NMIS supports SNMPv3 for securing the collection of sensitive network information. This matters most for core switches and routers, where a compromise could have considerable business impact. This configuration note does not cover the SNMPv3 protocol itself, and assumes that you want to use authPriv (authentication and privacy) mode, which is the most secure.
...
```
/usr/local/nmis9/bin/admin/testtests.pl act=snmp node=NODENAME
```
...
NMIS9 name | Name | OID | Notes |
---|---|---|---|
des | usmDESPrivProtocol | 1.3.6.1.6.3.10.1.2.1 | RFC3411 |
3des | usm3DESPrivProtocol | 1.3.6.1.4.1.14832.1 | RFC3411 |
aes (or aes128) | usmAESCfb128PrivProtocol | 1.3.6.1.4.1.14832.2 | Blumenthal implementation of SNMPv3 |
aes192 | usmAESCfb192PrivProtocol | 1.3.6.1.4.1.14832.3 | Blumenthal implementation of SNMPv3 |
aes256 | usmAESCfb256PrivProtocol | 1.3.6.1.4.1.14832.4 | Blumenthal implementation of SNMPv3 |
aes192c | cusmAESCfb192PrivProtocol | 1.3.6.1.4.1.9.12.6.1.1 | Cisco implementation of SNMPv3 AES192 |
aes256c | cusmAESCfb256PrivProtocol | 1.3.6.1.4.1.9.12.6.1.2 | Cisco implementation of SNMPv3 AES256 |
aes192c2 | usmAES192Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.101 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
aes256c2 | usmAES256Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.102 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
...
Many Cisco devices support SHA256 but only AES128 (which, given the key entropy, is reasonable: "AES-128 would take about 2.61*10^12 years to crack", https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).
...
Vendor / Operating System | SHA | AES | NMIS Considerations |
---|---|---|---|
Cisco IOS | SHA1 | AES256 | set entry.configuration.privprotocol to aes256c in NMIS |
Cisco IOS | SHA1 | AES192 | set entry.configuration.privprotocol to aes192c in NMIS |
Cisco IOS | SHA1 | AES128 | |
Cisco NX-OS | SHA1 | AES128 | |
Cisco NX-OS | SHA256 | AES128 | |
Fortinet | SHA1 | AES | |
Fortinet | SHA224 | AES256 Cisco | set entry.configuration.authprotocol to sha224 AND entry.configuration.privprotocol to aes256c in NMIS |
Fortinet | SHA256 | AES256 Cisco | set entry.configuration.authprotocol to sha256 AND entry.configuration.privprotocol to aes256c in NMIS |
Fortinet | SHA384 | AES256 Cisco | set entry.configuration.authprotocol to sha384 AND entry.configuration.privprotocol to aes256c in NMIS |
Fortinet | SHA512 | AES256 Cisco | set entry.configuration.authprotocol to sha512 AND entry.configuration.privprotocol to aes256c in NMIS |
Palo Alto | SHA1 | AES128 | |
Palo Alto | SHA224 | AES128 | |
Palo Alto | SHA256 | AES128 | |
Palo Alto | SHA384 | AES128 | |
Palo Alto | SHA224 | AES192 | set entry.configuration.privprotocol to aes192c in NMIS |
Palo Alto | SHA256 | AES192 | set entry.configuration.privprotocol to aes192c in NMIS |
Palo Alto | SHA256 | AES256 | set entry.configuration.privprotocol to aes256c in NMIS |
Palo Alto | SHA384 | AES192 | set entry.configuration.privprotocol to aes192c in NMIS |
Palo Alto | SHA384 | AES256 | set entry.configuration.privprotocol to aes256c in NMIS |
NET-SNMP (tested on v5.8 with Ubuntu 20.04) | SHA512 | AES128 | set entry.configuration.authprotocol to sha512 in NMIS |
You may notice that when configuring SNMPv3 on, for example, a Cisco IOS device, the command has no explicit AES192C/AES256C option; on the device it is defined as AES 192 and/or AES 256. The "c" suffix exists only on the NMIS side, to tell NMIS which key-localisation variant the device actually uses.
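The two tables above (the NMIS9 privprotocol names with their OIDs, and the per-vendor notes on when the Cisco-style aes192c/aes256c names are required) are easy to get wrong by hand, and a mismatch only shows up as a failed poll. The following added example is not NMIS's own code: it is a small pre-flight check that takes an NMIS9 node entry and a vendor label and reports configuration mistakes before the node is imported. Only `entry.configuration.authprotocol` and `entry.configuration.privprotocol` are key names taken from the page; `version`, `username`, `authpassword` and `privpassword`, the `md5`/`sha` auth names, the vendor strings and all function names are assumptions for this illustration, and the sample entries are constructed.

```python
"""Pre-flight check of the SNMPv3 section of an NMIS9 node entry (added example,
not NMIS code). Protocol names, OIDs and vendor rules are taken from the tables on
this page; key names other than authprotocol/privprotocol are assumed."""

# NMIS9 privprotocol name -> (USM protocol name, OID), copied from the page's table.
PRIV_PROTOCOLS = {
    "des":      ("usmDESPrivProtocol",          "1.3.6.1.6.3.10.1.2.1"),
    "3des":     ("usm3DESPrivProtocol",         "1.3.6.1.4.1.14832.1"),
    "aes":      ("usmAESCfb128PrivProtocol",    "1.3.6.1.4.1.14832.2"),
    "aes128":   ("usmAESCfb128PrivProtocol",    "1.3.6.1.4.1.14832.2"),
    "aes192":   ("usmAESCfb192PrivProtocol",    "1.3.6.1.4.1.14832.3"),
    "aes256":   ("usmAESCfb256PrivProtocol",    "1.3.6.1.4.1.14832.4"),
    "aes192c":  ("cusmAESCfb192PrivProtocol",   "1.3.6.1.4.1.9.12.6.1.1"),
    "aes256c":  ("cusmAESCfb256PrivProtocol",   "1.3.6.1.4.1.9.12.6.1.2"),
    "aes192c2": ("usmAES192Cisco2PrivProtocol", "1.3.6.1.4.1.9.12.6.1.101"),
    "aes256c2": ("usmAES256Cisco2PrivProtocol", "1.3.6.1.4.1.9.12.6.1.102"),
}

# authprotocol values seen in the vendor table, plus "md5" and "sha" (assumed NMIS
# names for MD5 and SHA1; not stated on the page).
AUTH_PROTOCOLS = {"md5", "sha", "sha224", "sha256", "sha384", "sha512"}

# Vendors whose AES192/AES256 rows in the vendor table require the Cisco-style name.
CISCO_STYLE_AES_VENDORS = {"Cisco IOS", "Fortinet", "Palo Alto"}
CISCO_STYLE_NAME = {"aes192": "aes192c", "aes256": "aes256c"}


def priv_protocol_oid(name):
    """Return the USM privacy protocol OID that an NMIS9 privprotocol value selects."""
    _usm_name, oid = PRIV_PROTOCOLS[name.lower()]
    return oid


def check_snmpv3_entry(entry, vendor):
    """Return a list of (severity, message) findings for one NMIS9 node entry.

    severity is "error" (polling will fail, or the node is not authPriv) or
    "warn" (works but weaker than it should be). An empty list means no findings.
    """
    cfg = entry.get("configuration", {})
    findings = []
    if cfg.get("version") != "snmpv3":  # "version" key is assumed
        findings.append(("error", "version is not snmpv3, so authPriv cannot be used"))
        return findings
    auth = str(cfg.get("authprotocol", "")).lower()
    priv = str(cfg.get("privprotocol", "")).lower()
    if auth not in AUTH_PROTOCOLS:
        findings.append(("error", f"unknown authprotocol '{auth}'"))
    if priv not in PRIV_PROTOCOLS:
        findings.append(("error", f"unknown privprotocol '{priv}'"))
    for key in ("username", "authpassword", "privpassword"):  # assumed key names
        if not cfg.get(key):
            findings.append(("error", f"{key} is empty; authPriv needs all three"))
    if priv in ("des", "3des"):
        findings.append(("warn", f"privprotocol '{priv}' is legacy; prefer an AES mode the device supports"))
    if auth == "md5":
        findings.append(("warn", "authprotocol md5 is legacy; prefer a SHA variant"))
    # The device CLI says "aes 192"/"aes 256", but NMIS must be told it is the Cisco variant.
    if vendor in CISCO_STYLE_AES_VENDORS and priv in CISCO_STYLE_NAME:
        findings.append(("error",
                         f"{vendor} implements {priv.upper()} the Cisco way: set privprotocol to "
                         f"'{CISCO_STYLE_NAME[priv]}' (the device CLI still calls it 'aes {priv[3:]}')"))
    if vendor == "Cisco NX-OS" and priv.startswith("aes") and priv not in ("aes", "aes128"):
        findings.append(("warn", "the vendor table lists only AES128 for Cisco NX-OS"))
    return findings


# Constructed sample entries (hypothetical nodes and placeholder secrets, not real data).
SAMPLE_NODES = {
    "core-rtr-1": ("Cisco IOS", {"configuration": {
        "version": "snmpv3", "username": "nmis-ro", "authprotocol": "sha",
        "authpassword": "AUTH-PLACEHOLDER", "privprotocol": "aes256",
        "privpassword": "PRIV-PLACEHOLDER"}}),
    "lab-linux-1": ("NET-SNMP", {"configuration": {
        "version": "snmpv3", "username": "nmis-ro", "authprotocol": "sha512",
        "authpassword": "AUTH-PLACEHOLDER", "privprotocol": "aes128",
        "privpassword": "PRIV-PLACEHOLDER"}}),
    "old-switch-1": ("Cisco IOS", {"configuration": {"version": "snmpv2c"}}),
}

if __name__ == "__main__":
    for node, (vendor, entry) in SAMPLE_NODES.items():
        findings = check_snmpv3_entry(entry, vendor) or [("ok", "no findings")]
        for severity, message in findings:
            print(f"{node} ({vendor}): {severity}: {message}")
```

Run it as a script to see the findings for the three constructed nodes; in practice you would load each node's JSON (as exported by NMIS9) and pass the vendor you know from the device, then fix any "error" lines before importing the node. The `priv_protocol_oid` helper is there so the NMIS name you chose can be matched against the OID a device or packet capture reports.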
...