Transcript Replacing Tripwire with SNMPv3 DefConX Presentation 08/02/02

SNMPv3, SSH & Cisco
Matthew G. Marsh
Chief Scientist of the NEbraskaCERT
Slide 1
Scope
Quick Overview
Important Points
Security Models
Authentication
Privacy
General Usage
Supported Platforms
IOS Configuration
CatOS Configuration
Usage Example
C Words
Slide 2
Overview of SNMPv3
SNMP Version 3 is the current version of the Simple Network Management
Protocol. This version was ratified as a Draft Standard in March of 1999.
•RFC 2570: Introduction to Version 3 of the Internet-standard Network Management Framework, Informational, April 1999
•RFC 2571: An Architecture for Describing SNMP Management Frameworks, Draft Standard, April 1999
•RFC 2572: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), Draft Standard, April 1999
•RFC 2573: SNMP Applications, Draft Standard, April 1999
•RFC 2574: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), Draft Standard,
April 1999
•RFC 2575: View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), Draft Standard, April
1999
•RFC 2576: Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework,
Proposed Standard, March 2000
These documents reuse definitions from the following SNMPv2 specifications:
•RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
•RFC 1906: Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
•RFC 1907: Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2), Draft Standard
Slide 3
SNMPv3 Important Points
Authentication
MD5 or SHA authentication passphrase hashes
Passphrase must be greater than 8 characters including spaces
Privacy
Packet data may now be DES encrypted (future use allows additional encryptions)
Passphrase defaults to authentication passphrase
Allows for unique Privacy passphrase
SNMPv3 provides for both security models and security levels.
A security model is an authentication strategy set up for a user and the user’s group
A security level is the permitted security within the security model
Three security models are available: SNMPv1, SNMPv2c, and SNMPv3
Slide 4
SNMPv3 Security Models
Model
Level
Authenticatio Encryption
n
Notes
SNMPv1
noAuthNoPriv
Simple String
None
"Traditional"
SNMP
Management
SNMPv2c
noAuthNoPriv
Simple String
None
SNMPv3
noAuthNoPriv
User
None
Backwards
Compatible
SNMPv3
noAuthPriv
MD5/SHA
None
Authenticatio
n
Hashes
SNMPv3
AuthPriv
MD5/SHA
DES
Full
Authenticatio
n
& Privacy
Slide 5
Authentication
SNMP Version 3 - Authentication
User
Defines the unit of access
Group
Defines User's class for application of scope
View
Defines a set of resources within a MIB structure
Operation
Defines the actions that may be performed
READ
WRITE
ADMINISTER
Operations are applied to Views
Users are assigned to Groups
Groups are assigned Views
Slide 6
Privacy
SNMP Version 3 - Privacy
SNMP v1 and v2c transported data in clear text
v3 allows the data payload to be encrypted
Currently the specification only allows for DES
May be overridden for custom applications
Specification allows for multiple encryption mechanisms to be defined
Passphrase defaults to using the authentication passphrase
Passphrase may be completely separate and unique
Privacy must be specified in conjunction with authentication
Allowed: NONE, authnoPriv, authPriv
Slide 7
General Usage Notes
Use multiple Users
One for each action (get, set, trap)
Different Authentication passphrases
Always use Privacy - authPriv
Make sure the passphrases are different from the User's
Always set up your initial security in a secure environment before exposing
the system to the elements.
SUMMARY: SNMP is a Message Passing Protocol.
Always use SSH to connect to your Cisco devices
Requires the encryption IOS and CatOS versions
Well worth the investment
Slide 8
Supported Platforms
Cisco IOS V12.0(3)T and higher
You want to use the "Strong Encryption" version if possible
If not then you can usually still get a version that will support Auth
SSH users are unique to the system at enable mode
Cisco CatOS 6.3(1) and higher
Requires the version that supports "Secure Shell"
Denoted usually by a "k" in the image - ex: cat4000-k9.6-1-2.bin
If not a Secure Shell version then you can use v3 but only with noAuthNoPriv
SSH users all use same dual passwords (enable/exec)
Almost all Cisco hardware is supported
Except xDSL and other SOHO type network devices
Slide 9
IOS Configuration
First set up SSH access
aaa new-model
username {user} password {pw}
ip domain-name {groovie.org}
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh
Now set up SNMPv3
snmp-server group {mygroup} v3 priv
snmp-server user {myuser} {mygroup} v3 auth sha {authpw} priv des56 {privpw}
And away you go
Slide 10
CatOS Configuration
First set up SSH access
set crypto key rsa 1024
set ip permit enable ssh
Clear all Telnet and replace with ssh
clear ip permit {10.1.1.1} telnet
set ip permit {10.1.1.1} ssh
set snmp trap enable ippermit
Now set up SNMPv3
set snmp user {myuser} authentication md5 {authpw} privacy {privpw}
set snmp group {mygroup} user {myuser} security-model v3
set snmp access {mygroup} security-model v3 privacy read defaultAdminView write
defaultAdminView
And away you go
Slide 11
Comments, Critiques, CIA
These are words that begin with a 'c'
Slide 12
SNMPv3, SSH & Cisco
Matthew G. Marsh
Chief Scientist of the NEbraskaCERT
Slide 13