4576

Get a Live Demo

You need to see DPS gear in action. Get a live demo with our engineers.

White Paper Series

Check out our White Paper Series!

A complete library of helpful advice and survival guides for every aspect of system monitoring and control.

DPS is here to help.

1-800-693-0351

Have a specific question? Ask our team of expert engineers and get a specific answer!

Learn the Easy Way

Sign up for the next DPS Factory Training!

DPS Factory Training

Whether you're new to our equipment or you've used it for years, DPS factory training is the best way to get more from your monitoring.

Reserve Your Seat Today

This SNMPv3 Converter Improves Your Cybersecurity

By Andrew Erickson

April 16, 2023

Share: 

Simple Network Management Protocol (SNMP) has been a valuable tool for network administrators to monitor and manage their network devices such as routers and switches.

SNMP operates on a client-server model where SNMP agents are installed on the devices being monitored and a central "SNMP manager" is used to manage and receive information from these agents.

SNMPv3 has encryption, unlike earlier SNMP versions

SNMPv3 was introduced to provide enhanced security features such as user-based security model (USM), based access control model, authentication, and encryption. These features provide secure and authenticated remote configuration and management of network devices.

SNMPv3 also provides enhanced security features such as message integrity and privacy. These features ensure that SNMP messages are not tampered with during transmission and that the contents of the messages are not readable by unauthorized users.

SNMPv3 includes USM (User-Based Security Model)

One of the key components of SNMP in general is the Management Information Base (MIB). This is a database that contains information about network devices and their status. MIB objects are used to provide read-write or read-only access to the information contained in the MIB.

The SNMPv3 access control model provides a view-based access control mechanism that allows network administrators to grant access to specific MIB objects based on the user's role or job function. This ensures that only authorized users have access to critical information and prevents unauthorized access to network devices.

The user-based security model (USM) in SNMPv3 provides a secure method for authentication and encryption of SNMP messages. USM uses a combination of username, authentication protocol, and encryption protocol to ensure that only authorized users can access network devices.

Due to network evolution, it's effectively guaranteed that you have non-SNMPv3 devices in your network

With the security advantages of v3 in mind, what do you do about your older SNMP equipment. Its unencrypted SNMP traps may just be something you think about from a security perspective. It's also increasingly likely that you'll get a security mandate that says "only SNMPv3 is allowed on our network to protect our network security."

Unfortunately, management initiatives and sweeping security mandates seldom come with a massive budget allocation to replace all of your older devices.

So, what can you do to satisfy everyone?

You need an SNMP-to-SNMPv3 converter device

The solution to this problem is the same as it has been during many previous protocol transitions in the remote monitoring industry.

What you need is a fairly straightforward device with two network interfaces. One of those interfaces will collect unencrypted SNMP (v1 or v2c) from your older gear. Because the converter is sitting right next to your older device, this is a "one-cable network" without outside access.

The second network interface, as you've probably guessed, converts incoming traps and sends only secure SNMPv3 traps to your SNMP manager. This is the only traffic that ever touches your actual network, creating end-to-end encryption of your network management traffic.

When you're shopping for this kind of device, remember also that there is value in bidirectionality. Some SNMP messages (ex. GETs and SETs) are initiated by your SNMP manager and sent down to your individual devices. For most situations, any converter you install should handle these messages properly as well.

Converter Device Example: The "SNMP Proxy"

The SNMPv3 proxy device offered by DPS Telecom (uncreatively named "SNMP Proxy") meets the above criteria for network administrators who need to upgrade their network to SNMPv3 without replacing their existing network gear.

The proxy device converts unencrypted SNMP traffic to SNMPv3 and provides a bidirectional proxy for receiving TRAPs and sending SETs and GETs. The easy-to-use built-in web interface

allows for quick configuration, and the device can be powered by DC or AC power at the site.

An SNMPv3 proxy device is great if you want to maintain the security of your network without having to replace older or smaller network devices that do not support SNMPv3. Remember that this label is distinct from a traditional "SNMP proxy device", which is simply an SNMP RTU.

The SNMPv3 Proxy device is built on a proven design and uses the same platform as telco-grade RTUs. This ensures that the device is reliable and can handle the demands of a network environment. The device can be easily mounted on a DIN rail or wall, and rack ears are also available.

Example: How to evaluate SNMP converter specifications

Let's now dig a bit deeper into the actual specifications of this device. I'll use this as a specific example for how you should evaluate any SNMP converter. Many of these same guidelines can be used when shopping for almost any small telecom device.

With its proven design and easy DIN-rail mounting, the SNMP Proxy is an excellent choice for network administrators who want to maintain SNMPv3 encryption across their LAN. As an alternative, it can be mounted on a wall or on a 19" or 23" rack.

Both proven design and mounting style are important here. You'll want to ask any potential manufacturer about the pedigree of this device (or similar devices in the case of new custom equipment). The mounting style obviously matters based on the rack/cabinet/room where you plan to install.

The SNMPv3 Proxy device supports SNMPv1-v3, Telnet, HTTP, and HTTPS protocols. The device's dimensions are 2.10" H x 7.25" W x 5.15" D.

Dimensions are always a big deal, but they absolutely are for some projects. I've worked with clients where they have a very specific small cabinet space available.

The device can be powered with -48VDC, +24VDC, +12VDC, or 110/220 VAC (from an included AC wall transformer). The device's current draw is 600mA @ -48 VDC, and it has a resettable internal fuse.

You should pick a device that matches the power already available at your site. For many of my clients, that's -48 VDC or +24 VDC. For other scenarios, you'll want to use an AC adapter to supply whatever native DC voltage you've ordered.

You get two RJ45 10/100BaseT Ethernet interfaces and one USB front panel craft interface. The operating temperature range is 32 - 140 F (0 - 60 C), and an industrial option is also available with a wider temperature range of -22 - 158 F (-30 - 70 C). The device's operating humidity range is 0% - 95% non-condensing, and its MTBF is 60 years.

Obviously, you have two ethernet interfaces on this device as a fundamental requirement of any security-focused mediator.

A more common specification in the above block is "operating temperature". All electronic devices have one. In this case, the SNMP Proxy is available with either a standard temperature range (suitable for temperature-controlled buildings) or an extended temperature range (suitable for most outdoor cabinets without climate control).

Call DPS to review your SNMP conversion goals

If you have legacy SNMP devices (at this point, nearly everyone does), you need a plan. Your first step is to speak with a DPS engineer to go over what you're trying to accomplish.

To get started, call DPS at 1-800-693-0351 or email sales@dpstele.com

Share: 
Andrew Erickson

Andrew Erickson

Andrew Erickson is an Application Engineer at DPS Telecom, a manufacturer of semi-custom remote alarm monitoring systems based in Fresno, California. Andrew brings more than 17 years of experience building site monitoring solutions, developing intuitive user interfaces and documentation, and opt...