Wednesday, May 11, 2011

SNMPv3 - Configuration on Debian 6

Hello!

In previous entries we studied the SNMP protocol and noted that security in versions 1 and 2 was negligible, since they are based on the concept of a community and use a text string, sent in plain text, for access control.

SNMPv3 does provide secure access to devices, so that data can be accessed without fear of it being altered along the way and, in addition, sensitive information (such as a change to a router's configuration) can be encrypted to prevent its content from being exposed on the network. SNMPv3 therefore gives us the following features:

  • Message integrity: ensures that a received packet has not been modified.
  • Authentication: determines that the message came from a valid source.
  • Encryption: keeps the packet secret, preventing it from being read by an unauthorized user.

In SNMPv3 there are 3 levels of security: noAuthNoPriv, authNoPriv and authPriv.


A practical example

Let's see the protocol in operation. We will use the net-snmp utilities, which we saw in the previous post when installing and configuring them on a Debian machine.

To configure the snmpd agent on the Debian machine so that SNMPv3 can be used to access its information, we would have to edit multiple files, but it is easier to use the net-snmp-config program.

The first thing to do is stop the agent so we can create our first user and give it permission to make queries or to make changes to objects.

# /etc/init.d/snmpd stop

With this command we create the user "test" with password "asdasd123", using MD5 and DES for security:
(NOTE: You must have openssl installed)

# net-snmp-config --create-snmpv3-user -a asdasd123 test

By default, the program adds a line to /etc/snmp/snmpd.conf that gives the newly created user read/write access. The permissions can be changed by editing that file.

Let's start the agent again in order to test its operation:

# /etc/init.d/snmpd start

The following command asks the agent on localhost for the OID 1.3.6.1.2.1.1.4.0, which is sysContact, using the test user:

$ snmpget -v 3 -u test -l authPriv -a MD5 -A asdasd123 -x DES -X asdasd123 localhost 1.3.6.1.2.1.1.4.0

iso.3.6.1.2.1.1.4.0 = STRING: "Chen "

And this other command requests sysLocation:

$ snmpget -v 3 -u test -l authPriv -a MD5 -A asdasd123 -x DES -X asdasd123 localhost 1.3.6.1.2.1.1.6.0

iso.3.6.1.2.1.1.6.0 = STRING: "institute"
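How the passphrase and MD5 used above provide the authentication and message integrity features, following the key derivation and HMAC-MD5-96 scheme of RFC 3414 (USM). This is an added example, not code from the original post or from net-snmp; the engine ID and message bytes are constructed placeholders.

```python
import hashlib
import hmac

MIB = 1048576  # RFC 3414 hashes exactly 2**20 bytes of repeated passphrase

def password_to_key(passphrase, algo="md5"):
    """RFC 3414 A.2: derive the user key Ku from the passphrase."""
    pw = passphrase.encode()
    if len(pw) < 8:  # net-snmp refuses shorter passphrases
        raise ValueError("passphrase must be at least 8 characters")
    stream = (pw * (MIB // len(pw) + 1))[:MIB]
    return hashlib.new(algo, stream).digest()

def localize(ku, engine_id, algo="md5"):
    """Kul = H(Ku || engineID || Ku): a key valid for one agent only."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(kul, message, algo="md5"):
    """HMAC-MD5-96: first 12 bytes of the HMAC over the whole message
    (computed with the authentication field zeroed, per RFC 3414)."""
    return hmac.new(kul, message, algo).digest()[:12]

def verify(kul, message, tag, algo="md5"):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)

# Constructed values: the engine ID and message bytes are placeholders,
# not taken from the post's agent or capture.
ENGINE_ID = bytes.fromhex("80001f8880aabbccdd00000001")
MESSAGE = b"constructed SNMPv3 message with 12 zero bytes where the tag goes"

if __name__ == "__main__":
    kul = localize(password_to_key("asdasd123"), ENGINE_ID)
    tag = auth_tag(kul, MESSAGE)
    print("localized key:", kul.hex())
    print("valid message:", verify(kul, MESSAGE, tag))
    print("modified message:", verify(kul, MESSAGE + b"!", tag))
```

Because the key is localized with the agent's engine ID, the same passphrase produces a different key on every agent.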

In the following image we see a Wireshark capture in which you can see how, indeed, after authentication the information travels encrypted, ensuring its integrity and confidentiality:



Greetings!

Tuesday, May 10, 2011

SNMP on Debian 6 Squeeze

Hello!

Following this series of articles on SNMP (Introduction, MIBs and messages), today we will see how to configure an SNMP agent on Debian 6 Squeeze. To install the service, the snmpd package must be installed:

# aptitude install snmpd

The configuration file we must edit to adapt the agent to our requirements is /etc/snmp/snmpd.conf. However, the syntax of the file is not very comfortable, and the documentation that can be found on the Internet is aimed at older versions of the package. After I spent a while fiddling with the file, my friend Alberto Molina advised me to take a look at the file /usr/share/doc/snmpd/README.Debian, which contains the following:

  The default configuration for snmpd is rather paranoid for security
  reasons. Edit /etc/snmp/snmpd.conf or run snmpconf to allow greater
  access.

  The snmpconf program provides a simple, menu driven way of configuring
  the snmp applications and daemons.

And the truth is that configuring the service with snmpconf is much simpler. To use it, the snmp package, which contains several utilities, must be installed:

# aptitude install snmp

And then we can launch it:

# snmpconf

The program asks questions to help us create the configuration file according to our needs. The first question is whether we want to reuse content from the existing configuration files. We can reuse snmp.conf and snmptrapd.conf.


Then it asks which file we want to create, in our case snmpd.conf, and shows us the sections that make up the file so that we can build it up step by step. We start with the access control section:


If we are working with SNMP version 2 (the most common, but much more insecure than SNMPv3), we must configure options 3 and/or 4 to create a read-only community and a read-write community.


If we choose option 3, it asks for the name of the community, the addresses of the machines from which requests can be made to the snmpd agent, and the objects on which requests can be made.


And the same questions for option 4:


This would be a very basic (and very insecure) configuration, but it is enough to check the operation of the protocol on a Linux machine. We can then back out of the menus to exit the program:


Finally, we would have to restart the service:

# /etc/init.d/snmpd restart
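A quick way to review the access-control directives that end up in snmpd.conf, both the communities created with snmpconf here and the read/write user line that net-snmp-config adds in the SNMPv3 post. This is an added example, not part of the original posts or of net-snmp; the sample file contents and the community name "escritura" are constructed.

```python
import shlex

# Constructed sample of the directives discussed; not the post's actual file.
SAMPLE_CONF = """\
rocommunity public
rwcommunity escritura 192.168.1.0/24
rouser monitor priv
rwuser test
createUser test MD5 asdasd123 DES
"""

def audit(conf_text):
    """Return (line_no, finding) pairs for risky snmpd.conf access directives."""
    out = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        key, args = tok[0].lower(), tok[1:]
        if key in ("rocommunity", "rwcommunity") and args:
            if key == "rwcommunity":
                out.append((n, "read-write community: the clear-text string allows SET"))
            if args[0].lower() in ("public", "private"):
                out.append((n, "well-known community name"))
            if len(args) < 2 or args[1] == "default":
                out.append((n, "no source address restriction"))
        elif key in ("rouser", "rwuser") and args:
            if args[0] == "-s":  # optional security model
                args = args[2:]
            level = args[1].lower() if len(args) > 1 else "auth"  # auth is the default
            if level == "noauth":
                out.append((n, "user accepted without authentication"))
            elif level != "priv":
                out.append((n, key + " does not require priv: unencrypted requests accepted"))
        elif key == "createuser" and args:
            if args[0] == "-e":  # optional engine ID
                args = args[2:]
            if len(args) > 1 and args[1].upper() == "MD5":
                out.append((n, "MD5 authentication; SHA is available"))
            if len(args) > 3 and args[3].upper() == "DES":
                out.append((n, "DES privacy; AES is available"))
    return out

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_CONF):
        print("line %d: %s" % (line_no, finding))
```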

We can check that our agent works correctly with any NMS or MIB browser, such as BlackOwl MIB Browser:


In upcoming entries we will continue studying the SNMP protocol, focusing on the aspects related to its security.

Greetings!

Monday, May 9, 2011



Hello!

In previous entries we gave an introduction to SNMP, studying its components and architecture, and we took a closer look at MIBs and the management information tree. Today we will focus on SNMP messages.

To achieve the goal of being a simple protocol, SNMP proposed a limited set of management commands and responses. The initial version of the protocol had only 5 operators:

  • Get, to obtain or read the value of one or more instances of an object.
  • GetNext, very similar to Get; it differs in that this operation gets the value of the next OID in the tree.
  • Set, to write or set the value of one or more instances of an object.
  • Trap, messages sent by agents to the NMS to report that a certain event has occurred.
  • Response, the responses from the agents to the NMS containing the requested values.

SNMPv2 introduced 2 new operators:

  • GetBulk, introduced as an enhancement to GetNext requests for when data has to be obtained from a table (such as the information on a computer's network interfaces or its routing table).
  • Inform, a message similar to Trap but that includes a confirmation from the NMS that it received the message.

GET / GET NEXT / GET BULK / SET


TRAP


INFORM

To see SNMP in action and make some Wireshark captures we need an NMS and any device with SNMP. For this you can use your home router, a switch or your own machine.

I will be using a Windows XP virtual machine on which I installed the SNMP service (Start -> Add/Remove Programs -> Add Windows Components -> Management and Monitoring Tools -> SNMP). Once it is installed you can configure the agent and define its details. For example, we can set the contact, which will be the value of the sysContact object, or the location, which is the value of sysLocation, both in the System group.



If we go to the Security tab, we see that by default only the public community is created, with read-only rights. A community (community string) is something like a password in plain text (and therefore very insecure). In the next post we will discuss security and the SNMPv3 protocol.

We can create a new community with read and write access:


Once the changes are made, the service has to be restarted.

As NMS we will use the BlackOwl MIB Browser application. In the image you can see how I selected the computer I am working on (typing its IP in the Host field), navigated through the tree to the system object group and performed three get operations to obtain the values of the objects sysDescr, sysContact and sysLocation. As the community for read operations is set to public by default, nothing needs to be configured:


As you can see, the values returned by the agent are the ones we set earlier on the computer.

If you look, the sysLocation object can be modified from the NMS, since its access is read-write. Let's change it! To do so, we must give our NMS the agent's write community. We have to go to properties, select SNMPv2 and enter the appropriate community string.




If we perform the set operation on the sysLocation object, a new window pops up asking for the value to write to the agent:


If we go to the computer and look at the SNMP properties, we can verify that the sysLocation value has indeed changed:


Finally, I leave a couple of images of the Wireshark capture of the get operation on the sysContact object and the response from the agent:
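What such a capture contains can also be decoded by hand: the sketch below parses the BER header of an SNMPv1/v2c message and returns the version, the community string (readable by anyone on the path), the operator and the requested OIDs. It is an added example, not part of the original post; the packet bytes are constructed, not taken from the author's capture.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap (v1)", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "Trap (v2)"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}
# Constructed sample: SNMPv2c GetRequest for sysContact.0, community "public".
SAMPLE_GET = bytes.fromhex(
    "3027" "020101" "04067075626c6963"   # SEQUENCE, version=1, community
    "a01a" "02021234" "020100" "020100"  # GetRequest, request-id, error fields
    "300e300c" "06082b06010201010400" "0500")  # varbind: OID + NULL

def tlvs(buf):
    """Yield (tag, value) for each BER element in buf."""
    off = 0
    while off < len(buf):
        tag, length, off = buf[off], buf[off + 1], off + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, off = int.from_bytes(buf[off:off + n], "big"), off + n
        if off + length > len(buf):
            raise ValueError("truncated BER element")
        yield tag, buf[off:off + length]
        off += length

def decode_oid(raw):
    """Decode BER OID bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def summarize(packet):
    """Return the fields any on-path observer can read in an SNMPv1/v2c message."""
    tag, body = next(tlvs(packet))
    if tag != 0x30:
        raise ValueError("no outer SEQUENCE: not an SNMP message")
    fields = list(tlvs(body))
    version = int.from_bytes(fields[0][1], "big")
    if version not in VERSIONS:  # SNMPv3 carries no community string
        return {"version": "SNMPv%d" % version, "community": None}
    community, (pdu_tag, pdu) = fields[1][1], fields[2]
    info = {"version": VERSIONS[version],
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": []}
    if pdu_tag != 0xA4:  # the SNMPv1 Trap PDU has a different layout
        varbinds = list(tlvs(pdu))[3][1]  # after request-id and two integers
        info["oids"] = [decode_oid(next(tlvs(vb))[1]) for _, vb in tlvs(varbinds)]
    return info
```

Calling summarize(SAMPLE_GET) returns the version, community, operator and OID of the constructed request.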



CAUTION: After testing, you should disable or secure SNMP on your equipment, lest your machines start doing strange things...

In the next article we will talk, precisely, about security and the SNMPv3 protocol.

Greetings!


Sources:
http://www3.rad.com/networks/applications/snmp/comp.htm
http://www.manageengine.com/network-monitoring/what-is-snmp.html