Contents

• Why SNMPv3?
• SNMPv3 Security
• General Implementation
• SolarWinds Product-Specific Implementation
• SolarWinds SNMPv3 input mapped to IOS

This paper examines the steps required to implement SNMPv3 and how to use SNMPv3 in SolarWinds products.
network management simplified - solarwinds.com
Copyright © 1995-2010 SolarWinds. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its licensors. SolarWinds Orion™, SolarWinds Cirrus™, and SolarWinds Toolset™ are trademarks of SolarWinds, and SolarWinds.net® and the SolarWinds logo are registered trademarks of SolarWinds. All other trademarks contained in this document and in the Software are the property of their respective owners. SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Document Revised: 03/31/2010
SNMP version 1 and version 2 provide a very simple model for device management communications. Unfortunately, they also lack some critical features in the areas of security and flexibility, including the following:

Weak Authentication Security.
• Community strings are transmitted in clear text. A packet capture will expose the read-only and read/write community strings.
• Only two roles are allowed, read-only and read/write.
• Default community strings for read-only (public) and read/write (private) are easily left in place in production networks, allowing access to devices by rogue SNMP managers.
• There is no ability to authenticate the source of an SNMP request.

Weak Privacy.
• Requests and replies are easily decoded, exposing entire SNMP conversations, including aspects of system configurations.

No Access Control Model.
• SNMP v1 and v2 do not define access control mechanisms, so once a manager gains access to a device using v1 or v2, it has unrestricted access to that device.
The three problems with SNMP version 1 and version 2 listed above are addressed in SNMPv3 through the following enhancements:

Authentication Enhancements – User-Based Security Model (USM).
• Individual messages can be authenticated to known SNMP authorities, such as a particular Network Management System (NMS).
• Messages contain multiple timing mechanisms preventing capture and replay. These include:
  • SNMP authority engine uptime: the time since the last reset of the authority's SNMP engine.
  • SNMP authority up time: the uptime of the NMS.
Because this information is passed in encrypted form, a device attempting to mimic the authority has no way of knowing these details. Below is a depiction of SNMPv3 USM.
[Figure: SNMP v3 USM]

Strong Privacy.
• Data encryption options strengthen message privacy.

Access Control – View-Based Access Control (VBAC).
• VBAC allows SNMP agents to be configured to restrict an authority's access in the following ways:
  • Allow access to certain portions of a MIB, or deny access to all of a MIB, on a per-authority basis.
  • Define the rights to the level of...