Cisco CCNA ICND2 (Interconnecting Cisco Networking Devices Part 2)Exam Cram

5. Infrastructure Maintenance

5.1 SNMPv2 and SNMPv3

Simple Network Management Protocol (SNMP) is used on Internet Protocol (IP) networks to monitor and manage network-attached devices. A group of managed devices is monitored and controlled by a manager. An agent, a software module running on each managed device, reports information over SNMP to the manager, which runs a Network Management System (NMS) that executes the applications that monitor and control the managed devices.

There are seven SNMP protocol data units (PDU)

  • GetRequest - request from the manager to the agent to retrieve the value of a variable.
  • SetRequest - request from the manager to the agent to change the value of a variable.
  • GetNextRequest - request from the manager to the agent for the next available variable (used to walk a MIB).
  • GetBulkRequest - enhanced version of GetNextRequest that retrieves many variables in one request.
  • Response - reply from the agent to the manager carrying the requested variables.
  • Trap - asynchronous (unsolicited) message from the agent to the manager.
  • InformRequest - asynchronous message between managers.

There are three versions of SNMP

SNMPv1: the original network management protocol used on the Internet.

SNMPv2: a revised version of SNMPv1. It contains improvements in performance, confidentiality, security, and communication between managers. Its party-based security system is very complex, however, and had to be revised so that it could be used alongside SNMPv1.

SNMPv3: adds cryptographic security, new concepts and terminology, remote configuration enhancements, and textual conventions.


The main difference between SNMPv3 and v2 (or v1) is that v3 addresses the security and privacy issues. For example, in SNMPv2 passwords are transmitted in plain text, whereas v3 uses encryption. SNMPv3 adds:

1. Authentication

2. Privacy

3. Authorization and Access Control

4. Remote configuration and administration capabilities

SNMPv1 and SNMPv2c use a community string as the password; there is no real authentication and no encryption.

The security features provided in SNMPv3 are as follows:

  • Message integrity - Ensures that a packet has not been tampered with during transit.
  • Authentication - Determines that the message is from a valid source.
  • Encryption - Scrambles the content of a packet to prevent it from being learned by an unauthorized source.

SNMPv3 is a security model in which an authentication strategy is set up for a user and the group in which the user resides.

SNMPv1 was the first version of SNMP. Although it accomplished its goal of being an open, standard protocol, it was found to be lacking in key areas such as security and flexibility.

SNMPv2 is essentially the same as SNMPv1 in practical terms, except that it adds support for 64-bit counters.

SNMPv2 did not include community strings; they were added back in SNMPv2c on demand from users.

SNMPv3 is the latest version of SNMP. Its primary feature is enhanced security.

SNMPv3 security comes primarily in two forms:

1. User-based Authentication Mechanism is based on the following:

  • MD5 message digest algorithm in HMAC
  • SHA, an optional alternative algorithm
  • Loosely synchronized monotonically increasing time indicator values defend against certain message stream modification attacks

2. User-based Privacy Mechanism is based on the following:

  • Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode
  • Provides data confidentiality
  • Uses encryption
  • Subject to export and use restrictions in many jurisdictions
  • Uses a 16-byte key known by sender and receiver
  • Multiple levels of compliance with respect to DES due to problems associated with international use
  • Triple Data Encryption Standard (Triple DES)
  • Advanced Encryption Standard (128-, 192-, and 256-bit keys)

The following security levels and encryption are available in SNMPv3:

1. noAuthNoPriv - Communication without authentication and without privacy. Uses only the user name for authentication and no encryption or privacy.

2. authNoPriv - Communication with authentication but without privacy. Provides authentication based on the Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA (Secure Hash Algorithm) algorithms.

3. authPriv - Communication with authentication and with privacy. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms and, in addition to authentication, provides DES 56-bit encryption based on the Cipher Block Chaining (CBC)-DES (DES-56) standard.

The following is the set of security levels as defined in the USM MIB (RFC 2574):

Security Model   Security Level   Authentication     Encryption Type
SNMPv1           noAuthNoPriv     Community string   None
SNMPv2c          noAuthNoPriv     Community string   None
SNMPv3           noAuthNoPriv     User name          None
SNMPv3           authNoPriv       MD5 or SHA         None
SNMPv3           authPriv         MD5 or SHA         CBC-DES (DES-56)
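The following is an added example, not part of the cram notes, showing the mechanism behind the authNoPriv and authPriv rows above: the USM password-to-key derivation and engineID localization from RFC 3414 (the successor of RFC 2574), followed by HMAC-MD5-96/HMAC-SHA-96 message authentication and the receiver-side check that detects a tampered message. The message layout and the sign/verify helpers are simplified constructions rather than real BER-encoded SNMPv3 packets; the key values can be checked against the RFC 3414 Appendix A test vector (password "maplesyrup", engineID 000000000000000000000002).

```python
import hashlib
import hmac

# Added example (not from the cram notes): RFC 3414 USM key derivation and
# HMAC-*-96 message authentication, as used by authNoPriv and authPriv.
ONE_MEGABYTE = 1_048_576
AUTH_PARAMS_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 keep only 96 bits (12 octets)

def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MB); Kul = H(Ku || engineID || Ku)."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    ku = hashlib.new(hash_name, stream).digest()
    # Localization ties the key to one agent's engineID, so a key recovered
    # from one device is useless against another device.
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:AUTH_PARAMS_LEN]

def sign_message(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """Fill the 12-byte authentication field at `offset`; it must be zero while the MAC is computed."""
    if msg[offset:offset + AUTH_PARAMS_LEN] != bytes(AUTH_PARAMS_LEN):
        raise ValueError("authentication field must be zeroed before signing")
    return msg[:offset] + auth_params(kul, msg, hash_name) + msg[offset + AUTH_PARAMS_LEN:]

def verify_message(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Receiver side: zero the field, recompute the MAC, compare in constant time."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAMS_LEN) + msg[offset + AUTH_PARAMS_LEN:]
    return hmac.compare_digest(received, auth_params(kul, zeroed, hash_name))

# Constructed demo message: not real BER/ASN.1, just a header, a zeroed
# 12-byte authentication field and a payload in the positions USM expects.
DEMO_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 test vector
DEMO_HEADER = b"\x30SNMPv3-hdr:"
DEMO_OFFSET = len(DEMO_HEADER)
DEMO_MSG = DEMO_HEADER + bytes(AUTH_PARAMS_LEN) + b"GetRequest sysDescr.0"

def demo(hash_name: str = "md5") -> tuple:
    """Returns (intact message verifies, tampered message verifies)."""
    kul = password_to_key(b"maplesyrup", DEMO_ENGINE_ID, hash_name)
    signed = sign_message(kul, DEMO_MSG, DEMO_OFFSET, hash_name)
    tampered = signed.replace(b"sysDescr", b"sysName!")  # same length, altered payload
    return (verify_message(kul, signed, DEMO_OFFSET, hash_name),
            verify_message(kul, tampered, DEMO_OFFSET, hash_name))

if __name__ == "__main__":
    print("md5:", demo("md5"), "sha1:", demo("sha1"))
```

Compare this with the community-string row of the table: there the "password" is sent in clear and no field binds it to the message contents, so nothing detects modification in transit.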

