NMIS supports using SNMPv3 to secure the collection of sensitive network information. This is especially important for core switches and routers, which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that people want to use the authPriv (Authentication and Privilege) mode, which is the most secure.
...
NMIS9 name | Name | OID | Notes |
---|---|---|---|
des | usmDESPrivProtocol | 1.3.6.1.6.3.10.1.2.1 | RFC3411 |
3des | usm3DESPrivProtocol | 1.3.6.1.4.1.14832.1 | RFC3411 |
aes (or aes128) | usmAESCfb128PrivProtocol | 1.3.6.1.4.1.14832.2 | Blumenthal implementation of SNMPv3 |
aes192 | usmAESCfb192PrivProtocol | 1.3.6.1.4.1.14832.3 | Blumenthal implementation of SNMPv3 |
aes256 | usmAESCfb256PrivProtocol | 1.3.6.1.4.1.14832.4 | Blumenthal implementation of SNMPv3 |
aes192c | cusmAESCfb192PrivProtocol | 1.3.6.1.4.1.9.12.6.1.1 | Cisco implementation of SNMPv3 AES192 |
aes256c | cusmAESCfb256PrivProtocol | 1.3.6.1.4.1.9.12.6.1.2 | Cisco implementation of SNMPv3 AES256 |
aes192c2 | usmAES192Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.101 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
aes256c2 | usmAES256Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.102 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
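The table lists two AES-192/256 families that use the same cipher but carry different OIDs, and what differs between them is how the passphrase becomes a 24- or 32-byte key once the authentication hash output is shorter than the cipher key. The following is an added example, not NMIS code and not a derivation this page describes: it implements RFC 3414 password-to-key and key localization (with the RFC 7860 SHA-2 hashes) plus the Blumenthal key extension used by the `aes192`/`aes256` entries; the Cisco `aesNNNc` extension rule is deliberately not implemented, and the passphrase and engine ID are the RFC 3414 Appendix A sample values.

```python
"""SNMPv3 USM key derivation: RFC 3414 password-to-key and key localization,
RFC 7860 SHA-2 variants, and the Blumenthal key extension used when the
auth hash is shorter than the AES key."""
import hashlib

# Auth protocol -> hash constructor (RFC 3414: MD5, SHA-1; RFC 7860: SHA-2).
AUTH_HASH = {"md5": hashlib.md5, "sha1": hashlib.sha1,
             "sha256": hashlib.sha256, "sha512": hashlib.sha512}
# Priv protocol (NMIS9 names from the table) -> bytes of key material needed.
# DES needs 16: an 8-byte key plus an 8-byte pre-IV (RFC 3414 8.1.1.1).
PRIV_KEY_LEN = {"des": 16, "aes": 16, "aes128": 16, "aes192": 24, "aes256": 32}
MEGABYTE = 1048576


def password_to_key(password: str, auth: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated passphrase -> Ku."""
    pw = password.encode()
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return AUTH_HASH[auth](stream).digest()


def localize(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so the key is unique per agent."""
    return AUTH_HASH[auth](ku + engine_id + ku).digest()


def blumenthal_extend(kul: bytes, auth: str, need: int) -> bytes:
    """draft-blumenthal-aes-usm: append H(current key) until it is long enough.
    The Cisco 'aesNNNc' protocols use a different extension rule (not shown here),
    which is why they carry their own OIDs and do not interoperate with these."""
    while len(kul) < need:
        kul += AUTH_HASH[auth](kul).digest()
    return kul[:need]


def priv_key(password: str, engine_id: bytes, auth: str, priv: str) -> bytes:
    """Localized privacy key for one auth/priv pairing."""
    need = PRIV_KEY_LEN[priv]
    kul = localize(password_to_key(password, auth), engine_id, auth)
    if len(kul) >= need:
        return kul[:need]  # SHA-256 + AES-256: the 32-byte Kul is used as is
    return blumenthal_extend(kul, auth, need)  # SHA-1 + AES-256: only 20 bytes, extend


if __name__ == "__main__":
    # Constructed sample values: the RFC 3414 Appendix A passphrase and engine ID.
    eid = bytes.fromhex("000000000000000000000002")
    for auth, priv in (("sha1", "aes128"), ("sha1", "aes256"), ("sha256", "aes256")):
        print(f"{auth:7}{priv:7} {priv_key('maplesyrup', eid, auth, priv).hex()}")
```

With SHA-256 authentication no extension step runs at all, so an auth/priv pairing that works on one vendor's AES-256 can fail on another's purely because of the extension rule chosen when the hash is shorter than the key.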
...
On RedHat 8 based systems (including our CentOS Virtual Machine):

```shell
# Keep a copy of the vendor-supplied USM.pm before replacing it
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original
# Install the AES256-capable USM.pm shipped in the NMIS9 contrib directory
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm
```
...
For example, on a Fortigate device the administration GUI allowed setting SHA256 and AES256, but these would not work together. When SHA256 and AES256 Cisco were used, the system was very happy.
Many Cisco devices will support SHA256 but only AES128 (which, given the entropy, is reasonable: "AES-128 would take about 2.61*10^12 years to crack", https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).
NMIS can only support something if the vendor supports it.
At the time of writing (March 2023), net-snmp on Linux does not include support for AES256 by default, nor do the SNAP repositories. net-snmp does support AES256; you just need to compile it yourself.
...
This means the remote SNMP agent in the end device (node) does not know what this authentication protocol is.
Related Topics
...
Confirmed working combinations
Below is a list of confirmed working SNMPv3 combinations across a variety of vendors and operating systems.
This is by no means a comprehensive list of the products we support.
Vendor / Operating System | SHA | AES |
---|---|---|
Cisco IOS | SHA1 | AES256C |
Cisco IOS | SHA1 | AES192C |
Cisco IOS | SHA1 | AES128 |
Cisco NX-OS | SHA1 | AES128 |
Cisco NX-OS | SHA256 | AES128 |
Fortinet | SHA256C | AES256C |
You may notice that when configuring SNMPv3 on a Cisco IOS device there is no explicit AES192C/AES256C option in the command; the device side is simply defined as AES 192 and/or AES 256. When configuring the device in NMIS, you will need to explicitly tell it to use AES192C/AES256C.