Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NMIS supports using SNMPv3 for securing the collection of sensitive network information.  This is especially important from core switches and routers which if compromised could have a considerable business impact.  This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.

NOTE: From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected)

Table of Contents

IMPORTANT NOTE ON 256 BIT ENCRYPTION PROTOCOL SUPPORT

...

The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.

Required Linux SNMPD Configuration for SNMPv3 communication to

...

NMIS9

Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.

...

Code Block
/usr/local/nmis9/bin/admin/testtests.pl act=snmp node=NODENAME

...

Updating NMIS9 to support SHA256 and AES256 including Cisco variants

The history of encryption in SNMPv3 is long and From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected and passes Net::SNMP v6 requirements), so the instructions below are not required.

The history of encryption in SNMPv3 is long and winding and possibly interesting to some people, the reality is that the only consistency with SNMPv3 implementations is the inconsistency in the implementations by different vendors and projects.  Frequently combinations of protocols are not supported (or do not work), so you need to find the matching combinations.

...

NMIS9 nameNameOIDNotes
desusmDESPrivProtocol1.3.6.1.6.3.10.1.2.1RFC3411
3desusm3DESPrivProtocol1.3.6.1.4.1.14832.1RFC3411
aes (or aes128)usmAESCfb128PrivProtocol1.3.6.1.4.1.14832.2Blumenthal implementation of SNMPv3
aes192usmAESCfb192PrivProtocol1.3.6.1.4.1.14832.3Blumenthal implementation of SNMPv3
aes256usmAESCfb256PrivProtocol1.3.6.1.4.1.14832.4Blumenthal implementation of SNMPv3
aes192ccusmAESCfb192PrivProtocol

1.3.6.1.4.1.9.12.6.1.1

Cisco implementation of SNMPv3 AES192
aes256ccusmAESCfb256PrivProtocol1.3.6.1.4.1.9.12.6.1.2Cisco implementation of SNMPv3 AES256
aes192c2

usmAES192Cisco2PrivProtocol

1.3.6.1.4.1.9.12.6.1.101A mysterious version 2 of the Cisco implementation, possibly related to pysnmp
aes256c2usmAES256Cisco2PrivProtocol1.3.6.1.4.1.9.12.6.1.102A mysterious version 2 of the Cisco implementation, possibly related to pysnmp

...

Copy the shipped USM.pm from the contrib folder and replace the Net::SNMP v6.0.1 version.

On RedHat 8 based systems (including our CentOS Virtual Machine)

...

NOTE: NMIS 9.5.2 will place the USM.pm file into the NMIS lib structure and does not change lib files outside of the nmis9 directory

On RedHat 8 based systems (including our CentOS Virtual Machine)

Code Block
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

On Debian/Ubuntu based systems

Code Block
sudo cp

# some similar systems may also have these files in
ls -l /usr/local/share/perl5/Net/SNMP/Security/USM.pm

# if they exist run the same operations to replace them
sudo cp /usr/local/share/perl5/Net/SNMP/Security/USM.pm /usr/local/share/perl5/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/local/share/perl5/Net/SNMP/Security/USM.pm

Find where USM.pm is installed

Older Linux versions will have the Perl module somewhere else, the fastest way to find it is to use find.

Code Block
sudo find /usr -name USM.pm

Restart the NMIS9 Daemon

Code Block
sudo systemctl restart nmis9d

Update NMIS GUI to show new options

...

On Debian/Ubuntu based systems

Code Block
sudo cp /usr/share/perl5/Net/SNMP/Security/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/Table-NodesUSM.nmispm /usr/share/localperl5/nmis9/conf

Testing SNMPv3 quickly

The contrib folder includes a lightweight SNMP testing tool, which differs from the nmis9/admin/tests.pl tool, in that it does not use net-snmp Linux package at all, it purely exercises the NMIS SNMP libraries.

Code Block
/usr/local/nmis9/contrib/perl-net-snmp-256/test-snmp.pl node=lab-fortigate

SNMP test results for lab-fortigate:
  Open SNMP session to lab-fortigate
    Auth Protocol: sha, Priv Protocol: aes
  Testing SNMP session
  Performing SNMP get of 1.3.6.1.2.1.1.1.0 and 1.3.6.1.2.1.1.2.0
    sysDescr: lab-fortigate-int
    sysObjectID: 1.3.6.1.4.1.12356.101.1.65

SNMP PASSED

To quickly change NMIS configuration to use a different combination, update the device and commit/apply changes.

Update NMIS node details:

Code Block
/usr/local/nmis9/admin/node_admin.pl act=set node=lab-fortigate entry.configuration.authprotocol=sha256 entry.configuration.privprotocol=aes256c

Repeat your SNMP test

Code Block
SNMP testNet/SNMP/Security/USM.pm

Find where USM.pm is installed

Older Linux versions will have the Perl module somewhere else, the fastest way to find it is to use find.

Code Block
sudo find /usr -name USM.pm

Restart the NMIS9 Daemon

Code Block
sudo systemctl restart nmis9d

Update NMIS GUI to show new options

Code Block
# Make a copy of original incase you have customization and forget to add it
# If command says it doesnt exisit you can skip to next command
sudo cp /usr/local/nmis9/conf/Table-Nodes.nmis /usr/local/nmis9/conf/Table-Nodes.nmis.bak
# Adding in new SNMPv3 Options
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/Table-Nodes.nmis /usr/local/nmis9/conf

Testing SNMPv3 quickly

The contrib folder includes a lightweight SNMP testing tool, which differs from the nmis9/admin/tests.pl tool, in that it does not use net-snmp Linux package at all, it purely exercises the NMIS SNMP libraries.

Code Block
/usr/local/nmis9/contrib/perl-net-snmp-256/test-snmp.pl node=lab-fortigate

SNMP test results for lab-fortigate:
  Open SNMP session to lab-fortigate
    Auth Protocol: sha256sha, Priv Protocol: aes256caes
  Testing SNMP session
  Performing SNMP get of 1.3.6.1.2.1.1.1.0 and 1.3.6.1.2.1.1.2.0
    sysDescr: lab-fortigate-int
    sysObjectID: 1.3.6.1.4.1.12356.101.1.65

SNMP PASSED

More on Vendor Support for SHA and AES 256

In testing the NMIS development team found that the implementation of SNMP options was not consistent.

For example on a Fortigate device, the administration GUI allowed setting SHA256 and AES256 but these would not work together. When SHA256 and AES256 Cisco were used, the system was very happy.  

Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).

At the time of writing (March 2023) net-snmp on Linux does not include support for AES256 by default (including SNAP repositories). net-snmp does support AES256, you just need to compile if yourself.

SNMPv3 Error Messages and How to Decode Them

No response from remote host during synchronization

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not open SNMP session to node lab-fortigate: No response from remote host "lab-fortigate-int.opmantek.net" during synchronization

This means you have the wrong authentication protocol or password, you will need to change them and try again

No response from remote host

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not retrieve SNMP vars from node lab-fortigate: No response from remote host "lab-fortigate-int.opmantek.net"

This means you have the wrong privilege protocol or password, you will need to change them and try again

The authProtocol is unknown during discovery

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not open SNMP session to node lab-fortigate: The authProtocol "1.3.6.1.6.3.10.1.1.5" is unknown during discovery

This means the remote SNMP agent in the end device (node) does not know what this authentication protocol is.

Confirmed working combinations

The below is a list of confirmed working SNMPv3 combinations across a variety of different vendor and operating systems.

This is by no means a comprehensive list of the products we support.

...



To quickly change NMIS configuration to use a different combination, update the device and commit/apply changes.

Update NMIS node details:

Code Block
/usr/local/nmis9/admin/node_admin.pl act=set node=lab-fortigate entry.configuration.authprotocol=sha256 entry.configuration.privprotocol=aes256c

Repeat your SNMP test

Code Block
SNMP test results for lab-fortigate:
  Open SNMP session to lab-fortigate
    Auth Protocol: sha256, Priv Protocol: aes256c
  Testing SNMP session
  Performing SNMP get of 1.3.6.1.2.1.1.1.0 and 1.3.6.1.2.1.1.2.0
    sysDescr: lab-fortigate-int
    sysObjectID: 1.3.6.1.4.1.12356.101.1.65

SNMP PASSED


More on Vendor Support for SHA and AES 256

In testing the NMIS development team found that the implementation of SNMP options was not consistent.

For example on a Fortigate device, the administration GUI allowed setting SHA256 and AES256 but these would not work together. When SHA256 and AES256 Cisco were used, the system was very happy.  

Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).

At the time of writing (March 2023) net-snmp on Linux does not include support for AES256 by default (including SNAP repositories). net-snmp does support AES256, you just need to compile if yourself.

SNMPv3 Error Messages and How to Decode Them

No response from remote host during synchronization

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not open SNMP session to node lab-fortigate: No response from remote host "lab-fortigate-int.opmantek.net" during synchronization

This means you have the wrong authentication protocol or password, you will need to change them and try again

No response from remote host

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not retrieve SNMP vars from node lab-fortigate: No response from remote host "lab-fortigate-int.opmantek.net"

This means you have the wrong privilege protocol or password, you will need to change them and try again

The authProtocol is unknown during discovery

The test-snmp.pl tool would show this:

Code Block
ERROR: Could not open SNMP session to node lab-fortigate: The authProtocol "1.3.6.1.6.3.10.1.1.5" is unknown during discovery

This means the remote SNMP agent in the end device (node) does not know what this authentication protocol is.

Confirmed working combinations

The below is a list of confirmed working SNMPv3 combinations across a variety of different vendor and operating systems.

This is by no means a comprehensive list of the products we support.

SHA1SHA1
Vendor / Operating SystemSHAAESNMIS Considerations
Cisco IOSSHA1AES256aes256c needs to be configured as the entry.configuration.privprotocol value
SHA1AES192aes192c needs to be configured as the entry.configuration.privprotocol value
SHA1AES128
Cisco NX-OSSHA1AES128
SHA256AES128
FortinetSHA1AES
SHA224AES256 Ciscosha224 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
SHA256AES256 Ciscosha256 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
SHA384AES256 Ciscosha384 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol " value in NMIS
SHA512AES192"aes192c" AES256 Ciscosha512 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol " value in NMIS
Palo AltoSHA1AES128Cisco NX-OS
SHA224AES128
SHA256AES128
SHA384FortinetAES128
SHA256CSHA224AES256C"sha256" needs AES192aes192c needs to be configured as the entry.configuration.authprotocol" value in NMIS AND "aes256c" needs privprotocol value
SHA256AES192aes192c needs to be configured as the entry.configuration.privprotocol " value in NMISPalo AltoSHA1AES128SHA224AES128SHA256AES128SHA384AES128SHA224AES192"aes192c"
SHA256AES256aes256c needs to be configured as the entry.configuration.privprotocol " value in NMIS
SHA256SHA384AES192"aes192c " needs to be configured as the entry.configuration.privprotocol " value in NMIS
SHA256SHA384AES256"aes256c" needs aes256c needs to be configured as the entry.configuration.privprotocol " value in NMISSHA384AES192"aes192c" value
NET-SNMP (Tested on v5.8 with Ubuntu 20.04)SHA512AES128sha512 needs to be configured as the entry.configuration.privprotocol" value in NMISSHA384authprotocol value
HUAWEISHA256AES256"aes256c " needs to be configured as the entry.configuration.privprotocol " value in NMIS

You may notice that when configuring SNMPv3 on a (for example) Cisco IOS device that there is not an explicit AES192C/AES256C in the command, rather it is needed to be defined as AES 192 and/or AES 256.

...