Entrust nShield Security Manual page 15

and limit the IP addresses supported on those ports to the ones required.
4.4.2. Simple Network Management Protocol (SNMP)
In the development of the nShield SNMP agent, we have used open-source tools that are
part of the NET-SNMP project. More information on SNMP in general, and the data
structures used to support SNMP installations, is available from the NET-SNMP project
Web site: http://net-snmp.sourceforge.net/.
This site includes some support information and offers access to discussion email lists.
You can use the discussion lists to monitor subjects that might affect the operation or
security of the nShield SNMP agent or command-line utilities.
You should discuss any enquiries arising from information on the NET-SNMP Web site
with Entrust nShield Support before posting potentially sensitive information to the NET-
SNMP Web site.
The nShield SNMP Agent allows other computers on the network to connect to it and
make requests for information. The nShield agent is based on the NET-SNMP code base,
which has been tested but not fully reviewed by Entrust. We strongly recommend that
you deploy the nShield SNMP agent only on a private network or a network protected
from the global Internet by an appropriate firewall.
The default nShield SNMP installation allows read-only access to the Management
Information Base (MIB) with any community string. There is no default write access to
any part of the MIB. The few Object Identifiers (OIDs) in the nShield MIB that are writable
(should write access be enabled) specify ephemerally how the SNMP agent presents
certain information. No software or HSM configuration changes can be made through the
SNMP agent.
Every effort has been taken to ensure the confidentiality of cryptographic keys even
when the SNMP agent is enabled. The SNMP agent runs as a client application of the
HSM, and all the security controls provided and enforced by the HSM are in effect. In
particular, the nShield module is designed to prevent the theft of keys even if the security
of the host system is compromised, provided that the Administrator Cards are used only
with trusted hosts.
We strongly advise that you set up suitable access controls in the snmpd.conf file. It is
also recommended that a firewall is used to protect the agent, and the information it can
return.
When configuring the nShield SNMP agent, make sure that you protect the configuration
files if you are storing sensitive information in them.
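The following added example (not Entrust code) audits an snmpd.conf for the access-control gaps described above: community strings accepted from any source address, well-known community strings, and enabled write access. It assumes the standard NET-SNMP directives rocommunity, rwcommunity and com2sec; the sample file contents are constructed.

```python
import shlex

MSG_ANY = "community accepted from any source address"
MSG_KNOWN = "well-known community string"
MSG_WRITE = "write access enabled"
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
# Constructed sample for illustration; not an nShield default file.
SAMPLE = """\
# monitoring access
rocommunity public
rocommunity n5h-mon-7Qx 10.20.30.0/24
rwcommunity ops-write 10.20.30.5
com2sec monitor default s3cr3t
"""

def audit_snmpd_conf(text):
    """Return (line_number, message) findings for community access directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE [OID]]: a missing SOURCE means any host
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.append((no, MSG_WRITE))
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        if source in ANY_SOURCE:
            findings.append((no, MSG_ANY))
        if community.lower() in ("public", "private"):
            findings.append((no, MSG_KNOWN))
    return findings

if __name__ == "__main__":
    for no, msg in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {msg}")
```

Only the third line of the sample passes cleanly: it pairs a non-default community string with a single management subnet and grants read-only access.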
nShield® Security Manual
15 of 90
