Snmp overview, Authentication, Privacy – HP Secure Key Manager User Manual

SNMP overview

The SNMP protocol enables network and system administrators to remotely monitor devices on the
network, such as switches, routers, proxies, and hubs. This protocol relies on three main concepts:
network management station (NMS), agent, and Management Information Base (MIB). The NMS is
configured on a network node and runs SNMP management software; agents run on network devices
that are being monitored by the NMS; and the MIB defines what kind of information can be exchanged
between the agent and the NMS.

SNMP is a request-response protocol used to communicate management information between an
NMS and an agent. SNMP trap messages, sent from agents to managers, might indicate a warning
or error condition or otherwise notify the manager about the agent's state. There are three versions
of SNMP: SNMPv1, SNMPv2 and SNMPv3. The SKM supports all three versions of SNMP.

NOTE:

There are many different versions of SNMPv2. The SKM supports SNMPv2c. For the sake of simplicity,
throughout the rest of this document SNMPv2c is referred to simply as SNMPv2.

SNMPv1/v2 rely on the concept of a community to provide a low level of security for communications
between the NMS and agent. In an HP SNMPv1/v2 deployment, each SNMP request packet includes
a community name, which is similar to a password and is associated with a certain MIB access level.
When the SKM receives a request, the agent looks for the community name in its table. If the name
is found and the source IP of the sender is in the access list for the community, the request is accepted
and the MIB information is sent. If the name is not found or the source IP address is not in the access
list, the request is denied.

Because SNMPv1/v2 cannot authenticate the source of a management message or provide encryption,
it is possible for unauthorized users to perform SNMP network management functions. Likewise, it is
also possible for unauthorized users to eavesdrop on management information as it passes from
agents to the NMS. SNMPv3 incorporated all the capabilities of SNMPv1/v2, and introduced the
concept of a User-based Security Model (USM), which consists of two important services: authentication
and privacy. Additionally, SNMPv3 enhanced the existing View Access Control Model (VACM).

Authentication

The authentication piece of the USM ensures that a message was sent by the agent or NMS whose
identifier appears as the source in the message header. Authentication also ensures that the message
was not altered, artificially delayed, or replayed.

In SNMPv3, the agent and NMS share a key that is based on the username and password supplied
when the username is created. The sender provides a means for authentication to the receiver by
including a MAC with the SNMPv3 message it is sending. When the receiver gets the message, it
uses the same secret key to recompute the MAC. If the recomputed MAC matches the
value appended to the incoming message, then the receiver knows that the message originated from
an authorized sender, and that the message was not altered in transit.
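The following is an added worked example of the exchange described above; it is not code from the HP manual or from the SKM itself. The key derivation (password stretched to 1 MiB, hashed, then localized to the agent's engine ID) and the 96-bit truncated HMAC follow RFC 3414, and the two expected localized keys are the RFC 3414 Appendix A.3 test vectors for the password "maplesyrup". The message framing (a fixed header, a 12-byte authentication slot, a payload) is a constructed simplification standing in for the real BER-encoded SNMPv3 message.

```python
"""SNMPv3 USM authentication: sender appends a truncated HMAC over the message,
receiver derives the same localized key and recomputes it. Key derivation and
HMAC-96 follow RFC 3414; the message framing below is a constructed stand-in,
not real SNMPv3 BER encoding."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is cycled to exactly 1 MiB
AUTH_PARAM_LEN = 12      # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits


def password_to_key(password: bytes, engine_id: bytes, hashname: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key, then localization to one engine's ID."""
    # Step 1: cycle the password bytes until exactly 1 MiB has been hashed.
    repeats = ONE_MEGABYTE // len(password) + 1
    ku = hashlib.new(hashname, (password * repeats)[:ONE_MEGABYTE]).digest()
    # Step 2: localize so that a key recovered from one agent is useless at another.
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def compute_mac(key: bytes, whole_msg: bytes, hashname: str = "sha1") -> bytes:
    """HMAC over the whole message (auth slot zeroed), truncated to 96 bits."""
    return hmac.new(key, whole_msg, hashname).digest()[:AUTH_PARAM_LEN]


# Constructed framing (assumption): 4-byte header, 12-byte auth slot, payload.
HEADER = b"v3\x00\x01"


def build_authenticated_message(key: bytes, payload: bytes) -> bytes:
    """Sender: MAC the message with the auth slot zeroed, then fill the slot."""
    with_zero_slot = HEADER + bytes(AUTH_PARAM_LEN) + payload
    mac = compute_mac(key, with_zero_slot)
    return HEADER + mac + payload


def verify_authenticated_message(key: bytes, msg: bytes) -> bool:
    """Receiver: extract the MAC, zero the slot, recompute, compare in constant time."""
    if len(msg) < len(HEADER) + AUTH_PARAM_LEN:
        return False
    slot_end = len(HEADER) + AUTH_PARAM_LEN
    received_mac = msg[len(HEADER):slot_end]
    with_zero_slot = HEADER + bytes(AUTH_PARAM_LEN) + msg[slot_end:]
    return hmac.compare_digest(received_mac, compute_mac(key, with_zero_slot))


def demo() -> dict:
    """Genuine message accepted; modified payload and foreign engine ID rejected."""
    # Constructed values: the RFC 3414 A.3 test password and engine ID.
    engine_id = bytes.fromhex("000000000000000000000002")
    key = password_to_key(b"maplesyrup", engine_id)
    # Same password localized to a different engine yields a different key.
    other_engine_key = password_to_key(b"maplesyrup", bytes.fromhex("000000000000000000000003"))

    msg = build_authenticated_message(key, b"GET sysUpTime.0")
    modified = msg[:-1] + b"1"   # last payload byte changed in transit
    return {
        "genuine_accepted": verify_authenticated_message(key, msg),
        "modified_rejected": not verify_authenticated_message(key, modified),
        "other_engine_rejected": not verify_authenticated_message(other_engine_key, msg),
    }


if __name__ == "__main__":
    print(demo())
```

Localization is the detail the manual's summary leaves implicit: because the engine ID is mixed into the key, the same username and password produce a different key on every agent, which is why an NMS must know each agent's engine ID before it can authenticate to it, and why the receiver compares the MAC in constant time rather than with a plain equality test.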

Privacy

The privacy piece of the USM allows managers and agents to encrypt messages to prevent
eavesdropping. As is the case with authentication in SNMPv3, both the NMS and the agent must
share a secret key. When an NMS and agent are configured for privacy, all traffic between them is
encrypted with the DES algorithm. The sender encrypts all messages with the DES algorithm and its

Using the Management Console

210