Tuesday, June 29, 2021

SNMP - Simple Network Management Protocol

SNMP stands for Simple Network Management Protocol. It was initially developed to collect information from switches and routers, but it has since been extended to a wide array of devices such as Windows and Linux machines, printers, power supplies, and even IoT devices. It is available on almost any device that can transmit packets.

While working with SNMP we need to know these key terms.

OID - Object Identifier
An OID is an object identifier for a value that can be monitored on a device. Anything that can be monitored on a device with SNMP has an OID. For example, if we want to monitor the temperature of a device, we look up the OID for temperature on that device.

An OID is a string of numbers separated by dots, such as 1.3.6.1.2.1.2.2.1.8. If you want to monitor something else on the same device, you look up the OID for that item.

MIB - Management Information Base
A MIB is a text file that lets us translate numerical OIDs into text-based names. For example, synology-system-MIB::temperature.0 could be the MIB name for the OID in the example above. Technically we can work with numeric OIDs alone, but MIBs make life easier.

There are standard OIDs and MIBs shared by most devices, which makes life a lot easier. For example, sysUpTime.0 is the MIB name for system uptime on any device.
You don't really need to look up OIDs and MIBs for standard values; they are almost the same across devices. You only need to look them up for non-standard, vendor-specific values.

You can find the OIDs and MIBs in the manufacturer's user guides. Many of these documents are available online.

How does SNMP work?

Polling - The network monitoring system connects to the device on port 161 and tells it which OID it wants information on. The device then responds to the network monitoring system with the information on port 161.

Notifying - The devices themselves send OID information to the network monitoring system on port 162. These messages are called traps, notifications or informs.


Version
There are three versions of SNMP so far: SNMPv1, SNMPv2 (in practice SNMPv2c) and SNMPv3. The most prominent difference between them is the increasing level of security.

For versions 1 and 2c you don't need a username and password. You just need a community string for authentication, and this community string is sent in plain text across the network. These versions also don't offer encryption.

For version 3 the community string is replaced by a username and password. It also adds encryption (though, as explained below, it is not mandatory).

Remember: SNMP can be used to change device settings. So if you are using version 1 or 2c and an attacker gets hold of the community string, they can compromise the network.
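To make the OID and community-string points above concrete, here is an added example (not code from the original post) that builds the SNMPv2c GetRequest a monitoring system would send to port 161 for sysUpTime.0, then decodes it the way a packet sniffer would. The small OID-to-name table is a hand-constructed stand-in for a MIB file; the BER helpers implement only what this message needs.

```python
"""Build an SNMPv2c GetRequest for sysUpTime.0 and decode it the way a sniffer would.

Added example (not code from the original post). The name table below is a
hand-constructed stand-in for a MIB file and covers only a few standard OIDs.
"""

# Constructed stand-in for a MIB: numeric OID -> textual name (SNMPv2-MIB / IF-MIB).
STANDARD_OIDS = {
    "1.3.6.1.2.1.1.1.0": "sysDescr.0",
    "1.3.6.1.2.1.1.3.0": "sysUpTime.0",
    "1.3.6.1.2.1.1.5.0": "sysName.0",
    "1.3.6.1.2.1.2.2.1.8": "ifOperStatus",   # the post's example OID (a table column)
}

def oid_to_name(oid):
    """Translate a dotted OID to a MIB name; table columns keep their instance suffix."""
    if oid in STANDARD_OIDS:
        return STANDARD_OIDS[oid]
    for base, name in STANDARD_OIDS.items():
        if oid.startswith(base + "."):
            return name + "." + oid[len(base) + 1:]
    return oid  # unknown: stays numeric, as snmpwalk does without the MIB

# --- minimal BER (the encoding SNMP uses on the wire) ---------------------

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_oid(oid):
    """First two arcs share one byte (40*x+y); the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(payload):
    arcs = [payload[0] // 40, payload[0] % 40]
    val = 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def encode_int(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- the polling message the NMS sends to UDP port 161 --------------------

def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER (1 = v2c), community OCTET STRING, GetRequest-PDU }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # OID + NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                 # [0] GetRequest
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def inspect_message(packet):
    """What anyone on the path can read from a v1/v2c datagram: version, community, OIDs."""
    _, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:                      # v3 has a different header and no community field
        return {"version": "v3", "community": None, "oids": []}
    _, community, pos = read_tlv(msg, pos)
    _, pdu, _ = read_tlv(msg, pos)
    p = 0
    for _ in range(3):                    # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(vblist):
        _, vb, q = read_tlv(vblist, q)
        _, oid_bytes, _ = read_tlv(vb, 0)
        oids.append(oid_to_name(decode_oid(oid_bytes)))
    return {"version": {0: "v1", 1: "v2c"}.get(version, str(version)),
            "community": community.decode(errors="replace"), "oids": oids}

if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.3.0", request_id=42)
    print(pkt.hex())
    print(inspect_message(pkt))   # the community string is right there in plaintext
```

Running the script prints the 40-byte datagram and the decoded fields; the community string "public" is readable in the raw bytes, which is exactly why v1/v2c should be confined to isolated management networks and why a capture of port 161/162 traffic is the quickest way to audit which devices still use them.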

SNMPv3
SNMPv3 offers stronger authentication and encryption, but they are not required. If monitoring with SNMPv3 is not set up properly, there is no difference between SNMPv1 and SNMPv3, because the secure authentication and encryption are optional: they are available for you to configure, but not mandatory. Proper configuration is therefore necessary, and it all comes down to the security levels in SNMPv3.

What are security levels?
There is no default security level for SNMPv3. The security level must be configured on each device on a PER USERNAME basis, so on a single device different users can be set to different security levels.

Once you have configured the users and security levels on the device, you configure the network monitoring system to match the security levels configured on the device.

The security levels are explained below:

noAuthNoPriv
  • The lowest security level
  • Username only (no password is required)
  • Message is not encrypted.
  • No better than SNMPv1 and 2c

authNoPriv
  • Middle security level
  • Username and password are required.
  • Message is not encrypted.
  • Anyone who can see the network traffic can see your username and what the device sends back to you, because the communication takes place in plaintext.
  • The password itself is not sent over the network; instead each side uses it to compute a cryptographic hash (a keyed message digest), which lets both devices verify that they share the same password.
  • Authentication can use either the MD5 or SHA-1 hashing algorithm, but the choice must be the same on both the device and the network monitoring system.
  • The reason to use this security level is that encryption is resource intensive, and some people don't want to strain their devices, or the devices might not be able to cope with it.
authPriv
  • Highest security level
  • Username + password are used for authentication,
  • and a separate privacy password is used for encryption.
  • The messages are authenticated and also partially encrypted: the SNMP PDU is encrypted, but the username and some header metadata remain unencrypted.
  • The privacy password is used to both encrypt and decrypt the messages. You have the option of using DES or AES.
  • DES - More computationally expensive and less secure
  • AES - Less computationally expensive and more secure

Always create strong passwords, and don't use the same password for authentication and privacy. It doesn't matter which protocol version you use: if you don't use a strong password you are making the intruder's job easy.
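Two of the points above are easy to verify in code: that an SNMPv3 authentication password never travels across the network, and that the device and the network monitoring system must agree on the security level for each username. The following added example (not code from the original post) derives the localized authentication key the way RFC 3414 Appendix A.2 specifies, computes the truncated HMAC that actually goes on the wire, and then runs a small configuration checker over a device-side and NMS-side user entry. The dictionary field names (level, auth_proto, auth_pass, priv_proto, priv_pass) and the sample entries are this example's own convention, not any vendor's configuration syntax.

```python
"""SNMPv3 USM: the password stays off the wire, and the NMS must match the device's per-user level.

Added example (not code from the original post). Key derivation follows RFC 3414
Appendix A.2; the config checker and its field names are this example's own convention.
"""
import hashlib
import hmac

def password_to_key(password, engine_id, algo="md5"):
    """RFC 3414 A.2: hash 1 MiB of the repeated password, then localize to the device's engine ID."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()      # user key, same for every device
    return hashlib.new(algo, ku + engine_id + ku).digest()      # localized key, unique per device

def auth_tag(localized_key, message, algo="md5"):
    """msgAuthenticationParameters: HMAC over the message, truncated to 12 bytes (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(localized_key, message, algo).digest()[:12]

def verify_tag(localized_key, message, tag, algo="md5"):
    """The receiver recomputes the tag from its own copy of the key; the password itself is never sent."""
    return hmac.compare_digest(auth_tag(localized_key, message, algo), tag)

LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")

def check_user(name, device, nms):
    """Compare one username's settings on the device and on the NMS; return a list of findings.

    Both dicts use this example's own keys: level, auth_proto, auth_pass, priv_proto, priv_pass.
    An empty list means the two sides match and nothing weak was found.
    """
    findings = []
    if device["level"] != nms["level"]:
        findings.append(f"{name}: level mismatch (device {device['level']}, NMS {nms['level']}); polling will fail")
    level = LEVELS.index(device["level"])
    if level == 0:
        findings.append(f"{name}: noAuthNoPriv is no better than v1/v2c")
        return findings
    if device["auth_proto"] != nms["auth_proto"]:
        findings.append(f"{name}: auth protocol mismatch ({device['auth_proto']} vs {nms['auth_proto']})")
    if device["auth_proto"] == "MD5":
        findings.append(f"{name}: MD5 authentication; prefer SHA")
    if len(device["auth_pass"]) < 8:
        findings.append(f"{name}: auth password shorter than the 8-character minimum in RFC 3414")
    if level == 1:
        findings.append(f"{name}: authNoPriv sends the PDU in plaintext")
        return findings
    if device["priv_proto"] != nms["priv_proto"]:
        findings.append(f"{name}: privacy protocol mismatch ({device['priv_proto']} vs {nms['priv_proto']})")
    if device["priv_proto"] == "DES":
        findings.append(f"{name}: DES privacy is slower and weaker than AES")
    if device["priv_pass"] == device["auth_pass"]:
        findings.append(f"{name}: privacy password is the same as the auth password")
    return findings

if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")   # engine ID from the RFC 3414 A.3 sample
    key = password_to_key("maplesyrup", engine)
    msg = b"constructed SNMPv3 message bytes"              # stand-in for a real wholeMsg
    tag = auth_tag(key, msg)
    print(key.hex(), tag.hex(), verify_tag(key, msg, tag))
    good = {"level": "authPriv", "auth_proto": "SHA", "auth_pass": "correct horse battery",
            "priv_proto": "AES", "priv_pass": "staple octopus lantern"}
    weak = {"level": "authPriv", "auth_proto": "MD5", "auth_pass": "secret",
            "priv_proto": "DES", "priv_pass": "secret"}
    print(check_user("monitor", good, dict(good)))
    print(check_user("legacy", weak, dict(weak)))
```

Because the localized key is bound to the device's engine ID, the same password produces a different key on every device, so a key recovered from one device's configuration does not authenticate to another; the checker makes the page's advice operational by flagging noAuthNoPriv users, MD5/DES, short passwords and reused auth/priv passwords before the NMS is pointed at the device.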

1 comment:

  1. You've written a very useful article. This article provided me with some useful knowledge about Test Automation in Network Testing. Thank you for providing this information. Keep up the good work.

