SNMP v3 - Digi International


SNMP v3
What is SNMPv3?
• Provides security for SNMP
• Defines a database that determines what
parts of each MIB each user can access
• Database entries also determine what
protocols are used to encrypt data
Who Does What?
• The NET+OS SNMPv3 API provides a way for
applications to create and change the
security database
• User applications must create the database
at boot up and maintain it
Database Structure
• Database consists of USM, VTF, S2G, and
VACM entries.
• User based Security Model (USM) entries
contain information about the user
including
– Username
– Authentication key
– Encryption key
Database Structure – cont.
• Security to Group (S2G) entries associate a
user with a group name.
• View Tree Family (VTF) entries define a
view into a MIB. A view is a piece
(possibly all) of a MIB.
• View based Access Control Model (VACM)
entries associate a group with a view.
For User to Access MIB
• Create a USM entry for the user
• Create an S2G entry that associates the user
with a group
• Create a VACM entry that associates the
group with a view
• Create a VTF entry that defines a view into
the MIB
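The four entry types above form a chain, and an access decision walks it in order: USM (is the user known?), S2G (which group?), VACM (which views may that group read or write?), VTF (is the requested OID inside that view?). The following is an added example that models that chain in plain Python; it is not NET+OS or Digi code and uses no NET+OS API. The dataclass names, the sample users, groups, views, and keys are all constructed for illustration. The view matching follows the longest-prefix include/exclude rule of RFC 3415, which is the behaviour the page's VTF entries describe.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class UsmEntry:
    """User-based Security Model entry: who the user is and their keys."""
    username: str
    auth_key: bytes
    priv_key: bytes = b""  # empty: authentication only, no encryption


@dataclass
class S2gEntry:
    """Security-to-Group entry: maps a user name to a group name."""
    username: str
    group: str


@dataclass
class VtfEntry:
    """View Tree Family entry: one subtree included in or excluded from a named view."""
    view: str
    subtree: str           # dotted OID, e.g. "1.3.6.1.2.1.1"
    included: bool = True


@dataclass
class VacmEntry:
    """View-based Access Control entry: which views a group may read and write."""
    group: str
    read_view: str
    write_view: str = ""   # empty: the group has no write access at all


@dataclass
class SecurityDb:
    """Constructed in-memory stand-in for the security database the page describes."""
    usm: Dict[str, UsmEntry] = field(default_factory=dict)
    s2g: Dict[str, S2gEntry] = field(default_factory=dict)
    vtf: List[VtfEntry] = field(default_factory=list)
    vacm: Dict[str, VacmEntry] = field(default_factory=dict)


def _oid(s: str) -> List[int]:
    return [int(x) for x in s.split(".")]


def oid_in_view(db: SecurityDb, view: str, oid: str) -> bool:
    """Longest matching subtree in the view decides include/exclude (RFC 3415 semantics)."""
    target = _oid(oid)
    best: Optional[VtfEntry] = None
    for e in db.vtf:
        if e.view != view:
            continue
        prefix = _oid(e.subtree)
        if target[: len(prefix)] == prefix and (best is None or len(prefix) > len(_oid(best.subtree))):
            best = e
    return best is not None and best.included


def check_access(db: SecurityDb, username: str, oid: str, write: bool = False) -> Tuple[bool, str]:
    """Walk USM -> S2G -> VACM -> VTF; any missing link denies the request."""
    if username not in db.usm:
        return False, "no USM entry for user"
    s2g = db.s2g.get(username)
    if s2g is None:
        return False, "no S2G entry: user belongs to no group"
    vacm = db.vacm.get(s2g.group)
    if vacm is None:
        return False, f"no VACM entry for group {s2g.group!r}"
    view = vacm.write_view if write else vacm.read_view
    if not view:
        return False, "group has no view for this operation"
    if not oid_in_view(db, view, oid):
        return False, f"OID {oid} is not in view {view!r}"
    return True, f"allowed via group {s2g.group!r}, view {view!r}"


def build_sample_db() -> SecurityDb:
    """Constructed sample: an admin with full access, a read-only monitor limited to the system group."""
    db = SecurityDb()
    # placeholder keys; real deployments derive them from passwords and the engine ID (RFC 3414)
    db.usm["admin"] = UsmEntry("admin", auth_key=b"\x01" * 16, priv_key=b"\x02" * 16)
    db.usm["monitor"] = UsmEntry("monitor", auth_key=b"\x03" * 16)
    db.s2g["admin"] = S2gEntry("admin", "admins")
    db.s2g["monitor"] = S2gEntry("monitor", "readers")
    db.vtf += [
        VtfEntry("all", "1"),
        VtfEntry("system", "1.3.6.1.2.1.1"),                     # MIB-II system group
        VtfEntry("system", "1.3.6.1.2.1.1.6", included=False),   # but hide sysLocation
    ]
    db.vacm["admins"] = VacmEntry("admins", read_view="all", write_view="all")
    db.vacm["readers"] = VacmEntry("readers", read_view="system")   # no write view
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for user, oid, write in [("admin", "1.3.6.1.2.1.1.5.0", True),
                             ("monitor", "1.3.6.1.2.1.1.5.0", False),
                             ("monitor", "1.3.6.1.2.1.1.6.0", False),
                             ("monitor", "1.3.6.1.2.1.2.2.1.10.1", False),
                             ("monitor", "1.3.6.1.2.1.1.5.0", True),
                             ("guest", "1.3.6.1.2.1.1.5.0", False)]:
        print(user, oid, "write" if write else "read", check_access(db, user, oid, write))
```

The point worth noticing is that every denial comes from a missing or narrowing link rather than from an explicit "deny" rule: a user with a USM entry but no S2G entry, or a group with no write view, simply has no path to the OID. That is why the application that builds the database at boot must create all four entry types for each user it intends to serve.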
Why SNMPv3?
• SNMPv1 doesn’t have security. If it’s on,
don’t bother with SNMPv3.
• SNMPv2c has very weak security
• No support for the SNMPv3 features described
in RFC 3413. These features don’t seem to
be important.
Engine ID
• Used to create hashed user keys and for encryption
and authentication
• Older versions of SNMPv3 based it on unit’s IP
address. Bad idea since IP address can change.
• This version uses Ethernet MAC address
• Should prevent problems with new customers
• May create minor problems with customers who
already had SNMPv3
NASNMPv3 – Example Application
• Demonstrates how to start SNMPv3 and
create security database entries
• Provides a command line interface that lets
users view and create security database
entries