
SNMP-based Device Management Security

Overview

The Simple Network Management Protocol (SNMP) is used to manage network devices. A network management station (NMS) uses SNMP to read management data from devices and to configure them. SNMP also provides traps, through which a device reports important status changes to the NMS on its own initiative.

SNMPv1, SNMPv2c, and SNMPv3 provide different levels of security.

SNMPv1 and SNMPv2c support ACLs and the view-based access control model (VACM). An NMS can manage a device only if it presents the configured community name, sends from a source address permitted by the specified ACL, and confines its requests to objects in the specified MIB view. This restricts who can reach which objects, but it does not protect the exchange itself: the community name is carried in cleartext in every packet, so anyone who can observe the traffic learns it, and the ACL check relies on the source IP address, which an attacker can spoof.

SNMPv3 supports the user-based security model (USM), the MD5, SHA, and SHA2 authentication algorithms, and the DES and AES encryption algorithms. SNMPv3 authenticates and encrypts management traffic, which defeats message forgery and modification and keeps credentials and data from being read off the wire.

To ensure security, use SHA2 for authentication and AES for encryption. MD5 and DES are weak by current standards and should be kept only where an old NMS cannot be upgraded.

Community names of SNMPv1 and SNMPv2c are stored in ciphertext in the configuration.

When an authentication password and an encryption password are configured for an SNMPv3 user, each password must be entered twice for confirmation. The password is not echoed while it is typed, and it is stored in ciphertext.

Storing community names and user passwords in ciphertext protects them from disclosure when the configuration is displayed, saved, or backed up. It does not change what is sent on the wire, so it complements, rather than replaces, SNMPv3 authentication and encryption.

Common SNMP attacks include the following:
  • An attacker spoofs the source IP address of packets to pass an ACL check and obtain unauthorized operation rights.
  • An attacker eavesdrops on communication between the NMS and SNMP agents to obtain usernames, passwords, and community names, and then uses them to gain unauthorized rights.
  • An attacker intercepts SNMP messages and reorders, delays, or replays them to obtain unauthorized operation rights.

USM authenticates and encrypts SNMP data to defend against these attacks.

Authentication: Verifies data origin and data integrity, so that a message is accepted only if it was sent by the claimed user and was not forged or modified in transit. The sender computes an HMAC over the message with MD5, SHA, or SHA2, and the receiver recomputes it to detect any change. USM also carries the agent's engine boots and engine time in every authenticated message and rejects messages that fall outside its time window, which defeats delayed and replayed messages.

Encryption: Encrypts the PDU so that an attacker who captures packets with a sniffer cannot read their contents. DES or AES provides the encryption; AES is the stronger of the two and is the recommended choice.
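The authentication mechanism described above, as an added example that is not part of this page or of Huawei's software: a Python implementation of the USM password-to-key and key-localization steps (RFC 3414, with the SHA-256 variant from RFC 7860) and of the truncated HMAC that a sender places in msgAuthenticationParameters. The engine ID is the one shown in the display output later on this page; the password hello1234 is the page's example value; the message bytes are a constructed placeholder, and the mapping of Huawei's sha2-256 keyword to the RFC 7860 HMAC-192-SHA-256 protocol is an assumption.

```python
"""USM key derivation and message authentication (RFC 3414, RFC 7860).

Added example for this page; it is not Huawei code. It shows what the
authentication and encryption passwords of an SNMPv3 user become on the
wire: neither password is ever transmitted. Each side hashes the password
into a key (Ku), localizes it with the agent's engine ID (Kul), and the
sender authenticates every message with a truncated HMAC under Kul.
"""
import hashlib
import hmac

# Huawei mode keyword -> (hashlib name, bytes of HMAC kept in the message).
# The sha2-256 mapping to usmHMAC192SHA256AuthProtocol is an assumption.
AUTH_PROTOCOLS = {
    "md5": ("md5", 12),          # usmHMACMD5AuthProtocol (RFC 3414), weak
    "sha": ("sha1", 12),         # usmHMACSHAAuthProtocol (RFC 3414)
    "sha2-256": ("sha256", 24),  # usmHMAC192SHA256AuthProtocol (RFC 7860)
}

# Engine ID taken from the page's display output. Engine IDs are public (the
# NMS learns them by discovery), so localization binds a key to one agent
# but adds no secrecy.
PAGE_ENGINE_ID = bytes.fromhex("800007DB03548998F3A49C")


def password_to_key(password: str, mode: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2).

    The 1 MiB expansion slows offline guessing, but it is fixed and unsalted,
    so a short password remains guessable.
    """
    hashname, _ = AUTH_PROTOCOLS[mode]
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the same password yields a different key
    on every agent, so a key recovered from one device does not open another."""
    hashname, _ = AUTH_PROTOCOLS[mode]
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def localized_key_from_password(password: str, engine_id: bytes, mode: str) -> bytes:
    """Convenience: password -> Ku -> Kul for one agent."""
    return localize_key(password_to_key(password, mode), engine_id, mode)


def auth_params(kul: bytes, whole_msg: bytes, mode: str) -> bytes:
    """Value of msgAuthenticationParameters: HMAC over the whole message
    (computed with that field zero-filled), truncated to the protocol length."""
    hashname, trunc = AUTH_PROTOCOLS[mode]
    return hmac.new(kul, whole_msg, hashname).digest()[:trunc]


def verify(kul: bytes, whole_msg: bytes, received: bytes, mode: str) -> bool:
    """Receiver-side check; a constant-time compare avoids a timing oracle."""
    return hmac.compare_digest(auth_params(kul, whole_msg, mode), received)


if __name__ == "__main__":
    # Constructed stand-in for an SNMPv3 message with the auth field zeroed.
    msg = b"\x30\x2a\x02\x01\x03" + b"\x00" * 24
    kul = localized_key_from_password("hello1234", PAGE_ENGINE_ID, "sha2-256")
    tag = auth_params(kul, msg, "sha2-256")
    print("Kul:", kul.hex())
    print("msgAuthenticationParameters:", tag.hex())
    print("genuine message verifies:", verify(kul, msg, tag, "sha2-256"))
    print("tampered message verifies:", verify(kul, msg + b"\x01", tag, "sha2-256"))
```

The MD5 and SHA paths reproduce the RFC 3414 Appendix A test vectors for password "maplesyrup" and engine ID 00...02, which is a quick way to check any implementation before pointing it at real devices.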

Impact on the System

None

Procedure

To improve security, you are advised to configure SNMPv3 so that devices are managed using authentication and encryption and associate users with an ACL and MIB view to control access rights.

  1. Enter the system view.
    system-view
  2. Configure an ACL numbered 2001 with one rule that denies a specific source address and another that permits a specific source address. Rules are matched in ascending order of rule number, so a deny for a known-bad address is placed before the permit. Before relying on the ACL, check how the device treats SNMP packets that match no rule at all.
    acl 2001
    rule 5 deny source 10.138.20.123 0
    rule 10 permit source 10.138.90.111 0
  3. Configure a MIB view named iso-view, in which users can access the nodes of the sub-tree rooted at iso. Because iso is the root of the whole MIB tree, this view grants access to every object; narrow it to the sub-trees the NMS actually needs if full access is not required.
    snmp-agent mib-view include iso-view iso
  4. Configure an SNMPv3 group named v3group with the privacy security level (authentication and encryption both required), set the read view, write view, and notification view to iso-view, and apply ACL 2001 to the group. Requests from a user in this group at a lower security level (no authentication, or authentication only) are rejected, so every user in the group needs both an authentication mode and a privacy mode.
    snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
  5. Configure an SNMPv3 user named v3user in group v3group. In this example, the authentication mode is sha2-256 with password hello1234, and the privacy mode is aes256 with password tianxianbaobao2012; ACL 2001 is associated with the user. These passwords are illustrative only: use long passwords, and a different one for authentication and for privacy, because the privacy key is derived from its password in the same way as the authentication key, and a shared password exposes both at once.
    snmp-agent usm-user v3 v3user group v3group acl 2001
    snmp-agent usm-user v3 v3user authentication-mode sha2-256
    Please configure the authentication password (8-64)
    Enter Password:
    Confirm password:
    snmp-agent usm-user v3 v3user privacy-mode aes256
    Please configure the privacy password (8-64)
    Enter Password:
    Confirm password:
  6. Check the SNMP configuration. The output should show the group at the privacy level, the user with sha2-256 and aes256, and ACL 2001 applied to both the group and the user; the passwords appear only as ciphertext.
    display current-configuration | include snmp
    snmp-agent local-engineid 800007DB03548998F3A49C
    snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
    snmp-agent mib-view include iso-view iso
    snmp-agent usm-user v3 v3user
    snmp-agent usm-user v3 v3user group v3group
    snmp-agent usm-user v3 v3user authentication-mode sha2-256 cipher %^%#*BwWWR"Yw$)/96+kf}EHeP)8C:*-!A3,<pQzhW5$%^%#
    snmp-agent usm-user v3 v3user privacy-mode aes256 cipher %^%#{q\&EFUCt-b]23G{.o|Fh!ABRgI'X#Eyt:QJGh%=r_T1#&N`M*!4uMV1>qHN%^%#
    snmp-agent usm-user v3 v3user acl 2001
    snmp-agent
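The check in the last step, as an added example that is not part of this page or of Huawei's software: a Python script that reads the text of display current-configuration | include snmp and reports every setting that departs from the hardening advice above (SNMPv1/v2c left enabled, community names present, a group below the privacy level, MD5 or DES on a user, a missing ACL, or a user that cannot meet its group's level). It assumes the command formats shown in the procedure, plus Huawei's snmp-agent sys-info version and snmp-agent community commands and the keywords md5, sha, sha2-* and des56, aes*. Both sample configurations are constructed; the cipher blobs are replaced by a REDACTED placeholder.

```python
"""Audit 'display current-configuration | include snmp' output against the
recommendations on this page. Added example, not Huawei code. It assumes the
command formats shown in the procedure above plus Huawei's sys-info version
and community commands; the sample configurations below are constructed.
"""

WEAK_AUTH = {"md5", "sha"}      # page recommends sha2-*
WEAK_PRIV = {"des56"}           # page recommends aes*
LEGACY = {"v1", "v2c", "all"}   # versions whose community names travel in cleartext
USER_FIELDS = {"group": "group", "authentication-mode": "auth", "privacy-mode": "priv"}


def parse_snmp_config(text):
    """Return (groups, users, findings); findings here cover legacy v1/v2c settings."""
    groups, users, findings = {}, {}, []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "snmp-agent":
            continue
        if t[1:3] == ["sys-info", "version"] and set(t[3:]) & LEGACY:
            findings.append("SNMPv1/v2c enabled: " + raw.strip())
        elif t[1:2] == ["community"]:
            findings.append("v1/v2c community configured, name is cleartext on the wire: " + raw.strip())
        elif t[1:3] == ["group", "v3"] and len(t) > 4:
            # snmp-agent group v3 <name> <level> [read-view ...] [acl <n>]
            groups[t[3]] = {"level": t[4], "acl": "acl" in t[5:]}
        elif t[1:3] == ["usm-user", "v3"] and len(t) > 3:
            # snmp-agent usm-user v3 <name> [group <g> | authentication-mode <m> | privacy-mode <m> | acl <n>]
            u = users.setdefault(t[3], {"group": None, "auth": None, "priv": None, "acl": False})
            if len(t) > 5 and t[4] in USER_FIELDS:
                u[USER_FIELDS[t[4]]] = t[5]
            elif len(t) > 5 and t[4] == "acl":
                u["acl"] = True
    return groups, users, findings


def audit(text):
    """List everything that departs from the page's hardening advice."""
    groups, users, findings = parse_snmp_config(text)
    for name, g in groups.items():
        if g["level"] != "privacy":
            findings.append(f"group {name}: level {g['level']} does not require encryption")
        if not g["acl"]:
            findings.append(f"group {name}: no ACL, reachable from any source address")
    for name, u in users.items():
        if u["auth"] in WEAK_AUTH:
            findings.append(f"user {name}: authentication-mode {u['auth']} is weak, use sha2-256")
        if u["priv"] in WEAK_PRIV:
            findings.append(f"user {name}: privacy-mode {u['priv']} is weak, use aes256")
        if u["group"] not in groups:
            findings.append(f"user {name}: group {u['group']} is not defined")
        elif groups[u["group"]]["level"] == "privacy" and not (u["auth"] and u["priv"]):
            findings.append(f"user {name}: group requires privacy but the user lacks an auth or privacy mode")
        if not u["acl"]:
            findings.append(f"user {name}: no ACL on the user")
    return findings


# Constructed: the page's hardened result plus leftovers an audit should catch.
MIXED_CONFIG = """\
snmp-agent local-engineid 800007DB03548998F3A49C
snmp-agent sys-info version v2c v3
snmp-agent community read cipher %^%#REDACTED%^%#
snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
snmp-agent group v3 legacygroup authentication read-view iso-view
snmp-agent mib-view include iso-view iso
snmp-agent usm-user v3 v3user
snmp-agent usm-user v3 v3user group v3group
snmp-agent usm-user v3 v3user authentication-mode sha2-256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 v3user privacy-mode aes256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 v3user acl 2001
snmp-agent usm-user v3 olduser group legacygroup
snmp-agent usm-user v3 olduser authentication-mode md5 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 olduser privacy-mode des56 cipher %^%#REDACTED%^%#
snmp-agent
"""

# Constructed: only what the procedure on this page produces, SNMPv3 only.
HARDENED_CONFIG = """\
snmp-agent local-engineid 800007DB03548998F3A49C
snmp-agent sys-info version v3
snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
snmp-agent mib-view include iso-view iso
snmp-agent usm-user v3 v3user
snmp-agent usm-user v3 v3user group v3group
snmp-agent usm-user v3 v3user authentication-mode sha2-256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 v3user privacy-mode aes256 cipher %^%#REDACTED%^%#
snmp-agent usm-user v3 v3user acl 2001
snmp-agent
"""

if __name__ == "__main__":
    for label, cfg in (("mixed", MIXED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a saved copy of the display output; an empty findings list for the hardened configuration is the expected result of the procedure, and every line it prints for a real device is a concrete deviation to fix.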
Copyright © Huawei Technologies Co., Ltd.