![SNMPv3
Mayukh Rastogi
Mayukh.Rastogi@honeywell.com
Abstract - This paper addresses securing the Honeywell
security and monitoring the network devices and
computers/laptops.
We have discussed the improved, enhanced features of
snmpv3.Shortcoming of the previous SNMP version are
explained and solution to those are discussed along with the
new capabilities of Snmpv3. SNMP User-based security
model is explained, the encryption AES, DES is topically
dealt with for the completeness. We have discussed the
snmpv3 network configuration for the switch /router along
with test tool to monitor the network and devices. Throughout
the paper we emphasized the improvement with snmpv3
which provides a highly secure infrastructure for Honeywell.
Keywords— SNMP, AES, DES, community string, USM
(User-based Security Model)
I . INTRODUCTION
SNMP was derived from its predecessor SGMP (Simple
Gateway Management Protocol).Simple Network
Management Protocol Version 3 (SNMPv3) is an
interoperable standards-based protocol for network
management. SNMP is based on the manager/agent model
consisting of a SNMP manager, an SNMP agent, a database of
management information, managed objects and the network
protocol. The SNMP agent and MIB reside in the switch itself.
SNMPv3 provides secure access to devices by a combination
of authentication and encrypted packets over the network.
The security features [3] provided in the SNMPv3 are-
Encryption—Encrypted the contents of a packet
prevent it from being seen by an unauthorized
source.
Authentication—determining the message is from a
valid source.
Message integrity—ensuring that a packet has not been
tampered with in-transit.
II. LIMITATION OF SNMP VERSIONS
However, SNMP offers very little in terms of security.
Version 1 of SNMP relies on a community string to protect
data exchanged between two computers; community string is
passed in clear text. The intruder can easily trace the
community string and begin to inventory all devices running
SNMP.
In small organization, it is possible that the administrator has
used the same password, possibly for a domain administrator
account. The intruders in this case have access to a root-level
account. An attacker could use the captured data to set value
of SNMP agents. So it is clear that SNMPv1 cannot stand up
to Honeywell/Organization security.
SNMP version 1 provides two security groups: public and
private. The default configuration is to grant read-only access
to the public group and read-write access to the private
group.
SNMPv2 aimed to resolve these security issues. There are
four distinct versions of SNMPv2:
SNMPv2c, SNMPv2u, SNMPv2*, and SNMP-NG
(NG is for Next Generation)
SNMPv2u was the first version to make use of the USM, but
the level of complexity involved proved to be too great, and
very few products adopted this implementation of SNMP.
III. SNMP ARCHITECTURE
A. SNMP structure model
Simple Network Management Protocol (SNMP)
architecture is divided into three parts: managed devices,
SNMP manager and SNMP agent. The SNMP architecture is like
as Figure 1.
Fig 1: SNMP Architecture
The managed device is one of the network nodes, sometime
called network element, it can be router, switch and other
equipment support SNMP protocol.
SNMP manager manages network devices through the
Network management software; one of the main functions of](https://image.slidesharecdn.com/sgg91g3vrgqe1zfcjcrh-signature-d611cad29227b25899c9ff6e26a1be3f2dfb68f0d61c83fe1db5788f24e9257c-poli-160219082025/85/White-Paper-on-SNMPv3-1-320.jpg)
![the network management software is to help network
administrators managing network devices. Network
management software requires SNMP manager regularly
collect important information of the device. The SNMP
manager regularly inquires the relevant equipment running
status, configuration and performance of information which
collected by the network devices’ agent.
B. SNMP MIB
The way of managing network resources is the resources
to object to represent, each object represents managed the
properties of a particular aspect of the resource, the collection
of these objects form the Management Information Base
(MIB) [3]. Management station complete monitoring and
control function through reading and set the value of the MIB
objects. The backbone devices agents are maintaining a MIB
to reflect on the node of managed resources status. Network
management entity can be monitor this node resource by
reading object value in the MIB, and can be controlled these
resources by modifying the value of the object.
C. MESSAGE PROCESSING MODEL
Fig 2: SNMPv3 message format with USM.
This model is responsible for accepting PDUs from the
Dispatcher, encapsulating them in messages, and invoking
the USM to insert security-related parameters in the message
header.
Figure 2 [5] illustrates the message structure. The first five
fields are generated by the message processing model on
outgoing messages and processed by the message processing
model on incoming messages. The next six fields show
security parameters used by USM. Finally, the PDU, together
with the contextEngineID and contextName constitute a
scoped PDU, used for PDU processing.
D. Why SNMPv3?
SNMPv3 addresses these security concerns by adding two
very important features: Authentication via hashing and
Confidentiality via encryption. SNMPv3 uses the USM
(User-based Security Module) for controlling access to
information available via SNMP. In order to retrieve data
from the SNMP agent, a username is required. This username
is referred to as a security Name in the USM.
Administrators may set up as many usernames as necessary.
More importantly, administrators can grant these users access
to specific parts of the available MIBs.
For securing the access to management information
SNMPv3 offers three new models [1]. These models are listed
below:
No Authentication and No Encryption. Using this option
provides no security, confidentiality, or privacy at all. It might
be useful for certain applications such as development and
debugging to turn security off. This is called "no auth/no
priv".
Authentication and No Encryption. The user at the
management application is authenticated by the SNMPv3
entity before the entity allows the user to access any of the
values in the MIB objects on the agent. This is call "auth/no
priv"
Authentication and Encryption. The user at the
management application is authenticated by the SNMPv3
entity before the entity allows the user to access any of the
values in the MIB objects on the agent. In addition, all of the
requests and responses from the management application to
the SNMPv3 entity are encrypted, so that all the data is
completely secure. This is called "auth/priv”.
Each SNMPv3 agent has an engine ID that uniquely
identifies the agent in the device.
E. How does SNMPv3 Implement Encryption
SNMP uses the DES encryption algorithm.DES seems to
be the unlikely choice, as now it has been replaced by 3DES
and DES-56 and more recently, AES-128, AES-192 and AES-
256.However, with these new encryption method, the process
of Encrypting and decrypting data has become more secure.](https://image.slidesharecdn.com/sgg91g3vrgqe1zfcjcrh-signature-d611cad29227b25899c9ff6e26a1be3f2dfb68f0d61c83fe1db5788f24e9257c-poli-160219082025/85/White-Paper-on-SNMPv3-2-320.jpg)
![SNMpv3 uses DES to add security without reducing the
application and server with the CPU intensive cryptography. It
is worth mentioning that encryption won’t be enabled until the
authentication is not enabled. You need to authenticate [2] and
encrypt data before you transmit. AES and 3DES encryption
are only supported in IOS images that support encryption
services.
IV. SNMPV3 CONFIGURATION FOR NETWORK DEVICES
snmp-server enable traps < Enable the SNMP traps>
snmp-server view SNMPVIEW iso included
< Create a snmp-view>
snmp-server group SNMPGROUP v3 priv
< Create the SNMP group>
snmp-server group SNMPGROUP v3 priv read
SNMPVIEW write SNMPVIEW notify SNMPVIEW
snmp-server user mySNMPUSER SNMPGROUP v3 auth
md5 Password1 priv 3des Password1
< Create the SNMP user and authenticate the user and
group with the encrypted password using MD5 and 3DES
algorithm>
snmp-server engineID remote 193.X.X.14
800000090300ACF2C5AC6C01
<Assign the snmp-engine id to the remote host
193.X.X.14>
snmp-server host 10.X.X.141 traps version 3 priv priv
mySNMPUSER
<Create the SNMP Server host for the ip address
10.X.X.141>
V. SNMP TEST TOOL
To check the device is correctly configured and to monitor
we have so many tools to test it. Few of them are-
1) Paessler SNMP Tester
2) SnmpSourceV3 Component
3) Solarwinds Network Monitor + Solarwinds SNMP
enabler
4) PRTG Network Monitor
Paessler SNMP Tester [4] this tool doesn’t support the
AES and DES encryption so this is the limitation of tool for
test of the SNMPv3.But along with, this provide with a lot
of features so that the user can monitor for the local as well
the remote host ip address, we have various request type
option for the monitoring the devices status. We can also
save the log of the SNMPv3 test result using the SAVE
LOG TO FILE option.
SnmpSourceV3 Component comes with the VB.Net and
C# files packages we can use either of the .sln file to use the
test tool for the SNMPv3 test. We have to give the user
community string as the User Name and the server ip as the
local host ip address to start the test. This provides all the
three security level provided by the USM Model. The](https://image.slidesharecdn.com/sgg91g3vrgqe1zfcjcrh-signature-d611cad29227b25899c9ff6e26a1be3f2dfb68f0d61c83fe1db5788f24e9257c-poli-160219082025/85/White-Paper-on-SNMPv3-3-320.jpg)
![SnmpSourceV3 Component support only AES-128 encryption
algorithm. The SNMP default port is 161.
VI. CONCLUSION
SNMPv3 is a great way to secure and monitor the network
devices. Previous versions of SNMP provide an insecure way
to access the data.SNMPv3 addresses the security
shortcomings with the access control based system, which
properly authenticate users and a method for encrypting
SNMP traffic between the agent and the host.
So, from the Infrastructure point of view for our
organization this is very beneficial as SNMPv3 provide intact
secure way to access data between two different hosts while
transmission of information.
REFERENCES
[1] http://blog.ine.com/2008/07/19/snmpv3-tutorial
[2] http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/snmpv3ae.html
[3] http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/r
elease/12.2_55_se/configuration/guide/swsnmp.html#wp1076836
[4] http://www.paessler.com/tools/snmptester
[5] http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-
3/snmpv3.html](https://image.slidesharecdn.com/sgg91g3vrgqe1zfcjcrh-signature-d611cad29227b25899c9ff6e26a1be3f2dfb68f0d61c83fe1db5788f24e9257c-poli-160219082025/85/White-Paper-on-SNMPv3-4-320.jpg)
White Paper on SNMPv3
- 1. SNMPv3 Mayukh Rastogi Mayukh.Rastogi@honeywell.com Abstract - This paper addresses securing the Honeywell security and monitoring the network devices and computers/laptops. We have discussed the improved, enhanced features of snmpv3.Shortcoming of the previous SNMP version are explained and solution to those are discussed along with the new capabilities of Snmpv3. SNMP User-based security model is explained, the encryption AES, DES is topically dealt with for the completeness. We have discussed the snmpv3 network configuration for the switch /router along with test tool to monitor the network and devices. Throughout the paper we emphasized the improvement with snmpv3 which provides a highly secure infrastructure for Honeywell. Keywords— SNMP, AES, DES, community string, USM (User-based Security Model) I . INTRODUCTION SNMP was derived from its predecessor SGMP (Simple Gateway Management Protocol).Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMP is based on the manager/agent model consisting of a SNMP manager, an SNMP agent, a database of management information, managed objects and the network protocol. The SNMP agent and MIB reside in the switch itself. SNMPv3 provides secure access to devices by a combination of authentication and encrypted packets over the network. The security features [3] provided in the SNMPv3 are- Encryption—Encrypted the contents of a packet prevent it from being seen by an unauthorized source. Authentication—determining the message is from a valid source. Message integrity—ensuring that a packet has not been tampered with in-transit. II. LIMITATION OF SNMP VERSIONS However, SNMP offers very little in terms of security. Version 1 of SNMP relies on a community string to protect data exchanged between two computers; community string is passed in clear text. The intruder can easily trace the community string and begin to inventory all devices running SNMP. In small organization, it is possible that the administrator has used the same password, possibly for a domain administrator account. The intruders in this case have access to a root-level account. An attacker could use the captured data to set value of SNMP agents. So it is clear that SNMPv1 cannot stand up to Honeywell/Organization security. SNMP version 1 provides two security groups: public and private. The default configuration is to grant read-only access to the public group and read-write access to the private group. SNMPv2 aimed to resolve these security issues. There are four distinct versions of SNMPv2: SNMPv2c, SNMPv2u, SNMPv2*, and SNMP-NG (NG is for Next Generation) SNMPv2u was the first version to make use of the USM, but the level of complexity involved proved to be too great, and very few products adopted this implementation of SNMP. III. SNMP ARCHITECTURE A. SNMP structure model Simple Network Management Protocol (SNMP) architecture is divided into three parts: managed devices, SNMP manager and SNMP agent. The SNMP architecture is like as Figure 1. Fig 1: SNMP Architecture The managed device is one of the network nodes, sometime called network element, it can be router, switch and other equipment support SNMP protocol. SNMP manager manages network devices through the Network management software; one of the main functions of
- 2. the network management software is to help network administrators managing network devices. Network management software requires SNMP manager regularly collect important information of the device. The SNMP manager regularly inquires the relevant equipment running status, configuration and performance of information which collected by the network devices’ agent. B. SNMP MIB The way of managing network resources is the resources to object to represent, each object represents managed the properties of a particular aspect of the resource, the collection of these objects form the Management Information Base (MIB) [3]. Management station complete monitoring and control function through reading and set the value of the MIB objects. The backbone devices agents are maintaining a MIB to reflect on the node of managed resources status. Network management entity can be monitor this node resource by reading object value in the MIB, and can be controlled these resources by modifying the value of the object. C. MESSAGE PROCESSING MODEL Fig 2: SNMPv3 message format with USM. This model is responsible for accepting PDUs from the Dispatcher, encapsulating them in messages, and invoking the USM to insert security-related parameters in the message header. Figure 2 [5] illustrates the message structure. The first five fields are generated by the message processing model on outgoing messages and processed by the message processing model on incoming messages. The next six fields show security parameters used by USM. Finally, the PDU, together with the contextEngineID and contextName constitute a scoped PDU, used for PDU processing. D. Why SNMPv3? SNMPv3 addresses these security concerns by adding two very important features: Authentication via hashing and Confidentiality via encryption. SNMPv3 uses the USM (User-based Security Module) for controlling access to information available via SNMP. In order to retrieve data from the SNMP agent, a username is required. This username is referred to as a security Name in the USM. Administrators may set up as many usernames as necessary. More importantly, administrators can grant these users access to specific parts of the available MIBs. For securing the access to management information SNMPv3 offers three new models [1]. These models are listed below: No Authentication and No Encryption. Using this option provides no security, confidentiality, or privacy at all. It might be useful for certain applications such as development and debugging to turn security off. This is called "no auth/no priv". Authentication and No Encryption. The user at the management application is authenticated by the SNMPv3 entity before the entity allows the user to access any of the values in the MIB objects on the agent. This is call "auth/no priv" Authentication and Encryption. The user at the management application is authenticated by the SNMPv3 entity before the entity allows the user to access any of the values in the MIB objects on the agent. In addition, all of the requests and responses from the management application to the SNMPv3 entity are encrypted, so that all the data is completely secure. This is called "auth/priv”. Each SNMPv3 agent has an engine ID that uniquely identifies the agent in the device. E. How does SNMPv3 Implement Encryption SNMP uses the DES encryption algorithm.DES seems to be the unlikely choice, as now it has been replaced by 3DES and DES-56 and more recently, AES-128, AES-192 and AES- 256.However, with these new encryption method, the process of Encrypting and decrypting data has become more secure.
- 3. SNMpv3 uses DES to add security without reducing the application and server with the CPU intensive cryptography. It is worth mentioning that encryption won’t be enabled until the authentication is not enabled. You need to authenticate [2] and encrypt data before you transmit. AES and 3DES encryption are only supported in IOS images that support encryption services. IV. SNMPV3 CONFIGURATION FOR NETWORK DEVICES snmp-server enable traps < Enable the SNMP traps> snmp-server view SNMPVIEW iso included < Create a snmp-view> snmp-server group SNMPGROUP v3 priv < Create the SNMP group> snmp-server group SNMPGROUP v3 priv read SNMPVIEW write SNMPVIEW notify SNMPVIEW snmp-server user mySNMPUSER SNMPGROUP v3 auth md5 Password1 priv 3des Password1 < Create the SNMP user and authenticate the user and group with the encrypted password using MD5 and 3DES algorithm> snmp-server engineID remote 193.X.X.14 800000090300ACF2C5AC6C01 <Assign the snmp-engine id to the remote host 193.X.X.14> snmp-server host 10.X.X.141 traps version 3 priv priv mySNMPUSER <Create the SNMP Server host for the ip address 10.X.X.141> V. SNMP TEST TOOL To check the device is correctly configured and to monitor we have so many tools to test it. Few of them are- 1) Paessler SNMP Tester 2) SnmpSourceV3 Component 3) Solarwinds Network Monitor + Solarwinds SNMP enabler 4) PRTG Network Monitor Paessler SNMP Tester [4] this tool doesn’t support the AES and DES encryption so this is the limitation of tool for test of the SNMPv3.But along with, this provide with a lot of features so that the user can monitor for the local as well the remote host ip address, we have various request type option for the monitoring the devices status. We can also save the log of the SNMPv3 test result using the SAVE LOG TO FILE option. SnmpSourceV3 Component comes with the VB.Net and C# files packages we can use either of the .sln file to use the test tool for the SNMPv3 test. We have to give the user community string as the User Name and the server ip as the local host ip address to start the test. This provides all the three security level provided by the USM Model. The
- 4. SnmpSourceV3 Component support only AES-128 encryption algorithm. The SNMP default port is 161. VI. CONCLUSION SNMPv3 is a great way to secure and monitor the network devices. Previous versions of SNMP provide an insecure way to access the data.SNMPv3 addresses the security shortcomings with the access control based system, which properly authenticate users and a method for encrypting SNMP traffic between the agent and the host. So, from the Infrastructure point of view for our organization this is very beneficial as SNMPv3 provide intact secure way to access data between two different hosts while transmission of information. REFERENCES [1] http://blog.ine.com/2008/07/19/snmpv3-tutorial [2] http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/snmpv3ae.html [3] http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/r elease/12.2_55_se/configuration/guide/swsnmp.html#wp1076836 [4] http://www.paessler.com/tools/snmptester [5] http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1- 3/snmpv3.html