Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

NMIS supports using SNMPv3 for securing the collection of sensitive network information.  This is especially important from core switches and routers which if compromised could have a considerable business impact.  This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.

NOTE: From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected)

Table of Contents

IMPORTANT NOTE ON 256 BIT ENCRYPTION PROTOCOL SUPPORT

...

The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.

Required Linux SNMPD Configuration for SNMPv3 communication to

...

NMIS9

Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.

...

Updating NMIS9 to support SHA256 and AES256 including Cisco variants

The history of encryption in SNMPv3 is long and winding From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected and passes Net::SNMP v6 requirements), so the instructions below are not required.

The history of encryption in SNMPv3 is long and winding and possibly interesting to some people, the reality is that the only consistency with SNMPv3 implementations is the inconsistency in the implementations by different vendors and projects.  Frequently combinations of protocols are not supported (or do not work), so you need to find the matching combinations.

...

NMIS9 nameNameOIDNotes
desusmDESPrivProtocol1.3.6.1.6.3.10.1.2.1RFC3411
3desusm3DESPrivProtocol1.3.6.1.4.1.14832.1RFC3411
aes (or aes128)usmAESCfb128PrivProtocol1.3.6.1.4.1.14832.2Blumenthal implementation of SNMPv3
aes192usmAESCfb192PrivProtocol1.3.6.1.4.1.14832.3Blumenthal implementation of SNMPv3
aes256usmAESCfb256PrivProtocol1.3.6.1.4.1.14832.4Blumenthal implementation of SNMPv3
aes192ccusmAESCfb192PrivProtocol

1.3.6.1.4.1.9.12.6.1.1

Cisco implementation of SNMPv3 AES192
aes256ccusmAESCfb256PrivProtocol1.3.6.1.4.1.9.12.6.1.2Cisco implementation of SNMPv3 AES256
aes192c2

usmAES192Cisco2PrivProtocol

1.3.6.1.4.1.9.12.6.1.101A mysterious version 2 of the Cisco implementation, possibly related to pysnmp
aes256c2usmAES256Cisco2PrivProtocol1.3.6.1.4.1.9.12.6.1.102A mysterious version 2 of the Cisco implementation, possibly related to pysnmp

...

Copy the shipped USM.pm from the contrib folder and replace the Net::SNMP v6.0.1 version.

On RedHat 8 based systems (including our CentOS Virtual Machine)

...

NOTE: NMIS 9.5.2 will place the USM.pm file into the NMIS lib structure and does not change lib files outside of the nmis9 directory

On RedHat 8 based systems (including our CentOS Virtual Machine)

Code Block
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

# some similar systems may also have these files in
ls -l /usr/local/share/perl5/Net/SNMP/Security/USM.pm

# if they exist run the same operations to replace them
sudo cp /usr/local/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/local/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/local/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm

...

Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).

...

Vendor / Operating SystemSHAAESNMIS Considerations
Cisco IOSSHA1AES256aes256c needs to be configured as the entry.configuration.privprotocol value
SHA1AES192aes192c needs to be configured as the entry.configuration.privprotocol value
SHA1AES128
Cisco NX-OSSHA1AES128
SHA256AES128
FortinetSHA1AES
SHA224AES256 Ciscosha224 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
SHA256AES256 Ciscosha256 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
SHA384AES256 Ciscosha384 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
SHA512AES256 Ciscosha512 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value
Palo AltoSHA1AES128
SHA224AES128
SHA256AES128
SHA384AES128
SHA224AES192aes192c needs to be configured as the entry.configuration.privprotocol value
SHA256AES192aes192c needs to be configured as the entry.configuration.privprotocol value
SHA256AES256aes256c needs to be configured as the entry.configuration.privprotocol value
SHA384AES192aes192c needs to be configured as the entry.configuration.privprotocol value
SHA384AES256aes256c needs to be configured as the entry.configuration.privprotocol value
NET-SNMP (Tested on v5.8 with Ubuntu 20.04)SHA512AES128sha512 needs to be configured as the entry.configuration.authprotocol value
HUAWEISHA256AES256aes256c needs to be configured as the entry.configuration.privprotocol value

You may notice that when configuring SNMPv3 on a (for example) Cisco IOS device that there is not an explicit AES192C/AES256C in the command, rather it is needed to be defined as AES 192 and/or AES 256.

...