SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT
Scope
• Quick Overview
• Important Points
• Security Models
• Authentication
• Privacy
• General Usage
• Supported Platforms
• IOS Configuration
• CatOS Configuration
• Usage Example
• C Words
Overview of SNMPv3
SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.
• RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
• RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
• RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
• RFC 2573: SNMP Applications, Draft Standard, April 1999
• RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999
• RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
• RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
These documents reuse definitions from the following SNMPv2 specifications:
• RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
• RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
• RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
Note: the RFC 2570-2576 series was later obsoleted by RFC 3410-3418 (December 2002), which advanced SNMPv3 to Full Standard as STD 62; the USM and VACM mechanics described in this deck are unchanged in those revisions.
SNMPv3 Important Points
• Authentication
  • Each message carries an HMAC-MD5-96 or HMAC-SHA-96 tag, keyed from an authentication passphrase; the passphrase itself is never sent on the wire
  • Passphrase must be at least 8 characters; spaces count as characters
• Privacy
  • Packet data may now be DES encrypted (the framework allows additional ciphers to be defined later)
  • Privacy passphrase defaults to the authentication passphrase
  • A unique privacy passphrase may be set instead
• SNMPv3 provides for both security models and security levels
  • A security model is an authentication strategy set up for a user and the user's group
  • A security level is the permitted security within the security model
  • Three security models are available: SNMPv1, SNMPv2c, and SNMPv3 (USM)
Authentication (who may do what)
• User
  • Defines the unit of access
• Group
  • Defines the User's class for application of scope
• View
  • Defines a set of resources (a subtree) within the MIB structure
• Operation
  • Defines the actions that may be performed
  • READ
  • WRITE
  • NOTIFY (traps and informs)
  • These are the three VACM view types; on IOS and CatOS they appear as the read, write and notify view keywords
• Operations are applied to Views
• Users are assigned to Groups
• Groups are assigned Views
• Message authentication itself is the User-based Security Model (USM, RFC 2574); the User/Group/View scoping above is the View-based Access Control Model (VACM, RFC 2575)
Privacy
• SNMPv1 and v2c transported data in clear text, including the community string that served as the password
• v3 allows the data payload (the scoped PDU) to be encrypted
• Currently the specification only allows for DES (CBC-DES with a 56-bit key)
  • May be overridden for custom applications
  • Specification allows for multiple encryption mechanisms to be defined
  • Caveat: RFC 3826 later added AES-128 to USM; 56-bit DES is weak by current standards, so prefer AES wherever the platform offers it
• Privacy passphrase defaults to using the authentication passphrase
• Privacy passphrase may be completely separate and unique
• Privacy must be specified in conjunction with authentication; an encrypted but unauthenticated message could still be modified or replayed
• Allowed security levels: noAuthNoPriv, authNoPriv, authPriv (there is no noAuthPriv)
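The two slides above state that the authentication and privacy passphrases are turned into hashed keys and that the privacy passphrase defaults to the authentication one. The following Python is an added example, not code from the original deck, showing the actual USM derivation: the passphrase is stretched to 1 MiB, hashed with MD5 or SHA-1, and then "localized" with the agent's snmpEngineID so every device ends up holding a different key. The function names are this example's own; the algorithm and the "maplesyrup" values it reproduces are from RFC 2574 / RFC 3414 Appendix A, and the second engine ID is a constructed value.

```python
# Added example (not from the original slides): USM password-to-key and key
# localization, per RFC 2574 / RFC 3414 Appendix A.2.  Names are this example's own.
import hashlib
from typing import Optional, Tuple

ONE_MEGABYTE = 1_048_576  # USM feeds exactly this many octets of passphrase to the hash


def password_to_ku(password: str, algo: str = "sha1") -> bytes:
    """Return Ku, the engine-independent key derived from a passphrase.

    algo is "md5" (HMAC-MD5-96) or "sha1" (HMAC-SHA-96), the two USM auth
    protocols.  The passphrase is repeated until 1 MiB has been hashed; USM
    refuses passphrases shorter than 8 octets, which this check mirrors.
    """
    pw = password.encode("utf-8")
    if len(pw) < 8:
        raise ValueError("USM requires a passphrase of at least 8 octets")
    h = hashlib.new(algo)
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    h.update(pw * reps)   # whole repetitions of the passphrase
    h.update(pw[:rem])    # partial repetition to reach exactly 1 MiB
    return h.digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Return Kul = H(Ku || snmpEngineID || Ku), the key one agent actually holds.

    Because the engine ID is mixed in, a localized key recovered from one
    device (e.g. from its memory or config store) is useless against another
    device that shares the same passphrase.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(auth_pass: str, engine_id: bytes, algo: str = "sha1",
             priv_pass: Optional[str] = None) -> Tuple[bytes, bytes]:
    """Derive (authentication key, CBC-DES privacy key) for one user on one agent.

    As the slides note, the privacy passphrase defaults to the authentication
    passphrase; pass priv_pass to use a separate one.  CBC-DES (RFC 2574 s.8)
    uses the first 16 octets of the localized privacy key: 8 as the DES key
    and 8 as the pre-IV.
    """
    auth_key = localize(password_to_ku(auth_pass, algo), engine_id, algo)
    priv_key = localize(password_to_ku(priv_pass or auth_pass, algo), engine_id, algo)
    return auth_key, priv_key[:16]


if __name__ == "__main__":
    # RFC 3414 test engine ID, and a constructed second engine ID.
    engine_a = bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("800000090300aabbccddeeff")
    auth_a, priv_a = usm_keys("maplesyrup", engine_a, "md5")
    auth_b, _ = usm_keys("maplesyrup", engine_b, "md5")
    print("Kul on engine A:", auth_a.hex())   # RFC 3414 A.3.1 localized key
    print("Kul on engine B:", auth_b.hex())   # same passphrase, different key
    print("priv key == auth key when priv passphrase omitted:", priv_a == auth_a[:16])
```

A manager does the same computation after learning the agent's engine ID in the discovery exchange; for example net-snmp's `snmpget -v3 -l authPriv -u myuser -a SHA -A authpw -x DES -X privpw 10.1.1.1 sysDescr.0` derives these keys before sending the first authenticated request. The last print line is the practical reason behind the "use a separate privacy passphrase" advice: with the default, one leaked passphrase yields both keys.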
General Usage Notes
• Use multiple Users
  • One for each action (get, set, trap), so a read-only poller's credentials cannot be used to write
  • Different authentication passphrases for each user
• Always use Privacy (authPriv)
  • Make sure each privacy passphrase is different from that user's authentication passphrase; with the default (shared) passphrase, one leak yields both keys
• Always set up your initial security in a secure environment (console, or an isolated management network) before exposing the system to the elements; the first SNMPv3 user and SSH host key are created before anything protects them
• SUMMARY: SNMP is a message-passing protocol, so each message carries its own authentication and encryption
• Always use SSH to connect to your Cisco devices
  • Requires the encryption (crypto) IOS and CatOS images
  • Well worth the investment
Supported Platforms
• Cisco IOS 12.0(3)T and higher
  • You want to use the "Strong Encryption" (crypto) image if possible
  • If not, you can usually still get an image that supports authentication only (authNoPriv)
  • SSH users are local accounts on the device (username entries) and log in at exec/enable level
• Cisco CatOS 6.3(1) and higher
  • Requires the image that supports "Secure Shell"
  • Usually denoted by a "k" in the image name, ex: cat4000-k9.6-1-2.bin
  • If not a Secure Shell image, you can still use v3 but only with noAuthNoPriv
  • SSH users all share the same two passwords (exec and enable)
• Almost all Cisco hardware is supported
  • Except xDSL and other SOHO-type network devices
IOS Configuration
• First set up SSH access. The hostname and domain name must already be set before the RSA key can be generated; when prompted for the modulus, choose at least 2048 bits. In the username line prefer the secret keyword over password, so the stored credential is a one-way hash rather than a reversible type-7 string.
  aaa new-model
  username {user} password {pw}
  ip domain-name {groovie.org}
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 2
  line vty 0 4
   transport input ssh
• Now set up SNMPv3. The group is created at level priv, so every user in it must present authPriv credentials. No write view is given, so this group is read-only; add a write view only for the user that needs set access. Note that IOS does not echo the snmp-server user line in show running-config; check it with show snmp user.
  snmp-server group {mygroup} v3 priv
  snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
• And away you go
CatOS Configuration
• First set up SSH access. Do this from the console: the permit list is enabled before its entries exist, which drops remote sessions that are not yet permitted. A 1024-bit RSA key was typical when this deck was written; use a larger modulus where the image allows it.
  set crypto key rsa 1024
  set ip permit enable ssh
• Clear all Telnet permits and replace them with ssh
  clear ip permit {10.1.1.1} telnet
  set ip permit {10.1.1.1} ssh
  set snmp trap enable ippermit
• Now set up SNMPv3. MD5 is shown; use SHA where the image supports it. The access line grants both read and write on defaultAdminView, so this user can change configuration; give a read-only poller a separate group with only a read view.
  set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
  set snmp group {mygroup} user {myuser} security-model v3
  set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
• And away you go
C Words: Comments, Critiques, CIA
• These are words that begin with a 'c'