Cisco NX-OS and SNMPv3 - Securing LibreNMS
This weekend I spent a bit of time in the lab playing around with SNMPv3. Why SNMPv3? Well, I am a big proponent of securing any and all control plane communications, and SNMP traffic should certainly be secured. The configuration is not much more difficult, but the result is a fully encrypted SNMP payload that cannot be read even if it is intercepted.
SNMPv2c versus SNMPv3
A common SNMP configuration for Cisco devices is to use an SNMP community string plus an ACL to prevent access from unauthorized SNMP scanners. This configuration is fairly secure; however, the data is not encrypted as it is transmitted to our NMS. I wish I would have taken my own pcaps and may do so soon, but for now take a look at this example (hosted by PacketLife.net):
Not only do we see the requests and responses; if we look at the next screenshot we can also find the community string!
You’re probably saying to yourself - that is what the ACL is for, Dan. And for the most part, I would agree. However if an attacker is already inside, it would be fairly trivial to spoof the destination address and intercept the traffic.
So what is an engineer to do? Enter SNMPv3. Instead of relying on an ACL to limit traffic, SNMPv3 builds authentication into the protocol using EngineIDs: each entity includes its EngineID with its SNMP messages, proving its identity. Additionally, the messages are encrypted, as shown in the screenshot below (thanks again to packetpushers.net).
Alright, at this point we know we should be using SNMPv3, but how do we configure it? Luckily, the setup is not too hard. This post focuses on Cisco NX-OS, but I plan on posting an IOS version shortly.
Cisco NX-OS Config
To start, we need to tell our switch to force SNMP encryption, so that every SNMPv3 user is required to use a privacy (encryption) passphrase:
N9K-1 (config)# snmp-server globalEnforcePriv
Then we need to create our user and set the authentication and privacy passphrases (the capitalized values should be replaced with your own credentials):
N9K-1 (config)# snmp-server user LIBRENMS auth sha LIBRENMS4ME priv 2LIBRENMS4ME
Next, we’ll tell the switch where our LibreNMS install lives. The username at the end of this line must match the user created above, including case:
N9K-1 (config)# snmp-server host 10.0.1.27 informs version 3 auth LIBRENMS
Finally, we’ll tell the switch to use the management interface for sending SNMP messages:
N9K-1 (config)# snmp-server host 10.0.1.27 use-vrf management
A summary for copy/paste purposes:
snmp-server globalEnforcePriv
snmp-server user LIBRENMS auth sha LIBRENMS4ME priv 2LIBRENMS4ME
snmp-server host 10.0.1.27 informs version 3 auth LIBRENMS
snmp-server host 10.0.1.27 use-vrf management
Browse to your LibreNMS install and log in. Then head to the add devices page: Devices > Add Device. Once there, fill in the form with the following adjustments:
- Enter the hostname for your switch.
- Switch SNMP version to SNMPv3.
- Change AuthLevel to AuthPriv.
- Enter the Username you defined on the switch (LIBRENMS in my case).
- Enter the Auth password (LIBRENMS4ME).
- Change the Auth Algorithm to SHA.
- Enter the Crypto Password (2LIBRENMS4ME).
- Change the Crypto Algorithm to DES (the default privacy cipher when the priv passphrase is set without the aes-128 keyword).
- Click Add Host!
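As an added check (my own script, not part of the original post and not LibreNMS code), the following Python lints the NX-OS lines above and derives the Add Device form values from them. It catches a username on the host line that does not match the configured user (USM usernames are case-sensitive), reports which privacy cipher the NMS must be set to, and warns when globalEnforcePriv is absent. It assumes the NX-OS syntax shown in this post plus the optional `priv aes-128` keyword.

```python
import re

# Constructed sample: the four NX-OS lines from this post, with a lowercase
# "librenms" on the host line so the checker has something to flag.
SAMPLE_CONFIG = """
snmp-server globalEnforcePriv
snmp-server user LIBRENMS auth sha LIBRENMS4ME priv 2LIBRENMS4ME
snmp-server host 10.0.1.27 informs version 3 auth librenms
snmp-server host 10.0.1.27 use-vrf management
"""

# Assumed NX-OS syntax: "priv [aes-128] <passphrase>"; without aes-128 the
# privacy cipher is DES, which is why the LibreNMS form above selects DES.
USER_RE = re.compile(r"^snmp-server user (\S+) auth (md5|sha) (\S+)"
                     r"(?: priv(?: (aes-128))? (\S+))?", re.M)
HOST_RE = re.compile(r"^snmp-server host (\S+) (?:traps|informs) version 3 "
                     r"(noauth|auth|priv) (\S+)", re.M)
ENFORCE_RE = re.compile(r"^snmp-server globalEnforcePriv\s*$", re.M)


def check_snmpv3(config):
    """Return (LibreNMS form values per user, list of findings)."""
    users, findings = {}, []
    for name, auth_alg, _auth_pw, aes, priv_pw in USER_RE.findall(config):
        if priv_pw:
            crypto = "AES" if aes else "DES"
            if not aes:
                findings.append(f"user {name}: privacy cipher defaults to DES")
        else:
            crypto = None
            findings.append(f"user {name}: no priv passphrase, AuthPriv impossible")
        users[name] = {"AuthLevel": "AuthPriv" if priv_pw else "AuthNoPriv",
                       "Auth Algorithm": auth_alg.upper(),
                       "Crypto Algorithm": crypto}
    if not ENFORCE_RE.search(config):
        findings.append("globalEnforcePriv missing: encryption not enforced")
    for host, _level, user in HOST_RE.findall(config):
        # USM usernames are case-sensitive, so 'librenms' != 'LIBRENMS'.
        if user not in users:
            findings.append(f"host {host}: user '{user}' is not configured")
    return users, findings


if __name__ == "__main__":
    form_values, problems = check_snmpv3(SAMPLE_CONFIG)
    print(form_values)
    for problem in problems:
        print("WARNING:", problem)
```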
Here is a screenshot of a prefilled LibreNMS Add Device form:
That is all there is to SNMPv3. The config for NX-OS is not much longer than for SNMPv2c, but we gain a great deal more security. Additionally, adding the device to LibreNMS is a breeze.
I hope you found this post useful. If you have any questions, leave a comment or reach out on Twitter!