Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT.

Published byBerniece Webb Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT."— Presentation transcript:

1 Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT

2 Slide 2 Scope Quick Overview Important Points Security Models Authentication Privacy General Usage Supported Platforms IOS Configuration CatOS Configuration Usage Example C Words

3 Slide 3 Overview of SNMPv3 SNMP Version 3 is the current version of the Simple Network Management Protocol. This version was ratified as a Draft Standard in March of 1999. RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999 RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999 RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999 RFC 2573: SNMP Applications, Draft Standard, April 1999 RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard, April 1999 RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999 RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework, Proposed Standard, March 2000 These documents reuse definitions from the following SNMPv2 specifications: RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard

4 Slide 4 SNMPv3 Important Points Authentication MD5 or SHA authentication passphrase hashes Passphrase must be greater than 8 characters including spaces Privacy Packet data may now be DES encrypted (future use allows additional encryptions) Passphrase defaults to authentication passphrase Allows for unique Privacy passphrase SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up for a user and the user’s group A security level is the permitted security within the security model Three security models are available: SNMPv1, SNMPv2c, and SNMPv3

5 Slide 5 SNMPv3 Security Models ModelLevelAuthenticatio n EncryptionNotes SNMPv1noAuthNoPrivSimple StringNone"Traditional" SNMP Management SNMPv2cnoAuthNoPrivSimple StringNone SNMPv3noAuthNoPrivUserNoneBackwards Compatible SNMPv3noAuthPrivMD5/SHANoneAuthenticatio n Hashes SNMPv3AuthPrivMD5/SHADESFull Authenticatio n & Privacy

6 Slide 6 Authentication User Defines the unit of access Group Defines User's class for application of scope View Defines a set of resources within a MIB structure Operation Defines the actions that may be performed READ WRITE ADMINISTER Operations are applied to Views Users are assigned to Groups Groups are assigned Views SNMP Version 3 - Authentication

7 Slide 7 Privacy SNMP v1 and v2c transported data in clear text v3 allows the data payload to be encrypted Currently the specification only allows for DES May be overridden for custom applications Specification allows for multiple encryption mechanisms to be defined Passphrase defaults to using the authentication passphrase Passphrase may be completely separate and unique Privacy must be specified in conjunction with authentication Allowed: NONE, authnoPriv, authPriv SNMP Version 3 - Privacy

8 Slide 8 General Usage Notes Use multiple Users One for each action (get, set, trap) Different Authentication passphrases Always use Privacy - authPriv Make sure the passphrases are different from the User's Always set up your initial security in a secure environment before exposing the system to the elements. SUMMARY: SNMP is a Message Passing Protocol. Always use SSH to connect to your Cisco devices Requires the encryption IOS and CatOS versions Well worth the investment

9 Slide 9 Supported Platforms Cisco IOS V12.0(3)T and higher You want to use the "Strong Encryption" version if possible If not then you can usually still get a version that will support Auth SSH users are unique to the system at enable mode Cisco CatOS 6.3(1) and higher Requires the version that supports "Secure Shell" Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin If not a Secure Shell version then you can use v3 but only with noAuthNoPriv SSH users all use same dual passwords (enable/exec) Almost all Cisco hardware is supported Except xDSL and other SOHO type network devices

10 Slide 10 IOS Configuration First set up SSH access aaa new-model username {user} password {pw} ip domain-name {groovie.org} crypto key generate rsa ip ssh time-out 60 ip ssh authentication-retries 2 line vty 0 4 transport input ssh Now set up SNMPv3 snmp-server group {mygroup} v3 priv snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw} And away you go

11 Slide 11 CatOS Configuration First set up SSH access set crypto key rsa 1024 set ip permit enable ssh Clear all Telnet and replace with ssh clear ip permit {10.1.1.1} telnet set ip permit {10.1.1.1} ssh set snmp trap enable ippermit Now set up SNMPv3 set snmp user {myuser} authentication md5 {authpw} privacy {privpw} set snmp group {mygroup} user {myuser} security-model v3 set snmp access {mygroup} security-model v3 privacy read defaultAdminView write defaultAdminView And away you go

12 Slide 12 Comments, Critiques, CIA These are words that begin with a 'c'

13 Slide 13 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT

Download ppt "Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT."

Similar presentations

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
SNMP v3.

SNMP v3.
Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan Ivanovic AMRES Network monitoring workshop for GN3/NA3/T4.

Connect communicate collaborate DRAFT ON NETWORK MANAGEMENT ARCHITECTURE Esad Saitovic, Ivan Ivanovic AMRES Network monitoring workshop for GN3/NA3/T4.
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
Implementing a Highly Available Network

Implementing a Highly Available Network
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.19.2010.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
SNMP Simple Network Management Protocol

SNMP Simple Network Management Protocol
SNMPv3 Wes Hardaker Network Associates Laboratories 6 August 2002

SNMPv3 Wes Hardaker Network Associates Laboratories 6 August 2002
Integrated Security Model for SNMPv3 (ISMS) pronounced is miss David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.

Integrated Security Model for SNMPv3 (ISMS) pronounced "is" "miss" David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.
SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University

SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.

Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
NMS LAB2 EXPENSES  Software  Hardware and OS for software  Training  Extra usage of work time (active use of SNMP - software etc.)  New SNMP enabled.

NMS LAB2 EXPENSES  Software  Hardware and OS for software  Training  Extra usage of work time (active use of SNMP - software etc.)  New SNMP enabled.
2010 Cisco Configuration Elements APRICOT 2010 Kuala Lumpur, Malaysia.

2010 Cisco Configuration Elements APRICOT 2010 Kuala Lumpur, Malaysia.

Similar presentations

Ads by Google