SNMPv3 traps are far superior to SNMPv1 and v2c traps, as long as your network devices support them. SNMPv3 provides us with security that the previous SNMP versions do not offer (remember that SNMPv1 and v2c only use clear-text community names, which can be easily intercepted).
The version 3 protocol also allows the administrator to specify the authentication and privacy passwords as well as various security schemas. SNMPv3 uses SHA and MD5 for authentication hashing, and DES and AES for privacy encryption. The three security schemas present in version 3 are "noAuthNoPriv", "authNoPriv", and "authPriv", which are pretty self-explanatory.
The first schema does not use any authentication or privacy mechanisms, whereas "authNoPriv" only uses authentication, and "authPriv" uses the full-blown security mechanism. Now, all this security mumbo-jumbo does not make SNMPv3 perfect. Since we are securing it we are also obscuring it, as the protocol is not supported by all devices and is harder to configure (which is probably why it's not supported by all devices in the first place, a chicken-and-egg kind of thing).
SNMPv3 traps require both authentication, in the form of a username and password, and an engineid. The engineid is a random string (usually made up of the SNMP user and IP/MAC addresses) from a remote SNMP host, which needs to be placed in /var/net-snmp/snmptrapd.conf or /etc/snmp/snmptrapd.conf (the first one being a persistent file) on the SNMP NMS. It is in hexadecimal form, and each byte is written as two hex digits. Finding out that engineid can be fairly tricky, but here is the general gist of it that should help you get started:
[code]createUser -e 0xXXXXXXXXXXXXXXX auth_user MD5 auth_user_password[/code]
Note that it is important to find the engineid for every remote SNMP device that will be sending you SNMPv3 traps, as each device will have a different engineid.
All in all, SNMPv3 requires quite a bit of work and understanding to set up. Whether it's worth it or not is up to the systems administrator, but one must remember that security should trump everything in this age of digital mess. You never know if somebody is snooping on you or not, so it is safe to put down some basic security that at least hides your traffic, since SNMP can be easily (of course, once understood) used to find out an insane amount of information about your network.
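Because every device needs its own entry, it helps to check each engineid before it goes into snmptrapd.conf. The following is an added example, not code from the original post: it validates the hex string (two digits per byte), decodes the fields that RFC 3411 defines for an engineid, and builds the createUser line with the authPriv options (SHA plus AES). The function names, the privacy passphrase and the sample engineid are assumptions made up for illustration.

```python
import ipaddress

# Format octet (5th byte) values defined by RFC 3411 for SnmpEngineID.
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}

def parse_engine_id(hex_str):
    """Validate an engineID string and decode the fields RFC 3411 defines."""
    digits = hex_str.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: every byte needs two")
    raw = bytes.fromhex(digits)          # ValueError on non-hex characters
    if not 5 <= len(raw) <= 32:
        raise ValueError("engineID must be 5 to 32 bytes long")
    first = int.from_bytes(raw[:4], "big")
    info = {"hex": digits, "enterprise": first & 0x7FFFFFFF}
    if not first & 0x80000000:
        # High bit clear: older vendor-defined layout without a format octet.
        info.update(format="legacy", value=raw[4:].hex())
        return info
    fmt, body = raw[4], raw[5:]
    kind = FORMATS.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved")
    if kind == "ipv4" and len(body) == 4:
        value = str(ipaddress.IPv4Address(body))
    elif kind == "ipv6" and len(body) == 16:
        value = str(ipaddress.IPv6Address(body))
    elif kind == "mac" and len(body) == 6:
        value = ":".join(f"{b:02x}" for b in body)
    elif kind == "text":
        value = body.decode("ascii", "replace")
    else:
        value = body.hex()
    info.update(format=kind, value=value)
    return info

def createuser_line(engine_id, user, auth_proto, auth_pass, priv_proto=None, priv_pass=None):
    """Build a createUser line for snmptrapd.conf, refusing malformed engineIDs."""
    info = parse_engine_id(engine_id)
    parts = ["createUser", "-e", "0x" + info["hex"], user, auth_proto, auth_pass]
    if priv_proto:                       # authPriv: add the privacy protocol and passphrase
        parts += [priv_proto, priv_pass]
    return " ".join(parts)

if __name__ == "__main__":
    sample = "0x80001f8803001122334455"  # constructed engineID, not from a real device
    print(parse_engine_id(sample))
    print(createuser_line(sample, "auth_user", "SHA", "auth_user_password",
                          "AES", "priv_user_password"))
```

An engineid that decodes to an IP or MAC address you do not recognise is a sign the value was copied from the wrong device.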