NMIS supports using SNMPv3 for securing the collection of sensivite sensitive network information. This is especially important from core switches and routers which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilegeand Privilege) mode which is the most secure.
...
The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.
Required Linux SNMPD Configuration for SNMPv3 communication to
...
NMIS9
Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.
...
| Code Block |
|---|
/usr/local/nmis9/bin/admin/testtests.pl act=snmp node=NODENAME |
...
Once you have updated the SNMP libraries NMIS uses for SNMP, you should be able to use the following protocols for SNMPv3.
Authentication Protocols
| NMIS9 name | Name | OID | Notes |
|---|---|---|---|
| md5 | usmHMACMD5AuthProtocol | 1.3.6.1.6.3.10.1.1.2 | RFC3411 |
| sha (or sha1) | usmHMACSHAAuthProtocol | 1.3.6.1.6.3.10.1.1.3 | RFC3411 |
| sha224 | usmHMAC128SHA224AuthProtocol | 1.3.6.1.6.3.10.1.1.4 | RFC3411 |
| sha256 | usmHMAC192SHA256AuthProtocol | 1.3.6.1.6.3.10.1.1.5 | RFC3411 |
| sha384 | usmHMAC256SHA384AuthProtocol | 1.3.6.1.6.3.10.1.1.6 | RFC3411 |
| sha512 | usmHMAC384SHA512AuthProtocol | 1.3.6.1.6.3.10.1.1.7 | RFC3411 |
Privilege Protocols
| NMIS9 name | Name | OID | Notes |
|---|---|---|---|
| des | usmDESPrivProtocol | 1.3.6.1.6.3.10.1.2.1 | RFC3411 |
| 3des | usm3DESPrivProtocol | 1.3.6.1.4.1.14832.1 | RFC3411 |
| aes (or aes128) | usmAESCfb128PrivProtocol | 1.3.6.1.4.1.14832.2 | Blumenthal implementation of SNMPv3 |
| aes192 | usmAESCfb192PrivProtocol | 1.3.6.1.4.1.14832.3 | Blumenthal implementation of SNMPv3 |
| aes256 | usmAESCfb256PrivProtocol | 1.3.6.1.4.1.14832.4 | Blumenthal implementation of SNMPv3 |
| aes192c | cusmAESCfb192PrivProtocol | 1.3.6.1.4.1.9.12.6.1.1 | Cisco implementation of SNMPv3 AES192 |
| aes256c | cusmAESCfb256PrivProtocol | 1.3.6.1.4.1.9.12.6.1.2 | Cisco implementation of SNMPv3 AES256 |
| aes192c2 | usmAES192Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.101 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
| aes256c2 | usmAES256Cisco2PrivProtocol | 1.3.6.1.4.1.9.12.6.1.102 | A mysterious version 2 of the Cisco implementation, possibly related to pysnmp |
Update or Install Perl Modules
Crypt::Rijndael module needs to be installed for AES support. This is the command to install Crypt::Rijndael if this module is not already installed and will ensure we have the latest version:
| Code Block |
|---|
sudo cpanm Crypt::Rijndael --sudo |
Net::SNMP module needs to be up to date - currently v6.0.1 - this command will ensure we have the latest version:
| Code Block |
|---|
sudo cpanm Net::SNMP --sudo |
Patch Net::SNMP::Security::USM to support 256 bit and higher encryption
The NMIS development team have added support to the Net::SNMP library using the work done recently by the team and leveraging the work done by Napsty @ https://raw.githubusercontent.com/Napsty/scripts/master/perl-net-snmp-sha2/USM.pm
If you are using NMIS 9.4.3 or earlier you will need to obtain the contrib folder from GitHub @https@ https://github.com/Opmantek/nmis9/tree/nmis9_dev/contrib/perl-net-snmp-256
We will use a patched Net::SNMP::Security::USM, for Net::SNMP v6.0.1, which is backwards compatible with all snmp protocol strings used in the original Net::SNMP::Security::USM module.
All protocol strings are case-insensitive.
Copy the shipped USM.pm from the contrib folder and replace the Net::SNMP v6.0.1 version.
On RedHat 8 based systems (including our CentOS Virtual Machine)
| Code Block |
|---|
sudo cp /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/vendor_perl/Net/SNMP/Security/USM.pm |
On Debian/Ubuntu based systems
| Code Block |
|---|
sudo cp /usr/share/perl5/Net/SNMP/Security/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm.original sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/USM.pm /usr/share/perl5/Net/SNMP/Security/USM.pm |
...
Update NMIS GUI to show new options
| Code Block |
|---|
sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/Table-Nodes.nmis /usr/local/nmis9/conf |
Testing SNMPv3 quickly
The contrib folder includes a lightweight SNMP testing tool, which differs from the nmis9/admin/tests.pl tool, in that it does not use net-snmp Linux package at all, it purely exercises the NMIS SNMP libraries.
| Code Block |
|---|
# Make a copy of original incase you have customization and forget to add it # If command says it doesnt exisit you can skip to next command sudo cp /usr/local/nmis9/contribconf/Table-Nodes.nmis /usr/local/nmis9/conf/Table-Nodes.nmis.bak # Adding in new SNMPv3 Options sudo cp /usr/local/nmis9/contrib/perl-net-snmp-256/Table-Nodes.nmis /usr/local/nmis9/conf |
Testing SNMPv3 quickly
The contrib folder includes a lightweight SNMP testing tool, which differs from the nmis9/admin/tests.pl tool, in that it does not use net-snmp Linux package at all, it purely exercises the NMIS SNMP libraries.
| Code Block |
|---|
/usr/local/nmis9/contrib/perl-net-snmp-256/test-snmp.pl node=lab-fortigate SNMP test results for lab-fortigate: Open SNMP session to lab-fortigate Auth Protocol: sha, Priv Protocol: aes Testing SNMP session Performing SNMP get ofperl-net-snmp-256/test-snmp.pl node=lab-fortigate SNMP test results for lab-fortigate: Open SNMP session to lab-fortigate Auth Protocol: sha, Priv Protocol: aes Testing SNMP session Performing SNMP get of 1.3.6.1.2.1.1.1.0 and 1.3.6.1.2.1.1.2.0 sysDescr: lab-fortigate-int sysObjectID: 1.3.6.1.2.1.1.1.0 and 1.3.6.1.2.1.1.2.0 sysDescr: lab-fortigate-int sysObjectID: 1.3.6.1.4.1.12356.101.1.65 SNMP PASSED |
...
For example on a Fortigate device, the administration GUI allowed setting SHA256 and AES256 but these would not work together, when . When SHA256 and AES256 Cisco were used, the system was very happy.
Many Many Cisco devices will support SHA256 but only AES128 (which given the entropy is reasonable "AES-128 would take about 2.61*10^12 years to crack" https://www.ubiqsecurity.com/128bit-or-256bit-encryption-which-to-use/).
NMIS can only support something if the vendor support its.
BTW, at At the time of writing (March 2023) net-snmp on Linux does not include support for AES256 by default , nor do the SNAP repos, (including SNAP repositories). net-snmp does support AES256, you just need to compile if yourself.
...
| Code Block |
|---|
ERROR: Could not retrieve SNMP vars from node lab-fortigate: No response from remote host "lab-fortigate-int.opmantek.net" |
This means you have the wrong privilege protocol or password, you will need to change them and try again
The authProtocol is unknown during discovery
The test-snmp.pl tool would show this:
| Code Block |
|---|
ERROR: Could not open SNMP session to node lab-fortigate: The authProtocol "1.3.6.1.6.3.10.1.1.5" is unknown during discovery |
This means the remote SNMP agent in the end device (node) does not know what this authentication protocol is.
Related Topics
...
-fortigate-int.opmantek.net" |
This means you have the wrong privilege protocol or password, you will need to change them and try again
The authProtocol is unknown during discovery
The test-snmp.pl tool would show this:
| Code Block |
|---|
ERROR: Could not open SNMP session to node lab-fortigate: The authProtocol "1.3.6.1.6.3.10.1.1.5" is unknown during discovery |
This means the remote SNMP agent in the end device (node) does not know what this authentication protocol is.
Confirmed working combinations
The below is a list of confirmed working SNMPv3 combinations across a variety of different vendor and operating systems.
This is by no means a comprehensive list of the products we support.
| Vendor / Operating System | SHA | AES | NMIS Considerations |
|---|---|---|---|
| Cisco IOS | SHA1 | AES256 | aes256c needs to be configured as the entry.configuration.privprotocol value |
| SHA1 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |
| SHA1 | AES128 | ||
| Cisco NX-OS | SHA1 | AES128 | |
| SHA256 | AES128 | ||
| Fortinet | SHA1 | AES | |
| SHA224 | AES256 Cisco | sha224 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value | |
| SHA256 | AES256 Cisco | sha256 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value | |
| SHA384 | AES256 Cisco | sha384 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value | |
| SHA512 | AES256 Cisco | sha512 needs to be configured as the entry.configuration.authprotocol value AND aes256c needs to be configured as the entry.configuration.privprotocol value | |
| Palo Alto | SHA1 | AES128 | |
| SHA224 | AES128 | ||
| SHA256 | AES128 | ||
| SHA384 | AES128 | ||
| SHA224 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |
| SHA256 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |
| SHA256 | AES256 | aes256c needs to be configured as the entry.configuration.privprotocol value | |
| SHA384 | AES192 | aes192c needs to be configured as the entry.configuration.privprotocol value | |
| SHA384 | AES256 | aes256c needs to be configured as the entry.configuration.privprotocol value | |
| NET-SNMP (Tested on v5.8 with Ubuntu 20.04) | SHA512 | AES128 | sha512 needs to be configured as the entry.configuration.authprotocol value |
You may notice that when configuring SNMPv3 on a (for example) Cisco IOS device that there is not an explicit AES192C/AES256C in the command, rather it is needed to be defined as AES 192 and/or AES 256.
When configuring the device for NMIS, you will need to explicitly tell it to use AES192C/AES256C using node_admin.pl (example covered previously).