SyncServer S100

SNMP is a simple request/response protocol. The network-management system issues a request, and managed devices return responses. This is implemented using one of four operations: Get, GetNext, Set, and Trap. The Get operation is used to retrieve the value of one or more object instances from an agent. If the agent responding to the Get operation cannot provide values for all the objects in a list, it does not provide any values. The GetNext operation is used to retrieve the value of the next object in a table or a list within an agent. The Set operation is used to set the values of object instances within an agent. The Trap operation is used by agents to inform the NMS of a significant event.

SNMP v1 has no authentication capabilities, which increases vulnerability to security threats. These include masquerading occurrences, modification of information, message sequence and timing modifications, and disclosure. Masquerading consists of an unauthorized entity attempting to perform management operations by assuming the identity of an authorized management entity. Modification of information involves an unauthorized entity attempting to alter a message generated by an authorized entity so that the message results in unauthorized accounting management or configuration management operations. Message sequence and timing modifications occur when an unauthorized entity reorders, delays, or copies and later replays a message generated by an authorized entity. Disclosure results when an unauthorized entity extracts values stored in managed objects, or learns of notifiable events by monitoring exchanges between managers and agents. Because SNMP v1 does not implement authentication, many vendors do not implement Set operations, thereby reducing SNMP to a monitoring facility.

Note: The S100 does not support SNMP Version 2.

Version 3

This contains many new security features that have been missing from the previous versions. Both SNMP v1 and SNMP v2c are highly insecure.

SNMP v3 introduces advanced security by splitting authentication and authorization into two facets:

The default User-based Security Module (USM) lists the users and their attributes. The USM is described by RFC 2574.

The VACM is the Version-based Access Control Module and controls which users (and SNMP v1/v2c communities as well) are allowed to access and how they can access sections of the MIB tree. The VACM is described by RFC 2575.

In this version, each user has a name (called a securityName), an authentication type (authProtocol), and a privacy type (privProtocol) as well as associated keys for each of these (authKey and privKey).

Authentication is performed using a user’s authKey to sign the message being sent. The authProtocol can be either MD5 or SHA. The authKeys (and privKeys) are generated from a passphrase that must be at least 8-10 characters in length.

Privacy is performed using a user’s privKey to encrypt the data portion of the message being sent. The privProtocol can only be DES at this time.

Messages can be sent unauthenticated, authenticated, or authenticated and encrypted by setting the securityLevel to use.
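As an added illustration (not code from the Symmetricom guide), the USM steps described in the three paragraphs above, in Python: deriving authKey from a passphrase, localizing it to one agent's engineID, computing the truncated HMAC that authenticates a message, and mapping the securityLevel choices. The passphrase and engineID are the sample values from the RFC 3414 test vectors; the message bytes are constructed, and DES privacy is not shown.

```python
import hashlib
import hmac

# authProtocol choices named in the guide; "SHA" here is SHA-1 as in RFC 2574/3414.
AUTH_HASH = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
HMAC96_LEN = 12  # msgAuthenticationParameters carries the 96-bit truncated HMAC

def password_to_key(passphrase: str, auth_proto: str) -> bytes:
    """Ku: hash the passphrase repeated until 1,048,576 bytes have been fed in."""
    if len(passphrase) < 8:
        raise ValueError("USM passphrase must be at least 8 characters")
    pw = passphrase.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return AUTH_HASH[auth_proto](stream).digest()

def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same passphrase yields a different key per agent."""
    return AUTH_HASH[auth_proto](ku + engine_id + ku).digest()

def auth_parameters(kul: bytes, wire_msg: bytes, auth_proto: str) -> bytes:
    """HMAC-96 over the whole message; the caller zeroes the parameters field first."""
    return hmac.new(kul, wire_msg, AUTH_HASH[auth_proto]).digest()[:HMAC96_LEN]

def verify_auth(kul: bytes, wire_msg: bytes, received: bytes, auth_proto: str) -> bool:
    """Constant-time comparison so a receiver does not leak the tag byte by byte."""
    return hmac.compare_digest(auth_parameters(kul, wire_msg, auth_proto), received)

def security_level(authenticated: bool, encrypted: bool) -> str:
    """USM permits privacy only on top of authentication (msgFlags securityLevel)."""
    if encrypted and not authenticated:
        raise ValueError("encryption without authentication is not a valid securityLevel")
    if encrypted:
        return "authPriv"
    return "authNoPriv" if authenticated else "noAuthNoPriv"

if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")  # sample engineID from RFC 3414 A.3
    kul = localize_key(password_to_key("maplesyrup", "MD5"), engine, "MD5")
    msg = b"constructed SNMPv3 message bytes with auth params zeroed"  # constructed sample
    tag = auth_parameters(kul, msg, "MD5")
    print(kul.hex(), tag.hex(), verify_auth(kul, msg, tag, "MD5"))
```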

106

S100 User Guide – Rev. D – June 2005
