SNMPv3 With Security And Administration

Secure management is available with SNMPv3, the “Full Standard,” IETF-recommended version of the Internet-Standard Management Framework. This technology provides commercial-grade security and ease of administration, which includes authentication, authorization, access control, and privacy. The secure management of SNMPv3 is an important enabling technology for safe configuration and control operations. SNMPv3 provides security with authentication and privacy, and its administration offers logical contexts, view-based access control, and remote configuration. This technology is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.

SNMPv3 is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2c). All versions (SNMPv1, SNMPv2c, and SNMPv3) of the Internet-Standard Management Framework share the same basic structure and components. Furthermore, all versions of the specifications of the Internet-Standard Management Framework follow the same architecture.

Many SNMP products remain fundamentally the same under SNMPv3, but are enhanced by the following new security and administration features:

* Authorization and access control
* Logical contexts
* Naming of entities, identities, and information
* People and policies
* Usernames and key management
* Notification destinations and proxy relationships
* Remote configuration via SNMP operations

The following features are incorporated from the SNMPv2 Framework by reference.
| Feature | Example |
| --- | --- |
| Expanded data types | 64-bit counters |
| Improved efficiency and performance | get-bulk operator |
| Confirmed event notifications | inform operator |
| Richer error handling | errors and exceptions |
| Improved sets | row creation/deletion |
| Fine-tuned data definition language | SMI, textual conventions, conformance statements, and agent capabilities |

Secure management with SNMPv3 protects against four threats:

| Threat | SNMPv3 Protection |
| --- | --- |
| Masquerade | Verifies the identity of the message’s origin by checking the integrity of the data. |
| Modification of Information | Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp. |
| Message Stream Modification | Thwarts replay attacks by checking message stream integrity, including a time stamp. |
| Disclosure | Prevents eavesdropping by protocol analyzers, etc., by using encryption. |
| Unauthorized Access | Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an access control table (part of policy-based management). |

The User-based Authentication Mechanism is based on the following:

* MD5 message digest algorithm in HMAC
  * Directly provides data integrity checks
  * Indirectly provides data origin authentication
  * Uses a private key known by sender and receiver
  * 16-byte key
  * 128-bit digest (truncated to 96 bits)
* SHA, an optional alternative algorithm
* Loosely synchronized, monotonically increasing time indicator values defend against certain message stream modification attacks

The User-based Privacy Mechanism is based on the following:

* Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode
  * Provides data confidentiality
  * Uses encryption
  * Subject to export and use restrictions in many jurisdictions
  * Uses a 16-byte key (56-bit DES key, 8-byte DES initialization vector) known by sender and receiver
  * Multiple levels of compliance with respect to DES due to problems associated with international use
* Triple Data Encryption Standard (Triple DES)
* Advanced Encryption Standard (128-, 192-, and 256-bit keys)

SNMPv3 provides the following configuration possibilities. (Note: availability depends on export restrictions.)

* No authentication and no privacy (noAuthNoPriv) – usually for monitoring
* Authentication and no privacy (authNoPriv) – usually for control
* Authentication and privacy (authPriv) – usually for downloading secrets

The network administrator can configure the protection level on a transaction-by-transaction basis. The criteria to consider when choosing configuration options are system resources and the level of protection required.

The specifications of the Internet-Standard Management Framework are based on a modular architecture. This framework is more than just a protocol for moving data. The framework consists of:

* A data definition language,
* Definitions of management information (the Management Information Base, or MIB),
* A protocol definition, and
* Security and administration.

The framework was structured with a protocol-independent data definition language and Management Information Base, along with a MIB-independent protocol. The SNMPv3 Framework builds on and extends these architectural principles by:

* Building on these four basic architectural components, in some cases incorporating them from the SNMPv2 Framework by reference, and by
* Using these same layering principles in the definition of new capabilities in the security and administration portion of the architecture.

Those who are familiar with the architecture of the SNMPv1 Management Framework and the SNMPv2 Management Framework will find many familiar concepts in the architecture of the SNMPv3 Management Framework. However, in some cases the terminology may be somewhat different.

SNMP entities contain a security subsystem (and possibly an access control subsystem) to prevent unauthorized users from accessing a MIB or parts of a MIB.
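The user-based security mechanisms listed above can be worked through in code. The following Python script is an added example, not SNMP Research code: it derives a 16-byte key from a password and localizes it to an engine (RFC 3414 Appendix A.2 and section 2.6), authenticates a message with HMAC-MD5-96 by MACing the whole message with the 12-octet msgAuthenticationParameters field zeroed, applies the 150-second time-window check that defends against message stream modification, and splits the localized privacy key into the DES key and pre-IV from which the CBC IV is formed. The password "maplesyrup" and engine ID are the test values from RFC 3414 Appendix A.3; the message bytes are a constructed stand-in layout rather than real BER encoding, and the DES encryption itself is not performed because the Python standard library has no DES.

```python
"""SNMPv3 User-based Security Model (RFC 3414) key handling and
HMAC-MD5-96 authentication. Added example, not SNMP Research code."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-96 truncate the digest to 96 bits
TIME_WINDOW = 150         # seconds, RFC 3414 section 2.2.3
MAX_BOOTS = 2**31 - 1     # an engine at this boot count rejects every message


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: digest of the password repeated out to 1,048,576 octets (Ku)."""
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so each engine holds a distinct key."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def hmac96(auth_key: bytes, data: bytes, hash_name: str = "md5") -> bytes:
    """Full HMAC, then truncate to the first 96 bits as the protocol requires."""
    return hmac.new(auth_key, data, hash_name).digest()[:AUTH_PARAMS_LEN]


def _with_zeroed_params(msg: bytes, offset: int) -> bytes:
    return msg[:offset] + b"\x00" * AUTH_PARAMS_LEN + msg[offset + AUTH_PARAMS_LEN:]


def authenticate_message(auth_key: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """Sender side (RFC 3414 6.3.1): MAC the whole message with the
    msgAuthenticationParameters field zeroed, then substitute the MAC."""
    mac = hmac96(auth_key, _with_zeroed_params(msg, offset), hash_name)
    return msg[:offset] + mac + msg[offset + AUTH_PARAMS_LEN:]


def verify_message(auth_key: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Receiver side (RFC 3414 6.3.2): recompute and compare in constant time."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    expected = hmac96(auth_key, _with_zeroed_params(msg, offset), hash_name)
    return hmac.compare_digest(received, expected)


def within_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative receiver's timeliness check (RFC 3414 3.2 step 7b): the
    boot counter must match and the clock may differ by at most 150 seconds."""
    if local_boots == MAX_BOOTS:
        return False
    return msg_boots == local_boots and abs(msg_time - local_time) <= TIME_WINDOW


def des_key_and_iv(priv_key: bytes, engine_boots: int, salt_counter: int):
    """RFC 3414 8.1.1.1: first 8 octets of the localized privacy key are the DES
    key (parity bits ignored), the last 8 are the pre-IV; the salt is
    engineBoots || counter and the CBC IV is pre-IV XOR salt."""
    des_key, pre_iv = priv_key[:8], priv_key[8:16]
    salt = engine_boots.to_bytes(4, "big") + salt_counter.to_bytes(4, "big")
    iv = bytes(a ^ b for a, b in zip(pre_iv, salt))
    return des_key, salt, iv


# Constructed values: engine ID and password are the RFC 3414 Appendix A.3.1
# test vector; the message is a stand-in byte layout, not real BER encoding.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
HEADER = b"msgVersion=3;msgFlags=auth;msgAuthenticationParameters="
PARAMS_OFFSET = len(HEADER)
SCOPED_PDU = b";GetRequest sysDescr.0"


def build_sample_message() -> bytes:
    """Outgoing message with the 12-octet authentication field still zeroed."""
    return HEADER + b"\x00" * AUTH_PARAMS_LEN + SCOPED_PDU


if __name__ == "__main__":
    key = localize_key(password_to_key(b"maplesyrup"), ENGINE_ID)
    msg = authenticate_message(key, build_sample_message(), PARAMS_OFFSET)
    print("localized auth key:", key.hex())
    print("verifies:", verify_message(key, msg, PARAMS_OFFSET))
    tampered = msg[:-1] + b"1"   # flip the last octet of the scoped PDU
    print("verifies after tampering:", verify_message(key, tampered, PARAMS_OFFSET))
```

Two points worth noting from the code: the localized key, not the password-derived Ku, is what a single agent holds, so compromise of one engine does not expose the key used with another; and the time-window check is what turns the "loosely synchronized" clock values into replay protection, which is why an engine whose boot counter has reached its maximum must refuse service until re-keyed.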
SNMP entities also possess these subsystems to ensure that authorized users retrieve and update information from only the parts of the MIB that they are allowed to view. Only a user who has the necessary access privileges will be able to obtain the desired level of service from a properly configured SNMP entity.

A Security Administration Framework defines the mechanisms that control the level of service provided by an SNMP entity. The mechanisms discriminate each message based on who is sending the message, what operation is requested, where the operation takes place within the MIB, and how the request is being sent (the security protocol in use).

* Who? Authentication discriminates a request based on the sender of the message. An authentication identifier includes some type of shared secret, which is used to verify the identity of the sender.
* What? Authorization discriminates a request based on the operation being requested. An authorization identifier defines a set of operations that are permitted (e.g., Get, Set, Trap, etc.).
* Where? Access Control discriminates a request based on the MIB objects where a requested operation would be performed. An access control identifier, or MIB View, defines a set of objects in the MIB where operations may be performed.
* How? Security Level discriminates a request based on the security protocols used for a request. Security level options include privacy protocols and alternative authentication algorithms.

The SNMPv3 Requests for Comments (RFCs) provide further detail about SNMPv3. A complete list of RFCs can be found at /snmpv3/.

* RFC 3410. Introduction and Applicability Statements for Internet Standard Management Framework
* RFC 3411. An Architecture for Describing SNMP Management Frameworks
* RFC 3412. Message Processing and Dispatching
* RFC 3413. SNMP Applications
* RFC 3414. User-based Security Model
* RFC 3415. View-based Access Control Model
* RFC 3416. Version 2 of SNMP Protocol Operations
* RFC 3417. Transport Mappings
* RFC 3584. Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
* RFC 3826. The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model

For further information about SNMPv3 or SNMP Research’s products, please contact SNMP Research, Inc.

SNMP Research Incorporated
3001 Kimberlin Heights Rd.
Knoxville, TN U.S.A.
Tel: +
Fax: +
E-mail:
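The Who/What/Where/How discrimination described in the Security Administration Framework section above is what the View-based Access Control Model of RFC 3415 implements: the sender and security model select a group, the group and security level select an access entry, the requested operation selects a read, write or notify view, and the view decides which MIB objects are reachable. The following Python script is an added example, not the SNMP Research product's implementation; the user names, group names, view names and OIDs are constructed sample configuration, and it goes slightly beyond the page's description by including the RFC 3415 view-family mask, which lets a view wildcard individual sub-identifiers (here, every column of one interface row).

```python
"""View-based access control (VACM, RFC 3415) decision procedure.
Added example; not the SNMP Research product's implementation."""
from dataclasses import dataclass, field

# securityLevel values as enumerated in RFC 3411; a higher value is stronger
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3
USM = 3          # securityModel number of the User-based Security Model
ANY_MODEL = 0    # wildcard securityModel in a vacmAccessTable row


@dataclass
class ViewFamily:
    subtree: tuple          # OID sub-identifiers
    mask: bytes = b""       # empty mask: every sub-identifier must match
    included: bool = True   # vacmViewTreeFamilyType included/excluded


@dataclass
class AccessEntry:
    group: str
    context_prefix: str
    security_model: int
    security_level: int     # minimum level the message must carry
    exact_context: bool
    read_view: str
    write_view: str
    notify_view: str


@dataclass
class VacmConfig:
    contexts: set = field(default_factory=lambda: {""})   # "" is the default context
    groups: dict = field(default_factory=dict)   # (securityModel, securityName) -> group
    access: list = field(default_factory=list)   # AccessEntry rows
    views: dict = field(default_factory=dict)    # viewName -> [ViewFamily]


def _mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the mask; bits beyond the mask's length are treated as 1."""
    if i >= len(mask) * 8:
        return True
    return bool(mask[i // 8] & (0x80 >> (i % 8)))


def family_matches(family: ViewFamily, oid: tuple) -> bool:
    if len(oid) < len(family.subtree):
        return False
    return all(not _mask_bit(family.mask, i) or oid[i] == sub
               for i, sub in enumerate(family.subtree))


def oid_in_view(cfg: VacmConfig, view_name: str, oid: tuple) -> bool:
    """The longest (then lexicographically greatest) matching family decides."""
    matches = [f for f in cfg.views.get(view_name, []) if family_matches(f, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


def check_access(cfg, model, name, level, context, view_type, oid) -> str:
    """isAccessAllowed from RFC 3415 section 3.2, returning its status names."""
    if context not in cfg.contexts:
        return "noSuchContext"
    group = cfg.groups.get((model, name))
    if group is None:
        return "noGroupName"
    candidates = [e for e in cfg.access if e.group == group
                  and e.security_model in (ANY_MODEL, model)
                  and e.security_level <= level
                  and (context == e.context_prefix if e.exact_context
                       else context.startswith(e.context_prefix))]
    if not candidates:
        return "noAccessEntry"
    # Most specific entry wins: exact context, then specific model, then highest level
    entry = max(candidates, key=lambda e: (e.exact_context,
                                           e.security_model != ANY_MODEL,
                                           e.security_level))
    view_name = {"read": entry.read_view, "write": entry.write_view,
                 "notify": entry.notify_view}[view_type]
    if not view_name or view_name not in cfg.views:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(cfg, view_name, oid) else "notInView"


def build_sample_config() -> VacmConfig:
    """Constructed policy: operators monitor at authNoPriv, admins write only at authPriv."""
    cfg = VacmConfig()
    cfg.groups[(USM, "operator")] = "ops"
    cfg.groups[(USM, "admin")] = "admins"
    cfg.access.append(AccessEntry("ops", "", USM, AUTH_NO_PRIV, True, "monitor", "", ""))
    cfg.access.append(AccessEntry("admins", "", USM, AUTH_NO_PRIV, True, "all", "", ""))
    cfg.access.append(AccessEntry("admins", "", USM, AUTH_PRIV, True, "all", "all", "all"))
    cfg.views["all"] = [ViewFamily((1, 3, 6, 1))]
    cfg.views["monitor"] = [
        ViewFamily((1, 3, 6, 1, 2, 1)),                          # mib-2 ...
        ViewFamily((1, 3, 6, 1, 2, 1, 2), included=False),       # ... minus interfaces ...
        # ... except every column of ifEntry row 2: mask bit 9 (the column) is 0
        ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 2), mask=b"\xff\xa0"),
    ]
    return cfg
```

A useful property of this structure is that the security level is part of the access lookup rather than the authentication step: a user who is correctly authenticated but sends at a weaker level than the access entry requires gets noAccessEntry, so lowering the level cannot widen what the same credentials may reach.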