Simple Network Management Protocol (SNMP) is part of the Internet Protocol Suite. SNMP is used in network management systems (NMS). It is a standard for managing devices such as routers, switches, servers, etc. SNMP defines a protocol that permits operations on a collection of variables.
SNMP Terms
An SNMP management system consists of (refer to RFC 3411):
- Manager—at least one SNMP entity containing command generator and/or notification receiver applications. This is an NMS that monitors the status of devices, spots problems, and exposes management data in the form of variables, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.
- Agent or Agents—a node or several nodes, each with an SNMP entity containing command responder and notification originator applications, which have access to management instrumentation.
- Management protocol—conveys management information between the SNMP entities. The SNMP agent communicates with the SNMP manager via the standard SNMP protocol.
- MIB (Management Information Base) is a set of variables (both statistical and control)
SNMP Operations
Requests for the variable(s) are received by the SNMP agent. The SNMP agent eventually packages an SNMP response packet and sends the answer back to the remote network management station that initiated the request.
Some of the requests that can be initiated by the SNMP agent are GET, GETNEXT, GETBULK, and SET.
The types of SNMP operations for retrieving data, modifying variables, and sending notifications are:
- SNMP GET
  - GET—retrieves an object from the SNMP Agent.
  - GETNEXT—retrieves the next object variable.
  - GETBULK—if the request is for a GetBulk, then the agent translates it into multiple GETNEXT packets and sends those.
- SNMP SET—used for modifying the value of the object variables.
- SNMP Trap and Inform—the Agent sends data without being asked, using Trap or Inform protocol operations.
  - Trap—used to inform the Manager about a condition; it is sent without acknowledgment.
  - Inform—the same as Trap, except that the Manager needs to acknowledge receipt. If an acknowledgment (a response from the SNMP manager) is not received, another Inform will be sent.
SNMP has three versions:
- SNMPv1—the original version; it uses community strings with two types of communities, RO and RW. It lacks security: any community string is sent as clear text.
- SNMPv2/SNMPv2c—with improved confidentiality and communication; added GetBulk and Inform. Version 2c uses the original communities.
- SNMPv3—implements user-based security with authentication and encryption. Two new levels of authentication were added. The three levels of authentication are now as follows:
  - NoAuthNoPriv—users of this level have no authentication and no privacy when they send or receive messages.
  - AuthNoPriv—this level requires the user to authenticate, but does not encrypt sent or received messages.
  - AuthPriv—the most secure level, where authentication is required and sent and received messages are encrypted.
SNMP Security per Version
| Version | Level | Authentication | Encryption | Description |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | A community string match is used for authentication. |
| v2c | noAuthNoPriv | Community String | No | A community string match is used for authentication. |
| v3 | noAuthNoPriv | Username | No | A user name match is used for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | The authentication is based on the HMAC-MD5 or HMAC-SHA algorithms. |
| v3 | authPriv | MD5 or SHA | Yes | The authentication is based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard. |
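
The following Python is an added example, not part of the original documentation. It shows how a monitoring tool can read the version and security level straight from an SNMP message header, including the clear-text community string that v1 and v2c carry. The function names and the sample packets are constructed for illustration.

```python
# Added example: classify an SNMP message by version and security level.
# The sample packets below are constructed, not captured traffic.

LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # msgFlags bits 0-1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version in (0, 1):  # v1 = 0, v2c = 1: community follows in clear text
        _, community, _ = read_tlv(body, pos)
        return {"version": "v1" if version == 0 else "v2c",
                "level": "noAuthNoPriv",
                "community": community.decode("ascii", "replace")}
    if version != 3:
        raise ValueError(f"unsupported version {version}")
    _, header, _ = read_tlv(body, pos)   # msgGlobalData
    _, _, p = read_tlv(header, 0)        # msgID
    _, _, p = read_tlv(header, p)        # msgMaxSize
    _, flags, _ = read_tlv(header, p)    # msgFlags, a single octet
    if len(flags) != 1 or (flags[0] & 0x03) not in LEVELS:
        raise ValueError("invalid msgFlags (priv set without auth?)")
    return {"version": "v3", "level": LEVELS[flags[0] & 0x03], "community": None}

# Constructed v2c GET of sysDescr.0 with community "public"
V2C_GET = bytes.fromhex("302602010104067075626c6963a019020101020100"
                        "020100300e300c06082b060102010101000500")

def v3_sample(flags):
    """Constructed SNMPv3 header with empty security parameters and payload."""
    return bytes.fromhex("3016020103300d020101020205dc0401%02x02010304000400" % flags)
```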
For SNMP configuration of the SNMP Agent and SNMP managers, use the following sections:
- Configuring SNMP Agent
- Configuring SNMP Proxy Forwarder