SNMPv3 is described in several RFCs, such as RFC 3414.
The history and the security properties of the various SNMP versions are easy to find and well known, so let's focus on configuration.
For the tests I use a Cisco 871 as the snmp-server and an OS X computer to walk the MIBs.
SNMPv3 can work in three ways (security levels), shown below from weakest to strongest:
**noAuthNoPriv: no authentication, no encryption**
Router configuration:

```
R(config)#snmp-server view noAuthNoPriv internet included
R(config)#snmp-server user user1 noAuthNoPriv v3
R(config)#snmp-server group noAuthNoPriv v3 noauth read noAuthNoPriv
```
Query from OS X:

```
snmpwalk -v 3 -l noAuthNoPriv -u user1 10.1.0.254
```

Nothing is protected: the data is not encrypted and the username travels in cleartext.
Now we implement the first security level, authentication (the `auth` in authNoPriv).
**authNoPriv: authentication required, data is not encrypted**
Router configuration:

```
R(config)#snmp-server user user2 authNoPriv v3 auth sha CISCO123
R(config)#snmp-server group authNoPriv v3 auth read authNoPriv
R(config)#snmp-server view authNoPriv internet included
```
Query from OS X:

```
snmpwalk -v 3 -a SHA -A CISCO123 -l authNoPriv -u user2 10.1.0.254
```

A capture now shows the message flag “Authenticated: Set”, but the payload is still readable and we can still see the username “user2”.
Next step: privacy (encryption).
**authPriv: authentication required, data is encrypted**
Router configuration:

```
R(config)#snmp-server user user3 authPriv v3 auth sha CISCO123 priv aes 128 CISCO123
R(config)#snmp-server view authPriv internet included
R(config)#snmp-server group authPriv v3 priv read authPriv
```
Query from OS X:

```
snmpwalk -v 3 -a SHA -A CISCO123 -x AES -X CISCO123 -l authPriv -u user3 10.1.0.254
```
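As an added example that is not part of the original post, the Python below implements the RFC 3414 key derivation that both the router and snmpwalk perform on the `-A`/`-X` passwords: the password is hashed into Ku, then localized with the router's engine ID into Kul, and Kul is what keys the HMAC-SHA-96 behind “Authenticated: Set” and (its first 16 bytes) the AES-128 cipher. The engine ID used here is constructed for the demo; it also shows that reusing one passphrase for `auth` and `priv`, as the commands above do, makes the AES key a prefix of the authentication key.

```python
import hashlib
import hmac

# RFC 3414 A.2: the password is repeated until 1 MiB has been fed to the hash.
_EXPAND_LEN = 1048576


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """Ku: engine-independent key derived from the user's password (RFC 3414 A.2)."""
    pw = password.encode()
    reps, rem = divmod(_EXPAND_LEN, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul: bind Ku to one engine, so the key held by this router is useless elsewhere."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pw: str, priv_pw: str, engine_id: bytes,
             hash_name: str = "sha1", priv_len: int = 16):
    """Localized auth key and, for AES-128 (RFC 3826), the first 16 bytes of the
    localized priv key, as derived for 'auth sha ... priv aes 128 ...'."""
    kul_auth = localize_key(password_to_key(auth_pw, hash_name), engine_id, hash_name)
    kul_priv = localize_key(password_to_key(priv_pw, hash_name), engine_id, hash_name)
    return kul_auth, kul_priv[:priv_len]


def auth_param(kul_auth: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 6.3): the 12-byte msgAuthenticationParameters value
    the receiver recomputes before it sets 'Authenticated' on the message."""
    return hmac.new(kul_auth, whole_msg, hashlib.sha1).digest()[:12]


# Constructed engine ID for this demo; a real router prints its own with 'show snmp engineID'.
DEMO_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

if __name__ == "__main__":
    a, p = usm_keys("CISCO123", "CISCO123", DEMO_ENGINE_ID)
    print("auth Kul :", a.hex())
    print("priv key :", p.hex())
    print("priv key is a prefix of the auth key:", p == a[:16])
```

Because localization folds in the engine ID, the same `CISCO123` yields a different Kul on every router, which is why a captured key from one device does not carry over to another; distinct, long auth and priv passphrases keep the two protections from sharing a single secret.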
SNMP is often referred to as “Security is Not My Problem”; v3 gives us an acceptable security level to use it with confidence.