Friday, September 6, 2013

SNMPv3 security (user +views ) IOS-XR

Securing  SNMP within  IOS-XR

In order to secure  IOS  routers with  SNMP, it’s best &  common practices to use version 3,  vrs using  version 1 or 2c, when transported over unsecured channels.

If this is not practical or reasonable, than encapsulating the traffic in a IPSEC tunnel will suffice. 

Regardless, deploying ACLs will provide some type of layer 3 filtering & provide controls. In my past experiences, SNMP is one security avenue that's most commonly overlooked.

In this example I will post a simple SNMP_ACL and create a user group and user. This user will have full access.  The user/password will have both read+write and will  restricted by the src/dst address.

1st  here’s my simple ACL;

config t

ipv4 access-list SNMP_ACL-RW
 10  remark  “NMS OBJECTs with full access “
 15 permit ipv4
 20 permit ipv4
 25 permit ipv4


NOTE:  1.1.1{1..3} are my NMS snap servers and is our ASR9K loopback address for this example in this blog


Now for the SNMP v3 group details, we will craft the group and define the access-list.

config t

      snmp-server group NMS01 v3 priv SNMP_ACL-RW



Our snmpv3  user and  credentials

 config t

     snmp-server  user socpuppets  NMS01 v3 auth  md5 Isosecured   priv  3des youcanthackme234dj


And  finally a simple snmpwalk will provide an output similar to below;

Okay, now how about views?

SNMPviews allows you to control what the user can view ( duh ) 

Okay,  so we will need a view installed. You can either include or exclude oids from that view. If you remember the thread on snmpview with juniper SRX, the same exists in the  cisco IOS  and IOS-XR families.


Rest assure, the IOS-XR snmpv3 configuration is much simpler than Junos :)

1st we craft the view;

config t

snmp-server view SYSCONTACTONLY  include


NNOTE: This OID    <> is a common OID for sysContact. You can use a mib tree viewer or snmpwalk with  the "-On" option to get the numerical output for the  OID. This full name for  this OID  =  SNMPv2-MIB::sysContact


I'm going to create a new  group and user and attach this  view to that group.

the group;

config t
     snmp-server group test v3 priv  read SYSCONTACTONLY  SNMP_ACL-RW

the user;

config t
snmp-server user kfelix   test v3 auth md5 kenfelix priv des kenfelix

Now we have even further locked down what a nms agent can display. A snmpwalk of the against our target will display something of the following;

NOTE: In reality, we would probably use 3des or AES at minimum, but for this blog purpose and my limitation with MACOSX 10.6.8, I set these samples using  des. Please  using something other than DES.

I hope this helps you with understanding snmpv3 and views. One issues that I want to point out. SNMP views is NOT restricted to SNMP version 3. All SNMP versions,  supports views.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \

No comments:

Post a Comment