8. SNMPv3 Objectives Architecture Security, Access Control


8. SNMPv3
- Objectives
- Architecture
- Security, Access Control
- Message Format
- Engine Discovery
- Key Management
- Hands On

SNMPv3 changes
- Modular Architecture
- Security
- Access Control
- New Message Format
- Administration

RFCs
- RFC 3410: Introduction
- RFC 3411: Architecture
- RFC 3412: Message Processing / Dispatch
- RFC 3413: SNMP Applications
- RFC 3414: Security (USM)
- RFC 3415: Access Control (VACM)

SNMPv3 reuses
- Protocol Operations
- Transport Protocol
- Data Description Language
- MIBs

RFCs
- RFC 3416: Protocol Operations
- RFC 3417: Transport Mappings
- RFC 2578: SMIv2
- RFC 2579: Textual Conventions
- RFC 2580: Conformance Statements

SNMPv3 - Modular Architecture
SNMP Applications:
- Command Generator
- Command Responder
- Notification Originator
- Notification Receiver
- Proxy Forwarder
SNMP Engine:
- Dispatcher
- Message Processing Subsystem
- Security Subsystem
- Access Control Subsystem
The engine exchanges messages with other SNMP entities.

SNMP Entity - Manager
Applications: Command Generator, Notification Receiver
Engine:
- Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mapping (UDP, IPX, other) to the Network
- Message Processing Subsystem: v1MP, v2cMP, v3MP, otherMP
- Security Subsystem: User-based Security Model, Other Security Model

SNMP Entity - Agent
Applications: Command Responder, Notification Originator, Proxy Forwarder, MIB Instrumentation
Engine:
- Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mapping (UDP, IPX, other) to the Network
- Message Processing Subsystem: v1MP, v2cMP, v3MP, otherMP
- Security Subsystem: User-based Security Model, Other Security Model
- Access Control Subsystem: View-based Access Control Model, Other Access Control Model

Security Requirements
Secure against:
- Modification of Information
- Masquerade
- Message Stream Modification
- Disclosure
Not secure against:
- Denial of Service
- Traffic Analysis

Security Services 1(3)
Permit the operation?
- who requested the operation? (USM)
- is the message unaltered? (USM)
- is the message timely? (USM)

Security Services 2(3)
Permit the operation?
- what objects are accessed? (VACM)
- has the requester access rights on these objects? (VACM)

Security Services 3(3)
Message encryption?
- are we sending secret information? (USM)

Security Levels
Three levels:
- no authentication / no privacy (noAuth/noPriv)
- authentication / no privacy (Auth/noPriv)
- authentication / privacy (Auth/Priv)
Examples:
- Monitoring: noAuth/noPriv
- Configuration: Auth/noPriv
- Accounting Data: Auth/Priv

Message Structure
Generated/processed by the Message Processing Model:
- msgVersion
- msgID
- msgMaxSize
- msgFlags
- msgSecurityModel
Generated/processed by the User Security Model (USM):
- msgAuthoritativeEngineID
- msgAuthoritativeEngineBoots
- msgAuthoritativeEngineTime
- msgUserName
- msgAuthenticationParameters
- msgPrivacyParameters
Scoped PDU (plaintext or encrypted):
- contextEngineID
- contextName
- PDU
Scope of authentication: the whole message. Scope of encryption: the scoped PDU only.

Message Transmission
1. Retrieve user information
2. Privacy required?
   - YES: encrypt scopedPdu, set msgPrivacyParameters
   - NO: msgPrivacyParameters = null string
3. Authentication required?
   - YES: compute MAC, set msgAuthenticationParameters
   - NO: msgAuthenticationParameters = null string

Message Reception
1. Retrieve message parameters
2. Authentication required?
   - YES: compute MAC and compare it to msgAuthenticationParameters; then determine whether the message is within the time window
   - NO: continue
3. Privacy required?
   - YES: decrypt scopedPdu
   - NO: continue

Engine ID 1(2)
Administratively unique identifier
Format:
- OCTET STRING, 5-32 bytes long
- 1st bit = 0 -> Enterprise Method
- 1st bit = 1 -> Standard Method
Enterprise Method (cisco):
- the first 4 bytes are set to the private enterprise number (00000009)
- the following 8 bytes are assigned in an enterprise-specific method (MAC address + 2 random bytes)

Engine ID 2(2)
Standard Method (cisco):
- the first 4 bytes are set to the private enterprise number with the first bit set (80000009)
- the 5th byte indicates how the rest is used:
  0 - reserved
  1 - IPv4 address
  2 - IPv6 address
  3 - MAC address
  4 - admin text value
  5 - admin hex value
  6...127 - reserved
  128...255 - enterprise specific
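A decoder for the two engine ID layouts described on these two slides, added here as an example (it is not code from the slides). The 12-byte Cisco engine ID is the one printed in the discovery dumps later in the deck; the standard-method IDs in the test below are constructed to exercise the format byte table.

```python
"""Decode an SNMPv3 snmpEngineID into enterprise number, method and payload.

Added example (not from the slides). The first engine ID in __main__ is the
Cisco one from the discovery dumps; the others are constructed.
"""
import ipaddress

# Format byte (5th octet) of the standard method, as listed on the slide.
STANDARD_FORMATS = {0: "reserved", 1: "IPv4 address", 2: "IPv6 address",
                    3: "MAC address", 4: "admin text value", 5: "admin hex value"}


def decode_engine_id(hex_id: str) -> dict:
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets long")
    # The first bit selects the method; the other 31 bits hold the enterprise number.
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    info = {"enterprise": enterprise, "length": len(raw)}
    if raw[0] & 0x80 == 0:
        # Enterprise method: fixed 12 octets, the last 8 are enterprise specific.
        if len(raw) != 12:
            raise ValueError("enterprise-method engine IDs are exactly 12 octets")
        info.update(method="enterprise", body=raw[4:].hex())
        return info
    fmt, body = raw[4], raw[5:]
    if 6 <= fmt <= 127:
        kind = "reserved"
    elif fmt >= 128:
        kind = "enterprise specific"
    else:
        kind = STANDARD_FORMATS[fmt]
    info.update(method="standard", format=kind)
    if fmt == 1 and len(body) == 4:
        info["value"] = str(ipaddress.IPv4Address(body))
    elif fmt == 2 and len(body) == 16:
        info["value"] = str(ipaddress.IPv6Address(body))
    elif fmt == 3 and len(body) == 6:
        info["value"] = ":".join(f"{b:02x}" for b in body)
    elif fmt == 4:
        info["value"] = body.decode("ascii", errors="replace")
    else:
        info["value"] = body.hex()  # admin hex, reserved or enterprise-specific payload
    return info


if __name__ == "__main__":
    for eid in ("00000009020000D006024BF4",             # from the slides (enterprise method)
                "8000000901C0A80101",                   # constructed: standard, IPv4
                "8000000904" + "router1".encode().hex()):  # constructed: standard, text
        print(eid, decode_engine_id(eid))
```

The length check matters in practice: an engine ID outside 5..32 octets, or an enterprise-method ID that is not exactly 12 octets, is malformed and should be rejected rather than parsed loosely.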

Reports
- A new PDU for engine-to-engine communication
- All messages that can be responded to are reportable
- Gives the sender a chance to send a correct request
- Used for discovery and synchronization
- Var-Bind: OID and a single value indicating the problem

Timeliness
- Manager needs to keep track of EngineBoots/EngineTime in the Agent
- Agent checks EngineBoots/EngineTime; wrong value -> report message
- Default limit is 150 s

Key Management
- Shared secret keys: 1 key for authentication, 1 key for privacy
- Initial setup outside SNMPv3
- Not accessible via SNMP
- Key Localization Process

Key Localization Process
1. User Password
2. Expand to 2^20 octets and hash: H(User Password), with MD5 (16-octet key) or SHA-1 (20-octet key)
3. User Key
4. For each remote engine: Localized Key = H(User Key + Remote EngineID + User Key)
   (one localized key per remote EngineID)
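The localization steps above carried out in code, added here as an example that is not part of the slides. It follows the password-to-key and localization algorithm of RFC 3414 appendix A.2 using only hashlib; the test checks it against the RFC's own vector (password "maplesyrup", engine ID 00...02), and the two Cisco engine IDs from the discovery dumps show that one password yields a different key per engine.

```python
"""Password-to-key expansion and key localization (RFC 3414 appendix A.2).

Added example, not from the slides. Only hashlib is used; "md5" and "sha1"
are the two algorithms named on the slide.
"""
import hashlib

PASSWORD_EXPANSION = 1 << 20  # 2^20 octets of repeated password are hashed


def password_to_key(password: str, algo: str) -> bytes:
    """Ku = H(password repeated to 2^20 octets): 16 octets for md5, 20 for sha1."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (PASSWORD_EXPANSION // len(pw) + 1))[:PASSWORD_EXPANSION]
    return hashlib.new(algo, stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku + snmpEngineID + Ku): the key actually stored on that engine."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def localized_keys(password: str, algo: str, engine_ids) -> dict:
    """Fan-out from one password to one localized key per remote engine (the slide's figure)."""
    ku = password_to_key(password, algo)
    return {eid.hex(): localize_key(ku, eid, algo).hex() for eid in engine_ids}


if __name__ == "__main__":
    engines = [bytes.fromhex("00000009020000D006024BF4"),   # from the slides
               bytes.fromhex("00000009020000D006024BF5")]   # from the slides
    for eid, kul in localized_keys("maplesyrup", "md5", engines).items():
        print(eid, kul)
```

The hash is one-way, so a localized key read from a compromised agent does not give back the user key or the keys localized for other agents; it is still that agent's full credential for the user, so it must be protected on the agent like any other secret.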

Agent Discovery
Two-step discovery depending on snmpSecurityLevel:
- NoAuth/NoPriv: snmpEngineID
- Auth/NoPriv or Auth/Priv: snmpEngineBoots, snmpEngineTime

Discovery – NoAuth/NoPriv 1(4)
---------- Get Request ----------
Version = 3
Id = 4
Maximum size = 65520
Message flags = 04
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .1.. = reportableFlag is on
Security model = 3
Authoritative engine id = NULL
Authoritative engine boots = 0
Authoritative engine time = 0
User name = NULL
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = NULL
Context name = NULL
Command = Get request
Request ID = 3
Error status = 0 (No error)
Error index = 0
No varBindList

Discovery – NoAuth/NoPriv 2(4)
------------- Report -------------
Version = 3
Id = 4
Maximum size = 2048
Message flags = 00
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .0.. = reportableFlag is off
Security model = 3
Authoritative engine id = 00000009020000D006024BF4
Authoritative engine boots = 23
Authoritative engine time = 248073
User name = NULL
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF4
Context name = NULL
Command = Report
Request ID = 3
Error status = 0 (No error)
Error index = 0
Object = internet.6.3.15.1.1.4.0
Value = 17 (counter)

Discovery – NoAuth/NoPriv 3(4)
---------- Get Request ----------
Version = 3
Id = 5
Maximum size = 65520
Message flags = 04
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .1.. = reportableFlag is on
Security model = 3
Authoritative engine id = 00000009020000D006024BF4
Authoritative engine boots = 0
Authoritative engine time = 0
User name = oper1
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF4
Context name = NULL
Command = Get request
Request ID = 4
Error status = 0 (No error)
Error index = 0
Object = mib-2.1.3.0
Value = NULL

Discovery – NoAuth/NoPriv 4(4)
------------- Response -------------
Version = 3
Id = 5
Maximum size = 2048
Message flags = 00
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .0.. = reportableFlag is off
Security model = 3
Authoritative engine id = 00000009020000D006024BF4
Authoritative engine boots = 23
Authoritative engine time = 248073
User name = oper1
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF4
Context name = NULL
Command = Response
Request ID = 4
Error status = 0 (No error)
Error index = 0
Object = mib-2.1.3.0
Value = 24807356

Discovery – Auth/NoPriv 1(6)
---------- Get Request ----------
Version = 3
Id = 5
Maximum size = 65520
Message flags = 04
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .1.. = reportableFlag is on
Security model = 3
Authoritative engine id = NULL
Authoritative engine boots = 0
Authoritative engine time = 0
User name = NULL
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = NULL
Context name = NULL
Command = Get request
Request ID = 4
Error status = 0 (No error)
Error index = 0
No varBindList

Discovery – Auth/NoPriv 2(6)
------------- Report -------------
Version = 3
Id = 5
Maximum size = 1500
Message flags = 00
  .... ...0 = authFlag is off
  .... ..0. = privFlag is off
  .... .0.. = reportableFlag is off
Security model = 3
Authoritative engine id = 00000009020000D006024BF5
Authoritative engine boots = 1
Authoritative engine time = 1296955
User name = NULL
Authentication parameters = NULL
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF5
Context name = NULL
Command = Report
Request ID = 4
Error status = 0 (No error)
Error index = 0
Object = internet.6.3.15.1.1.4.0
Value = 6 (counter)

Discovery – Auth/NoPriv 3(6)
---------- Get Request ----------
Version = 3
Id = 6
Maximum size = 65520
Message flags = 05
  .... ...1 = authFlag is on
  .... ..0. = privFlag is off
  .... .1.. = reportableFlag is on
Security model = 3
Authoritative engine id = 00000009020000D006024BF5
Authoritative engine boots = 0
Authoritative engine time = 0
User name = admin1
Authentication parameters = [<0E>y<12>r!ECAu y
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF5
Context name = NULL
Command = Get request
Request ID = 5
Error status = 0 (No error)
Error index = 0
Object = mib-2.1.3.0
Value = NULL

Discovery – Auth/NoPriv 4(6)
------------- Report -------------
Version = 3
Id = 6
Maximum size = 1500
Message flags = 01
  .... ...1 = authFlag is on
  .... ..0. = privFlag is off
  .... .0.. = reportableFlag is off
Security model = 3
Authoritative engine id = 00000009020000D006024BF5
Authoritative engine boots = 1
Authoritative engine time = 1296955
User name = admin1
Authentication parameters = 3^qN<09>NCg<0B1A>v
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF5
Context name = NULL
Command = Report
Request ID = 5
Error status = 0 (No error)
Error index = 0
Object = internet.6.3.15.1.1.2.0
Value = 15 (counter)

Discovery – Auth/NoPriv 5(6)
---------- Get Request ----------
Version = 3
Id = 7
Maximum size = 65520
Message flags = 05
  .... ...1 = authFlag is on
  .... ..0. = privFlag is off
  .... .1.. = reportableFlag is on
Security model = 3
Authoritative engine id = 00000009020000D006024BF5
Authoritative engine boots = 1
Authoritative engine time = 1296955
User name = admin1
Authentication parameters = [<0E>y<12>r!ECAu y
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF5
Context name = NULL
Command = Get request
Request ID = 6
Error status = 0 (No error)
Error index = 0
Object = mib-2.1.3.0
Value = NULL

Discovery – Auth/NoPriv 6(6)
------------- Response -------------
Version = 3
Id = 7
Maximum size = 1500
Message flags = 01
  .... ...1 = authFlag is on
  .... ..0. = privFlag is off
  .... .0.. = reportableFlag is off
Security model = 3
Authoritative engine id = 00000009020000D006024BF5
Authoritative engine boots = 1
Authoritative engine time = 1296955
User name = admin1
Authentication parameters = oMpJ<1E>aWbf-$
Privacy parameters = NULL
Context engine id = 00000009020000D006024BF5
Context name = NULL
Command = Response
Request ID = 6
Error status = 0 (No error)
Error index = 0
Object = mib-2.1.3.0
Value = 129695850
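The exchanges in the Message Reception, Timeliness, Agent Discovery and discovery-dump slides above, simulated in one process as an added example (this is not code from the slides or from any SNMP implementation). The engine ID, the user names oper1 and admin1, the report OIDs and the sysUpTime OID come from the dumps; the clock values, the localized key for admin1, the message dictionaries and the serialization under the MAC are constructed (BER encoding is replaced by a canonical repr of the fields, and HMAC-MD5-96 is computed over everything except msgAuthenticationParameters).

```python
"""Two-step USM discovery with the agent's reception checks, simulated in-process.
Added example (not from the slides): engine ID, user names and OIDs come from the
discovery dumps; clock values, the localized key and the MAC serialization are constructed."""
import hashlib
import hmac

USM_STATS_NOT_IN_TIME_WINDOWS = "1.3.6.1.6.3.15.1.1.2.0"  # internet.6.3.15.1.1.2.0
USM_STATS_UNKNOWN_ENGINE_IDS = "1.3.6.1.6.3.15.1.1.4.0"   # internet.6.3.15.1.1.4.0
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"                          # mib-2.1.3.0
TIME_WINDOW = 150                                         # default limit from the slide
FLAG_AUTH, FLAG_PRIV, FLAG_REPORTABLE = 0x01, 0x02, 0x04  # bits of msgFlags
ENGINE_ID = bytes.fromhex("00000009020000D006024BF4")     # from the slides
ADMIN1_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed localized key


def decode_flags(msg_flags: int) -> dict:
    """Split msgFlags into authFlag / privFlag / reportableFlag; priv requires auth."""
    auth, priv = bool(msg_flags & FLAG_AUTH), bool(msg_flags & FLAG_PRIV)
    if priv and not auth:
        raise ValueError("privFlag set without authFlag: invalid security level")
    return {"auth": auth, "priv": priv, "reportable": bool(msg_flags & FLAG_REPORTABLE)}


def hmac_md5_96(key: bytes, msg: dict) -> bytes:
    """HMAC-MD5-96 over every field except msgAuthenticationParameters
    (stand-in for the zero-filled field of a real BER-encoded message)."""
    fields = sorted((k, str(v)) for k, v in msg.items() if k != "auth_params")
    return hmac.new(key, repr(fields).encode(), hashlib.md5).digest()[:12]


class AuthoritativeEngine:
    """Agent side: the checks from the Message Reception and Timeliness slides."""
    def __init__(self, engine_id, boots, time, users):
        self.engine_id, self.boots, self.time = engine_id, boots, time
        self.users = users  # userName -> localized auth key (None for noAuth users)
        self.stats = {USM_STATS_UNKNOWN_ENGINE_IDS: 0, USM_STATS_NOT_IN_TIME_WINDOWS: 0}

    def _reply(self, msg, command, varbind, key=None):
        reply = {"command": command, "flags": FLAG_AUTH if key else 0,
                 "engine_id": self.engine_id, "boots": self.boots, "time": self.time,
                 "user": msg["user"], "request_id": msg["request_id"],
                 "varbind": varbind, "auth_params": b""}
        if key:  # replies to authenticated requests are authenticated too
            reply["auth_params"] = hmac_md5_96(key, reply)
        return reply

    def _report(self, msg, oid, key=None):
        self.stats[oid] += 1  # the Report carries the counter as its single var-bind
        return self._reply(msg, "Report", (oid, self.stats[oid]), key)

    def process(self, msg):
        flags = decode_flags(msg["flags"])
        if msg["engine_id"] != self.engine_id:  # discovery step 1 ends here
            return self._report(msg, USM_STATS_UNKNOWN_ENGINE_IDS)
        if msg["user"] not in self.users:
            return None  # unknown user: message discarded
        key = None
        if flags["auth"]:
            key = self.users[msg["user"]]
            if key is None or not hmac.compare_digest(hmac_md5_96(key, msg), msg["auth_params"]):
                return None  # wrong digest: message discarded
            # Timeliness is checked only after the MAC verifies, so the clock in the
            # resulting Report is itself authenticated and cannot be forged.
            if msg["boots"] != self.boots or abs(msg["time"] - self.time) > TIME_WINDOW:
                return self._report(msg, USM_STATS_NOT_IN_TIME_WINDOWS, key)
        return self._reply(msg, "Response", (msg["oid"], self.time * 100), key)  # constructed sysUpTime


class Manager:
    """Non-authoritative side: learn engineID, then boots/time, then send the real Get."""
    def __init__(self, user, auth_key=None):
        self.user, self.auth_key = user, auth_key
        self.engine_id, self.boots, self.time, self.next_id = b"", 0, 0, 1

    def _send(self, agent, oid):
        auth = self.auth_key is not None and bool(self.engine_id)
        msg = {"flags": FLAG_REPORTABLE | (FLAG_AUTH if auth else 0),
               "engine_id": self.engine_id, "boots": self.boots, "time": self.time,
               "user": self.user if self.engine_id else "", "oid": oid,
               "request_id": self.next_id, "auth_params": b""}
        self.next_id += 1
        if auth:
            msg["auth_params"] = hmac_md5_96(self.auth_key, msg)
        return agent.process(msg)

    def get(self, agent, oid):
        """Return the (command, varbind) replies seen up to and including the Response."""
        transcript = []
        for _ in range(3):  # at most: unknownEngineIDs, notInTimeWindows, Response
            reply = self._send(agent, oid)
            if reply is None:
                raise RuntimeError("message discarded by agent")
            transcript.append((reply["command"], reply["varbind"]))
            self.engine_id = reply["engine_id"]
            if reply["flags"] & FLAG_AUTH:  # only an authenticated reply may update our clock copy
                if not hmac.compare_digest(hmac_md5_96(self.auth_key, reply), reply["auth_params"]):
                    raise RuntimeError("reply failed authentication")
                self.boots, self.time = reply["boots"], reply["time"]
            if reply["command"] == "Response":
                return transcript
        raise RuntimeError("discovery did not converge")


def new_agent():
    """Agent with the slides' engine ID and users; boots/time are constructed."""
    return AuthoritativeEngine(ENGINE_ID, 1, 1296955, {"oper1": None, "admin1": ADMIN1_KEY})
```

Running Manager("oper1").get(new_agent(), SYS_UPTIME) reproduces the four-message NoAuth/NoPriv exchange (one Report, then the Response), and Manager("admin1", ADMIN1_KEY) reproduces the six-message Auth/NoPriv one: the manager ignores the clock in the unauthenticated first Report, exactly as the dumps show it sending boots = 0 and time = 0 in message 3(6), and adopts it only from the authenticated notInTimeWindows Report. Once the agent's clock has drifted more than 150 s from the manager's copy, the same Report/resend cycle resynchronises them.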

ASI – Command Generator
Participants: Command Generator / Notification Originator, Dispatcher, Message Processing Model, Security Model
Outgoing: sendPdu -> prepareOutgoingMsg -> generateRequestMsg -> Send SNMP Req Msg to Network
Incoming: Receive SNMP Resp Msg from Network -> prepareDataElements -> processIncomingMsg -> processResponsePdu

sendPdu (Command Generator / Notification Originator -> Dispatcher)
statusInformation = sendPdu(
  IN transportDomain           IP/UDP
  IN transportAddress          192.10.20.1/161
  IN messageProcessingModel    SNMPv3
  IN securityModel             USM
  IN securityName              nisse
  IN securityLevel             noAuth/noPriv
  IN contextEngineID           string (12 byte)
  IN contextName               NULL
  IN pduVersion                SNMPv2
  IN PDU                       the data unit
  IN expectResponse            True (Trap=False)
)
Returns: Error / pduHandle

prepareOutgoingMsg (Dispatcher -> Message Processing Model)
prepareOutgoingMessage(
  IN transportDomain
  IN transportAddress
  IN messageProcessingModel
  IN securityModel
  IN securityName
  IN securityLevel
  IN contextEngineID
  IN contextName
  IN pduVersion
  IN PDU
  IN expectResponse
  IN sendPduHandle
  OUT destTransportDomain
  OUT destTransportAddress
  OUT outgoingMessage
  OUT outgoingMessageLength
)

generateRequestMsg (Message Processing Model -> Security Model)
statusInformation = generateRequestMsg(
  IN messageProcessingModel
  IN globalData
  IN maxMessageSize
  IN securityModel
  IN securityEngineID
  IN securityName
  IN securityLevel
  IN scopedPDU
  OUT securityParameters
  OUT wholeMsg
  OUT wholeMsgLength
)

ASI – Command Responder
Participants: Command Responder, Dispatcher, Message Processing Model, Security Model
Setup: registerContextEngineID
Incoming: Receive SNMP Req Msg from Network -> prepareDataElements -> processIncomingMsg -> processPdu
Outgoing: returnResponsePdu -> prepareResponseMsg -> generateResponseMsg -> Send SNMP Resp Msg to Network

registerContextEngineID (Command Responder -> Dispatcher)
statusInformation = registerContextEngineID(
  IN contextEngineID
  IN pduType
)

prepareDataElements (Dispatcher -> Message Processing Model)
result = prepareDataElements(
  IN transportDomain
  IN transportAddress
  IN wholeMsg
  IN wholeMsgLength
  OUT messageProcessingModel
  OUT securityModel
  OUT securityName
  OUT securityLevel
  OUT contextEngineID
  OUT contextName
  OUT pduVersion
  OUT PDU
  OUT pduType
  OUT sendPduHandle
  OUT maxSizeResponseScopedPDU
  OUT statusInformation
  OUT stateReference
)

processIncomingMsg (Message Processing Model -> Security Model)
statusInformation = processIncomingMsg(
  IN messageProcessingModel
  IN maxMessageSize
  IN securityParameters
  IN securityModel
  IN securityLevel
  IN wholeMsg
  IN wholeMsgLength
  OUT securityEngineID
  OUT securityName
  OUT scopedPDU
  OUT maxSizeResponseScopedPDU
  OUT securityStateReference
)

processPdu (Dispatcher -> Command Responder)
processPdu(
  IN messageProcessingModel
  IN securityModel
  IN securityName
  IN securityLevel
  IN contextEngineID
  IN contextName
  IN pduVersion
  IN PDU
  IN maxSizeResponseScopedPDU
  IN stateReference
)

View-based Access Control Model
Inputs:
- who:   securityModel + securityName  -> vacmSecurityToGroupTable -> groupName
- where: contextName                   -> vacmContextTable
- how:   securityModel + securityLevel
- why:   viewType (read / write / notify)
- what:  object-type + object-instance -> variableName (OID)
Decision:
- groupName + contextName + securityModel + securityLevel + viewType -> vacmAccessTable -> viewName
- which: variableName (OID) + viewName -> vacmViewTreeFamilyTable -> Yes/No

Administration 1(2)
iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3)
- SNMPv2-MIB
- SNMP-FRAMEWORK-MIB
- SNMP-MPD-MIB
- SNMP-TARGET-MIB
- SNMP-COMMUNITY-MIB
- SNMP-VIEW-BASED-VACM-MIB
- SNMP-USER-BASED-SM-MIB
- SNMP-NOTIFICATION-MIB
- SNMP-PROXY-MIB

Administration 2(2)
Under internet: mgmt, private, snmpV2
- snmpV2: snmpDomains, snmpProxies, snmpModules
- snmpModules: snmpMIB, snmpFrameworkMIB, snmpMPDMIB, snmpTargetMIB, snmpCommunityMIB, snmpVacmMIB, snmpUsmMIB, snmpNotificationMIB, snmpProxyMIB

Trap Notification – Cisco CLI
#show config
!
snmp-server engineID local 00000009020000D006024BF4
snmp-server user oper1 opergr1 v3
snmp-server user admin1 admingr1 v3 auth md5
snmp-server group opergr1 v3 noauth read level-2
snmp-server group admingr1 v3 auth read level-2 write level-2
snmp-server view level-1 system included
snmp-server view level-1 interfaces included
snmp-server view level-2 internet included
snmp-server community ardbeg view level-1 RO
snmp-server community bowmore view level-1 RW
snmp-server location Floor 2
snmp-server contact Leif Hagman
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server host 192.10.20.4 public snmp

Notify and Target Tables 1(2)
- Notify Table: send all events as traps to receiver "trap".
- Target Table: use IP/UDP and send to 192.10.20.4 on port 162.
- Params Table: SNMPv1 message with community string public.

Notify and Target Tables 2(2)
- Filter Table: all traps except ciscoTelnetTrap.

User Setup – Cisco CLI
Same "show config" output as under Trap Notification – Cisco CLI; the lines that matter here are the "snmp-server engineID local", "snmp-server user" and "snmp-server group" commands.

USM Tables

VACM Setup – Cisco CLI
Same "show config" output as under Trap Notification – Cisco CLI; the lines that matter here are the "snmp-server group" and "snmp-server view" commands, plus the two communities bound to view level-1.
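The who/where/how/why/what/which lookup from the View-based Access Control Model slide, run against VACM tables populated from the snmp-server user, group and view lines of the configuration shown on these slides. This is an added example, not code from the slides or from Cisco IOS: the dict layout, the simplified row-selection order, the RFC 3415 status names and the extra "one-if" view with a family mask are mine. The "level-2" view, the groups opergr1/admingr1 and the users oper1/admin1 are the slide's.

```python
"""VACM isAccessAllowed over tables built from the slide's Cisco configuration.

Added example, not from the slides or IOS. Communities are left out; only the
two USM users are mapped. The "one-if" view is constructed to show a mask.
"""

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {("usm", "oper1"): "opergr1", ("usm", "admin1"): "admingr1"}

# vacmAccessTable: one row per group / contextPrefix / model / minimum securityLevel
ACCESS_TABLE = [
    {"group": "opergr1", "context": "", "model": "usm", "level": "noAuthNoPriv",
     "read": "level-2", "write": None, "notify": None},
    {"group": "admingr1", "context": "", "model": "usm", "level": "authNoPriv",
     "read": "level-2", "write": "level-2", "notify": None},
]

# vacmViewTreeFamilyTable: viewName -> [(subtree, mask, included|excluded)].
# An empty mask means every component of the subtree must match (plain prefix).
VIEW_TREE_FAMILIES = {
    "level-1": [("1.3.6.1.2.1.1", b"", "included"),      # system
                ("1.3.6.1.2.1.2", b"", "included")],     # interfaces
    "level-2": [("1.3.6.1", b"", "included")],           # internet
    # constructed: ifTable rows of interface index 7 only; mask bit 10 (the column)
    # is a wildcard, bit 11 (the index) must match
    "one-if": [("1.3.6.1.2.1.2.2.1.0.7", bytes.fromhex("ffa0"), "included")],
}


def _parse(oid: str) -> list:
    return [int(x) for x in oid.split(".")]


def _mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the family mask; bits past the end of the mask count as 1."""
    return i >= 8 * len(mask) or bool(mask[i // 8] & (0x80 >> (i % 8)))


def _family_matches(subtree: str, mask: bytes, oid: str) -> bool:
    sub, target = _parse(subtree), _parse(oid)
    return len(target) >= len(sub) and all(
        not _mask_bit(mask, i) or sub[i] == target[i] for i in range(len(sub)))


def in_view(view_name: str, oid: str) -> bool:
    """The longest matching family decides, and it must be 'included'."""
    best = None
    for subtree, mask, kind in VIEW_TREE_FAMILIES.get(view_name, []):
        if _family_matches(subtree, mask, oid) and (best is None or len(_parse(subtree)) > best[0]):
            best = (len(_parse(subtree)), kind)
    return best is not None and best[1] == "included"


def is_access_allowed(model, name, level, view_type, context, oid):
    """Return (allowed, reason) with the status names of RFC 3415 isAccessAllowed."""
    group = SECURITY_TO_GROUP.get((model, name))                       # who
    if group is None:
        return False, "noGroupName"
    rows = [r for r in ACCESS_TABLE                                     # where + how
            if r["group"] == group and r["model"] in (model, "any")
            and context.startswith(r["context"]) and LEVELS[r["level"]] <= LEVELS[level]]
    if not rows:
        return False, "noAccessEntry"
    # Simplified precedence: exact model over "any", longer context prefix, higher level.
    row = max(rows, key=lambda r: (r["model"] != "any", len(r["context"]), LEVELS[r["level"]]))
    view = row[view_type]                                               # why
    if view is None:
        return False, "noSuchView"
    return (True, "accessAllowed") if in_view(view, oid) else (False, "notInView")  # what / which


if __name__ == "__main__":
    for args in (("usm", "oper1", "noAuthNoPriv", "read", "", "1.3.6.1.2.1.1.3.0"),
                 ("usm", "oper1", "noAuthNoPriv", "write", "", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "admin1", "authNoPriv", "write", "", "1.3.6.1.2.1.1.5.0"),
                 ("usm", "admin1", "noAuthNoPriv", "read", "", "1.3.6.1.2.1.1.3.0")):
        print(args, is_access_allowed(*args))
```

Two points worth checking in any VACM setup show up directly in the results: admin1 is refused at noAuthNoPriv with noAccessEntry because the group row sets authNoPriv as the minimum level (the "auth" keyword on the snmp-server group line), and oper1 is refused writes with noSuchView because its group has no write view at all. A request at a higher level than the row minimum (admin1 at authPriv) still matches.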

VACM Tables 1(2)

VACM Tables 2(2)