
Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW). Configuring SNMP. Lesson 9 – Module 5 – ‘Cisco Device Hardening’. Module Introduction.





  1. Implementing Secure Converged Wide Area Networks (ISCW)

  2. Configuring SNMP Lesson 9 – Module 5 – ‘Cisco Device Hardening’

  3. Module Introduction
  • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, and that the data does not end up being accessed by the wrong people.
  • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
  • Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

  4. Objectives
  • At the completion of this ninth lesson, you will be able to:
  • Describe the concepts behind the use of SNMP
  • Explain the various SNMP actions
  • Explain why the use of SNMPv1 and SNMPv2 is not recommended
  • Demonstrate how to configure Cisco routers to use SNMPv3

  5. SNMP
  • SNMP – the Simple Network Management Protocol – forms part of the Internet protocol suite as defined by the IETF
  • SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention
  • It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects
  • The current version is SNMPv3
  • SNMPv1 and SNMPv2 are considered obsolete and are extremely insecure. It is recommended that they NOT be used on a publicly attached network

  6. SNMP Components
  • An SNMP-managed network consists of three key components:
  • Managed devices
  • Agents
  • Network-management systems (NMSs)
  • A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
  • An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
  • An NMS executes applications that monitor (and possibly control) managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
  • Ref: Wikipedia - SNMP

  7. SNMP Managed Network

  8. SNMPv1 and SNMPv2 Architecture
  • SNMP asks agents embedded in network devices for information or tells the agents to do something.

  9. SNMP Actions
  • The SNMP protocol specifies (in version 1) five core PDUs:
  • GET REQUEST - used to retrieve a piece of management information.
  • GETNEXT REQUEST - used iteratively to retrieve sequences of management information.
  • GET RESPONSE - used by the agent to respond with data to get and set requests from the manager.
  • SET REQUEST - used to initialise or change a value in the network element.
  • TRAP - used to report an alert or other asynchronous event about a managed subsystem.
  • In SNMPv1, asynchronous event reports are called traps; in later versions of SNMP they are called notifications.

  10. SNMP Actions
  • Other PDUs were added in later versions, including:
  • GETBULK REQUEST - a faster iterator used to retrieve sequences of management information.
  • INFORM - an acknowledged trap.
  • Typically, SNMP uses UDP port 161 for the agent and port 162 for the manager. The manager may send requests from any available port (source port) to port 161 on the agent (destination port).
  • The agent response is sent back to the source port. The manager receives traps on port 162.
  • The agent may generate traps from any available port.

  11. Community Strings
  • SNMPv1 and SNMPv2 use a community string to access router SNMP agents
  • SNMP community strings act like passwords
  • An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine
  • If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent
  • If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent

  12. Community Strings
  • In effect, having read-write access is equivalent to having the enable password!
  • SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
  • By default, most SNMP systems use a community string of “public”
  • If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB
  • Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created

  13. SNMP Security Models and Levels
  • Definitions:
  • Security model is a security strategy used by the SNMP agent.
  • Security level is the permitted level of security within a security model.

  14. SNMPv3 Operational Model

  15. SNMPv3 Operational Model
  • The concepts of separate SNMP agents and SNMP managers do not apply in SNMPv3
  • SNMPv3 combines these concepts into single SNMP entities
  • Each managed node and the network management system (NMS) is a single entity
  • There are two types of entities, each containing different applications:
  • Managed node SNMP entities: The managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB
  • SNMP NMS entities: The SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol, collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network

  16. SNMPv3 Features and Benefits
  • It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2

  17. Configuring an SNMP Managed Node
  • These are the four configuration tasks used to set up SNMPv3 communications on a Cisco IOS router:
  • Configure the SNMP-server engine ID to identify the device for administrative purposes
  • Configure the SNMP-server group names for grouping SNMP users
  • Configure the SNMP-server users to define usernames that reside on hosts that connect to the local agent
  • Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)

  18. Configuring the SNMP-Server Engine ID (1)
  • To configure a name for either the local or remote SNMP engine on the router, use the snmp-server engineID global configuration command.
  • The SNMP engine ID is a unique string used to identify the device for administration purposes.
  • An engine ID is not required for the device, as a default string is generated using the Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device.
  • If an individualised ID is required, do not specify the entire 24-character engine ID if the ID contains trailing zeros.
  • Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.

  19. Configuring the SNMP-Server Engine ID (1)
  • A remote engine ID must be created when an SNMPv3 inform is configured
  • The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host
  • Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.

  20. Configuring the SNMP-Server Group Names (2)
  • To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command
  • This command groups SNMP users that reside on hosts that connect to the local SNMP agent
  • An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects
  • An object can have different access rights in each view
  • Access rights indicate whether the object is accessible by either a community string or a user

  21. Configuring the SNMP-Server Group Names (2)
  • Configures a new SNMP group or a table that maps SNMP users to SNMP views:
  Router(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
  • Examples:
  PR1(config)# snmp-server group johngroup v3 auth
  PR1(config)# snmp-server group billgroup v3 priv
  • The top example shows how to define a group johngroup for SNMPv3 using authentication but not privacy (encryption)
  • The bottom example shows how to define a group billgroup for SNMPv3 using both authentication and privacy (the priv security level implies authentication)

  22. Configuring the SNMP-Server Users (3)
  • To add a new user to an SNMP group, use the snmp-server user global configuration command
  • To configure a user that exists on a remote SNMP device, specify the IP address or port number of the remote SNMP device where the user resides
  • Also, before configuring remote users for that device, configure the SNMP engine ID using the snmp-server engineID command with the remote option
  • The SNMP engine ID of the remote device is needed to compute the authentication and privacy digests from the password
  • If the remote engine ID is not configured first, the configuration command will fail

  23. Configuring the SNMP-Server Users (3)
  • Configure a new user in an SNMP group:
  Router(config)# snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
  • The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd with privacy (encryption) applied
  PR1(config)# snmp-server group johngroup v3 auth
  PR1(config)# snmp-server group billgroup v3 priv
  PR1(config)# snmp-server user John johngroup v3 auth md5 john2passwd
  PR1(config)# snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2

  24. Configuring the SNMP-Server Hosts (4)
  • To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command.
  Router(config)# snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
  • SNMP notifications can be sent as traps or inform requests.
  • Traps are unreliable because the receiver does not send acknowledgments when it receives traps
  • The sender cannot determine if the traps were received
  • An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.
  • Informs consume more computing resources in the agent and in the network.
  • If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered
  • If the command is entered with no keywords, all trap types are enabled for the host.

  25. Configuring the SNMP-Server Hosts (4)
  • To be able to send an “inform,” perform these steps:
  • Configure a remote engine ID.
  • Configure a remote user.
  • Configure a group on a remote device.
  • Enable traps on the remote device.
  • Enable the SNMP manager.

  26. Configuring the SNMP-Server Hosts (4)
  • Configures the recipient of an SNMP trap operation:
  Router(config)# snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
  • The example (below) shows how to send configuration informs to the 10.1.1.1 remote host:
  PR1(config)# snmp-server engineID remote 10.1.1.1 1234
  PR1(config)# snmp-server user bill billgroup remote 10.1.1.1 v3
  PR1(config)# snmp-server group billgroup v3 noauth
  PR1(config)# snmp-server enable traps
  PR1(config)# snmp-server host 10.1.1.1 informs version 3 noauth bill
  PR1(config)# snmp-server manager

  27. SNMP – Types of Traps

  28. SNMPv3 Configuration
  • The next slide shows how to configure Cisco IOS routers for SNMPv3.
  • The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser, who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface
  • The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with the respective authentication and encryption passwords) to gain access to the SNMP information of the router

  29. SNMPv3 Configuration Example
  Trap_sender(config)# snmp-server group snmpgroup v3 auth
  Trap_sender(config)# snmp-server group snmpgroup v3 priv
  Trap_sender(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
  Trap_sender(config)# snmp-server enable traps cpu
  Trap_sender(config)# snmp-server enable traps config
  Trap_sender(config)# snmp-server enable traps snmp
  Trap_sender(config)# snmp-server host 172.16.1.1 traps version 3 priv snmpuser
  Trap_sender(config)# snmp-server source-interface traps loopback 0
  Walked_device(config)# snmp-server group snmpgroup v3 auth
  Walked_device(config)# snmp-server group snmpgroup v3 priv
  Walked_device(config)# snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
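An added example (not from the slides) that turns the hardening advice of slides 11, 12, 21 to 26 and 29 into a check: it reads snmp-server lines from a running configuration and flags the weak settings the lesson warns about (v1/v2c communities, well-known community names, v3 groups/users/hosts without authentication, authenticated but unencrypted users, and hosts with no version keyword, which IOS treats as version 1). The sample configuration mixes lines from the slides with constructed weak lines so each check fires; the function name is an assumption.

```python
# Added example: audit snmp-server lines against the lesson's recommendations.
# Constructed sample: slide lines plus deliberately weak lines added to exercise each check.
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server group snmpgroup v3 priv
snmp-server group legacy v2c
snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
snmp-server user bill billgroup remote 10.1.1.1 v3
snmp-server host 172.16.1.1 traps version 3 priv snmpuser
snmp-server host 10.1.1.1 informs version 2c public
"""

def audit_snmp_config(config):
    """Return (line, reason) pairs for every snmp-server line that is weaker than SNMPv3 auth+priv."""
    findings = []
    for line in config.strip().splitlines():
        words = line.split()
        if words[:2] == ["snmp-server", "community"]:
            findings.append((line, "v1/v2c community string in use (cleartext authentication)"))
            if words[2].lower() in ("public", "private"):
                findings.append((line, f"well-known default community '{words[2]}'"))
        elif words[:2] == ["snmp-server", "group"]:
            if "v1" in words or "v2c" in words:
                findings.append((line, "group allows SNMPv1/v2c"))
            elif "noauth" in words:
                findings.append((line, "SNMPv3 group without authentication"))
        elif words[:2] == ["snmp-server", "user"]:
            if "v3" in words and "auth" not in words:
                findings.append((line, "SNMPv3 user with no authentication"))
            elif "auth" in words and "priv" not in words:
                findings.append((line, "SNMPv3 user authenticated but unencrypted"))
        elif words[:2] == ["snmp-server", "host"]:
            if "version" not in words:
                findings.append((line, "no version keyword; IOS defaults to SNMPv1"))
            else:
                ver = words[words.index("version") + 1]
                if ver in ("1", "2c"):
                    findings.append((line, f"notifications sent with SNMPv{ver} (community in cleartext)"))
                elif ver == "3" and "noauth" in words:
                    findings.append((line, "SNMPv3 notifications without authentication"))
    return findings
```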
