NMIS supports using SNMPv3 for securing the collection of sensivite network information. This is especially important from core switches and routers which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.
...
Once you have updated the SNMP libraries NMIS uses for SNMP, you should be able to use the following protocols for SNMPv3.
Authentication Protocols
NMIS9 name | Name | OID | Notes |
---|---|---|---|
md5 | usmHMACMD5AuthProtocol | 1.3.6.1.6.3.10.1.1.2 | RFC3411 |
sha (or sha1) | usmHMACSHAAuthProtocol | 1.3.6.1.6.3.10.1.1.3 | RFC3411 |
sha224 | usmHMAC128SHA224AuthProtocol | 1.3.6.1.6.3.10.1.1.4 | RFC3411 |
sha256 | usmHMAC192SHA256AuthProtocol | 1.3.6.1.6.3.10.1.1.5 | RFC3411 |
sha384 | usmHMAC256SHA384AuthProtocol | 1.3.6.1.6.3.10.1.1.6 | RFC3411 |
sha512 | usmHMAC384SHA512AuthProtocol | 1.3.6.1.6.3.10.1.1.7 | RFC3411 |
Privilege Protocols
NMIS9 name | Name | OID | Notes |
---|---|---|---|
des | usmDESPrivProtocol | 1.3.6.1.6.3.10.1.2.1 | RFC3411 |
3des | usm3DESPrivProtocol | 1.3.6.1.4.1.14832.1 | RFC3411 |
aes (or aes128) | usmAESCfb128PrivProtocol | 1.3.6.1.4.1.14832.2 | Blumenthal implementation of SNMPv3 |
aes192 | usmAESCfb192PrivProtocol | 1.3.6.1.4.1.14832.3 | Blumenthal implementation of SNMPv3 |
aes256 | usmAESCfb256PrivProtocol | 1.3.6.1.4.1.14832.4 | Blumenthal implementation of SNMPv3 |
aes192c | cusmAESCfb192PrivProtocol | 1.3.6.1.4.1.9.12.6.1.1 | Cisco implementation of SNMPv3 AES192 |
aes256c | cusmAESCfb256PrivProtocol | 1.3.6.1.4.1.9.12.6.1.2 | Cisco implementation of SNMPv3 AES256 |
aes192c2 | usmAES192Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.101 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
aes256c2 | usmAES256Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.102 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
Update or Install Perl Modules
Crypt::Rijndael module needs to be installed for AES support. This is the command to install Crypt::Rijndael if this module is not already installed and will ensure we have the latest version:
Code Block |
---|
sudo cpanm Crypt::Rijndael --sudo |
Net::SNMP module needs to be up to date - currently v6.0.1 - this command will ensure we have the latest version:
Code Block |
---|
sudo cpanm Net::SNMP --sudo |
Patch Net::SNMP::Security::USM to support 256 bit and higher encryption
The NMIS development team have added support to the Net::SNMP library using the work done recently by the team and leveraging the work done by Napsty @ https://raw.githubusercontent.com/Napsty/scripts/master/perl-net-snmp-sha2/USM.pm
If you are using NMIS 9.4.3 or earlier you will need to obtain the contrib folder from GitHub @https@ https://github.com/Opmantek/nmis9/tree/nmis9_dev/contrib/perl-net-snmp-256
We will use a patched Net::SNMP::Security::USM, for Net::SNMP v6.0.1, which is backwards compatible with all snmp protocol strings used in the original Net::SNMP::Security::USM module.
All protocol strings are case-insensitive.
Copy the shipped USM.pm from the contrib folder and replace the Net::SNMP v6.0.1 version.
On RedHat 8 based systems
Code Block |
---|
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm |
On Debian/Ubuntu based systems
Code Block |
---|
sudo cp /usr/share/perl5/Net/SNMP/Security/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm |
...
For example on a Fortigate device, the administration GUI allowed setting SHA256 and AES256 but these would not work together, when SHA256 and AES256 Cisco were used, the system was very happy. Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).
...