SNMPv3 lets us generate traps and secure them between the agent and the manager. To do this we need to take a few steps in our configuration.
1st we need to enable traps:
config t
snmp-server enable traps
end
Next we need to define an SNMPv3 group and a user. Here we define a group named mygroup and a user named myuser, using MD5 for authentication and single DES (des56) for encryption.
config t
snmp-server group mygroup v3 auth
snmp-server user myuser mygroup v3 auth md5 Ims0s3cur3d priv des56 hAckm3123Wed
end
The next few steps are crucial. We have to have a unique snmpEngineID, but we don't have to configure one: by default the snmpEngineID is predefined on every Cisco router/switch.
The default ID is derived from the bia (burned-in address, a.k.a. MAC address) of the 1st physical interface.
Here's a Cisco 2800:
rt1.mdc11#show int gi 0/0 | incl bia
Hardware is MV96340 Ethernet, address is 0015.fad8.2211 (bia 0015.fad8.2211)
and check out our SNMP engine ID:
rt1.mdc11#show snmp engineID
Local SNMP engineID: 8000000903000015FAD82211 <------ here
Remote Engine ID IP-addr Port
Notice how our bia is used to compute the engine ID? It's done by default and you have to do nothing. Arguments have been made for crafting the ID by hand so that it is unique for each device in your network. A few valid reasons exist for this:
- If you change hardware (i.e. an RMA) or the configuration is moved to a new device, the SNMP engine ID will change.
- Also, the SNMPv3 user password is hashed against this ID. So if you change it mid-stream, it would break the SNMPv3 user.
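To make the two points above concrete, here is an added example (not code from the original post) that builds the Cisco-style default engineID from the interface MAC shown above and then performs the RFC 3414 key localization that ties the user's password to that engineID. The engineID layout (80 00 00 09 03 00 followed by the 6-byte MAC) is taken from the show output above; the password and engineIDs are the ones used on this page, and the RFC 3414 Appendix A "maplesyrup" vector is used as a known-answer check.

```python
"""Added example: Cisco default engineID from a MAC, and RFC 3414 key
localization showing why the SNMPv3 user keys depend on the engineID."""
import hashlib

# Prefix observed in the 'show snmp engineID' output above:
# 0x80 (RFC 3411 format flag) | enterprise 9 (Cisco) | 03 (MAC) | 00 pad
CISCO_ENGINE_ID_PREFIX = "800000090300"


def cisco_engine_id_from_mac(mac: str) -> str:
    """Return the 24-hex-digit local engineID for a MAC like '0015.fad8.2211'."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return CISCO_ENGINE_ID_PREFIX + digits


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes (Ku)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id_hex: str, algo: str = "md5") -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Because the engineID is mixed in, the same password yields a different
    localized key on every engine; change the engineID and the stored key
    no longer matches what the collector derives for this user."""
    return hashlib.new(algo, ku + bytes.fromhex(engine_id_hex) + ku).digest()


def localized_auth_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for the given engineID."""
    return localize_key(password_to_key(password, algo), engine_id_hex, algo)


if __name__ == "__main__":
    eid = cisco_engine_id_from_mac("0015.fad8.2211")          # bia from the show output
    print("default engineID:", eid)
    before = localized_auth_key("Ims0s3cur3d", eid)           # key as stored today
    after = localized_auth_key("Ims0s3cur3d", "8000000903000000000001")  # after an engineID change
    print("same password, different engineID ->", before.hex(), after.hex())
    print("keys differ:", before != after)
```

Running it prints the engineID that matches the show output and two different MD5 localized keys for the same password, which is exactly why a mid-stream engineID change (RMA, config moved to new hardware, or a manual edit) breaks an existing SNMPv3 user.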
Now moving on, you need to craft a remote SNMP engine ID for the remote collector:
snmp-server engineID remote 192.0.2.1 8000000903000000000001
Once again this ID is unique and should be the SNMP trap collector's.
Now that we have all of the ingredients, we can complete the config by mapping the SNMPv3 user to the snmp-server host that is to receive the traps.
Here's the final configuration for our user to send traps to the host 192.0.2.1; the user is "myuser", and we are using version 3, e.g.:
snmp-server host 192.0.2.1 informs version 3 auth myuser
So in this example the router/switch would send SNMPv3 traps with authentication only and no encryption, and the SNMP collector would authenticate the sender's traps.
The following dumps show some unencrypted traps being sent to a collector from the above host:
Here's some other important information that pertains to Cisco and SNMPv3 users.
The SNMPv3 user information is NOT maintained in the running-config. If you "dir" the nvram filesystem, you will see that it maintains the list of SNMPv3 user names/password hashes, along with any SSH public/private keys. If you run "show run", you will not find any user information for SNMPv3.
NOTE: The file private-config contains the SNMPv3 user information and it is NOT readable or writable by anyone.
So SNMPv3 traps are easy to configure, though they require a few more steps. It's simple; just remember: "you have the means to use auth or authPriv between the SNMP agent and collector".
Ken Felix
Freelance Network/Security Engineer
^ ^
=( * * )=
o
/ \
Comment:
SNMP V3's focus was to enhance this security flaw. SNMP V3 adds authentication and privacy choices to secure its communication between SNMP servers and SNMP agents.
Thanks
Silvester Norman