Highlight Security Considerations
This page explains how Highlight offers layers of security to mitigate any risk of granting SNMP write access to a device, and addresses security associated with the use of poller agents.
In order for Highlight to produce Performance statistics on latency, packet loss and jitter Highlight uses the built-in ipSLA test feature of Cisco IOS or RPM for JunOS.
Highlight must use SNMP Write access to provision, modify and delete these tests. Since ‘Write’ access can represent a security problem, Highlight imposes multiple layers of security to ensure that the granted Write access is used safely and cannot affect router operation.
The following describes how security is provided when using SNMP Write access, in additional to that described in the previous section:
Access-list restriction is applied on the router which only allows it to accept SNMP requests from the Poller Agents' IP Addresses.
SNMP Write access is restricted by a pre-shared authentication password, separate to the Read password.
SNMP Write access is limited, by configuration statements on the router, to the specific MIB used in IPSLA or RPM. This is a very small branch of the MIB tree within the device, and means that Highlight can only change parameters relating directly to IPSLA/RPM tests (for provisioning of tests etc. as described above). Access to all other parts of the device and MIB remains Read Only, so no other functions of the router can be altered.
The following describes how Highlight's platform provides security for SNMP access from the poller agent, specifically when located on customer premises.
A poller run inside the customer’s private network is only capable of initiating outbound traffic. There are no listening ports opened by Highlight.
The poller is located behind the customer’s firewall and requires no special access through the firewall. The only traffic will be TCP 443 outbound.
All traffic between the Agent and the main Highlight platform is encrypted using the HTTPS protocol.
Access-list restriction is applied on the devices monitored by Highlight, which only allows only SNMP requests from the poller’s internal IP Address.
SNMP Read-Only access is restricted via the SNMP community string – this is a pre-shared authentication password.