SNMP In Depth
SNMP
• Simple Network Management Protocol
  – The most popular network management protocol
  – Hosts, firewalls, routers, switches... UPS, power strips, ATM cards: ubiquitous
• "One of the single biggest security nightmares on networks today"

SNMP Transport Mechanism Flaws
• UDP based
  – Unreliable: packets may or may not be received, so managers retry and agents answer whoever asks
  – Easily forged: there is no handshake, so the source address of a datagram is trivial to spoof
Management Information Base
• MIB: Management Information Base
  – MIBs describe the attributes of managed objects (name, OID, type, access)
  – Some MIBs are pre-loaded
  – Additional MIBs are needed
    » Loaded manually
    » Downloaded from manufacturers' web sites
• Standard MIBs
  – MIB-I
  – MIB-II
  – RMON
  – RMON 2
  – Bridge
  – Repeater

MIB Structure (the OID tree from the slide, rendered as text)
iso(1)
  org(3)
    dod(6)
      internet(1)
        directory(1)
        mgmt(2)
          mib-2(1)
            system(1)
              sysDescr(1)
              sysObjectID(2)
            interfaces(2)
            snmp(11)
        experimental(3)
        private(4)
          enterprises(1)
            cisco(9)
            hp(11)
            novell(23)
Reading down the tree gives the dotted OID: sysDescr is 1.3.6.1.2.1.1.1, and the single instance of a scalar is addressed with a trailing .0 (sysDescr.0). Vendor-specific objects live under enterprises, e.g. 1.3.6.1.4.1.9 for Cisco.

SNMP Basics
Manager <--> Agent (router, etc.) <--> MIB data

Operations (sent by the manager unless noted):
• Get request: reads the value of a specific variable
• GetNext request: traverses a table by returning the variable that follows the given OID in lexicographic order
• GetBulk request: retrieves many table rows in one request (SNMPv2c and later)
• Set request: writes a value into a specific variable, i.e. alters the device
• Get response: the agent's reply to a Get, GetNext, GetBulk or Set request
• Trap (or Notification): a message initiated by the agent without the management station sending a request
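The exchange on this slide, as an added example that is not part of the original slides: a minimal SNMPv1 BER encoder/decoder in Python. It builds the Get request a manager sends for sysDescr.0, parses it back out of the raw datagram, and produces the agent's Get response, including the noSuchName error an SNMPv1 agent returns for an unknown variable. The community string "public", the request id 42 and the sysDescr text are assumed sample values; the packet layout itself (version, community, PDU, varbind list) is the real SNMPv1 message format.

```python
"""Minimal SNMPv1 BER codec: build a Get request, parse it, answer it.
Added example; not from the original slides. The agent's sysDescr text is a
constructed sample, and the request id 42 is arbitrary."""
from typing import Any, Dict, List, Tuple

INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2
SNMP_V1 = 0
# iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).system(1).sysDescr(1), instance .0
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"


def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value using the short or long definite-length form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def enc_int(v: int) -> bytes:
    """Two's-complement INTEGER in the minimal number of bytes (v >= 0 here)."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OBJECT_ID, bytes(out))


def varbind(oid: str, value: bytes = None) -> bytes:
    """VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value }; NULL in a request."""
    return tlv(SEQUENCE, enc_oid(oid) + (value if value is not None else tlv(NULL, b"")))


def build_message(community: str, pdu_type: int, request_id: int, varbinds: List[bytes],
                  error_status: int = 0, error_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version, community OCTET STRING, PDU }.
    The community string is the only 'authentication' and travels in cleartext."""
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(error_status) + enc_int(error_index)
              + tlv(SEQUENCE, b"".join(varbinds)))
    return tlv(SEQUENCE, enc_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(packet: bytes) -> Dict[str, Any]:
    """Decode an SNMPv1 message into a dict; works on any captured datagram."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg, 0)
    _, comm, p = read_tlv(msg, p)
    pdu_type, pdu, _ = read_tlv(msg, p)
    fields, q = [], 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, body, q = read_tlv(pdu, q)
        fields.append(int.from_bytes(body, "big", signed=True))
    _, vbl, _ = read_tlv(pdu, q)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r)
        _, name, s = read_tlv(vb, 0)
        vtag, vval, _ = read_tlv(vb, s)
        if vtag == INTEGER:
            value = int.from_bytes(vval, "big", signed=True)
        elif vtag == OCTET_STRING:
            value = vval.decode("latin-1")
        elif vtag == OBJECT_ID:
            value = dec_oid(vval)
        else:
            value = None                   # NULL, or a type this toy does not decode
        varbinds.append((dec_oid(name), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("latin-1"), "pdu_type": pdu_type,
            "request_id": fields[0], "error_status": fields[1],
            "error_index": fields[2], "varbinds": varbinds}


def manager_get(oid: str = SYS_DESCR_0, community: str = "public", request_id: int = 42) -> bytes:
    """What the management station sends: a GetRequest for one variable."""
    return build_message(community, GET_REQUEST, request_id, [varbind(oid)])


def agent_respond(request: bytes, community: str = "public",
                  sysdescr: str = "Cisco IOS Software (constructed sample)") -> bytes:
    """Toy agent: check the community, then answer with a GetResponse echoing the request id."""
    req = parse_message(request)
    if req["community"] != community:      # real agents drop a bad community silently
        return b""
    name = req["varbinds"][0][0]
    if name != SYS_DESCR_0:                # SNMPv1 error-status 2 = noSuchName, error-index 1
        return build_message(community, GET_RESPONSE, req["request_id"], [varbind(name)], 2, 1)
    value = tlv(OCTET_STRING, sysdescr.encode())
    return build_message(community, GET_RESPONSE, req["request_id"], [varbind(SYS_DESCR_0, value)])


if __name__ == "__main__":
    req = manager_get()
    print("request :", req.hex())
    print("community readable on the wire:", parse_message(req)["community"])
    print("response:", parse_message(agent_respond(req))["varbinds"])
```

Run the block and the request prints as the familiar 40-byte `30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 ...` datagram; the six bytes after `04 06` are the community string, which is why one capture of a routine poll is enough to read or, with a write community, alter a device. parse_message is deliberately strict about nothing but the outer SEQUENCE, so it can be pointed at any SNMPv1 datagram pulled from a capture.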
SNMP Popular Defaults
• Popular default community strings (public for read and private for write ship on most devices; a scanner tries the whole list)
  – public
  – private
  – write
  – "all private"
  – monitor
  – manager
  – security
  – admin
  – lan
  – default
  – password
  – tivoli
  – openview
  – community
  – snmp
  – snmpd
  – system
  – and on and on...

SNMP v1 Information Disclosure
With read access, often just the default community, an attacker learns:
• Routing tables
• Network topology
• Network traffic patterns
• Filter rules
SNMP Options
• SNMP configuration
• Event configuration
  – Customize event notification messages
  – Define the type of event notification
  – Define automatic actions when an event is received
  – Create/modify alarm categories
  – Configure additional actions for the operator
  – Configure event correlations
• SNMP data collection and thresholds
• SNMP MIB application builder
• Load/unload MIB
• Network polling configuration
• License password

SNMP Tools
• Remotely turn on the power of a PC
• Web-based access
• Terminal Connect: establishes a telnet session from the local system in order to manage a remote system
• SNMP MIB Browser: a tool to explore, query and set MIB values
• DMI Browser

Agent Data Collection
• Network data collected using
  – SNMPv1; SNMPv2
  – IP protocols
    » TCP/IP
    » UDP
    » ICMP
    » ARP/RARP
  – IPX
  – DMI
    » Desktop Management Interface, for accessing information about PCs and their components

Auto-discovery
• Auto discovery of network objects based on
  – IP protocol
  – Routing data and ARP tables on routers
  – SNMP data
• Auto assignment of symbols to represent objects
• Auto arrangement of symbols on the maps and submaps

SNMP Event Generation
• SNMP agents continuously watch for certain incidents to occur
• When an incident occurs, an event is generated
• Events are categorized based on the alarm type
  – Alarm types are user definable
• Events are displayed with color-coded severity
  – Severity and color codes are user definable
• Event trap configuration
  – Pre-defined
  – User-defined generic traps
  – User-defined specific traps

Event Correlation
• Event correlation
  – Discovers events that are the same event and/or related events
  – Presents these events as a single main event
  – Allows drill-down from the main event to view the related events
• Provides four pre-defined correlations:
  – Connector Down Correlation
  – Scheduled Maintenance Correlation
  – Repeated Event Correlation
  – Pair Wise Correlation
• Additional correlations may be obtained
  – From a web page
  – From a 3rd party, for a fee
  – Developed by yourself (not recommended)
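Two of the four pre-defined correlations, Repeated Event and Pair Wise, are simple enough to show in code. The following is an added example written for this page, not the management product's own correlator: it takes a list of trap events, folds a burst of identical traps into one main event with a count, then attaches each linkUp to the earlier linkDown for the same interface so the operator sees one cleared event instead of two. The Event fields, the 300-second window and the sample timeline (a flapping port on "switch1", an authenticationFailure from "router1", an outage that never clears) are constructed for illustration.

```python
"""Event correlation over SNMP trap events: repeated-event and pair-wise rules.
Added example; not the product's own correlator. Event fields, the window and the
sample timeline are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: int                          # seconds since the start of the sample
    source: str                      # agent that sent the trap
    trap: str                        # generic trap name (linkDown, linkUp, ...)
    ifindex: Optional[int] = None    # interface the trap is about, if any


@dataclass
class MainEvent:
    """What the operator sees; `events` holds everything folded into it for drill-down."""
    first: Event
    count: int = 1                   # how many identical events were collapsed
    status: str = "open"             # open / cleared / absorbed
    events: List[Event] = field(default_factory=list)

    @property
    def key(self) -> Tuple[str, Optional[int]]:
        return (self.first.source, self.first.ifindex)


def repeated_event_correlation(events: List[Event], window: int = 300) -> List[MainEvent]:
    """Collapse a burst of identical traps (same source, trap, interface) into one main
    event as long as each repeat arrives within `window` seconds of the previous one."""
    mains: List[MainEvent] = []
    last_seen: Dict[Tuple[str, str, Optional[int]], MainEvent] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = (ev.source, ev.trap, ev.ifindex)
        m = last_seen.get(k)
        if m is not None and ev.ts - m.events[-1].ts <= window:
            m.count += 1
            m.events.append(ev)
        else:
            m = MainEvent(first=ev, events=[ev])
            mains.append(m)
            last_seen[k] = m
    return mains


def pair_wise_correlation(mains: List[MainEvent]) -> List[MainEvent]:
    """Attach a linkUp to the earlier linkDown for the same interface: the down is marked
    cleared and the up disappears from the top level (still visible on drill-down)."""
    pending: Dict[Tuple[str, Optional[int]], MainEvent] = {}
    for m in mains:
        if m.first.trap == "linkDown":
            pending[m.key] = m
        elif m.first.trap == "linkUp" and m.key in pending:
            down = pending.pop(m.key)
            down.status = "cleared"
            down.events.extend(m.events)
            m.status = "absorbed"
    return [m for m in mains if m.status != "absorbed"]


def correlate(events: List[Event], window: int = 300) -> List[MainEvent]:
    return pair_wise_correlation(repeated_event_correlation(events, window))


# Constructed sample: a flapping port on switch1, one auth failure, one unresolved outage.
SAMPLE_EVENTS = [
    Event(100, "switch1", "linkDown", 3),
    Event(130, "switch1", "linkDown", 3),
    Event(140, "router1", "authenticationFailure"),   # someone guessing community strings
    Event(160, "switch1", "linkDown", 3),
    Event(190, "switch1", "linkDown", 3),
    Event(220, "switch1", "linkDown", 3),
    Event(400, "switch1", "linkUp", 3),
    Event(500, "router1", "linkDown", 1),
]

if __name__ == "__main__":
    for m in correlate(SAMPLE_EVENTS):
        print(f"{m.first.ts:>4}s {m.first.source:8} {m.first.trap:22} x{m.count} "
              f"{m.status} ({len(m.events)} related)")
```

The eight raw traps reduce to three main events: the five linkDowns become one cleared event with six related events behind it, the authenticationFailure stays on its own (an SNMP authentication failure is exactly the signal the performance slides poll for), and the router1 outage stays open because no linkUp ever arrives. The repeated-event rule keys only on (source, trap, interface), so a linkDown that follows a linkUp within the window is still folded into the earlier burst; a production correlator would reset the burst when the pair-wise rule clears it.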
Performance Management
• Network activities
  – Status of the interfaces
  – Error rate and percentage
  – Ethernet traffic
  – SNMP authentication failures, traffic, errors
  – List of TCP connections
• Graph CPU load and disk space usage (HP-UX only)
• Graph SNMP data collected with the MIB data collector
• Graph data based on interface status polling and SNMP node polling

Configuration Management
• Network configuration (at the selected remote SNMP node)
  – List interface properties
  – List IP and link addresses
  – List routing table
  – List ARP cache table
  – List the supported services
• List the services the selected remote SNMP nodes are configured to support
• List the management systems (by IP address) that are configured to receive traps
• Run the Microsoft Windows NT Registry Editor
Fault Management
• Alarms: show all alarms of selected nodes
• Network connectivity
  – Poll node: information about selected objects
  – Status poll: status of selected objects
  – Capability poll: check for remote DMI, web-management and web server capabilities
  – Ping
  – Remote ping
  – Locate route via SNMP
• Test IP/TCP/SNMP
• Interface status: graphic display of the number and rate of bad packets
• Windows NT Event Viewer
• Windows NT Diagnostics tool

SNMPv1 Security Flaws
• Transport mechanism (UDP)
  – Data manipulation
  – Denial of service
  – Replay
• Authentication
  – Host based
  – Community based
• Information disclosure

SNMP Authentication Flaws
• Host based (trust by source address)
  – Fails due to the UDP transport: the source address of a datagram can be spoofed, and a Set request needs no reply to take effect
  – DNS cache poisoning, where the trusted managers are configured by name instead of by address
• Community based
  – Cleartext community string in every packet: one capture of a routine management poll reveals it
  – Community name prediction/brute forcing: there is no lockout, and a wrong guess is simply dropped, at most raising an authenticationFailure trap
  – Default communities left in place

RMON and RMON2 Security
• Inherits all of SNMPv1's flaws, since RMON probes are managed over SNMP
• Additional hazards from "action invocation" objects: writing a variable makes the probe do something, such as start a capture
• Collects extensive information on the subnet: hosts, conversations, top talkers
• Packet captures: a probe reachable with a guessable write community is a remote sniffer

SNMP Fixes
• Disable it: if nothing polls the device, turn the agent off; this is the only fix that removes the attack surface
• ACL it: accept SNMP only from the management stations, on the device and at the network edge; the ACL matches a spoofable UDP source address, so it is a mitigation, not authentication
• Read-Only: no write community at all, and a long random read community instead of a default
• Where the device supports it, prefer SNMPv3 with authentication and privacy over any community-based version
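The three fixes above, checked mechanically against a net-snmp style snmpd.conf: an added example written for this page, not from the original slides or the net-snmp project. The audit flags write communities (Read-Only), community strings from the "SNMP Popular Defaults" list or shorter than eight characters, and communities accepted from any source (ACL it). The two configurations are constructed samples and the "Vq9mLx2tR8eKp4" community and 192.0.2.x addresses are made up; the directive names (rocommunity, rwcommunity, com2sec, agentaddress) are real net-snmp syntax. "Disable it" has no line to audit: a device that is not polled should simply not run the agent.

```python
"""Audit a net-snmp snmpd.conf against the slide's fixes: read-only, ACL'd, no defaults.
Added example; not from the original slides or the net-snmp project. Both sample
configurations below are constructed, and their community strings are made up."""
from typing import List, Tuple

# Default community strings from the "SNMP Popular Defaults" slide.
DEFAULT_COMMUNITIES = {
    "public", "private", "write", "all private", "monitor", "manager", "security",
    "admin", "lan", "default", "password", "tivoli", "openview", "community",
    "snmp", "snmpd", "system",
}
# net-snmp SOURCE values that mean "anyone".
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

Finding = Tuple[str, int, str]   # (severity, line number, message)


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Check rocommunity/rwcommunity/com2sec lines for write access, default or
    short community names, and missing source restrictions."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        directive = tok[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; SOURCE defaults to "default"
            community = tok[1] if len(tok) > 1 else ""
            source = tok[2] if len(tok) > 2 else "default"
            writable = directive.startswith("rw")
        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY; write rights come later via group/access lines,
            # so this audit only checks the community name and the source
            if len(tok) < 4:
                continue
            source, community, writable = tok[2], tok[3], False
        else:
            continue
        if writable:
            findings.append(("HIGH", lineno,
                             f"write access via community {community!r}; make it read-only"))
        if community.lower() in DEFAULT_COMMUNITIES or len(community) < 8:
            findings.append(("HIGH", lineno,
                             f"default or easily guessed community {community!r}"))
        if source in ANY_SOURCE:
            findings.append(("MEDIUM", lineno,
                             f"community {community!r} accepted from any source; restrict SOURCE"))
    return findings


WEAK_CONF = """\
# constructed sample: factory-style configuration
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec readonly default public
"""

HARDENED_CONF = """\
# constructed sample: read-only, long random community, one management station only
agentaddress udp:10.1.2.3:161
rocommunity Vq9mLx2tR8eKp4 192.0.2.10
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_snmpd_conf(conf))} finding(s)")
        for severity, lineno, msg in audit_snmpd_conf(conf):
            print(f"  {severity:6} line {lineno}: {msg}")
```

The weak configuration produces six findings across its three access lines; the hardened one produces none. Even the clean result deserves the caveat from the slide: the rocommunity SOURCE is matched against a UDP source address, so it keeps casual scanners out but does not stop an attacker who can spoof 192.0.2.10, which is why a long random community and a network-edge filter go with it rather than instead of it.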