SNMPv3, SSH & Cisco
Matthew G. Marsh, Chief Scientist of the NEbraskaCERT


Slide 1: SNMPv3, SSH & Cisco
Matthew G. Marsh, Chief Scientist of the NEbraskaCERT

Slide 2: Scope
- Quick Overview
- Important Points
- Security Models
- Authentication
- Privacy
- General Usage
- Supported Platforms
- IOS Configuration
- CatOS Configuration
- Usage Example
- C Words

Slide 3: Overview of SNMPv3
SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999.
- RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
- RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
- RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
- RFC 2573: SNMP Applications, Draft Standard, April 1999
- RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999
- RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
- RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000
These documents reuse definitions from the following SNMPv2 specifications:
- RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
- RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
- RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard

Slide 4: SNMPv3 Important Points
Authentication
- MD5 or SHA authentication passphrase hashes
- Passphrase must be greater than 8 characters including spaces
Privacy
- Packet data may now be DES encrypted (future use allows additional encryptions)
- Passphrase defaults to authentication passphrase
- Allows for unique Privacy passphrase
SNMPv3 provides for both security models and security levels.
- A security model is an authentication strategy set up for a user and the user's group
- A security level is the permitted security within the security model
- Three security models are available: SNMPv1, SNMPv2c, and SNMPv3
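The slide says the MD5 or SHA passphrase is "hashed", but an agent never uses the passphrase or its plain digest directly. The following added example (not part of the presentation; it follows RFC 3414, the successor of the RFC 2574 USM document the slide cites) shows the two-step derivation: the passphrase is stretched into a key Ku by hashing it repeated to one megabyte, and Ku is then localized with the agent's snmpEngineID, so the same passphrase yields a different key on every device. It enforces the 8-character minimum, shows how the DES privacy key material is cut from the localized privacy key, and is checked against the RFC's own "maplesyrup" test vectors; the engine ID value is the one from those vectors.

```python
"""Added example (not from the presentation): how an SNMPv3 USM agent turns
the MD5 or SHA passphrase from slide 4 into the key it actually uses,
following RFC 3414 Appendix A. Checked against the RFC "maplesyrup" vectors."""
import hashlib

ONE_MEGABYTE = 1048576      # RFC 3414 A.2: hash 1,048,576 bytes of repeated passphrase
MIN_PASSPHRASE_LEN = 8      # RFC 3414 section 11.2: passphrases are at least 8 characters


def password_to_key(passphrase: str, algo: str) -> bytes:
    """Ku: digest of the passphrase repeated cyclically and cut to exactly 1 MB.

    The stretching makes each guess cost a megabyte of hashing, which is the
    only brute-force resistance a short passphrase gets, hence the length check.
    """
    pw = passphrase.encode()
    if len(pw) < MIN_PASSPHRASE_LEN:
        raise ValueError("SNMPv3 passphrase must be at least 8 characters")
    h = hashlib.new(algo)                       # "md5" or "sha1"
    reps = ONE_MEGABYTE // len(pw) + 1
    h.update((pw * reps)[:ONE_MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    Localization ties the key to one agent: a localized key recovered from one
    device's configuration does not authenticate to any other device, even
    though the operator typed the same passphrase on both.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(passphrase: str, engine_id: bytes, algo: str) -> bytes:
    """Passphrase straight to the per-agent key (what the agent stores)."""
    return localize_key(password_to_key(passphrase, algo), engine_id, algo)


def des_key_material(localized_priv_key: bytes) -> bytes:
    """RFC 3414 8.1.1.1: CBC-DES uses the first 16 octets of the localized
    privacy key: 8 octets of DES key followed by 8 octets of pre-IV."""
    return localized_priv_key[:16]


# Engine ID from the RFC 3414 Appendix A test vectors (constructed input).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku = password_to_key("maplesyrup", algo)
        kul = localize_key(ku, RFC_ENGINE_ID, algo)
        print(f"{algo}: Ku={ku.hex()} Kul={kul.hex()}")
    # Slide 4: the privacy passphrase defaults to the authentication passphrase.
    # When it does, the privacy key is the very same localized key as the
    # authentication key, so the DES key material is simply its first 16 octets.
    auth_kul = localized_key("maplesyrup", RFC_ENGINE_ID, "md5")
    print("DES key material with priv = auth passphrase:", des_key_material(auth_kul).hex())
```

The MD5 and SHA vectors in the test below are the ones printed in RFC 3414 Appendix A.3; if a device's `show snmp user` output ever needs to be reconciled with a configured passphrase, this is the computation behind it.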

Slide 5: SNMPv3 Security Models

Model     Level          Authentication   Encryption   Notes
SNMPv1    noAuthNoPriv   Simple String    None         "Traditional" SNMP Management
SNMPv2c   noAuthNoPriv   Simple String    None
SNMPv3    noAuthNoPriv   User             None         Backwards Compatible
SNMPv3    authNoPriv     MD5/SHA          None         Authentication Hashes
SNMPv3    authPriv       MD5/SHA          DES          Full Authentication & Privacy

Slide 6: Authentication
- User: Defines the unit of access
- Group: Defines User's class for application of scope
- View: Defines a set of resources within a MIB structure
- Operation: Defines the actions that may be performed (READ, WRITE, ADMINISTER)
Operations are applied to Views. Users are assigned to Groups. Groups are assigned Views.
SNMP Version 3 - Authentication

Slide 7: Privacy
- SNMP v1 and v2c transported data in clear text
- v3 allows the data payload to be encrypted
  - Currently the specification only allows for DES
  - May be overridden for custom applications
  - Specification allows for multiple encryption mechanisms to be defined
- Passphrase defaults to using the authentication passphrase
  - Passphrase may be completely separate and unique
- Privacy must be specified in conjunction with authentication
  - Allowed: NONE, authNoPriv, authPriv
SNMP Version 3 - Privacy

Slide 8: General Usage Notes
- Use multiple Users
  - One for each action (get, set, trap)
  - Different Authentication passphrases
- Always use Privacy - authPriv
  - Make sure the passphrases are different from the User's
- Always set up your initial security in a secure environment before exposing the system to the elements.
- SUMMARY: SNMP is a Message Passing Protocol.
- Always use SSH to connect to your Cisco devices
  - Requires the encryption IOS and CatOS versions
  - Well worth the investment

Slide 9: Supported Platforms
- Cisco IOS V12.0(3)T and higher
  - You want to use the "Strong Encryption" version if possible
  - If not then you can usually still get a version that will support Auth
  - SSH users are unique to the system at enable mode
- Cisco CatOS 6.3(1) and higher
  - Requires the version that supports "Secure Shell"
  - Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin
  - If not a Secure Shell version then you can use v3 but only with noAuthNoPriv
  - SSH users all use same dual passwords (enable/exec)
- Almost all Cisco hardware is supported
  - Except xDSL and other SOHO type network devices

Slide 10: IOS Configuration
First set up SSH access:
    aaa new-model
    username {user} password {pw}
    ip domain-name {groovie.org}
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 2
    line vty 0 4
     transport input ssh
Now set up SNMPv3:
    snmp-server group {mygroup} v3 priv
    snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
And away you go
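Slides 6, 8 and 10 describe one thing from three angles: the User, Group and View hierarchy, the advice to run a separate user per action with distinct passphrases and authPriv everywhere, and the two `snmp-server` lines that create a group and a user. The added example below (my own code, not the presenter's; it models the hierarchy in Python rather than on a device) ties them together: it answers "may this user perform this operation on this OID at this security level?" the way a VACM-style check does, validates a user plan against the slide 8 hygiene rules, and renders the result as IOS `snmp-server view`, `snmp-server group` and `snmp-server user` commands. The group and view names, the OID subtrees chosen for the views, and the passphrases are constructed placeholders; the `read`, `write` and `notify` view keywords on `snmp-server group` are real IOS syntax that the slide's single-line form omits.

```python
"""Added example (not from the presentation): the user -> group -> view ->
operation hierarchy of slide 6, laid out as the one-user-per-action plan of
slide 8 and rendered as the IOS commands of slide 10. All names, view OIDs
and passphrases are constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
IOS_LEVEL_KEYWORD = {"noAuthNoPriv": "noauth", "authNoPriv": "auth", "authPriv": "priv"}


def oid_under(oid: str, prefix: str) -> bool:
    """True if oid equals prefix or lies in the subtree below it."""
    return oid == prefix or oid.startswith(prefix + ".")


@dataclass
class View:
    name: str
    included: List[str]                         # OID subtrees that are in the view
    excluded: List[str] = field(default_factory=list)

    def contains(self, oid: str) -> bool:
        inside = any(oid_under(oid, p) for p in self.included)
        return inside and not any(oid_under(oid, p) for p in self.excluded)


@dataclass
class Group:
    name: str
    min_level: str                              # lowest message security level accepted
    read: Optional[View] = None
    write: Optional[View] = None
    notify: Optional[View] = None


@dataclass
class User:
    name: str
    group: Group
    auth_pw: str
    priv_pw: str


def access_allowed(user: User, op: str, oid: str, msg_level: str) -> bool:
    """Operations are applied to views; a user reaches a view only through its group."""
    if LEVELS[msg_level] < LEVELS[user.group.min_level]:
        return False                            # e.g. authNoPriv request to a priv-only group
    view = getattr(user.group, op)              # op is "read", "write" or "notify"
    return view is not None and view.contains(oid)


def check_plan(users: List[User]) -> List[str]:
    """Slide 8 hygiene: distinct auth passphrases, priv != auth, minimum length."""
    problems, seen = [], {}
    for u in users:
        for label, pw in (("auth", u.auth_pw), ("priv", u.priv_pw)):
            if len(pw) < 8:
                problems.append(f"{u.name}: {label} passphrase shorter than 8 characters")
        if u.priv_pw == u.auth_pw:
            problems.append(f"{u.name}: privacy passphrase equals authentication passphrase")
        if u.auth_pw in seen:
            problems.append(f"{u.name}: shares authentication passphrase with {seen[u.auth_pw]}")
        seen.setdefault(u.auth_pw, u.name)
    return problems


def ios_commands(views: List[View], groups: List[Group], users: List[User]) -> List[str]:
    """Render the plan as the IOS snmp-server view/group/user lines."""
    out = []
    for v in views:
        out += [f"snmp-server view {v.name} {p} included" for p in v.included]
        out += [f"snmp-server view {v.name} {p} excluded" for p in v.excluded]
    for g in groups:
        line = f"snmp-server group {g.name} v3 {IOS_LEVEL_KEYWORD[g.min_level]}"
        for op in ("read", "write", "notify"):
            view = getattr(g, op)
            if view is not None:
                line += f" {op} {view.name}"
        out.append(line)
    for u in users:
        out.append(f"snmp-server user {u.name} {u.group.name} v3 "
                   f"auth sha {u.auth_pw} priv des56 {u.priv_pw}")
    return out


# Constructed sample plan: one user per action, every group requires authPriv.
# The management view hides the USM and VACM tables (1.3.6.1.6.3.15/16) so a
# read-only poller cannot enumerate other users or the access policy itself.
MGMT_VIEW = View("mgmt-view", ["1.3.6.1"], excluded=["1.3.6.1.6.3.15", "1.3.6.1.6.3.16"])
TRAP_VIEW = View("trap-view", ["1.3.6.1.6.3.1.1.5"])          # snmpTraps subtree
RO_GROUP = Group("ro-group", "authPriv", read=MGMT_VIEW)
RW_GROUP = Group("rw-group", "authPriv", read=MGMT_VIEW, write=MGMT_VIEW)
TRAP_GROUP = Group("trap-group", "authPriv", notify=TRAP_VIEW)
USERS = [
    User("poller", RO_GROUP, "poll-auth-PLACEHOLDER-1", "poll-priv-PLACEHOLDER-1"),
    User("provisioner", RW_GROUP, "prov-auth-PLACEHOLDER-2", "prov-priv-PLACEHOLDER-2"),
    User("trapsender", TRAP_GROUP, "trap-auth-PLACEHOLDER-3", "trap-priv-PLACEHOLDER-3"),
]

if __name__ == "__main__":
    for problem in check_plan(USERS):
        print("WARNING:", problem)
    print("\n".join(ios_commands([MGMT_VIEW, TRAP_VIEW], [RO_GROUP, RW_GROUP, TRAP_GROUP], USERS)))
```

Note that `access_allowed` rejects an authNoPriv request to a priv-only group before it ever looks at the view: the security level is checked first, the view second, which is the order slide 7 implies when it says privacy is specified in conjunction with authentication. The rendered `snmp-server user` line still carries the passphrases in clear text, which is why slide 8 insists the initial setup happens in a secure environment.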

Slide 11: CatOS Configuration
First set up SSH access:
    set crypto key rsa 1024
    set ip permit enable ssh
Clear all Telnet and replace with ssh:
    clear ip permit {10.1.1.1} telnet
    set ip permit {10.1.1.1} ssh
    set snmp trap enable ippermit
Now set up SNMPv3:
    set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
    set snmp group {mygroup} user {myuser} security-model v3
    set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView
And away you go

Slide 12: Comments, Critiques, CIA
These are words that begin with a 'c'

Slide 13: SNMPv3, SSH & Cisco
Matthew G. Marsh, Chief Scientist of the NEbraskaCERT

