Archive for the ‘Network Management’ Category

The Case for SNMPv3

Saturday, February 13th, 2010

Reluctant to deploy SNMPv3?

Often I hear organizations complain about SNMPv3 being too complex to deploy. A lot of TCP/IP protocols in networks today have some level of complexity: encryption, hashed passwords, double authentication, shared keys, triple-handshake mechanisms, etc.
And yet SNMPv2 still sends its community strings in “clear text” over the network.

In a Cisco network, you can tighten SNMPv2 security by binding it to an ACL, but isn’t that just telling a potential hacker who the NMS systems are? I always say: Whoever owns the NMS server(s), owns the network.

Recently I deployed SNMPv3 on a Cisco network and, to my surprise and delight, found that I needed to spend only two hours on research.
The following SNMPv3 configuration is for a Cisco IOS device and it turned out to be very useful, secure and versatile for various NMS systems to manage the network.

I think the core concept to understand about SNMPv3 is users, groups and views. The online PDFs and bulletins I’ve come across so far have this in common when it comes to creating an SNMPv3 configuration.

Conceptually, here are the steps, in this exact order.

1. Assign an Engine ID for the SNMP Entity (it’s optional, but a very good idea)
2. Define a view and select a MIB
3. Define a group and tie it to a “view”
4. Define a user, add it to a group and add a password.

Example:
1. snmp-server engineID local 111100000000000000000000
2. a. snmp-server view NOCview mib-2 included
   b. snmp-server view NOCview cisco included
   c. snmp-server view NOCview v1default included
3. snmp-server group NOCengineers v3 auth write NOCview
4. snmp-server user NMSops NOCengineers v3 auth md5 passW0rd20systemX487

Of course, there are more security options available, such as using the “priv” keyword on the group. All it means is that data will be encrypted; des56 encryption is one such option.
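An added example, not part of the original post: a small Python check that walks the users, groups and views chain in an intended IOS command set and flags clear-text community strings, groups below the “priv” level, write access, and the older md5/des choices. The finding names and the sample input are constructed for illustration; because IOS hides user lines from the displayed configuration, run it over the commands you plan to push rather than a saved config.

```python
# Added example: audit the SNMP lines of an intended Cisco IOS command set.
# Constructed sample: the post's commands (password replaced by a placeholder)
# plus one v2c community line for contrast.
SAMPLE = """\
snmp-server engineID local 111100000000000000000000
snmp-server view NOCview mib-2 included
snmp-server view NOCview cisco included
snmp-server group NOCengineers v3 auth write NOCview
snmp-server user NMSops NOCengineers v3 auth md5 <auth-password>
snmp-server community <community-string> RO
"""

def after(args, keyword):
    """Return the token that follows keyword, or None if keyword is absent."""
    return args[args.index(keyword) + 1] if keyword in args[:-1] else None

def audit(config):
    """Return a sorted list of (finding, subject) tuples (names are illustrative)."""
    views, groups, users, findings = set(), {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "view":
            views.add(args[0])
        elif kind == "community":
            findings.append(("cleartext-community", "v1/v2c"))
        elif kind == "group" and len(args) >= 3 and args[1] == "v3":
            groups[args[0]] = args[2:]        # [level, "read", V, "write", V, ...]
        elif kind == "user" and len(args) >= 3 and args[2] == "v3":
            users.append((args[0], args[1], args[3:]))
    for name, (level, *opts) in groups.items():
        if level != "priv":                   # noauth/auth: payload is not encrypted
            findings.append(("no-encryption", name))
        for kw in ("read", "write", "notify"):
            view = after(opts, kw)
            if view and view not in views:    # group tied to a view never defined
                findings.append(("undefined-view", f"{name}:{view}"))
        if after(opts, "write"):              # SNMP SET allowed: confirm it is needed
            findings.append(("write-access", name))
    for name, group, opts in users:
        if group not in groups:               # user tied to a group never defined
            findings.append(("undefined-group", f"{name}:{group}"))
        if after(opts, "auth") == "md5":      # older of the md5/sha auth options
            findings.append(("md5-auth", name))
        if after(opts, "priv") in ("des", "des56"):
            findings.append(("des-privacy", name))
    return sorted(findings)
```
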

Oh yes, when you display the configuration, you won’t see any users; they’re hidden. The only way you can “see” them is through the “show snmp user” and “show snmp group” commands. I truly hope my explanation was understandable and simple enough to tame the perception of SNMPv3.
All the best.

Cheers
Pierre


FCAPS – A Brief Overview

Tuesday, October 6th, 2009

FCAPS: Faults, Configuration, Accounting, Performance, Security.

Definitions and Facts:

FCAPS is an ITU-T standard model for enterprise or network management.

The Telecommunication Standardization Sector (ITU-T) coordinates standards for telecommunications on behalf of the ITU and is based in Geneva, Switzerland. The ITU was established on 17 May 1865, and South Africa has been a member since 1910.

FCAPS is an acronym for a categorical model of the working objectives of network management.

FCAPS is also an extension of the popular network management conceptual framework called Telecommunication Management Network (TMN), which describes network management in 4 layers. Each TMN layer needs to perform some or all FCAPS functions in certain ways.

[Figure: Network Management FCAPS and TMN Model]

There are many network management technologies and protocols which address some of the FCAPS functions.

Some vendors have developed large integrated applications for network management, often providing an end-to-end solution for FCAPS functions. In reality, there will always be some room for another feature, report, or capability. It is therefore up to a proficient Network Management Architect or Engineer to integrate such applications in the best way possible according to the business needs.

The Five Domains:

  • 1. Fault management

A fault is an event which has a negative significance. The goal of fault management is to recognize, isolate, correct and log faults that occur in the network. Because faults can cause downtime or unacceptable network degradation, fault management is perhaps the most widely implemented of the ISO network management elements.

Examples:

CiscoWorks LMS – Device Fault Manager (DFM)

EMC Smarts Family

CA Spectrum

HP Openview

  • 2. Configuration management

Hardware and programming (configuration) changes, including the addition of new equipment and programs, modification of existing systems, and removal of obsolete systems and programs, are coordinated. Configuration management is also used to simplify the configuration of devices. An inventory of equipment and programs is kept and updated regularly.

Examples:

CiscoWorks LMS – Resource Manager Essential (RME)

EMC Voyence Control

  • 3. Accounting management

Often referred to as billing or allocation management. The goal is to gather usage statistics for users: to measure network utilization and the activities of individual users or groups on the network for the purpose of network usage regulation and billing. For non-billed networks, “administration” replaces “accounting”. The goals of administration are to administer the set of authorized users by establishing users, passwords, and permissions, and to administer the operations of the equipment, such as by performing software backup and synchronization.

Examples:

Cisco Access Control Server (ACS)

Mind CTI

  • 4. Performance management

The goal is to measure and make available various aspects of network performance for monitoring and optimization. The network performance variables include network throughput, user response times, and line utilization. It also helps an IT manager to prepare the network for the future, as well as to determine the efficiency of the current network, for example in relation to the investments made to set it up. Performance management also addresses error rates and response times. By collecting and analysing performance data, the network health can be monitored. Trends can indicate capacity or reliability issues before they become service affecting.

Performance thresholds can be set in order to trigger an alarm. The alarm would be handled by the normal fault management process.

Examples:

CA eHealth

Netscout

Infovista

Opnet

NetQoS (By the way: CA acquired NetQoS, Inc. for $200 million in mid-September 2009.)

  • 5. Security management

Security management is the process of controlling access to assets in the network. Data security can be achieved mainly with authentication and encryption. The aim is to control access to network resources so that the network cannot be sabotaged and sensitive information can only be accessed by those with authorization. This level also helps protect against hackers, unauthorized users, and physical or electronic sabotage. Confidentiality of user information is maintained where necessary or warranted. The security systems also allow network administrators to control what each individual authorized user can (and cannot) do with the system.

Examples:

Cisco Access Control Server (ACS)

CS-MARS
