Monday, July 15, 2013

SNMP Secure Access



Here are a few steps to secure SNMP access to a Cisco IOS device:

     1.       Configure a community ACL so that only the management stations can query the device.
     2.       Define a view so the user can reach only limited parts of the Management Information Base (MIB).
     3.       Use SNMPv3 with authentication and encryption.

Configure ACL:

ip access-list standard ACL_SNMP_ACCESS
permit 10.10.10.0 0.0.0.255
deny any
!
snmp-server community cisco RO ACL_SNMP_ACCESS

This ACL allows only hosts from the 10.10.10.0/24 network to use the community, and the RO keyword limits them to read-only access. The community string itself still travels in clear text in every SNMPv1/v2c packet, so treat it as a password: do not use cisco or public in production, and remember that the ACL is the only thing stopping anyone who sniffs it from reusing it.

Define view command:

snmp-server view MYVIEW mgmt.* included
!
snmp-server community cisco view MYVIEW RO ACL_SNMP_ACCESS

The view command lets us define a named view (MYVIEW) that exposes only specific subtrees of the MIB instead of the whole tree; the community is then bound to that view with the view keyword, so a query for an object outside the view gets no data.

The subtree used here, mgmt (1.3.6.1.2), is the parent of mib-2, so it exposes the system and interfaces groups, but also ip, tcp, udp, the routing and ARP tables and every other mib-2 group. To expose system and interface information only, include just the system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2) subtrees instead, either by name or by numeric OID.

Use snmpwalk or an SNMP MIB browser against the device to find the exact subtrees you need, and walk the device from the root afterwards to verify that nothing outside the view is returned.

Use SNMPv3:

snmp-server engineID local 111100000000000000000000
snmp-server user USER1 GRP1 v3
snmp-server user USER2 GRP2 v3
snmp-server user USER3 GRP3 v3 auth md5 USER3PASS
snmp-server user USER4 GRP4 v3 auth md5 USER4PASS priv des56 USER4PRIV
!
snmp-server group GRP1 v3 noauth
snmp-server group GRP2 v3 noauth read MYVIEW
snmp-server group GRP3 v3 auth
snmp-server group GRP4 v3 priv
!
snmp-server view MYVIEW mgmt.* included
!
snmp-server community public RO

In this example I have configured four users and four groups. Each user is tied to a group, and the group's security level (noauth, auth or priv) together with its read view decides what the user can do. The engine ID line is optional: the device generates one on its own, but the authentication and privacy keys of every SNMPv3 user are derived from the password and the local engine ID, so if you set it yourself, set it before creating the users; changing it later invalidates the users and they have to be recreated. Note also that SNMPv3 users are not shown in the running configuration; use show snmp user and show snmp group to check them.

USER1 gets full access without authentication or encryption (a group configured without a read view gets the default view, which exposes essentially the whole MIB).
USER2 gets limited access, through the view configured on the group, without authentication or encryption.
USER3 gets full access with authentication (MD5) but without encryption.
USER4 gets full access with authentication (MD5) and encryption (DES 56-bit).

Use the user/group type according to your needs. On a device reachable from an untrusted network only the priv type should exist: noauth users send everything in clear text and can be spoofed, and the auth type protects integrity but not confidentiality. Where the IOS release supports it, prefer auth sha to md5 and priv aes 128 to des56; both are set with the same snmp-server user command. Also remove the snmp-server community public RO line from the example above before using it on a real device: a well-known read-only community with no ACL lets any host read the device over SNMPv1/v2c, no matter how the SNMPv3 users are configured.

Combining all three, an SNMPv3 priv group whose read view is limited to what the management station needs and whose access is restricted by the ACL (the access keyword of the snmp-server group command applies an ACL to a v3 group), gives authenticated, encrypted and tightly scoped SNMP access to your Cisco device.
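The three steps combined into a single configuration, as an added example that is not part of the original post. It replaces the broad mgmt view with a view limited to the system and interfaces subtrees (standard MIB-II node names, which IOS resolves; the numeric OIDs given in the comments work on any release), creates only an authPriv group, applies the management ACL to the group itself, and removes the community strings so that no SNMPv1/v2c fallback remains. The group and user names GRP_RO and NMSUSER and the two passphrase placeholders are assumptions for the example; replace them with your own values.

```text
! Added example, not from the original post.
!
! Step 1: only the management network may talk SNMP to this device
ip access-list standard ACL_SNMP_ACCESS
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Step 2: expose only system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2).
! "mgmt" or "mib-2" would also expose ip, tcp, udp and the other groups.
snmp-server view MYVIEW system included
snmp-server view MYVIEW interfaces included
!
! Optional: set the engine ID before creating users; user keys are
! derived from it and changing it later invalidates every v3 user.
snmp-server engineID local 111100000000000000000000
!
! Step 3: a single authPriv group, read-only, limited to MYVIEW and to the ACL
snmp-server group GRP_RO v3 priv read MYVIEW access ACL_SNMP_ACCESS
!
! SHA for authentication and AES-128 for privacy instead of MD5 and DES-56.
! <auth-passphrase> and <priv-passphrase> are placeholders (at least 8 characters).
snmp-server user NMSUSER GRP_RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! No community strings at all: a leftover "public" community with no ACL
! would let any host read the device over SNMPv1/v2c.
no snmp-server community public
no snmp-server community cisco
!
! Verify from exec mode (v3 users are not shown in the running config):
!   show snmp user
!   show snmp group
!   show snmp view
```

To check the result from a host in 10.10.10.0/24, a Net-SNMP walk such as snmpwalk -v3 -l authPriv -u NMSUSER -a SHA -A <auth-passphrase> -x AES -X <priv-passphrase> <device> 1.3.6.1.2.1 should return only the system and interfaces groups and then stop; the same walk from a host outside the ACL, or a -v2c -c public walk from anywhere, should get no response at all.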

Packet captures for the four users (screenshots not reproduced here):

User1, User2 and User3: the PDU contents are readable in the capture; noauth sends everything in clear text, and auth only adds an integrity check.
User4: note the encrypted message data.
