
Network Management and SNMP

- What is Network Management?
- ISO Network Management Model (FCAPS)
- Network Management Architecture
- SNMPv1 and SNMPv2
- SNMPv3: what's new?
Network Management

- Any complex system with many interacting components must be monitored, managed and controlled.
- In the early 1980s, the expansion of networks prompted the need for automated network management.
Network management scenarios

- Detecting failure of an interface card in a device
- Host monitoring
- Traffic monitoring to optimize resource deployment
- Detecting rapid changes in routing tables
- Intrusion detection
ISO Network Management Model

FCAPS:
- Fault management
- Configuration management
- Accounting management
- Performance management
- Security management
ISO Network Management Model

- Fault management - log, detect and respond to fault conditions in the network
- Configuration management - track devices and their hardware and software configurations
- Accounting management - specify, log and control user access to network resources
- Performance management - quantify, measure, report, analyze and control the performance of network components
- Security management - control access to network resources according to some well-defined policy
Network Management Architecture (figure)
Simple Network Management Protocol

- Protocol for network management, part of the TCP/IP suite
- Current version: SNMPv3
- Includes a communication protocol, a set of data definitions and a database schema
- Basic components:
  - Managers/NMS
  - Managed devices
  - SNMP agents
  - MIB
SNMPv3

- Was implemented as a full standard in 2004
- The only changes relate to security and remote configuration
- SNMPv3 provides for encryption, authentication and message integrity
Network Management Architecture (figure)
MIB (Management Information Base)

- MIB - a virtual information store for a collection of managed objects
- Describes the structure of management data on a managed device
- Each variable that describes some part of the device configuration is identified by a unique OID (object identifier)
- Vendors define MIB variables for their own use
- MIB-II - the standard MIB implemented by all managed objects
SMI (Structure of Management Information)

- SMI is the language used to define the management information that logically resides in a managed object
- SMI states that each managed object should have a name, a syntax and an encoding
- SMI is a subset of ASN.1, a standard for describing data that is independent of machine-specific encoding.
Object naming by OID (figure)

MIB-II subtree (figure)

SNMP Transport (figures)
SNMP Operations

- get
- getnext
- getbulk (SNMPv2 and SNMPv3)
- set
- getresponse
- trap
- notification (SNMPv2 and SNMPv3)
- inform (SNMPv2 and SNMPv3)
- report (SNMPv2 and SNMPv3)
SNMP Operations
Get and getresponse (figure)
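The get/getresponse exchange is carried in a BER-encoded message whose layout SMI inherits from ASN.1. The following Python is an added example, not code from the slides: it builds an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, chosen here as a sample) by hand and decodes OIDs back, without sending anything on the network.

```python
# Added example: hand-rolled BER encoding of an SNMPv1 GetRequest (no network I/O).
# Message ::= SEQUENCE { version, community, GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }
def ber_length(n):
    """BER length octets: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value

def encode_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER content octets: the first two arcs are
    packed as 40*a + b, every later arc is base-128 with a continuation bit."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(data):
    """Inverse of encode_oid, e.g. to read which object a captured request asks for."""
    first = data[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # continuation bit clear: this arc is complete
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_int(n):
    """Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def snmpv1_get_request(community, oids, request_id=1):
    """SNMPv1 GetRequest bytes. The community string travels in clear text."""
    varbinds = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x05, b"")) for o in oids)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(0xA0, pdu))
```

Feeding the returned bytes to decode_oid on the OBJECT IDENTIFIER field shows why a community string seen on the wire is all an SNMPv1/v2c agent checks, which is the gap SNMPv3 USM closes.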
SNMP Operations
Getnext - retrieve a group of values (figure)

SNMP Operations
Getbulk - retrieve a section of a table (figure)

SNMP Operations
Set - change a value or create a new row in a table (figure)

SNMP Operations
Trap - asynchronous operation (figure)
Primary Goals of SNMPv3

- Message integrity check - to verify that each received message has not been modified during its transmission.
- User authentication - to verify the identity of the user on whose behalf a received message claims to have been generated.
- Message timestamp - to detect outdated messages.
- Message confidentiality - to assure that the contents of each received message are protected/encrypted.
Primary Goals of SNMPv3 (figure)
SNMPv3 security framework

- Two core modules within the framework are the User-based Security Model (USM) and the View-based Access Control Model (VACM).
- The USM is in charge of authenticating, encrypting and decrypting SNMP packets.
- The VACM is in charge of administering access to MIB data.
SNMPv3 security framework

- Authentication - each SNMP entity is identified by an SNMPEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and notifications are exceptions to this rule.
- Protection against:
  - Modification of information (data integrity) - ensure that the data is not maliciously altered in transit by an unauthorized entity.
  - Masquerading (data origin authentication) - ensure that it is known exactly who sent the data and from where, to prevent an unauthorized entity from assuming the identity of an authorized user.
  - Disclosure (data confidentiality) - ensure that an unauthorized entity cannot eavesdrop on the data exchanges.
  - Message stream modification (message timeliness) - ensure that the data was received in a timely manner, to prevent malicious re-ordering of data by an unauthorized entity.
SNMPv3 User-based Security Model

- USM communication mechanisms available:
  - Communication without authentication and without privacy (NoAuthNoPriv)
  - Communication with authentication and without privacy (AuthNoPriv)
  - Communication with authentication and privacy (AuthPriv)
- Different authentication and privacy protocols are supported - currently, the MD5 and SHA authentication protocols and the CBC_DES and CFB_AES_128 privacy protocols are supported in the USM.
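The MD5/SHA authentication protocols named above and the SNMPEngineID from the previous slide meet in the USM key derivation of RFC 3414. The Python below is an added example, not code from the slides or from any SNMP implementation: it derives the master key Ku from a password, localizes it with an engine ID, and computes the truncated HMAC that goes into msgAuthenticationParameters; the second engine ID and the message bytes are constructed sample values.

```python
import hashlib
import hmac

# Added example, not from the slides: the RFC 3414 USM key derivation behind the
# MD5/SHA authentication protocols listed above. A password is stretched into a
# master key Ku, then localized with the peer's SNMPEngineID, so every agent ends
# up with a different key even when the same password was configured everywhere.

def _hash(proto):
    return hashlib.new("sha1" if proto == "sha" else "md5")

def password_to_key(password, proto="sha"):
    """Ku: hash of the password repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    pw = password.encode()
    h = _hash(proto)
    h.update((pw * (1048576 // len(pw) + 1))[:1048576])
    return h.digest()

def localize_key(ku, engine_id, proto="sha"):
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    h = _hash(proto)
    h.update(ku + engine_id + ku)
    return h.digest()

def usm_auth_key(password, engine_id, proto="sha"):
    """Localized authentication key for a user on a given engine."""
    return localize_key(password_to_key(password, proto), engine_id, proto)

def auth_params(kul, whole_msg, proto="sha"):
    """msgAuthenticationParameters: HMAC over the whole message (with this field
    zeroed) truncated to 96 bits, i.e. HMAC-MD5-96 or HMAC-SHA-96."""
    return hmac.new(kul, whole_msg, "sha1" if proto == "sha" else "md5").digest()[:12]

if __name__ == "__main__":
    # Engine A is the RFC 3414 appendix A.3 test engine ID; engine B is a constructed value.
    engine_a = bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("8000000001020304")
    ka = usm_auth_key("maplesyrup", engine_a)
    kb = usm_auth_key("maplesyrup", engine_b)
    print("engine A key:", ka.hex())
    print("engine B key:", kb.hex(), "differs:", ka != kb)
    print("auth params:", auth_params(ka, b"constructed wholeMsg bytes").hex())
```

Because an agent stores only the localized key Kul, a key read out of one device's configuration does not authenticate the same user to a different engine; that isolation is what the engine-ID step buys.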
SNMPv3 VACM

- The Access Control Subsystem of an SNMP entity is responsible for checking whether a specific type of access to a specific managed object is allowed.
- Access control occurs in the agent when processing SNMP retrieval or modification request messages from a manager, and also when a notification message must be sent to the manager.
- Elaborates on the concept of community strings in the previous versions of SNMP.
