Replacing Tripwire with SNMPv3 DefConX Presentation 08/02/02 - PowerPoint PPT Presentation

Slides: 14
Provided by: paktr

1
SNMPv3, SSH & Cisco
Matthew G. Marsh, Chief Scientist of the NEbraskaCERT
2
Scope
  • Quick Overview
  • Important Points
  • Security Models
  • Authentication
  • Privacy
  • General Usage
  • Supported Platforms
  • IOS Configuration
  • CatOS Configuration
  • Usage Example
  • C Words

3
Overview of SNMPv3
  • SNMP Version 3 is the current version of the
    Simple Network Management Protocol. This version
    was ratified as a Draft Standard in March of
    1999.
  • RFC 2570 Introduction to Version 3 of the
    Internet-standard Network Management Framework,
    Informational, April 1999
  • RFC 2571 An Architecture for Describing SNMP
    Management Frameworks, Draft Standard, April 1999
  • RFC 2572 Message Processing and Dispatching for
    the Simple Network Management Protocol (SNMP),
    Draft Standard, April 1999
  • RFC 2573 SNMP Applications, Draft Standard,
    April 1999
  • RFC 2574 User-based Security Model (USM) for
    version 3 of the Simple Network Management
    Protocol (SNMPv3), Draft Standard, April 1999
  • RFC 2575 View-based Access Control Model (VACM)
    for the Simple Network Management Protocol
    (SNMP), Draft Standard, April 1999
  • RFC 2576 Coexistence between Version 1, Version
    2, and Version 3 of the Internet-standard Network
    Management Framework, Proposed Standard, March
    2000
  • These documents reuse definitions from the
    following SNMPv2 specifications:
      • RFC 1905 Protocol Operations for Version 2 of
        the Simple Network Management Protocol (SNMPv2),
        Draft Standard
      • RFC 1906 Transport Mappings for Version 2 of the
        Simple Network Management Protocol (SNMPv2),
        Draft Standard
      • RFC 1907 Management Information Base for Version
        2 of the Simple Network Management Protocol
        (SNMPv2), Draft Standard

4
SNMPv3 Important Points
  • Authentication
      • MD5 or SHA authentication passphrase hashes
      • Passphrase must be greater than 8 characters
        including spaces
  • Privacy
      • Packet data may now be DES encrypted (future use
        allows additional encryptions)
      • Passphrase defaults to authentication passphrase
      • Allows for unique Privacy passphrase
  • SNMPv3 provides for both security models and
    security levels.
      • A security model is an authentication strategy
        set up for a user and the user's group
      • A security level is the permitted security within
        the security model
      • Three security models are available: SNMPv1,
        SNMPv2c, and SNMPv3
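
How a USM passphrase becomes the MD5 or SHA key a device stores, as an added example that is not part of the original presentation: the passphrase is repeated to 1,048,576 octets, hashed, then localized to one agent's snmpEngineID. The sample passphrase and first engine ID are the published USM test vector; the function names and the second engine ID are this example's own.

```python
import hashlib

EXPANSION = 1_048_576  # USM hashes exactly 1 MB of the repeated passphrase


def password_to_key(passphrase, algo="sha1"):
    """Stretch a passphrase into the user key Ku (algo is 'md5' or 'sha1')."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    reps, rem = divmod(EXPANSION, len(pw))
    # First 1,048,576 octets of the passphrase repeated end to end.
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, algo="sha1"):
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(passphrase, engine_id, algo="sha1"):
    """Key an agent holds for this user; it differs on every engine ID."""
    return localize_key(password_to_key(passphrase, algo), engine_id, algo)


# Published USM test vector: passphrase and engine ID from the spec's appendix.
TEST_PASSPHRASE = "maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID, standing in for another device.
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "Ku :", password_to_key(TEST_PASSPHRASE, algo).hex())
        print(algo, "Kul:", localized_key(TEST_PASSPHRASE, TEST_ENGINE_ID, algo).hex())
    # Same passphrase, different device: the stored key does not carry over.
    print("other device:", localized_key(TEST_PASSPHRASE, OTHER_ENGINE_ID).hex())
```

Because the stored key is localized, a key recovered from one device's configuration does not authenticate to a device with a different engine ID, even when both share the passphrase.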

5
SNMPv3 Security Models
Model    Level         Authentication  Encryption  Notes
SNMPv1   noAuthNoPriv  Simple String   None        "Traditional" SNMP Management
SNMPv2c  noAuthNoPriv  Simple String   None
SNMPv3   noAuthNoPriv  User            None        Backwards Compatible
SNMPv3   authNoPriv    MD5/SHA         None        Authentication Hashes
SNMPv3   authPriv      MD5/SHA         DES         Full Authentication & Privacy
6
Authentication
SNMP Version 3 - Authentication
  • User
      • Defines the unit of access
  • Group
      • Defines User's class for application of scope
  • View
      • Defines a set of resources within a MIB structure
  • Operation
      • Defines the actions that may be performed
      • READ
      • WRITE
      • ADMINISTER
  • Operations are applied to Views
  • Users are assigned to Groups
  • Groups are assigned Views
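
The User, Group, View and Operation chain above, as an added example that is not from the presentation: an access check in which the longest matching view subtree decides inclusion, following VACM's view semantics. All user, group and view names are hypothetical, the tables are constructed, and only READ and WRITE are modelled.

```python
LEVELS = ["noAuthNoPriv", "authNoPriv", "authPriv"]

# Constructed tables; every user, group and view name here is hypothetical.
USER_GROUP = {"getuser": "monitors", "setuser": "operators"}
GROUP_ACCESS = {  # group -> (minimum level, read view, write view)
    "monitors": ("authPriv", "ifNoMac", None),
    "operators": ("authPriv", "internet", "ifNoMac"),
}
VIEWS = {  # view -> [(subtree OID, included?)]
    "internet": [("1.3.6.1", True)],
    "ifNoMac": [("1.3.6.1.2.1.2", True),           # interfaces subtree
                ("1.3.6.1.2.1.2.2.1.6", False)],   # minus ifPhysAddress
}


def oid(text):
    """Parse dotted text into integers so .2 never prefix-matches .20."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(view, target):
    """The longest subtree that prefixes the OID decides; no match excludes."""
    want, best = oid(target), (0, False)
    for subtree, included in VIEWS[view]:
        sub = oid(subtree)
        if want[:len(sub)] == sub and len(sub) > best[0]:
            best = (len(sub), included)
    return best[1]


def is_allowed(user, level, operation, target):
    """Resolve user -> group -> view for the operation, then test the OID."""
    group = USER_GROUP.get(user)
    if group is None:
        return False                      # unknown user: no group, no access
    minimum, read_view, write_view = GROUP_ACCESS[group]
    if LEVELS.index(level) < LEVELS.index(minimum):
        return False                      # message secured below group's level
    view = {"read": read_view, "write": write_view}.get(operation)
    return view is not None and in_view(view, target)
```

With these tables `getuser` can read interface counters but not MAC addresses, and a request from the same user sent at authNoPriv is refused before any view is consulted.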

7
Privacy
SNMP Version 3 - Privacy
  • SNMP v1 and v2c transported data in clear text
  • v3 allows the data payload to be encrypted
      • Currently the specification only allows for DES
      • May be overridden for custom applications
      • Specification allows for multiple encryption
        mechanisms to be defined
  • Passphrase defaults to using the authentication
    passphrase
      • Passphrase may be completely separate and unique
  • Privacy must be specified in conjunction with
    authentication
      • Allowed: NONE, authNoPriv, authPriv

8
General Usage Notes
  • Use multiple Users
      • One for each action (get, set, trap)
      • Different Authentication passphrases
  • Always use Privacy - authPriv
      • Make sure the passphrases are different from the
        User's
  • Always set up your initial security in a secure
    environment before exposing the system to the
    elements.
  • SUMMARY: SNMP is a Message Passing Protocol.
  • Always use SSH to connect to your Cisco devices
      • Requires the encryption IOS and CatOS versions
      • Well worth the investment

9
Supported Platforms
  • Cisco IOS V12.0(3)T and higher
      • You want to use the "Strong Encryption" version
        if possible
      • If not then you can usually still get a version
        that will support Auth
      • SSH users are unique to the system at enable mode
  • Cisco CatOS 6.3(1) and higher
      • Requires the version that supports "Secure Shell"
      • Denoted usually by a "k" in the image, e.g.
        cat4000-k9.6-1-2.bin
      • If not a Secure Shell version then you can use v3
        but only with noAuthNoPriv
      • SSH users all use same dual passwords
        (enable/exec)
  • Almost all Cisco hardware is supported
      • Except xDSL and other SOHO type network devices

10
IOS Configuration
  • First set up SSH access
      aaa new-model
      username user password pw
      ip domain-name groovie.org
      crypto key generate rsa
      ip ssh time-out 60
      ip ssh authentication-retries 2
      line vty 0 4
       transport input ssh
  • Now set up SNMPv3
      snmp-server group mygroup v3 priv
      snmp-server user myuser mygroup v3 auth sha authpw priv des56 privpw
  • And away you go
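
A check for drift from the IOS settings above and the "always use SSH, always use authPriv" guidance, as an added example that is not from the presentation: it flags community strings, SNMP groups below v3 priv, and vty lines that accept anything other than SSH. The function name and both sample configurations are constructed for illustration.

```python
import re

GROUP_RE = re.compile(r"snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?")


def audit_ios_config(config):
    """Return findings where a config departs from SSH-only and authPriv."""
    findings, vty, transports = [], None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # a top-level line closes any block
            vty = line if line.startswith("line vty") else None
            if vty:
                transports[vty] = None        # until 'transport input' is seen
        elif vty and line.startswith("transport input"):
            transports[vty] = line.split()[2:]
        if line.startswith("snmp-server community "):
            # Report the fact, not the string: findings end up in tickets.
            findings.append("v1/v2c community string configured")
        group = GROUP_RE.match(line)
        if group and (group[2] != "v3" or group[3] != "priv"):
            level = group[3] or "noauth"
            findings.append(f"group {group[1]} allows {group[2]} {level}")
    for block, allowed in transports.items():
        if allowed != ["ssh"]:
            seen = " ".join(allowed) if allowed else "unset"
            findings.append(f"{block}: transport input {seen}, want ssh only")
    return findings


# Constructed configurations; WEAK breaks each rule, HARDENED follows slide 10.
WEAK = """\
snmp-server community public RO
snmp-server group mygroup v3 auth
line vty 0 4
 transport input telnet ssh
"""
HARDENED = """\
ip ssh time-out 60
snmp-server group mygroup v3 priv
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ios_config(text))
```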

11
CatOS Configuration
  • First set up SSH access
      set crypto key rsa 1024
      set ip permit enable ssh
  • Clear all Telnet and replace with ssh
      clear ip permit 10.1.1.1 telnet
      set ip permit 10.1.1.1 ssh
      set snmp trap enable ippermit
  • Now set up SNMPv3
      set snmp user myuser authentication md5 authpw privacy privpw
      set snmp group mygroup user myuser security-model v3
      set snmp access mygroup security-model v3 privacy read defaultAdminView write defaultAdminView
  • And away you go

12
Comments, Critiques, CIA
  • These are words that begin with a 'c'

13
SNMPv3, SSH & Cisco
Matthew G. Marsh, Chief Scientist of the NEbraskaCERT