smilint output for ./CABH-IETF-SEC-MIB
Message Severities
Severity | Count
error    | 4
warning  | 2

Message Types
Type                                 | Count
basetype-unknown (error)             | 1
import-failed (error)                | 1
integer-misuse (warning)             | 2
object-identifier-not-prefix (error) | 1
type-unknown (error)                 | 1
Messages:
CABH-IETF-SEC-MIB
1: -- extracted from draft-ietf-ipcdn-cable-gateway-security-mib-00.txt
2: -- at Wed Jun 25 06:13:37 2003
3:
4: CABH-IETF-SEC-MIB DEFINITIONS ::= BEGIN
5:
6: IMPORTS
7: MODULE-IDENTITY,
8: Unsigned32,
9: zeroDotZero,
10: OBJECT-TYPE,
11: mib-2 FROM SNMPv2-SMI -- RFC2578
12:
13: DateAndTime,
14: TruthValue,
15: TimeStamp,
16: VariablePointer FROM SNMPv2-TC -- RFC2579
17:
18: OBJECT-GROUP,
19: MODULE-COMPLIANCE FROM SNMPv2-CONF -- RFC2580
20: InetPortNumber,
21: InetAddressType,
22: InetAddress FROM INET-ADDRESS-MIB --RFC3291
23:
24: SnmpAdminString FROM SNMP-FRAMEWORK-MIB --RFC2571
25:
26: DocsX509ASN1DEREncodedCertificate FROM DOCS-BPI2-MIB
26: error -
identifier `DocsX509ASN1DEREncodedCertificate' cannot be imported from module `DOCS-BPI2-MIB'
27: --TC available in draft-ietf-ipcdn-bpiplus-mib-09.txt or after
28:
29: ZeroBasedCounter32 FROM RMON2-MIB
30:
31: docsDevFilterIpEntry FROM DOCS-CABLE-DEVICE-MIB;
32:
33: cabhSecMib MODULE-IDENTITY
34: LAST-UPDATED "200306210000Z" -- Jun 21, 2003
35: ORGANIZATION "IETF IPCDN Working Group"
36: CONTACT-INFO
37: "Kevin Luehrs
38: Postal: Cable Television Laboratories, Inc.
39: 400 Centennial Parkway
40: Louisville, Colorado 80027-1266
41: U.S.A.
42: Phone: +1 303-661-9100
43: Fax: +1 303-661-9199
44: E-mail: k.luehrs@cablelabs.com; mibs@cablelabs.com
45:
46: IETF IPCDN Working Group
47: General Discussion: ipcdn@ietf.org
48: Subscribe: http://www.ietf.org/mailman/listinfo/ipcdn
49: Archive: ftp://ftp.ietf.org/ietf-mail-archive/ipcdn
50: Co-chairs: Richard Woundy,
51: Richard_Woundy@cable.comcast.com
52: Jean-Francois Mule, jf.mule@cablelabs.com"
53: DESCRIPTION
54: "This MIB module supplies the basic management
55: objects for the Security Portal Services.
56:
57: Copyright (C) The Internet Society (2003). This version
58: of this MIB module is part of RFC xxxx; see the RFC
59: itself
60: for full legal notices."
61: REVISION "200306210000Z" -- Jun 21, 2003
62: DESCRIPTION
63: "Initial version, published as RFC xxxx."
64: -- RFC editor to assign xxxx
65: ::= { mib-2 xx }
65: error -
Object identifier element `xx' name only allowed as first element
66: -- xx to be assigned by IANA
67:
68: -- Textual Conventions
69:
70: cabhSecMibObjects OBJECT IDENTIFIER ::= { cabhSecMib 1 }
71: cabhSecFwObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 1 }
72: cabhSecFwBase OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
73: cabhSecFwLogCtl OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
74:
75: cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 2 }
76: cabhSecKerbObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 3 }
77: cabhSecKerbBase OBJECT IDENTIFIER ::= { cabhSecKerbObjects 1 }
78:
79: cabhSec2FwObjects OBJECT IDENTIFIER ::= { cabhSecMibObjects 4 }
80: cabhSec2FwBase OBJECT IDENTIFIER ::= { cabhSec2FwObjects 1 }
81: cabhSec2FwEvent OBJECT IDENTIFIER ::= { cabhSec2FwObjects 2 }
82: cabhSec2FwLog OBJECT IDENTIFIER ::= { cabhSec2FwObjects 3 }
83: cabhSec2FwFilter OBJECT IDENTIFIER ::= { cabhSec2FwObjects 4 }
84:
85:
86: --
87: -- CableHome 1.0 Base Firewall Functions
88: --
89:
90: cabhSecFwPolicyFileEnable OBJECT-TYPE
91: SYNTAX INTEGER {
92: enable(1),
93: disable(2)
94: }
95: MAX-ACCESS read-write
96: STATUS current
97: DESCRIPTION
98: "This parameter indicates whether or not to enable the
99: firewall functionality."
100: DEFVAL {enable}
101: ::= { cabhSecFwBase 1 }
102:
103: cabhSecFwPolicyFileURL OBJECT-TYPE
104: SYNTAX SnmpAdminString
105: MAX-ACCESS read-write
106: STATUS current
107: DESCRIPTION
108: "Contains the location of the last successfully downloaded
109: policy rule set file in the format specified in the
110: reference. A policy rule set file download is triggered
111: when the value used to SET this MIB is different than the
112: value in the cabhSecFwPolicySuccessfulFileURL object."
113: REFERENCE
114: "CableHome 1.0 Specification, CH-SP-I04-030411,
115: 11.3.5.2 Firewall Rule Set Management Parameters"
116: ::= { cabhSecFwBase 2 }
117:
118: cabhSecFwPolicyFileHash OBJECT-TYPE
119: SYNTAX OCTET STRING (SIZE(0|20))
120: MAX-ACCESS read-write
121: STATUS current
122: DESCRIPTION
123: "Hash of the contents of the rules set file, calculated
124: and sent to the PS prior to sending the rules set file.
125: For the SHA-1 authentication algorithm the length of the
126: hash is 160 bits. This hash value is encoded in binary
127: format."
128: DEFVAL {''h}
129: ::= { cabhSecFwBase 3 }
130:
131: cabhSecFwPolicyFileOperStatus OBJECT-TYPE
132: SYNTAX INTEGER {
133: inProgress(1),
134: complete(2),
135: -- completeFromMgt(3), deprecated
136: failed(4)
137: }
138: MAX-ACCESS read-only
139: STATUS current
140: DESCRIPTION
141: "inProgress(1) indicates a firewall configuration file
142: download is underway.
143: complete (2) indicates the firewall configuration file
144: downloaded and configured successfully.
145: completeFromMgt(3) This state is deprecated.
146: failed(4) indicates the last attempted firewall
147: configuration file download or processing failed
148: ordinarily due to TFTP timeout."
149: ::= { cabhSecFwBase 4 }
150:
151:
152: cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
153: SYNTAX SnmpAdminString
154: MAX-ACCESS read-only
155: STATUS current
156: DESCRIPTION
157: "The rule set version currently operating in the PS
158: device. This object should be in the syntax used by the
159: individual vendor to identify software versions. Any PS
160: element MUST return a string descriptive of the current
161: rule set file load. If this is not applicable, this
162: object MUST contain an empty string."
163: ::= { cabhSecFwBase 5 }
164:
165: cabhSecFwPolicySuccessfulFileURL OBJECT-TYPE
166: SYNTAX SnmpAdminString
167: MAX-ACCESS read-only
168: STATUS current
169: DESCRIPTION
170: "Contains the location of the last successfully downloaded
171: policy rule set file in the format specified in the
172: reference. If a successful download has not yet occurred,
173: this MIB object should report empty string."
174: REFERENCE
175: "CableHome 1.0 Specification, CH-SP-I04-030411,
176: 11.3.5.2 Firewall Rule Set Management Parameters"
177: ::= { cabhSecFwBase 6 }
178:
179: --
180: -- CableHome 1.0 Firewall Event MIBs
181: --
182:
183:
184: cabhSecFwEventType1Enable OBJECT-TYPE
185: SYNTAX INTEGER {
186: enable (1), -- log event
187: disable (2) -- do not log event
188: }
189: MAX-ACCESS read-write
190: STATUS current
191: DESCRIPTION
192: "This object enables or disables logging of type 1
193: firewall event messages. Type 1 event messages report
194: attempts from both private and public clients to traverse
195: the firewall that violate the Security Policy."
196: DEFVAL { disable }
197: ::= { cabhSecFwLogCtl 1 }
198:
199: cabhSecFwEventType2Enable OBJECT-TYPE
200: SYNTAX INTEGER {
201: enable (1), -- log event
202: disable (2) -- do not log event
203: }
204: MAX-ACCESS read-write
205: STATUS current
206: DESCRIPTION
207: "This object enables or disables logging of type 2
208: firewall event messages. Type 2 event messages report
209: identified Denial of Service attack attempts."
210: DEFVAL { disable }
211: ::= { cabhSecFwLogCtl 2 }
212:
213: cabhSecFwEventType3Enable OBJECT-TYPE
214: SYNTAX INTEGER {
215: enable (1), -- log event
216: disable (2) -- do not log event
217: }
218: MAX-ACCESS read-write
219: STATUS current
220: DESCRIPTION
221: "Enables or disables logging of type 3 firewall event
222: messages.
223: Type 3 event messages report changes made to the
224: following firewall management parameters:
225: cabhSecFwPolicyFileURL,
226: cabhSecFwPolicyFileCurrentVersion,
227: cabhSecFwPolicyFileEnable"
228: DEFVAL { disable }
229: ::= { cabhSecFwLogCtl 3 }
230:
231: cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
232: SYNTAX INTEGER (0..65535)
232: warning -
warning: use Integer32 instead of INTEGER in SMIv2
233: MAX-ACCESS read-write
234: STATUS current
235: DESCRIPTION
236: "If the number of type 1 or 2 hacker attacks exceeds
237: this threshold in the period defined by
238: cabhSecFwEventAttackAlertPeriod, a firewall message
239: event MUST be logged with priority level 4."
240: DEFVAL { 65535 }
241: ::= { cabhSecFwLogCtl 4 }
242:
243:
244: cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
245: SYNTAX INTEGER (0..65535)
245: warning -
warning: use Integer32 instead of INTEGER in SMIv2
246: MAX-ACCESS read-write
247: STATUS current
248: DESCRIPTION
249: "Indicates the period to be used (in hours) for the
250: cabhSecFwEventAttackAlertThreshold. This MIB variable
251: should always keep track of the last x hours of events
252: meaning that if the variable is set to track events for
253: 10 hours then when the 11th hour is reached, the 1st hour
254: of events is deleted from the tracking log. A default
255: value is set to zero, meaning zero time, so that this MIB
256: variable will not track any events unless configured."
257: DEFVAL { 0 }
258: ::= { cabhSecFwLogCtl 5 }
259:
260:
261: --
262: -- CableHome PS device certificate
263: --
264:
265: cabhSecCertPsCert OBJECT-TYPE
265: error -
type `DocsX509ASN1DEREncodedCertificate' of node `cabhSecCertPsCert' does not resolve to a known base type
266: SYNTAX DocsX509ASN1DEREncodedCertificate
267: MAX-ACCESS read-only
267: error -
unknown type `DocsX509ASN1DEREncodedCertificate'
268: STATUS current
269: DESCRIPTION
270: "The X509 DER-encoded PS certificate."
271: ::= { cabhSecCertObjects 1 }
272:
273:
274:
275: --
276: -- CableHome 1.1 Firewall Management MIBs
277: --
278:
279: cabhSec2FwEnable OBJECT-TYPE
280: SYNTAX INTEGER {
281: enabled(1),
282: disabled(2)
283: }
284: MAX-ACCESS read-write
285: STATUS current
286: DESCRIPTION
287: "This parameter indicates whether to enable or disable
288: the firewall."
289: DEFVAL {enabled }
290: ::= { cabhSec2FwBase 1 }
291:
292:
293: cabhSec2FwPolicyFileURL OBJECT-TYPE
294: SYNTAX SnmpAdminString
295: MAX-ACCESS read-write
296: STATUS current
297: DESCRIPTION
298: "Contains the location of the last successfully downloaded
299: policy rule set file in the format specified in the
300: reference. A policy rule set file download is triggered
301: when the value used to SET this MIB is different than the
302: value in the cabhSec2FwPolicySuccessfulFileURL object."
303: REFERENCE
304: "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
305: 11.6.4.7.1 Firewall Rule Set Management MIB Objects"
306: ::= { cabhSec2FwBase 2 }
307:
308:
309: cabhSec2FwPolicyFileHash OBJECT-TYPE
310: SYNTAX OCTET STRING (SIZE(0|20))
311: MAX-ACCESS read-write
312: STATUS current
313: DESCRIPTION
314: "Hash of the contents of the firewall configuration file.
315: For the SHA-1 authentication algorithm the length of the
316: hash is 160 bits. This hash value is encoded in binary
317: format."
318: DEFVAL { ''h}
319: ::= { cabhSec2FwBase 3 }
320:
321:
322: cabhSec2FwPolicyFileOperStatus OBJECT-TYPE
323: SYNTAX INTEGER {
324: inProgress(1),
325: complete(2),
326: failed(3)
327: }
328: MAX-ACCESS read-only
329: STATUS current
330: DESCRIPTION
331: "InProgress(1) indicates a firewall configuration file
332: download is underway. Complete(2) indicates the firewall
333: configuration file was downloaded and processed
334: successfully. Failed(3) indicates that the last attempted
335: firewall configuration file download or processing
336: failed."
337: ::= { cabhSec2FwBase 4 }
338:
339:
340: cabhSec2FwPolicyFileCurrentVersion OBJECT-TYPE
341: SYNTAX SnmpAdminString
342: MAX-ACCESS read-write
343: STATUS current
344: DESCRIPTION
345: "A label set by the cable operator that can be used to
346: track various versions of configured rulesets. Once the
347: label is set and the configured rules are changed, it may
348: not accurately reflect the version of configured rules
349: running on the box.
350: This object MUST contain the string 'null' if it has never
351: been configured."
352: DEFVAL { "null" }
353: ::= { cabhSec2FwBase 5 }
354:
355:
356: cabhSec2FwClearPreviousRuleset OBJECT-TYPE
357: SYNTAX INTEGER {
358: increment(1),
359: complete(2),
360: incrementDefault(3)
361: }
362: MAX-ACCESS read-write
363: STATUS current
364: DESCRIPTION
365: "Allows PS or firewall configuration files to contain
366: either a complete firewall configured ruleset or an
367: incremental to the already established configured ruleset
368: depending upon its existence in the configuration file.
369: If the PS receives a configuration file with firewall
370: settings which includes a cabhSec2FwClearPreviousRuleset
371: object setting marked as increment(1) or if this object
372: setting is not included in a configuration file which
373: contains filter settings for the firewall, then the PS
374: MUST treat the firewall filter settings in the
375: configuration file as an increment to the configured
376: ruleset. If the PS receives a configuration file with
377: firewall settings which includes a
378: cabhSec2FwClearPreviousRuleset object setting marked as
379: incrementDefault(3) then the PS MUST remove all
380: previously configured rules from the configured ruleset,
381: including any rules in the filter schedule table and
382: increment the newly downloaded rules on top of (i.e.
383: subsequent to) the factory default policy. If the PS
384: receives a configuration file with firewall settings
385: which includes a cabhSec2FwClearPreviousRuleset object
386: setting marked as complete(2), then the PS MUST remove
387: all previously configured rules from the configured
388: ruleset, including any rules in
389: cabhSec2FwFilterScheduleTable table before applying
390: the firewall filter settings contained in the
391: configuration file.
392:
393: If cabhSec2FwClearPreviousRuleset is set to increment(1)
394: using SNMP, the PS MUST treat all of the following
395: firewall filter settings using SNMP as an increment to
396: the configured ruleset.
397:
398: If cabhSec2FwClearPreviousRuleset is set to
399: incrementDefault(3) using SNMP, the PS MUST remove all
400: previously configured rules from the configured ruleset,
401: including any rules in the filter schedule table and
402: treat all of the following firewall filter settings using
403: SNMP as an increment on top of the factory default
404: policy. If cabhSec2FwClearPreviousRuleset is set to
405: complete(2), then the PS MUST remove all rules from the
406: configured ruleset, including any rules in the filter
407: schedule table. In this scenario the PS will operate
408: without any configured rules, (e.g. there will be no
409: defined filtering rules, but the firewall will still
410: provide the minimum set of capabilities and
411: architecture)."
412: REFERENCE
413: "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
414: 11.6.4.4 Firewall Filtering"
415: DEFVAL { increment }
416: ::= { cabhSec2FwBase 6 }
417:
418: cabhSec2FwPolicySelection OBJECT-TYPE
419: SYNTAX INTEGER {
420: factoryDefault(1),
421: configuredRuleset(2)
422: }
423: MAX-ACCESS read-write
424: STATUS current
425: DESCRIPTION
426: "This parameter indicates which policy should currently
427: be running in the firewall, either the factoryDefault
428: policy or the configuredRuleset."
429: DEFVAL { factoryDefault }
430: ::= { cabhSec2FwBase 7 }
431:
432: cabhSec2FwEventSetToFactory OBJECT-TYPE
433: SYNTAX TruthValue
434: MAX-ACCESS read-write
435: STATUS current
436: DESCRIPTION
437: "If set to 'true', entries in cabhSec2FwEventControlEntry
438: are set to their default values. Reading this value
439: always returns false."
440: DEFVAL { false }
441: ::= { cabhSec2FwBase 8 }
442:
443:
444: cabhSec2FwEventLastSetToFactory OBJECT-TYPE
445: SYNTAX TimeStamp
446: MAX-ACCESS read-only
447: STATUS current
448: DESCRIPTION
449: "The value of sysUpTime when cabhSec2FwEventSetToFactory
450: was last set to true. Zero if never reset."
451: ::= { cabhSec2FwBase 9 }
452:
453:
454: cabhSec2FwPolicySuccessfulFileURL OBJECT-TYPE
455: SYNTAX SnmpAdminString
456: MAX-ACCESS read-only
457: STATUS current
458: DESCRIPTION
459: "Contains the location of the last successfully downloaded
460: policy rule set file in the format specified in the
461: reference. If a successful download has not yet occurred,
462: this MIB object should report empty string."
463: REFERENCE
464: "CableHome 1.1 Specification, CH-1.1-SP-I01-030418,
465: 11.6.4.7.1 Firewall Rule Set Management MIB Objects"
466: ::= { cabhSec2FwBase 10 }
467:
468: --
469: -- CableHome 1.1 Firewall Event MIBS
470: --
471:
472:
473: cabhSec2FwEventControlTable OBJECT-TYPE
474: SYNTAX SEQUENCE OF CabhSec2FwEventControlEntry
475: MAX-ACCESS not-accessible
476: STATUS current
477: DESCRIPTION
478: "This table controls the reporting of the Firewall
479: Attacks events"
480: ::= { cabhSec2FwEvent 1 }
481:
482:
483: cabhSec2FwEventControlEntry OBJECT-TYPE
484: SYNTAX CabhSec2FwEventControlEntry
485: MAX-ACCESS not-accessible
486: STATUS current
487: DESCRIPTION
488: "Allows configuration of the reporting mechanisms for a
489: particular type of attack."
490: INDEX { cabhSec2FwEventType }
491: ::= { cabhSec2FwEventControlTable 1 }
492:
493: CabhSec2FwEventControlEntry ::= SEQUENCE {
494: cabhSec2FwEventType INTEGER,
495: cabhSec2FwEventEnable INTEGER,
496: cabhSec2FwEventThreshold Unsigned32,
497: cabhSec2FwEventInterval Unsigned32,
498: cabhSec2FwEventCount ZeroBasedCounter32,
499: cabhSec2FwEventLogReset TruthValue,
500: cabhSec2FwEventLogLastReset TimeStamp
501:
502: }
503:
504: cabhSec2FwEventType OBJECT-TYPE
505: SYNTAX INTEGER {
506: type1(1),
507: type2(2),
508: type3(3),
509: type4(4),
510: type5(5),
511: type6(6)
512: }
513: MAX-ACCESS not-accessible
514: STATUS current
515: DESCRIPTION
516: "Classification of the different types of attacks.
517: Type 1 logs all attempts from both LAN and WAN clients to
518: traverse the Firewall that violate the Security Policy.
519: Type 2 logs identified Denial of Service attack attempts.
520: Type 3 logs all changes made to the cabhSec2FwPolicyFileURL,
521: cabhSec2FwPolicyFileCurrentVersion or
522: cabhSec2FwPolicyFileEnable objects.
523: Type 4 logs all failed attempts to modify
524: cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
525: objects. Type 5 logs allowed inbound packets from the WAN.
526: Type 6 logs allowed outbound packets from the LAN."
527: ::= { cabhSec2FwEventControlEntry 1 }
528:
529: cabhSec2FwEventEnable OBJECT-TYPE
530: SYNTAX INTEGER {
531: enabled(1),
532: disabled(2)
533: }
534: MAX-ACCESS read-write
535: STATUS current
536: DESCRIPTION
537: "Enables or disables counting and logging of firewall
538: events by type as assigned by cabhSec2FwEventType."
539: DEFVAL { disabled }
540: ::= { cabhSec2FwEventControlEntry 2 }
541:
542:
543: cabhSec2FwEventThreshold OBJECT-TYPE
544: SYNTAX Unsigned32 (0..65535)
545: MAX-ACCESS read-write
546: STATUS current
547: DESCRIPTION
548: "Number of attacks to count before sending the
549: appropriate event by type as assigned by
550: cabhSec2FwEventType."
551: DEFVAL { 0 }
552: ::= { cabhSec2FwEventControlEntry 3 }
553:
554:
555: cabhSec2FwEventInterval OBJECT-TYPE
556: SYNTAX Unsigned32 (0..65535)
557: UNITS "hours"
558: MAX-ACCESS read-write
559: STATUS current
560: DESCRIPTION
561: "Indicates the time interval in hours to count and log
562: occurrences of a firewall event type as assigned in
563: cabhSec2FwEventType. If this MIB has a value of zero then
564: there is no interval assigned and the PS will not count
565: or log events."
566: DEFVAL { 0 }
567: ::= { cabhSec2FwEventControlEntry 4 }
568:
569: cabhSec2FwEventCount OBJECT-TYPE
570: SYNTAX ZeroBasedCounter32
571: MAX-ACCESS read-only
572: STATUS current
573: DESCRIPTION
574: "Indicates the current count up to the
575: cabhSec2FwEventThreshold value by type as assigned by
576: cabhSec2FwEventType."
577: ::= { cabhSec2FwEventControlEntry 5 }
578:
579:
580: cabhSec2FwEventLogReset OBJECT-TYPE
581: SYNTAX TruthValue
582: MAX-ACCESS read-write
583: STATUS current
584: DESCRIPTION
585: "Setting this object to true clears the log table for the
586: specified event type. Reading this object always returns
587: false."
588: DEFVAL { false }
589: ::= { cabhSec2FwEventControlEntry 6 }
590:
591:
592: cabhSec2FwEventLogLastReset OBJECT-TYPE
593: SYNTAX TimeStamp
594: MAX-ACCESS read-only
595: STATUS current
596: DESCRIPTION
597: "The value of sysUpTime when cabhSec2FwEventLogReset was
598: last set to true. Zero if never reset."
599: ::= { cabhSec2FwEventControlEntry 7 }
600:
601:
602:
603: --
604: -- CableHome 1.1 Firewall Log Tables
605: --
606: cabhSec2FwLogTable OBJECT-TYPE
607: SYNTAX SEQUENCE OF CabhSec2FwLogEntry
608: MAX-ACCESS not-accessible
609: STATUS current
610: DESCRIPTION
611: "Contains a log of packet information as related to
612: events enabled by the cable operator. The types are
613: defined in the CableHome 1.1 specification and require
614: various objects to be included in the log.
615: The following is a description for what is expected in
616: the log for each type. Type 1, Type 2, Type 5 and Type 6
617: table MUST include cabhSec2FwEventType,
618: cabhSec2FwEventPriority, cabhSec2FwEventId,
619: cabhSec2FwLogTime, cabhSec2FwIpProtocol,
620: cabhSec2FwIpSourceAddr, cabhSec2FwIpDestAddr,
621: cabhSec2FwIpSourcePort, cabhSec2FwIpDestPort,
622: cabhSec2Fw, cabhSec2FwReplayCount. The other values not
623: used by types 1, 2, 5 and 6 are default values. Type 3
624: and Type 4 MUST include cabhSec2FwEventType,
625: cabhSec2FwEventPriority,
626: cabhSec2FwEventId, cabhSec2FwLogTime,
627: cabhSec2FwIpSourceAddr, cabhSec2FwLogMIBPointer.
628: The other values not used by type 3 and 4 are default
629: values."
630: ::= { cabhSec2FwLog 1 }
631:
632: cabhSec2FwLogEntry OBJECT-TYPE
633: SYNTAX CabhSec2FwLogEntry
634: MAX-ACCESS not-accessible
635: STATUS current
636: DESCRIPTION
637: "Each entry contains the log of firewall events"
638: INDEX {cabhSec2FwLogIndex}
639: ::= { cabhSec2FwLogTable 1 }
640:
641: CabhSec2FwLogEntry ::= SEQUENCE {
642: cabhSec2FwLogIndex Unsigned32,
643: cabhSec2FwLogEventType INTEGER,
644: cabhSec2FwLogEventPriority INTEGER,
645: cabhSec2FwLogEventId Unsigned32,
646: cabhSec2FwLogTime DateAndTime,
647: cabhSec2FwLogIpProtocol Unsigned32,
648: cabhSec2FwLogIpAddrType InetAddressType,
649: cabhSec2FwLogIpSourceAddr InetAddress,
650: cabhSec2FwLogIpDestAddr InetAddress,
651: cabhSec2FwLogIpSourcePort InetPortNumber,
652: cabhSec2FwLogIpDestPort InetPortNumber,
653: cabhSec2FwLogMessageType Unsigned32,
654: cabhSec2FwLogReplayCount Unsigned32,
655: cabhSec2FwLogMIBPointer VariablePointer
656: }
657:
658: cabhSec2FwLogIndex OBJECT-TYPE
659: SYNTAX Unsigned32 (1..2147483647)
660: MAX-ACCESS not-accessible
661: STATUS current
662: DESCRIPTION
663: "A sequence number for the specific events under a
664: cabhSec2FwEventType."
665: ::= { cabhSec2FwLogEntry 1 }
666:
667: cabhSec2FwLogEventType OBJECT-TYPE
668: SYNTAX INTEGER {
669: type1(1),
670: type2(2),
671: type3(3),
672: type4(4),
673: type5(5),
674: type6(6)
675: }
676: MAX-ACCESS read-only
677: STATUS current
678: DESCRIPTION
679: "Classification of the different types of attacks.
680: Type 1 logs all attempts from both LAN and WAN clients to
681: traverse the Firewall that violate the Security Policy.
682: Type 2 logs identified Denial of Service attack attempts.
683: Type 3 logs all changes made to the
684: cabhSec2FwPolicyFileURL,
685: cabhSec2FwPolicyFileCurrentVersion or
686: cabhSec2FwPolicyFileEnable objects.
687: Type 4 logs all failed attempts to modify
688: cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable
689: objects.
690: Type 5 logs allowed inbound packets from the WAN.
691: Type 6 logs allowed outbound packets from the LAN."
692: ::= { cabhSec2FwLogEntry 2 }
693:
694: cabhSec2FwLogEventPriority OBJECT-TYPE
695: SYNTAX INTEGER {
696: emergency(1),
697: alert(2),
698: critical(3),
699: error(4),
700: warning(5),
701: notice(6),
702: information(7),
703: debug(8)
704: }
705: MAX-ACCESS read-only
706: STATUS current
707: DESCRIPTION
708: "The priority level of this event as defined by CableHome
709: Specification. If a priority is not assigned in the
710: CableHome specification for a particular event then the
711: vendor or cable operator may assign priorities. These are
712: ordered from most serious (emergency) to least serious
713: (debug)."
714: ::= { cabhSec2FwLogEntry 3 }
715:
716:
717: cabhSec2FwLogEventId OBJECT-TYPE
718: SYNTAX Unsigned32
719: MAX-ACCESS read-only
720: STATUS current
721: DESCRIPTION
722: "The assigned event ID."
723: ::= { cabhSec2FwLogEntry 4 }
724:
725:
726: cabhSec2FwLogTime OBJECT-TYPE
727: SYNTAX DateAndTime
728: MAX-ACCESS read-only
729: STATUS current
730: DESCRIPTION
731: "The time that this entry was created by the PS."
732: ::= { cabhSec2FwLogEntry 5 }
733:
734:
735: cabhSec2FwLogIpProtocol OBJECT-TYPE
736: SYNTAX Unsigned32 (0..256)
737: MAX-ACCESS read-only
738: STATUS current
739: DESCRIPTION
740: "The IP Protocol"
741: ::= { cabhSec2FwLogEntry 6 }
742:
743:
744: cabhSec2FwLogIpAddrType OBJECT-TYPE
745: SYNTAX InetAddressType
746: MAX-ACCESS read-only
747: STATUS current
748: DESCRIPTION
749: "The type of IP addresses in the packet"
750: ::= { cabhSec2FwLogEntry 7 }
751:
752:
753: cabhSec2FwLogIpSourceAddr OBJECT-TYPE
754: SYNTAX InetAddress
755: MAX-ACCESS read-only
756: STATUS current
757: DESCRIPTION
758: "The Source IP Address of the packet logged.
759: The address type of this object is specified by
760: cabhSec2FwLogIpAddrType."
761: ::= { cabhSec2FwLogEntry 8 }
762:
763:
764: cabhSec2FwLogIpDestAddr OBJECT-TYPE
765: SYNTAX InetAddress
766: MAX-ACCESS read-only
767: STATUS current
768: DESCRIPTION
769: "The Destination IP Address of the packet logged.
770: The address type of this object is specified by
771: cabhSec2FwLogIpAddrType."
772: ::= { cabhSec2FwLogEntry 9 }
773:
774:
775: cabhSec2FwLogIpSourcePort OBJECT-TYPE
776: SYNTAX InetPortNumber
777: MAX-ACCESS read-only
778: STATUS current
779: DESCRIPTION
780: "The Source IP Port of the packet logged"
781: ::= { cabhSec2FwLogEntry 10 }
782:
783:
784: cabhSec2FwLogIpDestPort OBJECT-TYPE
785: SYNTAX InetPortNumber
786: MAX-ACCESS read-only
787: STATUS current
788: DESCRIPTION
789: "The Destination IP Port of the packet logged"
790: ::= { cabhSec2FwLogEntry 11 }
791:
792:
793: cabhSec2FwLogMessageType OBJECT-TYPE
794: SYNTAX Unsigned32
795: MAX-ACCESS read-only
796: STATUS current
797: DESCRIPTION
798: "The ICMP defined types."
799: ::= { cabhSec2FwLogEntry 12 }
800:
801:
802: cabhSec2FwLogReplayCount OBJECT-TYPE
803: SYNTAX Unsigned32
804: MAX-ACCESS read-only
805: STATUS current
806: DESCRIPTION
807: "The number of identical attack packets that were seen by
808: the firewall based on cabhSec2FwLogIpProtocol,
809: cabhSec2FwLogIpSourceAddr, cabhSec2FwLogIpDestAddr,
810: cabhSec2FwLogIpSourcePort, cabhSec2FwLogIpDestPort and
811: cabhSec2FwLogMessageType"
812: DEFVAL { 0 }
813: ::= { cabhSec2FwLogEntry 13 }
814:
815: cabhSec2FwLogMIBPointer OBJECT-TYPE
816: SYNTAX VariablePointer
817: MAX-ACCESS read-only
818: STATUS current
819: DESCRIPTION
820: "Identifies if the cabhSec2FwPolicyFileURL or the
821: cabhSec2FwEnable MIB object changed or an attempt was
822: made to change it."
823: DEFVAL { zeroDotZero }
824: ::= { cabhSec2FwLogEntry 14 }
825:
826:
827: -- ============================================================
828: --
829: -- CableHome 1.1 PS IP Filter Scheduling Table
830: --
831: -- The cabhSec2FwFilterScheduleTable contains the firewall
832: -- policy identification and links that policy as defined
833: -- in RFC 2669 to specific time of day restrictions.
834: --
835: -- =============================================================
836:
837:
838: cabhSec2FwFilterScheduleTable OBJECT-TYPE
839: SYNTAX SEQUENCE OF CabhSec2FwFilterScheduleEntry
840: MAX-ACCESS not-accessible
841: STATUS current
842: DESCRIPTION
843: "Extends the filtering matching parameters of
844: docsDevFilterIpTable defined in RFC 2669 for CableHome
845: Residential Gateways to include time of day intervals and
846: days of the week."
847: ::= { cabhSec2FwFilter 1 }
848:
849: cabhSec2FwFilterScheduleEntry OBJECT-TYPE
850: SYNTAX CabhSec2FwFilterScheduleEntry
851: MAX-ACCESS not-accessible
852: STATUS current
853: DESCRIPTION
854: "Extended values for entries of docsDevFilterIpTable.
855: If the PS has not acquired ToD the entire
856: docsDevFilterIpEntry rule set is ignored."
857: AUGMENTS { docsDevFilterIpEntry }
858: ::= { cabhSec2FwFilterScheduleTable 1 }
859:
860:
861: CabhSec2FwFilterScheduleEntry ::= SEQUENCE {
862: cabhSec2FwFilterScheduleStartTime DateAndTime,
863: cabhSec2FwFilterScheduleEndTime DateAndTime,
864: cabhSec2FwFilterScheduleDOW BITS
865: }
866:
867:
868: cabhSec2FwFilterScheduleStartTime OBJECT-TYPE
869: SYNTAX DateAndTime
870: MAX-ACCESS read-create
871: STATUS current
872: DESCRIPTION
873: "The start time, with optional time zone, for a firewall
874: filter ruleset. Only the time portion of the DateAndTime
875: TEXTUAL-CONVENTION has a meaning."
876: ::= { cabhSec2FwFilterScheduleEntry 1 }
877:
878: cabhSec2FwFilterScheduleEndTime OBJECT-TYPE
879: SYNTAX DateAndTime
880: MAX-ACCESS read-create
881: STATUS current
882: DESCRIPTION
883: "The end time, with optional time zone, for a firewall
884: filter ruleset. Only the time portion of the DateAndTime
885: TEXTUAL-CONVENTION has a meaning."
886: ::= { cabhSec2FwFilterScheduleEntry 2 }
887:
888:
889: cabhSec2FwFilterScheduleDOW OBJECT-TYPE
890: SYNTAX BITS {
891: sunday(0),
892: monday(1),
893: tuesday(2),
894: wednesday(3),
895: thursday(4),
896: friday(5),
897: saturday(6)
898:
899: }
900: MAX-ACCESS read-create
901: STATUS current
902: DESCRIPTION
903: "If the day of week bit associated with the PS given day
904: is '1', this object's criterion matches."
905: ::= { cabhSec2FwFilterScheduleEntry 3 }
906:
907: --
908: -- Kerberos MIBs
909: --
910:
911:
912: cabhSecKerbPKINITGracePeriod OBJECT-TYPE
913: SYNTAX Unsigned32 (15..600)
914: UNITS "minutes"
915: MAX-ACCESS read-write
916: STATUS current
917: DESCRIPTION
918: "The PKINIT Grace Period is needed by the PS to know when
919: it should start retrying to get a new ticket. The PS MUST
920: obtain a new Kerberos ticket (with a PKINIT exchange);
921: this may be many minutes before the old ticket expires."
922: DEFVAL { 30 }
923: ::= { cabhSecKerbBase 1}
924:
925: cabhSecKerbTGSGracePeriod OBJECT-TYPE
926: SYNTAX Unsigned32 (1..600)
927: UNITS "minutes"
928: MAX-ACCESS read-write
929: STATUS current
930: DESCRIPTION
931: "The TGS Grace Period is needed by the PS to know when it
932: should start retrying to get a new ticket. The PS MUST
933: obtain a new Kerberos ticket (with a TGS Request); this
934: may be many minutes before the old ticket expires."
935: DEFVAL { 10 }
936: ::= { cabhSecKerbBase 2}
937:
938: cabhSecKerbUnsolicitedKeyMaxTimeout OBJECT-TYPE
939: SYNTAX Unsigned32 (15..600)
940: UNITS "seconds"
941: MAX-ACCESS read-write
942: STATUS current
943: DESCRIPTION
944: "This timeout applies to PS initiated AP-REQ/REP key
945: management exchange with NMS. The maximum timeout is the
946: value which may not be exceeded in the exponential
947: backoff algorithm."
948: DEFVAL { 600 }
949: ::= { cabhSecKerbBase 3}
950:
951:
952: cabhSecKerbUnsolicitedKeyMaxRetries OBJECT-TYPE
953: SYNTAX Unsigned32 (1..32)
954: MAX-ACCESS read-write
955: STATUS current
956: DESCRIPTION
957: "The number of retries the PS is allowed for AP-REQ/REP
958: key management exchange initiation with the NMS. This is
959: the maximum number of retries before the PS gives up
960: attempting to establish an SNMPv3 security association
961: with NMS."
962: DEFVAL { 8 }
963: ::= { cabhSecKerbBase 4}
964:
965: cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 2 }
966: cabhSecConformance OBJECT IDENTIFIER ::= { cabhSecMib 3 }
967: cabhSecCompliances OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
968: cabhSecGroups OBJECT IDENTIFIER ::= { cabhSecConformance 2 }
969:
970: --
971: -- Notification Group for future extension
972: --
973:
974: -- compliance statements
975:
976: cabhSecCompliance MODULE-COMPLIANCE
977: STATUS current
978: DESCRIPTION
979: "The compliance statement for CableHome Security."
980: MODULE --cabhSecMib
981:
982:
983:
984: -- unconditionally mandatory groups
985:
986: MANDATORY-GROUPS {
987: cabhSecCertGroup,
988: cabhSecKerbGroup
989: }
990:
991:
992: -- conditional mandatory groups
993:
994: GROUP cabhSecGroup
995: DESCRIPTION
996: "This group is implemented only for CH 1.0 gateways."
997:
998: GROUP cabhSec2Group
999: DESCRIPTION
1000: "This group is implemented only for CH 1.1 gateways."
1001:
1002: OBJECT cabhSec2FwLogIpAddrType
1003: SYNTAX InetAddressType { ipv4(1) }
1004: DESCRIPTION
1005: "An implementation is only required to support IPv4
1006: addresses."
1007:
1008: OBJECT cabhSec2FwLogIpSourceAddr
1009: SYNTAX InetAddress (SIZE(4))
1010: DESCRIPTION
1011: "An implementation is only required to support IPv4
1012: addresses."
1013:
1014: OBJECT cabhSec2FwLogIpDestAddr
1015: SYNTAX InetAddress (SIZE(4))
1016: DESCRIPTION
1017: "An implementation is only required to support IPv4
1018: addresses."
1019:
1020: ::= { cabhSecCompliances 1}
1021:
1022: cabhSecGroup OBJECT-GROUP
1023: OBJECTS {
1024: cabhSecFwPolicyFileEnable,
1025: cabhSecFwPolicyFileURL,
1026: cabhSecFwPolicyFileHash,
1027: cabhSecFwPolicyFileOperStatus,
1028: cabhSecFwPolicyFileCurrentVersion,
1029: cabhSecFwPolicySuccessfulFileURL,
1030:
1031: cabhSecFwEventType1Enable,
1032: cabhSecFwEventType2Enable,
1033: cabhSecFwEventType3Enable,
1034: cabhSecFwEventAttackAlertThreshold,
1035: cabhSecFwEventAttackAlertPeriod
1036: }
1037: STATUS current
1038: DESCRIPTION
1039: "Group of objects in CableHome 1.0 Firewall MIB."
1040: ::= { cabhSecGroups 1 }
1041:
1042:
1043: cabhSecCertGroup OBJECT-GROUP
1044: OBJECTS {
1045: cabhSecCertPsCert
1046: }
1047: STATUS current
1048: DESCRIPTION
1049: "Group of objects in CableHome gateway for PS
1050: Certificate."
1051: ::= { cabhSecGroups 2 }
1052:
1053:
1054: cabhSecKerbGroup OBJECT-GROUP
1055: OBJECTS {
1056: cabhSecKerbPKINITGracePeriod,
1057: cabhSecKerbTGSGracePeriod,
1058: cabhSecKerbUnsolicitedKeyMaxTimeout,
1059: cabhSecKerbUnsolicitedKeyMaxRetries
1060: }
1061: STATUS current
1062: DESCRIPTION
1063: "Group of objects in CableHome gateway for Kerberos."
1064: ::= { cabhSecGroups 3 }
1065:
1066: cabhSec2Group OBJECT-GROUP
1067: OBJECTS {
1068: cabhSec2FwEnable,
1069: cabhSec2FwPolicyFileURL,
1070: cabhSec2FwPolicyFileHash,
1071: cabhSec2FwPolicyFileOperStatus,
1072: cabhSec2FwPolicyFileCurrentVersion,
1073: cabhSec2FwClearPreviousRuleset,
1074: cabhSec2FwPolicySelection,
1075: cabhSec2FwEventSetToFactory,
1076: cabhSec2FwEventLastSetToFactory,
1077: cabhSec2FwPolicySuccessfulFileURL,
1078: cabhSec2FwEventEnable,
1079: cabhSec2FwEventThreshold,
1080: cabhSec2FwEventInterval,
1081: cabhSec2FwEventCount,
1082: cabhSec2FwEventLogReset,
1083: cabhSec2FwEventLogLastReset,
1084: cabhSec2FwLogEventType,
1085: cabhSec2FwLogEventPriority,
1086: cabhSec2FwLogEventId,
1087: cabhSec2FwLogTime,
1088: cabhSec2FwLogIpProtocol,
1089: cabhSec2FwLogIpAddrType,
1090: cabhSec2FwLogIpSourceAddr,
1091: cabhSec2FwLogIpDestAddr,
1092: cabhSec2FwLogIpSourcePort,
1093: cabhSec2FwLogIpDestPort,
1094: cabhSec2FwLogMessageType,
1095: cabhSec2FwLogReplayCount,
1096: cabhSec2FwLogMIBPointer,
1097: cabhSec2FwFilterScheduleStartTime,
1098: cabhSec2FwFilterScheduleEndTime,
1099: cabhSec2FwFilterScheduleDOW
1100: }
1101: STATUS current
1102: DESCRIPTION
1103: "Group of objects in CableHome 1.1 Firewall MIB."
1104: ::= { cabhSecGroups 4 }
1105:
1106: END
1107:
1108: --
1109: -- Copyright (C) The Internet Society (2003). All Rights Reserved.
1110: --
1111: -- This document and translations of it may be copied and furnished to
1112: -- others, and derivative works that comment on or otherwise explain it
1113: -- or assist in its implementation may be prepared, copied, published
1114: -- and distributed, in whole or in part, without restriction of any
1115: -- kind, provided that the above copyright notice and this paragraph are
1116: -- included on all such copies and derivative works. However, this
1117: -- document itself may not be modified in any way, such as by removing
1118: -- the copyright notice or references to the Internet Society or other
1119: -- Internet organizations, except as needed for the purpose of
1120: -- developing Internet standards in which case the procedures for
1121: -- copyrights defined in the Internet Standards process must be
1122: -- followed, or as required to translate it into languages other than
1123: -- English.
1124: --
1125: -- The limited permissions granted above are perpetual and will not be
1126: -- revoked by the Internet Society or its successors or assigns.
1127: --
1128: -- This document and the information contained herein is provided on an
1129: -- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1130: -- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1131: -- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1132: -- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1133: -- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1134: