
SNMPv3, SSH & Cisco



Presentation Transcript


  1. SNMPv3, SSH & Cisco
  Matthew G. Marsh, Chief Scientist of the NEbraskaCERT

  2. Scope
  • Quick Overview
  • Important Points
  • Security Models
  • Authentication
  • Privacy
  • General Usage
  • Supported Platforms
  • IOS Configuration
  • CatOS Configuration
  • Usage Example
  • C Words

  3. Overview of SNMPv3
  SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.
  • RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
  • RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
  • RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
  • RFC 2573: SNMP Applications, Draft Standard, April 1999
  • RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999
  • RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
  • RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
  These documents reuse definitions from the following SNMPv2 specifications:
  • RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
  • RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
  • RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard

  4. SNMPv3 Important Points
  • Authentication
    • MD5 or SHA authentication passphrase hashes
    • Passphrase must be greater than 8 characters including spaces
  • Privacy
    • Packet data may now be DES encrypted (future use allows additional encryptions)
    • Passphrase defaults to the authentication passphrase
    • Allows for a unique Privacy passphrase
  • SNMPv3 provides for both security models and security levels
    • A security model is an authentication strategy set up for a user and the user's group
    • A security level is the permitted level of security within a security model
    • Three security models are available: SNMPv1, SNMPv2c, and SNMPv3

  5. SNMPv3 Security Models

  6. Authentication
  • User
    • Defines the unit of access
  • Group
    • Defines the User's class for application of scope
  • View
    • Defines a set of resources within a MIB structure
  • Operation
    • Defines the actions that may be performed
    • READ
    • WRITE
    • ADMINISTER
  • Operations are applied to Views
  • Users are assigned to Groups
  • Groups are assigned Views

  7. Privacy
  • SNMP v1 and v2c transported data in clear text
  • v3 allows the data payload to be encrypted
    • Currently the specification only allows for DES
    • May be overridden for custom applications
    • Specification allows for multiple encryption mechanisms to be defined
  • Passphrase defaults to using the authentication passphrase
    • Passphrase may be completely separate and unique
  • Privacy must be specified in conjunction with authentication
    • Allowed: NONE, authNoPriv, authPriv
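The passphrase hashing from slide 4 and the privacy key default from slide 7, as an added example that is not part of the presentation: the RFC 2574 password-to-key and key-localization steps in Python (standard hashlib only). The passphrase and engine ID below are the RFC's own Appendix A test vector, constructed here rather than taken from any device.

```python
import hashlib

# Added example (not from the slides): the RFC 2574 password-to-key
# procedure that turns an SNMPv3 USM passphrase into the per-agent key.

ONE_MEGABYTE = 1024 * 1024
DIGESTS = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_ku(password: str, algo: str) -> bytes:
    """Step 1 (RFC 2574 A.2): hash the passphrase repeated out to 1 MB."""
    if algo not in DIGESTS:
        raise ValueError("USM in RFC 2574 defines only md5 and sha")
    if len(password) < 8:
        raise ValueError("USM requires a passphrase of at least 8 characters")
    pw = password.encode()
    reps, tail = divmod(ONE_MEGABYTE, len(pw))
    h = DIGESTS[algo]()
    h.update(pw * reps)  # cyclic copies of the passphrase...
    h.update(pw[:tail])  # ...truncated to exactly 1,048,576 bytes
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return DIGESTS[algo](ku + engine_id + ku).digest()


def password_to_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Localized authentication key for a given agent (what the agent stores)."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def des_privacy_key(password: str, engine_id: bytes, algo: str) -> tuple:
    """Privacy key for CBC-DES (RFC 2574 8.1.1.1): the localized key is cut
    to 16 bytes; the first 8 are the DES key, the last 8 the pre-IV."""
    kul = password_to_key(password, engine_id, algo)[:16]
    return kul[:8], kul[8:]


if __name__ == "__main__":
    # Constructed values: the RFC 2574 Appendix A test vector, not a real device.
    engine = bytes.fromhex("000000000000000000000002")
    for algo in DIGESTS:
        print(algo, password_to_key("maplesyrup", engine, algo).hex())
    # The same passphrase localizes to a different key on another engine,
    # so a key stored on one agent is not directly reusable on its neighbours.
    other = bytes.fromhex("000000000000000000000003")
    assert password_to_key("maplesyrup", engine, "sha") != password_to_key("maplesyrup", other, "sha")
```

Because the privacy key defaults to the authentication passphrase, a separate privacy passphrase (slide 8's advice) is what keeps the two localized keys unrelated.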

  8. General Usage Notes
  • Use multiple Users
    • One for each action (get, set, trap)
    • Different Authentication passphrases
  • Always use Privacy - authPriv
    • Make sure the Privacy passphrases are different from the Users' authentication passphrases
  • Always set up your initial security in a secure environment before exposing the system to the elements.
  • SUMMARY: SNMP is a Message Passing Protocol.
  • Always use SSH to connect to your Cisco devices
    • Requires the encryption IOS and CatOS versions
    • Well worth the investment

  9. Supported Platforms
  • Cisco IOS V12.0(3)T and higher
    • You want to use the "Strong Encryption" version if possible
    • If not, then you can usually still get a version that will support Auth
    • SSH users are unique to the system at enable mode
  • Cisco CatOS 6.3(1) and higher
    • Requires the version that supports "Secure Shell"
    • Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin
    • If not a Secure Shell version, then you can use v3 but only with noAuthNoPriv
    • SSH users all use the same dual passwords (enable/exec)
  • Almost all Cisco hardware is supported
    • Except xDSL and other SOHO type network devices

  10. IOS Configuration
  • First set up SSH access
      aaa new-model
      username {user} password {pw}
      ip domain-name {groovie.org}
      crypto key generate rsa
      ip ssh time-out 60
      ip ssh authentication-retries 2
      line vty 0 4
       transport input ssh
  • Now set up SNMPv3
      snmp-server group {mygroup} v3 priv
      snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
  • And away you go

  11. CatOS Configuration
  • First set up SSH access
      set crypto key rsa 1024
      set ip permit enable ssh
  • Clear all Telnet and replace with ssh
      clear ip permit {10.1.1.1} telnet
      set ip permit {10.1.1.1} ssh
      set snmp trap enable ippermit
  • Now set up SNMPv3
      set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
      set snmp group {mygroup} user {myuser} security-model v3
      set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
  • And away you go

  12. Comments, Critiques, CIA
  • These are words that begin with a 'c'

  13. SNMPv3, SSH & Cisco
  Matthew G. Marsh, Chief Scientist of the NEbraskaCERT
