NMIS supports using SNMPv3 for securing the collection of sensitive network information. This is especially important from core switches and routers which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.
NOTE: From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected)
Table of Contents |
---|
IMPORTANT NOTE ON 256 BIT ENCRYPTION PROTOCOL SUPPORT
...
The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.
Required Linux SNMPD Configuration for SNMPv3 communication to
...
NMIS9
Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.
...
Code Block |
---|
/usr/local/nmis9/bin/admin/testtests.pl act=snmp node=NODENAME |
...
Updating NMIS9 to support SHA256 and AES256 including Cisco variants
The history of encryption in SNMPv3 is long and From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected and passes Net::SNMP v6 requirements), so the instructions below are not required.
The history of encryption in SNMPv3 is long and winding and possibly interesting to some people, the reality is that the only consistency with SNMPv3 implementations is the inconsistency in the implementations by different vendors and projects. Frequently combinations of protocols are not supported (or do not work), so you need to find the matching combinations.
...
NMIS9 name | Name | OID | Notes |
---|---|---|---|
des | usmDESPrivProtocol | 1.3.6.1.6.3.10.1.2.1 | RFC3411 |
3des | usm3DESPrivProtocol | 1.3.6.1.4.1.14832.1 | RFC3411 |
aes (or aes128) | usmAESCfb128PrivProtocol | 1.3.6.1.4.1.14832.2 | Blumenthal implementation of SNMPv3 |
aes192 | usmAESCfb192PrivProtocol | 1.3.6.1.4.1.14832.3 | Blumenthal implementation of SNMPv3 |
aes256 | usmAESCfb256PrivProtocol | 1.3.6.1.4.1.14832.4 | Blumenthal implementation of SNMPv3 |
aes192c | cusmAESCfb192PrivProtocol | 1.3.6.1.4.1.9.12.6.1.1 | Cisco implementation of SNMPv3 AES192 |
aes256c | cusmAESCfb256PrivProtocol | 1.3.6.1.4.1.9.12.6.1.2 | Cisco implementation of SNMPv3 AES256 |
aes192c2 | usmAES192Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.101 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
aes256c2 | usmAES256Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.102 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
...
Copy the shipped USM.pm from the contrib folder and replace the Net::SNMP v6.0.1 version.
On RedHat 8 based systems (including our CentOS Virtual Machine)
...
NOTE: NMIS 9.5.2 will place the USM.pm file into the NMIS lib structure and does not change lib files outside of the nmis9 directory
On RedHat 8 based systems (including our CentOS Virtual Machine)
Code Block |
---|
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm |
On Debian/Ubuntu based systems
Code Block |
---|
sudo cp # some similar systems may also have these files in ls -l /usr/local/share/perl5/Net/SNMP/Security/USM.pm # if they exist run the same operations to replace them sudo cp /usr/local/share/perl5/Net/SNMP/Security/USM.pm /usr/local/share/perl5/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/local/share/perl5/Net/SNMP/Security/USM.pm |
Find where USM.pm is installed
Older Linux versions will have the Perl module somewhere else, the fastest way to find it is to use find.
Code Block |
---|
sudo find /usr -name USM.pm |
Restart the NMIS9 Daemon
Code Block |
---|
sudo systemctl restart nmis9d |
Update NMIS GUI to show new options
...
On Debian/Ubuntu based systems
Code Block |
---|
sudo cp /usr/share/perl5/Net/SNMP/Security/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm |
Find where USM.pm is installed
Older Linux versions will have the Perl module somewhere else, the fastest way to find it is to use find.
Code Block |
---|
sudo find /usr -name USM.pm |
Restart the NMIS9 Daemon
Code Block |
---|
sudo systemctl restart nmis9d |
Update NMIS GUI to show new options
Code Block |
---|
# Make a copy of original incase you have customization and forget to add it
# If command says it doesnt exisit you can skip to next command
sudo cp /usr/local/nmis9/conf/Table-Nodes.nmis /usr/local/nmis9/conf/Table-Nodes.nmis.bak
# Adding in new SNMPv3 Options
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/Table-Nodes.nmis /usr/local/nmis9/conf |
...
Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).
...
Vendor / Operating System | SHA | AES | NMIS Considerations | ||||
---|---|---|---|---|---|---|---|
Cisco IOS | SHA1 | AES256 | aes256c needs to be configured as the entry.configuration.privprotocol value in NMISvalue | ||||
SHA1 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value in NMIS | |||||
SHA1 | AES128 | ||||||
Cisco NX-OS | SHA1 | AES128 | |||||
SHA256 | AES128 | ||||||
Fortinet | SHA1 | AES | |||||
SHA224 | AES256 Cisco | sha224 needs to be configured as the entry.configuration.authprotocol value in NMIS value AND aes256c needs to be configured as the entry.configuration.privprotocol value in NMISvalue | |||||
SHA256 | AES256 Cisco | sha256 needs to be configured as the entry.configuration.authprotocol value in NMIS value AND aes256c needs to be configured as the entry.configuration.privprotocol value in NMISvalue | |||||
SHA384 | AES256 Cisco | sha384 needs to be configured as the entry.configuration.authprotocol value in NMIS value AND aes256c needs to be configured as the entry.configuration.privprotocol value in NMISvalue | |||||
SHA512 | AES256 Cisco | sha512 needs to be configured as the entry.configuration.authprotocol value in NMIS value AND aes256c needs to be configured as the entry.configuration.privprotocol value in NMISvalue | |||||
Palo Alto | SHA1 | AES128 | |||||
SHA224 | AES128 | ||||||
SHA256 | AES128 | ||||||
SHA384 | AES128 | ||||||
SHA224 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |||||
SHA256 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |||||
SHA256 | AES128 | SHA384 | AES128 | SHA224 | AES192 | aes192c needs AES256 | aes256c needs to be configured as the entry.configuration.privprotocol value in NMIS |
SHA256SHA384 | AES192 | aes192c needs needs to be configured as the entry.configuration.privprotocol value in NMISvalue | |||||
SHA256SHA384 | AES256 | aes256c needs aes256c needs to be configured as the entry.configuration.privprotocol value in NMIS | SHA384 | AES192 | aes192c | ||
NET-SNMP (Tested on v5.8 with Ubuntu 20.04) | SHA512 | AES128 | sha512 needs to be configured as the entry.configuration.privprotocolauthprotocol value in NMIS | ||||
HUAWEI | SHA384SHA256 | AES256 | aes256c needs needs to be configured as the entry.configuration.privprotocol value in NMISvalue |
You may notice that when configuring SNMPv3 on a (for example) Cisco IOS device that there is not an explicit AES192C/AES256C in the command, rather it is needed to be defined as AES 192 and/or AES 256.
...