Network + Systems Management
Workshop
Simplifying SNMPv3

September 18, 2003
By Bruce Boardman



Feeling Secure
SNMPv3's security features are its main attraction. Version 3 follows the User-Based Security Model (USM), RFC 3414 (www.ietf.org/rfc/rfc3414.txt), for authentication and privacy. The architecture is modular, though: any future authentication or privacy mechanisms that emerge can be added to the specification without changing the basic SNMPv3 framework.

SNMPv3 wasn't meant to plug every security hole in a network: Stopping denial-of-service attacks or traffic analysis, for example, is explicitly outside the v3 specification; RFC 3414 lists both as threats it does not address. And SNMPv3 was designed to be self-contained, so it doesn't rely on other network services such as NTP or an external key-management system. It's all about securing the management protocol rather than the management environment or network.



USM consists of authentication, timeliness and privacy modules. Authentication provides data integrity and data-origin authenticity; privacy provides confidentiality. The timeliness module thwarts replay and delayed delivery: each authoritative engine keeps a boot counter (snmpEngineBoots) and a clock (snmpEngineTime), the other side learns them during discovery and carries them in every authenticated message, and the receiver rejects a message whose boot count doesn't match or whose time falls outside a 150-second window of its own clock.

With USM's key management, a user's password is converted into a key, and that key is then localized by hashing it together with the snmpEngineID of each device, so each SNMP entity holds a key that is unique to it. If a key is exposed or captured, only the single device matched to that key is at risk. USM specifies HMAC-MD5-96 and HMAC-SHA-96, and other hashing algorithms can be added to SNMPv3. The password itself is never sent over the wire. Instead, the whole message is run through an HMAC (two nested hashes keyed with values derived from the localized key), and the first 12 octets of the result are sent as the Message Authentication Code (MAC). The receiver recomputes the MAC over the message it got, using its own copy of the localized key, and compares the two; a mismatch drops the message. This cumbersome password-based key management may eventually give way to the more straightforward Diffie-Hellman key-exchange method (defined for USM in RFC 2786).

SNMPv3 specifies three security levels combining authentication and privacy: The first level is neither authentication nor privacy, or "noAuthNoPriv." This is similar to SNMPv1 and v2 clear-text community strings, and makes the most sense when you are debugging or the SNMP entities are in a trusted environment. The second level is authentication without privacy, or "authNoPriv." Many management vendors say their customers opt for this simpler level of security when they first implement SNMPv3. The third level, "authPriv," not only authenticates but also encrypts the SNMP data (the scoped PDU), but many vendors and enterprises consider that too much overhead for network devices.



[Figure: Start Your Engine]

Meanwhile, the CBC-DES privacy algorithm specified in v3 uses a 56-bit key and no longer provides acceptable privacy protection. Stronger algorithms are in the works, including AES-128 in CFB mode for USM (www.ietf.org/internet-drafts/draft-blumenthal-aes-usm-06.txt, later published as RFC 3826).

SNMPv3 also comes with a view-based access-control model (VACM, RFC 3415), which lets you limit which MIB variables a user can read, write or receive in notifications. VACM requires that a view and a group be created on each network device: the view defines which portion of the MIB is accessible (subtrees included or excluded, optionally with a mask that wildcards sub-identifiers), and the group links users, identified by security model and security name, to that view at a minimum required security level.
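The VACM access decision, tying together the security levels from the earlier paragraph and the view, group and access tables described here, as an added example that is not code from the article or from any SNMP implementation. It implements the isAccessAllowed steps of RFC 3415 (group lookup, access entry by minimum security level, view selection, longest-matching view family with mask); the users, views and OIDs are constructed sample data, and the example assumes a single default context and USM as the only security model, which real VACM tables also index on:

```python
"""View-based Access Control Model (RFC 3415) decision logic.  Added example,
not the article's or any agent's code.  Users, views and OIDs are constructed
sample data; a single default context and a fixed security model are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# securityLevel ordering shared by USM and VACM (RFC 3411)
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3
USM = 3                                  # securityModel number for USM

OID = Tuple[int, ...]


@dataclass
class ViewFamily:
    subtree: OID
    mask: bytes = b""                    # empty mask = all ones = plain prefix match
    included: bool = True


@dataclass
class AccessEntry:
    group: str
    min_level: int                       # request's securityLevel must be >= this
    read_view: str = ""
    write_view: str = ""                 # "" means no view, i.e. no access of that kind


@dataclass
class Vacm:
    groups: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (model, secName) -> group
    access: List[AccessEntry] = field(default_factory=list)
    views: Dict[str, List[ViewFamily]] = field(default_factory=dict)


def mask_bit(mask: bytes, i: int) -> int:
    """Bit i (0-based, MSB first) of the family mask; bits past its end are 1."""
    if i >= len(mask) * 8:
        return 1
    return (mask[i // 8] >> (7 - i % 8)) & 1


def family_matches(fam: ViewFamily, oid: OID) -> bool:
    """A family covers an OID when every non-wildcarded subtree position matches."""
    if len(oid) < len(fam.subtree):
        return False
    return all(mask_bit(fam.mask, i) == 0 or fam.subtree[i] == oid[i]
               for i in range(len(fam.subtree)))


def in_view(view: List[ViewFamily], oid: OID) -> bool:
    """RFC 3415 3.5: the matching family with the most sub-identifiers
    (lexicographically greatest on ties) decides included/excluded."""
    matches = [f for f in view if family_matches(f, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


def is_access_allowed(vacm: Vacm, model: int, sec_name: str, level: int,
                      view_type: str, oid: OID) -> str:
    """RFC 3415 3.2 isAccessAllowed, returning the RFC's status names."""
    group = vacm.groups.get((model, sec_name))
    if group is None:
        return "noGroupName"
    candidates = [a for a in vacm.access if a.group == group and level >= a.min_level]
    if not candidates:
        return "noAccessEntry"
    entry = max(candidates, key=lambda a: a.min_level)      # strongest applicable entry wins
    view_name = entry.read_view if view_type == "read" else entry.write_view
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(vacm.views[view_name], oid) else "notInView"


def build_sample() -> Vacm:
    """Constructed configuration: a read-only operator and a read-write admin."""
    v = Vacm()
    v.groups[(USM, "operator")] = "ro-group"
    v.groups[(USM, "admin")] = "rw-group"
    v.access += [
        AccessEntry("ro-group", AUTH_NOPRIV, read_view="sysonly"),
        AccessEntry("rw-group", AUTH_PRIV, read_view="all", write_view="all"),
    ]
    v.views["all"] = [ViewFamily((1, 3, 6))]
    v.views["sysonly"] = [
        ViewFamily((1, 3, 6, 1, 2, 1, 1)),                    # system group
        ViewFamily((1, 3, 6, 1, 2, 1, 1, 6), included=False),  # ...but hide sysLocation
        # ifEntry columns for ifIndex 1 only: mask bit 9 (0xFFA0) wildcards the column sub-id
        ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 1), mask=bytes([0xFF, 0xA0])),
    ]
    return v


if __name__ == "__main__":
    v = build_sample()
    print(is_access_allowed(v, USM, "operator", AUTH_NOPRIV, "read", (1, 3, 6, 1, 2, 1, 1, 1, 0)))
    print(is_access_allowed(v, USM, "operator", AUTH_NOPRIV, "read", (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 2)))
```

Two behaviours are worth trying by hand: an `admin` request at authNoPriv gets `noAccessEntry` because the entry demands authPriv, which is how VACM enforces the security level a group was provisioned for, and a family mask lets one view expose a single row of a table without listing every column.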

Early adopters of SNMPv3, such as broadband cable providers, are working around these shortcomings. The cable industry's Data Over Cable Service Interface Specification (DOCSIS), for example, has providers use Diffie-Hellman or Kerberos to manage their key exchange rather than the bulky USM password scheme. They are also using a stronger method of encryption, AES-128, rather than DES.

Bruce Boardman is executive editor of Network Computing, testing and writing about network management and systems. Write to him at bboardman@nwc.com. Post a comment or question on this story at www.nwc.com/go/ask.html.

