Managing SNMP Services

Simple Network Management Protocol (SNMP) is an Internet standard application-layer protocol developed to exchange management data between network devices. SNMP-compliant devices, called agents, collect data about themselves and store that data in Management Information Bases (MIBs). These MIBs are sent to SNMP management stations or devices for storage and analysis. MIB data, such as device system messages, packets per second, or network error rates, can be used by network administrators to monitor network performance, find and solve network problems, and facilitate planning for network growth.

SNMP version 1 (SNMPv1) was developed in the early 1980s. Version 2 (SNMPv2) introduced increased security capabilities and improved interoperability by rigorously defining the specifications for SNMP implementation. The SNMPv3 Working Group is preparing recommendations for the next generation of SNMP with increasing network security as an important objective.

PIX Firewall SNMP Support

The PIX Firewall, like its router and switch cousins, is considered an SNMP agent or SNMP server that collects data in MIB form. The management station is often a UNIX or Windows network host running the SNMP program that receives and processes the SNMP MIB data. This program could be a network management program, such as CiscoWorks or HP OpenView, a tool like Fluke Networks OptiView, or one of many network mapping and analysis programs, such as Nmap or Ethereal. Figure 20-1 shows an example of an SNMP management station on the internal network. The security policy and scope of the management station might dictate whether the DMZ servers and the perimeter router would report to the station.

Figure 20-1: SNMP management station in the inside network

Accessibility to PIX Firewall MIBs is based on configuration, MIB support, and authentication based on the community string. By default, the PIX Firewall is configured to allow polling from all configured SNMP management hosts on the inside interface. Unsuccessful polling attempts, except for failed community string authentication, aren’t logged or otherwise reported.

Use the snmp-server command to identify location, management station, community string, and contact information for the PIX Firewall.

SNMP Contact and Location

You can use the configuration mode snmp-server {contact | location} command to identify the PIX Firewall system administrator and the unit location. Each item can be up to 127 characters and is case sensitive. Spaces are allowed, but multiple spaces are shortened to a single space. Some security policies might limit what’s entered here because the information could be useful to a hacker engaging in reconnaissance. Telephone numbers and contact names might be a useful tool to a person trying to act as if he belongs there or is deserving of assistance. Use the no form of the command to turn off the feature. Typing either command with new information overwrites the old entries. The syntax is

Pix(config)# snmp-server {contact | location} text
Pix(config)# no snmp-server {contact | location}

The following example shows a simple configuration:

Pix(config)# snmp-server location Building 19-67B
Pix(config)# snmp-server contact Network Security

SNMP Management Station

Use the configuration mode snmp-server host command to define the interface and the IP address of the SNMP management station(s) to which traps will be sent and/or from which the SNMP polls (requests) will be accepted. By default, both the traps and polls features are on; adding either keyword to the end of the command limits the command to only that activity. For example, using the trap option would allow traps, but not polls. Up to 32 SNMP stations can be defined by creating multiple commands. Use the no form of the command to turn the feature off. The syntax is

Pix(config)# snmp-server host [if_name] ip_addr [trap | poll]
Pix(config)# no snmp-server host [if_name] ip_addr

The default interface is “inside.” If an interface other than inside is used, a security warning like the one shown in the next example appears, but the entry will be accepted.

The following example shows a simple configuration:

Pix(config)# snmp-server host 192.168.1.3
Pix(config)# snmp-server host dmz 192.168.2.3 trap
Warning: Sending SNMP traps to a non-inside interface may be insecure
Pix(config)#

SNMP Community Key

The SNMP community string is a shared “secret” among the SNMP management station and the SNMP network agents being managed. This is called a community key because it can be used to define a data-exchanging group of agent and management stations within a larger network. The default key for the PIX Firewall, like many network devices, is public. This is also a routine default entry in most sniffer, mapping, or other reconnaissance tools, so common sense says to change it.

The PIX Firewall uses the community key to determine if the incoming SNMP request is valid. Use the configuration mode snmp-server community command to enter the key value used by the SNMP management station(s). The key is case sensitive and can be up to 32 characters long. No spaces are allowed. Typing a new snmp-server community command replaces the default public entry or any other existing community key. Use the no form of the command to turn off the feature. The syntax is

Pix(config)# snmp-server community key
Pix(config)# no snmp-server community key

Enabling SNMP Traps

Use the configuration mode snmp-server enable traps command to enable or disable sending log messages as SNMP trap notifications. Use the no form of the command to turn off the feature. The syntax is

Pix(config)# snmp-server enable traps
Pix(config)# no snmp-server enable traps

Verify SNMP Configuration

Use the show snmp-server command to display the current SNMP configuration:

Pix(config)# show snmp-server
snmp-server host inside 192.168.1.3
snmp-server host dmz 192.168.2.3
snmp-server location Building 19-67B
snmp-server contact Network Security
snmp-server community MySNMP
snmp-server enable traps
Pix(config)# 

The clear snmp-server command clears most of the SNMP entries. It restores the community key “public” and leaves the snmp-server enable traps command.
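The checks this section recommends (a non-default community key, management hosts on the inside interface, no telephone numbers in the contact or location text) can be run against saved show snmp-server output. The following is an added example, not code from the original text or from Cisco; the function name audit_snmp, the phone-number pattern, and the sample values are assumptions made for illustration.

```python
import re

# Constructed sample in the format of "show snmp-server"; the contact name,
# phone number and default community are made up to trigger every check.
SAMPLE = """\
snmp-server host inside 192.168.1.3
snmp-server host dmz 192.168.2.3 trap
snmp-server location Building 19-67B
snmp-server contact J. Smith 555-0100
snmp-server community public
snmp-server enable traps
"""

PHONE = re.compile(r"\b\d{3}[-. ]\d{4}\b")  # rough heuristic (assumption)

def audit_snmp(config):
    """Return a list of findings for the snmp-server lines of a PIX config."""
    findings = []
    community = "public"  # default key when no community line is present
    for line in config.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "snmp-server":
            continue  # prompts, blank lines and unrelated commands
        keyword, args = words[1], words[2:]
        if keyword == "community":
            community = args[0]
        elif keyword in ("contact", "location"):
            if PHONE.search(" ".join(args)):
                findings.append(f"{keyword} contains a phone number")
        elif keyword == "host":
            # host [if_name] ip_addr [trap | poll]; both are on when omitted
            mode = args.pop() if args[-1] in ("trap", "poll") else "trap+poll"
            if not args:
                continue  # malformed line with no address
            if_name = args[0] if len(args) > 1 else "inside"
            if if_name != "inside":
                findings.append(
                    f"host {args[-1]} on non-inside interface {if_name} ({mode})")
    if community == "public":
        findings.append("community key is the default 'public'")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE):
        print("FINDING:", finding)
```

Because clear snmp-server restores the public key, a configuration with no community line is reported the same way as one that sets public explicitly.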

Logging to the SNMP Management Station

You can have PIX Firewall system messages sent to the defined SNMP management unit instead of, or in addition to, a Syslog server. Use the configuration mode logging history command to set the message level. This command is the SNMP counterpart to the logging trap command used with Syslog messages. Use the no form of the command to turn off the feature. The syntax is

Pix(config)# logging history level
Pix(config)# no logging history level

The levels are the same eight levels (0–7) covered in the “Syslog Configuration” section in Chapter 18, where the level includes all message levels up to the one used. For example, the following command would send all system messages 0 through 5 to the SNMP host(s).

Pix(config)# logging history 5

For more information about SNMP, tutorials, SNMP tools, PowerPoint presentations, and so forth, try the following web sites:

http://www.simpleweb.org/
http://www.snmplink.org/
http://www.snmpworld.com/
http://www.cisco.com/warp/public/535/3.html



