Wednesday, 29 June 2016

SNMP v3 configuration on Citrix NetScaler and testing against an Ubuntu-based SNMP manager


SNMP, which stands for Simple Network Management Protocol, is (as we all know) an Internet-standard protocol for collecting and organizing information about managed devices on IP networks. It can also be used for modifying that information to change device behaviour, but that is beyond the scope of this document.

SNMP has been widely accepted because it is simple, easy to implement, interoperable and not bandwidth hungry (if used wisely, that is!).

SNMP is based on three concepts: managers, agents, and the Management Information Base (MIB).

The MIB is a collection of management information which is organized hierarchically.

OIDs, or Object Identifiers, uniquely identify managed objects in the MIB hierarchy. Generally, an OID is a long sequence of numbers, one per node in the tree, separated by dots.

Typically:
  • A NetScaler device (or any router or server, for that matter) is your SNMP agent.
  • Command Center or a SolarWinds server is your SNMP manager.
  • Each of the entities defined on an agent (such as a load balancing virtual server or a NetScaler interface) is assigned an OID.


Managers send SNMP commands (Get, Set, Inform, etc.) to SNMP agents for a given OID. The agent authenticates the request and sends the response back to the manager.

Managers typically store these responses in a database, which helps in preparing reports and alerts.

Sometimes the agent itself initiates a trap on the occurrence of a pre-defined event.

What's new in version 3

One of the most well-known issues with earlier versions of SNMP has been the lack of inherent security.

  • Authentication was based on a community string: a pre-shared password which is vulnerable to theft and misuse.
  • The responses and the traps were sent in plain text (not encrypted) and hence vulnerable to eavesdropping.



SNMP v3 tries to address these security deficiencies of SNMPv1/v2.

Given the limited scope of this document, and as I read it in one of the SNMP documents, let us say that "SNMPv3 is SNMPv2 plus administration and security."




Network Diagram

(The diagram image is not reproduced here. The addresses used throughout are the NetScaler at 192.168.1.111 and the Ubuntu SNMP manager ubu02 at 192.168.1.5.)

Configuring the SNMP manager on Ubuntu Server

ssharma@ubu02:~$ sudo apt-get install snmp snmp-mibs-downloader





There is not much to be configured on the SNMP manager, as we will be using the snmp command-line tools to interact with the SNMP daemon running on the NetScaler device. It is a recommended practice to comment out the following line in the "/etc/snmp/snmp.conf" file, so that it reads:

#mibs :

I did not spend much time trying to understand what this means. I think this configuration defines the location of MIBs for the SNMP manager, but I could be wrong. More on that later.


SNMP v2 configuration on NetScaler 11

Traditionally we have been adding a pre-shared community string on the NetScaler for it to be able to talk to any SNMP-based server.



By default any SNMP manager with the correct community string can send SNMP commands to the NetScaler, and it will respond.

To configure a community string on the NetScaler, execute:

> add snmp community snmpcommunity ALL

The permission argument can be one of ALL, GET, GET_BULK, GET_NEXT or SET.






At this point the NetScaler device is ready to respond to any SNMP manager which presents the community string "snmpcommunity".

So from our SNMP manager we execute the following command to test the configuration:

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 2c 192.168.1.111 .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: NetScaler NS11.0: Build 66.11.nc, Date: May  7 2016, 20:38:00





where ".1.3.6.1.2.1.1.1.0" is the OID of the top-level system description node (sysDescr). For details of NetScaler-related OIDs, refer here.

Here is the response with a wrong community string:

ssharma@ubu02:~$ snmpget -c snmpcommunit -v 2c 192.168.1.111 .1.3.6.1.2.1.1.1.0
Timeout: No Response from 192.168.1.111.




"No Response": so that is your first level of protection against a DoS or DDoS attack, if such an attack were possible through SNMP!!

Let us now check whether the GSLB feature is enabled on our NetScaler or not:

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 2c 192.168.1.111 .1.3.6.1.4.1.5951.4.1.1.20.10.0
SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 1





No, it is not! Let us enable GSLB on the NetScaler and check again:

> enable feature GSLB
 Done

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 2c 192.168.1.111 .1.3.6.1.4.1.5951.4.1.1.20.10.0
SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 2




Configure SNMP manager



SNMP managers are configured on the NetScaler to allow only specific SNMP managers to query it.

If you do not configure at least one SNMP manager, the appliance accepts and responds to SNMP queries from all IP addresses on the network. If you configure one or more SNMP managers, the appliance accepts and responds only to SNMP queries from those specific IP addresses.

I am going to add an incorrect SNMP manager first, to demonstrate the above point.

On the NetScaler appliance:

> add snmp manager 192.168.1.1 -netmask 255.255.255.255


On your SNMP manager (ubu02):

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 2c 192.168.1.111 .1.3.6.1.4.1.5951.4.1.1.20.10.0
Timeout: No Response from 192.168.1.111.

On the NetScaler appliance:

> rm snmp manager 192.168.1.1
 Done
> add snmp manager 192.168.1.5 -netmask 255.255.255.255
 Done






On your SNMP manager (ubu02):

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 2c 192.168.1.111 .1.3.6.1.4.1.5951.4.1.1.20.10.0
SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 2
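The manager allowlist rule described above, as an added example (this is not NetScaler code; the function names and the data layout are this example's own assumptions, and the addresses are the ones used on this page): with no managers configured the appliance answers any source, otherwise only a source that falls inside a configured ip/netmask entry gets a reply. The netmask handling also covers a whole management subnet, which the page does not show, and a small audit helper flags entries broad enough to defeat the purpose of the allowlist.

```python
import ipaddress

# Added example, not NetScaler's implementation: a model of the documented
# `add snmp manager <ip> -netmask <mask>` behaviour.


def build_manager_allowlist(entries):
    """entries are (ip, netmask) pairs exactly as typed into
    `add snmp manager <ip> -netmask <mask>`; returns ip_network objects.
    strict=False masks off host bits, so ("192.168.1.5", "255.255.255.0")
    becomes the whole 192.168.1.0/24."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in entries]


def manager_allowed(source_ip, allowlist):
    """Documented rule: no managers configured -> answer everyone;
    otherwise answer only sources covered by some configured entry.
    A refused source simply sees 'Timeout: No Response' on the manager side."""
    if not allowlist:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)


def audit_allowlist(allowlist, widest_ok=24):
    """Defender's check (threshold is an assumption of this example): return the
    entries wider than a /24, since a very broad netmask re-opens the agent to
    most of the network and makes the allowlist pointless."""
    return [str(net) for net in allowlist if net.prefixlen < widest_ok]


def page_walkthrough():
    """Replays the sequence on this page for the manager ubu02 (192.168.1.5):
    no managers -> reply; wrong manager 192.168.1.1 -> timeout; fix to 192.168.1.5 -> reply."""
    ubu02 = "192.168.1.5"
    no_managers = build_manager_allowlist([])
    wrong = build_manager_allowlist([("192.168.1.1", "255.255.255.255")])
    right = build_manager_allowlist([("192.168.1.5", "255.255.255.255")])
    return (
        manager_allowed(ubu02, no_managers),
        manager_allowed(ubu02, wrong),
        manager_allowed(ubu02, right),
    )


if __name__ == "__main__":
    print(page_walkthrough())  # (True, False, True)
    subnet = build_manager_allowlist([("192.168.1.0", "255.255.255.0")])
    print(manager_allowed("192.168.1.77", subnet))  # True: covered by the /24 entry
    print(audit_allowlist(build_manager_allowlist([("10.0.0.0", "255.0.0.0")])))  # ['10.0.0.0/8']
```

The `/32` netmask used on the page is the tightest setting; a wider mask is a convenience that should show up in a review of the appliance configuration, which is what `audit_allowlist` imitates.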



SNMP v3 Configuration

SNMP v3 configuration on the NetScaler is done in three steps: views, groups and users.

Step 1: views

SNMP views are used to implement access control; each view names a subtree of the OID hierarchy.

On the NetScaler appliance:

> add snmp view NetScalerEnterpriseOIDs 1.3.6.1.4.1 -type included
> add snmp view genericMIBs 1.3.6.1.2.1 -type included




We have added two SNMP views, one restricting access to 1.3.6.1.4.1.* and the other restricting access to 1.3.6.1.2.1.*

Step 2: groups

SNMP groups are used to implement access control and to define the security level.

On the NetScaler appliance:

> add snmp group NetScalerEnterpriseOID_readers authPriv -readViewName NetScalerEnterpriseOIDs


We have now created a group named "NetScalerEnterpriseOID_readers" with security level authPriv ("authenticated and private", i.e. encrypted) and bound the view "NetScalerEnterpriseOIDs" to it as its read view.



Step 3: users

The group created above will now be populated with a user and their authentication credentials.

On the NetScaler appliance:

> add snmp user ssharma -group NetScalerEnterpriseOID_readers -authType MD5 -authPasswd "********" -privType DES -privPasswd "********"

A user "ssharma" with authentication type MD5 and privacy (encryption) type DES is created and assigned to the group "NetScalerEnterpriseOID_readers".


On your SNMP manager (ubu02), now querying with -v 3 and the user's credentials (the -c community string is ignored for v3 requests and can be dropped):

ssharma@ubu02:~$ snmpget -c snmpcommunity -v 3 -u ssharma -a MD5 -A ******** -x DES -X ******** 192.168.1.111 .1.3.6.1.4.1.5951.4.1.1.20.10.0
SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 2
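The view, group and user objects created in the three steps above, as an added example (not NetScaler's code): a small model of how the appliance decides whether a v3 GET is answered, plus a parser for the snmpget output lines shown on this page. Object names, OIDs and the security level are taken from the page; the function names, the data layout, the `excluded` view type (the counterpart of `-type included`) and the handling of an unknown user are this example's own assumptions. It goes beyond the page in one way: OID arcs are compared as integers, so a view on 1.3.6.1.1 does not accidentally cover 1.3.6.1.10.

```python
# Added example, not NetScaler's implementation: a model of the objects created by
# `add snmp view`, `add snmp group` and `add snmp user` and of the checks an SNMPv3
# GET has to pass. Credentials are deliberately not modelled.

SECURITY_LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# `add snmp view <name> <subtree> -type included|excluded`
VIEWS = {
    "NetScalerEnterpriseOIDs": [("1.3.6.1.4.1", "included")],
    "genericMIBs": [("1.3.6.1.2.1", "included")],
}
# `add snmp group <name> <securityLevel> -readViewName <view>`
GROUPS = {
    "NetScalerEnterpriseOID_readers": {"level": "authPriv", "readView": "NetScalerEnterpriseOIDs"},
}
# `add snmp user <name> -group <group> ...`
USERS = {"ssharma": {"group": "NetScalerEnterpriseOID_readers"}}

# Symbolic prefixes net-snmp prints when the MIB is loaded, mapped back to numeric form.
SYMBOLIC_PREFIXES = {
    "SNMPv2-SMI::enterprises": "1.3.6.1.4.1",
    "SNMPv2-MIB::sysDescr": "1.3.6.1.2.1.1.1",
}


def parse_oid(oid):
    """'.1.3.6.1.4.1' -> (1, 3, 6, 1, 4, 1); rejects anything that is not dotted integers."""
    parts = oid.strip().lstrip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return tuple(int(p) for p in parts)


def oid_in_view(oid, view):
    """The most specific (longest) matching subtree decides; an 'excluded' entry hides
    its subtree even inside an 'included' parent. Arcs are compared as integers."""
    arcs = parse_oid(oid)
    best = None
    for subtree, kind in view:
        prefix = parse_oid(subtree)
        if arcs[: len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, kind)
    return best is not None and best[1] == "included"


def authorize_get(user, request_level, oid, users=USERS, groups=GROUPS, views=VIEWS):
    """Return (allowed, reason) for a GET of `oid` by `user` at security level `request_level`.
    Order of checks: known user -> level at least the group's level -> OID inside the read view."""
    if user not in users:
        return False, "unknown user"
    group = groups[users[user]["group"]]
    if SECURITY_LEVELS[request_level] < SECURITY_LEVELS[group["level"]]:
        return False, f"group requires {group['level']}, request was {request_level}"
    view = views.get(group["readView"])
    if view is None or not oid_in_view(oid, view):
        return False, "OID outside the group's read view"
    return True, "ok"


def parse_snmpget_line(line):
    """'SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 2'
    -> ('1.3.6.1.4.1.5951.4.1.1.20.10.0', 'INTEGER', '2')"""
    lhs, rhs = line.split(" = ", 1)
    typ, value = rhs.split(": ", 1)
    for symbolic, numeric in SYMBOLIC_PREFIXES.items():
        if lhs.startswith(symbolic):
            lhs = numeric + lhs[len(symbolic):]
            break
    return lhs, typ, value


if __name__ == "__main__":
    gslb_oid, _, gslb_value = parse_snmpget_line(
        "SNMPv2-SMI::enterprises.5951.4.1.1.20.10.0 = INTEGER: 2")  # constructed from the page's output
    print(authorize_get("ssharma", "authPriv", gslb_oid), "value:", gslb_value)   # (True, 'ok') value: 2
    print(authorize_get("ssharma", "authPriv", ".1.3.6.1.2.1.1.1.0"))             # refused: sysDescr is in genericMIBs, which is not bound
    print(authorize_get("ssharma", "authNoPriv", gslb_oid))                       # refused: group demands authPriv
```

Two things the model makes visible that the page's single successful query does not: the `genericMIBs` view exists but is bound to no group, so the same user cannot read sysDescr with v3 even though the v2c community string could, and a request that authenticates but does not encrypt is refused outright by an authPriv group rather than answered in the clear.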

Reference Material

Add SNMP v3 device on Citrix Command Center


1 comment:

  1. Your concepts about best citrix netscaler training were easy to understand. This information is definitely useful for everyone