SNMP

CSCE 815 Network Security Lecture 17
SNMP
Simple Network Management Protocol
March 25, 2003
Need for Network Management Tools

In the early days of the Arpanet, the predecessor of the Internet, the name service was accomplished by maintaining and distributing one file with all the IP addresses of the network. But no more DNS etc As networks increase in size 1. The network becomes more indispensable to the organization. 2. More things can go wrong, disabling or degrading the performance of portions of the network.
Today a large network cannot be managed with software assistance.

2 CSCE 815 Sp 03
SNMP History
SNMP version 1
was published in 1988 Widely accepted RFC 1157
SNMP version 2 added additional functionality
RFC 1441 (1993)
SNMP v3 added security features

RFC 3410-3415 (1999) http://www.ibr.cs.tu-bs.de/projects/snmpv3/ http://www.ietf.org/html.charters/snmpv3-charter.html
CSCE 815 Sp 03
SNMP v3
Introduction and Applicability Statements for Internet Standard Management Framework, RFC 3410, Informational, December 2002 An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, RFC 3411, STD 62, December 2002 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) RFC 3412, STD 62, December 2002 Simple Network Management Protocol (SNMP) Applications RFC 3413, STD 62, December 2002 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) RFC 3414, STD 62, December 2002 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) RFC 3415, STD 62, December 2002
CSCE 815 Sp 03
SNMP Management Station
Management station typically a stand alone device; an interface for human net manager Management agent Management information base Network Management protocol
Get, Set and Notify
CSCE 815 Sp 03
SNMP GOALS
UBIQUITY
PCs AND CRAYs
INCLUSION OF MANAGEMENT SHOULD BE INEXPENSIVE

SMALL CODE LIMITED FUNCTIONALITY
MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE
NEW MIBs
MANAGEMENT SHOULD BE ROBUST
CONNECTIONLESS TRANSPORT
Resource/reference for next few slides
http://www.simpleweb.org/tutorials/slides-ppt.html
CSCE 815 Sp 03
Copyright 2001 by Aiko Pras These sheets may be used for educational purposes
SNMP OPERATION
MANAGER
POLLING TRAPS
AGENTS
MIB
CSCE 815 Sp 03
SNMP
MANAGER
GET / SET TRAP

AGENTS
MIB
CSCE 815 Sp 03
SNMP OPERATION
MANAGER
AGENTS
TABLES VARIABLES
CSCE 815 Sp 03
Basic Concepts of SNMP

A network management system is an integrated collection of tools for network monitoring and control.

Single operator interface Minimal amount of separate equipment. Software and network communications capability built into the existing equipment.
10
CSCE 815 Sp 03
SNMP Management Station

Management station will include: an interface for the human net manager for monitoring and controlling the network management applications for data analysis and fault recovery
Translation of network manager commands to actual controls of the network

A database of the MIBs of all managed entities of the network
11
CSCE 815 Sp 03
SNMP Management Agent

Key platforms: hosts, bridges, routers, hubs equipped with SNMP management agent
SNMP management agent is a program that communicates with the SNMP management station
1. 2. 3.
Responds to requests for information on network status Responds to requests for management actions May asynchronously provide the management station with unsolicited alert information
12
CSCE 815 Sp 03
SNMP Management
Information Base
Each network resource is represented as an object (data variable)
Management Information Base (MIB) is the collection of objects that an agent maintains
Objects in MIB are standardized across the type of agent such as routers, bridges, etc. A management station monitors the network by requesting values from the MIBs A management station controls the network by setting values in the MIBs of the various agents
13
CSCE 815 Sp 03
SNMP Network Management Protocol

Capabilities of SNMP 1. Get - get the value of an object from an agent 2. Set set the value of an object of an agent 3. Notify agent alerts the management station
14
CSCE 815 Sp 03
Protocol context of SNMP
15
CSCE 815 Sp 03
Notes on SNMP protocol

It was designed to be an application level protocol. It was designed to be easily implemented and consume modest processor and network resources. SNMP UDP IP data link layer (ethernet) Each agent must implement SNMP, UDP and IP.
SNMP messages
1. 2. 3.
4.
5.
GetResponse GetNextResponse SetRequest GetResponse Trap
SNMP is connectionless (because UDP is).

16 CSCE 815 Sp 03
SNMP Proxies
Note all are capable of implementing SNMP(UDP,IP) e.g., bridges, modems etc.
Concept of a proxy was added to accommodate such devices.
SNMPv2 added the capability of running on the OSI as well as the TCP/IP protocol suite
17
CSCE 815 Sp 03
Proxy Configuration
18
CSCE 815 Sp 03
SNMPv2
The strength of SNMPv1 was simplicity implying it was easy to implement and configure.
However, deficiencies arose:

1. Lack of support for distributed network management 2. Functional deficiencies 3. Security deficiencies The first two were addressed by SNMPv2 and the latter by SNMPv3.
19
CSCE 815 Sp 03
20
CSCE 815 Sp 03
SNMP v1 and v2
Trap an unsolicited message (reporting an alarm condition)
SNMPv1 is connectionless since it utilizes UDP (rather than TCP) as the transport layer protocol.
SNMPv2 allows the use of TCP for reliable, connectionoriented service.
21
CSCE 815 Sp 03
Comparison of SNMPv1 and SNMPv2 Table 8.1

SNMPv1 PDU
GetRequest GetRequest -----SetRequest -----GetResponse
SNMPv2 PDU
GetRequest GetRequest GetBulkRequest SetRequest InformRequest Response
Direction
Manager to agent Manager to agent Manager to agent Manager to agent Manager to manager Agent to manager or Manage to manager(SNMPv2) Agent to manager
Description
Request value for each listed object Request next value for each listed object Request multiple values Set value for each listed object Transmit unsolicited information Respond to manager request Transmit unsolicited information
Trap
SNMPv2-Trap
22
CSCE 815 Sp 03
SNMPv1 Community Facility

SNMP provides only rudimentary secuirty through the concept of communitiy.
SNMP Community Relationship between an SNMP agent and SNMP managers.

Maintain locally on the agent List of managers with associated access privalidges Authentication service which manager can access/control Access policy Proxy service this may involve implementing authentication service for other devices
Each agent controls its MIB; aspects of this control

23
CSCE 815 Sp 03
SNMP Access Policy

SNMP MIB view a subset of the objects
SNMP access modes: Read-Only, Read-Write
SNMP community profile = SNMP MIB view + access-mode
SNMP access policy =

SNMP community + SNMP community-profile
24 CSCE 815 Sp 03
SNMPv1 Administrative Concepts
25
CSCE 815 Sp 03
SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv2 preferably or possibly v1
26
CSCE 815 Sp 03
SNMPv3 Archttecture
Consists of a distributed collection of SNMP entities
SNMP ENTITY
SNMP APPLICATIONS
COMMAND GENERATOR COMMAND RESPONDER NOTIFICATION ORIGINATOR NOTIFICATION RECEIVER PROXY FORWARDER
OTHER OTHER
SNMP ENGINE
MESSAGE PROCESSING SUBSYSTEM SECURITY SUBSYSTEM ACCESS CONTROL SUBSYSTEM
DISPATCHER
27
CSCE 815 Sp 03
SNMP Manager
COMMAND GENERATOR NOTIFICATION RECEIVER
PDU DISPATCHER
MESSAGE PROCESSING SUBSYSTEM SNMPv1
SECURITY SUBSYSTEM COMMUNITY BASED SECURITY MODEL USER BASED SECURITY MODEL OTHER SECURITY MODEL
MESSAGE DISPATCHER
SNMPv2C
SNMPv3 TRANSPORT MAPPINGS
OTHER
28
CSCE 815 Sp 03
SNMP Agent
MANAGEMENT INFORMATION BASE
ACCESS CONTROL SUBSYSTEM
COMMAND RESPONDER
VIEW BASED ACCESS CONTROL
NOTIFICATION ORIGINATOR
PDU DISPATCHER
MESSAGE PROCESSING SUBSYSTEM SNMPv1
SECURITY SUBSYSTEM COMMUNITY BASED SECURITY MODEL USER BASED SECURITY MODEL OTHER SECURITY MODEL
MESSAGE DISPATCHER
SNMPv2C
SNMPv3 TRANSPORT MAPPINGS
OTHER
29
CSCE 815 Sp 03
SNMPv3 Flow
30
CSCE 815 Sp 03
PRIMITIVES BETWEEN MODULES

Parameters
contextEngineID contextName destTransportAddress destTransportDomain expectResponse globalData maxMessageSize maxSizeResponseScopedPDU messageProcessingModel outgoingMessage outgoingMessageLength PDU pduType pduVersion scopedPDU stateReference statusInformation securityEngineID securityLevel securityModel securityName securityParameters securityStateReference sendPduHandle transportAddress transportDomain variableName viewType wholeMsg wholeMsgLength
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
MESSAGE PROCESSING SUBSYSTEM
31
CSCE 815 Sp 03
sendPdu
Parameters
APPLICATIONS
APPLICATIONS
sendPdu
ACCESS CONTROL SUBSYSTEM ACCESS CONTROL SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
32
CSCE 815 Sp 03
prepareOutgoingMessage
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
prepareOutgoingMessage
33
CSCE 815 Sp 03
generateRequestMsg
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
generateRequestMsg
34
CSCE 815 Sp 03
send / receive
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
send and receive

35
CSCE 815 Sp 03
prepareDataElements
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
prepareDataElements
36
CSCE 815 Sp 03
processIncomingMsg
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
processIncomingMsg
37
CSCE 815 Sp 03
processPd
Parameters
APPLICATIONS
APPLICATIONS
processPdu
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
38
CSCE 815 Sp 03
isAccessAllowed
Parameters
APPLICATIONS
APPLICATIONS
isAccessAllowed
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
39
CSCE 815 Sp 03
returnResponsePdu
Parameters
APPLICATIONS
APPLICATIONS
returnResponsePdu
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
40
CSCE 815 Sp 03
prepareResponseMessage
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
prepareResponseMessage
41
CSCE 815 Sp 03
generateResponseMsg
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
generateResponseMsg
42
CSCE 815 Sp 03
send / receive
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
send and receive

43
CSCE 815 Sp 03
prepareDataElements
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
prepareDataElements
44
CSCE 815 Sp 03
processIncomingMsg
Parameters
APPLICATIONS
APPLICATIONS
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
processIncomingMsg
45
CSCE 815 Sp 03
processResponsePdu
Parameters
APPLICATIONS
APPLICATIONS
processResponsePdu
DISPATCHER
SECURITY SUBSYSTEM
DISPATCHER
SECURITY SUBSYSTEM
46
CSCE 815 Sp 03
SNMP3 Message Format with USM
47
CSCE 815 Sp 03
User Security Model (USM)

Designed to secure against:
Modification of information Masquerade Message stream modification Disclosure
Not intended to secure against:
Denial of Service (DoS attack) Traffic analysis
48
CSCE 815 Sp 03
Key Localization Process
49
CSCE 815 Sp 03
View-Based Access Control Model (VACM)

VACM has two characteristics:

Determines wheter access to a managed object should be allowed. Make use of an MIB that:
Defines the access control policy for this agent. Makes it possible for remote configuration to be used.
50
CSCE 815 Sp 03
Access control decision
51
CSCE 815 Sp 03
Recommended Reading and WEB Sites

Subramanian, Mani. Network Management. AddisonWesley, 2000
Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999

IETF SNMPv3 working group (Web sites)
http://www.ietf.org/html.charters/snmpv3-charter.html
SNMPv3 Web sites http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php
52
CSCE 815 Sp 03

SNMP

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

SNMP

Caricato da

Copyright:

Formati disponibili

CSCE 815 Network Security Lecture 17

March 25, 2003

Need for Network Management Tools

Today a large network cannot be managed with software assistance.

was published in 1988 Widely accepted RFC 1157

SNMP version 2 added additional functionality

RFC 1441 (1993)

SNMP v3 added security features

RFC 3410-3415 (1999) http://www.ibr.cs.tu-bs.de/projects/snmpv3/ http://www.ietf.org/html.charters/snmpv3-charter.html

SNMP Management Station

PCs AND CRAYs

INCLUSION OF MANAGEMENT SHOULD BE INEXPENSIVE

SMALL CODE LIMITED FUNCTIONALITY

MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE

MANAGEMENT SHOULD BE ROBUST

Resource/reference for next few slides

GET / SET TRAP

Basic Concepts of SNMP

SNMP Management Station

Translation of network manager commands to actual controls of the network

SNMP Management Agent

Each network resource is represented as an object (data variable)

SNMP Network Management Protocol

Protocol context of SNMP

Notes on SNMP protocol

GetResponse GetNextResponse SetRequest GetResponse Trap

SNMP is connectionless (because UDP is).

Concept of a proxy was added to accommodate such devices.

However, deficiencies arose:

Comparison of SNMPv1 and SNMPv2 Table 8.1

SNMPv1 Community Facility

SNMP Community Relationship between an SNMP agent and SNMP managers.

Each agent controls its MIB; aspects of this control

SNMP Access Policy

SNMP access modes: Read-Only, Read-Write

SNMP community profile = SNMP MIB view + access-mode

SNMP access policy =

SNMPv1 Administrative Concepts

MESSAGE PROCESSING SUBSYSTEM SNMPv1

SNMPv3 TRANSPORT MAPPINGS

VIEW BASED ACCESS CONTROL

MESSAGE PROCESSING SUBSYSTEM SNMPv1

SNMPv3 TRANSPORT MAPPINGS

PRIMITIVES BETWEEN MODULES

ACCESS CONTROL SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

ACCESS CONTROL SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

MESSAGE PROCESSING SUBSYSTEM

send and receive