Hello!
In previous entries, in which we studied the SNMP protocol, we said that security management in versions 1 and 2 was negligible, since they are based on the concept of a community and use a text string, sent in plain text, for its management.
SNMPv3 does provide secure access to devices, so that you can access the data without fear of it being changed in transit. In addition, sensitive information (such as a change in the configuration of a router) can be encrypted to prevent its content from being exposed on the network. With SNMPv3 we have, therefore, the following features:
- Message integrity: ensures that a received packet has not been modified.
- Authentication: Determines that the message came from a valid source.
- Encryption: ensures the secrecy of the packet, preventing it from being read by an unauthorized user.
A practical example
Let's see the protocol in operation. We will use the net-snmp utilities, which we saw how to install and configure on a Debian machine in the previous post.
To configure the snmpd agent on the Debian machine so that SNMPv3 can be used to access the information, we would have to edit multiple files, but it's easier to use the net-snmp-config program.
The first thing to do is stop the agent so we can create our first user and give it permission to make queries or to make changes to objects.
# /etc/init.d/snmpd stop
With this command we create the user "test" with password "asdasd123", using MD5 and DES for security:
(NOTE: You must have openssl installed)
# net-snmp-config --create-snmpv3-user -a asdasd123 test
By default, the program adds a line to /etc/snmp/snmpd.conf that gives the created user read/write access. You can edit the file to change the permissions.
Let's start the agent again in order to test its operation:
# /etc/init.d/snmpd start
The following command requests OID 1.3.6.1.2.1.1.4.0, which is sysContact, from the agent on localhost, using the test user:
$ snmpget -v 3 -u test -l authPriv -a MD5 -A asdasd123 -x DES -X asdasd123 localhost 1.3.6.1.2.1.1.4.0
iso.3.6.1.2.1.1.4.0 = STRING: "Chen
And this other command requests sysLocation:
$ snmpget -v 3 -u test -l authPriv -a MD5 -A asdasd123 -x DES -X asdasd123 localhost 1.3.6.1.2.1.1.6.0
iso.3.6.1.2.1.1.6.0 = STRING: "institute"
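What the -a MD5 -A asdasd123 options in the snmpget commands above do, as an added example that is not part of the original post or of net-snmp: the User-based Security Model (RFC 3414) stretches the passphrase into a key, ties that key to the agent's engine ID, and authenticates each message with a truncated HMAC. The engine ID and the message bytes are constructed for illustration, and the message is a simplified stand-in for the real BER-encoded packet.

```python
import hashlib
import hmac

AUTH_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 keep the first 12 octets of the MAC


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated passphrase to obtain Ku."""
    if len(password) < 8:
        raise ValueError("passphrase shorter than 8 octets")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Bind Ku to one agent: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, zeroed_msg: bytes, algo: str = "md5") -> bytes:
    """MAC over the message whose auth field holds 12 zero octets."""
    return hmac.new(kul, zeroed_msg, algo).digest()[:AUTH_LEN]


def sign(kul, prefix, suffix, algo="md5"):
    """Return prefix + MAC + suffix; the MAC fills the auth field."""
    mac = auth_params(kul, prefix + bytes(AUTH_LEN) + suffix, algo)
    return prefix + mac + suffix


def verify(kul, msg, offset, algo="md5"):
    """Zero the auth field at `offset`, recompute, compare in constant time."""
    received = msg[offset:offset + AUTH_LEN]
    zeroed = msg[:offset] + bytes(AUTH_LEN) + msg[offset + AUTH_LEN:]
    return len(received) == AUTH_LEN and hmac.compare_digest(
        received, auth_params(kul, zeroed, algo))


if __name__ == "__main__":
    engine_id = bytes.fromhex("80001f8880aabbccdd")  # constructed engine ID
    kul = localize_key(password_to_key(b"asdasd123"), engine_id)
    prefix, suffix = b"<header>", b"<scoped PDU: sysContact.0>"  # constructed, not BER
    msg = sign(kul, prefix, suffix)
    print("authentic:", verify(kul, msg, len(prefix)))
    tampered = msg[:-2] + b"1>"  # one octet changed in transit
    print("tampered :", verify(kul, tampered, len(prefix)))
    other = localize_key(password_to_key(b"wrongpass1"), engine_id)
    print("wrong key:", verify(other, msg, len(prefix)))
```

Passing "sha1" as algo gives the HMAC-SHA-96 variant defined in the same RFC.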
In the next picture we see a Wireshark capture in which you can see how, indeed, after authentication is performed, the information travels encrypted, ensuring its integrity and confidentiality: