Security Pack - to implement SNMPv3

By providing SNMPv3 support, the SNMP Security Pack offers NNM and IBM Tivoli customers, among others, the benefits of a comprehensive approach to management security, including authentication, authorization, access control, data integrity, key management, and encryption options. Security Pack allows NNM and IBM Tivoli customers to use set commands to alter device or network configuration in a secure fashion and to add security to other sensitive SNMP transactions, such as the exchange of network topology between multiple NNMs or other management applications.

Architecture

Security Pack architecture

Overview

The SNMP Security Pack supports two local configuration datastores (LCDs), one of which is used by the BRASS server and the other by the EMANATE® Master Agent. The LCDs provide access control table parameters, as well as parameters for configuring trap destinations. The SNMP Security Pack contains the following products:

  • Bilingual Request and Security Subsystem (BRASS™) allows the manager applications to support secured communications via SNMPv3. BRASS provides a C programming API that allows one or many management applications to access a single, shared SNMP stack and security database.
  • EMANATE® Master Agent offers an SNMPv3 agent, so that SNMPv3 management can be performed. EMANATE also assists in configuring the manager's datastore. EMANATE is a run-time extensible, SNMP agent based upon a Master Agent/Subagent architecture, which allows for subagents to be loaded and unloaded dynamically at run-time.
  • The SNMPv3 Configuration Wizard guides the user through all the steps for configuration of SNMPv3 security.

Security Mechanisms

By employing SNMPv3, Security Pack offers five main types of threat protection (shown below).

Threat: Protection

  • Masquerade: Verifies the identity of the message's origin by checking the integrity of the data.
  • Modification of Information: Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp.
  • Message Stream Modification: Thwarts replay attacks by checking message stream integrity, including a time stamp.
  • Disclosure: Prevents eavesdropping by protocol analyzers, etc. by using encryption.
  • Unauthorized Access: Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an Access Control Table. (Supports policy-based management.)

Table 1: Security Threats and Protection

To deploy sophisticated security mechanisms such as those provided by SNMPv3, each management application must have access to the LCD that includes "secrets" shared with an agent. As a result, each copy of the manager must coordinate its use of the LCD and secrets with other managers and/or SNMPv3 entities. Security Pack provides this coordination transparently by maintaining the SNMPv3 datastore and by performing SNMP operations at NNM's (or another management application's) request. This prevents multiple NNMs or other SNMPv3 applications from conflicting in their use of the security datastore.
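As an added illustration of the mechanisms in Table 1 and of why a shared secret must be held per agent (this is example code written for this page, not part of Security Pack, BRASS or EMANATE), the following Python implements three User-based Security Model building blocks from RFC 3414: pass-phrase-to-key derivation with per-engine localization, the truncated HMAC that counters masquerade and modification, and the time-window check that counters replay. The message bytes are constructed, not real BER-encoded SNMP.

```python
import hashlib
import hmac

# Constants from RFC 3414 (the USM that SNMPv3 authentication rests on)
TIME_WINDOW = 150           # seconds of clock skew tolerated between manager and agent
MAX_BOOTS = 2147483647      # once snmpEngineBoots reaches this, the engine refuses all traffic
AUTH_PARAM_LEN = 12         # HMAC-MD5-96 and HMAC-SHA-96 keep the first 12 octets of the MAC


def password_to_key(password: str, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Derive the localized key Kul from a pass-phrase (RFC 3414 A.2 password-to-key)."""
    pw = password.encode()
    # Step 1: hash the pass-phrase repeated cyclically to exactly 1,048,576 octets -> Ku
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.new(hashname, stretched).digest()
    # Step 2: localize to one agent, Kul = H(Ku || snmpEngineID || Ku); the same
    # pass-phrase therefore yields a different secret on every agent
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, hashname: str = "md5") -> bytes:
    """msgAuthenticationParameters: truncated HMAC over the message (auth field zeroed)."""
    return hmac.new(kul, whole_msg, hashname).digest()[:AUTH_PARAM_LEN]


def verify_auth(kul: bytes, whole_msg: bytes, received: bytes, hashname: str = "md5") -> bool:
    """Masquerade / modification check: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, whole_msg, hashname), received)


def in_time_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Replay (message stream modification) check as done by the authoritative engine,
    RFC 3414 section 3.2 step 7b: boots must match and time must be within 150 s."""
    if local_boots == MAX_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


if __name__ == "__main__":
    # Constructed sample using the RFC 3414 A.3 test-vector pass-phrase and engine ID
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = password_to_key("maplesyrup", engine_id)
    msg = b"constructed SNMPv3 message with zeroed auth field"   # not real BER
    mac = auth_params(kul, msg)
    print("authentic:", verify_auth(kul, msg, mac))
    print("tampered: ", verify_auth(kul, msg + b"!", mac))
    print("fresh:    ", in_time_window(3, 1000, 3, 1100))
    print("replayed: ", in_time_window(3, 1000, 2, 1100))
```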

Authentication and Privacy

Quick and Easy Security Configuration: The SNMPv3 Configuration Wizard makes configuration of SNMPv3-based agents and managers quick and easy. The Wizard is a stand-alone Java application that guides the user through all the steps for configuration of SNMPv3 security including: establishment of a secure connection for initial configuration, addition of new users, configuration of pass-phrases, set-up of fine-grained access control policies, and definition of notification destinations (SNMP-based managers). The Wizard is also an excellent tool for gaining a basic understanding of how the SNMPv3 administrative model works.

Features include:

  • Create, modify, or delete SNMPv3 USM users
  • Create, modify, or delete SNMPv1 and SNMPv2c community strings
  • Define security groups and access views
  • Define notification destinations

Specifying Authorization Privileges: Users are assigned a "Profile" or group, which determines the permissions granted to that user. These permissions are defined in an SNMPv3-based access control table stored in the agent LCD. The user profile is associated with a password. As a result, one password supports both authentication (checking the user's identity) and authorization (discerning which actions the user is allowed to perform, and on what MIB variables). An optional second Privacy Password is entered if encryption is to be used.

Summary

Using SNMP Security Pack, SNMPv3 is easy to configure and use, and memory requirements are minimized. Most importantly, SNMP Security Pack enables smooth coexistence and transition from SNMPv1, preserving the vast customer investment in SNMP-based management. In summary, the SNMP Security Pack provides several important benefits to our customers:

  • Multifaceted security management, including authentication, privacy, and authorization/access control
  • Support for SNMPv1, SNMPv2c, and SNMPv3 simultaneously and transparently
  • Simplification of SNMPv3 security agent configuration files for all NNMs and SNMPv3 managed nodes
  • Hiding of SNMPv3 clock synchronization details
  • Sensitivity to the memory constraints and ease-of-use requirements relevant to agents, management stations, and administrators