Understanding the different security levels in SNMPv3.
SNMPv3 operates in one of three security levels:
- noAuthNoPriv
- authNoPriv
- authPriv
The following graph shows the various levels of security in SNMPv1 through v3.
First, SNMPv1 and v2c are weak with regard to security in that they rely on community strings. Until recently, access was controlled only by a read-only (RO) or read-write (RW) community string for get/set operations, with no means to restrict which users could present a given community, nor to limit which MIBs that community could read or write.
The following shows the level of security in SNMPv1 through v3.
With SNMP views we can block and control access to specific MIBs/OIDs. Note that SNMP views can be applied on numerous Cisco devices and to any version of SNMP (v1 through v3), so they help even where v3 is not an option; keep in mind that a view restricts what a community or user can reach, not who is allowed to present that community.
So what are noAuthNoPriv, authNoPriv and authPriv?
Simply put, the first provides no authentication and no privacy; the second validates the user by authentication and protects the integrity of the data; and the third provides authentication (who are you), integrity of the message, and privacy (encryption) of the SNMP traffic. Privacy always comes with authentication: the USM security model has no priv-without-auth level.
Here is example data seen in the wild with noAuthNoPriv:
1.712879 172.23.44.77 -> 11.11.11.131 SNMP getBulkRequest
IF-MIB::ifIndex IF-MIB::ifSpeed IF-MIB::ifHighSpeed IF-MIB::ifDescr
IF-MIB::ifOperStatus IF-MIB::ifAlias IF-MIB::ifName
The request in this case is a GetBulkRequest, and the OIDs being queried are in the clear. Anybody in the path who intercepts this request or its response can read the data exchanged between the network manager and the agent (here, interface names, descriptions, speeds, aliases and operational status).
Here is the same exchange, but now encrypted:
1.712879 172.23.44.77 -> 11.11.11.131 SNMP encryptedPDU:
privKey Unknown
The data is fully encrypted and protected from a man-in-the-middle (MITM) or any other external eyes. I should also mention that in the above examples both the requests and the responses would be encrypted. Two caveats: at authPriv only the scoped PDU is encrypted, so the SNMPv3 header and the USM security parameters (engine ID, user name, engine boots/time) still travel in the clear; and it is the authentication part of authPriv that stops an attacker from injecting or altering requests, since encryption alone would only hide them.
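The following is an added example, written for this page rather than taken from the original post or any vendor, that shows what the on-path observer in the two captures above can actually see. It builds constructed SNMPv2c and SNMPv3 datagrams for each security level with a minimal BER encoder (the authPriv "ciphertext" is a zero-filled stand-in, not real DES/AES output) and classifies them from the header alone: the msgFlags byte gives the level, the tag of msgData tells a plaintext scopedPDU (SEQUENCE) from an encryptedPDU (OCTET STRING), and the USM parameters show that the user name and engine ID are readable at every level. The engine ID, user names, request IDs and community string are made up; the OIDs are IF-MIB::ifDescr and IF-MIB::ifOperStatus from the capture.

```python
"""Tell the SNMP security level from the wire (added example, constructed traffic)."""

AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04
LEVELS = {0x00: "noAuthNoPriv", AUTH_FLAG: "authNoPriv", AUTH_FLAG | PRIV_FLAG: "authPriv"}
SEQUENCE, OCTET_STRING, INTEGER, OID, NULL, GET_BULK = 0x30, 0x04, 0x02, 0x06, 0x05, 0xA5

# --- minimal definite-length BER, which is all SNMP uses -------------------
def tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def integer(n: int) -> bytes:
    # Non-negative values only; the extra byte keeps the sign bit clear.
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

# --- constructed sample traffic, mirroring the getBulkRequest in the capture ---
IF_DESCR = bytes.fromhex("2b0601020102020102")             # IF-MIB::ifDescr 1.3.6.1.2.1.2.2.1.2
IF_OPER_STATUS = bytes.fromhex("2b0601020102020108")       # IF-MIB::ifOperStatus 1.3.6.1.2.1.2.2.1.8
ENGINE_ID = bytes.fromhex("80001f8880a1b2c3d4e5f60708")    # made-up snmpEngineID

def get_bulk_pdu(request_id: int, oids) -> bytes:
    varbinds = b"".join(tlv(SEQUENCE, tlv(OID, oid) + tlv(NULL, b"")) for oid in oids)
    return tlv(GET_BULK, integer(request_id) + integer(0) + integer(10) + tlv(SEQUENCE, varbinds))

def v2c_message(community: bytes, pdu: bytes) -> bytes:
    return tlv(SEQUENCE, integer(1) + tlv(OCTET_STRING, community) + pdu)

def v3_message(level: str, user: bytes, pdu: bytes) -> bytes:
    flags = {"noAuthNoPriv": 0, "authNoPriv": AUTH_FLAG,
             "authPriv": AUTH_FLAG | PRIV_FLAG}[level] | REPORTABLE_FLAG
    scoped = tlv(SEQUENCE, tlv(OCTET_STRING, ENGINE_ID) + tlv(OCTET_STRING, b"") + pdu)
    usm = tlv(SEQUENCE, tlv(OCTET_STRING, ENGINE_ID) + integer(7) + integer(4242)
              + tlv(OCTET_STRING, user)
              + tlv(OCTET_STRING, bytes(12) if flags & AUTH_FLAG else b"")   # msgAuthenticationParameters
              + tlv(OCTET_STRING, bytes(8) if flags & PRIV_FLAG else b""))   # msgPrivacyParameters
    header = tlv(SEQUENCE, integer(0x1234) + integer(65507) + tlv(OCTET_STRING, bytes([flags])) + integer(3))
    # At authPriv the scopedPDU travels as an OCTET STRING of ciphertext; zeros stand in for DES/AES output.
    body = tlv(OCTET_STRING, bytes(len(scoped))) if flags & PRIV_FLAG else scoped
    return tlv(SEQUENCE, integer(3) + header + tlv(OCTET_STRING, usm) + body)

def classify(packet: bytes) -> dict:
    """What someone on the path learns from one datagram without holding any keys."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                                     # SNMPv1 / SNMPv2c: community in the clear
        _, community, _ = read_tlv(msg, pos)
        return {"version": "v1" if version == 0 else "v2c", "level": "noAuthNoPriv",
                "community": community.decode(errors="replace"), "pdu_in_clear": True}
    if version != 3:
        raise ValueError(f"unsupported SNMP version {version}")
    _, gdata, pos = read_tlv(msg, pos)
    _, _msg_id, p = read_tlv(gdata, 0)
    _, _max_size, p = read_tlv(gdata, p)
    _, flags, _ = read_tlv(gdata, p)
    _, secparams, pos = read_tlv(msg, pos)
    data_tag, _, _ = read_tlv(msg, pos)
    pdu_in_clear = data_tag == SEQUENCE          # SEQUENCE = plaintext scopedPDU, OCTET STRING = encryptedPDU
    _, usm, _ = read_tlv(secparams, 0)           # USM parameters are never encrypted
    _, engine_id, q = read_tlv(usm, 0)
    _, _boots, q = read_tlv(usm, q)
    _, _time, q = read_tlv(usm, q)
    _, user, _ = read_tlv(usm, q)
    f = flags[0] & (AUTH_FLAG | PRIV_FLAG)
    return {"version": "v3",
            "level": LEVELS.get(f, "invalid (priv without auth)"),   # 0x02 is illegal per RFC 3412
            "user": user.decode(errors="replace"), "engine_id": engine_id.hex(),
            "pdu_in_clear": pdu_in_clear,
            "flags_match_body": bool(flags[0] & PRIV_FLAG) != pdu_in_clear}

PDU = get_bulk_pdu(0x5EED, [IF_DESCR, IF_OPER_STATUS])
SAMPLES = {
    "v2c": v2c_message(b"public", PDU),
    "noAuthNoPriv": v3_message("noAuthNoPriv", b"nms", PDU),
    "authNoPriv": v3_message("authNoPriv", b"nmsmgr", PDU),
    "authPriv": v3_message("authPriv", b"nms", PDU),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {len(pkt):3d} bytes -> {classify(pkt)}")
```

The `flags_match_body` check is the kind of sanity test a detection rule can apply to real captures: a packet that sets the priv flag but carries a plaintext SEQUENCE as msgData, or the reverse, is malformed and worth alerting on. The same parser can be pointed at the UDP payload of a pcap to count how much of your management traffic is still v2c or noAuthNoPriv.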
Okay, so why would I choose one over the other? Well, that all depends on your SNMP manager's and agents' capabilities. The security level authPriv provides the greatest protection against threats that include, but are not limited to, data harvesting, spoofed or replayed requests, and the leaking of sensitive information. It does not by itself stop a denial of service: the agent still has to receive and check every packet thrown at it.
Your company should have a security policy in place to analyze the risks of SNMP traffic both internal and external to your network. My thoughts on the matter have been to always deploy SNMPv3, both internally and externally, but that has not always been doable.
Example: most Nagios plugins are badly written for SNMPv3 and need to be rebuilt.
If the above is not immediately doable and you must query items from abroad, you can rely on network encryption via IPsec. This would protect against MITM on the tunnel, but I must warn you that the traffic on the segments outside the IPsec tunnel, before encryption and after decryption, is still vulnerable to compromise. If you can't 100% validate that those segments are secured, you might want to take a hard stance and mandate SNMPv3-compliant network managers and agents, or build the IPsec tunnel from the devices that operate as SNMP manager and agent themselves.
Second, I would not rely on just SNMPv1/v2c with an RW community and ACLs. SNMP runs over UDP, so these packets can be spoofed: an attacker who knows the community can send GET/SET requests from a source address the ACL permits, and for a SET he/she does not even need to see the response.
Bottom line: if you are in a sector that demands the highest level of security for your management traffic, SNMPv3 is a must.
Now, when we deploy SNMPv3, a few items about Cisco. Not all Cisco devices support all levels of encryption; yep, DES, 3DES and even AES are not always supported (it depends on the platform and the IOS image). Where the platform allows it, prefer SHA for authentication and AES for privacy: 56-bit DES and MD5 are the legacy choices and the weakest of the set.
Here's a sample of various devices with their SNMPv3 configurations;
(Cisco 7600, des56 only)
snmp-server group drsv v3 priv read drsvread
snmp-server view drsvread iso included
snmp-server view drsvread mib-2 included
snmp-server view drsvread system included
snmp-server view drsvread cisco included
snmp-server location NAPMIA.34AC1_11
snmp-server contact xxxx@hyperfeed.com
snmp-server user kfelix drsv v3 auth md5 sedddddddd priv des56 seddddddddddd
( Fortigate 3800 )
config system snmp user
edit "nms"
set security-level auth-priv
set auth-pwd ENC bml0eRNv/GC4Z/gohnk2CtHn82+qdPCudgyRs3JUKGa0aAADtcU374bFVCDcthiL6ei50JhXIE8xdWJnllCXJnc1ZCBHUZ1gxFg96X2/5sJRLQc/
set priv-pwd ENC bml0eRNv/GC4Z/goAaqdFIIERklHDjSBe+/lfitWy2Sk9YehrJILBSaNibWIxGolx4XMjlSC7NxqW/6hbx+SEWvcHf6KOHEsxBM+QxxNnb64PuSR
next
edit "nmsmgr"
set security-level auth-no-priv
set auth-proto md5
set auth-pwd ENC bml0efK1pWEonL7waf7UNccVmJkkfWnjOpE6S1bY/JtqzB7qcfbGzG/k5KU63Zt4rAyYqb2fCFH9AiRsPMWaL52Aah7j5KtmehgniCJ+J6R1Xa3d
next
end
(Nexus)
mia_drscr01# sh snmp user
______________________________________________________________
SNMP USERS
______________________________________________________________
User Auth Priv(enforce) Groups
____ ____ _____________ ______
nms sha aes-128(no) network-operator
adminnet sha des(no) network-admin
opsview sha aes-128(no) network-operator
______________________________________________________________
NOTIFICATION TARGET USERS (configured for sending V3 Inform)
______________________________________________________________
User Auth Priv
______________________________________________________________
mia_drscr01# sh run | i snmp
logging level snmpd 0
snmp-server user nms network-operator auth sha 0xe31234a06ae8c98664099643e2af8691902d6a007f priv aes-128 0xf50691b2d701460ab236c912feaf486bcd2f224c localizedkey
snmp-server user adminnet network-admin auth sha 0xe323a06ae8c98664099643e2af8691902d6a007f priv 0xe323a06ae8c98664099643e2af8691902d6a007f localizedkey
snmp-server user opsview network-operator auth sha 0xd0ce4972bf941c2bbb8d2cacbb813e3df14f8a90 priv aes-128 0x960230beaebb516cb7ecdb3abca22137ac1ae0d86 localizedkey
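The hex values after `auth sha` and `priv aes-128` in the Nexus lines above are not passwords: the `localizedkey` keyword means they are keys already localized to this switch's snmpEngineID, which is why they cannot be copied onto another device. The following added example, written for this page and not taken from the original post or from Cisco, implements the RFC 3414 USM key handling behind the authNoPriv/authPriv levels described earlier: the password is stretched to 1 MiB and hashed to Ku, Ku is localized to the agent's engine ID to give Kul, and Kul keys an HMAC over the whole message, truncated to 96 bits, that the receiver recomputes. It checks itself against the RFC 3414 appendix A.3 test vectors (password `maplesyrup`, engine ID `00..02`); the message bytes, the offset 40 of the authentication field and the second engine ID `00..03` are constructed stand-ins.

```python
"""RFC 3414 USM key derivation and HMAC-96 message authentication (added example)."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12     # usmHMACMD5AuthProtocol and usmHMACSHAAuthProtocol both truncate to 96 bits
ONE_MIB = 1048576

def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(first 1,048,576 bytes of the password repeated end to end)."""
    if not password:
        raise ValueError("empty password")
    reps = -(-ONE_MIB // len(password))                  # ceiling division
    return hashlib.new(algo, (password * reps)[:ONE_MIB]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); this is what a 'localizedkey' line stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def derive_localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)

def _with_zeroed_auth(message: bytes, offset: int) -> bytes:
    # The HMAC is computed with msgAuthenticationParameters set to 12 zero bytes.
    return message[:offset] + bytes(AUTH_PARAMS_LEN) + message[offset + AUTH_PARAMS_LEN:]

def sign_message(kul: bytes, message: bytes, offset: int, algo: str) -> bytes:
    """Fill the 12-byte msgAuthenticationParameters field at `offset` with HMAC-96 over the whole message."""
    if len(message) < offset + AUTH_PARAMS_LEN:
        raise ValueError("message too short for the auth field at that offset")
    zeroed = _with_zeroed_auth(message, offset)
    mac = hmac.new(kul, zeroed, algo).digest()[:AUTH_PARAMS_LEN]
    return zeroed[:offset] + mac + zeroed[offset + AUTH_PARAMS_LEN:]

def verify_message(kul: bytes, message: bytes, offset: int, algo: str) -> bool:
    """Recompute the HMAC with the field zeroed and compare in constant time."""
    if len(message) < offset + AUTH_PARAMS_LEN:
        return False
    received = message[offset:offset + AUTH_PARAMS_LEN]
    expected = hmac.new(kul, _with_zeroed_auth(message, offset), algo).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)

# RFC 3414 appendix A.3 inputs: password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")   # constructed: a different box, same password

def demo_sign_verify(algo: str = "sha1"):
    """Sign a constructed message; return (genuine ok, tampered ok, other engine's key ok)."""
    kul = derive_localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo)
    offset = 40
    # Stand-in bytes, not real BER: a header, the zeroed auth field at offset 40, then "the PDU".
    message = b"\x30" + bytes(offset - 1) + bytes(AUTH_PARAMS_LEN) + b"scopedPDU-bytes"
    signed = sign_message(kul, message, offset, algo)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])          # flip one bit of the payload
    other_box = derive_localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, algo)
    return (verify_message(kul, signed, offset, algo),
            verify_message(kul, tampered, offset, algo),
            verify_message(other_box, signed, offset, algo))

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku = password_to_key(RFC_PASSWORD, algo)
        print(algo, "Ku =", ku.hex(), "Kul =", localize_key(ku, RFC_ENGINE_ID, algo).hex())
    print("genuine / tampered / wrong engine:", demo_sign_verify("sha1"))
```

Run stand-alone it prints the Ku and Kul values, which should match the vectors in RFC 3414 A.3.1 (MD5) and A.3.2 (SHA). The third result of `demo_sign_verify` is the practical point behind `localizedkey`: the same password produces a different Kul on every engine ID, so a localized key lifted from one switch's configuration does not authenticate against another, while the password itself would.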
I hope you found this post interesting. I will discuss more about SNMP tools such as
- snmpset
- snmpget
- snmpwalk
later on down the line.
Freelance Network and Security
Kfelix " a t " hyperfeed.com