You want to enable SNMPv3 on your router for security purposes.
SNMPv3 supports three modes of operation, each with different security features. These modes were summarized in Table 17-1 at the beginning of this chapter. The following configuration commands enable SNMPv3 with no authentication and no encryption services (noAuthNoPriv):
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view TESTV3 mib-2 include Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3 Router(config)#snmp-server user WEAK NOTSAFE v3 Router(config)#end Router#
Use the following configuration commands to enable SNMPv3 with MD5 authentication and no encryption services (authNoPriv):
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view TESTV3 mib-2 include Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3 Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y Router(config)#end Router#
And you can enable SNMPv3 with MD5 authentication and DES encryption services (authPriv) as follows:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view TESTV3 mib-2 include Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3 Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy Router(config)#end Router#
The IETF has recently approved SNMP Version 3 (SNMPv3) as a full standard and moved SNMPv1 and SNMPv2 to historic status. Essentially, SNMPv3 just acts like a set of security extensions to SNMPv2c, without providing much new core management functionality. All MIB objects and their associated OIDs remain the same from Versions 1 to 3 (with the small exception of the 64-bit counters that were introduced in Version 2). We will focus our attention on the new security features in Version 3.
Security has traditionally been the Achilles heel of SNMP. The security model for Versions 1 and 2c was little more than a simple password sent through the network as clear-text. SNMP required a security facelift to continue to be useful in the future.
SNMPv3 is standards-based network management protocol that is interoperable between vendors. It provides a secure access to devices by providing authentication and encryption of SNMP packets throughout the network. To do this, SNMPv3 needed to include the following security features: authentication, message integrity, and encryption
Authentication ensures that the messages have originated from a valid source. It proves the authenticity of the packet's source.
Message integrity ensures that a packet has not been tampered with during transmission.
Encryption encodes the contents of the packet to prevent unauthorized people from viewing them.
SNMPv3 provides three security levels: noAuthNoPriv, authNoPriv, and authPriv.
noAuthNoPriv uses a username for authentication and most closely emulates the SNMPv1 and SNMPv2c authentication schemes of transmitting credentials in clear-text. We do not recommend this level of SNMPv3, because it provides no significant advantage over SNMPv2c. If the advanced security features of SNMPv3 are not required for your implementation, it is probably easier to use SNMPv1 or SNMPv2c.
authNoPriv provides authentication based on the MD5 or SHA algorithms. This security model provides packet authentication and message integrity, but no encryption services. Since SNMP packets are authenticated and cannot be altered in transit, this level of security is sufficient for most organizations.
authPriv provides the same MD5 or SHA authentication as authNoPriv. In addition, authPriv allows you to encrypt SNMP packets using 56-bit DES encryption, so packet contents cannot be viewed without authorization. This provides the maximum security available by combining authentication, message integrity, and encryption. The authPriv level of security is suitable for implementations that need to send SNMP packets through the public Internet.
All three SNMPv3 security models require the same three-step process to configure them. First, you must define an SNMP view. Second, you need to create an SNMP group. Third, you create an SNMP user profile and assign it to a group.
Defining an SNMP view for SNMPv3 is no different that creating a view for SNMPv1 or SNMPv2c. In fact, if there are existing SNMP views on the router that were created for SNMPv1 or SNMPv2c, you can use them with SNMPv3 as well. For more information on creating SNMP views, please see Recipe 17.7.
For example, here is a simple SNMP view that allows full access to the MIBII tree:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#end
Router#
To define an SNMPv3 group, use the following command:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3 Router(config)#end Router#
In this example, we have created a group named ORAROV3, which we have configured as an SNMPv3 group (hence the v3). We have configured this group to require authentication and assigned it to SNMP view TESTV3. Note that we have not assigned a write view to this group, which means that all users assigned to this group will be limited to read-only access. However, the snmp-server group command will also allow you to define a read and a write view at the same time. For example:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server view TESTRO mib-2 include Router(config)#snmp-server view TESTRW system include Router(config)#snmp-server group TESTGRP v3 auth read TESTRO write TESTRW Router(config)#end Router#
In this example, we defined two separate SNMP views (TESTRO and TESTRW) and assigned them to our group. Note, however, that you can assign the same SNMP view to both the read-only access and read-write groups.
To define an SNMPv3 user, use the following command:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy Router(config)#end Router#
In this example, we have created a user named bpugsley and assigned that user to our group named ORAROV3. This user will inherit the qualities that we have configured for that group. We have also defined that our user will use the MD5 algorithm for authentication purposes and assigned an authentication password of hockeyrules. We have also configured our user to use the optional DES56 packet encryption with the password shortguy to provide maximum security. Note that this command, once entered, will not be viewable using the show running-config command. We suspect that this is for security purposes.
To view existing SNMP groups, use the show snmp group command:
Router#show snmp group groupname: ORAROV3 security model:v3 auth readview :TESTV3 writeview: <no writeview specified> notifyview: <no notifyview specified> row status: active Router#
In this example, the group ORAROV3 is assigned to the security model v3 auth, the read-only view is TESTV3, and no read-write view exists.
To view the configured SNMPv3 users, use the following command:
Router#show snmp user User name: bpugsley Engine ID: 80000009030000019670B770 storage-type: nonvolatile active Router#
Unfortunately, this command provides very little useful information. Apart from confirming if a user exists or not, the output does not display which group the user belongs to, or if the user is configured to use authentication or encryption. When you consider that Cisco's IOS also hides the user SNMP commands from the running configuration, it becomes clear that managing SNMPv3 users is a difficult task. We hope that Cisco will change the output of this command in upcoming releases as SNMPv3 becomes more popular.
You can extract SNMP information from the router using each of the three SNMPv3 security levels. We will use NET-SNMP's snmpget command, which has full SNMPv3 support.
In our first example (noAuthNoPriv), we will poll the router for its system name using a standard MIB-II object, sysName.
Freebsd% snmpget -v3 -u WEAK -l noAuthNoPriv Router sysName.0 system.sysName.0 = Router.oreilly.com Freebsd%
Note that no user password was supplied, so the router simply accepted the user ID WEAK for authentication purposes. This user ID was sent through the network in clear-text. This command has also introduced two new attributes for the snmpget command: -u and -l. The -u attribute allows you to specify the security name, while -l defines the security level.
The next example uses the authNoPriv security model. We will poll the exact same MIB object using MD5 authentication:
Freebsd% snmpget -v3 -u cking -l authNoPriv -a MD5 -A daytona19y Router sysName.0 system.sysName.0 = Router.oreilly.com Freebsd%
In this example, we specify a user password daytona19y using the -A option and an the authentication protocol MD5 with the -a option. SNMPv3 uses the authentication protocol to authenticate users without sending the password in clear-text. It is important to notice that the result of this SNMP Get is the same as our first example. However, we gathered the information in a much more secure manner. In fact, the same MIB object (sysName) could be retrieved using SNMPv1 if the router was configured to accept the request. However, this method would be considerably less secure.
The final example illustrates how to poll an MIB object using the authentication and encryption services of the authPriv security model:
Freebsd% snmpget -v3 -u bpugsley -l authPriv -a MD5 -A hockeyrules -x DES -X shortguy Router sysName.0 system.sysName.0 = Router.oreilly.com Freebsd%
In this example, we added two new variables, privacy protocol type DES using -x DES and a privacy protocol pass phrase with -X shortguy. These variables enable SNMPv3 packet encryption and specify the pass phrase to use. This ensures that prying eyes cannot view the packet contents in transit. To illustrate the effectiveness of SNMPv3's encryption service, we provide a captured SNMPv3 packet. The packet was captured using the Ethereal protocol analyzer (for more information on Ethereal please see Appendix A):
Simple Network Management Protocol
Version: 3
Message Global Header
Message Global Header Length: 16
Message ID: 1608369049
Message Max Size: 1480
Flags: 0x03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
Message Security Model: USM
Message Security Parameters
Message Security Parameters Length: 58
Authoritative Engine ID: 80000009030000019670B780
Engine Boots: 2
Engine Time: 1469970
User Name: bpugsley
Authentication Parameter: B53EFA21230735541B207A39
Privacy Parameter: 00000002C483B016
Encrypted PDU (74 bytes)
The packet response from the router contains some useful SNMP information, such as current version, encryption enabled, authentication enabled, and username (bpugsley), but Ethereal is unable to decipher the payload (Encrypted PDU). This is significant because the other versions of SNMP—including the other security models within SNMPv3—transport payload information in clear-text. At last, SNMP has evolved into a secure protocol.
Of course, SNMPv3 also provides full support for traps and informs including authentication, message integrity, and encryption. SNMPv3 traps and informs support the same three models of security as inbound services do. However, the noAuthNoPriv model provides no tangible advantage over SNMPv1 or SNMPv2c, and the authPriv model tends to be overkill since few networks will require encrypted traps.
To enable SNMPv3 trap support using authentication and message integrity, use the following command:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#snmp-server host 172.25.1.1 version 3 auth ijbrown snmp envmon Router(config)#end Router#
The process of enabling SNMPv3 traps or informs is similar to the process for SNMPv2c, but with a few minor twists. First, you must define a SNMPv3 group and user, as in the previous examples. Second, you must include the keyword auth, which enables authentication. Third, you must include a valid SNMPv3 user (ijbrown, in this case). The router is then capable of forwarding SNMPv3 traps with full SNMPv3 authentication and message integrity enabled. For more information on enabling SNMP traps in general, see Recipe 17.13.
Recipe 17.1; Recipe 17.13; Recipe 17.7
|
|
|
| Top |