3Com 6.0.4.6 SNMP, CLI Access, Web Access, set snmp community, set ip snmp server disable, set ip https server enable

■Access to 3WXM. To secure access, configure user accounts within 3WXM.

■Access to the 3WXM monitoring service. To secure access, configure user accounts within the moni- toring service.

■Do not use passwords that are easy to guess, such as vehicle registration plates, family birthdays and names, or common words. Use combinations of uppercase and lowercase letters as well as num- bers in all passwords.

SNMP is disabled by default. 3Com recommends that you leave SNMP disabled unless you are using 3Com Network Director or a similar product to manage your wired network. If you do need to use SNMP, do not use the well-known community strings public (com- monly used for read-only access) or private (com- monly used for read-write access.) By default, no SNMP community strings are configured. Use SNMP on an isolated management VLAN so that the clear text community strings are not visible on the public network.

To disable SNMP (if not already disabled), use the set ip snmp server disable command.

To change the community strings, use the set snmp community command.

MSS allows CLI access through the console, through Telnet, and through SSH. Console and SSH access are enabled by default. Telnet is disabled by default.

Configure a username and password, so that MSS requires login even for console access. Usernames and their passwords are not specific to the type of management access. You can use the same username and password for access through the console, Telnet, or SSH.

Leave Telnet disabled unless you need it. Use SSH instead.

WebView uses HTTPS for encrypted communications and certificate-based server authentication, and requires use of the enable password.

WebView access through HTTPS is disabled by default. Unless you need to use WebView, leave the HTTPS server on the WX switch disabled. (Even though 3WXM also uses HTTPS, disabling the HTTPS server does not disable access by 3WXM.)

If you do need to use WebView, you can enable it using the set ip https server enable command. Use the following best practices to preserve or increase the security level related to Web access:

■Use an enable password that follows the password recommendations given above.

■Use a CA-signed certificate instead of a self-signed certificate on the WX switch.

If a user’s client does not trust the certificate, the user might experience an additional delay during login. To avoid the additional delay, use a certificate signed by your CA or an Internet CA.