Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT.


Slide 2 Scope
- Quick Overview
- Important Points
- Security Models
- Authentication
- Privacy
- General Usage
- Supported Platforms
- IOS Configuration
- CatOS Configuration
- Usage Example
- C Words

Slide 3 Overview of SNMPv3
SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of
- RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
- RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
- RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
- RFC 2573: SNMP Applications, Draft Standard, April 1999
- RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999
- RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
- RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
These documents reuse definitions from the following SNMPv2 specifications:
- RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
- RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
- RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard

Slide 4 SNMPv3 Important Points
Authentication
- MD5 or SHA authentication passphrase hashes
- Passphrase must be greater than 8 characters, including spaces
Privacy
- Packet data may now be DES encrypted (future use allows additional encryptions)
- Passphrase defaults to the authentication passphrase
- Allows for a unique Privacy passphrase
SNMPv3 provides for both security models and security levels.
- A security model is an authentication strategy set up for a user and the user's group
- A security level is the permitted security within the security model
- Three security models are available: SNMPv1, SNMPv2c, and SNMPv3

Slide 5 SNMPv3 Security Models

Model   | Level        | Authentication | Encryption | Notes
--------|--------------|----------------|------------|------------------------------
SNMPv1  | noAuthNoPriv | Simple String  | None       | "Traditional" SNMP Management
SNMPv2c | noAuthNoPriv | Simple String  | None       |
SNMPv3  | noAuthNoPriv | User           | None       | Backwards Compatible
SNMPv3  | authNoPriv   | MD5/SHA        | None       | Authentication Hashes
SNMPv3  | authPriv     | MD5/SHA        | DES        | Full Authentication & Privacy

Slide 6 Authentication (SNMP Version 3 - Authentication)
- User: defines the unit of access
- Group: defines the User's class for application of scope
- View: defines a set of resources within a MIB structure
- Operation: defines the actions that may be performed (READ, WRITE, ADMINISTER)
Operations are applied to Views. Users are assigned to Groups. Groups are assigned Views.

Slide 7 Privacy (SNMP Version 3 - Privacy)
- SNMP v1 and v2c transported data in clear text
- v3 allows the data payload to be encrypted
  - Currently the specification only allows for DES
  - May be overridden for custom applications
  - Specification allows for multiple encryption mechanisms to be defined
- Passphrase defaults to using the authentication passphrase
  - Passphrase may be completely separate and unique
- Privacy must be specified in conjunction with authentication
  - Allowed: NONE, authNoPriv, authPriv
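To make the passphrase and security-level rules of slides 4 to 7 concrete, here is an added Python example (not from the presentation) that implements the USM password-to-key localization from RFC 3414, checked against that RFC's published "maplesyrup" test vector, together with the security-level rule that rejects privacy without authentication.

```python
import hashlib

# Added example: RFC 3414 (USM) password-to-key derivation and the security-level
# rule from the slides. Not taken from the presentation; the engine ID and
# passphrase used in __main__ are the published RFC 3414 appendix A.3 test values.

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: the passphrase is repeated to fill 1 MiB


def check_passphrase(passphrase: str) -> None:
    """USM requires a passphrase of at least 8 octets (spaces count)."""
    if len(passphrase.encode()) < 8:
        raise ValueError("USM passphrase must be at least 8 characters")


def password_to_key(passphrase: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Return the localized key Kul for one user on one agent.

    Ku  = H(passphrase repeated to 1 MiB)   # user key, identical on every agent
    Kul = H(Ku || snmpEngineID || Ku)       # key bound to this agent's engine ID
    The privacy key is derived the same way from the privacy passphrase, which is
    why the slides recommend a privacy passphrase distinct from the auth one.
    """
    check_passphrase(passphrase)
    pw = passphrase.encode()
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def security_level(auth: bool, priv: bool) -> str:
    """Map the auth/priv flags to a USM security level (slide 5 table)."""
    if priv and not auth:
        # There is no "noAuthPriv": privacy must be combined with authentication.
        raise ValueError("privacy requires authentication "
                         "(allowed: noAuthNoPriv, authNoPriv, authPriv)")
    return {(False, False): "noAuthNoPriv",
            (True, False): "authNoPriv",
            (True, True): "authPriv"}[(auth, priv)]


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 sample engineID
    print("MD5  Kul:", password_to_key("maplesyrup", engine, "md5").hex())
    print("SHA1 Kul:", password_to_key("maplesyrup", engine, "sha1").hex())
    # The same passphrase localizes to a different key on another engine:
    print("other engine:", password_to_key("maplesyrup", b"\x00" * 11 + b"\x03").hex())
    print(security_level(True, True))
```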

Slide 8 General Usage Notes
- Use multiple Users, one for each action (get, set, trap)
  - Different Authentication passphrases
- Always use Privacy (authPriv)
  - Make sure the Privacy passphrases are different from the User's authentication passphrase
- Always set up your initial security in a secure environment before exposing the system to the elements.
SUMMARY: SNMP is a Message Passing Protocol.
- Always use SSH to connect to your Cisco devices
  - Requires the encryption IOS and CatOS versions
  - Well worth the investment

Slide 9 Supported Platforms
Cisco IOS V12.0(3)T and higher
- You want to use the "Strong Encryption" version if possible
- If not, then you can usually still get a version that will support Auth
- SSH users are unique to the system at enable mode
Cisco CatOS 6.3(1) and higher
- Requires the version that supports "Secure Shell"
  - Denoted usually by a "k" in the image, ex: cat4000-k bin
- If not a Secure Shell version then you can use v3, but only with noAuthNoPriv
- SSH users all use the same dual passwords (enable/exec)
Almost all Cisco hardware is supported
- Except xDSL and other SOHO type network devices

Slide 10 IOS Configuration
First set up SSH access:
  aaa new-model
  username {user} password {pw}
  ip domain-name {groovie.org}
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 2
  line vty 0 4
   transport input ssh
Now set up SNMPv3:
  snmp-server group {mygroup} v3 priv
  snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
And away you go
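An added audit script (not part of the slides) that checks a captured IOS running-config against the guidance of slides 8 and 10: it flags v1/v2c community strings, v3 groups configured below priv, and vty lines that still accept Telnet. The sample config lines are constructed for the example and use placeholder passwords.

```python
import re

# Constructed sample running-config for the example; passwords are placeholders.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group mygroup v3 priv
snmp-server group legacy v3 noauth
snmp-server user myuser mygroup v3 auth sha {authpw} priv des56 {privpw}
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?")
GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
VTY = re.compile(r"^line vty (\d+(?: \d+)?)")


def audit_ios_config(config: str) -> list:
    """Return one finding per config line that contradicts the slides' guidance."""
    findings = []
    vty = None  # vty range that the indented 'transport input' lines belong to
    for line in config.splitlines():
        if m := COMMUNITY.match(line):
            # Community strings are v1/v2c only: noAuthNoPriv, sent in clear text.
            findings.append(f"community '{m.group(1)}' ({m.group(2) or 'RO'}): "
                            "v1/v2c cleartext string, noAuthNoPriv")
        elif m := GROUP.match(line):
            if m.group(2) != "priv":
                findings.append(f"v3 group '{m.group(1)}' is {m.group(2)}: "
                                "use priv (authPriv)")
        elif m := VTY.match(line):
            vty = m.group(1)
        elif line.startswith(" transport input") and vty:
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"line vty {vty}: transport input {' '.join(protocols)}: "
                                "restrict to 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```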

Slide 11 CatOS Configuration
First set up SSH access:
  set crypto key rsa 1024
  set ip permit enable ssh
Clear all Telnet and replace with ssh:
  clear ip permit { } telnet
  set ip permit { } ssh
  set snmp trap enable ippermit
Now set up SNMPv3:
  set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
  set snmp group {mygroup} user {myuser} security-model v3
  set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
And away you go

Slide 12 Comments, Critiques, CIA (these are words that begin with a 'c')

Slide 13 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT