SNMP Research International, Inc.

SNMPv3 with Security and Administration

Introduction

Secure management is available with SNMPv3, the "Full Standard," IETF-recommended version of the Internet-Standard Management Framework. This technology provides commercial-grade security together with ease of administration, which together include authentication, authorization, access control, and privacy.

The secure management of SNMPv3 is an important enabling technology for safe configuration and control operations. SNMPv3 provides security with authentication and privacy, and its administration offers logical contexts, view-based access control, and remote configuration. This technology is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.

SNMPv3 is derived from and builds upon both the original Internet-Standard Management Framework (SNMPv1) and the second Internet-Standard Management Framework (SNMPv2c). All versions (SNMPv1, SNMPv2c, and SNMPv3) of the Internet-Standard Management Framework share the same basic structure and components. Furthermore, all versions of the specifications of the Internet-Standard Management Framework follow the same architecture.

SNMPv3 Features

Many SNMP products remain fundamentally the same under SNMPv3, but are enhanced by the following new features:

Security

Administration

Additional SNMPv3 Features (from v2)

The following features are incorporated from the SNMPv2 Framework by reference.

Feature                               Example
Expanded data types                   64-bit counters
Improved efficiency and performance   get-bulk operator
Confirmed event notifications         inform operator
Richer error handling                 errors and exceptions
Improved sets                         row creation/deletion
Fine-tuned data definition language   SMI, textual conventions, conformance statements, and agent capabilities

Security Threats and SNMPv3 Protection

Secure management with SNMPv3 protects against four threats:

Threat: SNMPv3 Protection

Masquerade
    Verifies the identity of the message's origin by checking the integrity of the data.

Modification of Information
    Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp.

Message Stream Modification
    Thwarts replay attacks by checking message stream integrity, including a time stamp.

Disclosure
    Prevents eavesdropping by protocol analyzers, etc., by using encryption.

Unauthorized Access
    Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an access control table (part of policy-based management).
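As an added illustration (this is not code from SNMP Research or from the RFC text), the following Python model shows how the User-based Security Model of RFC 3414 counters the Masquerade, Modification of Information and Message Stream Modification rows above: an HMAC keyed with a localized user key covers the whole message, including the authoritative engine's boots/time stamp, and the receiver rejects anything outside RFC 3414's 150-second window. The password, engine ID and payload are constructed sample values.

```python
# Added example: a minimal model of USM (RFC 3414) message authentication and
# timeliness checking, not SNMP Research's implementation.
import hashlib
import hmac

TIME_WINDOW = 150  # seconds; fixed by RFC 3414 section 3.2, step 7b

def password_to_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 Appendix A.2.2: stretch the password to 1 MiB, hash it (Ku),
    then localize it to one engine (Kul) so that compromising one agent's
    key does not expose the same user's key on other agents."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.sha1(stream).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()

def auth_tag(key: bytes, boots: int, time_: int, payload: bytes) -> bytes:
    """HMAC-SHA-96: the first 12 bytes of HMAC-SHA-1 over the message,
    with the engine boots/time fields inside the authenticated data."""
    msg = boots.to_bytes(4, "big") + time_.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]

def accept(key, local_boots, local_time, boots, time_, payload, tag) -> str:
    """Authoritative receiver's decision for one incoming message:
    authentication first (step 6), then the time window (step 7)."""
    if not hmac.compare_digest(auth_tag(key, boots, time_, payload), tag):
        return "reject: authentication failure"   # altered, or wrong key
    if boots != local_boots or abs(time_ - local_time) > TIME_WINDOW:
        return "reject: not in time window"       # replayed or stale
    return "accept"

def demo() -> list:
    # Constructed sample values (the password/engine ID pair is the familiar
    # RFC 3414 test-vector input, not a real credential).
    key = password_to_key(b"maplesyrup", b"\x00" * 9 + b"\x02")
    payload = b"get sysName.0"
    tag = auth_tag(key, 3, 1000, payload)          # sent at boots=3, time=1000
    return [
        accept(key, 3, 1050, 3, 1000, payload, tag),           # fresh: accepted
        accept(key, 3, 1400, 3, 1000, payload, tag),           # replayed 400 s later
        accept(key, 4, 10, 3, 1000, payload, tag),             # replayed after a reboot
        accept(key, 3, 1050, 3, 1000, b"set sysName.0", tag),  # payload altered
    ]
```

Note that an attacker cannot simply rewrite the time stamp on a captured message, because the stamp is inside the data the HMAC protects.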

Security Mechanisms

User-based Authentication Mechanism is based on the following:

User-based Privacy Mechanism is based on the following:

Configuration

SNMPv3 provides the following configuration possibilities. (Note: availability depends on export restrictions.)

The network administrator can configure the protection level on a transaction-by-transaction basis. The trade-off to weigh when choosing among the configuration options is between system resources and the level of protection.

SNMPv3 Architecture

The specifications of the Internet-Standard Management Framework are based on a modular architecture. This framework is more than just a protocol for moving data. The framework consists of

The framework was structured with a protocol-independent data definition language and Management Information Base, along with a MIB-independent protocol. The SNMPv3 Framework builds on and extends these architectural principles by

Those who are familiar with the architecture of the SNMPv1 Management Framework and the SNMPv2 Management Framework will find many familiar concepts in the architecture of the SNMPv3 Management Framework. However, in some cases the terminology may be somewhat different.

Security and Administration Framework

SNMP entities contain a security subsystem (and possibly an access control subsystem) to prevent unauthorized users from accessing a MIB or parts of a MIB. SNMP entities also possess these subsystems to ensure that authorized users retrieve and update information from only the parts of the MIB that they are allowed to view. Only a user who has the necessary access privileges will be able to obtain the desired level of service from a properly configured SNMP entity.

A Security Administration Framework defines the mechanisms that control the level of service provided by an SNMP entity. The mechanisms discriminate each message based on who is sending the message, what operation is requested, where the operation takes place within the MIB, and how the request is being sent (the security protocol in use).

Who? Authentication discriminates a request based on the sender of the message. An authentication identifier includes some type of shared secret, which is used to verify the identity of the sender.
What? Authorization discriminates a request based on the operation being requested. An authorization identifier defines a set of operations that are permitted (e.g., Get, Set, Trap, etc.).
Where? Access Control discriminates a request based on the MIB objects where a requested operation would be performed. An access control identifier, or MIB View, defines a set of objects in the MIB where operations may be performed.
How? Security Level discriminates a request based on the security protocols used for a request. Security level options include privacy protocols and alternative authentication algorithms.
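The Who/What/Where/How decision described above can be modelled in a few lines. The following is an added example in the style of the SNMPv3 View-based Access Control Model (RFC 3415), not SNMP Research's code; the users, groups, views and the excluded subtree are constructed samples, and the security level names are the RFC 3411 ones.

```python
# Added example: a small model of the four access-control questions
# (who, what, where, how) for one SNMPv3 request. Sample data only.
SECURITY_LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Who: each authenticated user name maps to one group.
USER_TO_GROUP = {"ops-reader": "readers", "netadmin": "admins"}

# What + How: per group, the permitted operations and the minimum security
# level a request must carry before it is considered at all.
GROUP_POLICY = {
    "readers": {"ops": {"get", "getnext", "getbulk"}, "min_level": "authNoPriv"},
    "admins":  {"ops": {"get", "getnext", "getbulk", "set"}, "min_level": "authPriv"},
}

# Where: a MIB view is a list of (subtree OID, included?) entries; the most
# specific matching subtree wins, as in vacmViewTreeFamilyTable. The readers'
# view grants mib-2 but carves out one subtree (assumed sample layout).
VIEWS = {
    "readers": [("1.3.6.1.2.1", True), ("1.3.6.1.2.1.4.21", False)],
    "admins":  [("1.3.6.1", True)],
}

def in_view(view, oid: str) -> bool:
    """True if the longest matching subtree entry for oid is an included one."""
    best = None
    for subtree, included in view:
        if oid == subtree or oid.startswith(subtree + "."):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]

def is_allowed(user: str, operation: str, oid: str, level: str) -> tuple:
    """Return (decision, reason) for one request, checking the four questions."""
    group = USER_TO_GROUP.get(user)
    if group is None:
        return False, "who: unknown user"
    policy = GROUP_POLICY[group]
    if SECURITY_LEVELS[level] < SECURITY_LEVELS[policy["min_level"]]:
        return False, "how: security level too low"
    if operation not in policy["ops"]:
        return False, "what: operation not permitted"
    if not in_view(VIEWS[group], oid):
        return False, "where: object outside MIB view"
    return True, "allowed"
```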

SNMPv3 RFCs

The SNMPv3 Request for Comments (RFCs) provide further detail about SNMPv3. A complete list of RFCs can be found at http://www.snmp.com/snmpv3/.

Sources for More Information

Contact Information

For further information about SNMPv3 or SNMP Research's products, please contact SNMP Research, Inc.

SNMP Research Incorporated
3001 Kimberlin Heights Rd.
Knoxville, TN 37920
U.S.A.
Tel: +1 865 573 1434
Fax: +1 865 579 6565
E-mail: info@snmp.com
www.snmp.com