SNMP Security Pack Details

Note: SNMP Security Pack is being replaced by the Distributed SNMP Security Pack.

SNMP Security Pack

Note: This product has been replaced by Distributed SNMP Security Pack™.

The SNMP Security Pack™ provides an extension to SNMP manager devices that only support SNMPv1 and/or SNMPv2c, allowing these "vintage" managers to use SNMPv3 with security. SNMPv3 provides authenticated and, optionally, encrypted configuration and control operations. Its administration offers logical contexts, view-based access control, and remote configuration. The user-based authentication mechanism is a keyed message digest (HMAC) based on MD5 or SHA-1 (HMAC-MD5-96 and HMAC-SHA-96). The user-based privacy mechanism is based on the Data Encryption Standard (DES) in Cipher Block Chaining (CBC) mode with a 56-bit key, and SNMPv3 defines three security levels (noAuthNoPriv, authNoPriv, and authPriv) so that each user can be given the protection the deployment requires. In addition to DES, the Advanced Encryption Standard (AES) and Triple-DES (3DES) may also be implemented. SNMPv3 is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.

By providing SNMPv3 support to vintage management applications, the SNMP Security Pack offers customers the benefits of a comprehensive approach to management security, including authentication, authorization, access control, data integrity, key management, and encryption options. Security Pack allows customers to use set commands to alter device or network configuration in a secure fashion and to add security to other sensitive SNMP transactions, such as the exchange of network topology between vintage management applications.

Overview

The SNMP Security Pack supports two local configuration datastores (LCDs), one of which is used by the BRASS server and the other by the EMANATE® Master Agent. The LCDs provide access control table parameters, as well as parameters for configuring trap destinations.

The SNMP Security Pack contains the following products:

Security Mechanisms

By employing SNMPv3, Security Pack offers five main types of threat protection (shown below).

Table 1: Security Threats and Protection

Threat: Masquerade
Protection: Verifies the identity of the message's origin by checking a keyed message digest (HMAC) computed with the user's shared authentication key; without that key an attacker cannot produce a valid digest.

Threat: Modification of Information
Protection: Thwarts accidental or intentional alterations of in-transit messages, because the same keyed digest covers the entire message, including the time stamp.

Threat: Message Stream Modification
Protection: Thwarts replay and reordering by checking message timeliness against the authoritative engine's boot counter and clock (a 150-second window); a replayed message falls outside the window and is discarded.

Threat: Disclosure
Protection: Prevents eavesdropping by protocol analyzers, etc., by encrypting the scoped PDU (CBC-DES, or AES/3DES where implemented).

Threat: Unauthorized Access
Protection: Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an Access Control Table (the View-based Access Control Model). Supports policy-based management.

To deploy sophisticated security mechanisms such as those provided by SNMPv3, each management application must have access to the LCD that includes "secrets" shared with an agent. As a result, each copy of the vintage application (for example, NNM or IBM Tivoli NetView) must coordinate its use of the LCD and secrets with other managers and/or SNMPv3 entities. Security Pack provides this coordination transparently by maintaining the SNMPv3 datastore and by performing SNMP operations at the management application's request. This prevents multiple NNMs or other SNMPv3 applications from conflicting in their use of the security datastore.

Authentication and Privacy

Quick and Easy Security Configuration

The SNMPv3 Configuration Wizard offers a complete solution to quick and easy SNMPv3-based configuration of SNMP agents and managers. The Wizard is a stand-alone Java application that guides the user through each step of configuring SNMPv3 security, including: establishment of a secure connection for initial configuration, addition of new users, configuration of pass-phrases, set-up of fine-grained access control policies, and definition of notification destinations (SNMP-based managers). The Wizard is also an excellent tool for gaining a basic understanding of how the SNMPv3 administrative model works.

Features include:

Specifying Authorization Privileges: Each user is assigned a "Profile" (an SNMPv3 group), which determines the permissions granted to that user. These permissions are defined in the view-based access control table stored in the agent LCD and are looked up by the user's name and security level. The authentication password proves that a request really comes from that user, so a single password supports both authentication (checking the user's identity) and, through the user's profile, authorization (discerning which actions the user is allowed to perform, and on what MIB variables). An optional second Privacy Password is entered if encryption is to be used; it is turned into a separate privacy key.
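The profile-to-permission lookup described above is the SNMPv3 View-based Access Control Model (RFC 3415). As an added example that is not the Security Pack's own code, the following Python models the three VACM tables an agent LCD holds and runs an access decision through them, including the subtree mask that lets a view expose a single table row. The user names, group names, view names and OIDs are constructed for illustration; context matching is simplified to an exact match.

```python
SEC_LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {
    ("usm", "nms-reader"): "readers",
    ("usm", "nms-admin"): "admins",
}

# vacmAccessTable: (groupName, context, securityModel, minimum securityLevel)
# -> read/write/notify view names ("" means no view, i.e. no access)
ACCESS = {
    ("readers", "", "usm", "authNoPriv"): {"read": "mib2-ro", "write": "", "notify": "mib2-ro"},
    ("admins", "", "usm", "authPriv"): {"read": "all", "write": "all", "notify": "all"},
}

# vacmViewTreeFamilyTable: viewName -> [(subtree, mask, included|excluded)]
# An empty mask means every sub-identifier of the subtree must match; a "0"
# bit makes that position a wildcard.
VIEWS = {
    "all": [("1", "", "included")],
    "mib2-ro": [("1.3.6.1.2.1", "", "included"),
                ("1.3.6.1.2.1.7", "", "excluded")],      # hide the UDP group
    # ifEntry.<column>.<ifIndex> with the column wildcarded: row ifIndex=3 only
    "if-row-3": [("1.3.6.1.2.1.2.2.1.0.3", "11111111101", "included")],
}


def _oid(text):
    return tuple(int(x) for x in text.split("."))


def _subtree_matches(oid, subtree, mask):
    sub = _oid(subtree)
    if len(oid) < len(sub):
        return False
    for i, comp in enumerate(sub):
        must_match = mask == "" or (i < len(mask) and mask[i] == "1")
        if must_match and oid[i] != comp:
            return False
    return True


def in_view(view_name, oid_text):
    """RFC 3415 section 3.2: the longest matching subtree (ties broken by the
    lexicographically greatest subtree) decides included/excluded."""
    oid = _oid(oid_text)
    best = None
    for subtree, mask, vtype in VIEWS.get(view_name, []):
        if _subtree_matches(oid, subtree, mask):
            rank = (len(_oid(subtree)), _oid(subtree))
            if best is None or rank > best[0]:
                best = (rank, vtype)
    return best is not None and best[1] == "included"


def check_access(sec_model, sec_name, sec_level, context, op, oid_text):
    """isAccessAllowed from RFC 3415; returns the RFC's status names."""
    group = SECURITY_TO_GROUP.get((sec_model, sec_name))
    if group is None:
        return "noGroupName"
    candidates = [(key, views) for key, views in ACCESS.items()
                  if key[0] == group and key[1] == context and key[2] == sec_model
                  and SEC_LEVELS[key[3]] <= SEC_LEVELS[sec_level]]
    if not candidates:
        return "noAccessEntry"        # e.g. an unauthenticated request
    # Among matching entries VACM prefers the one with the highest securityLevel.
    _, views = max(candidates, key=lambda kv: SEC_LEVELS[kv[0][3]])
    view = views.get(op, "")
    if view == "":
        return "noSuchView"           # e.g. a set from a read-only profile
    return "accessAllowed" if in_view(view, oid_text) else "notInView"


if __name__ == "__main__":
    for args in [("usm", "nms-reader", "authNoPriv", "", "read", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "nms-reader", "authNoPriv", "", "write", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "nms-reader", "noAuthNoPriv", "", "read", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "nms-admin", "authPriv", "", "write", "1.3.6.1.2.1.1.5.0")]:
        print(args[1], args[2], args[4], args[5], "->", check_access(*args))
```

The two failure modes worth noticing are noAccessEntry, which is how a request below the profile's minimum security level is refused before any view is consulted, and notInView, which is how an excluded subtree overrides the broader included one.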

Architecture

[Architecture diagram not reproduced]

Summary

Using SNMP Security Pack, SNMPv3 is easy to configure and use, and memory requirements are minimized. Most importantly, SNMP Security Pack enables smooth coexistence with, and transition from, SNMPv1 and SNMPv2c, preserving the vast customer investment in SNMP-based management.

In summary, the SNMP Security Pack provides several important benefits to our customers:

Note: To add SNMPv3 support through firewalls, please visit the Distributed SNMP Security Pack Web page.