Highlight Security Considerations
This page explains the layers of security Highlight applies to mitigate the risk of granting SNMP write access to a device, and addresses the security associated with the use of Relay Agents.
To produce performance statistics on latency, packet loss and jitter, Highlight uses the built-in IPSLA test feature of Cisco IOS, or RPM on JunOS.
Highlight must use SNMP Write access to provision, modify and delete these tests. Since ‘Write’ access can represent a security problem, Highlight imposes multiple layers of security to ensure that the granted Write access is used safely and cannot affect router operation.
The following describes how security is provided when using SNMP Write access, in addition to that described in the previous section:
An access-list restriction is applied on the router so that it only accepts SNMP requests from the Pollers' or Relay Agent's IP addresses.
SNMP Write access is restricted by a pre-shared authentication password, separate from the Read password.
SNMP Write access is limited, by configuration statements on the router, to the specific MIB used by IPSLA or RPM. This is a very small branch of the device's MIB tree, so Highlight can only change parameters relating directly to IPSLA/RPM tests (provisioning, modifying and deleting tests, as described above). Access to all other parts of the device and MIB remains Read Only, so no other function of the router can be altered.
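The three controls above, expressed as Cisco IOS configuration. This is an added example written for this page, not configuration published by Highlight; the poller addresses and community strings are placeholders, and the numeric OID is that of CISCO-RTTMON-MIB, the MIB IPSLA is managed through.

```cisco
! Constructed example: Cisco IOS statements implementing the SNMP write
! controls described above. Replace 192.0.2.10 / 192.0.2.11 (Poller or
! Relay Agent addresses) and the two community strings with your own values.
!
! 1. Access-list: accept SNMP only from the Highlight Pollers / Relay Agent.
access-list 10 remark Highlight Pollers / Relay Agent only
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny   any log
!
! 2. Read-only community: separate string, source-restricted by ACL 10.
snmp-server community HL-READ-ONLY-STRING ro 10
!
! 3. Write community: its own string, the same ACL, and a view that includes
!    only the IPSLA (ciscoRttMonMIB, 1.3.6.1.4.1.9.9.42) subtree, so a SET
!    against any object outside that branch is rejected by the router.
snmp-server view HL-IPSLA-WRITE 1.3.6.1.4.1.9.9.42 included
snmp-server community HL-WRITE-STRING view HL-IPSLA-WRITE rw 10
!
! The weak setting these lines replace: an RW community with no ACL and no
! view lets any host that learns the string change every writable object.
! snmp-server community public rw
```

Confirm the result with `show snmp community` and `show snmp view`, and check that an SNMP SET against an object outside the RTTMON subtree is refused while one inside it succeeds.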
The following describes how Highlight's platform provides security for SNMP access via the Relay Agent:
The Relay Agent is run inside the customer’s private network and is only capable of initiating outbound traffic (there are no open ports listening).
The Relay Agent is located behind the customer’s firewall and requires no special access through the firewall (the only traffic will be TCP 443 outbound traffic from the Relay Agent).
All traffic between the Relay Agent and the main Highlight platform is encrypted using the HTTPS protocol.
An access-list restriction is applied on the monitored devices so that they only accept SNMP requests from the Relay Agent's internal IP address.
SNMP Read-Only access is restricted via the SNMP community string – this is a pre-shared authentication password.