Setting up and using SNMPv3 on OS X

When it comes to monitoring your network, and devices on your network, the 800-pound protocol gorilla is Simple Network Management Protocol, or SNMP. The name is, in my opinion, a passel of lies—the way SNMP works is certainly simple, but setting it up is the exact opposite.

Still, when it comes to checking on your network, SNMP offers a relatively low-bandwidth way to see what’s happening. You can check traffic, server up-or-down status, the status of RAID devices, SANs, how your cooling system is doing, how your power is doing, how many users are on each of your wireless access points, and more.

You have many tools at your disposal for using SNMP’s feature set on Mac OS X—including things like Nagios, Cacti, LanSurveyor, Lithium, and Intermapper, among hundreds of other . The setup ranges from dead simple to rather complicated, and the price ranges from free to tens of thousands of dollars. However, they all use SNMP. And that leads us to a problem: Security.

See, SNMP is unencrypted—at least, versions 1 and 2 of the protocol were. Both versions send all sorts of information about your network around in plain text, allowing anyone armed with a packet sniffer to read them. For example, here’s the data in an SNMPv2 packet during a test probe of one of my servers:

data: get-response (2)
    get-response
        request-id: 240098041
        error-status: noError (0)
        error-index: 0
        variable-bindings: 1 item
            1.3.6.1.2.1.1.3.0: 85515481
                Object Name: 1.3.6.1.2.1.1.3.0 (iso.3.6.1.2.1.1.3.0)
                Value (Timeticks): 85515481

That happens to be the amount of time that particular server had been up in hundredths of a second. Now, this is not that valuable to an attacker, but there are other kinds of SNMP queries that will tell you things like specific OS version for your servers, firmware version for your wireless access points, what processes are running on what server, and so forth. That kind of information, when taken together, can give an attacker a very detailed view of your network and its major components—not something you’d want happening. Prior to SNMPv3, about all you could do was restrict your SNMP use to behind a firewall or over a VPN, and hope for the best. If someone got in and knew what to look for, they could slurp up a lot of information in a very short time.

Obviously, proper physical and access security are parts of the answer here, but why not encrypt the protocol? I mean, you encrypt other sensitive data. You don't give out credit card information on Web sites that aren't using SSL, right? (At least I hope you don’t.) So why not add an extra layer to SNMP’s security and encrypt it?

The folks behind SNMP agreed and came up with SNMPv3. This version of SNMP is based on multiple IETF RFCs, specifically RFCs 3411 through RFC 3418; it became the “current” version of SNMP in 2004. The biggest changes in SNMPv3 involve authentication and transmission of data. In versions 1 an 2 of SNMP, there was no encryption anywhere. So while you had to have a password, aka the “community string,” it wasn’t securely stored or transmitted. If we look at the more of the packet I showed you above, we can see the community string right there, plain as day:

Simple Network Management Protocol
version: v2c (1)
community: bynkii
data: get-response (2)
    get-response
        request-id: 240098041
        error-status: noError (0)
        error-index: 0
        variable-bindings: 1 item
            1.3.6.1.2.1.1.3.0: 85515481
                Object Name: 1.3.6.1.2.1.1.3.0 (iso.3.6.1.2.1.1.3.0)
                Value (Timeticks): 85515481

The community string used here is bynkii. (For those who are interested, I used Wireshark for the packet captures. Fantastic tool.) So even if I pick a good password, anyone with a packet sniffer and a decent text editor can find it. So SNMPv3 fixes this by encrypting the passwords via flavors of either MD5 or SHA (specifically, either HMAC-MD5-96 or HMAC-SHA-96, with SHA being the recommended choice). In addition, the SNMPv3 traffic can also be encrypted via the DES encryption algorithm.

What’s the result? Let’s take a look at an SNMPv3 packet:

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
    msgID: 530815
    msgMaxSize: 65507
    msgFlags: 07
        .... .1.. = Reportable: Set
        .... ..1. = Encrypted: Set
        .... ...1 = Authenticated: Set
    msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F8880BBEF113416410E48
    1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
    Engine Enterprise ID: net-snmp (8072)
    Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
    Engine ID Data: BBEF1134
    Engine ID Data: Creation Time: Apr 22, 2008 15:48:38
msgAuthoritativeEngineBoots: 14
msgAuthoritativeEngineTime: 856044
msgUserName: snmpadmin
msgAuthenticationParameters: B30963655F7A5A23488DEDFA
msgPrivacyParameters: 00000001F74583AD
msgData: encryptedPDU (1)
    encryptedPDU: 051391661CEB7D3C9AF7B4EB5716DB68AFCBA5C722D10FC9...

If I’m an attacker, that’s kind of ...useless. I can tell SNMPv3 is in use, but that’s about it. I can’t really see any of the data in the packet, nor can I see the user ID and password used for authentication. Since I’m a systems admin, and not an attacker, though, that’s much better—SNMPv3 makes caring about passwords worth the trouble. Now, to be clear, this is all only as good as the passwords you use. If your password is PUPPIES, it’s not going to last long in the face of a dictionary attack. If it’s *(Gb5^$Mnng1, that will probably survive a bit longer.

So now, we’ve added two more layers to the mix. The user ID and password, (actually, in SNMPv1 and SNMPv2, there’s no user ID) are encrypted, and the traffic itself is encrypted. While it’s not foolproof—and I’d still not send it willy-nilly across the public Internet—it just became a lot more useless to an attacker. Which is the idea.

But that's just the backstory. What about the cool parts—namely setting up SNMPv3 and using it on Mac OS X? Fear not, good reader: that part of the story is upon us. But there are some caveats. To avoid this becoming a truly epic-length article, I’m not going to go into the basics of SNMP setup and usage. Instead, I'll refer you to an earlier article I wrote that covers SNMP basics and setup in detail. It doesn’t cover SNMPv3, but it does address SNMPv1 and v2 rather nicely. That’s important because the way you use SNMP is not radically different between versions, and there are a lot of devices that still don’t support SNMPv3 well or at all. So you’re going to have to be comfortable with the older versions of SNMP to get the most out of it.

Subscribe to the Apple @ Work Newsletter

Comments