Top
of pageIntro ( wikipedia )
Details ( from microsoft )
The Protocol : SNMP http://tools.ietf.org/html/rfc1157#page-2
| Layer | Protocols |
|---|---|
| Application | DNS, TLS/SSL, TFTP, FTP, HTTP, IMAP, IRC, NNTP, POP3, SIP, SMTP, SNMP, SSH, TELNET, BitTorrent, RTP, rlogin, … |
| Transport | TCP, UDP, DCCP, SCTP, IL, RUDP, … |
| Network | IP (IPv4, IPv6), ICMP, IGMP, ARP, RARP, … |
| Link | Ethernet, Wi-Fi, Token ring, PPP, SLIP, FDDI, ATM, DTM, Frame Relay, SMDS, … |
The simple network management protocol (SNMP) forms part of the internet protocol suite as defined by the Internet Engineering Task Force. The protocol is used by network management systems for monitoring network-attached devices for conditions that warrant administrative attention.
Contents[hide] |
The SNMP's extensible design is achieved with management information bases (MIBs), which specify the management data of a device subsystem, using a hierarchical namespace containing object identifiers, implemented via ASN.1. The MIB hierarchy can be depicted as a tree with a nameless root, the levels of which are assigned by different organizations. This model permits management across all layers of the OSI reference model, extending into applications such as databases, email, and the Java EE reference model, as MIBs can be defined for all such area-specific information and operations.
SNMP framework consists of master agents, subagents and management stations.
A master agent is a piece of software running on an SNMP-capable network component (say, a router) that responds to SNMP requests made by a management station. Thus it acts as a server in client-server architecture terminology or as a daemon in operating system terminology. A master agent relies on subagents to provide information about the management of specific functionality. Master agents can also be referred to as Managed objects.
A subagent is a piece of software running on an SNMP-capable network component that implements the information and management functionality defined by a specific MIB of a specific subsystem (e.g., the ethernet link layer). Some capabilities of the subagent are gathering information from managed objects, configuring parameters of the managed objects, responding to managers' requests, and generating alarms (or traps).
The manager or management station is the final component in the SNMP architecture. It functions as the equivalent of a client in the client-server architecture. It issues requests for management operations on behalf of an administrator or application, and receives traps from agents as well.
The SNMP protocol operates at the application layer (layer 7) of the OSI model. It specifies (in version 1) five core protocol data units (PDUs):
Other PDUs were added in later versions, including:
Typically, SNMP uses UDP ports 161 for the agent and 162 for the manager. The Manager may send Requests from any available ports (source port) to port 161 in the agent (destination port). The agent response will be given back to the source port. And the Manager will receive traps on port 162. The agent may generate trap from any available port.
The first RFCs for SNMP, now known as Simple Network Management Protocol version 1, appeared in 1988:
These protocols were obsoleted by:
Version 1 has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext. The '80s design of SNMP V1 was done by a group of collaborators who viewed the officially sponsored OSI/IETF/NSF (National Science Foundation) effort (HEMS/CMIS/CMIP) as both unimplementable in the computing platforms of the time as well as potentially unworkable. SNMP was approved based on a belief that it was an interim protocol needed for taking steps towards large scale deployment of the Internet and its commercialization. In that time period Internet standard authentication/security was both a dream and discouraged by focused protocol design groups.
Version 2 was not widely adopted due to serious disagreements over the security framework in the standard.
Simple Network Management Protocol version 2 (RFC 1441–RFC 1452), also known as SNMP v2 or SNMP v2p, revises version 1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. It introduced GETBULK, an alternative to iterative GETNEXTs for retrieving large amounts of management data in a single request. However, the new party-based security system in SNMP v2, viewed by many as overly complex, was not widely accepted. Community-Based Simple Network Management Protocol version 2, or SNMP v2c, is defined in RFC 1901–RFC 1908. In its initial stages, this was also informally known as SNMP v1.5. SNMP v2c comprises SNMP v2 without the controversial new SNMP v2 security model, using instead the simple community-based security scheme of SNMP v1. While officially only a "Draft Standard", this is widely considered the de facto SNMP v2 standard.
User-Based Simple Network Management Protocol version 2, or SNMP v2u, is defined in RFC 1909–RFC 1910. This is a compromise that attempts to offer greater security than SNMP v1, but without incurring the high complexity of SNMP v2. A variant of this was commercialized as SNMP v2*, and the mechanism was eventually adopted as one of two security frameworks in SNMP v3.
The Internet Engineering Task Force (IETF) recognizes Simple Network Management Protocol version 3 as defined by RFC 3411–RFC 3418 (also known as STD0062) as the current standard version of SNMP as of 2004. The IETF considers earlier versions as "Obsolete" or "Historical".
In practice, SNMP implementations often support multiple versions: typically SNMPv1, SNMPv2c, and SNMPv3. See RFC 3584 "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework".
The output below is taken from snmpwalk (a Net-SNMP application) performed on a router, and shows general information about the device.
snmpwalk -c public punch system SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Thu 12-Jun-03 15:49 by eaarm SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.187 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (835747999) 96 days, 17:31:19.99 SNMPv2-MIB::sysContact.0 = STRING: wikiuser SNMPv2-MIB::sysName.0 = STRING: punch SNMPv2-MIB::sysLocation.0 = STRING: test SNMPv2-MIB::sysServices.0 = INTEGER: 78 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
A lot of data about the performance, load and error rates of network elements like routers and switches can be gathered through SNMP. There are a number of tools which gather this data on a regular basis and which can produce various kinds of graphs from it. Such graphs can be interpreted by network adminstrators to evaluate a network's performance, identify (potential) bottlenecks and help in (re)designing a network.
Example tools of this type are Multi Router Traffic Grapher and Cacti.
SNMP by itself is simply a protocol for collecting and organizing information. Most toolsets implementing SNMP offer some form of discovery mechanism, a standardized collection of data common to most platforms and devices, to get a new user or implementor started. One of these features is often a form of automatic discovery, where new devices discovered in the network are polled automatically. For SNMPv1 and SNMPv2c, this presents a security risk, in that your SNMP read communities will be broadcast in cleartext to the target device. While security requirements and risk profiles vary from organization to organization, care should be taken when using a feature like this, with special regard to common environments such as mixed tenant datacenters, server hosting and colocation facilities, and similar environments.
SNMP implementations vary across platform vendors. In some cases, SNMP is often an added feature, and not an element of the core design. SNMP's tree structure and linear indexing may not always mate well with the internal data structures that are elements of a platform's basic design. Using SNMP to query certain data sets may result in high CPU utilization that has negative effects on operation. One example of this would be large routing tables, such as BGP or IGP.
Modular devices may renumber their indexes whenever slotted hardware is added or removed. Index values are typically assigned at boot time and remain fixed until the next reboot. Hardware added while the device is 'live' may have their indexes assigned at the end of the existing range, only to be reassigned at the next reboot, causing a massive shift for all hardware objects that are polled *after* the new addition. Network inventory and monitoring tools may then experience corruption and mismatch polled data, if unable to account for this behaviour.
Source : http://en.wikipedia.org/wiki/Snmp#Architecture
| • | SNMP Architecture |
| • | SNMP Manager/Agent Communication |
| • | SNMP Management Systems and Agents |
| • | SNMP Messages |
| • | SNMP Communities |
| • | Related Information |
Use Simple Network Management Protocol (SNMP) management software to monitor any network device configured with SNMP agent software. The SNMP agent, which is an optional component of Windows Server 2003, interacts with third-party SNMP management software to enable the flow of network status information between monitored devices and applications and the management systems that monitor them.
You can use SNMP in environments that include large networks with hundreds or thousands of nodes that would otherwise be difficult and costly to monitor. SNMP allows monitoring of network devices such as servers, workstations, printers, routers, bridges, and hubs, as well as services such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS).
The following sections describe the architecture, components, and processes used by SNMP.
| • | SNMP management systems and agents |
| • | Management Information Base (MIB) |
| • | SNMP Messages |
| • | SNMP Communities |
| • | The communication process between SNMP managers and agents |
The internal architecture of the Windows Server 2003 implementation of SNMP is divided into management and agent functions, which, in some cases, overlap. The following figure illustrates how the Windows Server 2003 SNMP structure fits into the layers of the underlying TCP/IP protocol architecture.
Windows Server 2003 SNMP Components at Each TCP/IP Layer
The following table lists the Windows Server 2003 SNMP internal components.
Windows Server 2003 SNMP Components
| Component Name | Associated Programs | Component Type | Description | ||||
| Microsoft SNMP Service
(Also called master agent or extendible agent) |
Snmp.exe | Agent | Receives SNMP requests and delivers them to the appropriate SNMP subagent DLL for processing. The service is also responsible for intercepting events (traps) from the SNMP subagents and forwarding trap messages to the appropriate management systems. | ||||
| SNMP Subagents (Also called extension agents) |
Inetmib1.dll, Hostmib.dll, Lmmib2.dll, and others | Agent | Provides a set of entry points. When an SNMP request is received, the SNMP service delivers it to the appropriate subagent by calling one of these entry points. After the subagent processes the message, it passes the information back to the SNMP service, which then forwards the message to the SNMP manager. | ||||
| SNMP Utility API | Snmpapi.dll | Both Agent and Manager | Provides utilities that the SNMP service uses for memory management
operations, address-decoding routines, object identifier handling routines,
and so forth.
Provides a set of routines that SNMP subagents use to handle and order SNMP objects. Although use of the Snmpapi.dll is not required, the framework defined by this tool greatly facilitates the development of new SNMP subagents. |
||||
| WinSNMP API -and- Management API |
Wsnmp32.dll -and- Mgmtapi.dll |
Manager | Helps develop SNMP management software applications:
|
||||
| SNMP Trap Service | Snmptrap.exe | Manager | Uses the WinSNMP API to forward a trap message sent by an SNMP agent to the appropriate SNMP manager application. | ||||
| SNMP Manager Application | Snmputil.exe | Manager | Provides a basic command-line utility with which to retrieve information from any SNMP agent in your network. This example of a management application was developed using the Management API. |
Manager Requesting Number of Sessions from an SNMP Agent
The communication between the SNMP manager and SNMP agent in the example proceeds in the following fashion:
| 1. | The SNMP manager, Host A, forms an SNMP message that contains an
information request (Get) for the number of active sessions, the name of
the community to which the SNMP manager belongs, and the destination of
the message —the IP address (131.107.3.24) of the SNMP agent, Host B.
The SNMP manager can use either the Microsoft SNMP Management API library (Mgmtapi.dll) or the Microsoft WinSNMP API library (Wsnmp32.dll) to perform this step. |
| 2. | The SNMP manager sends the information request to Host B by using the SNMP service libraries. |
| 3. | When Host B receives the message, it verifies that the community name
(MonitorInfo) contained in the packet is on its list of acceptable
community names, evaluates the request against the agent’s list of access
permissions for that community, and verifies the source IP address.
If the community name or access permission is incorrect, and the SNMP service has been configured to send an authentication trap, the agent sends an “authentication failure” trap to the specified trap destination, Host C. Hosts B and C belong to the TrapAlarm community. |
| 4. | The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB. |
| 5. | Using the session information that it retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination — the IP address (131.107.7.29) of the SNMP manager, Host A. |
| 6. | Host B sends the response to Host A. |
| • | SNMP manager. An SNMP manager, also known as an SNMP management system or a management console, is any computer that sends queries for IP-related information to a managed computer, known as an SNMP agent. In some cases, the SNMP manager can send a request to an SNMP agent to change a configuration value. |
| • | SNMP agent. An SNMP agent is any computer or other network device that monitors and responds to queries from SNMP managers. The agent can also send a trap message to the manager when specified events, such as a system reboot or illegal access, occur. |
A computer on which you install SNMP management software is an SNMP manager, and a computer on which you install agent software, such as the Microsoft SNMP agent included with Windows Server 2003, is an SNMP agent. The SNMP manager displays the information it receives in a user-friendly graphical user interface. You configure SNMP options, including traps, on the SNMP agent, but the SNMP agent does not display the managed information that it sends to an SNMP manager. For more information about SNMP requests and trap messages, see “SNMP Messages” later in this section.
To enable SNMP communications between an SNMP manager and SNMP agents, you configure the SNMP manager and the SNMP agents that it manages as members of an SNMP community. The community name functions like a password to authenticate communications between the SNMP manager and agent. The SNMP community is an SNMP-defined group, not a group defined in the Active Directory directory service. For more information about SNMP communities, see “SNMP Communities” later in this section.
An SNMP manager can request the following types of information from the SNMP agents that it monitors:
| • | Network protocol identification and statistics |
| • | Dynamic identification (discovery) of devices attached to the network |
| • | Hardware and software configuration data |
| • | Device performance and usage statistics |
| • | Device error and event messages |
| • | Program and application usage statistics |
If you assign the SNMP manager write permission for the SNMP agent, the SNMP manager can also send a configuration request to the agent (using a Set message) to change a local parameter. However, Set requests are limited to a small set of client parameters that have read-write access defined. Most client parameters allow only read-only access.
Each system in a network (workstation, server, router, bridge, and so forth) maintains a MIB that reflects the status of the managed resources on that system, such as the version of the software running on the device, the IP address assigned to a port or interface, the amount of free hard drive space, or the number of open files. The MIB does not contain static data, but is instead an object-oriented, dynamic database that provides a logical collection of managed object definitions. The MIB defines the data type of each managed object and describes the object.
| • | Public branches (mgmt=2), which are defined by the Internet Engineering Task Force (IETF) RFCs, are the same for all SNMP-managed devices. |
| • | Private branches (private=4), which are assigned by the Internet Assigned Numbers Authority (IANA), are defined by the companies and organizations to which these branches are assigned. |
The following figure shows the structure of the SNMP MIB tree. There are no limits on the width and depth of the MIB tree.
The Structure of the SNMP MIB Tree
Immediately beneath the root of the MIB tree, International Organization for Standardization (iso), is the Organization (org) branch, followed by Department of Defense (dod), and then Internet (internet). Management (mgmt), the main public branch, defines network management parameters common to devices from all vendors. Underneath the Management branch is MIB-II (mib-2), and beneath this are branches for common management functions such as system management, printers, host resources, and interfaces.
The private branch of the MIB tree contains branches for large organizations, organized under the enterprises branch. Each organization has a root branch node under this object. Each organization creates its own subset of MIB branches and objects, which must comply with a common definition of SNMP information known as Structure of Management Information (SMI). SMI defines the allowed data types for MIB objects.
| • | The object name and object identifier (also known as an OID). |
| • | A text description of the object. |
| • | The object’s data-type definition (such as counter, string, gauge, or address). |
| • | The index for objects that are assigned complex data
types. The index specifies the key field for the table — that is, the
field that can be used to identify a row.
The only complex SNMP data type that is allowed is a table, and tables cannot be nested. Examples include the list of a system’s network interfaces, a routing table, or the Address Resolution Protocol (ARP) table. |
| • | The level of access to the object (such as read or read/write) that is allowed. |
| • | Size restrictions. |
| • | Range information. |
SNMP references each MIB variable by using its unique object identifier, which identifies the location of a given managed object within the MIB namespace. The object identifier reflects the object’s position within the hierarchy of the MIB tree, containing a sequence of subidentifiers that begin at the root of the MIB tree and end at the object (leaf node). Subidentifiers are separated with a period.
To reference a MIB object, you can use either numeric or text subidentifiers. For example, the following text-based object identifier is interchangeable with its numeric counterpart, shown beneath it. The value of this object identifier, in either format, identifies the current operational state of a network adapter.
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus
.1.3.6.1.2.1.2.2.1.8
Corresponding to each object identifier is a value that represents the current state of the object. SNMP, which accesses only the leaf nodes in the MIB tree, references a MIB variable by the dotted numeric string that represents its object identifier in order to retrieve the current value of the variable.
Microsoft has the authority to assign names to objects within the 311 (microsoft) namespaces. For example, Microsoft (itself represented in MIB notation as .1.3.6.1.4.1.311) defines various MIB branches under its root node, such as:
.1.3.6.1.4.1.311.1.3 — Dynamic Host Configuration Protocol (DHCP)
.1.3.6.1.4.1.311.1.2 — Windows Internet Name Service (WINS)
.1.3.6.1.4.1.311.1.7.2 — File Transfer Protocol (FTP)
.1.3.5.1.4.1.311.1.7.3 — Hypertext Transfer Protocol (HTTP)
When the SNMP service starts, it loads each SNMP extension agent that is listed in the registry. When the master agent receives a request from the SNMP manager, it passes the request to an extension agent, which accesses the appropriate MIB and returns the current value of the relevant MIB object to the SNMP master agent. The SNMP agent then returns the information to the SNMP manager. An SNMP agent can also send unsolicited MIB information to the SNMP manager in response to an event that has been defined as an SNMP trap (unexpected event). In some cases, the SNMP agent changes (or sets) the value of the MIB object.
For example, in order to assess the network load at a particular point in your network, you can use SNMP to retrieve the value of a counter that tracks the number of packets sent over a link to the SNMP agent. Or you might use SNMP to retrieve the value that represents the amount of disk space available for storage. Although SNMP is used less commonly to set the value of a MIB object, to ensure that a link is not used, you might use SNMP to set the link state value of a MIB object to a disabled state.
If your organization adds or updates a new MIB file, use the Mibcc.exe tool to compile the MIB file so that the SNMP Management API (Mgmtapi.dll) can use the MIB objects in the new or updated MIB file. After you compile the MIB file, you can reference objects by their text object identifiers instead of their numeric object identifiers. The ASN.1 language is used to define the formats of the protocol data units (PDUs) that are exchanged by SNMP entities and to define the objects that are managed through SNMP. Mibcc.exe converts the ASN.1 MIB description into the binary Mib.bin file, which the Management API then uses to map text-based object names to numeric object identifiers.
You can find Mibcc.exe in the C:\Program Files\Resource Kit folder when you install the Windows Server 2003 Resource Kit companion CD. The Mib.bin file is located in systemroot on Windows Server 2003.
| • | When it responds to a request from an SNMP manager |
| • | When a trap event occurs |
SNMP Message Types
| SNMP Message | From / To | Message Description |
| Get | Manager / agent | Accesses and retrieves the current value of one or more MIB objects on an SNMP agent . |
| GetResponse | Agent / manager | Replies to a Get, GetNext, or Set operation. |
| GetNext | Manager / agent | Browses the entire tree of MIB objects, reading the values of variables in the MIB sequentially. Typically, you use GetNext to obtain information from selected columns from one or more rows of a table. GetNext is especially useful for browsing dynamic tables, such as an internal IP route table or an ARP table, reading through the table one row at a time. |
| GetBulk (SNMPv2c only) |
Manager / agent | Retrieves data in units as large as possible within the given
constraints on the message size. GetBulk, which accesses multiple
values at one time without using a GetNext message, minimizes the
number of protocol exchanges required to retrieve a large amount of
information.
To avoid fragmentation, restrict the maximum message size to a size smaller than the path maximum transmission unit (MTU), the largest frame size allowed for a single frame on your network. Typically, when it is not known how many rows are in a table, GetBulk is used (rather than GetNext) to browse all rows in the table. |
| Set | Manager / agent | Changes the current value of a MIB object. In order to update a MIB value on the SNMP agent, the SNMP manager must have write access to the object. Set is used infrequently, because most MIB objects are read-only by default, so that unauthorized changes cannot be made. |
| Trap | Agent / manager | Notifies the specified SNMP manager (the trap destination) when an unexpected event occurs locally on the managed host. You can use traps for limited security checking (such as notifying the trap destination if the agent receives an information request from an SNMP manager that it does not recognize) or for troubleshooting (such as notifying the trap destination if the WINS service fails). |
SNMP uses the connectionless User Datagram Protocol (UDP) service to transmit SNMP messages. SNMP uses the simple UDP transport service, which guarantees neither delivery nor correct sequencing of delivered packets, so that SNMP can continue functioning after many other network services have failed. By default, UDP port 161 is used to listen for SNMP messages and port 162 is used to listen for SNMP traps. If necessary — for example, because your organization already uses ports 161 and 162 for some other protocol or service — you can change these port settings by configuring the local Services file (this Services file is different from the Windows Services snap-in). The following figure shows messages moving between an SNMP manager and several SNMP agents.
Messages Sent Between an SNMP Manager and its Managed Devices
.iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus
.1.3.6.1.2.1.2.2.1.8
The object identifier of a MIB object identifies the type of object. The instance identifier of a MIB object, used only in SNMP Get operations, indicates which value to retrieve. That is, a Get operation must specify ObjectIdentifier.SpecificValueToRetrieve. Two types of instance identifiers exist:
| • | Object is not in a table. If an object can return only one value (such as the description of a system), you append the suffix .0 to the end of the object identifier. |
| • | Object is in a table. If an object can return different values (such as a router that has more than one interface), you append an index at the end of the object identifier to indicate which instance to return. For example, if a router has four interfaces and you want to use a Get command with Snmputil.exe to return the current status of an interface that has an interface index (ifIndex) of 3, you type .3 at the end of the object identifier. |
SNMP Trap Types
| Trap Type | Trap Name | Description |
| 0 | ColdStart | The SNMP agent initialized its configuration tables. |
| 1 | WarmStart | The SNMP agent re-initialized its configuration tables. |
| 2 | LinkDown | The state of a network adapter on the SNMP agent changed from up to down. |
| 3 | Linkup | The state of a network adapter on the SNMP agent changed from down to up. |
| 4 | authenticationFailure | The SNMP agent received a message from an SNMP manager, but the message contained an invalid community name. |
| 5 | egpNeighborLoss | The SNMP agent could not communicate with its Exterior Gateway Protocol (EGP) peer. |
| 6 | enterpriseSpecific | Reserved for vendor-defined error conditions and error codes. |
The Windows Server 2003 SNMP service can send enterprise-specific traps on behalf of the Event To Trap Translator.
A community name acts as a password that is shared, typically, by multiple SNMP agents and one or more SNMP managers. You configure the SNMP manager and the computers or devices that it manages as members of a single SNMP community. An SNMP agent only accepts requests from SNMP managers that are on the agent’s list of acceptable community names.
When an SNMP manager sends a query or set request to the SNMP agent, the SNMP service compares the community name of the requestor with the community name of the agent and its access permissions. If the names match, the SNMP manager is successfully authenticated, and the agent replies to the query or performs the set request. If the community names do not match, the SNMP agent considers the request a failed access attempt and — if configured to do so — can send an SNMP trap message notifying the trap destination that an improper access has been attempted.
One computer or device can belong to several communities. SNMP community names are specific to SNMP and are not related to Active Directory or Workgroup names. In the past, the SNMP default community name, Public, was used widely for read-only access and the name, Private, was used for read-write access. To increase security, specify a unique community name and change it frequently, as you would a password.
By defining an SNMP community, you can group computers together for administrative convenience and provide limited security by restricting communication to only those computers that are members of the community. Two common bases for grouping computers into an SNMP community are by physical proximity or by function. The recommended practice is to create SNMP communities based on function rather than location.
In addition to specifying that the SNMP agent can communicate only with a specified set of SNMP managers, you can specify the access permission (such as Read Only or Read Write) for each community and specify that a trap be sent, alerting a trap destination to the authentication failure if either the community name or access permission is incorrect. For the community name, specify the most restrictive permission possible. For example, do not choose the Read Write permission if the Read Only permission is sufficient. Also check the permission level of the MIB access variable. It interacts with the community security level. For example, if your community access level is set to Read Only and the MIB access variable is set to Read Write, the following operations are valid: Get, GetNext, GetResponse, and Trap. However, the Set request is blocked by the more restrictive community access level.
You might want to specify one community name for the SNMP agent and its trap destination and another community name for the SNMP agent and any SNMP manager that sends the agent query and set requests. Using separate community names for requests and traps ensures that the agent has an available destination to which it can send an alert if an unauthorized SNMP manager tries to request information.
The security that the SNMP service provides through the use of community names used in conjunction with access permissions and authentication traps is rudimentary. Because community names are sent across the network as clear text (which is unencrypted), even secret and frequently changed community names with restricted permissions represent a potential security risk. Clear text messages are easily intercepted and decoded by network analyzers such as Microsoft Network Monitor. Community names sent in clear text can be captured and used by unauthorized personnel to access valuable information about network resources.
To help prevent the interception of SNMP messages, configure Internet Protocol Security (IPSec) policies on all SNMP managers and SNMP agents.
Net-SNMP is quite a safe install as well. Once you have Cygwin installed, you simply need to download the Net-SNMP source and execute a few commands from a bash shell and you will have finished.
Net-SNMP can be downloaded by following the link below:
You should download to a directory such as c:\cygwin\src\net-snmp-5.x.x. Once downloaded to that directory, open a bash shell and follow the steps below:
cd /src/net-snmp-5.x.x
./configure
make
make install
If you haven’t done so already, you need to specify the following system environment variables:
MIBS=ALL
MIBSDIR=C:/PHP/MIBS
SNMP Versions - Basically 3 versions exist v1(simple but insecure ) , v2 , v3(secure but complex)
v3 -
securityName -u NAME defSecurityName NAME
authProtocol -a (MD5|SHA) defAuthType ( MD5 | SHA )
privProtocol -x (AES | DES ) defPrivTypeDES
authKey -A PASSPHRASE &nbssp; defAuthPassphrase PASSPHRASE
privKey -X PASSPHRASE &nbssp; defPrivPassphrase PASSPHRASE
securityLevel -l ( noAuthNoPriv | authNoPriv | authPriv ) defSecurityLevel (noAuthNoPriv|authNoPriv|authPriv)
context -n CONTEXTNAME &nbbsp; defContext CONTEXTNAME
Eg.
Here is a completely unauthenticated request (which still needs a user name, none the less):
% snmpgetnext -v 3 -n "" -u noAuthUser -l noAuthNoPriv test.net-snmp.org sysUpTime system.sysUpTime.0 = Timeticks: (83467131) 9 days, 15:51:11.31
Here is a authenticated request:
% snmpgetnext -v 3 -n "" -u MD5User -a MD5 -A "The Net-SNMP Demo Password" -l authNoPriv test.net-snmp.org sysUpTime system.sysUpTime.0 = Timeticks: (83491735) 9 days, 15:55:17.35
And finally, here is an authenticated and encrypted request:
% snmpgetnext -v 3 -n "" -u MD5DESUser -a MD5 -A "The Net-SNMP Demo Password" -x DES -X "The Net-SNMP Demo Password" -l authPriv test.net-snmp.org system system.sysUpTime.0 = Timeticks: (83493111) 9 days, 15:55:31.11
To summarize the most importantly each user has a name (called a securityName) an authentication type (authProtocol) and a privacy type (privProtocol) as well as associated keys for each of these (authKey and privKey).
Authentication is performed by using a users authKey to sign the message being sent. The authProtocol can be either MD5 or SHA at this time. authKeys (and privKeys) are generated from a passphrase that must be at least 8 characters in length.
Authentication is performed by using a users privKey to encrypt the data portion the message being sent. The privProtocol can be either AES or DES.
Messages can be be sent unauthenticated, authenticated, or authenticated and encrypted by setting the securityLevel to use.
All of this information is passed to commands using the command line arguments described in the table below. Additionally, you can put default values in your ~/.snmp/snmp.conf files using the tokens specified in the 3rd column.