Computer and Information Security


Computer and Information Security
Chapter 12: Network Management Security
Slides by H. Johnson & S. Malladi, L. Brown - Modified by SJF-S'12

Outline
- Basic Concepts of SNMP
- Network Management Architecture
- SNMPv1 Community Facility
- SNMPv3
- Recommended Reading and WEB Sites

Basic Concepts of SNMP
- As a network grows larger, it becomes more indispensable to the organization, and more things can go wrong, disabling the network to an unacceptable level
- A large network is too complex to be managed by human effort and requires automated network management tools, such as the Simple Network Management Protocol (SNMP)

Basic Concepts of SNMP: Network Management Architecture
- A network management system is an integrated collection of tools for network monitoring and control
- Single operator interface
- Minimal amount of separate equipment. Software and network communications capability built into the existing equipment
- Active elements of the network provide regular feedback of status information to the network control center

SNMP Architecture
SNMP key elements:
- Management station: often a stand-alone device, which serves as the human interface
- Management agent: responds to requests for information from the management station
- Management information base (MIB): collection of access points at the agent for the station
- Network management protocol: links station and agents and includes:
  - Get: retrieve value of objects at agent
  - Set: set value of objects at agent
  - Notify: notifies station of significant events

Network Management Protocol Architecture
- 1988 SNMP - became dominant
- Most vendors of routers, workstations, PCs, etc. offer SNMP agent packages that allow their products to be managed by an SNMP management station
- SNMP is easily implemented and uses minimal processor and network resources

Network Management Protocol Architecture
- SNMP is designed to be an application-level protocol that is part of TCP/IP
- Intended to operate over the User Datagram Protocol (UDP)
- Each agent must implement SNMP, UDP, and IP

Protocol Context of SNMP
- 3 types of messages are issued:
  - GetRequest
  - GetNextRequest
  - SetRequest
- All are acknowledged by GetResponse
- An agent may issue a trap message in response to an event

Protocol context of SNMP

Protocol Context of SNMP
- SNMP relies on UDP, which is connectionless, and SNMP is also connectionless
- No connections are maintained between a management station and an agent

Proxies
- Proxies were developed for devices that do not support UDP or implement SNMP
- An SNMP agent acts as a proxy for one or more other devices
- The management station sends queries to the proxy agent, which converts them to the management protocol used by the device
- When the agent receives a reply, it passes it to the management station

Proxy Configuration

SNMP v1 and v2
- Trap: an unsolicited message (reporting an alarm condition)
- SNMPv1 is "connectionless" since it utilizes UDP (rather than TCP) as the transport layer protocol
- SNMPv2 allows the use of TCP for "reliable, connection-oriented" service
- Any device that does not run SNMPv2 must be managed by proxy

SNMPv2
- Strength of SNMP is its simplicity
- SNMP provides a basic set of tools that is easy to implement and configure
- Deficiencies become apparent in large networks:
  - Lack of support for distributed network management
  - Functional deficiencies
  - Security deficiencies (addressed in SNMPv3)

Distributed Network Management
- One host has the function of a management station; two or three others may have a back-up role
- Remaining devices contain agent software and MIB to allow monitoring and control from the management station
- MIB: Management Information Base, a database of objects that can be monitored by a network management system
- As the network grows in size this is unmanageable, and a decentralized management scheme works best

Decentralized (Distributed) Network Management
- Multiple top-level management stations or management servers
- Each server manages a pool of agents or delegates the management to an intermediate manager
- Intermediate manager monitors and controls its agents
- Spreads the processing burden and reduces total network traffic

SNMPv2
- SNMPv2 supports either a centralized strategy or a distributed one
- Some systems operate both in the role of manager and of agent
- Some commands require the agent to act as a proxy for remote devices: the proxy assumes the role of manager to access information at the remote device, then as an agent passes the information to a superior manager

Functional Enhancements
- SNMPv1: 5 commands (GetRequest, GetNextRequest, SetRequest, GetResponse, Trap) issued as protocol data units (PDU)
- SNMPv2: all 5 commands from v1, plus two new ones
  - Inform command, sent from one management station to another
  - GetBulk: allows manager to retrieve a large block of data at once
- Get is atomic in SNMPv1, but not in SNMPv2, which may return partial results

Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU | SNMPv2 PDU | Direction | Description
GetRequest | GetRequest | Manager to agent | Request value for each listed object
GetNextRequest | GetNextRequest | Manager to agent | Request next value for each listed object
------ | GetBulkRequest | Manager to agent | Request multiple values
SetRequest | SetRequest | Manager to agent | Set value for each listed object
------ | InformRequest | Manager to manager |
GetResponse | Response | Agent to manager or Manager to manager (SNMPv2) | Respond to manager request
Trap | SNMPv2-Trap | Agent to manager | Transmit unsolicited information

SNMPv1 Community Facility
- SNMP Community: relationship between an SNMP agent and SNMP managers, defined locally at the agent
- Three aspects of agent control:
  - Authentication service: agent may limit access to MIB to authorized managers
  - Access policy: agent may give different access privileges to different managers
  - Proxy service: agent may act as a proxy to other agents
- All of these raise security concerns
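The PDU types listed under Functional Enhancements and the community facility above can both be seen directly in captured management traffic. The following is an added example, not part of the original slides: a minimal BER reader that tells a monitoring tool which SNMP version, community and PDU type a UDP payload carries, and for SNMPv3 which security level the header announces. The function names and both sample messages are constructed for illustration.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Report what a passive monitor learns from one SNMP message."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("no outer SEQUENCE, not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    info = {"version": VERSIONS.get(version, "unknown"), "community": None,
            "pdu": None, "finding": None}
    if version in (0, 1):
        _, community, pos = read_tlv(body, pos)  # OCTET STRING, not encrypted
        pdu_tag, _, _ = read_tlv(body, pos)
        info["community"] = community.decode("latin-1")
        info["pdu"] = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
        info["finding"] = "community string readable on the wire"
        if pdu_tag == 0xA3:
            info["finding"] += "; SetRequest changes agent state"
    elif version == 3:
        _, header, _ = read_tlv(body, pos)   # msgGlobalData
        _, _, p = read_tlv(header, 0)        # msgID
        _, _, p = read_tlv(header, p)        # msgMaxSize
        _, flags, _ = read_tlv(header, p)    # msgFlags: bit 0 auth, bit 1 priv
        auth, priv = flags[0] & 1, flags[0] & 2
        info["finding"] = ("authPriv" if priv else "authNoPriv") if auth else "noAuthNoPriv"
    return info

# Constructed samples: v1 GetRequest (community "public"); v3 header, auth+priv.
V1_GET = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                       "300e300c06082b060102010101000500")
V3_HDR = bytes.fromhex("3016020103300d020101020205dc04010302010304000400")
```

Run over a capture of UDP port 161/162 payloads, `classify` gives an inventory of which agents still accept community-based access and which managers issue SetRequest with it.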

SNMPv1 Administrative Concepts

SNMPv3
- SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2

SNMPv3
- SNMPv3 is not a stand-alone replacement for versions 1 and 2
- SNMPv3 defines a security capability to be used with SNMPv2 (preferred) or SNMPv1
- Describes an architecture for current and future versions of SNMP
- Like SNMPv2 with security and administrative capabilities

SNMPv3 Architecture
Modular architecture:
- Allows implementation over a wide range of operational environments
- Makes it possible to move portions of the architecture forward in the standards track even if consensus is not reached on all pieces
- Accommodates alternate security modes

SNMP Entity
- Each SNMP entity includes a single SNMP engine
- Engine implements functions for sending and receiving messages, authenticating, encrypting and decrypting messages, and controlling access to managed objects
- Both the engine and the applications are collections of discrete modules

SNMP Entity
This architecture provides advantages:
- Role of an entity is determined by which modules are implemented in the entity
- Modular structure lends itself to defining different versions of each module
  - Makes it possible to define alternative or enhanced capabilities
  - Clearly specifies coexistence and transition strategies

Traditional SNMP manager
- Manager interacts with agents by issuing commands (get, set) and by receiving trap messages
- Manager may also interact with other managers by issuing Inform Request PDUs, which provide alerts, and by receiving Inform Response PDUs, which acknowledge Inform Requests

Traditional SNMP manager
Includes three categories of applications:
- Command Generator Applications: monitor and manipulate management data at remote agents (using SNMPv1 or SNMPv2)
- Notification Originator Application: originates asynchronous messages (using InformRequest)
- Notification Receiver Application: processes incoming asynchronous messages

Traditional SNMP Manager

Traditional SNMP Manager
SNMP engine performs two functions:
- Accepts outgoing PDUs from SNMP applications, performs necessary processing, including inserting authentication codes and encrypting, and encapsulates for transmission
- Accepts incoming SNMP messages from the transport layer, performs necessary processing, including inserting authentication codes and encrypting, extracts PDUs and passes these on to SNMP applications

SNMP Engine
Contains:
- A Dispatcher: simple traffic manager that accepts PDUs, determines the type of processing and passes them to the Message Processor; for incoming messages from the transport layer, routes them to the application
- A Message Processing Subsystem: wraps PDUs in a message and returns it to the Dispatcher
- A Security Subsystem: performs authentication and encryption

Traditional SNMP Agent
Contains 3 types of applications:
- Command Responder: provides access to management data
- Notification Originator: initiates asynchronous messages
- Proxy Forwarder: forwards messages between applications

Traditional SNMP Agent

SNMPv3 Flow

SNMP3 Message Format with USM

User Security Model (USM)
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure
Not intended to secure against:
- Denial of Service (DoS attack)
- Traffic analysis

Key Localization Process
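Key localization as specified for USM in RFC 3414 (Appendix A.2), shown as an added example that is not part of the original slides: a user password is stretched into a user key, which is then bound to each agent's engine ID so that every agent stores a different key. The function names and the second engine ID are constructed for illustration; the password and first engine ID are the RFC's own MD5 test inputs.

```python
import hashlib


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2 step 1: digest of the password repeated to 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(user_key: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2 step 2: bind the user key to one authoritative engine."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def keys_per_engine(password: bytes, engine_ids, algo: str = "md5") -> dict:
    """Derive the key each agent stores; the password itself is never stored."""
    ku = password_to_key(password, algo)
    return {eid.hex(): localize_key(ku, eid, algo).hex() for eid in engine_ids}


# Password and first engine ID are the RFC 3414 A.3.1 test inputs;
# the second engine ID is constructed for this example.
RFC_ENGINE = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for eid, key in keys_per_engine(b"maplesyrup", [RFC_ENGINE, OTHER_ENGINE]).items():
        print(eid, key)
```

Because each agent holds only its localized key, a key recovered from one compromised agent does not authenticate the same user to any other agent.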

View-Based Access Control Model (VACM)
VACM has two characteristics:
- Determines whether access to a managed object should be allowed
- Makes use of an MIB that:
  - Defines the access control policy for this agent
  - Makes it possible for remote configuration to be used

Access control decision

Recommended Reading and WEB Sites
- Subramanian, Mani. Network Management. Addison-Wesley, 2000
- Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999
- IETF SNMPv3 working group (Web sites)
- SNMPv3 Web sites