4.6.4 V3 Security Validation

Overview

V3 Security Validation performs various checks, on SNMP v3 agents, based on the user's privilege on various security levels, such as NoAuthNoPriv, AuthNoPriv, and AuthPriv.

Viewing Test Cases

SNMP Agent Tester has a set of built-in test cases grouped based on the security level of user names defined in USM table for validating the security of a V3 agent. These test cases require the v3 security user names as their input. Once the user names are added, SNMP Agent Tester automatically maps the users with the built-in test cases and displays the total number of test cases that it would validate. In other words, the actual number of test cases for validating the V3 security will depend on the number of users added under different security levels.

As you come down in the Project Tree, under the V3 Security node, there are four groups for testing. You can view the individual test case description by clicking the sub-nodes within each group.

There are two categories of built-in test cases, one named TYPE and other without TYPE. The test cases named as TYPE are dynamic in nature. This means that this test case will be performed 'n' number of times, where n is the total number of users that were mapped with that particular test case. These test cases are displayed in blue color in the Project tree.

You also have an option to choose the users. By default, all the users will be selected. You can deselect the user names for which you do not want to perform the validation. After the validation, in the reports, 001, 002, 003 .... will be appended to the test case ID based on the number of users selected.

The other category of test case will be validated only once by sending a request with the user name specified in the Testcase Editor

Note: Test cases in the Project Tree marked italics represent that none of the added users matches those particular test cases.

Grouping of Test Cases

SNMP Agent Tester has a set of built-in test cases for checking the security of SNMP v3 agents. These test cases are grouped based on the security levels. The following are the different groups of V3 Security test cases:

V3-GENERAL

Checks if the wrong engine time for the valid user throws general error.
Checks if the wrong engine ID for the valid user throws general error.

V3-NOAUTH-NOPRIV

Checks if usmStatsUnknownUserNames is present in the response varbind, if a request is sent with user name not present in the NoAuthNoPriv module.
Checks if all valid users of NoAuthNoPriv security level are able to make an SNMP request.
Checks if all AuthNoPriv users are able to make an SNMP request with NoAuthNoPriv security level.
Checks if all AuthPriv users are able to make an SNMP request with NoAuthNoPriv security level.

V3-AUTH-NOPRIV

Checks if usmStatsUnknownUserNames is present in the response varbind, if a request is sent with a user name not present in the AuthNoPriv module.
Checks if usmStatsWrongDigests is present in the response varbind, if a request is sent with a wrong auth password.
Checks if usmStatsWrongDigests is present in the response varbind, if a request is sent with a wrong protocol.
Checks if all AuthNoPriv users are able to make an SNMP request with AuthNoPriv security level.
Checks if all AuthPriv users are able to make an SNMP request with AuthNoPriv security level.
Checks if usmStatsUnsupportedSecurityLevel is present in the response varbind, if a request is sent with a NoAuthNoPriv user name.

V3-AUTH-PRIV

Checks if usmStatsUnknownUserNames is present in the response varbind, if a request is sent with a user name not present in the AuthPriv module.
Checks if usmStatsWrongDigests is present in the response varbind, if a request is sent with a wrong auth password.
Checks if the request is timed out after discovery and timesync, if a request is sent with a wrong priv password.
Checks if usmStatsWrongDigests is present in the response varbind, if a request is sent with a wrong protocol.
Checks if all AuthPriv users are able to make an SNMP request with AuthPriv security level.
Checks if usmStatsUnsupportedSecurityLevel is present in the response varbind, if a request is sent with a AuthNoPriv user name.
Checks if usmStatsUnsupportedSecurityLevel is present in the response varbind, if a request is sent with a NoAuthNoPriv user name.

Steps Involved in V3 Security Validation

Create a project.
Provide the agent information.
Click the V3Security node from the project tree.
Click Add to specify the user details. The SNMPV3 User Details dialog pops up.
Specify the user details, such as user name, context name, security level, security model, authorization, and privacy password. Please note that the authorization and privacy password fields will be enabled based on the chosen security level.
Click OK.
Repeat steps four to six for adding more users.
Click V3Security Validation button to begin validation. You also have an option to test specific group of test cases by right-clicking the respective group and selecting Validation.

Viewing the Validation Reports

The result of the validation can be viewed by selecting the Report Viewer tab. You have the following options to view the report:

You can view the reports based on the result status by selecting the required option from the Select a view combo box.
You can view the reports based on the test case grouping by selecting the appropriate group from the project tree.
You van view the details of a specific test case by selecting a row from the report. You can view the SNMP PDU Dump by clicking the Decode button from the test case summary report.
You have an option to view the graphical representation of the reports by clicking the bar graph or pie chart icon.
The report summary and the summary of the failed test cases are displayed at the bottom of the report viewer based on the node selected in the project tree.

You can also generate HTML reports of the performed validation.

Clearing the Validation Reports

To clear the validation reports, select Reports --> Clear Reports --> Clear V3 Security Reports from the menu bar.