SNMPv3

Snmp v3 is described in many RFC, like RFC3414 and so on.

History and security of the various SNMP versions are easy to find and well known, let’s focus on configuration.

SNMPv3 can work in three ways:

  • noAuthNoPriv

  • authNoPriv

  • authPriv

For the tests I use a Cisco871 as snmp-server and a OSX computer to walk the MIBs.

noAuthNoPriv No authorization, no encryption

Router configuration;

R(config)#snmp-server view noAuthNoPriv internet included
R(config)#snmp-server user user1 noAuthNoPriv v3
R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv

Query from OSX

snmpwalk -v 3 -l noAuthNoPriv -u user1 10.1.0.254

The data is not encrypted, the username is cleartext.

Now we implement the first security level, authorization.

**authNoPriv Authorization required, data is not encrypted ** Router configuration:

R(config)#snmp-server user user2 authNoPriv v3 auth sha CISCO123
R(config)#snmp-server group authNoPriv v3 auth read authNoPriv
R(config)#snmp-server view authNoPriv internet included

Query from OSX:

snmpwalk -v 3 -a SHA -A CISCO123 -l authNoPriv -u user2 10.1.0.254

“Authenticated: Set”, we can still see the username “user2”.

Next step: privacy (encryption).

authPriv Authorization required, data is encrypted

Router configuration:

R(config)#snmp-server user user3 authPriv v3 auth sha CISCO123 priv aes 128 CISCO123
R(config)#snmp-server view authPriv internet included
R(config)#snmp-server group authPriv v3 priv read authPriv 

Query from OSX:

snmpwalk -v 3 -a SHA -A CISCO123 -x AES -X CISCO123 -l authPriv -u user3 10.1.0.254

SNMP is often referred as “Security in Not My Problem”, v3 gives as an acceptable security level to use it with confidence.

 
comments powered by Disqus