For the longest time in the networking industry, we had a running joke about Simple Network Management Protocol (SNMP). We would love to state that it actually stood for “Security is Not My Problem!”. This was because even though SNMP was dealing with all of this potentially sensitive information about your network device, it would rely on a plain text password for security. Yuck!
SNMP version 3 really responded to the security weaknesses of the protocol by introducing a security model within the protocol. The wonderful components of this new security model that we can leverage are the user, group and security level.
That’s right, this approach is so flexible, there are multiple security levels you can take advantage of depending on the security requirements of your environment. The following security levels exits:
- “noAuthNoPriv” (no authentication and no encryption – use the noauth keyword in the CLI)
- “AuthNoPriv” (messages are authenticated but not encrypted – use the auth keyword in the CLI)
- “AuthPriv” (messages are authenticated and encrypted – use the priv keyword in the CLI)
You should note that the old SNMPv1 and SNMPv2 approaches only supported the “noAuthNoPriv” model since they used plain text community strings to match the incoming packets.
With our SNMPv3 implementations, you can configure the appropriate security model on per-group basis.
In SNMPv3, a group defines the access policy for a set of users. The access policy defines which SNMP objects can be accessed for reading and writing or which SNMP objects can generate notifications to the members of a group. A group also defines the security model and security level for its users.
Here is an example configuration for you. Here three groups are created. They are the TEST1, TEST2, and TEST3 groups. Notice these groups consist of users and can be associated with SNMP views to control the scope of access.
snmp-server view VIEW1 iso included
snmp-server view VIEW2 ifEntry.*.3 included
snmp-server group TEST1 v3 priv read VIEW1 write VIEW1
snmp-server group TEST2 v3 auth read VIEW2
snmp-server group TEST3 v3 priv
snmp-server user JOHN TEST1 v3 auth sha CISCO priv des56 CISCO
snmp-server user SARAH TEST2 v3 auth sha CISCO
snmp-server user LUCY TEST3 v3 auth sha CISCO priv des56 CISCO