TUT:Security

From Net-SNMP Wiki
Revision as of 23:35, 21 June 2010 by Wes (Talk | contribs) (details on securing SNMPv3)


SNMP, when it was first developed, used clear-text "passwords" called "community strings". The first two versions of the protocol (SNMPv1 and SNMPv2c) send these passwords in the clear, as the following packet dump shows:

# snmpget -d -v 2c -c demopublic test.net-snmp.org sysContact.0

Sending 47 bytes to UDP: [157.185.82.8]:161->[0.0.0.0]:0
0000: 30 2D 02 01  01 04 0A 64  65 6D 6F 70  75 62 6C 69    0-.....demopubli
0016: 63 A0 1C 02  04 78 8E 32  C9 02 01 00  02 01 00 30    c....x.2.......0
0032: 0E 30 0C 06  08 2B 06 01  02 01 01 04  00 05 00       .0...+.........
  

Received 102 byte packet from UDP: [157.185.82.8]:161->[0.0.0.0]:47960
0000: 30 64 02 01  01 04 0A 64  65 6D 6F 70  75 62 6C 69    0d.....demopubli
0016: 63 A2 53 02  04 78 8E 32  C9 02 01 00  02 01 00 30    c.S..x.2.......0
0032: 45 30 43 06  08 2B 06 01  02 01 01 04  00 04 37 4E    E0C..+........7N
0048: 65 74 2D 53  4E 4D 50 20  43 6F 64 65  72 73 20 3C    et-SNMP Coders <
0064: 6E 65 74 2D  73 6E 6D 70  2D 63 6F 64  65 72 73 40    net-snmp-coders@
0080: 6C 69 73 74  73 2E 73 6F  75 72 63 65  66 6F 72 67    lists.sourceforg
0096: 65 2E 6E 65  74 3E                                    e.net>

SNMPv2-MIB::sysContact.0 = STRING: Net-SNMP Coders <net-snmp-coders@lists.sourceforge.net>

This was obviously a problem, so SNMPv3 was later developed to secure the protocol.
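As an added example (not code from the original page or the Net-SNMP project), the following Python decodes the BER header of the two packets in the dump above and pulls the version and community string straight out of the bytes, which is the check a traffic monitor would do to flag community-based SNMP on the wire. The packet bytes are transcribed from the dump; the decoder follows the RFC 1157 / RFC 1901 message layout and is my own.

```python
# Constructed example: decode the BER header of a community-based SNMP message.
SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA8: "Report"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos].
    Handles short-form lengths and long-form lengths (0x81 nn, 0x82 nn nn ...)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Parse Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }.
    Returns None if the outer structure does not match that layout."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        return None
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):               # SNMPv3 (3) carries msgGlobalData here, not a community
        return {"version": SNMP_VERSIONS.get(version, version), "cleartext_credential": False}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        return None
    pdu_tag = read_tlv(body, pos)[0]
    return {"version": SNMP_VERSIONS[version],
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "cleartext_credential": True}   # v1/v2c: the community string is the only credential


# Transcribed from the request and response dumps on this page (47 and 102 bytes).
REQUEST = bytes.fromhex(
    "30 2D 02 01 01 04 0A 64 65 6D 6F 70 75 62 6C 69 63 A0 1C 02 04 78 8E 32 C9 02 01 00 "
    "02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 04 00 05 00")
RESPONSE = bytes.fromhex(
    "30 64 02 01 01 04 0A 64 65 6D 6F 70 75 62 6C 69 63 A2 53 02 04 78 8E 32 C9 02 01 00 "
    "02 01 00 30 45 30 43 06 08 2B 06 01 02 01 01 04 00 04 37 4E 65 74 2D 53 4E 4D 50 20 "
    "43 6F 64 65 72 73 20 3C 6E 65 74 2D 73 6E 6D 70 2D 63 6F 64 65 72 73 40 6C 69 73 74 "
    "73 2E 73 6F 75 72 63 65 66 6F 72 67 65 2E 6E 65 74 3E")

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("response", RESPONSE)):
        print(name, parse_snmp_header(pkt))
```

Both packets decode to version SNMPv2c with community "demopublic", the request as a GetRequest and the response as a GetResponse.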

SNMPv3

SNMPv3, documented in RFCs 3410-3419, defines a modular architecture for the protocol. This modularity is important because it is designed to let the protocol adapt in the future if other types of security are needed or preferred.

The sections below discuss first the "old" and then the "new" methods of securing SNMP:

SNMPv3 with USM

The original SNMPv3 specifications included a User-Based Security Model (USM), which secured the protocol by allowing administrators to define "users" with various security credentials. This went a long way toward securing the protocol (although, as Wes Hardaker (the founder of Net-SNMP) documents in a blog entry, there are still some concerns with SNMPv3/USM). Operators also found that securing SNMPv3/USM required "yet another" password database to maintain, which was operationally burdensome.

SNMPv3/USM is fairly widely implemented and most modern "good" devices will support it. See our SNMPv3/USM tutorial (TUT:SNMPv3_Options) for details on using SNMPv3/USM with the Net-SNMP toolkit.

Tunneling SNMPv3

The most recent IETF activity regarding SNMP security has been done in the Integrated Security Model for SNMP (ISMS) working group. Rather than create another security system like USM did, it was decided that users would prefer to tunnel SNMP over protocols they already knew and understood. This was done by creating the following new RFCs:

  • RFC 5590 - Transport Subsystem for the Simple Network Management Protocol
  • RFC 5591 - Transport Security Model for the Simple Network Management Protocol (SNMP)
  • RFC 5592 - Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)
  • RFC XXXX - Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)

These RFCs provide the framework for tunneling SNMPv3 packets over SSH, TLS and DTLS. The SSH transport uses existing SSH authentication and encryption methods (such as SSH keys and/or usernames and passwords) to secure its traffic, while the TLS and DTLS transports use X.509 certificates to secure theirs.

Net-SNMP 5.6 contains robust support for using SNMP over TLS and DTLS (see the Using TLS tutorial for details on setting up and using SNMP over TLS and DTLS).

Net-SNMP 5.6 also contains minimal support for using SNMP over SSH, but the support is limited because of the lack of available SSH server-side libraries, and it is implemented through a specialized shell "hack" when attached to an OpenSSH sshd server.

Kerberos SNMPv3

Wes Hardaker and Ken Hornstein started work in the IETF on a Kerberos security model for SNMPv3. Although Net-SNMP contains a prototype implementation of this, the work was never finished within the IETF nor within the Net-SNMP implementation, and it is not yet ready for real-world use.