SNMP
SNMP manages network devices. Network administrators can use SNMP to obtain data from devices or configure devices. SNMP supports trap alarms and inform alarms that devices automatically send to notify the NMS to events.
Security Policy
SNMPv1, SNMPv2c, and SNMPv3 support different security policies.
SNMPv1 and SNMPv2c support ACLs and the view-based access control model (VACM). An NMS can manage a device with a specified SNMP community configured and access objects in a specified MIB view based on a specified ACL, effectively enhancing system security to some extent. SNMPv1 or SNMPv2c, however, does not support encryption algorithms.
In addition to support for ACLs and VACM, SNMPv3 supports the user-based security model (USM), authentication methods, and encryption algorithms. A supported authentication method can be message digest algorithm 5 (MD5) or secure hash algorithm (SHA). A supported encryption algorithm can be data encryption standard (DES), 3DES, Advanced Encryption Standard (AES), or DASS. Communication data is authenticated and encrypted to prevent security problems, such as message forging, modification, or disclosure.
Configure the lock mechanism for SNMP so that the IP address of a user is locked after the user fails the authentication. The lock mechanism is enabled by default.
To ensure high security, do not use the DES or 3DES algorithm as the SNMPv3 encryption algorithm. It is advised to use SHA algorithm as the encryption algorithm of SNMPv3.
Attack Methods
User Name and Password Cracking
An attacker continuously sends SNMPv1/SNMPv2c community names and SNMPv3 user names and passwords to crack authorized user names and passwords.
Obtaining of Authorized Management Operations
An attacker changes the source IP address of packets to obtain the authorized operation rights.
An attacker monitors the communications between the NMS and SNMP agent to obtain the user name, password, and community name for the authorized operation rights.
An attacker illegally obtains, reorders, delays, or retransmits SNMP messages to obtain the authorized operation rights.
DoS Attack
An attacker launches DoS attacks to slow the device response.
Invalid Packet Attack
An attacker sends invalid packets, such as overlong packets, packets with incorrect SNMP version, write-intended packets with the read right, SNMPv3 packets with incorrect contextname field, packets with incorrect security model, and packets with incorrect security level.
An attacker sends invalid inform reply packets to the device.
SNMP GetBulk Reply Magnifying DoS Attack
SNMP packets are transmitted based on UDP, which is connectionless-oriented. To be specific, both the client and server do not record the peer status or implement data verification for the peer. In this case, the source IP address of such request packets sent from the client can be easily spoofed, causing the response packet to be sent to the bogus IP address. The attacker sends a short request packet and triggers response of overlong packets, causing packet flooding.
CPCAR-based security policies can be used to defend against flood attacks. If a device is connected to the public address space of the Internet, the management and control plane of the device may suffer from flood attacks. In this case, you can deploy a CPU attack defense policy to protect the device against traffic attacks.
Configuration and Maintenance Methods
For security purposes, disabling the insecure SNMPv1 and SNMPv2c is recommended. Configure SNMPv3 users with authentication and encryption configuration, an SNMPv3 authentication encryption mode to manage devices, and associate an ACL and MIB view with the user to control access rights.
Disable insecure SNMPv1 and SNMPv2c (if unnecessary).
[~HUAWEI] undo snmp-agent sys-info version v1 v2c [*HUAWEI] commit
Configure an ACL named ACL 2001 to permit or deny some IP addresses.
[~HUAWEI] acl 2001 [*HUAWEI-acl4-basic-2001] rule 5 permit [*HUAWEI-acl4-basic-2001] rule 10 deny source 10.138.90.111 0 [*HUAWEI-acl4-basic-2001] commit
Configure an SNMP ACL.
[~HUAWEI] snmp-agent acl 2001 [*HUAWEI] commit
Configure a mib-view named iso-view to access nodes under the sub-tree whose root node is the International Organization for Standardization (ISO).
[~HUAWEI] snmp-agent [*HUAWEI] snmp-agent mib-view included iso-view iso [*HUAWEI] commit
Configure an SNMPv3 group named v3group, associate the read view, write view, and notification view named iso-view with the group, and associate ACL 2001 with the group.
[~HUAWEI] snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001 [*HUAWEI] commit
Configure an SNMPv3 user named v3user in a group named v3group. Set the authentication mode is sha2, password is hello-1234, encryption mode is aes128, password is hello-2012, and acl 2001 is associated.
[~HUAWEI] snmp-agent usm-user v3 v3user v3group [*HUAWEI] snmp-agent usm-user v3 v3user v3group acl 2001 [*HUAWEI] snmp-agent usm-user v3 v3user v3group authentication-mode sha2 Hello-1234 privacy-mode aes128 Hello-2012 [*HUAWEI] commit
Display the current SNMP configurations.
[~HUAWEI] display current-configuration | include snmp
snmp-agent snmp-agent acl 2001 snmp-agent local-engineid 800007DB0338BA376BEA01 undo snmp-agent sys-info version v3 snmp-agent group v3 v3group privacy read-view iso-view write-view iso-view notify-view iso-view acl 2001 snmp-agent mib-view included iso-view iso snmp-agent usm-user v3 v3user snmp-agent usm-user v3 v3user group v3group snmp-agent usm-user v3 v3user authentication-mode sha2 cipher %^%#!h7X2jV15~c13:~1|(V-:ea+I&v*X8[V;Z61$y];%^%# snmp-agent usm-user v3 v3user privacy-mode aes128 cipher %^%#Ko$vVUNO[A3t4O%KX6I5nv\4N_o%b#GL'K#dYTZ'%^%# snmp-agent usm-user v3 v3user acl 2001
SNMPv1 and SNMPv2c support community names, and restrict user access rights using the association between an ACL, a MIB view, and a community name.
Configure an ACL named ACL 2001 to permit or deny some IP addresses.
[~HUAWEI-acl-basic-2001] display this # acl number 2001 rule 5 permit rule 10 permit source 10.138.90.111 0 # return [~HUAWEI-acl-basic-2001]
Configure a mib-view named iso-view to access nodes under the sub-tree whose root node is the ISO.
[~HUAWEI] snmp-agent [*HUAWEI] snmp-agent mib-view included iso-view iso [*HUAWEI] commit
Configure a read-write community name.
[~HUAWEI] snmp-agent community read cipher Public-123456 mib-view iso-view acl 2001 [*HUAWEI] snmp-agent community write cipher Private-123456 mib-view iso-view acl 2001 [*HUAWEI] snmp-agent sys-info version all [*HUAWEI] commit
Display SNMP configurations.
[~HUAWEI] display this | include snmp
snmp-agent snmp-agent local-engineid 800007DB0338BA376BEA01 snmp-agent community read cipher %^%#{H1SU1d}/A{%ZQ8eZwr1,7#s<+=_J$q+G8C|_$m5wG62/.GguS`8ur>lpTzGS[hHLQitwV9Ih*MQcC>W%^%# mib-view iso-viewiso acl 2001 snmp-agent community write cipher %^%#~]`4X&Vz`#6W1^8<h<L*gBDu3T/^IXLQ%]7=O@1<'jHCF4o=-KBCH{,8JC~!"v':C8y'sPCq["-/\29G%^%# mib-view iso-viewiso acl 2001 snmp-agent sys-info version all snmp-agent mib-view included iso-view iso
Configure a CPU attack defense policy.
<HUAWEI> system-view [~HUAWEI] cpu-defend policy 10 [*HUAWEI-cpu-defend-policy-10] commit
Configure TCP/IP attack defense.
By default, TCP/IP attack defense is enabled. If the function is disabled, run the following commands to enable it:
[~HUAWEI-cpu-defend-policy-10] ctcpsyn-flood enable [*HUAWEI-cpu-defend-policy-10] fragment-flood enable [*HUAWEI-cpu-defend-policy-10] udp-packet-defend enable [*HUAWEI-cpu-defend-policy-10] abnormal-packet-defend enable [*HUAWEI-cpu-defend-policy-10] quit [*HUAWEI] commit
Create an ACL.
Add SNMP to ACL 3341.
[~HUAWEI] acl number 3341 [*HUAWEI-acl-adv-3341] rule permit udp source 10.20.20.0 0.0.0.255 source-port eq snmp [*HUAWEI-acl-adv-3341] rule permit udp source 10.20.20.0 0.0.0.255 destination-port eq snmp [*HUAWEI-acl-adv-3341] rule deny udp destination-port eq snmp [*HUAWEI-acl-adv-3341] commit
Create a user-defined flow.
After the ACL is used to classify protocol packets, you can apply the ACL to create a user-defined flow so that different protocol packets are transmitted through different channels.
ACL 3341 corresponds to user-defined flow 11 and is used to protect SNMP. SNMP traffic is heavy but does not require high real-time performance. Therefore, set the priority to low and bandwidth to 1 Mbit/s.
[~HUAWEI] cpu-defend policy 10 [*HUAWEI-cpu-defend-policy-10] user-defined-flow 11 acl 3341 [*HUAWEI-cpu-defend-policy-10] car user-defined-flow 11 cir 1000 [*HUAWEI-cpu-defend-policy-10] priority user-defined-flow 11 low [*HUAWEI-cpu-defend-policy-10] quit [*HUAWEI] commit
Apply the attack defense policy.
[~HUAWEI] slot 10 [~HUAWEI-slot-10] cpu-defend-policy 10 [*HUAWEI-slot-10] quit [*HUAWEI] commit
Configuration and Maintenance Suggestions
SNMPv1 and SNMPv2c community names are stored and displayed in ciphertext. Only high-level commands can query ciphertext community names.
Store community names and user passwords in ciphertext to effectively protect them from being disclosed.
Community names and passwords are stored as ****** in the operation logs on the SNMP server, CLI, and NETCONF tool, to prevent user information leaks.
Use SNMPv3 because SNMPv1/v2c is not secure.
Disable SNMP if it is unnecessary on a device (SNMP is disabled by default).
When SNMPv3 is configured, meet the password complexity when configuring authentication and encryption passwords and ensure that the authentication password must be different from the encryption password. If SNMPv1 or SNMPv2c is configured, the SNMP community name must pass the complexity check.
Configure the lock mechanism for SNMP so that the IP address of a user is locked after the user fails the authentication. The lock mechanism is enabled by default.
Configure URPF on the edge devices to prevent response attacks