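-- extracted from draft-jones-cable-gateway-security-mib-00.txt at Sat Nov 2 06:10:56 2002
--
-- NOTE(review): an ASN.1 comment ends at end of line or at the next
-- occurrence of two hyphens, so no comment line in this module carries a
-- second comment marker; the original extraction had collapsed the module
-- onto a few lines, which silently turned comment text into tokens.

CABH-SEC-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE
        FROM SNMPv2-SMI
    OBJECT-GROUP, MODULE-COMPLIANCE
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    X509Certificate
        FROM DOCS-BPI2-MIB
    clabProjCableHome
        FROM CLAB-DEF-MIB;

-- ==========================================================================
--
-- History:
--
--   Date        Modified by   Reason
--   04/05/02                  Issued I01
--   09/20/02                  Issued I02
--   10/25/02    IETF          I-D revisions
--
-- ==========================================================================

cabhSecMib MODULE-IDENTITY
    LAST-UPDATED "200210250000Z" -- October 25, 2002
    ORGANIZATION "CableLabs Broadband Access Department"
    CONTACT-INFO
        "Kevin Luehrs
         Postal: Cable Television Laboratories, Inc.
                 400 Centennial Parkway
                 Louisville, Colorado 80027-1266
                 U.S.A.
         Phone:  +1 303-661-9100
         Fax:    +1 303-661-9199
         E-mail: k.luehrs@cablelabs.com"
    DESCRIPTION
        "This MIB module supplies the basic management objects for the
         security functionality of the CableHome Portal Services (PS):
         control of the firewall policy (rule set) file download, control
         of firewall event logging, and read access to the PS certificate.

         Acknowledgements:
         Roy Spitzer - Consultant to CableLabs
         Chris Zacker - Broadcom Visiting Engineer"
    -- REVISION clauses reconstructed from the History table above so that
    -- LAST-UPDATED matches the most recent revision as SMIv2 expects.
    REVISION "200210250000Z" -- October 25, 2002
    DESCRIPTION
        "IETF Internet-Draft revisions."
    REVISION "200209200000Z" -- September 20, 2002
    DESCRIPTION
        "Issued I02."
    REVISION "200204050000Z" -- April 5, 2002
    DESCRIPTION
        "Issued I01. Initial version."
    ::= { clabProjCableHome 2 }

-- Object identifier assignments (this module defines no textual conventions)

cabhSecFwObjects   OBJECT IDENTIFIER ::= { cabhSecMib 1 }
cabhSecFwBase      OBJECT IDENTIFIER ::= { cabhSecFwObjects 1 }
cabhSecFwLogCtl    OBJECT IDENTIFIER ::= { cabhSecFwObjects 2 }
cabhSecCertObjects OBJECT IDENTIFIER ::= { cabhSecMib 2 }

-- ==========================================================================
-- Firewall base objects
--
-- Security note (review): cabhSecFwPolicyFileURL and cabhSecFwPolicyFileHash
-- are both read-write. Whoever can set them can load an arbitrary rule set
-- into the PS, because the file is fetched over TFTP (no transport
-- authentication or integrity) and the only integrity check is the hash
-- supplied through this same MIB. The hash is therefore not a signature: it
-- protects against a corrupted or substituted TFTP transfer, not against a
-- manager that can write these objects. Write access to this subtree should
-- be limited to authenticated managers (SNMPv3 USM with VACM) and changes
-- should be logged (see cabhSecFwEventType3Enable).
-- ==========================================================================

cabhSecFwPolicyFileEnable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),
                    disable(2)
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables the firewall functionality of the PS. The
         default is enable(1), so the firewall is active unless it is
         explicitly disabled."
    DEFVAL      { enable }
    ::= { cabhSecFwBase 1 }

cabhSecFwPolicyFileURL OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The location of the firewall policy rule set file, given as a TFTP
         URL that names the server IP address and the file name. Setting
         this object triggers a download of the file. Because TFTP provides
         no authentication or integrity protection, cabhSecFwPolicyFileHash
         is set to the expected SHA-1 hash of the file before this object is
         set, so that the downloaded file can be verified. Progress and
         outcome of the download are reported in
         cabhSecFwPolicyFileOperStatus."
    ::= { cabhSecFwBase 2 }

-- NOTE(review): the original text described how the hash is delivered but
-- never said what the PS does with it; the verification step below makes
-- the implied check explicit.
cabhSecFwPolicyFileHash OBJECT-TYPE
    SYNTAX      OCTET STRING (SIZE(20))
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The SHA-1 hash (160 bits, binary encoded) of the contents of the
         rule set file named by cabhSecFwPolicyFileURL. It is calculated by
         the provisioning or management system and set on the PS before the
         URL is set and the download is triggered. After the download the
         PS computes SHA-1 over the received file and compares it with this
         value; a file whose hash does not match MUST NOT be applied, and
         the download is reported as failed(4) in
         cabhSecFwPolicyFileOperStatus.

         This value provides integrity for the TFTP transfer only. It is
         not a signature: any manager that can write this object can also
         write cabhSecFwPolicyFileURL, so the protection it gives depends
         on SNMP write access to both objects being restricted to
         authenticated managers."
    ::= { cabhSecFwBase 3 }

-- NOTE(review): the original DESCRIPTION of this object was copied from
-- docsDevSwOperStatus and spoke of software upgrades and of setting
-- docsDevSwAdminStatus, neither of which exists in this module. It is
-- reworded here for the rule set file download that this object reports.
cabhSecFwPolicyFileOperStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    inProgress(1),
                    completeFromProvisioning(2),
                    completeFromMgt(3),
                    failed(4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The state of the most recent rule set file download.

         inProgress(1) indicates that a TFTP download of the rule set file
         is underway, either because of a rule set version mismatch
         detected at provisioning or because cabhSecFwPolicyFileURL was
         set by a management request.

         completeFromProvisioning(2) indicates that the last rule set
         download succeeded and was initiated by a version mismatch at
         provisioning.

         completeFromMgt(3) indicates that the last rule set download
         succeeded and was initiated by setting cabhSecFwPolicyFileURL
         from a management station.

         failed(4) indicates that the last attempted download did not
         complete successfully, ordinarily because of a TFTP timeout or
         because the received file did not match
         cabhSecFwPolicyFileHash."
    ::= { cabhSecFwBase 4 }

cabhSecFwPolicyFileCurrentVersion OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The version of the rule set currently operating in the PS, in
         whatever syntax the individual vendor uses to identify software
         versions. Any PS element MUST return a string describing the
         currently loaded rule set file. If no version is applicable, this
         object MUST contain an empty string."
    ::= { cabhSecFwBase 5 }

-- ==========================================================================
-- Firewall log control
--
-- All three event classes default to disable(2), the alert threshold
-- defaults to its maximum and the alert period defaults to 0 hours (no
-- tracking). A freshly provisioned PS therefore logs nothing and raises no
-- alerts until an operator configures these objects.
-- ==========================================================================

cabhSecFwEventType1Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),   -- log event
                    disable(2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 1 firewall event messages.
         Type 1 events report attempts by private and public clients to
         traverse the firewall in violation of the security policy."
    DEFVAL      { disable }
    ::= { cabhSecFwLogCtl 1 }

cabhSecFwEventType2Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),   -- log event
                    disable(2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 2 firewall event messages.
         Type 2 events report identified denial of service attack
         attempts."
    DEFVAL      { disable }
    ::= { cabhSecFwLogCtl 2 }

-- NOTE(review): cabhSecFwPolicyFileHash was missing from the list of
-- audited parameters although, together with the URL, it is what selects
-- the rule set the PS will enforce; it is added below. The original list
-- also named cabhSecFwPolicyFileCurrentVersion, which is read-only and
-- changes only as a result of a download; that is stated explicitly.
cabhSecFwEventType3Enable OBJECT-TYPE
    SYNTAX      INTEGER {
                    enable(1),   -- log event
                    disable(2)   -- do not log event
                }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Enables or disables logging of type 3 firewall event messages.
         Type 3 events report changes to the firewall management
         parameters cabhSecFwPolicyFileEnable, cabhSecFwPolicyFileURL and
         cabhSecFwPolicyFileHash, and changes to
         cabhSecFwPolicyFileCurrentVersion resulting from a rule set
         download. These events form the audit trail for rule set
         replacement."
    DEFVAL      { disable }
    ::= { cabhSecFwLogCtl 3 }

cabhSecFwEventAttackAlertThreshold OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "If the number of type 1 or type 2 events (policy violations and
         identified denial of service attempts) observed within the period
         defined by cabhSecFwEventAttackAlertPeriod exceeds this threshold,
         a firewall event message MUST be logged with priority level 4.
         With the default period of 0 no events are tracked, so no alert
         is raised until both objects are configured."
    DEFVAL      { 65535 }
    ::= { cabhSecFwLogCtl 4 }

cabhSecFwEventAttackAlertPeriod OBJECT-TYPE
    SYNTAX      INTEGER (0..65535)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The sliding window, in hours, over which type 1 and type 2 events
         are counted against cabhSecFwEventAttackAlertThreshold. The PS
         keeps the most recent N hours of events: with a value of 10, when
         the 11th hour is reached the first hour of events is deleted from
         the tracking log. The default of 0 means a zero-length window, so
         no events are tracked until this object is configured."
    DEFVAL      { 0 }
    ::= { cabhSecFwLogCtl 5 }

-- ==========================================================================
-- Certificate objects
-- ==========================================================================

cabhSecCertPsCert OBJECT-TYPE
    SYNTAX      X509Certificate
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The DER-encoded X.509 certificate of the PS."
    REFERENCE
        "CableLabs 1.0 Specification version I01 (CH-SP-I01-020405),
         Section 11.3 Requirements (security requirements)"
    ::= { cabhSecCertObjects 1 }

-- ==========================================================================
-- Notifications and conformance
-- ==========================================================================

-- Reserved for future extension; no notifications are defined in this
-- version of the module. The usual SMIv2 layout would assign
-- { cabhSecMib 3 } to a notifications node and hang the 0 sub-arc under
-- it; the assignment is kept as issued.
cabhSecNotification OBJECT IDENTIFIER ::= { cabhSecMib 3 0 }

cabhSecConformance  OBJECT IDENTIFIER ::= { cabhSecMib 4 }
cabhSecCompliances  OBJECT IDENTIFIER ::= { cabhSecConformance 1 }
cabhSecGroups       OBJECT IDENTIFIER ::= { cabhSecConformance 2 }

-- Compliance statements

cabhSecBasicCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for the CableHome firewall and
         certificate objects."
    MODULE -- this module
        MANDATORY-GROUPS { cabhSecGroup }
    ::= { cabhSecCompliances 3 }

-- Object groups

cabhSecGroup OBJECT-GROUP
    OBJECTS {
        cabhSecFwPolicyFileEnable,
        cabhSecFwPolicyFileURL,
        cabhSecFwPolicyFileHash,
        cabhSecFwPolicyFileOperStatus,
        cabhSecFwPolicyFileCurrentVersion,
        cabhSecFwEventType1Enable,
        cabhSecFwEventType2Enable,
        cabhSecFwEventType3Enable,
        cabhSecFwEventAttackAlertThreshold,
        cabhSecFwEventAttackAlertPeriod,
        cabhSecCertPsCert
    }
    STATUS      current
    DESCRIPTION
        "The objects of the CableHome firewall and certificate MIB."
    ::= { cabhSecGroups 1 }

END

--
-- Copyright (C) The Internet Society (1999). All Rights Reserved.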
--
-- This document and translations of it may be copied and furnished to
-- others, and derivative works that comment on or otherwise explain it
-- or assist in its implementation may be prepared, copied, published
-- and distributed, in whole or in part, without restriction of any
-- kind, provided that the above copyright notice and this paragraph are
-- included on all such copies and derivative works. However, this
-- document itself may not be modified in any way, such as by removing
-- the copyright notice or references to the Internet Society or other
-- Internet organizations, except as needed for the purpose of
-- developing Internet standards in which case the procedures for
-- copyrights defined in the Internet Standards process must be
-- followed, or as required to translate it into languages other than
-- English.
-- The limited permissions granted above are perpetual and will not be
-- revoked by the Internet Society or its successors or assigns.
--
-- This document and the information contained herein is provided on an
-- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
--