Authentication in SNMP v1 and v2 is nothing but community string sent in clear text. SNMPv3 does not use community strings, but uses password based authentication and encryption depending of how the users have been defined.
SNMP v3 provides the security features like Confidentiality, Reliability, Integrity and authentication, which the connector should leverage.
The connector uses a wrapper library, AdventNetSnmp to interface with SNMP. Need to verify if v3 security features are supported by this and if not, use a newer version.
https://bugzilla.netiq.com/show_bug.cgi?id=729522
by: Srinivas R. | over a year ago | Integrations
Comments
Update from NTS about customer ING BANK SLASKI S.A:
Because of the security requirements, they moved some of the SNMP sources to Splunk. Some of them are still connected to the Sentinel but they are unable to tell me if this situation can be persistent or the will have to switch this sources to encrypted SNMP. So if at that moment we won't have this solution, they will move this remaining sources to Splunk.
Update from the customer bug for which this idea was created... https://bugzilla.novell.com/show_bug.cgi?id=729522
*******************************************************************************
Piotr Piotrowski:
Are there any plans to implement this in the "standard" Sentinel SNMP connector?
Or there won't be any changes as this can be achieved using SmartConnector for SNMP:
https://community.softwaregrp.com/t5/ArcSight-Connectors/SmartConnector-for-SNMP-Unified/ta-p/1587063?attachment-id=68444
Brandon Langley:
Piotr, only Ted can answer that definitively. I'd expect based on previous conversations that we would encourage the use of the SmartConnector as a preferred approach. That being said, if there's an issue with going that route, Ted will want to know about it so we can figure out how to best approach solving the issue.
Piotr Piotrowski:
Thanks Brandon,
I just wanted to know if the SmartConnector is the right direction and if I can send this information to the customer.
Brandon Langley:
It definitely is, just be aware that if it starts causing great heartburn for whatever reason you are encouraged to surface that to us :)
Piotr Piotrowski:
You can bet that we will :)
As SmartConnector is the solution for this enhancement, for me we can close this bug.
*******************************************************************************
So I was thinking if we can mark this idea as completed...
Sentinel now supports event feeds from ArcSight Smart Connector, but we have not certified each event feed. This is one of the event feeds that has not been certified or even validated by a customer. Any Sentinel customer is welcome to try any Smart Connector feed, but if they haven't been certified, some adjustments may need to be made to get all of the data fields reporting correctly.