Securing SNMP within IOS-XR
In order to secure IOS routers that run SNMP, it is best and common practice to use version 3 rather than version 1 or 2c when the traffic is transported over unsecured channels.
If this is not practical or reasonable, then encapsulating the traffic in an IPsec tunnel will suffice.
Regardless, deploying ACLs provides Layer 3 filtering and a further point of control. In my past experience, SNMP is one security avenue that is most commonly overlooked.
In this example I will post a simple SNMP_ACL and create a user group and user. This user will have full access: the user/password pair will have both read and write rights, and access will be restricted by source/destination address.
1st, here's my simple ACL:

config t
ipv4 access-list SNMP_ACL-RW
 10 remark "NMS OBJECTs with full access"
 15 permit ipv4 1.1.1.1/32 2.2.2.2/32
 20 permit ipv4 1.1.1.2/32 2.2.2.2/32
 25 permit ipv4 1.1.1.3/32 2.2.2.2/32
!
commit
Now for the SNMPv3 group details: we will craft the group and bind the access-list to it.

config t
snmp-server group NMS01 v3 priv SNMP_ACL-RW
commit
Finally, our SNMPv3 user and credentials:

config t
snmp-server user socpuppets NMS01 v3 auth md5 Isosecured priv 3des youcanthackme234dj
commit
And finally, a simple snmpwalk will provide output similar to the below:
Okay, now how about views?
SNMP views allow you to control what the user can view (duh).
Okay, so we will need a view installed. You can either include or exclude OIDs from that view. If you remember the thread on SNMP views with the Juniper SRX, the same exists in the Cisco IOS and IOS-XR families.
reference;
1st, we craft the view:

config t
snmp-server view SYSCONTACTONLY 1.3.6.1.2.1.1.5 include
commit
NOTE: This OID <1.3.6.1.2.1.1.5> is a common OID for sysContact. You can use a MIB tree viewer, or snmpwalk with the "-On" option, to get the numerical output for the OID. The full name for this OID = SNMPv2-MIB::sysContact
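To make the include/exclude semantics concrete, here is an added Python example (not part of the original post, and not Cisco code) that filters a constructed snmpwalk-style result set through a view using the longest-matching-subtree rule of RFC 3415 (VACM), the behaviour the Cisco view model is based on; the SYSTEM_GROUP sample data and the second view are assumptions built around the post's SYSCONTACTONLY view.

```python
# Added example (not from the original post): evaluate which OIDs an SNMP view
# exposes, using the longest-matching-subtree rule of RFC 3415 (VACM), the
# behaviour Cisco "snmp-server view ... include|exclude" entries are based on.
from typing import List, Tuple

# A view is a list of (subtree OID, "include" | "exclude") entries.
View = List[Tuple[str, str]]

def _oid_tuple(oid: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in oid.strip(".").split("."))

def oid_visible(view: View, oid: str) -> bool:
    """Return True if 'oid' is inside the view.

    Every entry whose subtree is a prefix of 'oid' matches; the most specific
    (longest) matching subtree decides. An OID matched by no entry is hidden,
    so a view that only lists includes acts as a whitelist.
    """
    target = _oid_tuple(oid)
    best_len, best_type = -1, "exclude"
    for subtree, vtype in view:
        prefix = _oid_tuple(subtree)
        if target[: len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_type = len(prefix), vtype
    return best_type == "include"

def walk_through_view(view: View, instances: dict) -> dict:
    """Filter {oid: value} pairs (a stand-in for snmpwalk output)."""
    return {o: v for o, v in instances.items() if oid_visible(view, o)}

# Constructed sample "walk" of the MIB-2 system group (names per RFC 3418).
SYSTEM_GROUP = {
    ".1.3.6.1.2.1.1.1.0": "sysDescr",
    ".1.3.6.1.2.1.1.4.0": "sysContact",
    ".1.3.6.1.2.1.1.5.0": "sysName",
    ".1.3.6.1.2.1.1.6.0": "sysLocation",
    ".1.3.6.1.2.1.2.2.1.2.1": "ifDescr.1",
}

# The post's SYSCONTACTONLY view: a single include of 1.3.6.1.2.1.1.5.
SYSCONTACTONLY: View = [("1.3.6.1.2.1.1.5", "include")]

# Assumed broader view: the whole system group minus sysLocation.
SYSTEM_NO_LOCATION: View = [
    ("1.3.6.1.2.1.1", "include"),
    ("1.3.6.1.2.1.1.6", "exclude"),
]

if __name__ == "__main__":
    print(sorted(walk_through_view(SYSCONTACTONLY, SYSTEM_GROUP).values()))
```

Running it shows that the single-include view returns only the one instance under 1.3.6.1.2.1.1.5, while the broader view still hides sysLocation because the more specific exclude wins.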
Next, I'm going to create a new group and user and attach this view to that group.

The group:

config t
snmp-server group test v3 priv read SYSCONTACTONLY SNMP_ACL-RW
commit

The user:

config t
snmp-server user kfelix test v3 auth md5 kenfelix priv des kenfelix
commit
Now we have locked down even further what an NMS agent can display. An snmpwalk against our target will display something like the following:
NOTE: In reality, we would probably use 3DES or AES at minimum, but for the purposes of this blog, and because of a limitation of my Mac OS X 10.6.8 client, I set these samples up using DES. Please use something other than DES.
I hope this helps you with understanding SNMPv3 and views. One issue that I want to point out: SNMP views are NOT restricted to SNMP version 3. All SNMP versions support views.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \