1.4.3 Configure SNMPv3 - group v3

Information

The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language used for the monitoring and management of devices in a network. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network.

Rationale:

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.

Impact:

SNMPv3 provides security features such as:

Message Integrity - Ensures that a packet has not be tampered with

Authentication - Determines message is from a valid source

Encryption - Scrambles the packet content to prevent being seen by unauthorized sources.

SNMPv2 does not provide any of these features, as SNMPv2 is a cleartext protocol that exposes the community string in each exchange of information.

Solution

Create SNMPv3 Users (and groups if needed). Ensure that SHA hashes are used rather than MD5. Also ensure that appropriate authorization levels are set ('network-admin' is shown below):

switch(config)#snmp-server user SNMPv3_UserName network-admin auth sha 0x12624c4dcb90cffeb43a1177324f547d priv 0x12624c4dcb90cffeb43a1177324f547d localizedkey

To set SNMP to version 3, add the 'version' parameter to the snmp-server command (note that SNMPv3 users and groups need to be configured first):

switch(config)# snmp-server host 1.2.3.4 traps version 3 priv <SNMPv3_UserName>

To enforce encryption for all SNMPv3 Users. This can be done by individual user, but it's recommended to enforce it globally:

switch(config)# snmp-server globalEnforcePriv

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/files/3102