SNMPv1 and SNMPv2c protocols security model uses the community-based pseudo-authentication. That means that a password (called a community string) is sent in a clear text between a network management station and managed devices. Both SNMPv1 and v2c are subject to packet sniffing because they do not implement encryption. Security has been the biggest weakness of the SNMP since the beginning. More about SNMPv2c concepts, operation and configuration you can find at “SNMPv2c configuration on Huawei devices“.
What if we want SNMP to be used over a public network?
SNMPv3 can be implemented. It provides important security features, which are not available in both SNMPv1 and v2c:
- Confidentiality – encryption of packets to prevent snooping by an unauthorized source
- Integrity – to ensure that a packet has not been tampered while in transit using optional packet reply protection
- Authentication – to verify that a packet comes from a valid source.
SNMPv3 defines some new concepts: security level, user and group. The following security levels exists:
- Authentication without encryption – authentication keyword in CLI – only the authenticated administrators can access the managed device.
- No authentication and no encryption – noauth keyword in CLI – this security level can be used only in secure networks
- Authentication and encryption – privacy keyword in CLI – only authenticated administrators can access the managed device and transmitted data is encrypted preventing interception or data leaking. This level should be used over the networks vulnerable to attacks.
A group defines the access policy for a user. Access policy defines which SNMP objects can be accessed or which SNMP objects can generate notifications to the members of a group. If the authentication and encryption mode are not specified, a user can only access views in non-authentication and non-encryption mode.
When using SNMPv3, system firstly verifies a user based on the configured authentication and encryption mode. After the user passes the authentication, the system verifies which SNMP views that user can access, based on the group to which the user was assigned.
A group can be configured using command syntax:
snmp-agent group v3 group-name { authentication | noauth | privacy } [ read-view read-view | write-view write-view | notify-view notify-view | acl acl-number ]
An SNMPv3 user can be assigned to the group using the following command syntax:
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } authkey [ privacy-mode { aes128 | des56 } prikey | plain-text ] ] [ acl standard-acl ]
After an SNMPv3 group is configured, the system can effectively control the access rights of all users in the group, using the group settings. User access can be encrypted and authenticated, authenticated but not encrypted, or neither authenticated nor encrypted. If the access level of a user is lower than the security level of the specified group, the access fails. When the group, to which a user belongs, has multiple security levels, the user can select the group with the highest security level, among the groups that can be accessed, and access the view of the group.
Let’s configure SNMPv3 read access for NMS1 IP: 150.100.12.1. In order to do that, NMS1 user will be configured and added to the GROUP1. NMS1 user will use SHA algorithm with AUTHKEY1 key for authentication and AES128 with ENCRYPTKEY1 key for encryption. Access to the group GROUP1 will be allowed for NMS1 only. ACL 2001 will be configured for that restriction.
[LabnarioR1]snmp-agent [LabnarioR1]snmp-agent sys-info version v3 [LabnarioR1]snmp-agent group v3 GROUP1 privacy acl 2001 [LabnarioR1]acl 2001 [LabnarioR1-acl-basic-2001]rule 10 permit source 150.100.12.1 0.0.0.0 [LabnarioR1]snmp-agent usm-user v3 NMS1 GROUP1 authentication-mode sha AUTHKEY1 privacy-mode aes128 ENCRYPTKEY1
As a next step let’s configure trap messages to be sent from our LabnarioR1 router to the NMS1, using traps parameter sending list name NMSTRAPS1:
[LabnarioR1]snmp-agent trap enable [LabnarioR1]snmp-agent target-host trap-hostname NMS1 address 150.100.12.1 trap-paramsname NMS1TRAPS
Traps will be authenticated at the receive end and encrypted at the transmit end (privacy keyword). Transmission protocol will be SNMPv3. Let’s configure traps parameter sending list NMS1TRAPS:
[LabnarioR1]snmp-agent target-host trap-paramsname NMS1TRAPS v3 securityname NMS1 privacy
As a source IP of traps generated, loopback1 address will be used:
[LabnarioR1]snmp-agent trap source LoopBack1
Equipment administrator’s contact information allows the NMS administrator to call equipment administrator in case of a failure:
[LabnarioR1]snmp-agent sys-info contact CALL 0800-123456789
For verification use the commands as below:
[LabnarioR1]dis snmp-agent group GROUP1 Group name: GROUP1 Security model: v3 AuthPriv Readview: ViewDefault Writeview: Notifyview: Storage type: nonVolatile Acl: 2001 [LabnarioR1]dis snmp-agent usm-user User name: NMS1 Engine ID: 800007DB03000000000000 Group name: GROUP1 Authentication mode: sha, Privacy mode: aes128 Storage type: nonVolatile User status: active Acl: 2001 Total number is 1 [LabnarioR1]dis snmp-agent target-host Traphost list: Target host name: NMS1 Traphost address: 150.100.12.1 Traphost portnumber: 162 Target host parameter: NMS1TRAPS Total number is 1 Parameter list trap target host: Parameter name of the target host: NMS1TRAPS Message mode of the target host: SNMPV3 Trap version of the target host: v3 Security name of the target host: NMS1 Security level of the target host: privacy Total number is 1 [LabnarioR1]display snmp-agent sys-info contact The contact person for this managed node: CALL 0800-123456789