Monday, December 3, 2012

SNMPv3 (for security)

Understanding the different security levels in SNMPv3. SNMPv3 operates at one of three security levels:
  • noAuthNoPriv
  • authNoPriv
  • authPriv

The following figure (image not reproduced here) shows the various levels of security in SNMPv1 through v3.

First, SNMPv1 and v2c were weak with regards to security, in that they used community strings. A community is a cleartext password carried in every packet. Until recently, access relied only on an RO or RW community (RW being required for set operations); there was no way to restrict a user with access to that community, nor any way to limit which MIBs it could read or write.

The following figure shows the level of security in SNMPv1 through v3.

With SNMP views we can block and control access to certain MIBs/OIDs. Note that SNMP views can be applied on numerous Cisco devices and to any version of SNMP (1 through 3).

So what are noAuthNoPriv, authNoPriv and authPriv?

Simply put: the first provides neither authentication nor privacy; the second validates the user by authentication (an HMAC over the message, which also gives integrity) but still sends the PDU in the clear; the latter provides authentication (who are you), integrity of the message, and privacy (encryption of the PDU carrying the OIDs and values).

Here’s example data seen in the wild with noAuthNoPriv:

1.712879 172.23.44.77 -> 11.11.11.131 SNMP getBulkRequest IF-MIB::ifIndex IF-MIB::ifSpeed IF-MIB::ifHighSpeed IF-MIB::ifDescr IF-MIB::ifOperStatus IF-MIB::ifAlias IF-MIB::ifName


The request in this case is a GetBulkRequest, and the OIDs being queried are in the clear. Anybody in the path who intercepts this request or its response can read what the network manager asked for and what the agent answered.

Here’s the same thing, but now encrypted:


1.712879 172.23.44.77 -> 11.11.11.131 SNMP encryptedPDU: privKey Unknown

The PDU (the OIDs and their values) is now encrypted and, with the HMAC, protected from a man-in-the-middle (MITM) or any external eyes reading or silently altering it. In the above examples both the requests and the responses would be encrypted. One caveat: even at authPriv the SNMPv3 header travels in the clear, so an observer still sees the message version, the msgFlags, the authoritative engine ID and the SNMPv3 user name; they learn which user is talking to which agent, just not what was asked or answered.
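What an on-path observer actually sees at each of the three levels, as an added example that is not from the original post: a short Python program that encodes a GetBulkRequest for ifDescr (the OID family queried above) into the SNMPv3 message wrapper and then walks it the way a sniffer would. The engine ID, user name, request IDs and the "ciphertext" in the authPriv sample are constructed values; real privacy output comes from DES or AES and is not reproduced here.

```python
"""Added example, not code from the original post: a minimal BER walker that
reads the SNMPv3 message wrapper the way a passive sniffer would, so the three
security levels can be compared byte for byte. The sample messages are built
here with a tiny encoder (constructed data, not captured traffic); the
'ciphertext' in the authPriv sample is a stand-in for real DES/AES output."""

AUTH_FLAG, PRIV_FLAG, REPORTABLE_FLAG = 0x01, 0x02, 0x04   # msgFlags bits
USM_SECURITY_MODEL = 3
IF_DESCR = bytes.fromhex("2b0601020102020102")           # OID 1.3.6.1.2.1.2.2.1.2
ENGINE_ID = bytes.fromhex("80000009030000aabbccdd")       # constructed, not a real box


# --- just enough BER to build the samples ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def integer(v):      # non-negative INTEGER in minimal two's complement
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def octets(b):
    return tlv(0x04, b)

def sequence(*parts):
    return tlv(0x30, b"".join(parts))


def get_bulk_scoped_pdu():
    """ScopedPDU ::= SEQUENCE { contextEngineID, contextName, GetBulkRequest-PDU [5] }."""
    varbinds = sequence(sequence(tlv(0x06, IF_DESCR), b"\x05\x00"))     # ifDescr, NULL
    pdu = tlv(0xA5, integer(42) + integer(0) + integer(10) + varbinds)  # id, non-rep, max-rep
    return sequence(octets(ENGINE_ID), octets(b""), pdu)

def build_v3_message(flags, user, scoped_pdu):
    """SNMPv3Message ::= SEQUENCE { msgVersion, msgGlobalData, msgSecurityParameters, msgData }."""
    global_data = sequence(integer(0x1234), integer(65507), octets(bytes([flags])),
                           integer(USM_SECURITY_MODEL))
    usm = sequence(octets(ENGINE_ID), integer(1), integer(3600), octets(user),
                   octets(b"\x00" * 12 if flags & AUTH_FLAG else b""),   # HMAC slot
                   octets(b"\x00" * 8 if flags & PRIV_FLAG else b""))    # salt/IV slot
    # msgData is a CHOICE: plaintext ScopedPDU (SEQUENCE) or encryptedPDU (OCTET STRING)
    msg_data = octets(b"\xde\xad" * 16) if flags & PRIV_FLAG else scoped_pdu
    return sequence(integer(3), global_data, octets(usm), msg_data)


# --- what a sniffer can decode ---
def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        out.append((tag, value))
    return out

def oid_to_str(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

LEVELS = {0: "noAuthNoPriv", AUTH_FLAG: "authNoPriv", AUTH_FLAG | PRIV_FLAG: "authPriv"}

def observe(msg):
    """Everything an on-path observer can read from one SNMPv3 message."""
    _, body, _ = parse_tlv(msg)
    (_, version), (_, gdata), (_, secparams), (data_tag, data) = children(body)
    flags = children(gdata)[2][1][0]
    usm = children(parse_tlv(secparams)[1])          # UsmSecurityParameters SEQUENCE
    seen = {"version": int.from_bytes(version, "big"),
            "level": LEVELS.get(flags & (AUTH_FLAG | PRIV_FLAG), "invalid"),
            "engine_id": usm[0][1].hex(), "user": usm[3][1].decode(),
            "encrypted": data_tag == 0x04, "oids": []}
    if not seen["encrypted"]:                         # PDU is readable: pull the OIDs
        pdu_body = children(data)[2][1]
        for _, vb in children(children(pdu_body)[3][1]):
            seen["oids"].append(oid_to_str(children(vb)[0][1]))
    return seen

def samples():
    scoped = get_bulk_scoped_pdu()
    return {"noAuthNoPriv": build_v3_message(REPORTABLE_FLAG, b"nms", scoped),
            "authNoPriv": build_v3_message(REPORTABLE_FLAG | AUTH_FLAG, b"nms", scoped),
            "authPriv": build_v3_message(REPORTABLE_FLAG | AUTH_FLAG | PRIV_FLAG, b"nms", scoped)}

if __name__ == "__main__":
    for name, msg in samples().items():
        print(name, observe(msg))
```

Run it and the authPriv entry reports encrypted=True with an empty OID list, while the noAuthNoPriv and authNoPriv entries list 1.3.6.1.2.1.2.2.1.2; the user and engine_id fields are filled in for all three, which is the header tshark still decodes next to its "encryptedPDU" line.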

Okay, so why would I choose one over the other? Well, that all depends on your SNMP manager's and agents' capabilities. The security level authPriv provides the greatest protection from various threats, including but not limited to data harvesting, spoofed or modified requests, and the leaking of sensitive information. Note that no SNMPv3 security level protects an agent from denial of service: an attacker can still flood it with bogus packets it has to parse and reject.

Your company should have a security policy in place to analyze the risks of SNMP traffic, both internal and external to your network. My thoughts on the matter have been to always deploy SNMPv3 both internally and externally to the network, but that has not always been doable.

Example: most Nagios plugins are badly written for SNMPv3 and need to be rebuilt.


If the above is not immediately doable and you must query devices remotely, you can rely on network-layer encryption via IPsec. This protects against a MITM on the tunnel path, but I must warn you that the traffic is still exposed, and still vulnerable to compromise, on the segments before and after the IPsec tunnel, where it travels pre- or post-encryption. If you can't 100% validate that those segments are secured, you might want to take a hard stance and mandate SNMPv3-compliant network managers and agents, or terminate the IPsec tunnels on the devices that operate as SNMP manager and agents themselves.

Second, I would not rely on just SNMPv1/v2c with RW communities and ACLs. SNMP runs over UDP, so these packets can be spoofed: an attacker who knows the community can forge the source address the ACL trusts and send their own GET/SET requests, or inject responses to the manager.

Bottom line: if you are in a sector that demands the highest level of security for your management traffic, SNMPv3 is a must.

Now, when we deploy SNMPv3, a few items about Cisco:

Not all Cisco platforms support all encryption options. Yes, DES, 3DES and even AES are not always supported. Where you have the choice, prefer SHA for authentication and AES for privacy: des56 is a 56-bit key and MD5 is the weaker hash, so the des56-only configuration below is what you settle for, not what you want.

Here's a sample of various devices with their SNMPv3 configurations:

(Cisco 760000, des56 only)

! group "drsv" at security level priv, read-only through view "drsvread"
! (the view name on the group line must match the view defined below)
snmp-server group drsv v3 priv read drsvread
! "iso included" already covers the whole tree, so the next three lines are
! redundant but harmless; add "... excluded" lines to carve out sensitive subtrees
snmp-server view drsvread iso included
snmp-server view drsvread mib-2 included
snmp-server view drsvread system included
snmp-server view drsvread cisco included
snmp-server location NAPMIA.34AC1_11
snmp-server contact xxxx@hyperfeed.com
! user "kfelix" in group "drsv": MD5 auth and 56-bit DES privacy, all this platform offers
! (the "sed..." strings are placeholder passphrases)
snmp-server user kfelix drsv v3 auth md5 sedddddddd priv des56 seddddddddddd



( Fortigate 3800 )

config system snmp user
    edit "nms"
        set security-level auth-priv
        set auth-pwd ENC bml0eRNv/GC4Z/gohnk2CtHn82+qdPCudgyRs3JUKGa0aAADtcU374bFVCDcthiL6ei50JhXIE8xdWJnllCXJnc1ZCBHUZ1gxFg96X2/5sJRLQc/
        set priv-pwd ENC bml0eRNv/GC4Z/goAaqdFIIERklHDjSBe+/lfitWy2Sk9YehrJILBSaNibWIxGolx4XMjlSC7NxqW/6hbx+SEWvcHf6KOHEsxBM+QxxNnb64PuSR
    next

    edit "nmsmgr"
        set security-level auth-no-priv
        set auth-proto md5
        set auth-pwd ENC bml0efK1pWEonL7waf7UNccVmJkkfWnjOpE6S1bY/JtqzB7qcfbGzG/k5KU63Zt4rAyYqb2fCFH9AiRsPMWaL52Aah7j5KtmehgniCJ+J6R1Xa3d
    next
end

(Nexus)
mia_drscr01# sh snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User                          Auth  Priv(enforce) Groups                       
____                          ____  _____________ ______                       
nms                           sha   aes-128(no)   network-operator             

adminnet                         sha   des(no)       network-admin                

opsview                       sha   aes-128(no)   network-operator             

______________________________________________________________
 NOTIFICATION TARGET USERS (configured  for sending V3 Inform)
______________________________________________________________

User                          Auth  Priv 


mia_drscr01# sh run | i snmp
logging level snmpd 0
snmp-server user nms network-operator auth sha 0xe31234a06ae8c98664099643e2af8691902d6a007f priv aes-128 0xf50691b2d701460ab236c912feaf486bcd2f224c localizedkey
 
snmp-server user adminnet network-admin auth sha 0xe323a06ae8c98664099643e2af8691902d6a007f priv 0xe323a06ae8c98664099643e2af8691902d6a007f localizedkey
 
snmp-server user opsview network-operator auth sha 0xd0ce4972bf941c2bbb8d2cacbb813e3df14f8a90 priv aes-128 0x960230beaebb516cb7ecdb3abca22137ac1ae0d86 localizedkey
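Why the Nexus keeps "localizedkey" hex strings rather than passphrases, and why those hex strings are not portable passwords, as an added example that is not from the original post: the RFC 3414 USM key derivation in Python. password_to_key hashes the passphrase repeated out to one megabyte (Ku) and localize_key binds it to the agent's snmpEngineID (Kul); Kul is what the agent stores and what the hex in the running-config represents. The "maplesyrup" vectors come from RFC 3414 appendix A.3; OTHER_ENGINE_ID is a constructed value, not a real device.

```python
"""Added example, not code from the original post: the RFC 3414 USM key
derivation, which is what the 'localizedkey' hex strings in the Nexus config
above represent. The agent never stores the passphrase: it keeps
Kul = H(Ku || snmpEngineID || Ku), bound to its own engine ID.
The "maplesyrup" vectors are RFC 3414 appendix A.3; OTHER_ENGINE_ID is
a constructed value, not a real device."""
import hashlib

ONE_MEGABYTE = 1048576
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # from RFC 3414 A.3
OTHER_ENGINE_ID = bytes.fromhex("80000009030000aabbccdd")       # constructed

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2.1/A.2.2: Ku = H(passphrase repeated out to 1,048,576 octets).
    The repetition exists to slow down dictionary attacks on captured keys."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): same passphrase, different agent -> different key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_localized_key(passphrase: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """The value a 'localizedkey' line carries for this user on this engine."""
    return localize_key(password_to_key(passphrase.encode(), algo), engine_id, algo)

def priv_key_bytes(localized_priv_key: bytes, priv_proto: str) -> bytes:
    """Only a prefix of the localized privacy key is the cipher key:
    DES uses 8 octets (octets 9-16 are the pre-IV, RFC 3414 8.1.1.1),
    AES-128 uses 16 octets (RFC 3826 3.1.2.1). A 20-octet SHA key is truncated."""
    if priv_proto == "des":
        return localized_priv_key[:8]
    if priv_proto == "aes-128":
        return localized_priv_key[:16]
    raise ValueError(f"unsupported priv protocol: {priv_proto}")

def demo(passphrase: str = "maplesyrup") -> dict:
    """Derive the keys for one passphrase on two engines; the hex differs per engine."""
    md5 = usm_localized_key(passphrase, RFC3414_ENGINE_ID, "md5")
    sha = usm_localized_key(passphrase, RFC3414_ENGINE_ID, "sha1")
    other = usm_localized_key(passphrase, OTHER_ENGINE_ID, "sha1")
    return {"md5_kul": md5.hex(), "sha_kul": sha.hex(), "sha_kul_other_engine": other.hex(),
            "des_key": priv_key_bytes(md5, "des").hex(),
            "aes128_key": priv_key_bytes(sha, "aes-128").hex()}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

A localized key lifted from one device's running-config therefore only works against that engine ID (or an attacker impersonating it); it does not yield the passphrase and does not work against the other switches. Two things the Nexus output above also shows: the Priv(enforce) column reads (no) for every user, so the privacy protocol is configured but not mandatory and a manager may still bind at authNoPriv (NX-OS has an enforcePriv keyword on the snmp-server user command to close that), and adminnet's priv key is identical to its auth key, which is what you get when the same passphrase is used for both, so one exposed key covers both functions.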


I hope you found this post interesting. I will discuss more about snmp tools such as 

  • snmpset
  • snmpget
  • snmpwalk

later on down the line.


Freelance  Network and Security 
Kfelix " a t " hyperfeed.com
