20 SNMPv3 User Administration (Pro Edition)
A USM user associates SNMPv3 security parameters with a user name. RFC 3414 describes how the User-based Security Model (USM) protects SNMPv3 communication against the classic threats to network protocols.
A resource is commonly secured by password protection. However, the administrative overhead of using a different password for each network device is high. On the other hand, using a single password for all network devices is very dangerous, because once an attacker has recovered that password, all devices in the network are compromised. As a consequence, the USM security model localizes a plain-text password with an SNMP entity's engine ID using a hashing algorithm. The resulting key is no longer human readable, and even if it is recovered it provides access to a single SNMP entity only. Nevertheless, changing the secrets of a USM user on a regular basis is required to protect the secrets against disclosure, as stated in RFC 3414 §11.1 Recommended Practices:
The frequency with which the secrets of a User-based Security Model user should be changed is indirectly related to the frequency of their use. Protecting the secrets from disclosure is critical to the overall security of the protocols. Frequent use of a secret provides a continued source of data that may be useful to a cryptanalyst in exploiting known or perceived weaknesses in an algorithm. Frequent changes to the secret avoid this vulnerability.
MIB Explorer provides all necessary operations to:
create a new USM user by cloning it from an existing user
modify the secrets (change the passwords) of a USM user
delete a USM user
on more than one target at once.
20.1 Create or Modify a USM User
A new USM user is created via SNMP by cloning it from an existing user. Thus, an initial user has to be configured for each SNMP command responder (agent) by means other than SNMP, for example a configuration file. The authentication and privacy passwords of a USM user should always be changeable.
To Create a USM User
Note: A user cannot provide a higher security level than the user it has been cloned from.
1. If not done yet, configure the target(s) for which the new user should be created (see “Adding a New Target” on page 46). For each of the targets, configure the USM user you want the new user to be cloned from (see “Adding an USM User” on page 50).
2. Choose from the menu.
3. Select as the user configured in step 1, i.e. the user you want the new user to be cloned from.
4. Specify all necessary values for the user to be created in the pane. Fill in an SNMP engine ID if the user should be created on behalf of an engine ID different from the target's engine ID. This is necessary when setting up a user that enables a target to send INFORM messages or to proxy SNMP requests to other targets. In all other cases, the engine ID field can be left empty.
5. For very specific tasks it can be useful to check the option. When checked, the user information of MIB Explorer will not be changed through the operation, i.e. the cloned user will not be added to the user repository of MIB Explorer.
6. Press the button to get to the next step of the wizard.
7. Select the targets you want the new user to be created for from the table. It shows all targets for which the selected operational user (specified in step 3) is configured. Press the button to add the selected target to the list of targets to be changed.
8. Press the button to start the creation of the new user.
9. The status of the operation will be shown in step 3 of the wizard. You can cancel the operation by pressing the button. For each target the status is shown in a table.
The new user will be added to MIB Explorer's user configuration. The configuration of the changed targets will not be changed.
10. Close the wizard by pressing the button.
To Modify a USM User
1. If not done yet, configure the target(s) for which a user should be modified (see “Adding a New Target” on page 46). For each of the targets, configure the USM user you want to modify (see “Adding an USM User” on page 50).
2. Choose from the menu.
3. Select as the user configured in step 1, i.e. the user to be modified.
4. Change the properties of the user to be modified in the pane. Select the same user in both fields! Fill in an SNMP engine ID if the user is modified on behalf of an engine ID different from the target's engine ID. This is necessary for a user that enables a target to send INFORM messages or to proxy SNMP requests to other targets.
Warning: When checking the option, make sure that you have configured a user with the new credentials; otherwise you will not be able to access the agent(s) any more!
5. For very specific tasks it can be useful to check the option. When checked, the user information of MIB Explorer will not be changed through the operation! As a consequence, after having successfully changed the user's security credentials, you will not be able to access the agent(s) with the user you have chosen for the operation.
6. Press the button to get to the next step of the wizard.
7. Select the targets for which you want the user to be modified from the table. It shows all targets for which the selected operational user (specified in step 3) is configured. Press the button to add the selected target to the list of targets to be changed.
8. Press the button to start the modification of the user.
9. The status of the operation will be shown in step 3 of the wizard. You can cancel the operation by pressing the button. For each target the status is shown in a table.
If the operation failed or was canceled for any of the selected targets, MIB Explorer will add a new user to MIB Explorer's configuration with the current date and time appended to the user profile name of the modified user. That new user will be an exact clone of the original (unmodified) user profile. Each failed target will then be automatically configured to use the clone user, whereas each successfully updated target will use the modified user.
10. Close the wizard by pressing the button.
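The key handling behind the procedures in this chapter, as an added Python example (not MIB Explorer's own code): the RFC 3414 password-to-key and key-localization steps that bind one password to one engine ID, as described at the beginning of this chapter, and the single-block KeyChange encoding with which a manager changes an existing user's secret over SNMP without sending the new key in the clear. The password "maplesyrup" and the engine ID 00..02 are the RFC 3414 Appendix A.3 test values; the second engine ID and the new password are constructed here.

```python
import hashlib
import secrets
from typing import Optional

# Constructed inputs: the RFC 3414 Appendix A.3 test values (password "maplesyrup",
# snmpEngineID 00..02) plus a second engine ID and a new password made up here.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed, not from the RFC
NEW_PASSWORD = b"constructed-new-secret"

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("USM passwords must not be empty")
    total = 1024 * 1024
    expanded = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def keychange_encode(old_kul: bytes, new_kul: bytes, algo: str = "md5",
                     rand: Optional[bytes] = None) -> bytes:
    """RFC 3414 KeyChange TC, single-block case (key as long as the digest): the manager
    writes random || (Kul_new XOR H(Kul_old || random)), so Kul_new never crosses the wire."""
    n = hashlib.new(algo).digest_size
    if len(old_kul) != n or len(new_kul) != n:
        raise ValueError("single-block KeyChange needs keys as long as the digest")
    rand = secrets.token_bytes(n) if rand is None else rand
    digest = hashlib.new(algo, old_kul + rand).digest()
    return rand + bytes(a ^ b for a, b in zip(new_kul, digest))

def keychange_decode(old_kul: bytes, keychange: bytes, algo: str = "md5") -> bytes:
    """The agent's side: recover Kul_new from the received value with its stored Kul_old."""
    n = len(old_kul)
    rand, delta = keychange[:n], keychange[n:]
    digest = hashlib.new(algo, old_kul + rand).digest()
    return bytes(a ^ b for a, b in zip(delta, digest))

if __name__ == "__main__":
    kul_a = localize_key(password_to_key(PASSWORD), ENGINE_A)
    kul_b = localize_key(password_to_key(PASSWORD), ENGINE_B)
    print("Kul for engine A:", kul_a.hex())  # 526f5eed9fcce26f8964c2930787d82b (RFC 3414 A.3.1)
    print("Kul for engine B:", kul_b.hex())  # same password, other engine, unrelated key
    blob = keychange_encode(kul_a, localize_key(password_to_key(NEW_PASSWORD), ENGINE_A))
    print("agent recovers new key:", keychange_decode(kul_a, blob).hex())
```

An observer who captured the KeyChange value but does not hold the old localized key obtains nothing usable, which is why the old secret must still be protected until the change has been confirmed on every target.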
When deleting a USM user, the user is deleted from a target's USM and thus cannot be used with that target anymore. That is why MIB Explorer requires that the delete operation is performed on behalf of a user different from the one being deleted. This ensures that you can still access the target agent after the operation.
To Delete a USM User
1. If not done yet, configure the target(s) for which you want to delete a user (see “Adding a New Target” on page 46). For each of the targets, configure a USM user different from the user you want to delete from their USM (see “Adding an USM User” on page 50). Add a user profile for the USM user to be deleted to MIB Explorer's configuration.
2. Choose from the menu.
3. Select as the user configured in step 1, i.e. not the user you want to delete.
4. Select the user to be deleted in the pane. Fill in an SNMP engine ID if the user should be deleted on behalf of an engine ID different from the target's engine ID. This is necessary when deleting a user that enables a target to send INFORM messages or to proxy SNMP requests to other targets.
5. Press the button to get to the next step of the wizard.
6. Select the targets for which you want to delete the selected user from the table. It shows all targets for which the selected operational user (specified in step 3) is configured. Press the button to add the selected target to the list of targets to be changed.
7. Press the button to start the deletion process.
8. The status of the operation will be shown in step 3 of the wizard. You can cancel the operation by pressing the button. For each target the status is shown in a table.
9. Close the wizard by pressing the button.