SNMP Security Levels and Privileges
SNMPv2c and SNMPv3 each represent a different security model. The security model combines with the selected security level to determine the security mechanism applied when the SNMP message is processed.
The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message requires protection from disclosure or whether the message is authenticated. The supported security level depends on which security model is implemented. SNMP security levels support one or more of the following privileges:
-
noAuthNoPriv—No authentication or encryption
-
authNoPriv—Authentication but no encryption
-
authPriv—Authentication and encryption
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
Supported Combinations of SNMP Security Models and Levels
The following table identifies the combinations of security models and levels.
Model | Level | Authentication | Encryption | What Happens |
---|---|---|---|---|
v2c | noAuthNoPriv | Community string | No | Uses a community string match for authentication. |
v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
v3 | authNoPriv | HMAC-SHA | No | Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Secure Hash Algorithm (SHA). |
v3 | authPriv | HMAC-SHA | DES | Provides authentication based HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard. |
SNMPv3 Security Features
SNMPv3 provides secure access to devices through a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes only configured users to perform management operations and encrypts SNMP messages. The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:
-
Message integrity—Ensures that messages are not altered or destroyed in an unauthorized manner, and that data sequences are not altered beyond what can occur non-maliciously.
-
Message origin authentication—Ensures that the identity of a message originator is verifiable.
-
Message confidentiality and encryption—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes
Authentication Protocols for SNMPv3 Users
Cisco Intersight supports the following authentication protocols for SNMPv3 users:
-
HMAC-SHA-96 (SHA)
AES Privacy Protocol for SNMPv3 Users
Cisco Intersight uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.
The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco Intersight uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters. To deploy such a user, enable AES-128 encryption.