SNMP is used to manage network devices and has three versions: SNMPv1, SNMPv2, and SNMPv3.
SNMPv1 and SNMPv2 provide only weak security, but they do support ACLs and the View-based Access Control Model (VACM). Associate an ACL and a MIB view with a community name to limit which NMSs can access the switch and which MIB nodes they can access.
SNMPv3 supports the User-based Security Model (USM), Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) authentication, and the Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms. By authenticating and encrypting communication data, SNMPv3 resolves security issues such as identity disguise (spoofing), tampering, and information leakage.
For security purposes, you are advised to configure an SNMPv3 user requiring authentication and encryption, use the SNMPv3 authentication and encryption mode to manage the switch, and associate an ACL and a MIB view with the user to limit the user's access rights.
Configure ACL 2001 to reject packets from 10.138.20.123 and allow packets from 10.138.90.111.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 deny source 10.138.20.123 0
[HUAWEI-acl-basic-2001] rule 10 permit source 10.138.90.111 0
[HUAWEI-acl-basic-2001] quit
Configure ACL 2001 as an SNMP ACL to filter users and limit the NMSs that can access the switch.
[HUAWEI] snmp-agent acl 2001
Configure a MIB view named iso-view that includes all nodes in the subtree whose root node is the International Organization for Standardization (ISO) node.
[HUAWEI] snmp-agent mib-view included iso-view iso
Configure an SNMPv3 group named v3group, set the associated read, write, and notify views to iso-view, and apply ACL 2001 to the SNMPv3 group to filter users by user group.
[HUAWEI] snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
Configure an SNMPv3 user named v3user, add the user to group v3group, apply ACL 2001 to the user, and set SHA authentication and AES-256 encryption for the user.
[HUAWEI] snmp-agent usm-user v3 v3user group v3group
[HUAWEI] snmp-agent usm-user v3 v3user group v3group acl 2001
[HUAWEI] snmp-agent usm-user v3 v3user authentication-mode sha
Please configure the authentication password (8-64)
Enter Password:
Confirm Password:
[HUAWEI] snmp-agent usm-user v3 v3user privacy-mode aes256
Please configure the privacy password (8-64)
Enter Password:
Confirm Password:
In V200R019C00, the system software does not support the sha parameter. To use the sha parameter, you need to install the V200R019SPH007 patch or the SHA1 plug-in. For higher security purposes, you are advised to specify the sha2-256 parameter, which indicates the more secure HMAC-SHA2-256-192 algorithm.
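As an added audit check (not Huawei code), the following script scans a constructed snmp-agent configuration fragment for the weak settings this page warns against: SNMPv1/v2c community strings, v1/v2c enabled, users with no authentication or privacy mode, the sha mode where sha2-256 is recommended, and users or groups with no ACL bound. The token positions it relies on assume the command layout shown above.

```python
# Added audit helper (hypothetical, not a Huawei tool); the config fragment below is constructed.
SAMPLE_CONFIG = """\
snmp-agent community read public
snmp-agent sys-info version v2c v3
snmp-agent mib-view included iso-view iso
snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001
snmp-agent usm-user v3 v3user group v3group acl 2001
snmp-agent usm-user v3 v3user authentication-mode sha
snmp-agent usm-user v3 v3user privacy-mode aes256
snmp-agent usm-user v3 legacy group v3group
"""
WEAK_AUTH = {"md5", "sha"}  # the page recommends sha2-256 over sha; md5 is older still

def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per weak SNMP setting; an empty list means nothing was flagged."""
    findings = []
    users = {}  # username -> {"auth": mode, "priv": mode, "acl": bool}
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] != "snmp-agent":
            continue
        if tok[1:2] == ["community"]:
            findings.append(f"SNMPv1/v2c community string configured: {raw.strip()}")
        elif tok[1:3] == ["sys-info", "version"] and {"v1", "v2c"} & set(tok):
            findings.append("SNMPv1/v2c enabled via sys-info version")
        elif tok[1:3] == ["group", "v3"]:
            if "privacy" not in tok:
                findings.append(f"group {tok[3]}: does not require authentication and privacy")
            if "acl" not in tok:
                findings.append(f"group {tok[3]}: no ACL bound")
        elif tok[1:3] == ["usm-user", "v3"]:
            u = users.setdefault(tok[3], {"auth": None, "priv": None, "acl": False})
            if "authentication-mode" in tok:
                u["auth"] = tok[tok.index("authentication-mode") + 1]
            elif "privacy-mode" in tok:
                u["priv"] = tok[tok.index("privacy-mode") + 1]
            elif "acl" in tok:
                u["acl"] = True
    for name, u in users.items():  # checks applied once all lines for a user are seen
        if u["auth"] is None:
            findings.append(f"user {name}: no authentication mode (noAuthNoPriv)")
        elif u["auth"] in WEAK_AUTH:
            findings.append(f"user {name}: authentication {u['auth']} is weaker than sha2-256")
        if u["priv"] is None:
            findings.append(f"user {name}: no privacy mode, SNMP payload is sent in cleartext")
        if not u["acl"]:
            findings.append(f"user {name}: no ACL bound, any source address may query")
    return findings
```

Running it against a configuration that keeps only the SNMPv3 authPriv user, the sha2-256 mode, and the ACL bindings from this page returns an empty list.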