SNMPv3, SSH & Cisco - PowerPoint PPT Presentation


    Presentation Transcript
    1. SNMPv3, SSH & Cisco. Matthew G. Marsh, Chief Scientist of the NEbraskaCERT

    2. Scope
    • Quick Overview
    • Important Points
    • Security Models
    • Authentication
    • Privacy
    • General Usage
    • Supported Platforms
    • IOS Configuration
    • CatOS Configuration
    • Usage Example
    • C Words

    3. Overview of SNMPv3
    SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.
    • RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
    • RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
    • RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
    • RFC 2573: SNMP Applications, Draft Standard, April 1999
    • RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999
    • RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
    • RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
    These documents reuse definitions from the following SNMPv2 specifications:
    • RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
    • RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
    • RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
    Note: RFC 2570-2575 were later obsoleted by RFC 3410-3415 (STD 62, December 2002) and RFC 2576 by RFC 3584; the USM and VACM mechanisms described on the following slides are unchanged in the newer documents.

    4. SNMPv3 Important Points
    • Authentication
      • HMAC-MD5-96 or HMAC-SHA-96, keyed from a per-user authentication passphrase (the passphrase itself is never sent; the key derived from it is localized to each agent's engine ID)
      • Passphrase must be at least 8 characters, spaces included
    • Privacy
      • Packet data may now be encrypted with CBC-DES (the framework allows other ciphers to be added later)
      • Privacy passphrase defaults to the authentication passphrase
      • A unique privacy passphrase is allowed, and preferable
    • SNMPv3 provides for both security models and security levels
      • A security model is an authentication strategy set up for a user and the user's group
      • A security level is the permitted security within the security model
      • Three security models are available (in Cisco's terminology): SNMPv1, SNMPv2c, and SNMPv3

    5. SNMPv3 Security Models

    6. Authentication (who may touch which objects)
    • User: defines the unit of access
    • Group: defines the class of users to which a scope of access applies
    • View: defines a set of resources (subtrees) within the MIB structure
    • Operation: defines the actions that may be performed
      • READ
      • WRITE
      • NOTIFY (read, write and notify are the three view types VACM, RFC 2575, attaches to a group)
    • Operations are applied to Views
    • Users are assigned to Groups
    • Groups are assigned Views
    What this slide describes is what RFC 2575 calls access control (VACM); authentication of the message itself is the USM HMAC of slide 4, and the two are checked in that order: an unauthenticated packet never reaches the view lookup.
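    The user / group / view / operation chain on this slide is the VACM isAccessAllowed lookup of RFC 2575 (now RFC 3415). The following Python is an added example, not code from the presentation or from Cisco: it models the three VACM tables in memory and applies the RFC's longest-matching-subtree rule, including the vacmViewTreeFamilyMask wildcarding that IOS and CatOS expose on their view commands. The table contents are constructed, borrowing the mygroup / myuser / defaultAdminView names from the configuration slides; a single default context is assumed, so the context table is omitted.

```python
"""Toy VACM (RFC 3415) isAccessAllowed: user -> group -> access entry -> view -> OID.
Added example; table contents are constructed, not taken from any real device."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OID = Tuple[int, ...]
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


@dataclass
class ViewFamily:
    subtree: OID
    mask: bytes        # vacmViewTreeFamilyMask; bits past its length count as 1 (must match)
    included: bool     # vacmViewTreeFamilyType: included (True) or excluded (False)


def _mask_bit(mask: bytes, i: int) -> bool:
    if i >= len(mask) * 8:
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))


def _family_matches(fam: ViewFamily, oid: OID) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    return all(not _mask_bit(fam.mask, i) or oid[i] == fam.subtree[i]
               for i in range(len(fam.subtree)))


def in_view(families: List[ViewFamily], oid: OID) -> bool:
    """RFC 3415 3.5: among matching entries, the one with the longest subtree
    (then lexicographically greatest) decides whether the OID is in the view."""
    hits = [f for f in families if _family_matches(f, oid)]
    if not hits:
        return False
    best = max(hits, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


# Constructed tables (assumed names from the IOS/CatOS slides, single default context).
SEC_TO_GROUP: Dict[Tuple[str, str], str] = {("usm", "myuser"): "mygroup"}
# (group, securityModel, minimum securityLevel) -> read/write/notify view names
ACCESS: Dict[Tuple[str, str, str], Dict[str, str]] = {
    ("mygroup", "usm", "authPriv"): {"read": "defaultAdminView",
                                     "write": "defaultAdminView", "notify": ""},
}
VIEWS: Dict[str, List[ViewFamily]] = {
    "defaultAdminView": [
        ViewFamily(parse_oid("1.3.6.1"), b"", True),           # internet
        ViewFamily(parse_oid("1.3.6.1.6.3.15"), b"", False),   # usmMIB: hide the user table
        ViewFamily(parse_oid("1.3.6.1.6.3.16"), b"", False),   # vacmMIB: hide the ACL tables
    ],
    # ifEntry columns for ifIndex 2 only: mask bit 9 (the column id) is wildcarded
    "ifIndex2Only": [ViewFamily(parse_oid("1.3.6.1.2.1.2.2.1.0.2"), b"\xff\xbf", True)],
}


def is_access_allowed(sec_model: str, sec_name: str, sec_level: str,
                      view_type: str, oid: OID) -> str:
    """Return the RFC 3415 status for one request: user -> group -> access row -> view."""
    group = SEC_TO_GROUP.get((sec_model, sec_name))
    if group is None:
        return "noGroupName"
    rows = [(LEVELS[lvl], row) for (g, m, lvl), row in ACCESS.items()
            if g == group and m == sec_model and LEVELS[lvl] <= LEVELS[sec_level]]
    if not rows:
        return "noAccessEntry"        # e.g. an authNoPriv request against a 'v3 priv' group
    row = max(rows, key=lambda r: r[0])[1]   # most specific usable entry
    view_name = row[view_type]
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(VIEWS[view_name], oid) else "notInView"


if __name__ == "__main__":
    sys_descr = parse_oid("1.3.6.1.2.1.1.1.0")
    usm_user_row = parse_oid("1.3.6.1.6.3.15.1.2.2.1.3")
    for level in ("authPriv", "authNoPriv"):
        print(level, "read sysDescr:", is_access_allowed("usm", "myuser", level, "read", sys_descr))
    print("authPriv read usmUserTable:", is_access_allowed("usm", "myuser", "authPriv", "read", usm_user_row))
```

    The excluded entries show why a single "admin" view is not enough on its own: without them an authPriv user with read access to the internet subtree can walk usmUserTable and vacmAccessTable and enumerate every other SNMP principal on the box. The authNoPriv case returning noAccessEntry is the effect of the `v3 priv` keyword on the IOS group line.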

    7. Privacy
    • SNMP v1 and v2c transported data in clear text
    • v3 allows the data payload (the scoped PDU) to be encrypted
    • Currently the specification only allows for CBC-DES
      • May be overridden for custom applications
      • The specification allows multiple encryption mechanisms to be defined (AES-128 was later standardised in RFC 3826 and is preferable to DES wherever the agent supports it)
    • Passphrase defaults to using the authentication passphrase
    • Passphrase may be completely separate and unique
    • Privacy must be specified in conjunction with authentication
      • Allowed levels: noAuthNoPriv, authNoPriv, authPriv (there is no noAuthPriv)
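    Slides 4 and 7 both rest on how USM turns a passphrase into keys: the passphrase is stretched and hashed to Ku, then localized to the agent's engine ID to give Kul, and Kul is what keys the HMAC-96 authentication tag and (its first eight octets) the DES privacy key. The Python below is an added example, not the presentation's or Cisco's code; it implements RFC 3414 Appendix A directly with hashlib and hmac and checks itself against the RFC's own maplesyrup test vector. The sample message fed to the HMAC is a constructed byte string, not a real SNMP packet.

```python
"""USM key derivation (RFC 3414 Appendix A) and the HMAC-96 authentication parameter.
Added example; test vector (password 'maplesyrup', engineID 00..02) is from RFC 3414 A.3."""
import hashlib
import hmac
from typing import Tuple

MEGABYTE = 1_048_576
DIGESTS = {"md5": "md5", "sha": "sha1"}   # 'sha' on the slides / in IOS means HMAC-SHA-96 (SHA-1)


def password_to_key(password: bytes, digest: str) -> bytes:
    """RFC 3414 A.2: repeat the password cyclically to 1,048,576 octets and hash it -> Ku."""
    if len(password) < 8:
        # Slide 4's rule; RFC 3414 asks for at least 8 characters and IOS enforces it.
        raise ValueError("USM passphrases must be at least 8 characters")
    buf = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(DIGESTS[digest], buf).digest()


def localize_key(ku: bytes, engine_id: bytes, digest: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one passphrase, a different key on every agent,
    so a key lifted from one box does not authenticate to another."""
    return hashlib.new(DIGESTS[digest], ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, digest: str = "md5") -> Tuple[bytes, bytes]:
    ku = password_to_key(password.encode(), digest)
    return ku, localize_key(ku, engine_id, digest)


def auth_params(kul: bytes, digest: str, wire_msg: bytes) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the whole message
    (the sender zero-fills msgAuthenticationParameters before hashing)."""
    return hmac.new(kul, wire_msg, DIGESTS[digest]).digest()[:12]


def verify(kul: bytes, digest: str, wire_msg: bytes, received: bytes) -> bool:
    """Constant-time comparison; a wrong or non-localized key fails here."""
    return hmac.compare_digest(auth_params(kul, digest, wire_msg), received)


def des_key_and_preiv(priv_kul: bytes) -> Tuple[bytes, bytes]:
    """RFC 3414 8.1.1.1: CBC-DES takes the first 8 octets of the 16-octet localized privacy
    key; the last 8 are the pre-IV that gets XORed with the per-message salt. When the
    privacy passphrase defaults to the auth passphrase (slides 4 and 7) this is simply the
    first half of the same Kul that keys the HMAC."""
    return priv_kul[:8], priv_kul[8:16]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")       # RFC 3414 A.3 engine ID
    for digest in ("md5", "sha"):
        ku, kul = usm_keys("maplesyrup", engine, digest)
        print(digest, "Ku =", ku.hex(), "Kul =", kul.hex())
    msg = b"\x30\x2a\x02\x01\x03constructed-not-a-real-snmp-message"   # constructed sample
    _, kul = usm_keys("maplesyrup", engine, "md5")
    tag = auth_params(kul, "md5", msg)
    print("tag:", tag.hex(), "verifies:", verify(kul, "md5", msg, tag))
    _, other = usm_keys("maplesyrup", b"\x00" * 11 + b"\x03", "md5")   # same passphrase, other agent
    print("other engine's key verifies:", verify(other, "md5", msg, tag))
```

    The last two lines are the practical content of "Passphrase defaults to authentication passphrase": reuse is safe only because localization ties the key to the engine, and a privacy passphrase equal to the auth passphrase still means one derived secret protects both integrity and confidentiality, which is why slide 8 asks for different ones.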

    8. General Usage Notes
    • Use multiple Users
      • One for each action (get, set, trap)
      • Different authentication passphrases for each
    • Always use Privacy (authPriv)
      • Make sure the privacy passphrases differ from the authentication passphrases
    • Always set up your initial security in a secure environment (console, or an isolated management network) before exposing the system to the elements
    • SUMMARY: SNMP is a message-passing protocol; whatever is not authenticated and encrypted on the wire is readable and forgeable by anyone on the path.
    • Always use SSH to connect to your Cisco devices
      • Requires the crypto (encryption) IOS and CatOS images
      • Well worth the investment

    9. Supported Platforms
    • Cisco IOS 12.0(3)T and higher
      • Use the "Strong Encryption" image if possible
      • If not, you can usually still get an image that supports Auth (authNoPriv)
      • SSH users are local accounts on the device, unique to it, and land at enable mode
    • Cisco CatOS 6.3(1) and higher
      • Requires the image that supports "Secure Shell"
      • Usually denoted by a "k" in the image name, e.g. cat4000-k9.6-1-2.bin
      • If not a Secure Shell image, you can still use v3 but only with noAuthNoPriv
      • SSH users all use the same dual passwords (exec/enable)
    • Almost all Cisco hardware is supported
      • Except xDSL and other SOHO-type network devices

    10. IOS Configuration
    • First set up SSH access
        aaa new-model
        username {user} password {pw}
        ip domain-name {groovie.org}
        crypto key generate rsa
        ip ssh time-out 60
        ip ssh authentication-retries 2
        line vty 0 4
         transport input ssh
    • Now set up SNMPv3
        snmp-server group {mygroup} v3 priv
        snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
    • And away you go
    Checks before relying on this: a hostname and the ip domain-name must be set before crypto key generate rsa will run, and aaa new-model with no further aaa lines makes the vty lines authenticate against that local username entry, so create the user first. Prefer "username ... secret" over "password" where the image supports it (the password form is stored reversibly). The group line above carries no read/write view and no access-list, so it grants the platform's default view to any host that knows the credentials; add view names and an access-list argument to the snmp-server group line to narrow it. Finally, check for vty lines beyond 0 4 on the platform: transport input ssh only applies to the range you name.

    11. CatOS Configuration
    • First set up SSH access
        set crypto key rsa 1024
        set ip permit enable ssh
    • Clear all Telnet and replace with SSH
        clear ip permit {10.1.1.1} telnet
        set ip permit {10.1.1.1} ssh
        set snmp trap enable ippermit
    • Now set up SNMPv3
        set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
        set snmp group {mygroup} user {myuser} security-model v3
        set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
    • And away you go
    Do the telnet-to-ssh permit swap from the console, or add the ssh permit entry before clearing the telnet one; otherwise the session you are typing into is the one that gets cut off. The ippermit trap reports denied connection attempts, which is worth collecting. The access entry grants the same defaultAdminView for read and write; following slide 8 (one user per action), give the polling user a read-only entry and reserve a write view for a separate user.

    12. Comments, Critiques, CIA • These are words that begin with a 'c'

    13. SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT