SNMPv1, SNMPv2c, and SNMPv3 security
SNMPv1 security consists of pairing an SNMP agent with some arbitrary set of SNMP managers to form an SNMP community. Each SNMP community is given a name, called the community name or community string. Common community names are public (read-only), private (read-write), and trap (used for trap messages). The permissions (read-only or read-write) assigned to a community name determine what an SNMP manager may do to an agent's MIB when it presents that community name. Community names can be thought of as passwords to SNMPv1 agents, with one important caveat: the community name is carried in cleartext in every SNMPv1 message, so anyone who can observe the traffic, or who can guess a default such as public or private, gains the matching level of access.

Like SNMPv1, SNMPv2c uses the notion of communities to establish trust between SNMP managers and SNMP agents, and so offers no more security than SNMPv1. Unlike SNMPv1, SNMPv2c uses an updated version of the structure of management information (SMI), which extends the MIB object tree, allows several new data types, and makes a number of other changes. SNMPv2c is more efficient than SNMPv1 (for example, it adds a GetBulk operation for retrieving large tables in one exchange) and has better error-handling capabilities.
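The following is an added example, not code from the original page, showing why a community name is only a password in name: it builds a constructed SNMPv1 GetRequest with a minimal BER encoder, then parses it the way a packet sniffer would and pulls the community string straight out of the datagram. The packet contents, request ID, and the list of default community names to alert on are assumptions for illustration.

```python
"""Added example: pull the community string out of an SNMPv1/v2c packet.

Not code from the original page; a minimal BER encoder/decoder that builds a
constructed SNMPv1 GetRequest and then parses it the way a packet sniffer
would, showing the community string sitting in cleartext. Packet contents,
request ID and the default-community list are assumptions for illustration."""

# Default community names that deserve an alert when seen on the wire (assumed list).
DEFAULT_COMMUNITIES = {"public", "private", "trap"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(value: int) -> bytes:
    """INTEGER (non-negative only); the extra byte keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, body)


def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed together, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, version: int = 0,
                      request_id: int = 0x1234) -> bytes:
    """Encode Message{version, community, GetRequest-PDU{oid -> NULL}}."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _ber_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes):
    """Return (version, community or None) from a captured SNMP datagram.

    SNMPv3 carries msgGlobalData (a SEQUENCE) where v1/v2c carry the
    community OCTET STRING, so for version 3 there is nothing to extract."""
    tag, msg, _ = _ber_read(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _ber_read(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big")
    tag, second, _ = _ber_read(msg, pos)
    if version == 3 or tag != 0x04:
        return version, None
    return version, second.decode("latin-1")


def default_community_alert(packet: bytes):
    """Detection check: flag v1/v2c traffic that uses a default community."""
    version, community = extract_community(packet)
    if community in DEFAULT_COMMUNITIES:
        return f"{VERSION_NAMES.get(version, version)} uses default community '{community}'"
    return None


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(extract_community(pkt), default_community_alert(pkt))
```

Point the same `extract_community` at the UDP/161 payloads of a capture and every community string in use on the segment falls out; that is exactly what an attacker on the same network does, and what a detection rule for "default community in use" has to do.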
SNMPv3 provides integrity, authenticity, data privacy, and access control for SNMP messages exchanged between an SNMP manager and the managed SNMP agents. Unlike the community-based administrative model of SNMPv1 and SNMPv2c, SNMPv3 unambiguously identifies the source and destination of each SNMP message (by user name and SNMP engine ID). Instead of using community names to establish trust between SNMP managers and SNMP agents, SNMPv3 uses the following security-related services to establish trust:
- Authentication: The source includes information in each sent message that identifies the source as authentic and ensures message integrity. A typical authentication scheme requires that the source and destination share the same authentication key; in the User-based Security Model (USM) this is a keyed hash (HMAC) over the whole message, with the key derived from the user's password and localized to the agent's engine ID.
- Privacy: Messages are encrypted to achieve privacy, in such a way that only the intended destination can decrypt them. A typical privacy scheme requires that the source and destination share the same privacy key. USM offers no privacy without authentication: the defined security levels are noAuthNoPriv, authNoPriv, and authPriv.
- Access control: Both the source and destination play a part in access control. Each destination may have a distinct access policy for each potential source (in SNMPv3 the View-based Access Control Model, VACM, maps users to groups and groups to the MIB views they may read, write, or receive notifications from), which gives an administrator considerable flexibility in setting up an SNMP management system and assigning various levels of authorization to different users.
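The following is an added example, not code from the original page, of the shared-key authentication service described above as the User-based Security Model implements it: the password-to-key and key localization steps of RFC 3414 (appendix A), followed by the truncated-HMAC check applied to each message. The password and first engine ID are the RFC's own test vector; the second engine ID, the toy message layout, and the position of the 12-byte authentication field are assumptions for illustration.

```python
"""Added example: SNMPv3 USM shared-key derivation and HMAC-96 authentication.

Not code from the original page. It implements the password-to-key and key
localization steps of RFC 3414 (appendix A) and the truncated-HMAC check the
User-based Security Model applies to each message. The sample message layout
and the 12-byte zeroed msgAuthenticationParameters field are assumptions for
illustration; the password and first engine ID come from the RFC's test vector."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96 both truncate to 96 bits
KEY_STREAM_LEN = 1048576  # RFC 3414 A.2: hash 1 MiB of the repeated password


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: the user's password stretched and hashed (same for every agent)."""
    if not password:
        raise ValueError("empty password")
    reps = KEY_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:KEY_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): bound to one agent, so a key
    recovered from agent A does not authenticate the same user to agent B."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def sign_message(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bytes:
    """Fill msgAuthenticationParameters: HMAC over the message with that
    field zeroed, truncated to 12 bytes."""
    if msg[offset:offset + AUTH_PARAMS_LEN] != bytes(AUTH_PARAMS_LEN):
        raise ValueError("auth params field must be zero before signing")
    mac = hmac.new(kul, msg, hash_name).digest()[:AUTH_PARAMS_LEN]
    return msg[:offset] + mac + msg[offset + AUTH_PARAMS_LEN:]


def verify_message(kul: bytes, msg: bytes, offset: int, hash_name: str = "md5") -> bool:
    """Receiver side: zero the field, recompute, compare in constant time."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAMS_LEN) + msg[offset + AUTH_PARAMS_LEN:]
    expected = hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


# Constructed sample: RFC 3414 A.3.1 password and engine ID, a second engine
# ID of our own, and a toy message whose auth field sits after a 10-byte header.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("800000090300aabbccddeeff")  # assumed, not from the RFC
HEADER = b"snmpv3hdr:"  # 10 bytes; real messages carry msgGlobalData etc. here
AUTH_OFFSET = len(HEADER)


def demo(hash_name: str = "md5"):
    """Derive keys for two agents, sign a message for A, check it at A and B."""
    ku = password_to_key(PASSWORD, hash_name)
    kul_a = localize_key(ku, ENGINE_A, hash_name)
    kul_b = localize_key(ku, ENGINE_B, hash_name)
    msg = HEADER + bytes(AUTH_PARAMS_LEN) + b"get sysDescr.0"
    signed = sign_message(kul_a, msg, AUTH_OFFSET, hash_name)
    tampered = signed[:-1] + b"!"
    return {
        "ku": ku.hex(),
        "kul_a": kul_a.hex(),
        "kul_b": kul_b.hex(),
        "valid_at_a": verify_message(kul_a, signed, AUTH_OFFSET, hash_name),
        "valid_at_b": verify_message(kul_b, signed, AUTH_OFFSET, hash_name),
        "tampered_at_a": verify_message(kul_a, tampered, AUTH_OFFSET, hash_name),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when running it: the message signed for agent A fails verification at agent B even though both were configured from the same password, which is the point of localizing keys to the engine ID; and the 1 MiB stretching step is the only work factor a guessed password has to survive, so a weak SNMPv3 password is still brute-forceable from a single captured authenticated message.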