
SNMP User-Based Security Model

Reference Number: AA-02169

LumenVox version 15.1 added support for secure SNMP (SNMPv3), which also introduced support for the corresponding User-Based Security Model (USM) profiles.

USM Profiles are secure username and password combinations that can be used both to authenticate and to secure (encrypt) SNMPv3 communication.

From the Manager Configuration page, you can select the "Edit USM Profiles" button to display the SNMP USM Configuration page, as shown below.


Any current USM profiles are listed at the top, with options to add new profiles as needed. The image above shows the details of adding a new USM Security Profile.

The profile name is used to refer to the profile and should be something meaningful to you.


AUTH Protocol

The AUTH Protocol can be one of the following selections:

  • None
  • HMAC-MD5
  • HMAC-SHA
  • HMAC-128-SHA-224
  • HMAC-192-SHA-256
  • HMAC-256-SHA-384
  • HMAC-384-SHA-512

The selected AUTH Protocol is used when authenticating the USM. 

Selecting the None option for AUTH Protocol does not perform any authentication, and is therefore not recommended, since the USM would not be secure, leaving the SNMP communication vulnerable. Also note that if "None" is selected as the AUTH Protocol, AUTH Password will be disabled and all PRIV Protocol (encryption) options will also be disabled.

The AUTH Password should be a strong password or passphrase between 8 and 32 characters in length - this is used in conjunction with the AUTH Protocol to perform authentication of SNMPv3 messages.


PRIV Protocol

PRIV Protocol can be one of the following selections:

  • None
  • DES
  • AES128

The selected PRIV Protocol is used to encrypt the contents of SNMPv3 messages after authentication has been performed.

Selecting the None option for PRIV Protocol disables encryption of SNMPv3 messages and is therefore not recommended.

The PRIV Protocol Password should be a strong password or passphrase between 8 and 32 characters in length - this is used with the PRIV Protocol to perform encryption of SNMPv3 messages.


Editing USM Profiles

You can select an existing USM Profile (Security Name) to display its details, which allows you to then modify the various settings and passwords associated with it. You can press the "Update Entry" button to apply changes, or "Cancel" to discard any changes. You may also click the "Delete Entry" button to remove the USM Profile from the manager.

Note that once AUTH or PRIV Passwords have been entered, they cannot be viewed later - this is a security measure. The only option available is to change these passwords if the original values are lost.

Also note that whenever USM profiles are added or edited, the Manager service needs to be restarted for these to be synchronized and enforced.


Security Level

The main list of USM Security Names (profiles) shows the name of each profile, and below each is a summary of the Security Level associated with the profile, as shown below:


Security Levels describe what type of security is applied to each profile. In the above examples, you can see that the first two profiles are assigned "AuthPriv", meaning that both Authentication and Privacy (encryption) are enabled. The THIRDPROFILE does not have any authentication or privacy associated with it (this is not recommended).
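
The rules above can be checked before profiles are entered in the Manager. The following is an added example, not LumenVox code: it derives the Security Level from each AUTH/PRIV selection and reports the settings this page marks as not recommended. The profile dictionary layout, the EXAMPLE_* names and the passwords are constructed placeholders, and the level names noAuthNoPriv and authNoPriv are the standard SNMPv3 terms (the page itself only shows "AuthPriv").

```python
AUTH_PROTOCOLS = {"None", "HMAC-MD5", "HMAC-SHA", "HMAC-128-SHA-224",
                  "HMAC-192-SHA-256", "HMAC-256-SHA-384", "HMAC-384-SHA-512"}
PRIV_PROTOCOLS = {"None", "DES", "AES128"}

def security_level(auth, priv):
    """Map an AUTH/PRIV protocol pair to its SNMPv3 security level."""
    if auth == "None":
        return "noAuthNoPriv"
    return "authNoPriv" if priv == "None" else "authPriv"

def password_ok(pw):
    """The page asks for a password of 8 to 32 characters."""
    return pw is not None and 8 <= len(pw) <= 32

def audit_profile(p):
    """Return (security level, findings) for one profile dict."""
    auth, priv = p.get("auth", "None"), p.get("priv", "None")
    findings = []
    if auth not in AUTH_PROTOCOLS:
        findings.append(f"unknown AUTH Protocol {auth!r}")
    if priv not in PRIV_PROTOCOLS:
        findings.append(f"unknown PRIV Protocol {priv!r}")
    if auth == "None":
        findings.append("no authentication (not recommended)")
        if priv != "None":  # the UI disables PRIV options in this case
            findings.append("PRIV Protocol set without AUTH Protocol")
    else:
        if not password_ok(p.get("auth_password")):
            findings.append("AUTH Password must be 8-32 characters")
        if priv == "None":
            findings.append("no encryption (not recommended)")
        elif not password_ok(p.get("priv_password")):
            findings.append("PRIV Password must be 8-32 characters")
    return security_level(auth, priv), findings

# Constructed sample profiles; names (except THIRDPROFILE, from the page)
# and passwords are placeholders.
SAMPLE_PROFILES = [
    {"name": "EXAMPLE_OPS", "auth": "HMAC-192-SHA-256", "priv": "AES128",
     "auth_password": "example-auth-pass", "priv_password": "example-priv-pass"},
    {"name": "EXAMPLE_MON", "auth": "HMAC-SHA", "priv": "None",
     "auth_password": "short"},
    {"name": "THIRDPROFILE", "auth": "None", "priv": "None"},
]

if __name__ == "__main__":
    for prof in SAMPLE_PROFILES:
        level, findings = audit_profile(prof)
        print(f"{prof['name']:<14}{level:<14}{'; '.join(findings) or 'ok'}")
```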