CCNP Security - SENSS Simple Network Management Protocol

SENSS.1007.Simple.Network.Management.Protocol.v001

Uploaded by

Luis Gonzalez

CCNP Security - SENSS

Simple Network Management Protocol


SNMP Overview
» By the name
•  It’s a simple protocol for network management
» SNMP Roles
•  SNMP Agent (network device being managed)
•  SNMP Manager (SNMP server)
» Three versions
•  SNMPv1
•  SNMPv2c
•  SNMPv3
Copyright © www.ine.com
SNMP Overview
» SNMP server uses the concept of MIB (Management Information Base) for
•  Reading status / health information from a network device
•  Changing configuration of the network device
» SNMP functions based on three main operations
•  SNMP GET
•  SNMP SET
•  SNMP TRAP

SNMP Operations
» SNMP GET
•  Server reads device statistics (interface load, memory, CPU)
•  Requires read-only access on the managed device
•  Runs over UDP 161
» SNMP SET
•  Server configures the device (VTP configuration)
•  Requires read-write access on the remote device
•  Runs over UDP 161

SNMP Operations
» SNMP TRAP
•  Server receives unsolicited events from device (interface is down)
•  Partially overlaps in scope with syslog
•  Runs over UDP 162, can optionally use TCP (called INFORM)

SNMP Views
» SNMP Views are used to limit access to MIB information on the managed device
» SNMP View Types
•  Read views (for GET actions)
•  Write views (for SET actions)
•  Notify views (for traps/informs actions)

SNMPv3 Overview
» SNMPv3 mainly adds security features
» SNMPv1 and SNMPv2c
•  Authentication via community-strings (RO / RW )
•  Community-string was sent in clear-text in SNMP packets
•  No SNMP packet encryption
» SNMPv3
•  Authentication via username/password
•  Password is not sent in clear-text
•  Supports encryption
SNMPv3 Security Models
» Based on the required security level, different models can be implemented
» noAuthNoPriv
•  Authentication by username only, like a community-string
» authNoPriv
•  Username / password authentication via MD5/SHA-1
» authPriv
•  Username / password authentication via MD5/SHA-1
•  Encryption via DES/3DES/AES

SNMP on IOS vs. ASA
» ASA does not support
•  SET actions (no RW communities)
•  Informs

IOS SNMPv3 Configuration
» Optionally configure SNMP views
» Configure SNMP group of users
•  Define security model
•  Optionally configure view access
» Configure SNMP username / password
•  Define authentication and encryption algorithms
•  Bind the username to the group

IOS SNMPv3 Configuration
» Optionally configure SNMP server
•  Only if traps/informs are being used
•  Bind the username to be used
» Optionally configure SNMP Local Engine ID
•  Default one can be used
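
The IOS configuration steps above (view, group, user, trap host) combined with the security levels from the earlier slides, as an added example that is not part of the original slides: a Python check that flags SNMP lines weaker than authPriv. The sample configuration, its names, the address 192.0.2.10 and the placeholder secrets are constructed, and treating MD5 and DES as legacy is this example's own policy.

```python
# Constructed sample IOS config (not from the slides); names, address and secrets are placeholders.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cr3t RW
snmp-server view MGMT-RO iso included
snmp-server group NMS-PRIV v3 priv read MGMT-RO
snmp-server group NMS-AUTH v3 auth
snmp-server user nms-admin NMS-PRIV v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER
snmp-server user legacy NMS-AUTH v3 auth md5 AUTH-PLACEHOLDER
snmp-server host 192.0.2.10 version 3 priv nms-admin
"""


def audit_snmp(config):
    """Return (line_no, finding) pairs for SNMP settings weaker than SNMPv3 authPriv."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, name = tok[1], tok[2]
        # Options that follow the "v3" keyword on group/user lines
        opts = tok[tok.index("v3", 3) + 1:] if "v3" in tok[3:] else None
        if kind == "community":
            # SNMPv1/v2c: the community string is sent in clear text
            access = "RW" if "RW" in (t.upper() for t in tok[3:]) else "RO"
            findings.append((n, f"clear-text {access} community"))
        elif kind == "group" and opts is not None:
            level = opts[0] if opts else "missing"
            if level != "priv":
                findings.append((n, f"group {name}: level {level}, no encryption"))
            if "read" not in opts:
                findings.append((n, f"group {name}: no explicit read view"))
        elif kind == "user" and opts is not None:
            if "auth" not in opts:
                findings.append((n, f"user {name}: no authentication"))
            if "priv" not in opts:
                findings.append((n, f"user {name}: no encryption"))
            # MD5 and DES are treated as legacy choices here (this example's policy)
            for weak in ("md5", "des"):
                if weak in opts:
                    findings.append((n, f"user {name}: legacy algorithm {weak}"))
    return findings


if __name__ == "__main__":
    for n, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {n}: {finding}")
```

Lines 3, 4, 6 and 8 of the sample are the view, group, user and host steps at the authPriv level and produce no findings.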

IOS SNMPv3 Verification
» Verify users and groups
•  show snmp group
•  show snmp user
» Verify SNMP servers
•  show snmp host
•  show snmp sessions

ASA SNMPv3 Configuration
» Configure SNMP group of users
•  Define security model
» Configure SNMP username / password
•  Define authentication and encryption algorithms
•  Bind the username to the group
» Configure SNMP server
•  Bind the username to be used

ASA SNMPv3 Verification
» Verify users and groups
•  show snmp-server group
•  show snmp-server user
» Verify SNMP servers
•  show snmp-server host

Q&A

Copyright © www.ine.com All rights reserved.
