Slide 1

SNMPv3, SSH & Cisco

Matthew G. Marsh

Chief Scientist of the NEbraskaCERT

Slide 2

Scope

Quick OverviewImportant PointsSecurity Models

AuthenticationPrivacy

General UsageSupported PlatformsIOS ConfigurationCatOS ConfigurationUsage ExampleC Words

Slide 3

Overview of SNMPv3

SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.

•RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999 •RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999 •RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999•RFC 2573: SNMP Applications, Draft Standard, April 1999 •RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999 •RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999 •RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000

These documents reuse definitions from the following SNMPv2 specifications:

•RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard •RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard •RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard

Slide 4

SNMPv3 Important Points

AuthenticationMD5 or SHA authentication passphrase hashes

Passphrase must be greater than 8 characters including spaces

PrivacyPacket data may now be DES encrypted (future use allows additional encryptions)

Passphrase defaults to authentication passphrase

Allows for unique Privacy passphrase

SNMPv3 provides for both security models and security levels.

A security model is an authentication strategy set up for a user and the user’s group

A security level is the permitted security within the security model

Three security models are available: SNMPv1, SNMPv2c, and SNMPv3

Slide 5

SNMPv3 Security Models

Model Level Authentication

Encryption

Notes

SNMPv1 noAuthNoPriv

Simple String

None "Traditional"

SNMP Management

SNMPv2c

noAuthNoPriv

Simple String

None

SNMPv3 noAuthNoPriv

User None Backwards Compatible

SNMPv3 noAuthPriv

MD5/SHA

None Authentication

Hashes

SNMPv3 AuthPriv MD5/SHA

DES Full Authentication

& Privacy

Slide 6

Authentication

UserDefines the unit of access

Group

Defines User's class for application of scope

View

Defines a set of resources within a MIB structure

Operation

Defines the actions that may be performed

READ

WRITE

ADMINISTER

Operations are applied to ViewsUsers are assigned to Groups Groups are assigned Views

SNMP Version 3 - Authentication

Slide 7

Privacy

SNMP v1 and v2c transported data in clear text

v3 allows the data payload to be encrypted

Currently the specification only allows for DES

May be overridden for custom applications

Specification allows for multiple encryption mechanisms to be defined

Passphrase defaults to using the authentication passphrase

Passphrase may be completely separate and unique

Privacy must be specified in conjunction with authentication

Allowed: NONE, authnoPriv, authPriv

SNMP Version 3 - Privacy

Slide 8

General Usage Notes

Use multiple Users

One for each action (get, set, trap)

Different Authentication passphrases

Always use Privacy - authPriv

Make sure the passphrases are different from the User's

Always set up your initial security in a secure environment before exposing the system to the elements.

SUMMARY: SNMP is a Message Passing Protocol.

Always use SSH to connect to your Cisco devices

Requires the encryption IOS and CatOS versions

Well worth the investment

Slide 9

Supported Platforms

Cisco IOS V12.0(3)T and higher

You want to use the "Strong Encryption" version if possible

If not then you can usually still get a version that will support Auth

SSH users are unique to the system at enable mode

Cisco CatOS 6.3(1) and higher

Requires the version that supports "Secure Shell"

Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin

If not a Secure Shell version then you can use v3 but only with noAuthNoPriv

SSH users all use same dual passwords (enable/exec)

Almost all Cisco hardware is supported

Except xDSL and other SOHO type network devices

Slide 10

IOS Configuration

First set up SSH accessaaa new-model

username {user} password {pw}

ip domain-name {groovie.org}

crypto key generate rsa

ip ssh time-out 60

ip ssh authentication-retries 2

line vty 0 4

transport input ssh

Now set up SNMPv3snmp-server group {mygroup} v3 priv

snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}

And away you go

Slide 11

CatOS Configuration

First set up SSH accessset crypto key rsa 1024

set ip permit enable ssh

Clear all Telnet and replace with sshclear ip permit {10.1.1.1} telnet

set ip permit {10.1.1.1} ssh

set snmp trap enable ippermit

Now set up SNMPv3set snmp user {myuser} authentication md5 {authpw} privacy {privpw}

set snmp group {mygroup} user {myuser} security-model v3

set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView

And away you go

Slide 12

Comments, Critiques, CIA

These are words that begin with a 'c'

Slide 13

SNMPv3, SSH & Cisco

Matthew G. Marsh

Chief Scientist of the NEbraskaCERT