Upload
berniece-webb
View
217
Download
0
Embed Size (px)
Citation preview
Slide 1
SNMPv3, SSH & Cisco
Matthew G. Marsh
Chief Scientist of the NEbraskaCERT
Slide 2
Scope
Quick OverviewImportant PointsSecurity Models
AuthenticationPrivacy
General UsageSupported PlatformsIOS ConfigurationCatOS ConfigurationUsage ExampleC Words
Slide 3
Overview of SNMPv3
SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.
•RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999 •RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999 •RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999•RFC 2573: SNMP Applications, Draft Standard, April 1999 •RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999 •RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999 •RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
These documents reuse definitions from the following SNMPv2 specifications:
•RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard •RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard •RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
Slide 4
SNMPv3 Important Points
AuthenticationMD5 or SHA authentication passphrase hashes
Passphrase must be greater than 8 characters including spaces
PrivacyPacket data may now be DES encrypted (future use allows additional encryptions)
Passphrase defaults to authentication passphrase
Allows for unique Privacy passphrase
SNMPv3 provides for both security models and security levels.
A security model is an authentication strategy set up for a user and the user’s group
A security level is the permitted security within the security model
Three security models are available: SNMPv1, SNMPv2c, and SNMPv3
Slide 5
SNMPv3 Security Models
Model Level Authentication
Encryption
Notes
SNMPv1 noAuthNoPriv
Simple String
None "Traditional"
SNMP Management
SNMPv2c
noAuthNoPriv
Simple String
None
SNMPv3 noAuthNoPriv
User None Backwards Compatible
SNMPv3 noAuthPriv
MD5/SHA
None Authentication
Hashes
SNMPv3 AuthPriv MD5/SHA
DES Full Authentication
& Privacy
Slide 6
Authentication
UserDefines the unit of access
Group
Defines User's class for application of scope
View
Defines a set of resources within a MIB structure
Operation
Defines the actions that may be performed
READ
WRITE
ADMINISTER
Operations are applied to ViewsUsers are assigned to Groups Groups are assigned Views
SNMP Version 3 - Authentication
Slide 7
Privacy
SNMP v1 and v2c transported data in clear text
v3 allows the data payload to be encrypted
Currently the specification only allows for DES
May be overridden for custom applications
Specification allows for multiple encryption mechanisms to be defined
Passphrase defaults to using the authentication passphrase
Passphrase may be completely separate and unique
Privacy must be specified in conjunction with authentication
Allowed: NONE, authnoPriv, authPriv
SNMP Version 3 - Privacy
Slide 8
General Usage Notes
Use multiple Users
One for each action (get, set, trap)
Different Authentication passphrases
Always use Privacy - authPriv
Make sure the passphrases are different from the User's
Always set up your initial security in a secure environment before exposing the system to the elements.
SUMMARY: SNMP is a Message Passing Protocol.
Always use SSH to connect to your Cisco devices
Requires the encryption IOS and CatOS versions
Well worth the investment
Slide 9
Supported Platforms
Cisco IOS V12.0(3)T and higher
You want to use the "Strong Encryption" version if possible
If not then you can usually still get a version that will support Auth
SSH users are unique to the system at enable mode
Cisco CatOS 6.3(1) and higher
Requires the version that supports "Secure Shell"
Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin
If not a Secure Shell version then you can use v3 but only with noAuthNoPriv
SSH users all use same dual passwords (enable/exec)
Almost all Cisco hardware is supported
Except xDSL and other SOHO type network devices
Slide 10
IOS Configuration
First set up SSH accessaaa new-model
username {user} password {pw}
ip domain-name {groovie.org}
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
Now set up SNMPv3snmp-server group {mygroup} v3 priv
snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
And away you go
Slide 11
CatOS Configuration
First set up SSH accessset crypto key rsa 1024
set ip permit enable ssh
Clear all Telnet and replace with sshclear ip permit {10.1.1.1} telnet
set ip permit {10.1.1.1} ssh
set snmp trap enable ippermit
Now set up SNMPv3set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
set snmp group {mygroup} user {myuser} security-model v3
set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
And away you go
Slide 12
Comments, Critiques, CIA
These are words that begin with a 'c'
Slide 13
SNMPv3, SSH & Cisco
Matthew G. Marsh
Chief Scientist of the NEbraskaCERT