supporting Network Management System

This section describes Network Management System (NMS) settings.

The following sections contain more information:

16.21.1 Enabling ICMP Echo Requests

The default configuration for Novell ZENworks Network Access Control is to not respond to ICMP Echo (ping) requests.

The following sections contain more information:

Enable Temporary Ping

To temporarily (until reboot) enable ICMP echo requests:

Command line

  1. Log in to the Novell ZENworks Network Access Control server as root using SSH or directly with a keyboard.

  2. Enter the following command at the command line:

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    

Pings will again be disabled after the next reboot.

Enable Persistent Ping

To persistently enable ICMP echo requests:

Command line

  1. Log in to the Novell ZENworks Network Access Control server as root using SSH or directly with a keyboard.

  2. Open the rc.local file with a text editor such as vi. For example:

    /etc/rc.d/rc.local
    
  3. In the # Ignore All ICMP requests area, change the following line:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    

    To:

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    
  4. Save and exit the file.

  5. At the command line, enter the following:

    /etc/rc.d/rc.local
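The two procedures above (temporary and persistent) are small enough to wrap in a couple of shell functions that can be checked before they touch the real files. The following is an added example, not part of the Novell documentation; it assumes the same paths the text gives (/proc/sys/net/ipv4/icmp_echo_ignore_all and /etc/rc.d/rc.local) and takes them as parameters so the functions can be exercised against copies first.

```shell
# Added example (not part of the Novell documentation). Reports the live ICMP
# echo setting and switches the rc.local line from "echo 1" to "echo 0" so the
# change survives a reboot. Both paths default to the ones in the text but can
# be overridden, which is how the functions are exercised on a copy.

# Print "ignored" or "answered" for the value in the given sysctl file.
# Default path is the live kernel setting (readable without root).
icmp_echo_state() {
  f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
  case $(cat "$f" 2>/dev/null) in
    1) echo ignored ;;
    0) echo answered ;;
    *) echo unknown; return 1 ;;
  esac
}

# Rewrite only the icmp_echo_ignore_all line in rc.local. Returns 0 when the
# file already enables pings (idempotent), 1 when the expected line is absent,
# so a missing line is noticed instead of being silently left alone. A temp
# file plus mv is used instead of sed -i so the function also works on
# non-GNU sed.
enable_persistent_ping() {
  rc=${1:-/etc/rc.d/rc.local}
  if ! grep -q 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all' "$rc"; then
    grep -q 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all' "$rc" && return 0
    return 1
  fi
  sed 's|echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all|echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all|' \
    "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc"
}

# On the server itself (as root), the calls are simply:
#   icmp_echo_state              # what the kernel does right now
#   enable_persistent_ping       # edit /etc/rc.d/rc.local
#   /etc/rc.d/rc.local           # apply, as in step 5 above
```

Running icmp_echo_state after step 5 is the quickest way to confirm the edit actually took effect, since rc.local applies the whole file and an unrelated error earlier in it would leave the setting unchanged.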
    

Restricting the ICMP Request

To restrict ping responses to a specific interface, such as the one facing the protected network, first complete the procedures above, then follow the instructions in this section to add rules to the firewall chain so that ping requests are only accepted through the specified interface.

To restrict ping entries to a specific interface:

Command line

  1. At the MS command line, enter the following iptables entries in this order:

    iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -i ethx -j ACCEPT
    
    iptables -A RH-Lokkit-0-50-INPUT -p icmp --icmp-type echo-request -j DROP
    

    Where:

    ethx is the interface that you wish to be "pingable". For example, eth0.

  2. In order for these changes to persist through reboots, enter the following command at the command line:

    iptables-save > /etc/sysconfig/iptables.save
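Because iptables evaluates a chain top-down, the ACCEPT for the chosen interface must land above the catch-all DROP; if the two commands in step 1 are entered in the wrong order, every ping is dropped and nothing reports it. The following added check (not part of the Novell documentation) reads the chain listing that iptables -S RH-Lokkit-0-50-INPUT prints and confirms the order. The sample listings are constructed for illustration, not captured from a real system; iptables renders echo-request as "--icmp-type 8" in such listings, so both spellings are matched.

```shell
# Added example (not part of the Novell documentation). Verifies, from the
# text of `iptables -S RH-Lokkit-0-50-INPUT`, that the interface-specific
# echo-request ACCEPT precedes the catch-all echo-request DROP.
# Returns 0 when the order is correct, 1 otherwise (including when either
# rule is missing).
icmp_rule_order_ok() {
  listing=$1   # chain listing text
  ifc=$2       # interface that should stay pingable, e.g. eth0
  printf '%s\n' "$listing" | awk -v ifc="$ifc" '
    /--icmp-type (8|echo-request)/ {
      n++
      # first ACCEPT bound to the wanted interface
      if (!accept && $0 ~ ("-i " ifc "( |$)") && $0 ~ /-j ACCEPT/) accept = n
      # first DROP that is not bound to any interface (the catch-all)
      if (!drop && $0 !~ /-i / && $0 ~ /-j DROP/) drop = n
    }
    END { if (accept && drop && accept < drop) exit 0; exit 1 }'
}

# Constructed sample listings (not output from a real server).
LISTING_GOOD='-N RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

LISTING_BAD='-N RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A RH-Lokkit-0-50-INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# On the server (as root) the real check is:
#   icmp_rule_order_ok "$(iptables -S RH-Lokkit-0-50-INPUT)" eth0 && echo order ok
```

Run the same check again after a reboot: it confirms that the iptables-save file from step 2 was actually restored, not just that the rules were present in the running kernel when you typed them.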

16.21.2 Changing the Community Name for SNMPD

Novell ZENworks Network Access Control includes snmpd, and it is started by default. You need to change the notpublicsnmp community name to a value specific to your site.

To change the community name:

Command line window

  1. Log in as root to the Novell ZENworks Network Access Control MS using SSH.

  2. Open the following file with a text editor such as vi:

    /etc/snmp/snmpd.conf
    

    Example 16-5 snmpd.conf Example File

    -----------------------------------------------------------------------------
    # Thu Jul 05 15:14:53 MDT 2007
    # This file is generated automatically. Please do not edit. Edit the snmpd.conf.template file instead.
    
    #
    # This is a template for the snmpd.conf file.
    # The following variables will be replaced:
    #    SOURCE - replaced with the source CIDR network that is allowed to access
    #    COMMUNITY - replaced with the community string for which permissions are being set
    #
    com2sec allowed_net  default      notpublicsnmp
    group   allowed_net_mon       v1          allowed_net
    group   allowed_net_mon       v2c         allowed_net
    group   allowed_net_mon       usm         allowed_net
    view    all     included      system
    access  allowed_net_mon       ""      any       noauth    exact  all none none
    view all    included  .1                               80
    view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc
    
    -----------------------------------------------------------------------------
    
  3. Ignore the comment that asks you to not edit this file. Change the following line:

    com2sec allowed_net default notpublicsnmp
    

    to:

    com2sec allowed_net <IP address range> <customer-specific community> 
    

    where:

    <IP address range> = the IP address range of your network; CIDR notation is supported.

    For example: 10.0.16.0/24

    <customer-specific community> = your customer-specific community name.

    For example: Public2

  4. Save and exit the file.

NOTE: iptables already allows snmpd through UDP port 161.

NOTE: Use this functionality with care, because snmpd makes a large amount of system information available to anyone who knows the community name and is within the allowed network.
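The edit in step 3 is a one-line change, but the two values it takes are exactly the ones that decide who can read the system over SNMP, so it is worth refusing the weak choices before writing the file. The following is an added example, not part of the Novell documentation: it rewrites the com2sec line as the step describes, but only after checking that the source is a real CIDR prefix (not "default", which snmpd treats as any host) and that the community is not the shipped notpublicsnmp or a well-known value such as public. The minimum community length of 6 is an assumption chosen so the documented example Public2 still passes; the path /etc/snmp/snmpd.conf is taken from the text above and is passed as a parameter.

```shell
# Added example (not part of the Novell documentation). Rewrites the
# "com2sec allowed_net ..." line in snmpd.conf with a validated source
# network and community string, and can report whether a file still
# carries the shipped defaults.

# 0 if $1 is dotted-quad CIDR, e.g. 10.0.16.0/24 (the text's own example).
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# 0 if the community string is acceptable: only [A-Za-z0-9_-], not a
# well-known or shipped default, at least 6 characters (assumed minimum).
community_ok() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;          # empty or unsafe characters
    public|private|notpublicsnmp) return 1 ;; # well-known / shipped defaults
  esac
  [ ${#1} -ge 6 ]
}

# Replace the com2sec line in $1 with network $2 and community $3.
# Exit codes: 2 bad network, 3 weak community, 4 line not found.
set_snmp_community() {
  conf=$1 net=$2 comm=$3
  is_cidr "$net" || { echo "bad network: $net" >&2; return 2; }
  community_ok "$comm" || { echo "weak or invalid community" >&2; return 3; }
  grep -Eq '^com2sec[[:space:]]+allowed_net[[:space:]]' "$conf" || return 4
  # $net only contains digits, dots and a slash and $comm was restricted
  # above, so neither can break the sed expression.
  sed -E "s|^com2sec[[:space:]]+allowed_net[[:space:]].*|com2sec allowed_net $net $comm|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# 0 if the file still has the shipped "default" source or the
# notpublicsnmp community on its com2sec line, i.e. step 3 was never done.
snmp_default_left() {
  grep -Eq '^com2sec[[:space:]]+allowed_net[[:space:]]+(default|.*[[:space:]]notpublicsnmp[[:space:]]*$)' "$1"
}

# On the MS (as root), then restart snmpd for the change to take effect:
#   set_snmp_community /etc/snmp/snmpd.conf 10.0.16.0/24 YourSiteCommunity
```

snmp_default_left is the piece to keep: run it from a cron job or a configuration audit and it flags a server that was rebuilt or re-templated back to the shipped community without anyone noticing.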

16.21.3 SNMP MIBs

A Management Information Base (MIB) is a hierarchical database of the managed objects on a network device. Simple Network Management Protocol (SNMP) is the protocol used for management communication between devices; it relies on MIBs to define the objects, and the format of the data, that SNMP messages carry.

Novell ZENworks Network Access Control supports SNMP v2c for both incoming and outgoing SNMP notifications. The following MIBs (located in /usr/share/snmp/mibs/) define the data that Novell ZENworks Network Access Control can read:

  • HOST-RESOURCES-MIB

  • IF-MIB

  • IP-MIB

  • IPV6-MIB

  • NET-SNMP-AGENT-MIB

  • NET-SNMP-MIB

  • RFC1213-MIB

  • SNMP-FRAMEWORK-MIB

  • SNMP-MPD-MIB

  • SNMP-TARGET-MIB

  • SNMP-USER-BASED-SM-MIB

  • SNMPv2-MIB

  • SNMP-VIEW-BASED-ACM-MIB

  • TCP-MIB

  • UCD-DLMOD-MIB

  • UCD-SNMP-MIB

  • UDP-MIB

The following MIB defines the outgoing SNMP notifications:

/usr/share/snmp/mibs/NAC-MIB.txt

See the following link for more information on SNMP and MIBs: