Posts Tagged ‘privacy’
Configuring SNMPv3 on Catalyst switches
Written by jlgaddis on March 3, 2010 – 8:49 pm

Configuring SNMPv3 on Cisco Catalyst switches is pretty simple and is MUCH preferred over v1 or v2. SNMPv3 has three big benefits:
- authentication — we can be assured that the message originated from a valid source
- integrity — we can be assured that a packet has not been modified in transit
- encryption — no more plain-text SNMP data flying around our network
First off, we need to decide what hosts should be allowed to query our switch using SNMP. In my case, this is a single host with the IP address 192.0.2.13. We’ll create a new access control list (ACL) on the switch to restrict access to SNMP.
```
c3550# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c3550(config)# ip access-list standard SNMP
c3550(config-std-nacl)# permit host 192.0.2.13
c3550(config-std-nacl)# deny any log
c3550(config-std-nacl)# exit
c3550(config)#
```
Next, we’ll set the system contact and system location for the device. These values are just free text, so you can enter whatever you want. In production, you’ll likely want to use something meaningful, especially when it comes to the device location.
```
c3550(config)# snmp-server location Bloomington, IN, USA
c3550(config)# snmp-server contact jeremy@evilrouters.net
```
Now, we want to create a “view” that restricts what data our SNMP user will be able to access. I’ll create a view named “MIB-2” and allow access to the “mib-2” MIB.
```
c3550(config)# snmp-server view MIB-2 mib-2 included
```
With our view created, we’ll create a group (“READONLY”) and assign it the read view that we just created.
```
c3550(config)# snmp-server group READONLY v3 priv read MIB-2
```
Our last step is to actually create an SNMPv3 user. Here, I’ll create a user named “cacti” with randomly generated authentication and privacy passwords (used for authentication and encryption). We’ll use the HMAC SHA algorithm for authentication and 128-bit AES encryption. In addition, we’ll associate the “SNMP” ACL that we created earlier with this user.
Note #1: The passwords used here were randomly generated using “pwgen 16 2” on FreeBSD.
Note #2: I’ve broken this command up over two lines, but the whole thing should be entered on one line.
```
c3550(config)# snmp-server user cacti READONLY v3 auth sha 5mJwYWFmjcgHVEP8
    priv aes 128 16Y8HHbd81nHJgYq access SNMP
```
Exit global configuration mode and save the config.
```
c3550(config)# end
c3550# wr
Building configuration...
[OK]
c3550#
```
We should be all set. To verify, I’ll test with “snmpget” on my FreeBSD box (192.0.2.13), which is permitted by the “SNMP” ACL I created.
```
[jlgaddis@homer ~]$ snmpget -v 3 -u cacti -l authPriv -a sha -A 5mJwYWFmjcgHVEP8 \
    -x aes -X 16Y8HHbd81nHJgYq 198.18.0.2 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: jeremy@evilrouters.net
```
That’s all there is to setting up SNMPv3. Now stop using the insecure v1 and v2 on your production networks!
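A quick way to check a config for the things this post is fixing (v1/v2c communities, v3 groups without privacy, MD5/DES, users not tied to an ACL). This is an added example, not part of the original post; the sample lines are constructed from the commands above with placeholder passwords. One caveat: IOS does not list `snmp-server user` in the running-config (it is stored separately; see `show snmp user`), so feed this the commands as typed.

```python
import re

# Added example, not from the post: audit Cisco IOS-style SNMP commands for
# the weaknesses the post warns about. Caveat: IOS does not show
# "snmp-server user" lines in the running-config (see "show snmp user"),
# so feed it the commands as typed, as done with the constructed SAMPLE.
COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?", re.I)
GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)
USER = re.compile(
    r"^snmp-server user (\S+) (\S+) v3 auth (md5|sha\S*) \S+"
    r"(?: priv (des|3des|aes)(?: (128|192|256))? \S+)?(?: access (\S+))?", re.I)

def audit_snmp_config(config: str) -> list[str]:
    """Return one finding per weakness; an empty list means nothing flagged."""
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := COMMUNITY.match(line):
            mode = (m.group(2) or "RO").upper()          # IOS defaults to RO
            sev = "CRITICAL" if mode == "RW" else "HIGH"
            findings.append(f"{sev}: v1/v2c community '{m.group(1)}' ({mode}); use v3 instead")
        elif m := GROUP.match(line):
            if m.group(2).lower() != "priv":
                findings.append(f"HIGH: v3 group '{m.group(1)}' is '{m.group(2)}' (no encryption)")
        elif m := USER.match(line):
            user, auth = m.group(1), m.group(3).lower()
            priv, acl = (m.group(4) or "").lower(), m.group(6)
            if auth == "md5":
                findings.append(f"MEDIUM: user '{user}' authenticates with MD5; prefer SHA")
            if not priv:
                findings.append(f"HIGH: user '{user}' has no privacy protocol (authNoPriv)")
            elif priv != "aes":
                findings.append(f"MEDIUM: user '{user}' encrypts with {priv.upper()}; prefer AES")
            if not acl:
                findings.append(f"HIGH: user '{user}' is not bound to an access list")
    return findings

# Constructed sample: the post's own commands plus two deliberately weak lines.
SAMPLE = """
snmp-server community public RW
snmp-server view MIB-2 mib-2 included
snmp-server group READONLY v3 priv read MIB-2
snmp-server group LEGACY v3 auth read MIB-2
snmp-server user cacti READONLY v3 auth sha AUTHPASS priv aes 128 PRIVPASS access SNMP
snmp-server user legacy LEGACY v3 auth md5 AUTHPASS
"""

if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE):
        print(finding)
```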
Tags: cisco, labs, networking, privacy, security | No Comments »
The Most Dangerous Person in the World?
Written by jlgaddis on April 8, 2009 – 4:50 am

Executive Summary of John Goekler’s “The Most Dangerous Person in the World?”
“The things we fear most may be least likely to occur, which means the time, trauma and treasure we invest in them is a complete waste.
Security itself is an illusion. It is a perception that exists only between our ears. No army, insurance policy, hazmat team, video surveillance or explosive sniffer can protect us from our own immune system, a well-intentioned but clumsy surgeon, failing to look before crossing the street, an asteroid randomly hurtling through space or someone willing to die in order to do others harm.
In this sense, the only things that can truly make us more “secure” are not things. They are the courage to face whatever comes with dignity and intention, and the strong relationships that assure we will face the future together, and find comfort and meaning in doing so.
Imagine, then, what might happen if we simply quit listening to the scaremongers and those who profit from our paranoia. Imagine what the world could look like if we made a conscious choice to live out whatever time we have with courage, compassion, service and joy.
Terrorism is an act of the weak. But so is walking through the airport in our socks.
We can make better choices.”
Tags: government, life, politics, privacy, security | No Comments »
Judge orders defendant to decrypt PGP-protected laptop
Written by jlgaddis on March 20, 2009 – 8:20 pm

![photo of PGP whole disk encryption](http://farm4.static.flickr.com/3107/3107414707_e529c42258.jpg)
I believe in security and privacy on the intarwebz. I also use PGP for e-mail and whole disk encryption (more to protect data in the event my devices are lost or stolen than to “hide” anything). Because of that, this is kinda scary:
A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age. In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted. “Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.
There is, of course, the alternative: =)
Tags: government, law, privacy, security | No Comments »
SNMPv3 Configuration for ProCurve 5400s
Written by jlgaddis on December 22, 2008 – 2:50 am

I found myself recently setting up new HP ProCurve 5400 switches in production. Because I’m a network guy, I like to keep an eye on them (interface counters, traps, etc.), thus setting up SNMPv3 was necessary. In addition, these devices come (“out of the box”) with a default read-write community string set to — you guessed it — “public”, open to anywhere. That had to be taken care of first.
Setting up SNMPv3:
First, let’s set some basic information so we can track this device amongst all the others:
```
SWITCH1# conf
SWITCH1(config)# snmp-server location S123
SWITCH1(config)# snmp-server contact jlgaddis
```
Next, we’ll enable SNMPv3 which, on these 5400s, also has the effect of creating an “initial” user:
```
SWITCH1(config)# snmpv3 enable
SNMPv3 Initialization process.
Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: ******
Privacy protocol is DES
Enter privacy password: ******
User 'initial' is created
Would you like to create a user that uses SHA? n
User creation is done.
SNMPv3 is now functional.
Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmp restrict-access'): y
```
What happened here is that an SNMPv3 user (with username “initial”) was automatically created for us. We were prompted for the authentication password and privacy password (note that the protocols were automatically chosen). At this point, I just entered “123456” as I have plans to delete that user anyway. I went ahead and answered “y” to the last question, but I’ll be turning off SNMPv1 and SNMPv2 in a moment regardless.
Let’s configure our switch to only run SNMPv3 and go ahead and create a new SNMPv3 user as well:
```
SWITCH1(config)# snmpv3 only
SWITCH1(config)# snmpv3 restricted-access
SWITCH1(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
```
Here I was setting up a user so that my “graphing application” of choice, cacti, can communicate with the switch to retrieve interface statistics. Substitute your own authentication password and privacy passwords above (“AUTHPASS” and “PRIVPASS”). You can change the protocols as well, if you’d like, to MD5 and DES, respectively. I prefer to go the “high security” route whenever possible, however, so that’s what I opted for here. Be sure your management software is compatible with these settings!
Now, we need to assign our “cacti” user to a group that’s appropriate for the level of access we want it to have. I won’t describe all of the ones available (see Chapter 14 of the Management and Configuration Guide for that), but the one I want (in this case) is “operatorauth”. This group provides for “operator” level access (a.k.a. “unprivileged”) and requires authentication. We’ll also specify “sec-model ver3” as an SNMPv3 access group should only use the ver3 security model:
```
SWITCH1(config)# snmpv3 group operatorauth user cacti sec-model ver3
```
Okay, almost there! Now we just need to allow SNMP access to the switch from the host that cacti is running on. In my case, it’s 172.30.144.17:
```
SWITCH1(config)# ip authorized-managers 172.30.144.17 255.255.255.255 access operator access-method snmp
```
You can change that, of course, to your own IP address (or whole networks — be sure to change the netmask, however).
At this point, we should be good to go. We could add the device into cacti’s web interface and within a few polling cycles we’ll start to see interface traffic statistics, such as this (from another device):

Finally, there’s one more step that might be necessary, depending upon your switch’s configuration. Because my switch has a loopback address assigned to it, that’s the IP address I want to tell cacti to poll. This method will still allow the switch to be reachable if one (or more) of its interfaces go down (there are multiple routes to it). By default, the ProCurve 5400 will respond to SNMP requests with a source IP address of the interface that the requests were received on, and NOT a source IP matching the original destination of the requests:
```
SWITCH1(config)# snmp-server response-source dst-ip-of-request
```
…and that’s it! We can now “speak” SNMPv3 (and ONLY SNMPv3) to our switch. In addition, only the “cacti” user can access it, and only from 172.30.144.17.
That’s a helluva lot better than the default read-write “public” community string that’s accessible from anywhere, huh!?
UPDATE: I forgot the part where I deleted the “initial” user that was created automatically for us. Here’s how that’s done:
```
SWITCH1(config)# no snmpv3 user initial
```
Easy enough!
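What the switch actually stores for AUTHPASS and PRIVPASS (in this post and the Catalyst one) is not the password but a key derived from it and bound to the device’s snmpEngineID, which is why a key read off one switch does not work against another configured with the same passwords. The following is an added example, not part of the original post, implementing the RFC 3414 password-to-key and key-localization steps with Python’s hashlib; it assumes the MD5/SHA-1 and AES-128 choices discussed above, uses the RFC 3414 appendix A.3 “maplesyrup” test vector, and the second engineID is constructed.

```python
import hashlib

# Added example, not from the post: RFC 3414 section 2.6 / appendix A.2.
# A USM password is expanded to 1 MiB and hashed (Ku), then "localized"
# to the agent's snmpEngineID: Kul = H(Ku || engineID || Ku). The switch
# stores Kul, so one password yields a different key on every device.
MEGABYTE = 1_048_576

def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku: digest of the password repeated cyclically to exactly 1 MiB."""
    pw = password.encode()
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul: bind Ku to one engine so it is useless against other agents."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def usm_keys(auth_pw: str, priv_pw: str, engine_id: bytes,
             hash_name: str = "sha1") -> tuple[bytes, bytes]:
    """(authKey, privKey) as the agent stores them for an "auth sha ... priv aes 128"
    user. RFC 3826: the AES-128 key is the first 16 bytes of the localized key."""
    auth_key = localize_key(password_to_key(auth_pw, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_key(priv_pw, hash_name), engine_id, hash_name)[:16]
    return auth_key, priv_key

if __name__ == "__main__":
    # RFC 3414 appendix A.3 vector: password "maplesyrup", engineID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    other_engine = bytes.fromhex("8000000903001122334455")  # constructed
    for name in ("md5", "sha1"):
        ku = password_to_key("maplesyrup", name)
        print(name, "Ku =", ku.hex(), "Kul =", localize_key(ku, rfc_engine, name).hex())
    a1, p1 = usm_keys("AUTHPASS", "PRIVPASS", rfc_engine)
    a2, p2 = usm_keys("AUTHPASS", "PRIVPASS", other_engine)
    print("same passwords, different engines:", a1 != a2, p1 != p2)
```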
Tags: hp, networking, privacy, security, work | 1 Comment »
mccain campaign laptop stolen
Written by jlgaddis on October 3, 2008 – 1:23 pm

computer world is reporting that:
a laptop containing “strategic information” was stolen from a campaign field office of presidential contender John McCain.
The laptop contained “strategic information for the [Republican party] on how we are going to reach out to people in the Kansas City area.”
i guess they’ve never heard of pgp or whole disk encryption, in general, both of which i use and recommend.
Tags: politics, privacy, security, software, stupid | No Comments »