In the following example, the software is configured from the file my-config at IP address 192.168.123.59:

Switch# copy tftp://192.168.123.59/my-config running-config

Download file ‘my-config’ from 192.168.123.59 to running-config? [y/n] y

Accessing tftp://192.168.123.59/my-config...

[OK] 487 bytes copied in time <1 sec

Updating running-config...

To clear the saved configuration, use the following command from privileged mode:

Switch# erase startup-config

5.3 Configuring SNMP

This section discusses the following tasks needed to configure Simple Network Management Protocol (SNMP).

Simple Network Management Protocol (SNMP) is the standard network management protocol on TCP/IP-based networks.

SNMP allows network managers to obtain specific performance and configuration information from a software agent on a remote-network device. SNMP allows different types of networks to communicate by exchanging network information through messages known as protocol data units (PDUs). The IntraCore IC36240 supports SNMPv1, v2 and v3. The SNMPv3 protocol has improved the authentication, access control, and security methods. The following sections outline these methods.

5.3.1 Authentication

SNMPv1 relies on IP address-based access lists and community strings, which function like a password and are shared between an SNMP manager and agent. IP address-based access lists can be vulnerable to IP address spoofing.

When there is easy physical access to a network, or when community strings are intercepted, simple network management operations can reveal network information about any device configured for remote SNMP management.

Because SNMPv3 requires that both the SNMP manager and agent share a secret authentication key, use the SNMPv3 protocol to ensure security in your network. Each SNMPv3 packet carries the user's name and key. The key is generated from a user password by using a secure hash function.

The User-based Security Model (USM) for SNMPv3 defines two authentication protocols: HMAC-MD5-96, which is based on MD5 (faster). The MD5 protocol must be implemented in an SNMPv3 environment.

MD5 is a hashing algorithm. When a message concatenated with a user's key is received, the system generates a fingerprint for the string. After the hash is performed, the fingerprint is added to the message (without the key). Sending this fingerprint with the message protects it from both the Modification of Information and Masquerade security threats. If any of the data in the packet is modified after the original is transmitted, it is detected when the hash is performed on the received message (minus the fingerprint, plus the user's key), and the result is compared to the fingerprint that was received. This process also protects the network from a Masquerade attack because the scope of the authentication includes the message's origin. In this way, both the identity of the sender and the integrity of the message can be verified.
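The key derivation and fingerprint check described above, as an added Python example (not from the manual or the switch firmware). It follows the RFC 3414 password-to-key and HMAC-MD5-96 steps; the packet is a constructed byte string with a hypothetical header, not a real BER-encoded SNMP message.

```python
import hashlib
import hmac

PLACEHOLDER = b"\x00" * 12  # auth field is zeroed while the digest is computed


def password_to_key(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated to exactly 1 MiB."""
    reps, rest = divmod(1048576, len(password))
    return hashlib.md5(password * reps + password[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key to one agent: MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def digest96(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 over the whole message, truncated to 96 bits (12 octets)."""
    return hmac.new(key, message, hashlib.md5).digest()[:12]


def sign(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Sender: hash with the field zeroed, then write the fingerprint into it."""
    return header + digest96(key, header + PLACEHOLDER + payload) + payload


def verify(key: bytes, header_len: int, packet: bytes) -> bool:
    """Receiver: pull the fingerprint out, zero the field, recompute, compare."""
    received = packet[header_len:header_len + 12]
    zeroed = packet[:header_len] + PLACEHOLDER + packet[header_len + 12:]
    return hmac.compare_digest(received, digest96(key, zeroed))


# Constructed sample values; password and engineID are the RFC 3414 A.3.1 test inputs.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KEY = localize_key(password_to_key(b"maplesyrup"), ENGINE_ID)
HEADER = b"user=admin;"  # hypothetical stand-in for the fields before the auth parameters
PACKET = sign(KEY, HEADER, b"get sysDescr.0")

if __name__ == "__main__":
    print("authentic:", verify(KEY, len(HEADER), PACKET))
    print("tampered :", verify(KEY, len(HEADER), PACKET[:-1] + b"1"))
```

The key itself never travels in the packet, only the 12-octet fingerprint does, and the comparison uses `hmac.compare_digest` so its timing does not depend on how many fingerprint bytes match.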

5.3.2 Access Control

SNMPv3 allows for the definition of multiple access controls. Access control is a security function performed at the PDU level. Strong access control demands strong authentication, which SNMPv3 provides.

Asante IntraCore IC36240

User’s Manual
