Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.
The most common reason for upgrading to SNMP V3 is security. SNMP versions 1 and 2c transmit data between the SNMP server and the SNMP agent “in the clear”: anyone who can capture that traffic can read the community strings and the polled data. This makes your infrastructure and the corresponding infrastructure devices far more vulnerable to attack and misuse. Weak SNMP is the low-hanging fruit attackers look for when building out an attack.

SNMP V3 was designed to address this flaw. It adds authentication and privacy (encryption) options to secure communication between SNMP servers and SNMP agents.
SNMP V3 Security Models

The authentication (auth) and privacy (priv) options are grouped into security models (the SNMP RFCs call these security levels):

- NoAuthNoPriv – no authentication and no privacy
- AuthNoPriv – authentication and no privacy
- AuthPriv – you guessed it – authentication and privacy
SNMP Groups

SNMP groups provide an access control policy to which users are added. The user inherits the security model of the group. If the SNMP group “SEC3” has the AuthPriv security model, users assigned to it will inherit the AuthPriv security model.
SNMP Users

SNMP users are assigned a username, a group to which they belong, an authentication password, an encryption password, and the associated algorithms to use.

- Authentication algorithms are MD5 and SHA
- Encryption algorithms are DES, 3DES, and AES (128, 192, 256)

Prefer SHA and AES where both the device and the NMS support them; MD5 and DES are the original, weaker SNMP V3 algorithms.
SNMP Host

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and the SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.
Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

- Enable SNMP:
snmp-server enable
- Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all, but this could be limited to a subset of traps:
snmp-server enable traps all
- Create the SNMP group. Note the following meanings:
auth indicates authentication only
noauth indicates no authentication or encryption
priv indicates encryption and authentication
snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
- Create the SNMP user:
snmp-server user <USERNAME> <GROUPNAME> v3 auth md5 <AUTHENTICATION-PASSWORD> priv aes 128 <ENCRYPTION-KEY>
On the ASA the optional encrypted keyword (placed after v3) tells the device that the passwords that follow are already in its hex-encoded stored form, which is how “show run” displays them; leave it out when you type the passwords in plaintext.
- Create the SNMP server host:
snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>
Full Configuration Example for the Cisco ASA (Version 8.4)

! the group name must match the group named in the snmp-server user command below
snmp-server group SEC3GROUP v3 priv
! passwords are entered in plaintext here, so the encrypted keyword is omitted; show run displays the stored keys with encrypted
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded
Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
! write access to the whole iso subtree lets the NMS change device configuration; drop "write SNMPMGR" if the NMS only needs to poll
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config
Note – in IOS you won’t see the following line in the configuration:

snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS hides the authentication password and encryption key from “show run” and “show startup”. Use “show snmp user” to confirm that the user exists and belongs to the intended group.
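As an added example that is not part of the original post, the following Python script audits the snmp-server lines of a saved “show run” excerpt for the weaknesses discussed above: groups below priv, users on MD5 or DES/3DES or with no authentication at all, users bound to groups that were never defined, hosts bound to undefined users, and leftover v1/v2c community strings. It assumes the ASA command forms shown on this page (in particular the ASA snmp-server host form with an interface name), and the sample configuration is constructed.

```python
import re

# Constructed show-run excerpt in the ASA syntax above: a strong group, a weak
# legacy group, a host bound to an undefined user, and a leftover v2c community.
SAMPLE_CONFIG = """\
snmp-server group SEC3GROUP v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server user OLDUSER LEGACY v3
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server host mgmt 10.20.30.11 version 3 GHOST
snmp-server community public
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (auth|noauth|priv)\b")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3(?: encrypted)?"
                     r"(?: auth (md5|sha) \S+)?(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?")
HOST_RE = re.compile(r"^snmp-server host \S+ (\S+) version 3 (\S+)")  # ASA form only
COMMUNITY_RE = re.compile(r"^snmp-server community\b")

def audit_snmp_config(text):
    """Return findings (strings) for the snmp-server lines in a config excerpt."""
    groups, users, hosts, findings = {}, {}, [], []
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
            if m.group(2) != "priv":  # AuthNoPriv or NoAuthNoPriv group
                findings.append(f"group {m.group(1)} uses {m.group(2)}; require priv")
        elif m := USER_RE.match(line):
            name, group, auth, priv, _bits = m.groups()
            users[name] = group
            if auth is None:
                findings.append(f"user {name} has no authentication configured")
            elif auth == "md5":
                findings.append(f"user {name} authenticates with MD5; prefer SHA")
            if priv in ("des", "3des"):
                findings.append(f"user {name} encrypts with {priv}; prefer AES")
        elif m := HOST_RE.match(line):
            hosts.append((m.group(1), m.group(2)))
        elif COMMUNITY_RE.match(line):
            findings.append("v1/v2c community string present; remove it once v3 works")
    # Cross-check names after the whole excerpt is read (order-independent); this
    # catches a group/user name mismatch like the one in the ASA example above.
    for name, group in users.items():
        if group not in groups:
            findings.append(f"user {name} references undefined group {group}")
    for addr, user in hosts:
        if user not in users:
            findings.append(f"host {addr} is bound to undefined user {user}")
    return findings
```

Running audit_snmp_config(SAMPLE_CONFIG) returns five findings for the constructed excerpt; a clean priv/SHA/AES configuration returns an empty list.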
More Information

Cisco Configuration Guide for ASA 8.4 and 8.6
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html#wp1239780

Cisco Configuration Guide for ASA 8.4 and 8.6 PDF
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.pdf
---Reference from http://www.gomiocon.com/2012/04/29/configuring-snmp-v3-on-cisco-asa-and-ios/