Monday, May 13, 2013

SNMP v3 Concept



SNMPv3 protocol a security model, defining new concepts to replace the old community-based pseudo-authentication and provide communication privacy by means of encryption. The new concepts are: usergroupand security level. A group defines the access policy for a set of users. An access policy defines which SNMP objects can be accessed for reading and writing or which SNMP objects can generate notifications to the members of a group. Policy is defined by associating the respective read, write or notify view with a group. By using a notify view, a group determines the list of notifications its users can receive. A group also defines the security modeland security level for its users.
Essentially, all groups form a table, which maps users to their read/write/notify views and security models. Note that if a group is defined without a read view than all objects are available to read. Contrary to that, if no write or notify view is defined, no write access is granted and no objects can send notifications to members of the group. The notify view is usually not configured manually. Rather, it’s added by the snmp-server host command automatically, when a users in a group is bound to a notification target host. Note that SNMP will use the username configured with snmp-server host along with the security model specified to authenticate and possibly encrypt the notifications. If the security model is set to «noauth» then a plain username is sent in a manner resembling the old community string.
The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security levels exits: “noAuthNoPriv” (no authentiation and no encryption – noauth keyword in CLI), “AuthNoPriv” (messages are authenticated but not encrypted – auth keyword in CLI), “AuthPriv” (messages are authenticated and encrypted – priv keyword in CLI). SNMPv1 and SNMPv2 models only support the “noAuthNoPriv” model since they use plain community string to match the incoming packets. The SNMPv3 implementations could be configured to use either of the models on per-group basis (in case if “noAuthNoPriv” is configured, username serves as a replacement for community string). All users sharing a group utilize the same security model, however, the specific model settings (password, encryption key) are sep per-user. Note that SNMPv3 does not send passwords in clear-text and uses hash-based authentication with either MD5 or SHA1 functions (HMAC authentication – the packet conted is hashed along with authentication key to produce the authentication string). For encryption, statically configured keys are used along with DES56 symmetric cipher (that mean the same key should be configured on NMS for the particular user).
Consider the example below. Three groups are created. Groups «NORMAL» and «RESTRICTED» are used to control remote users access and group «TRAP» is used to send notifications. Note that only read-view is specified for group “RESTRICTED” and it’s limited to IfEntry fields for a fixed interface index. The group «RESTRICTED» has an access-list applied to control the NMS stations the users can access from. Note that the groups have different security levels. Next, three users are created, one for each group respectively, with their authentication and encryption keys. Finally, SNMP link up and down notifications are enabled and SNMP trap destination host is configured. This operation automatically creates and assigns the «notify» view for the respective group (will appear in show commands output below).
!
! Access-List to control users in the RESTRICTED group.
!
access-list 99 permit 155.1.146.0 0.0.0.255

!
! Set ifIndexes persistent, for view definition is based on IfIndexes
!
snmp-server ifindex persist

!
! The first view covers the “ISO” sub-branch and the second one covers
! all “lifEntry” fields for interface with IfIndex 3 (Serial 0/0).
!
snmp-server view NORMAL iso included
snmp-server view RESTRICTED ifEntry.*.3 included

!
! Define three groups. The first one allows to read and write
! into a large portion of the MIB tree. The second one allows reading
! just information specific to Serial 0/0 interface, and limits user
! access based on access-list
!
! The third group is for sending traps. A user belonging to this group
! will be utilized to send trap messages. Its name and password
! will be used to create authentication credentials in a trap message
! and the users privacy password will be used to encrypt the packet.
! Note that this group has NO notify view defined, which is done on
! on purpose. The notify view will be automatically populated when
! notification hosts are configured and bound to users
!

snmp-server group NORMAL v3 priv read NORMAL write NORMAL
snmp-server group RESTRICTED v3 auth read RESTRICTED access 99
snmp-server group TRAP v3 priv

!
! Users, their passwords and encryption keys are defined now
!
snmp-server user NORMAL NORMAL v3 auth sha CISCO priv des56 CISCO
snmp-server user RESTRICTED RESTRICTED v3 auth sha CISCO
snmp-server user TRAP TRAP v3 auth sha CISCO priv des56 CISCO

!
! Allow sending traps and configure a destination host. Note that when
! a host is configured and bound to SNMPv3 username, the corresponding
! group notify view is populated based on traps allowed for this
! particular destination. This is why it’s not required to configure
! the notify view for a group.
!
snmp-server enable traps snmp linkup linkdown
snmp-server host 155.1.146.100 traps version 3 priv TRAP
Perform some basic verifications next using the show commands. Note that SNMPv3 users do not appear in the running configuration for security reason (different management channel) but you can see some information usingshow snmp users command. Also, pay attention to the automatic view assigned to the “TRAP” group.
Rack1R6#show snmp user 

User name: TRAP
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: TRAP

User name: NORMAL
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: NORMAL

User name: RESTRICTED
Engine ID: 80000009030000119221DA80
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: None
Group-name: RESTRICTED

Rack1R6#show snmp group
groupname: ILMI security model:v1
readview : *ilmi writeview: *ilmi
notifyview:
row status: active

groupname: ILMI security model:v2c
readview : *ilmi writeview: *ilmi
notifyview:
row status: active

groupname: TRAP security model:v3 noauth
readview : writeview:
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
row status: active

groupname: TRAP security model:v3 priv
readview : v1default writeview:
notifyview:
row status: active

groupname: NORMAL security model:v3 priv
readview : NORMAL writeview: NORMAL
notifyview:
row status: active

groupname: RESTRICTED security model:v3 auth
readview : RESTRICTED writeview:
notifyview:
row status: active access-list: 99

Rack1R6#show snmp view
*ilmi system - included permanent active
*ilmi atmForumUni - included permanent active
NORMAL iso - included nonvolatile active
v1default iso - included permanent active
v1default internet.6.3.15 - excluded permanent active
v1default internet.6.3.16 - excluded permanent active
v1default internet.6.3.18 - excluded permanent active
v1default ciscoMgmt.394 - excluded permanent active
v1default ciscoMgmt.395 - excluded permanent active
v1default ciscoMgmt.399 - excluded permanent active
v1default ciscoMgmt.400 - excluded permanent active
RESTRICTED ifEntry.0.3 FF:EF included nonvolatile active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F iso.2.840.10036 - included volatile active
*tv.FFFFFFFF.FFFFFFFF.FFFFFFFF0F internet - included volatile active
==========================================================================================


Cisco Router SNMPv3 Configuration Sample & Guide



!!!!SNMP access control to only allow desired hosts!!!!!
ip access-list standard snmp-allow
permit 10.214.102.0 0.0.0.255
permit 172.16.202.0 0.0.0.7
!
!
!!!!!! First you’d need to create a view!!!!!
!A read or write view can be !configured with desired MIB access.  Then, such views are assigned
!to snmpv3 grops. Below is a read only view that start from the
! root, ‘iso’, but excludes snmpUsmMIB, snmpVacmMIB, !snmpCommuityMIB for enhance security.  These MIB are
!explained below.
!
snmp-server view ReadView-All iso included
!!!!!!!Exclusion for better security!!!!!
snmp-server view ReadView-All 1.3.6.1.6.3.18 excluded
snmp-server view ReadView-All 1.3.6.1.6.3.16 excluded
snmp-server view ReadView-All 1.3.6.1.6.3.15 excluded
snmp-server view ReadView-All 1.3.6.1.2.1.4.21 excluded
snmp-server view ReadView-All 1.3.6.1.2.1.4.22 excluded
!
!
!Here’s a write view which can be modified as needed to include or
!exclude MIBs
snmp-server view WriteView-ALL iso included
!!!!!!!!Exclusions for better security!!!!!
snmp-server view WriteView-All 1.3.6.1.6.3.18 excluded
snmp-server view WriteView-All 1.3.6.1.6.3.16 excluded
snmp-server view WriteView-All 1.3.6.1.6.3.15 excluded
snmp-server view WriteView-All 1.3.6.1.2.1.4.21 excluded
snmp-server view WriteView-All 1.3.6.1.2.1.4.22 excluded
!
!
!!! Read/ Write group with ACL restriction
snmp-server group SNMPv3-RW v3 priv read ReadView-ALL write WriteView-ALL  access snmp-allow
!
!
!!!! Read only group with ACL restriction
snmp-server group SNMPv3-RO v3 priv read ReadView-ALL access snmp-allow
!
!
!!!Username is NetServices-RW, group is SNMPv3-RW I used DES for !priv as it’s more widely supported
snmp-server user NetServices-RW  SNMPv3-RW v3 auth sha youpassword priv des yourpassword
!
!
!!!Username is NetServices-RO, group is SNMPv3-RO
snmp-server user NetServices-RO SNMPv3-RO v3 auth sha yourpassword priv des yourpassword
!
!
!!!Monitoriing host that received SNMP traps via the username
!NetService-RO I created above; so it uses NetService-RO for
!auth and priv purposes
snmp-server host 10.10.10.10 trap version 3 priv NetService-RO
!
!
!!!This Enables all traps; you could modify it
snmp-server enable traps



  1. snmpUsmMIB: management information definition for SNMP user-based security model

  2. snmpVacmMIB: management information definition for View-based Access Controll model for SNMP

  3. snmpCommunityMIB: this module defines objects for backward compatibility with v1 and v2c.


No comments: