SNMP Security

In recent blog posts, I’ve written about SNMP and how it works. SNMP is a great protocol for monitoring network devices on an IP network. There are currently 3 versions of SNMP, and each implements security differently. The latest, version 3, is the most secure; version 2 is a little more secure but can be easily cracked.

SNMPv2c - SNMP started to bring about security through authentication and permissions with community strings, which are widely used in SNMPv2c. A community string is a plain-text password that must be included inside the SNMP message, such as a manager's GET, GETNEXT or SET request. The same community string is configured on the managed device, where it has a certain permission assigned to it. When a manager sends a GET request to an agent, it includes the community string inside the packet; the agent receives the packet, verifies the community string, and checks which permission that string grants the manager. Two kinds of permission can be attached to a community string: read-only or read-write. Read-only means the manager can only view values without modifying them; read-write allows both reading and modification. The community string is essentially a shared secret that must match on both ends of the communication between the manager and the agent. Community strings are not the most secure option because they are sent in plain text without encryption, so the password is visible in packet captures.

SNMPv3 - SNMP version 3 was designed to address the weaknesses of versions 1 and 2. Version 3 got rid of community strings and added user-based authentication, encryption, message integrity and access controls, making it much more secure than prior versions. SNMPv3 provides 3 levels of security:

  1. noAuthNoPriv = No authentication, no encryption
  2. authNoPriv = Authentication only 
  3. authPriv = Authentication + Encryption 
