Setting up and using SNMPv3 on OS X
If you look at the usage syntax for the various snmp commands (just enter the command name without any options, and you get more info than you will out of the man pages), and you have a little familiarity with SNMP, then using SNMPv3 is pretty straightforward. You’ll need to specify the SNMP version (3), the SNMPv3 user name, the authlevel (I use authPriv, which sets it all up nicely), the authentication mechanism, the encryption protocol, and the passwords for authentication and encryption. For example, if you wanted to securely get a list of every SNMP option on a server named “test,” the snmpwalk command would look like this:
snmpwalk -v 3 -u snmpv3test -l authPriv -a MD5 -A 78Y+-0u1# -x DES -X 78Y+-0u1# test.bynkii.com .1
The command is “walk the SNMP tree using version 3 (-v 3), with a user name of snmpv3test (-u snmpv3test), an authentication level of authPriv (-l authPriv), set the authentication mechanism to MD5 (-a MD5), with an authentication password of 78Y+-0u1# (-A 78Y+-0u1#), set the encryption protocol to DES (-x DES), with an encryption password of 78Y+-0u1# (-X 78Y+-0u1#), on test.bynkii.com, and start at the very beginning of the SNMP tree (.1).”
Running that will get you the same results as using snmpwalk with earlier versions of SNMP, but it will be done in a secure manner. Yes, the passwords in the command line are not blanked out, but that’s common with this kind of command, and makes it far easier to integrate SNMPv3 into different monitoring tools. Again, the idea here isn’t “Top Secret” level security, just “more secure than SNMPv1 and v2.” Since SNMP commands tend to be really similar, if you just wanted to get the uptime of test.bynkii.com with snmpv3, you'd use:
snmpget -v 3 -u snmpv3test -l authPriv -a MD5 -A 78Y+-0u1# -x DES -X 78Y+-0u1# test.bynkii.com .1.3.6.1.2.1.1.3.0
While the commands aren’t as simple as point and click, having them all use similar syntax makes things much easier.
The two biggest issues I run into with SNMPv3 are setup and ubiquity. For example, while setting up SNMPv3 on Mac OS X and most other Unix systems is pretty straightforward, setting it up on various routers and switches can be nightmarish, since they all have to have their own terms and their own syntax.
The other issue is ubiquity. On the high end, SNMPv3 support is fairly standard. However, on mid- to low-end devices, support gets weaker. As well, at least up through Windows Server 2003 R2, I’ve yet to find native SNMPv3 support on Windows at all. Server 2008 may change this, or it may be really well hidden. Either way, Windows has been the biggest fly in the SNMPv3 ointment.
As well, you’re going to find that while the commands and data transfer are pretty secure, setting up the commands and the various monitoring utilities is not. My two favorites, Nagios and Cacti, both support and use SNMPv3, but they store the passwords in plain text form. So you still have to deal with security on the systems running your monitoring tools so that an attacker doesn’t break into them and get your SNMPv3 authentication data.
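Both the passwords visible on the command line and the plain-text storage in monitoring tools come down to file permissions on the monitoring host. The following is an added example, not part of the original article: it moves the same settings into a per-user net-snmp snmp.conf that only its owner can read, and checks that a credentials file is not readable by group or other. The function names and the passphrases in the demo are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). The directive names are the
# net-snmp snmp.conf equivalents of the -v/-u/-l/-a/-A/-x/-X flags.

# write_snmp_conf DIR USER AUTHPASS PRIVPASS   (hypothetical helper)
# Writes DIR/snmp.conf readable only by its owner. DIR is normally ~/.snmp.
write_snmp_conf() {
    dir=$1 user=$2 authpass=$3 privpass=$4
    # net-snmp rejects USM passphrases shorter than 8 characters; fail early.
    if [ "${#authpass}" -lt 8 ] || [ "${#privpass}" -lt 8 ]; then
        echo "passphrases must be at least 8 characters" >&2
        return 1
    fi
    (
        umask 077                      # new directory 0700, new file 0600
        mkdir -p "$dir" || exit 1
        rm -f "$dir/snmp.conf"         # recreate so the umask sets the mode
        cat > "$dir/snmp.conf" <<EOF
defVersion 3
defSecurityName $user
defSecurityLevel authPriv
defAuthType MD5
defAuthPassphrase $authpass
defPrivType DES
defPrivPassphrase $privpass
EOF
    )
}

# conf_is_private FILE   (hypothetical helper)
# Succeeds only if FILE has no group or other permission bits set. Run it
# against any file where a monitoring tool keeps SNMPv3 passphrases.
conf_is_private() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demo with constructed values: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_snmp_conf "$d" snmpv3test 'constructed-auth-pass' 'constructed-priv-pass'
    conf_is_private "$d/snmp.conf" && echo "snmp.conf is owner-only"
    rm -rf "$d"
fi
```

With the file written to ~/.snmp, the earlier walk shortens to snmpwalk test.bynkii.com .1 and the passphrases no longer show up in the process list or shell history.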
As I said in my earlier SNMP article on my own site, I’m not going to pretend that this is a complete look at SNMPv3. Nor am I going to pretend that you can just read this article and be fluent in SNMP. If you already were using SNMP and wanted to add SNMPv3 to the mix, then this article should provide you with a good start. If you are completely new to SNMP, then please go back and read my earlier article first. Doing anything beyond the very superficial with SNMP is almost impossible without really knowing about things like OIDs, MIBs and a few other terms. However, once you do get comfortable with how and why SNMP works, you can do some pretty cool stuff with it that will make running your network far easier.
[John C. Welch is a senior systems administrator for The Zimmerman Agency, and a long-time Mac IT pundit.]