Version 3 – Symmetricom S100 User Manual

S100 User Guide – Rev. D – June 2005

SyncServer S100

SNMP is a simple request/response protocol. The network-management system issues a
request, and managed devices return responses. This is implemented using one of four
operations: Get, GetNext, Set, and Trap. The Get operation is used to retrieve the value of
one or more object instances from an agent. If the agent responding to the Get operation
cannot provide values for all the objects in a list, it does not provide any values. The GetNext
operation is used to retrieve the value of the next object in a table or a list within an agent.
The Set operation is used to set the values of object instances within an agent. The Trap
operation is used by agents to inform the NMS of a significant event.

SNMP v1 has no authentication capabilities, which increases vulnerability to security threats.
These include masquerading occurrences, modification of information, message sequence
and timing modifications, and disclosure. Masquerading consists of an unauthorized entity
attempting to perform management operations by assuming the identity of an authorized
management entity. Modification of information involves an unauthorized entity attempting to
alter a message generated by an authorized entity so that the message results in
unauthorized accounting management or configuration management operations. Message
sequence and timing modifications occur when an unauthorized entity reorders, delays, or
copies and later replays a message generated by an authorized entity. Disclosure results
when an unauthorized entity extracts values stored in managed objects, or learns of notifiable
events by monitoring exchanges between managers and agents. Because SNMP v1 does not
implement authentication, many vendors do not implement Set operations, thereby reducing
SNMP to a monitoring facility.

Note: The S100 does not support SNMP Version 2.

Version 3

This contains many new security features that have been missing from the previous versions.
Both SNMP v1 and SNMP v2c are highly insecure.

SNMP v3 introduces advanced security by splitting authentication and authorization into
two facets:

• The default User-based Security Module (USM) lists the users and their attributes. The
  USM is described by RFC 2574.

• The VACM is the Version-based Access Control Module and controls which users (and
  SNMP v1/v2c communities as well) are allowed to access sections of the MIB tree, and how
  they can access them. The VACM is described by RFC 2575.

In this version, each user has a name (called a securityName), an authentication type
(authProtocol), and a privacy type (privProtocol) as well as associated keys for each of these
(authKey and privKey).

Authentication is performed using a user’s authKey to sign the message being sent. The
authProtocol can be either MD5 or SHA. The authKeys (and privKeys) are generated from a
passphrase that must be at least 8-10 characters in length.

Privacy (encryption) is performed using a user’s privKey to encrypt the data portion of the
message being sent. The privProtocol can only be DES at this time.

Messages can be sent unauthenticated, authenticated, or authenticated and encrypted by
setting the securityLevel to use.
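As an added example (not from the S100 manual), the following Python shows how a USM authKey is derived from a passphrase under RFC 2574 (now RFC 3414): the passphrase is stretched to 1 MiB and hashed with the authProtocol (MD5 or SHA-1), then localized to the agent's snmpEngineID, and the resulting key drives the HMAC-96 tag that authenticates each message. The engine ID and sample message are constructed; the passphrase "maplesyrup" and engine ID 0x000000000000000000000002 are the RFC's own sample values.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the passphrase is stretched to exactly 1 MiB

# authProtocol names as the manual uses them, mapped to hashlib algorithm names
# ("SHA" in SNMP v3 USM means SHA-1).
AUTH_PROTOCOLS = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(passphrase: str, auth_protocol: str) -> bytes:
    """Ku: digest of the passphrase repeated to fill 1 MiB (RFC 3414 A.2.1 / A.2.2).
    The stretching is deliberately slow to make passphrase guessing costly."""
    if len(passphrase) < 8:
        raise ValueError("USM passphrases must be at least 8 characters")
    pw = passphrase.encode()
    stretched = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(AUTH_PROTOCOLS[auth_protocol], stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Binding the key to one agent's engine ID
    means a key recovered from one device is useless against another device."""
    return hashlib.new(AUTH_PROTOCOLS[auth_protocol], ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg: bytes, auth_protocol: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the 12-byte msgAuthenticationParameters value.
    whole_msg is the serialized SNMP v3 message with that 12-byte field zeroed."""
    return hmac.new(kul, whole_msg, AUTH_PROTOCOLS[auth_protocol]).digest()[:12]


def verify_tag(kul: bytes, whole_msg: bytes, tag: bytes, auth_protocol: str) -> bool:
    """Receiver-side check; constant-time compare avoids leaking tag bytes via timing."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, auth_protocol), tag)


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 sample engine ID
    sample_msg = b"constructed SNMPv3 message bytes with zeroed auth field"  # constructed
    for proto in ("MD5", "SHA"):
        kul = localize_key(password_to_key("maplesyrup", proto), engine_id, proto)
        tag = auth_tag(kul, sample_msg, proto)
        print(proto, "Kul =", kul.hex(), "tag =", tag.hex(),
              "verifies:", verify_tag(kul, sample_msg, tag, proto))
```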