Snmp

Pages: 25 (6100 words) Published: May 7, 2012
SNMPv3
Feature Summary
Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:

• Message integrity—Ensuring that a packet has not been tampered with in transit.
• Authentication—Determining the message is from a valid source.
• Encryption—Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level will determine which security mechanism is employed when handling an SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Table 1 identifies what the combinations of security models and levels mean:
Table 1 SNMP Security Models and Levels

| Model | Level | Authentication | Encryption | What Happens |
|-------|-------|----------------|------------|--------------|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. |
| v3 | authPriv | MD5 or SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard. |


Note the following about SNMPv3 objects:

• Each user belongs to a group.
• A group defines the access policy for a set of users.
• An access policy is what SNMP objects can be accessed for reading, writing, and creating.
• A group determines the list of notifications its users can receive.
• A group also defines the security model and security level for its users.

Benefits

• Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted.
• Confidential information, for example, SNMP Set command packets that change a router’s configuration, can be encrypted to prevent its contents from being exposed on the network.

List of Terms
authentication—The process of ensuring message integrity and protection against message replays. It includes both data integrity and data origin authentication.

authoritative SNMP engine—One of the SNMP copies involved in network communication designated to be the allowed SNMP engine to protect against message replay, delay, and redirection. The security keys used for authenticating and encrypting SNMPv3 packets are generated as a function of the authoritative SNMP engine’s engine ID and user passwords. When an SNMP message expects a response (for example, get exact, get next, set request), the receiver of these messages is authoritative. When an SNMP message does not expect a response, the sender is authoritative.

community string—A text string used to authenticate messages between a management station and an SNMP v1/v2c engine.

data integrity—A condition or state of data in which a message packet has not been altered or destroyed in an unauthorized manner.

data origin authentication—The ability to verify the identity of a user on whose behalf the message is supposedly sent. This ability protects users against both message capture and replay by a different SNMP engine, and against packets received or sent to a particular user that use an incorrect password or security level.

encryption—A method of hiding data from an unauthorized user by scrambling the contents of an SNMP packet.

group—A set of users belonging to a particular security model. A group defines the access rights for all the users...
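The "authoritative SNMP engine" entry above says the SNMPv3 keys are generated from the authoritative engine's engine ID and the user password. The following is an added example, not part of the original document: it implements the password-to-key and key-localization steps of RFC 3414 (an assumption, since the page does not name the algorithm), and the function names and the second engine ID are constructed for illustration.

```python
import hashlib

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: digest 1,048,576 octets of the repeated password (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1024 * 1024
    # Repeat the password and truncate to exactly 1 MiB before hashing.
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one authoritative engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Password -> Ku -> key localized to the given engine ID."""
    ku = password_to_key(password, hash_name)
    return localize_key(ku, engine_id, hash_name)

if __name__ == "__main__":
    password = b"maplesyrup"  # sample password used in RFC 3414 A.3
    engines = {
        # Engine ID from the RFC 3414 A.3 sample results.
        "rfc3414-test": bytes.fromhex("000000000000000000000002"),
        # Constructed engine ID, for illustration only.
        "constructed": bytes.fromhex("800000090300aabbccddeeff"),
    }
    for hash_name in ("md5", "sha1"):
        for label, engine_id in engines.items():
            key = localized_key(password, engine_id, hash_name)
            print(f"{hash_name:4} {label:12} {key.hex()}")
```

The same password produces a different key for each engine ID, so a key recovered from one device cannot be used against another device that shares the user's password.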