CABH-IETF-SEC-MIB: View SNMP OID List / Download MIB

This MIB module supplies the basic management objects for the Security Portal Services. Copyright (C) The Internet Society (2003). This version of this MIB module is part of RFC xxxx; see the RFC itself for full legal notices.

This parameter indicates whether or not to enable the firewall functionality. Enumeration: 'enable': 1, 'disable': 2.

Contains the location of the last successfull downloaded policy rule set file in the format pointed in the reference. A policy rule set file download is triggered when the value used to SET this MIB is different than the value in the cabhSecFwPolicySuccessfulFileURL object.

Hash of the contents of the rules set file, calculated and sent to the PS prior to sending the rules set file. For the SHA-1 authentication algorithm the length of the hash is 160 bits. This hash value is encoded in binary format.

inProgress(1) indicates a firewall configuration file download is underway. complete (2) indicates the firewall configuration file downloaded and configured successfully. completeFromMgt(3) This state is deprecated. failed(4) indicates the last attempted firewall configuration file download or processing failed ordinarily due to TFTP timeout. Enumeration: 'failed': 4, 'inProgress': 1, 'complete': 2.

The rule set version currently operating in the PS device. This object should be in the syntax used by the individual vendor to identify software versions. Any PS element MUST return a string descriptive of the current rule set file load. If this is not applicable, this object MUST contain an empty string.

Contains the location of the last successfull downloaded policy rule set file in the format pointed in the reference. If a successful download has not yet occurred, this MIB object should report empty string.

This object enables or disables logging of type 1 firewall event messages. Type 1 event messages report attempts from both private and public clients to traverse the firewall that violate the Security Policy. Enumeration: 'enable': 1, 'disable': 2.

This object enables or disables logging of type 2 firewall event messages. Type 2 event messages report identified Denial of Service attack attempts. Enumeration: 'enable': 1, 'disable': 2.

Enables or disables logging of type 3 firewall event messages. Type 3 event messages report changes made to the following firewall management parameters: cabhSecFwPolicyFileURL, cabhSecFwPolicyFileCurrentVersion, cabhSecFwPolicyFileEnable Enumeration: 'enable': 1, 'disable': 2.

If the number of type 1 or 2 hacker attacks exceeds this threshold in the period define by cabhSecFwEventAttackAlertPeriod, a firewall message event MUST be logged with priority level 4.

Indicates the period to be used (in hours) for the cabhSecFwEventAttackAlertThreshold. This MIB variable should always keep track of the last x hours of events meaning that if the variable is set to track events for 10 hours then when the 11th hour is reached, the 1st hour of events is deleted from the tracking log. A default value is set to zero, meaning zero time, so that this MIB variable will not track any events unless configured.

The X509 DER-encoded PS certificate.

The PKINIT Grace Period is needed by the PS to know when it should start retrying to get a new ticket. The PS MUST obtain a new Kerberos ticket (with a PKINIT exchange); this may be many minutes before the old ticket expires.

The TGS Grace Period is needed by the PS to know when it should start retrying to get a new ticket. The PS MUST obtain a new Kerberos ticket (with a TGS Request); this may be many minutes before the old ticket expires.

This timeout applies to PS initiated AP-REQ/REP key management exchange with NMS. The maximum timeout is the value which may not be exceeded in the exponential backoff algorithm.

The number of retries the PS is allowed for AP-REQ/REP key management exchange initiation with the NMS. This is the maximum number of retries before the PS gives up attempting to establish an SNMPv3 security association with NMS.

This parameter indicates whether to enable or disable the firewall. Enumeration: 'disabled': 2, 'enabled': 1.

Contains the location of the last successfull downloaded policy rule set file in the format pointed in the reference. A policy rule set file download is triggered when the value used to SET this MIB is different than the value in the cabhSec2FwPolicySuccessfulFileURL object.

Hash of the contents of the firewall configuration file. For the SHA-1 authentication algorithm the length of the hash is 160 bits. This hash value is encoded in binary format.

InProgress(1) indicates a firewall configuration file download is underway. Complete(2) indicates the firewall configuration file was downloaded and processed successfully. Failed(3) indicates that the last attempted firewall configuration file download or processing failed. Enumeration: 'failed': 3, 'inProgress': 1, 'complete': 2.

A label set by the cable operator that can be used to track various versions of configured rulesets. Once the label is set it and configured rules are changed, it may not accurately reflect the version of configured rules running on the box. This object MUST contain the string 'null' if has never been configured.

Allows PS or firewall configuration files to contain either a complete firewall configured ruleset or an incremental to the already established configured ruleset depending up on its existence in the configuration file. If the PS receives a configuration file with firewall settings which includes a cabhSec2FwClearPreviousRuleset object setting marked as increment(1) or if this object setting is not included in a configuration file which contains filter settings for the firewall, then the PS MUST treat the firewall filter settings in the configuration file as an increment to the configured ruleset. If the PS receives a configuration file with firewall settings which includes a cabhSec2FwClearPreviousRuleset object setting marked as incrementDefault(3) then the PS MUST remove all previously configured rules from the configured ruleset, including any rules in the filter schedule table and increment the newly downloaded rules on top of (i.e. subsequent to) the factory default policy. If the PS receives a configuration file with firewall settings which includes a cabhSec2FwClearPreviousRuleset object setting marked as complete(2), then the PS MUST remove all previously configured rules from the configured ruleset, including any rules in cabhSec2FwFilterScheduleTable table before applying the firewall filter settings contained in the configuration file. If cabhSec2FwClearPreviousRuleset is set to increment(1) using SNMP, the PS MUST treat all of the following firewall filter settings using SNMP as an increment to the configured ruleset. If cabhSec2FwClearPreviousRuleset is set to incrementDefault(3) using SNMP, the PS MUST remove all previously configured rules from the configured ruleset, including any rules in the filter schedule table and treat all of the following firewall filter settings using SNMP as an increment on top of the factory default policy. If cabhSec2FwClearPreviousRuleset is set to complete(2), then the PS MUST remove all rules from the configured ruleset, including any rules in the filter schedule table. In this scenario the PS will operate without any configured rules, (e.g. there will be no defined filtering rules, but the firewall will still provide the minimum set of capabilities and architecture). Enumeration: 'incrementDefault': 3, 'complete': 2, 'increment': 1.

This parameter indicates which policy should currently be running in the firewall, either the factoryDefault policy or the configuredRuleset. Enumeration: 'configuredRuleset': 2, 'factoryDefault': 1.

If set to 'true', entries in cabhSec2FwEventControlEntry are set to their default values. Reading this value always returns false.

The value of sysUpTime when cabhSec2FwEventSetToFactory was last set to true. Zero if never reset.

Contains the location of the last successfull downloaded policy rule set file in the format pointed in the reference. If a successful download has not yet occurred, this MIB object should report empty string.

This table controls the reporting of the Firewall Attacks events

Allows configuration of the reporting mechanisms for a particular type of attack.

Classification of the different types of attacks. Type 1 logs all attempts from both LAN and WAN clients to traverse the Firewall that violate the Security Policy. Type 2 logs identified Denial of Service attack attempts. Type 3 logs all changes made to the cabhSec2FwPolicyFileURL, cabhSec2FwPolicyFileCurrentVersion or cabhSec2FwPolicyFileEnable objects. Type 4 logs all failed attempts to modify cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable objects. Type 5 logs allowed inbound packets from the WAN. Type 6 logs allowed outbound packets from the LAN. Enumeration: 'type5': 5, 'type4': 4, 'type6': 6, 'type1': 1, 'type3': 3, 'type2': 2.

Enables or disables counting and logging of firewall events by type as assigned by cabhSec2FwEventType. Enumeration: 'disabled': 2, 'enabled': 1.

Number of attacks to count before sending the appropriate event by type as assigned by cabhSec2FwEventType.

Indicates the time interval in hours to count and log occurrences of a firewall event type as assigned in cabhSec2FwEventType. If this MIB has a value of zero then there is no interval assigned and the PS will not count or log events.

Indicates the current count up to the cabhSec2FwEventThreshold value by type as assigned by cabhSec2FwEventType.

Setting this object to true clears the log table for the specified event type. Reading this object always returns false.

The value of sysUpTime when cabhSec2FwEventLogReset was last set to true. Zero if never reset.

Contains a log of packet information as related to events enabled by the cable operator. The types are defined in the CableHome 1.1 specification and require various objects to be included in the log. The following is a description for what is expected in the log for each type Type 1, Type 2, Type 5 and Type 6 table MUST include cabhSec2FwEventType, cabhSec2FwEventPriority, cabhSec2FwEventId, cabhSec2FwLogTime, cabhSec2FwIpProtocol, cabhSec2FwIpSourceAddr, cabhSec2FwIpDestAddr, cabhSec2FwIpSourcePort, cabhSec2FwIpDestPort, cabhSec2Fw, cabhSec2FwReplayCount. The other values not used by types 1, 2, 5 and 6 are default values. Type 3 and Type 4 MUST include cabhSec2FwEventType, cabhSec2FwEventPriority, cabhSec2FwEventId, cabhSec2FwLogTime, cabhSec2FwIpSourceAddr, cabhSec2FwLogMIBPointer. The other values not used by type 3 and 4 are default values.

Each entry contains the log of firewall events

A sequence number for the specific events under a cabhSec2FwEventType.

Classification of the different types of attacks. Type 1 logs all attempts from both LAN and WAN clients to traverse the Firewall that violate the Security Policy. Type 2 logs identified Denial of Service attack attempts. Type 3 logs all changes made to the cabhSec2FwPolicyFileURL, cabhSec2FwPolicyFileCurrentVersion or cabhSec2FwPolicyFileEnable objects. Type 4 logs all failed attempts to modify cabhSec2FwPolicyFileURL and cabhSec2FwPolicyFileEnable objects. Type 5 logs allowed inbound packets from the WAN. Type 6 logs allowed outbound packets from the LAN. Enumeration: 'type5': 5, 'type4': 4, 'type6': 6, 'type1': 1, 'type3': 3, 'type2': 2.

The priority level of this event as defined by CableHome Specification. If a priority is not assigned in the CableHome specification for a particular event then the vendor or cable operator may assign priorities. These are ordered from most serious (emergency) to least serious (debug). Enumeration: 'information': 7, 'notice': 6, 'emergency': 1, 'alert': 2, 'critical': 3, 'error': 4, 'debug': 8, 'warning': 5.

The assigned event ID.

The time that this entry was created by the PS.

The IP Protocol

The type of IP addresses in the packet

The Source IP Address of the packet logged. The address type of this object is specified by cabhSec2FwLogIpAddrType.

The Destination IP Address of the packet logged. The address type of this object is specified by cabhSec2FwLogIpAddrType.

The Source IP Port of the packet logged

The Source IP Port of the packet logged

The ICMP defined types.

The number of identical attack packets that were seen by the firewall based on cabhSec2FwLogIpProtocol, cabhSec2FwLogIpSourceAddr, cabhSec2FwLogIpDestAddr, cabhSec2FwLogIpSourcePort, cabhSec2FwLogIpDestPort and cabhSec2FwLogMessageType

Identifies if the cabhSec2FwPolicyFileURL or the cabhSec2FwEnable MIB object changed or an attempt was made to change it.

Extends the filtering matching parameters of docsDevFilterIpTable defined in RFC 2669 for CableHome Residential Gateways to include time day intervals and days of the week.

Extended values for entries of docsDevFilterIpTable. If the PS has not acquired ToD the entire docsDevFilterIpEntry rule set is ignored.

The start time, with optional time zone, for a firewall filter ruleset. Only the time portion of the DateAndTime TEXTUAL-CONVENTION have a meaning.

The end time, with optional time zone, for a firewall filter ruleset. Only the time portion of the DateAndTime TEXTUAL-CONVENTION have a meaning.

If the day of week bit associated with the PS given day is '1', this object criteria matches. Bits: 'monday': 1, 'tuesday': 2, 'friday': 5, 'wednesday': 3, 'thursday': 4, 'sunday': 0, 'saturday': 6.

The compliance statement for CableHome Security.

Group of objects in CableHome 1.0 Firewall MIB.

Group of objects in CableHome gateway for PS Certificate.

Group of objects in CableHome gateway for Kerberos.

Group of objects in CableHome 1.1 Firewall MIB.