Title: HP OpenView Network Node Manager SPI for SNMPv3 Session #: 326 Speakers: Jeff Scheaffer, HP OpenView NSM David Reid, SNMP Research.

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

HP OpenView Network Node Manager
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Chapter 19: Network Management Business Data Communications, 5e.
CIS : Network Management. Introduction Network, associated resources and distributed applications indispensable Complex systems —More things can.
Implementing a Highly Available Network
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
NS-H /11041 SNMP. NS-H /11042 Outline Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3 Recommended Reading and WEB Sites.
1 Pertemuan 26 Manajemen Jaringan dan Network Security Matakuliah: H0174/Jaringan Komputer Tahun: 2006 Versi: 1/0.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Data Security in Local Networks using Distributed Firewalls
COMP4690, by Dr Xiaowen Chu, HKBU
EE579T/9 #1 Spring 2003 © , Richard A. Stanley EE579T Network Security 9: An Overview of SNMP Prof. Richard A. Stanley.
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
SNMP & MIME Rizwan Rehman, CCS, DU. Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems.
SNMP Simple Network Management Protocol
Integrated Security Model for SNMPv3 (ISMS) pronounced "is" "miss" David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.
SNMPv3 Yen-Cheng Chen Department of Information Management National Chi Nan University
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
Chapter 6 Overview Simple Network Management Protocol
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.
SNMP ( Simple Network Management Protocol ) based Network Management.
Intranet, Extranet, Firewall. Intranet and Extranet.
SNMP Simple Network Management Protocol Team: Matrix CMPE-208 Fall 2006.
Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems and emergencies in the network (router.
1 © 1999 BMC SOFTWARE, INC. 2/10/00 SNMP Simple Network Management Protocol.
1 Network Management Security Behzad Akbari Fall 2009 In the Name of the Most High.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Windows 7 Firewall.
Network Management Presentation HP Openview Christopher Scott December 10, 2004.
Network Security Lecture 9 Presented by: Dr. Munam Ali Shah.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Lec 3: Infrastructure of Network Management Part2 Organized by: Nada Alhirabi NET 311.
Title: New Technologies in Standards- Based Internetwork Management Session #: 327 Speaker: Jeffrey D. Case, Ph.D. Company: SNMP Research.
Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.
Slide 1 SNMPv3, SSH & Cisco Matthew G. Marsh Chief Scientist of the NEbraskaCERT.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 7 – Secure Network Architecture and Management.
SNMP Simple Network Management Protocol SNMP Simple Network Management Protocol Haris Ribic.
Network Management Security
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Internet Standard Management Framework
TCP/IP (Transmission Control Protocol / Internet Protocol)
SNMP.
Network Management Security
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
Topic 11 Network Management. SNMPv1 This information is specific to SNMPv1. When using SNMPv1, the snmpd agent uses a simple authentication scheme to.
Network Management Presentation HP Openview. OpenView Network Node Manager (NNM) Overview How it works Capabilities Technical and business benefits Summary.
Network Management Security in distributed and remote network management protocols.
Computer and Information Security
Overview – SOE Net-SNMP v
Overview – SOE Net-SNMP v5.7.3
Securing the Network Perimeter with ISA 2004
* Essential Network Security Book Slides.
SNMP (Simple Network Management Protocol) based Network Management
Chapter 5 SNMP Management
Chapter 5 SNMP Management
Network Management Security
Presentation transcript:

Title: HP OpenView Network Node Manager SPI for SNMPv3 Session #: 326 Speakers: Jeff Scheaffer, HP OpenView NSM David Reid, SNMP Research

2 The new HP OpenView Network Node Manager SPI for SNMPv3 supports secure SNMP and SNMP management through firewalls. This session provides an overview and discussion of secure network management, including: the current Internet-Standard Management Framework; the security and administration features of SNMPv3; the technical architecture and configuration of the NNM SPI for SNMPv3; how to securely extend SNMP management through firewalls; elements of a complete solution.

3 The current Internet- Standard Management Framework The security and administration features of SNMPv3

4 SNMP in One Slide Common organization structure for management information (SMI) One naming space for all management “objects” (MIB) Communications Protocol (SNMP) Manager Agents Requests Responses Notifications Get Set Networking Equipment Servers PCs Software Applications

5 Features of SNMPv3: Security and Administrative Framework Security –Authentication – who is doing the communicating –Privacy – protection from disclosure –Authorization – what operations are allowed (e.g., read, write, notify) –Access control – what information objects can be read or written Administrative framework to support the above

6 Administrative Workstation HPOV NNM Firewall Managed Device(s) Attacker Managed System(s) SNMPv1/v2 traffic SNMPv1/SNMPv2c Not Secure

7 Administrative Workstation HP OV NNM with NNM SPI for SNMPv3 Firewall Managed Device(s) Attacker Managed System(s) SNMPv3 traffic Secure SNMPv3

8 SNMPv3 Includes Everything in Versions 1 and 2c Plus… Authentication: User-based authentication of messages Privacy: The ability to encrypt management messages Authorization: The concept of users View-based access control: Restriction on what data may be read/written Administrative framework to support the above

9 Authentication The process of reliably determining the identity of the sender of a message Verify that the message received is the one sent Protects against following threats: –Masquerade (spoof sender) –Modification of information (change content) –Modification of message stream (timing, limited replay) Standard specifies MD5 and SHA1 for strong authentication –Private key model with localized keys –More than good enough for virtually all applications today

10 Privacy Protection from the unauthorized disclosure of data Encrypt SNMP payload for privacy Private key model with localized keys Standard specifies DES (56-bit) Standard is extensible for stronger cryptography –Triple-DES (168-bit keys) –AES (128, 192, and 256 bit keys) –… Others possible …

11 Authorization Each request is associated with a SNMPv3 “user” (system, person, or role) A user is a member of a group Mechanism to specify what each network manager (user) can do (read, write, notify) The management application determines how its “users” (operators) map to SNMPv3 “users”

12 Access Control Like authorization, access control is performed by group Every SNMPv3 “group” (and therefore every user) has three associated lists of what objects can be accessed on each device (read, write, notify) This is very fine grained, down to individual instances, if desired Simple or complex combinations Examples: –Read access to all network statistics –Read/write access to configure notifications (e.g., traps)

13 SNMPv3 Administrative Framework All of this configuration information is stored in Management Information Base (MIB) tables Administrative subsystems defined by standards –User-based Security Model (USM) –View-based Access Control Model (VACM) Standard supports remote configuration of: –Users –Groups –Views –Keys (generated from pass-phrases) –Older versions including community strings, if any

14 SNMPv3 Typical Deployment Scenarios A few “user” names are associated with management stations (e.g., ow1, nnmbldg4) Authentication used for all communications Both Authentication and Privacy used for sets Authentication and Privacy used for retrieval of sensitive information (e.g., routing tables) SNMP security configuration management is done by –Hand: Editing or copying over local configuration files –Security configuration distribution application(s) via SNMPv3 set requests

15 HP OpenView NNM and SNMPv3 Desired Solution –Manage using familiar tools and procedures (e.g., NNM) –Manage using existing complementary applications –Manage using appropriate SNMP level SNMPv1 and SNMPv2c for monitoring older devices in trusted environments SNMPv3 for managing critical systems in less trusted regions SNMPv3 for managing remote sites through less trusted regions SNMPv3 for all configuration operations –Common repository for security configuration data

16 Security Solution HP OpenView NNM HP OpenView NNM SPI for SNMPv3 = Secure Management

17 HP OpenView NNM SPI for SNMPv3

18 HP OpenView NNM SPI for SNMPv3 Integration was jointly developed by HP and SNMP Research Maps outbound SNMP requests to SNMPv3 requests sent to target agent Converts SNMPv3 responses from agent and sends back to NNM Receives notifications (traps and informs) Includes security configuration datastore Includes SNMPv3 Configuration Wizard application

19 HP OpenView NNM SPI for SNMPv3 SNMPv1/v2/v3 over UDP locally secure polling agent SNMPv1/v2/v3 over UDP locally NNM NNM Secure Polling Agent Securely manage DMZ Manage SNMPv1/SNMPv2c/SNMPv3 devices behind a firewall Securely manage multiple isolated sites over insecure Internet infrastructure NNM SPI for SNMPv3 SNMPv3 SPI supporting SNMPv3 standards: User-based Security Model View-based Access Control Model Monitor network devices using appropriate SNMP security level: SNMPv3, SNMPv2c, or SNMPv1 Management Traffic in XML tunnel through Firewalls

20 secure SNMP management through firewalls

21 Management challenges presented by security firewalls Many sites continue to depend on legacy (i. e., SNMPv1 and SNMPv2c) SNMP versions which provide no security. Network administrators are reluctant to allow SNMP-based management through firewalls. –In many sites, nearly all UDP traffic is disallowed across firewalls –Many SNMP agents in managed devices are not adequately configured or configurable to restrict the management information they divulge. Many sites disable ICMP across firewalls

22 HP OpenView NNM Secure Polling Agent Manage securely to multiple isolated sites over insecure Internet infrastructure Manage SNMPv1/SNMPv2c devices behind a firewall –Preserve vast investment in SNMP-based management –Do not have to upgrade all devices inside the firewall –May want to upgrade to defend against threats from within Manage SNMPv3 devices behind a firewall that does not allow any SNMP traffic through the firewall

23 HP OpenView NNM Secure Polling Agent SNMPv1/v2/v3 over UDP locally secure polling agent SNMPv1/v2/v3 over UDP locally NNM NNM Secure Polling Agent Securely manage DMZ Manage SNMPv1/SNMPv2c/SNMPv3 devices behind a firewall Securely manage multiple isolated sites over insecure Internet infrastructure NNM SPI for SNMPv3 SNMPv3 SPI supporting SNMPv3 standards: User-based Security Model View-based Access Control Model Monitor network devices using appropriate SNMP security level: SNMPv3, SNMPv2c, or SNMPv1 Management Traffic in XML tunnel through Firewalls

24 SNMPv3 over UDP through Firewalls SNMPv3 / UDP through firewalls OV XP Sun Linux HP Internet Device with SNMP Agent Internet Device with SNMP Agent NNM plus the NNM SPI for SNMPv3

25 Management Traffic in XML tunnel through Firewalls Management Information in XML over SSL over TCP through firewalls HP OpenView NNM Secure Polling Agent SNMPv1/v2/v3 over UDP locally OV XP Sun Linux HP Internet Device with SNMP Agent Internet Device with SNMP Agent NNM plus the NNM SPI for SNMPv3 HP OpenView NNM Secure Polling Agent

26 Key Elements of a Complete Solution Secure agents Secure management applications Administrative policies Configuration management of users, keys, etc Coexist with legacy systems

27 Secure Agents SNMPv3 agents available on most networking devices SNMPv3 agents available on most open operating systems and embedded real-time operating systems For integrated network and system management, smart agents based on SNMPv3 are available –Support common SNMPV3 administrative framework –Network monitoring –Host resource monitoring –File system monitoring –Critical application monitoring –Log file monitoring –Service monitoring More info on secure agents tomorrow at 8:30, session 325

28 Secure Management Applications HP OpenView Network Node Manager with HP OpenView NNM SPI for SNMPv3 After initial configuration, NNM functions work transparently –MIB Browser –Node polling –Data collection Partner applications which use NNM SNMP stack will also work transparently

29 Administrative Policies Parts of an enterprise security policy include: –Who can see what? –Who can change what? –How are “users” defined? –What level of authentication? –What level of encryption? –How often are keys changed? –Who can change security configurations? –How are configurations changed/audited?

30 Configuration Management Issues Users, keys, notifications, etc. must be configured on both managers and agents Keys are generated from pass-phrases, pass- phrases not stored on managed devices Keys need to be changed periodically Configuration must be updated in a timely manner (e.g., deny rights to a terminated employee) Configuration needs to be done remotely from a security management station, using a secure and private method

31 Configuration Management Issues: SNMPv3 Remote Administration Need to configure manager platforms and agents in accordance with enterprise policies Can do it with “vi” or “edit” but really need something more friendly and powerful Security dependent on correct configurations Wizard and/or policy-based tools Configurable agents Configurable managers

32 Configuration Management Applications Configuration Management applications are very helpful to reduce complexity and human error –One agent at a time “wizard” application –Policy-based, multiple-target distribution application

33 SNMPv3 Configuration Wizard

34 Policy-based SNMP Configuration Management

35 Coexist with Legacy Systems Some managed systems will not have SNMPv3 agents Cannot upgrade all agents at once NNM SPI for SNMPv3 is multi-lingual, so fully supports a heterogeneous SNMPv1 / SNMPv2c/ SNMPv3 agent environment –Old agent, old packet, old rules, old response –New agent, new packet, new rules, new response Properly handle SNMPv1 traps Properly handle SNMPv2c traps and informs

36 a final comment…

37 Summary SNMPv3 provides secure management capabilities Secure SNMPv3 is available in today using the HP OpenView NNM SPI for SNMPv3 and SNMPv3 enabled agents HP OpenView Network Node Manager, the HP OpenView NNM SPI for SNMPv3, and the HP OpenView NNM Secure Polling Agent allows secure management through firewalls, even when managing SNMPv1/SNMPv2c devices After security credentials have been configured, operation using the NNM SPI for SNMPv3 is transparent to NNM functions Available today from SNMP Research. Available soon from HP.

38 Thank you!

39 HP OpenView NNM SPI for SNMPv3

40 HP OpenView NNM Secure Polling Agent HP OpenView NNM SPI for SNMPv3 HP OpenView Secure Polling Agent

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.