0% found this document useful (0 votes)

103 views

Module 7: Secure Network Architecture and Management: PDF Created With Pdffactory Trial Version

The document discusses secure network architecture and management. It covers layer 2 security best practices and factors affecting layer 2 mitigation techniques. Specific cases discussed include a single security zone with one user group on a single switch; a single zone with one group across multiple switches; and a single zone with multiple user groups on one switch. Mitigation strategies include port security, dynamic ARP inspection, BPDU guard, and VLAN configuration.

Uploaded by

Le Minh Ngoc

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

103 views

Module 7: Secure Network Architecture and Management: PDF Created With Pdffactory Trial Version

Uploaded by

Le Minh Ngoc

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 95

Module 7: Secure Network

Architecture and Management

PDF created with pdfFactory trial version www.pdffactory.com

Overview

PDF created with pdfFactory trial version www.pdffactory.com

Layer 2 Security Best Practices

PDF created with pdfFactory trial version www.pdffactory.com

Factors affecting layer 2 mitigation techniques

• An example of case #1 could be a small business network using a

broadband connection behind a DSL router or firewall.
• An example of case #8 could be a large application service provider
data center. These cases are discussed in further detail in the following
sections.

PDF created with pdfFactory trial version www.pdffactory.com

1.Single security zone, one user group, single physical
switch

• An example of such a design would be a switch within a network DMZ

created between an edge router and a corporate firewall as shown in
Figure . In this design all systems within the security zone are on the
same VLAN.
• Vulnerabilities
The primary Layer 2 vulnerabilities in this design include the following:
– MAC spoofing
– CAM table overflow

PDF created with pdfFactory trial version www.pdffactory.com

1.Single security zone, one user group, single physical
switch

• Mitigation
Port security may be administratively appropriate in this case because
of the limited size of the design. The Layer 2 switches are a part of the
security perimeter between the zones of trust and should be managed
as securely as possible including the use of SSH for command line
management, Simple Network Management Protocol Version 3
(SNMPv3) for remote management, configuration audits and regular
penetration testing of each VLAN using tools capable of exploiting
Layer 2 vulnerabilities such as Dsniff. An equally effective and less
administratively taxing approach would be to use dynamic port security
through the application of DHCP snooping and Dynamic ARP
Inspection.

PDF created with pdfFactory trial version www.pdffactory.com

1.Single security zone, one user group, single physical
switch

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Mitigating CAM table overflow attack

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Mitigating CAM Table Overflow Attacks

• You can mitigate CAM table overflow attacks in

several ways. One of the primary ways is to
configure port security on the switch. You can
apply port security in three ways:
– Static secure MAC addresses
– Dynamic secure MAC addresses
– Sticky secure MAC addresses

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Mitigating CAM Table Overflow Attacks

• The type of action taken when a port security violation occurs falls into
the following three categories:
– Protect If the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are
dropped until a number of MAC addresses are removed or the
number of allowable addresses is increased. You receive no
notification of the security violation in this type of instance.
– Restrict If the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are
dropped until some number of secure MAC addresses are removed
or the maximum allowable addresses is increased. In this mode, a
security notification is sent to the Simple Network Management
Protocol (SNMP) server (if configured) and a syslog message is
logged. The violation counter is also incremented.
– Shutdown If a port security violation occurs, the interface changes
to error-disabled and the LED is turned off. It sends an SNMP trap,
logs to a syslog message, and increments the violation counter.

PDF created with pdfFactory trial version www.pdffactory.com

1.Single security zone, one user group, single physical
switch

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Using dynamic ARP inspection to mitigate MAC
spoofing attacks

PDF created with pdfFactory trial version www.pdffactory.com

2.Single security zone, one user group, multiple physical
switches

• This can be represented by a very large DMZ, or a DMZ with multiple VLANs
all existing within a single security zone of trust. Additionally, this could also be
represented as a Layer 3 switch within the DMZ to provide inter-VLAN routing.
• Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– Spanning tree attacks, in networks with multiple switches.
13

PDF created with pdfFactory trial version www.pdffactory.com

2.Single security zone, one user group, multiple physical
switches

• Mitigation
If the security zone is small enough, use port security to help mitigate
the CAM table overflow vulnerability as well as the MAC spoofing
vulnerability. BPDU guard and root guard can be used to mitigate
attacks against the Spanning Tree Protocol (STP).
• The Layer 2 switches are a part of the security perimeter between
zones of trust and should be managed as securely as possible
including the use of SSH for command line management, SNMPv3 for
remote management, configuration audits and regular penetration
testing of each VLAN using tools capable of exploiting Layer 2
vulnerabilities such as Dsniff.

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Mitigating VLAN Hopping Attacks

• Mitigating VLAN hopping attacks requires the following configuration

modifications:
– Always use dedicated VLAN IDs for all trunk ports.
– Disable all unused ports and place them in an unused VLAN.
– Set all user ports to nontrunking mode by disabling DTP. Use the
switchport mode access command in the interface configuration mode.
– For backbone switch-to-switch connections, explicitly configure trunking.
– Do not use the user native VLAN as the trunk port native VLAN.
– Do not use VLAN 1 as the switch management VLAN.
15

PDF created with pdfFactory trial version www.pdffactory.com

3.Single security zone, multiple user groups, single
physical switch

• A typical example of such

a design would be an
application service
provider data center or
different departments
within a single corporate
enterprise that require
data segregation.
• Vulnerabilities
The primary layer 2
vulnerabilities of this
design include the
following:
– MAC spoofing
– CAM table overflow
– VLAN hopping

PDF created with pdfFactory trial version www.pdffactory.com

3.Single security zone, multiple user groups, single
physical switch

• Mitigation
If the security zone is small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by using the
following VLAN best practices as guidelines:
– Use dedicated VLAN IDs for all trunk ports.
– Disable all unused switch ports and place them in an
unused VLAN.
– Set all user ports to non-trunking mode by explicitly
turning off DTP on those ports.

PDF created with pdfFactory trial version www.pdffactory.com

4.Single security zone, multiple user groups, multiple
physical switches

• This design represents one

where high-availability is a
factor as well as the need to
trunk information between the
switch devices. In addition,
the direction of travel for the
network traffic as determined
through STP requires
additional considerations
when determining some of
the more specific mitigation
techniques. VLANs are used
to provide traffic
segmentation between the
various user groups.
• Vulnerabilities
The primary layer 2
vulnerabilities of this design
include the following:
– MAC spoofing
– CAM table overflow
– VLAN hopping
– STP attacks
18

PDF created with pdfFactory trial version www.pdffactory.com

4.Single security zone, multiple user groups, multiple
physical switches

• Mitigation
If the security zone is small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by following the
VLAN best practices outlined in this module. If necessary,
deploy 802.1x authentication to prevent unauthorized
access to the security zone from an attacker who may
physically connect to a switch in the design. As with the
previous cases, the switches must be managed as
securely as possible and tested on a regular basis.

PDF created with pdfFactory trial version www.pdffactory.com

5.Multiple security zones, one user group, single
physical switch

• Vulnerabilities
The primary layer 2 vulnerabilities of this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per VLAN traffic flooding
– VLAN hopping

PDF created with pdfFactory trial version www.pdffactory.com

5.Multiple security zones, one user group, single
physical switch

• Mitigation
If the security zones are small enough, use port security to
help mitigate the CAM table overflow vulnerability as well
as the MAC spoofing vulnerability. Additionally, mitigation
of VLAN hopping can be accomplished by following the
VLAN best practices outlined in this module. As with the
previous cases, the switches must be managed as
securely as possible and tested on a regular basis.

PDF created with pdfFactory trial version www.pdffactory.com

5.Multiple security zones, one user group, single
physical switch

• In the design shown in Figure ,

another mitigation approach would
be to split the Layer 2 functionality
of the switch to two separate
physical switches. If this is done,
the mitigation techniques
described in case #1 would apply
to both distinct security zones.
• If private VLANs (PVLANs) are
employed in any of the VLANs,
consideration must be given to the
possibility of private VLAN attacks.
If the VLANs utilize DHCP for
address assignment then DHCP
starvation by an attacker and
needs to be considered.

PDF created with pdfFactory trial version www.pdffactory.com

6.Multiple security zones, one user group, multiple
physical switches
• This design, shown in Figure ,
represents a large data center within
a single enterprise. However, the
need to segregate traffic as well as
data for various groups or
departments within the enterprise is
reflected by the separation of the
data center into security zones. This
can be accomplished securely
through the use of VLANs within the
data center, however, there are
considerations which must be
evaluated regarding some of the
potential vulnerabilities.
• Vulnerabilities
The primary layer 2 vulnerabilities of
this design include the following:
– MAC spoofing, within VLANs
– CAM table overflow, through per
VLAN traffic flooding
– VLAN hopping
– STP attacks

PDF created with pdfFactory trial version www.pdffactory.com

6.Multiple security zones, one user group, multiple
physical switches

PDF created with pdfFactory trial version www.pdffactory.com

7.Multiple security zones, multiple user groups, single
physical switch

• VLANs can be used to

provide traffic
segregation between
the security zones.
• Vulnerabilities
The primary layer 2
vulnerabilities of this
design include the
following:
– MAC spoofing,
within VLANs
– CAM table overflow,
through per VLAN
traffic flooding
– VLAN hopping
– Private VLAN
attacks, on a per
VLAN basis

PDF created with pdfFactory trial version www.pdffactory.com

7.Multiple security zones, multiple user groups, single
physical switch

• Mitigation
If the security zones are small enough, use port security to help
mitigate CAM table overflow vulnerabilities as well as the MAC
spoofing vulnerability. Additionally, mitigation of VLAN hopping can be
accomplished by following the VLAN best practices outlined within this
module. If necessary, deploy 802.1x authentication to prevent
unauthorized access to each of the security zones from an attacker
who may physically connect to a switch in the design. Another possible
mitigation method would be to add a firewall within the data center
design and integrate it into the central switch similar to that employed
in the previous design. The firewall enforces additional Layer 3 traffic
segregation between the various user groups. As with the previous
cases, the switches must be managed as securely as possible and
tested on a regular basis.

PDF created with pdfFactory trial version www.pdffactory.com

8.Multiple security zones, multiple user groups, multiple
physical switches

• VLANs can be used to

provide traffic segregation
between the security zones.
The need to provide high
security in some of the zones
may require additional
measures.
• Vulnerabilities
The primary layer 2
vulnerabilities of this design
include the following:
– MAC spoofing, within
VLANs
– CAM table overflow,
through per VLAN traffic
flooding
– VLAN hopping
– STP attacks
– VTP attacks

PDF created with pdfFactory trial version www.pdffactory.com

8.Multiple security zones, multiple user groups, multiple
physical switches

• Mitigation
If the security zones are small enough, use port security to help
mitigate CAM table overflow vulnerabilities as well as the MAC
spoofing vulnerability. Additionally, mitigation of VLAN hopping can be
accomplished by following the VLAN best practices outlined within this
module. If necessary, deploy 802.1x authentication to prevent
unauthorized access to each of the security zones from an attacker
who may physically connect to a switch in the design. Another
possible mitigation method would be to add a firewall within the data
center design and integrate it into the one or more of the switches,
similar to that employed in the case #6 design. The firewall enforces
additional Layer 3 traffic segregation between the various user groups.
As with the previous cases, the switches must be managed as
securely as possible and tested on a regular basis.

PDF created with pdfFactory trial version www.pdffactory.com

Layer 2 security best practices

PDF created with pdfFactory trial version www.pdffactory.com

SDM Security Audit

PDF created with pdfFactory trial version www.pdffactory.com

Using SDM to perform security audits

• The SDM security audit feature compares router

configurations to a predefined checklist of best practices
using ICSA and Cisco TAC recommendations.

PDF created with pdfFactory trial version www.pdffactory.com

Using SDM to perform security audits

• Security Audit contains two

modes:
– Security Audit –
Examines router
configuration, then
displays the Report
Card screen, which
shows a list of possible
security problems. The
administrator can then
pick and choose which
vulnerability to lock
down.
– One-step lockdown –
Initiates the automatic
lockdown using
recommended settings.

PDF created with pdfFactory trial version www.pdffactory.com

Using SDM monitor mode

• The monitor function includes the following elements :

– Overview – Displays the router status including a list of the error
log entries.
– Interface Status – Used to select the interface to monitor and the
conditions (for example, packets and errors, in or out) to view.
– Firewall Status – Displays a log showing the number of entry
attempts that were denied by the firewall.
– VPN Status – Displays statistics about active VPN connections on
the router.
– QoS Status – Display statistics on Quality of Service (QoS)
configured on router.
– Logging – Displays an event log categorized by severity level.

PDF created with pdfFactory trial version www.pdffactory.com

Using SDM monitor mode

PDF created with pdfFactory trial version www.pdffactory.com

Router Management Center (MC)

PDF created with pdfFactory trial version www.pdffactory.com

Introduction to the Router MC

• The CiscoWorks Router Management Center (Router MC), a

component of the CiscoWorks VPN/Management Solution (VMS),
provides scalable security management for the configuration and
deployment of VPN connections. One of the greatest challenges in
implementing large site-to-site and remote access VPNs is
management. The primary role of the Router MC is to manage site-to-
site VPNs .
36

PDF created with pdfFactory trial version www.pdffactory.com

Introduction to the Router MC

• The Router MC can be defined as follows:

– A Web-based application for the setup and maintenance of VPN
connections using Cisco VPN Routers
– Centralizes the configuration of IKE and tunnel policies for multiple devices
– Scalable to a large number of VPN routers
– Router MC is a web-based application designed for large-scale
management of virtual private network (VPN) and firewall configurations on
Cisco routers. Router MC 1.2.1 provides the following features:
• Enables the setup and maintenance of VPN connections among
multiple Cisco VPN routers, in a hub-and-spoke topology.
• Enables the provisioning of the critical connectivity, security, and
performance parameters of a site-to-site VPN, quickly and easily.
• Allows for efficient migration from leased line connections to Internet or
intranet-based VPN connections.
• Allows for the overlay of a VPN over a Frame Relay network for added
security.
• Enables the configuration of Cisco IOS routers to function as firewalls.

PDF created with pdfFactory trial version www.pdffactory.com

Introduction to the Router MC

• Router MC is integrated with CiscoWorks Common Services, which

supplies core server-side components required by Router MC, such as
Apache Web server, Secure Sockets Layer (SSL) libraries, Secure
Shell (SSH) libraries, embedded SQL database, Tomcat servlet
engine, the CiscoWorks desktop, and others.
38

PDF created with pdfFactory trial version www.pdffactory.com

Introduction to the Router MC

• Before installing Router MC 1.2.1,

CiscoWorks Common Services 2.2
must be installed and operational.
CiscoWorks Common Services
provides centralized management of
certain functions for all the
CiscoWorks VMS products that are
installed.
• These functions include:
– Backup and restore of data
– Integration with Access Control
Server (ACS) or Common
Management Framework (CMF)
for user authentication and
permissions
– Licensing
– Starting/stopping the database
– Logging of administration tasks

PDF created with pdfFactory trial version www.pdffactory.com

Key concepts in the Router MC

PDF created with pdfFactory trial version www.pdffactory.com

Key concepts in the Router MC

PDF created with pdfFactory trial version www.pdffactory.com

Key concepts in the Router MC

PDF created with pdfFactory trial version www.pdffactory.com

Supported tunneling technologies

• The Router MC supports the following tunneling technologies:

– IPSec
– IPSec with GRE
– IPSec with GRE over a frame relay network
– IPSec with GRE and DMVPN – Dynamic Multipoint VPN (DMVPN)
combines GRE tunnels .

PDF created with pdfFactory trial version www.pdffactory.com

Router MC installation

• The Router MC requires VMS 2.1 Common Services or

CiscoWorks 2000 . VMS Common Services provides the
CiscoWorks 2000 Server based components, software
libraries, and software packages developed for the Router
MC.

PDF created with pdfFactory trial version www.pdffactory.com

Router MC installation

• Before beginning the installation of the Router MC, verify that the
server meets the requirements shown in Figure1 .
• Also, verify that the client machine being used meets the requirements
shown in Figure2 .
45

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

PDF created with pdfFactory trial version www.pdffactory.com

Getting started with the Router MC

• Log in to the CiscoWorks Web page and complete the following steps to launch the
Router MC:
– Open a browser and point the browser to the IP address of the CiscoWorks server
with a port number of 1741. If the CiscoWorks server is local, type the following
address in the browser: http://127.0.0.1:1741
– If this is the first time that CiscoWorks has been used, enter the username admin
and the password admin.
47

PDF created with pdfFactory trial version www.pdffactory.com

Router MC interface

• The Router MC main window is the first window that is encountered in the
Router MC user interface. The Router MC user interface contains four tabs as
shown in Figure
– Devices
– Configuration
– Deployment
– Reports
– Admin
48

PDF created with pdfFactory trial version www.pdffactory.com

Router MC interface

• The Router MC interface is the environment administrators work with

when using the Router MC application .
49

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• The Devices tab, shown in Figure is used to import and manage the inventory of routers
to be configured using the Router MC.
– Device hierarchy – Use this option to view the device hierarchy and to manage the
routers within the hierarchy by creating device groups, moving or deleting
devices/groups, editing router parameters, and adding unmanaged spokes.
– Device import – Use this option to import the routers to be configured into Router
MC, and to re-import routers when necessary.
– Credentials – Use this option to edit router credentials or synchronize the
credentials of multiple routers from a comma-separated value (CSV) file. Device
credentials include the username, password, and enable password.
50

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• Use the options in the Configuration tab, shown in Figure

to configure VPN and firewall settings and policies for
deployment to the routers. Settings and policies can be
configured globally for all routers, for groups of routers, or
for individual routers.
51

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• Select the configuration context using the Object Selector,

shown in Figure along the left-hand side of the page.
52

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• Select the configuration context using the Object Selector,

shown in Figure along the left-hand side of the page.
53

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• Deployment of VPN and firewall configurations is always done within

the context of a deployment job, shown in Figure .

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• The deployment tab offers the administrator the following

options, shown in Figure .
55

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• The Reports tab,

shown in Figure
is used to view
reports on various
Router MC
functions. This tab
presents the
following options:
– Deployment
– Activities
– Audit
– Hub-Spoke
Assignment

PDF created with pdfFactory trial version www.pdffactory.com

Installation process

• Administrators use the

Admin tab, shown in
Figure to define various
Router MC application
settings, and to define
Auto Update Server
(AUS) settings.
• This tab presents the
following options:
– Application Settings
– Auto Update Server
Settings

PDF created with pdfFactory trial version www.pdffactory.com

Basic work flow and tasks

• Common configuration tasks include:

– Configuring general Cisco IOS Firewall settings
– Building access rules
– Using Building Blocks
– Using Upload

PDF created with pdfFactory trial version www.pdffactory.com

Simple Network Management Protocol
(SNMP)

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• Another technique that the administrator can use to manage and monitor the
network is to employ the Simple Network Management Protocol (SNMP).
SNMP is an application-layer protocol that facilitates the exchange of
management information between network devices. It is part of the TCP/IP
protocol suite. SNMP enables network administrators to manage network
performance, find and solve network problems, and plan for network growth.
SNMP can be used to manage Cisco routers, switches, wireless access points,
firewalls, printers, servers and other SNMP capable devices .

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• There are 3 versions of SNMP, as shown in Figure . SNMPv1 and

SNMPv2 have features in common, but SNMPv2 offers enhancements,
such as additional protocol operations. SNMPv3 adds administration
and security features. This section provides descriptions of the
SNMPv3 protocol operations. Cisco recommends disabling SNMP if
not in use or use version 3.
61

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• SNMP Key Terms

In order to understand SNMP support in Cisco devices, it is important
to understand the SNMP-related terminology discussed in Figure .
62

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• SNMP Key Terms

In order to understand SNMP support in Cisco devices, it is important
to understand the SNMP-related terminology discussed in Figure .
63

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• SNMP Basic Components

An SNMP managed network consists of three key components:
– Managed devices
– Agents
– Network management systems (NMSs)
64

PDF created with pdfFactory trial version www.pdffactory.com

Extra: Components of SNMP

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• An NMS executes applications that monitor and control managed

devices . NMSs provide the bulk of the processing and memory
resources required for network management. One or more NMSs must
exist on any managed network. SNMP management applications, such
as CiscoWorks2000, communicate with agents to get statistics and
alerts from the managed devices.
66

PDF created with pdfFactory trial version www.pdffactory.com

SNMP introduction

• SNMP Basic Commands

Managed devices are monitored and controlled using basic SNMP commands, as shown in Figure :
– The read command is used by an NMS to monitor managed devices. The NMS examines
different variables that are maintained by managed devices.
– The write command is used by an NMS to control managed devices. The NMS changes the
values of variables stored within managed devices.
– Managed devices to asynchronously report events to the NMS use the trap command. When
certain types of events occur, a managed device sends a trap to the NMS.
– Traversal operations are used by the NMS to determine which variables a managed device
supports and to sequentially gather information in variable tables, such as a routing table.

PDF created with pdfFactory trial version www.pdffactory.com

Extra: SNMP Notifications

PDF created with pdfFactory trial version www.pdffactory.com

Extra: SNMPv1

PDF created with pdfFactory trial version www.pdffactory.com

Extra: SNMPv2

PDF created with pdfFactory trial version www.pdffactory.com

SNMP security

• SNMP is often used to gather statistics and remotely

monitor network infrastructure devices. It is a simple
protocol which contains inadequate security in early
versions.
• In SNMPv1, community strings, or passwords, are sent in
clear text and can easily be stolen by someone
eavesdropping on the wire.
– These community strings are used to authenticate
messages sent between the SNMP manager and the
agent.
• SNMPv2 addresses some of the known security
weaknesses of SNMPv1. Specifically, version 2 uses the
MD5 algorithm to authenticate messages between the
SNMP server and the agent.

PDF created with pdfFactory trial version www.pdffactory.com

Extra: SNMP security

PDF created with pdfFactory trial version www.pdffactory.com

SNMP security

• SNMPv1 lacks any authentication capabilities, which results in vulnerability to a

variety of security threats. These include the following:
– Masquerading
– Modification of information
– Message sequence and timing modifications
– Disclosure

PDF created with pdfFactory trial version www.pdffactory.com

SNMP Version 3 (SNMPv3)

• SNMPv3 is an interoperable standards-based protocol for network management.

SNMPv3 provides secure access to devices by a combination of authenticating and
encrypting packets over the network. The security features provided in SNMPv3 are:
– Message integrity – Ensuring that a packet has not been tampered with in-transit.
– Authentication – Determining the message is from a valid source.
– Encryption – Scrambling the contents of a packet prevent it from being seen by an
unauthorized source.

PDF created with pdfFactory trial version www.pdffactory.com

Extra: SNMPv3

• Data integrity
Provided by the MD5 message digest algorithm. A 128-bit digest is
calculated over the designated portion of a SNMPv3 message and
included as part of the message sent to the recipient.
• Data origin authentication
Provided by prefixing each message with a secret value shared by the
originator of that message and its intended recipient before digesting.
• Message delay or replay
Provided by including a timestamp value in each message.
• Data confidentiality
Provided by the symmetric privacy protocol which encrypts an
appropriate portion of the message according to a secret key known
only to the originator and recipient of the message. This protocol is
used in conjunction with the symmetric encryption algorithm, in the
cipher block chaining mode, which is part of the Data Encryption
Standard (DES). The designated portion of an SNMPv3 message is
encrypted and included as part of the message sent to the recipient.

PDF created with pdfFactory trial version www.pdffactory.com

SNMP Version 3 (SNMPv3)

• Cisco devices such as router and switches support

SNMPv3 message types and the increased security
capabilities, but many management software applications
do not support SNMPv3.
76

PDF created with pdfFactory trial version www.pdffactory.com

SNMP Version 3 (SNMPv3)

• Applications which support version 3 include MG-Soft MIB

Browser and SNMP Research International’s CiAgent or
Enterpol. HP Openview can support version 3 with the help
of SNMP Research International extensions.
77

PDF created with pdfFactory trial version www.pdffactory.com

SNMP management applications

• SNMP is a distributed management protocol. A system can operate exclusively

as either an NMS or an agent, or it can perform the functions of both. When a
system operates as both an NMS and an agent, another NMS might require
that the system query managed devices and provide a summary of the
information learned, or that it reports locally-stored management information.

PDF created with pdfFactory trial version www.pdffactory.com

SNMP management applications

• CiscoView is a graphical SNMP-based device management tool that provides

real-time views of networked Cisco devices. These views deliver a
continuously updated physical picture of device configuration and performance
conditions, with simultaneous views available for multiple device sessions.
Additionally, CiscoView is designed for integration with leading network
management platforms, such as HP OpenView Network Node Manager, to
provide seamless and powerful methods of managing Cisco devices such as
routers, switches, hubs, concentrators, and adapters.