CSCE 815 Network Security Lecture 18 SNMP Simple Network Management Protocol March 25, 2003.

– 2 – CSCE 815 Sp 03 SNMP Goals
- Ubiquity: PCs and Crays alike
- Inclusion of management should be inexpensive: small code, limited functionality
- Management extensions should be possible: new MIBs
- Management should be robust: connectionless transport
Resource/reference for the next few slides: Copyright © 2001 by Aiko Pras. These sheets may be used for educational purposes.

– 3 – SNMP

– 4 – Protocol Context of SNMP

– 5 – SNMP Proxies
- Not all devices are capable of implementing SNMP over UDP/IP, e.g., bridges, modems, etc.
- The concept of a proxy was added to accommodate such devices.
- SNMPv2 added the capability of running over the OSI protocol suite as well as TCP/IP.

– 6 – Proxy Configuration

– 7 – SNMPv2
The strength of SNMPv1 was simplicity, which made it easy to implement and configure. However, deficiencies arose:
- Lack of support for distributed network management
- Functional deficiencies
- Security deficiencies
The first two were addressed by SNMPv2 and the last by SNMPv3.

– 8 – (figure only)

– 9 – MIB II - Objects
Described in RFC
Groups of objects: physical addresses, system, interfaces, …, the IP group, …
E.g., the IP group contains: ipRouteMask, ipRouteInfo, ipRoutingDiscards, …
Definitions:
    PhysAddress ::= OCTET STRING
    -- This data type is used to model media addresses. For many
    -- types of media, this will be in a binary representation.
    -- For example, an ethernet address would be represented as
    -- a string of 6 octets.
Object Identifiers (OIDs): the unique integer name of an object
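The slide calls an OID the "unique integer name" of an object; on the wire an SNMP PDU carries that name in ASN.1 BER form, where the first two arcs are packed into one sub-identifier and every sub-identifier is written base-128 with a continuation bit. The encoder and decoder below are an added example, not code from the lecture or from any SNMP toolkit; the function names are the example's own, and the OIDs used are standard MIB-II and enterprise arcs.

```python
# Added example (not from the lecture slides): BER encoding of SNMP Object
# Identifiers, the "unique integer names" of MIB objects. Helper names are
# this example's own; the dotted OIDs are standard MIB-II / enterprise arcs.

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into BER OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    # First arc is 0, 1 or 2; the second is limited to 0..39 under arcs 0 and 1.
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    # The first two arcs are packed into a single sub-identifier: 40*X + Y.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        # Base-128, big-endian; continuation bit (0x80) set on all but the last byte.
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append((sid & 0x7F) | 0x80)
            sid >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(content: bytes) -> str:
    """Decode BER OBJECT IDENTIFIER content octets back into dotted form."""
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:
        raise ValueError("truncated sub-identifier")  # last byte must close the run
    subids, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            subids.append(value)
            value = 0
    first = subids[0]
    # Undo the 40*X + Y packing; X=2 is the only arc allowed a second arc >= 40.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def ber_oid_tlv(dotted: str) -> bytes:
    """Full TLV (tag 0x06, short-form length) as the OID appears inside a PDU."""
    content = encode_oid(dotted)
    if len(content) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(content)]) + content

if __name__ == "__main__":
    # sysDescr.0 and ipRouteTable, both from MIB-II
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.21"):
        print(oid, "->", ber_oid_tlv(oid).hex(), "->", decode_oid(encode_oid(oid)))
```

A decoder that trusts the continuation bits without the end-of-run check is the usual source of trouble in hand-written BER code, which is why `decode_oid` rejects a final byte that still has the continuation bit set.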

– 10 – SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferably) or possibly SNMPv1.

– 11 – SNMPv3 Architecture
- The SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating with each other.
- Each SNMP entity may act as a manager, an agent, or a combination of both.
- The SNMP Engine implements functions for:
  - sending and receiving messages
  - authenticating and encrypting/decrypting messages
  - controlling access to managed objects

– 12 – SNMP Engine Modules
The modular design means that individual modules can be upgraded without redoing the architecture.
Modules:
- Dispatcher
- Message Processing Subsystem
- Security Subsystem
- Access Control Subsystem

– 13 – SNMP Manager

– 14 – SNMP Agent

– 15 – SNMP Engine Modules: Dispatcher
The Dispatcher is a simple traffic manager.
On incoming messages:
- It accepts incoming messages from the transport layer
- Routes each message to the appropriate message processing module
- When message processing completes, the Dispatcher sends the PDU to the appropriate application
On outgoing messages:
- It accepts PDUs from the application layer
- Sends them to the message processing subsystem
- Sends them to the transport layer

– 16 – SNMP Engine Modules: Dispatcher
Dispatcher submodules:
- PDU Dispatcher: sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
- Message Dispatcher: transmits to/from the message processing subsystem
- Transport Mapping: sends/receives transport-layer packets

– 17 – Message Processing Module
On outgoing PDUs:
- Accepts outgoing PDUs from the dispatcher
- Passes the message to the security subsystem
- Wraps the result with the appropriate header
- Sends it back to the dispatcher
On incoming PDUs:
- Accepts messages from the dispatcher
- Processes the headers, possibly sending the message to the Security Subsystem for authentication and decryption
- Returns the enclosed PDU to the dispatcher

– 18 – Security and Access Control Modules
Security modules:
- User-based Security Model (USM)
- Other security models are allowed for, but none are defined yet.
Access control modules:
- View-based Access Control Model (VACM)
- Others are allowed

– 19 – SNMPv3 Terminology (Table 8.2)
- snmpEngineID: unique ID of an engine (octet string)
- contextEngineID: unique ID of an SNMP entity
- contextName: identifies a particular context within an SNMP engine
- scopedPDU: block including contextEngineID, contextName and an SNMP PDU
- snmpMessageProcessingModel: unique identifier
- snmpSecurityModel: integer indicating whether authentication and/or encryption are required
- principal: the entity for “Whom the Bell Tolls”
- securityName: string representation of the principal

– 20 – SNMPv3 Applications
Command generator applications:
- Make use of the sendPdu primitive: Dispatcher -> Message Processing -> Security Subsystem -> finally UDP; later the processResponse dispatcher primitive handles the response
Notification originator/receiver applications:
- Operate similarly, sending a notification
Command responder applications use the primitives:
- registerContextEngineID: “here is my ID” (unregister also)
- processPDU
- returnResponsePDU
- isAccessAllowed (Access Control Subsystem primitive)
Proxy forwarder applications

– 21 – Message Processing Model
RFC 2572 defines the message processing model.
On outgoing messages, the model:
- Accepts PDUs from the dispatcher
- Encapsulates them in messages
- Invokes the User Security Model (USM) to insert security-related parameters in the headers
On incoming messages, the model:
- Invokes the User Security Model (USM) to process the security-related parameters in the header
- Delivers the encapsulated PDU back to the dispatcher
SNMP message: first five fields

– 22 – SNMPv3 Message Format with USM

– 23 – User Security Model (USM), RFC 2574
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification: messages reordered, delayed
- Disclosure
Not intended to secure against:
- Denial of Service (DoS attacks)
- Traffic analysis

– 24 – Cryptographic Functions
Privacy keys and authentication keys are maintained for:
- Local users: any principal at this SNMP engine
- Remote users
USM authentication protocols:
- HMAC-MD5-96
- HMAC-SHA-96
USM encryption uses DES in CBC mode.

– 25 – Authoritative and Nonauthoritative Engines
- In any message exchange, one of the two SNMP entities (transmitter or receiver) is designated as the authoritative SNMP engine.
- When a message expects a response, the receiver of that message is authoritative.
- When no response is expected, the sender is authoritative.
This serves two purposes:
- Timeliness of a message is determined with respect to the clock of the authoritative engine
- Key localization process

– 26 – USM Message Processing
Parameters: Figure 8.9 on an earlier slide. USM message processing: Figure 8.10.

– 27 – USM Timeliness Mechanisms
A non-authoritative engine maintains copies of:
- snmpEngineBoots: number of times the authoritative engine has rebooted since it was originally configured (0 to 2^31)
- snmpEngineTime
- latestReceivedEngineTime
USM update conditions; USM update rule; message judged to be outside the window …
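The slide lists the timeliness values but stops at "USM update rule" and "message judged to be outside window". The following is an added example, not part of the lecture, that writes out both halves of that check as RFC 3414 (the later revision of the RFC 2574 cited above) specifies them: the authoritative receiver compares an authenticated message's boots/time against its own clock, while a non-authoritative receiver first applies the update rule to its cached copy and then judges the message against its running estimate. The class and function names are the example's own, and the 150-second window is the value RFC 3414 defines.

```python
# Added example (not from the lecture slides): the USM timeliness check of
# RFC 3414 section 3.2, step 7, for both roles. Names are this example's own.
# These checks apply only to messages whose authentication tag has already
# been verified; an unauthenticated message must not update the cached clock.

MAX_BOOTS = 2**31 - 1   # snmpEngineBoots saturates here; the engine must be re-keyed
WINDOW = 150            # seconds of clock skew tolerated in either direction

def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Receiver is authoritative: judge the message against our own clock."""
    if local_boots == MAX_BOOTS:          # boot counter exhausted: reject everything
        return False
    if msg_boots != local_boots:          # sender's view of our boots is stale
        return False
    return abs(msg_time - local_time) <= WINDOW

class RemoteEngineClock:
    """What a non-authoritative engine caches about one authoritative engine."""

    def __init__(self, boots, time, latest_received):
        self.boots = boots                    # copy of remote snmpEngineBoots
        self.time = time                      # running estimate of remote snmpEngineTime
        self.latest_received = latest_received  # latestReceivedEngineTime

    def tick(self, seconds):
        """Advance the estimate with the local clock between messages."""
        self.time += seconds

    def update(self, msg_boots, msg_time):
        """Update rule: adopt newer clock values carried by an authenticated message."""
        if msg_boots > self.boots or (msg_boots == self.boots
                                      and msg_time > self.latest_received):
            self.boots = msg_boots
            self.time = msg_time
            self.latest_received = msg_time
            return True
        return False

    def in_window(self, msg_boots, msg_time):
        """Non-authoritative receiver: apply the update rule, then judge the message."""
        self.update(msg_boots, msg_time)
        if self.boots == MAX_BOOTS:
            return False
        if msg_boots < self.boots:            # older boot epoch: replayed message
            return False
        # Same epoch: the message may lag the estimate by at most WINDOW seconds.
        return not (msg_boots == self.boots and msg_time < self.time - WINDOW)

if __name__ == "__main__":
    print(authoritative_in_window(5, 1000, 5, 1100))   # True: 100 s skew
    print(authoritative_in_window(5, 1000, 5, 1200))   # False: 200 s skew
    clock = RemoteEngineClock(5, 1000, 990)
    print(clock.in_window(6, 10), clock.boots)         # True, 6: remote rebooted
    print(clock.in_window(5, 500))                     # False: earlier boot epoch
```

Note that the update rule only ever moves the cached clock forward, which is what makes a captured message useless once the window has passed: an old boots/time pair can no longer satisfy the comparison.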

– 28 – Key Localization Process
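Slides 24, 25 and 28 name the pieces (HMAC-MD5-96 and HMAC-SHA-96, the authoritative engine, the key localization process) without showing the arithmetic. The block below is an added example, not code from the lecture or from any SNMP implementation: it derives a user key from a password, localizes it to one authoritative engine's snmpEngineID, and computes and verifies the 96-bit authentication tag, following RFC 3414 appendix A (the successor of the RFC 2574 cited above). The function names are the example's own; the password, engine ID and expected keys used in the main block are the published RFC 3414 A.3 test vectors.

```python
import hashlib
import hmac

# Added example, not from the lecture slides or any SNMP implementation: the
# USM password-to-key and key-localization algorithms (RFC 3414 appendix A)
# and the HMAC-MD5-96 / HMAC-SHA-96 tags they produce. Function names are this
# example's own; the values in __main__ are the RFC 3414 A.3 test vectors.

ONE_MEGABYTE = 1048576
TAG_LEN = 12  # "-96": the HMAC output is truncated to 96 bits

def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku = H(password repeated end to end until 1,048,576 bytes are hashed)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    The localized key differs per authoritative engine, so a key recovered
    from one agent does not authenticate the same user to another agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def user_keys(password: str, engine_id: bytes, hash_name: str):
    """(Ku, Kul) for one user on one authoritative engine."""
    ku = password_to_key(password, hash_name)
    return ku, localize_key(ku, engine_id, hash_name)

def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated.

    The sender computes this with the 12-byte parameter field set to zeros and
    then writes the tag into that field; the receiver zeroes the field again
    before recomputing, so whole_msg is always the zeroed form here."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:TAG_LEN]

def verify_tag(kul: bytes, whole_msg_zeroed: bytes, received: bytes, hash_name: str) -> bool:
    """Constant-time comparison so that tag checking does not leak timing."""
    if len(received) != TAG_LEN:
        return False
    return hmac.compare_digest(auth_tag(kul, whole_msg_zeroed, hash_name), received)

if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 engine ID
    ku, kul = user_keys("maplesyrup", engine_id, "md5")
    print("Ku  =", ku.hex())    # 9faf3283884e92834ebc9847d8edd963
    print("Kul =", kul.hex())   # 526f5eed9fcce26f8964c2930787d82b
    # Constructed stand-in for an SNMPv3 message with its auth field zeroed.
    msg = b"\x30\x00 constructed SNMPv3 message with zeroed msgAuthenticationParameters"
    tag = auth_tag(kul, msg, "md5")
    print("tag =", tag.hex(), "verifies:", verify_tag(kul, msg, tag, "md5"))
```

The localization step is the reason slide 25 pairs key localization with the authoritative engine: the engine ID mixed into Kul is that of whichever side is authoritative for the exchange, so the same password yields a distinct key for every agent a manager talks to.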

– 29 – View-Based Access Control Model (VACM)
VACM has two characteristics:
- It determines whether access to a managed object should be allowed.
- It makes use of a MIB that:
  - defines the access control policy for this agent
  - makes it possible for remote configuration to be used

– 30 – Access Control Decision

– 31 – Recommended Reading and Web Sites
- Subramanian, Mani. Network Management. Addison-Wesley, 2000.
- Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999.
- IETF SNMPv3 working group (Web sites)
- SNMPv3 Web sites

– 32 – Intruders
Three classes of intruders (hackers or crackers):
- Masquerader
- Misfeasor
- Clandestine user

– 33 – Intrusion Techniques
The system maintains a file that associates a password with each authorized user. The password file can be protected with:
- One-way encryption
- Access control

– 34 – Intrusion Techniques
Techniques for guessing passwords:
- Try default passwords.
- Try all short words, 1 to 3 characters long.
- Try all the words in an electronic dictionary (60,000).
- Collect information about the user’s hobbies, family names, birthday, etc.
- Try the user’s phone number, social security number, street address, etc.
- Try all license plate numbers (MUP103).
- Use a Trojan horse.
- Tap the line between a remote user and the host system.
Prevention: enforce good password selection (Ij4Gf4Se%f#)

– 35 – UNIX Password Scheme: Loading a new password

– 36 – UNIX Password Scheme: Verifying a password file

– 37 – Storing UNIX Passwords
- UNIX passwords were kept in a publicly readable file, /etc/passwd.
- Now they are kept in a separate “shadow” file that is visible only to “root”.

– 38 – “Salt”
The salt serves three purposes:
- Prevents duplicate passwords from showing up as identical entries in the password file.
- Effectively increases the length of the password.
- Prevents the use of hardware implementations of DES.

– 39 – Password Selection Strategies
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking
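Slides 38 and 39 state what the salt buys and that a proactive checker should vet passwords before they are accepted; the block below is an added example, not code from the lecture, that does both. It stores passwords salted with PBKDF2-HMAC-SHA256 (standing in for the salted-DES crypt(3) scheme the slides describe) so that two users with the same password get different entries, and it rejects a proposed password that is short, is a dictionary word with digits bolted on, contains the user's own details, or draws on too few character classes. The word list, user details and function names are constructed for the example.

```python
import hashlib
import secrets

# Added example, not from the lecture slides: a salted one-way password store
# (slide 38, "Salt") and a proactive password checker (slide 39). The word list
# and user details are constructed for the example; function names are its own.
# PBKDF2-HMAC-SHA256 stands in for the salted DES of classic UNIX crypt(3).

WORDLIST = {"password", "secret", "letmein", "welcome", "dragon",
            "monkey", "qwerty", "admin", "login", "hello"}   # constructed, tiny
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000

def check_password_proactively(password: str, user_info=()) -> list:
    """Return the reasons a proposed password should be rejected (empty = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    lower = password.lower()
    letters_only = "".join(c for c in lower if c.isalpha())
    if letters_only in WORDLIST:             # "password123" still counts as "password"
        reasons.append("dictionary_word")
    # Personal details (names, etc.) of four or more characters must not appear.
    if any(len(item) >= 4 and item.lower() in lower for item in user_info):
        reasons.append("personal_info")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1                         # punctuation counts as a fourth class
    if classes < 3:
        reasons.append("low_variety")
    return reasons

def hash_password(password: str, salt: bytes = None) -> str:
    """Store the salt beside the hash: 'pbkdf2_sha256$rounds$salthex$hashhex'."""
    if salt is None:
        salt = secrets.token_bytes(16)       # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
    except ValueError:                       # malformed entry: wrong field count or hex
        return False
    return secrets.compare_digest(digest.hex(), digest_hex)

def salt_hides_duplicates(password: str) -> bool:
    """Purpose 1 of the salt: the same password stored twice yields different entries."""
    return hash_password(password) != hash_password(password)

if __name__ == "__main__":
    for candidate in ("Ij4Gf4Se%f#", "password123", "smith2024!"):
        print(candidate, check_password_proactively(candidate, ("alice", "smith")))
    entry = hash_password("hunter2")
    print(entry)
    print(verify_password("hunter2", entry), verify_password("hunter3", entry))
    print("salt hides duplicates:", salt_hides_duplicates("hunter2"))
```

The slide's own example, Ij4Gf4Se%f#, passes every check; a checker like this is the "proactive" strategy of slide 39, as opposed to the reactive strategy of periodically running a guesser against the stored hashes.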