Secure Your Network
Distributed SNMP Security Pack™ (DSSP) adds SNMPv3 support to managers that natively support only SNMPv1 and SNMPv2c. Other components of DSSP provide GUI-based configuration of SNMPv3 security and the tunneling of SNMP and ICMP inside encrypted TCP through network firewalls.
DSSP provides these important benefits:
DSSP supports two local configuration datastores (LCDs), one of which is used by the BRASS™ server and the other by the EMANATE® Master Agent. The LCDs provide access control table parameters, as well as parameters for configuring trap destinations.
DSSP contains the following products:
How does using SNMPv3 improve security? By employing SNMPv3, DSSP offers five main types of threat protection (shown in Table 1 below).
Threat | Protection |
---|---|
Masquerade | Verifies the identity of the message's origin by checking the integrity of the data. (Authentication) |
Modification of Information | Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp. (Authentication) |
Message Stream Modification | Thwarts replay attacks by checking message stream integrity, including a time stamp. |
Disclosure | Prevents eavesdropping by protocol analyzers, etc. by using encryption. (Privacy) |
Unauthorized Access | Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an Access Control Table. Supports policy-based management. (SNMPv3 View-based Configuration) |
To deploy SNMPv3, each management application must have access to the LCD that includes "secrets" shared with an agent. As a result, each copy of the vintage application (for example, HP Network Node Manager or IBM Tivoli NetView) must coordinate its use of the LCD and secrets with other managers and/or SNMPv3 entities. DSSP provides this coordination transparently by maintaining the SNMPv3 datastore and by performing SNMP operations at the management application's request. This prevents multiple NNMs or other SNMPv3 applications from conflicting in their use of the security datastore.
For additional information about SNMPv3, please refer to the SNMPv3 White Paper offered by SNMP Research.
SNMPv3 offers user-based privacy and authentication. The user-based authentication mechanism is based on either MD5 or SHA. The privacy mechanism is based on Data Encryption Standard (DES) Cipher Block Chaining (CBC) mode, 56-byte key algorithms, and multiple levels of compliance. In addition to DES, the Advanced Encryption Standard (AES)* and Triple-DES (3DES)* may also be implemented. SNMPv3 is available for networks, systems, applications, manager-to-manager communications, and proxy management of legacy systems.
Users are assigned a "Profile" or group, which determines the permissions granted to that user. These permissions are defined in an SNMPv3-based access control table stored in the agent LCD. The user profile is associated with a password. As a result, one password supports both authentication (checking the user's identity) and authorization (discerning which actions the user is allowed to perform, and on what MIB variables). An optional second Privacy Password is entered if encryption is to be used.
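How a user password becomes the per-agent secret used for authentication can be shown with the key localization procedure of SNMPv3's User-based Security Model (RFC 3414, appendix A.2). This is an added example, not SNMP Research or DSSP code; the function names and the second engine ID are assumptions, and the password and first engine ID are the RFC's published test inputs.

```python
import hashlib

PASSWORD_STREAM_LEN = 1_048_576  # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: bytes, algo: str) -> bytes:
    """Stretch a user password into the engine-independent user key Ku."""
    if len(password) < 8:
        # RFC 3414 requires USM passwords of at least 8 octets.
        raise ValueError("USM passwords must be at least 8 bytes long")
    reps = PASSWORD_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:PASSWORD_STREAM_LEN]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one authoritative engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Password -> Ku -> Kul for the agent identified by engine_id."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


# Constructed sample values: RFC 3414 A.3 test inputs plus a hypothetical second agent.
SAMPLE_PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # hypothetical

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        for name, engine in (("agent A", ENGINE_A), ("agent B", ENGINE_B)):
            key = localized_key(SAMPLE_PASSWORD, engine, algo)
            # Same password, different engine ID -> unrelated key, so a key
            # recovered from one agent does not authenticate to another.
            print(f"{algo:4} {name}: {key.hex()}")
```

Because each agent holds only its own localized key, the datastore a manager consults has to track one secret per user per agent, which is the coordination problem the page describes for multiple managers.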
The SNMPv3 Configuration Wizard offers a complete solution to quick and easy SNMPv3-based configuration of SNMP agents and managers. The Wizard is a stand-alone Java application that guides the user through each step of configuring SNMPv3 security, including: establishment of a secure connection for initial configuration, addition of new users, configuration of pass-phrases, set-up of fine-grained access control policies, and definition of notification destinations (SNMP-based managers). The Wizard is also an excellent tool for gaining a basic understanding of how the SNMPv3 administrative model works.
Features include:
Many network operators no longer permit SNMP traffic through their packet-filtering firewalls for several reasons:
For these reasons, network administrators tend to block all UDP traffic at firewalls. This creates problems when trying to manage a multi-site network, or even a local network that spans routers.
DSSP adds management through firewalls, enhancing the successful SNMP Security Pack. Previously, SNMP Security Pack was an SNMPv3 plug-in for SNMP Managers that only support SNMPv1 and SNMPv2c. DSSP Server sends SNMP requests via a secure TCP connection to the DSSP Remote Forwarder (optional component). The secure connection is established using OpenSSL.
The DSSP Remote Forwarder then forwards the request to the SNMP agent as a traditional SNMP packet. This capability also gives firewall administrators the ability to perform filtering on source and destination port number as well as on source and destination address.
DSSP is a critical instrument for a company's network management solution: a plug-in that enables the use of SNMPv3 with security, adding authentication, authorization, access control, data integrity, key management, and encryption options to network management software such as Concord's Spectrum® and eHealth™ Suite, HP™ OpenView™ Network Node Manager™, and IBM® Tivoli® NetView®.
In summary, DSSP provides several important benefits:
DSSP is available on the following platforms:
The following network management applications are also supported:
If a particular system is not listed, please contact Sales. We are happy to work with customers to port our products to new systems.
Please note: When a product is licensed, the product will support one platform of your choosing. If you need a product to run on two or more platforms, then a separate license must be acquired for each platform.
For more information, please call +1 865 579-3311, or send email to info@snmp.com. You can also fill out a Sales Query and one of our sales people will respond to your request quickly.
Licensing terms are available from info@snmp.com.
*AES and 3-DES are subject to export restrictions.