SHA-2 for SNMP Authentication

While the internet grows, so does the online presence of businesses of every scale. Although this allows for seamless business operations, you also have to consider the risks involved. Organizations rely on networks to carry out their activities and use a wide range of networking components like routers, switches, servers, firewalls, and VMs, all of which demand continuous end-to-end management, so it is critical to protect and defend these networks from threats and attacks.

Damage to the network can result in damage to the organization’s data, cause service delays, and ultimately impact the reputation and revenue of the company. In light of regular occurrences of security breaches, it’s essential for security administrators to focus on the safety of the monitoring applications used within an organization.

SNMP network monitoring: Then and now

A typical network monitoring tool constantly monitors network health and reliability by tracking and logging a few network parameters. This is done using secure network management protocols like SNMP, CLI, WMI, etc., which are supported by most network devices and Linux servers. In addition to its query (or read) actions, SNMP also has powerful write capabilities, which can be used to configure any device remotely. This is part of why SNMP is the most widely used protocol to monitor and manage devices connected over a network.

Since its inception, SNMP has gone through significant upgrades, with three versions existing currently: SNMPv1, SNMPv2c, and SNMPv3. One of the major flaws of SNMPv1 was its use of plain-text community strings, along with support for 32-bit counters. This meant little to no security; SNMP messages were sent unencrypted across the network and anyone with a packet sniffer could read the data in plain text.

Allowing SNMP read-write access gives one complete control over the device, and with write access, one could replace the entire configuration of the device. This allows attackers to leverage the vulnerabilities in the protocol, making it prone to brute-force attacks.

SNMPv1 was revised with a few enhancements in an attempt to mitigate the known security flaws. SNMPv2c was introduced with two additional protocol operations and support for 64-bit counters (as opposed to the 32-bit counter support in SNMPv1). Although SNMPv2c performed better in error handling, the risks surrounding plain-text community strings remained the same.

Is SNMPv3 enough?

SNMPv3 adds security and remote configuration capabilities to the previous versions by combining authentication and encryption of packets sent over the network. Authentication ensures that a received message is from a valid source, and encryption (privacy) lets you encrypt the packets to protect them from unauthorized access by external sources.

These aspects of SNMPv3 make it better than both SNMPv1 and SNMPv2c in terms of privacy of communication and integrity of message transfer. SNMPv3 uses a wide range of algorithms to implement authentication and encryption. They vary according to the user’s needs and the complexity of implementation.

The algorithms used for authentication are:

  • MD5: Message Digest 5 (MD5) algorithm takes a message of any length as input and changes it into a fixed-length hash output of 128 bits.

  • SHA-1: Secure Hash Algorithm 1 (SHA-1) is a standard cryptographic hash function that returns a 160-bit hash for input text.

The need for SHA-2

SHA-1 hash function algorithms have long been outdated; ever since 2017, SHA-1 has been written off as insecure. Major tech giants like Microsoft, Google, Apple, and Mozilla have stopped accepting SHA-1 SSL certificates post 2017 in their browsers. However, 93% of the internet’s pages are still vulnerable to attacks, considering the deep-seated implementation of SHA-1. Migration to SHA-2 isn’t a matter of if, but when; and with the rapid increase in customer demand for secure environments and the widely available support for SHA-2, it’s essential for any monitoring tool to enforce it as soon as possible.

Pioneering SHA-2 support for SNMP network monitoring

SHA-2 returns a fixed-length hashed value for any given input. The higher the length of the output, the more secure it is. With enhancing user privacy and data integrity in mind, OpManager has implemented the use of SHA-2 for SNMPv3 authentication.

SHA-2, an evolution of the existing SHA-1 algorithm, returns a considerably greater number of bits in the output message than SHA-1. The SHA-2 algorithm, a family of the two hash functions SHA-256 and SHA-512, returns 256-bit and 512-bit hashed values respectively, a major improvement over the 160-bit message produced by the older SHA-1 algorithm. This makes the SHA-2 algorithm comparatively more secure than its predecessors, SHA-1 and MD5.
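To show where these hash functions sit in SNMPv3 authentication, here is an added example (not OpManager code and not from the original article) that derives a per-device authentication key and a message authentication tag with each algorithm. It assumes the password-to-key procedure of RFC 3414 and the SHA-2 truncation lengths of RFC 7860; the message bytes are constructed and the function names are illustrative.

```python
import hashlib
import hmac

# Algorithm -> (hashlib name, bytes of HMAC output kept in the message).
# Truncation lengths follow RFC 3414 (MD5, SHA-1) and RFC 7860 (SHA-2).
USM_AUTH = {
    "MD5": ("md5", 12),
    "SHA-1": ("sha1", 12),
    "SHA-256": ("sha256", 24),
    "SHA-512": ("sha512", 48),
}

def localized_key(algo, password, engine_id):
    """RFC 3414 password-to-key, then localization to one SNMP engine."""
    name, _ = USM_AUTH[algo]
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    # Ku: digest of the password repeated to exactly 1 MiB.
    ku = hashlib.new(name, pw * reps + pw[:rem]).digest()
    # Kul: binds the key to this engine, so a key taken from one device
    # is not the same user's key on another device.
    return hashlib.new(name, ku + engine_id + ku).digest()

def auth_tag(algo, key, message):
    """HMAC over the whole message, truncated as the protocol specifies."""
    name, keep = USM_AUTH[algo]
    return hmac.new(key, message, name).digest()[:keep]

def verify(algo, key, message, tag):
    """Constant-time check a receiver performs before trusting a message."""
    return hmac.compare_digest(auth_tag(algo, key, message), tag)

# Engine ID and default password are the RFC 3414 appendix test inputs;
# the message is a constructed stand-in, not a real encoded SNMP packet.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
MESSAGE = b"constructed-snmpv3-message-with-zeroed-auth-field"

def summary(password="maplesyrup"):
    """Key and tag sizes in bytes for each algorithm."""
    out = {}
    for algo in USM_AUTH:
        key = localized_key(algo, password, ENGINE_ID)
        out[algo] = (len(key), len(auth_tag(algo, key, MESSAGE)))
    return out

if __name__ == "__main__":
    for algo, (klen, tlen) in summary().items():
        print(f"{algo:8} key={klen * 8:3d} bits  tag={tlen * 8:3d} bits")
```

Both the agent and the monitoring tool must be configured with the same algorithm, since the key and the tag length both depend on it.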

SHA-1 vs. SHA-2

The security level of these algorithms is measured using an aspect called collision. For any given input, the algorithms produce a unique hashed value. If two given inputs produce the same hashed value, there is a collision, making the protocol vulnerable.

SHA-1, which returns a 160-bit value, is capable of producing 2^160 different values, whereas SHA-256 can produce 2^256 and SHA-512 can produce 2^512 different hashed values for the given inputs. So, the larger the scope for producing values, the lower the chance of collision. This makes SHA-2 much more secure than its previous version.

Using SHA-2 in OpManager

For every business, a secure network is essential. Investing in a robust and secure monitoring tool greatly helps in maintaining a secure environment and protecting your business from online threats. ManageEngine OpManager is a reliable one-stop network monitoring solution that helps enterprises, service providers, and small and medium-sized enterprises monitor their networks across data centers and IT infrastructure efficiently and cost-effectively. SHA-2 for SNMPv3 authentication is available in build v126116 and above and can be found in the Add Credential section of the Discovery module.


John Jeremiah
Content Writer - ITOM Marketing