Authentication – HP Secure Key Manager User Manual
Page 191
SNMPv1/v2 rely on the concept of a community to provide a low level of security for communications
between the NMS and agent. In an SNMPv1/v2 deployment, each SNMP request packet carries a
community name in clear text. The community name acts like a password and is associated with a certain
MIB access level. When the SKM receives a request, the agent looks up the community name in its table.
If the name is found and the source IP address of the sender is in the access list for that community,
the request is accepted and the MIB information is sent. If the name is not found, or the source IP
address is not in the access list, the request is denied.
Because SNMPv1/v2 cannot authenticate the source of a management message or provide encryption,
anyone who learns or guesses the community name and can send from (or spoof) a permitted source IP
address is able to perform SNMP network management functions. Likewise, unauthorized users can
eavesdrop on management information as it passes between agents and the NMS. SNMPv3 incorporated
all the capabilities of SNMPv1/v2 and introduced the User-based Security Model (USM), which provides
two services: authentication and privacy. Additionally, SNMPv3 uses the View-based Access Control
Model (VACM) to control which MIB views each user may access.
Authentication
The authentication piece of the USM ensures that a message was sent by the agent or NMS whose
identifier appears as the source in the message header. Authentication also ensures that the message
was not altered in transit and, through the USM timeliness check (engine boots and engine time
carried in the message, accepted only within a 150-second window), that it was not artificially
delayed or replayed outside that window.
In SNMPv3, the agent and NMS share a secret key derived from the password supplied when the user is
created; the username identifies which key to use. The key is localized with the agent's engine ID, so
the same password yields a different key on every agent. The sender authenticates to the receiver by
including a message authentication code (MAC) with the SNMPv3 message it is sending. When the
receiver gets the message, it uses the same secret key to recompute the MAC over the message. If the
recomputed MAC matches the value carried in the incoming message, the receiver knows that the message
originated from a holder of the key and that it was not altered in transit.
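The key derivation and MAC check described above, as an added example that is not code from the SKM or from HP. It implements the RFC 3414 password-to-key and key-localization steps (checked against the test vectors published in that RFC) and then authenticates and verifies a message. The message layout used here (4-byte engineBoots, 4-byte engineTime, 12-byte MAC, payload) is an assumption standing in for the real BER-encoded SNMPv3 message, and the user, password and engine IDs are constructed sample values. The same localized-key derivation is what RFC 3414 uses for the privacy key as well.

```python
"""Toy model of SNMPv3 USM authentication (RFC 3414).

Added example, not SKM code. The message framing is simplified:
engineBoots (4 bytes) | engineTime (4 bytes) | MAC (12 bytes) | payload.
"""
import hashlib
import hmac
import struct

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is hashed over 1,048,576 bytes
MAC_LEN = 12             # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits
TIME_WINDOW = 150        # RFC 3414 2.2.3: seconds of delay/skew tolerated
MAC_OFFSET = 8           # assumed toy header: 4-byte engineBoots + 4-byte engineTime


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash of the password repeated cyclically until 1 MB has been fed in."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = hash(Ku || snmpEngineID || Ku): binds the key to one authoritative
    engine, so the same password gives a different key on every agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def user_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Full derivation as both the NMS and the agent perform it."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def _mac(kul: bytes, algo: str, msg: bytes) -> bytes:
    """HMAC over the whole message with the MAC field zero-filled, truncated to 96 bits."""
    zeroed = msg[:MAC_OFFSET] + bytes(MAC_LEN) + msg[MAC_OFFSET + MAC_LEN:]
    return hmac.new(kul, zeroed, algo).digest()[:MAC_LEN]


def authenticate(kul: bytes, algo: str, engine_boots: int, engine_time: int,
                 payload: bytes) -> bytes:
    """Sender side: build the message with a zeroed MAC field, then fill the MAC in."""
    msg = struct.pack(">II", engine_boots, engine_time) + bytes(MAC_LEN) + payload
    return msg[:MAC_OFFSET] + _mac(kul, algo, msg) + msg[MAC_OFFSET + MAC_LEN:]


def verify(kul: bytes, algo: str, msg: bytes, local_boots: int, local_time: int) -> str:
    """Receiver side: recompute the MAC first, then apply the timeliness check.
    Returns the USM status name."""
    if len(msg) < MAC_OFFSET + MAC_LEN:
        return "authenticationFailure"
    received = msg[MAC_OFFSET:MAC_OFFSET + MAC_LEN]
    if not hmac.compare_digest(received, _mac(kul, algo, msg)):
        return "authenticationFailure"          # altered, or wrong key / wrong engine
    boots, when = struct.unpack(">II", msg[:MAC_OFFSET])
    if boots != local_boots or abs(when - local_time) > TIME_WINDOW:
        return "notInTimeWindow"                # delayed or replayed outside the window
    return "authenticated"


def demo() -> dict:
    """NMS and agent derive the same Kul from the password and the agent's engine ID.
    Engine IDs, password and clock values are constructed sample data."""
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test engine ID
    kul = user_key(b"maplesyrup", engine_id, "md5")
    msg = authenticate(kul, "md5", 7, 1000, b"get sysUpTime")
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])            # flip one payload bit
    other_engine = user_key(b"maplesyrup", bytes.fromhex("000000000000000000000003"), "md5")
    return {
        "ok": verify(kul, "md5", msg, 7, 1020),
        "tampered": verify(kul, "md5", tampered, 7, 1020),
        "wrong_engine": verify(other_engine, "md5", msg, 7, 1020),
        "stale": verify(kul, "md5", msg, 7, 1400),
        "rebooted": verify(kul, "md5", msg, 8, 1020),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The order in verify matters: the MAC is checked before the engine time is trusted, because the time fields are themselves covered by the MAC. Note that the timeliness check only bounds replay to the 150-second window; it does not detect a replay inside it.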
Privacy
The privacy piece of the USM allows managers and agents to encrypt messages to prevent
eavesdropping. As with authentication in SNMPv3, both the NMS and the agent must share a secret key:
a separate privacy key, derived from the privacy password in the same way as the authentication key.
When an NMS and agent are configured for privacy, all traffic between them is encrypted with the DES
algorithm. The sender encrypts each message with DES and its secret key and sends it to the receiver,
who decrypts it with DES and the same secret key. DES uses a 56-bit key and is considered weak by
current standards, so privacy should always be combined with authentication and with network-level
restrictions on who can reach the SKM's SNMP port.
Access control
Access control in SNMP makes it possible for agents to provide different levels of MIB access to different
managers. For example, you can restrict one NMS to viewing only the standard MIBs while allowing
another NMS to view both the standard MIBs and the Enterprise MIBs.
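One way to express the two-manager split above, as an added illustration in net-snmp's snmpd.conf syntax rather than the SKM's own configuration. The user names, passphrases, and the use of HP's enterprise arc .1.3.6.1.4.1.11 as the "Enterprise MIB" subtree are assumptions; under SNMPv3 the access level follows the authenticated user, not the manager's IP address.

```ini
# Added illustration (net-snmp snmpd.conf syntax, not SKM configuration).
# Users, passphrases and the enterprise subtree are assumptions.

# Two SNMPv3 users: SHA authentication, DES privacy as described on this page
# (prefer AES where both the agent and the NMS support it).
createUser monitor  SHA "monitor-auth-passphrase"  DES "monitor-priv-passphrase"
createUser skmadmin SHA "skmadmin-auth-passphrase" DES "skmadmin-priv-passphrase"

# Views: the standard MIB-2 subtree, and MIB-2 plus the HP enterprise arc.
view standardOnly included .1.3.6.1.2.1
view standardPlus included .1.3.6.1.2.1
view standardPlus included .1.3.6.1.4.1.11

# Groups bind security names (users) to an access policy.
group monitors usm monitor
group admins   usm skmadmin

# access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
# Both groups must use authPriv; neither may write.
access monitors "" usm priv exact standardOnly none none
access admins   "" usm priv exact standardPlus none none
```

With this policy a walk by "monitor" that reaches into .1.3.6.1.4.1 stops at the end of MIB-2 (noSuchObject / end of view), while "skmadmin" continues into the enterprise subtree.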
SNMP concepts
Before discussing how SNMP is configured on the SKM, it is important that a few terms are understood.
Management Station: A network management station (NMS) is a node on the network that runs SNMP
manager software. The NMS monitors network devices by polling agents, acknowledging Inform
notifications sent by agents, and listening for unsolicited, asynchronous messages (traps) that agents
send over UDP.
Agent: An agent is a device on the network that is running SNMP agent software. The agent is able
to communicate with the NMS to provide information about security, performance, system health,
statistics, etc.
Entity: An SNMP entity simply refers to an agent or an NMS. Both the agent and the NMS consist of
a variety of applications and services; however, for the sake of simplicity, this documentation does
not attempt to describe all the component parts.
Engine: Core SNMP software around which you can build an agent or NMS. For the sake of simplicity,
Engine and Entity are used interchangeably.
Engine ID: Unique identifier for an SNMP entity. The authoritative engine's ID is also mixed into the USM
keys, so a user's localized key is specific to one engine.