Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Jim Binkley SNMP overview Network Mgmt/Sec.. 2 Jim Binkley Outline u snmp components –architecture/MIBS/naming –protocol –security u snmp history and.

Published byCalvin Benson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Jim Binkley SNMP overview Network Mgmt/Sec.. 2 Jim Binkley Outline u snmp components –architecture/MIBS/naming –protocol –security u snmp history and."— Presentation transcript:

1 1 Jim Binkley SNMP overview Network Mgmt/Sec.

2 2 Jim Binkley Outline u snmp components –architecture/MIBS/naming –protocol –security u snmp history and versions u summary

3 3 Jim Binkley snmp elements u client/server - architecture u database elements (MIB) –ASN.1 –naming –it’s the contents JIM (too) u protocol u security (or lack therein)

4 4 Jim Binkley e.g., SNMP approach host web server router toaster (ups/hub/switch) manager/net console manager polls all nodes (send/response) with SNMP/displays data

5 5 Jim Binkley architecture u in general u manager requests individual data items –in v2 tables, in v1 table elements 1 at a time u from agent u manager is client/client-server sense u agent consists of MIB database + snmp code to respond to manager, server (serves database)

6 6 Jim Binkley manager/agent agent get database item (OID) MIBS manager sends agent sends response

7 7 Jim Binkley proxy agent possible but rare u proxy agent u speaks SNMP to manager u but “MIB” does not exist u instead agent might speak another protocol entirely out the other side –level of indirection u proxies for MIB capability u might use RPC to talk out other end

8 8 Jim Binkley proxy agent proxy agent agent might send messages to emulate MIB values MIB simulation manager

9 9 Jim Binkley database elements u agent has 1 or more sets of variables u grouped in MIB u MIB - management information base u MIB is in some sense a formal specification –in ASCII and a parseable grammar u basically just variables with naming mechanism plus values u variables are typed and grouped in data structure

10 10 Jim Binkley MIB, more u the language for encoding MIB variables is called u ASN.1 - Abstract Syntax Notation u “Pascal-like” data description language u basic and structured types u variables consist of (name, value) and a type (e.g., displayString) u types usually ints, strings, addresses, arrays

11 11 Jim Binkley MIB, more u simple example of MIB values might include u system MIB vars as (type,name,value): –DisplayString sysDescr (“cisco 2924”) –TimeTicks sysUpTime (“up since yesterday”) –DisplayString sysContact (“Charlie S.”) –INTEGER sysServices (“internet layer (router)”)

12 12 Jim Binkley MIB does not mean “Men In Black” u can include more complex values including u tables (2-dimensional scalars) –ip routing table –arp table –list of interfaces with associated ip addresses, netmasks –tcp connections that are open

13 13 Jim Binkley a MIB by any other name u the miracle is the naming mechanism –a COMPLEX miracle... u borrowed from ISO/OSI protocol suite u applies both to SNMP PDU and data –in ISO ASN.1 was used to describe all packet elements too, e.g., CLNP u attributes include: –lexicographical ordering; i.e., if you know the predecessor, you can always get the next value –and you always know a predecessor therefore

14 14 Jim Binkley magical MIB marvels u any manager can always find any or all of a MIB u without a priori knowing its elements, or table size (how big it is) u you can walk all of it a priori u this is due to the basic tree structure of all MIB data

15 15 Jim Binkley a MIB data item u is called or named by its associated u Object Identifier or OID u fundamental base type u universal prefix is: u internet OBJECT IDENTIFIER::={ iso(1), org(3), dod(6), internet(1)} u 1.3.6.1 (iso.org.dod.internet) u note associated string labels (but the numbers are used in the protocol)

16 16 Jim Binkley org(3) iso(1) dod(6) internet(1) directory(1) X.500 mgmt(2) mib-2(1) experimental(3) private(4) enterprises(1) top part of OID tree

17 17 Jim Binkley important SNMP variables live in: u 1. MIB-2 subtree u prefix: 1.3.6.1.2.1 –1.3.6.1.2.1.1.1 (system.sysDescr} u 2. private/enterprises subtree –for proprietary MIB values –e.g., Cisco Mibs quite extensive –1.3.6.1.4.1 (enterprises is last prefix)

18 18 Jim Binkley u MIB-2: 1.3.6.1.2.1 –{iso.org.dod.internet.mgmt.mib-2} u enterprise: 1.3.6.1.4.1 –{iso.org.dod.internet.private.enterprises} so remember these two:

19 19 Jim Binkley system.sysDescr 1.3. 6. 1. 2. 1. 1. 1 iso.org.dod.internet.mgmt.mib2.system.sysDescr sw note: depending on manager, possible that rooted OID starts with 1 or.1. read the documentation.

20 20 Jim Binkley MIB-2(1) subtree system (1) interfaces(2) at(3) ip(4) icmp(5) tcp(6) udp(7) egp(8) transmission(10) { specific link types } snmp(11) and more (bridge/ethernet stats, repeaters/UPS)

21 21 Jim Binkley some enterprise MIB values u from Cisco-land u environmental mib can contain temperatures! u router may provide load average u big switch may have traffic meter (how much is backplane utilized) u CDP values and VLAN values in MIBS u although not totally related, Cisco has so-called community-based VLAN indexing –allows per VLAN bridge/STP information

22 22 Jim Binkley protocol u on top of UDP u manager “probes” agent (sends request), –gets back result (send/receive) u SNMP v1 defines 5 message types –get, and get-next (reads) –set (write) –response (ACK if set, or value if get) –trap

23 23 Jim Binkley traps u asynchronously sent by agent to manager u most important type is linkDown - interface crashed (e.g., router interface) u common to have linkDown caught by some manager as part of trap/event analysis –HPOV can do this, or net-snmp trapd can be setup to do this –send page to network manager (human being)

24 24 Jim Binkley SNMPv1 trap types include: –coldStart(0) - unexpected restart(crash) –warmStart(1) - soft reboot –linkDown(2) - if down, the most imprint! –linkUp(3) - the opposite of linkDown –(snmp) authenticationFailure(4) –egpNeighborLoss(5) –enterpriseSpecific(6) - proprietary with sub- code »Cisco has lots of these

25 25 Jim Binkley get and get-next u get specifies a single variable by name; e.g., u system.sysDescr –get at ip X, OID=1.3.6.1.2.1.1.1 –response returns value “cisco 5505” u get-next specifies OID, but value returned is next lexicographic OID and its value u thus get-next can be used to query the entire tree, get tables, heal the sick, etc.

26 26 Jim Binkley the amazing get-next mib-2 system sysDescrsysObjectId... sysServices get-next sysDescr, and you get sysObjectId get-next sysObjectId and get sysUpTime get-next sysServices and get what?

27 27 Jim Binkley security (bwaa-ha-ha) u starting point: security is poor u SNMPv1 relies on “passwords in the clear” like telnet/ftp/pop, etc. u OID objects have attributes, include –readonly –read/write –write-only (never mind) –not implemented (at least be honest)

28 28 Jim Binkley in practice, u SNMPv1 agent has a set of community strings (passwords applied to a set of agents) u these must be supplied with get/set requests, etc (traps too) from manager/agent u traps are the other way of course, agent to manager u SET of 1 or more strings for readonly/read-write request u if PDU/packet community string matches, value returned

29 29 Jim Binkley universal community strings u readonly - public (common default) u readwrite - private (default) u usually applies to ENTIRE SET OF MIBS at agent u authentication-only service in SNMPv1, i.e., no privacy (no encryption)

30 30 Jim Binkley security constraints u typically imposed by border router access- lists u may block all but given ip address from talking to it u assume can’t send snmp requests from WAN/Internet into site (make that so)

31 31 Jim Binkley picture of possible SNMP security setup border router WAN telco link internal LAN network monitor host average host 1. block SNMP in here 2. only allow monitor to access router

32 32 Jim Binkley common-practice (v1 continued) u by very wary of snmp “writes” - may disallow them entirely u do not allow any snmp from outside world-in u worry about “interior lines”, make sure manager is close to agents so that promiscuous mode sniffing cannot occur –with some routers/switches can start to use ssh u you NEVER know what might be in a MIB and settable (catch fire on command ) –could be buggy too

33 33 Jim Binkley snmp writes may be unavoidable u some tools may assume snmp writes ok u cisco ciscoview, rmon probe config u if you want to use these tools, must design network for secure access u if hacker could break into probe, can use built-in sniffer u hacker could manipulate vlans in switches (too awful to think about)

34 34 Jim Binkley network snmp write design router uses ACL to block access to net 1 net 1, use vlans to group switches here dual-homed console net 2 Inet access exists Inet - can’t get to net 1

35 35 Jim Binkley SNMP-short history u late 80’s, early 90’s presumed by IETF that ISO would win out in protocol stack race u thus SNMP was viewed as temporary compromise u but was oddly based on ISO mechanisms (ASN.1...) (not necessarily a bad thing) u ISO didn’t happen and SNMP crushed its ISO competition

36 36 Jim Binkley SNMP versions u v1 - widely implemented –many new RFCS added for mib-2 new variables sets associated with new network entities –RMON added for more instrumentation (especially on ethernet) –RMON-2 added as RMON-1 ethernet only, RMON-2 added network/transport-layer stats

37 37 Jim Binkley v2 (aka v2c) u v2 was supposed to add better security u and some optimizations u security modifications were good, and ahead of their time BUT u IETF wg couldn’t agree, security ideas were not standardized u all that remained of v2 practically was –get-bulk (get a table in one go) –64 bit integers used for some counters

38 38 Jim Binkley v3 u focus is on security (crypto wrappers) –and finer grain access control to MIBS u packets may be authenticated and/or encrypted u view as authentication wrapper on v2/v1 pkt u simple session-key (change of key) exists u big ticket item: writes may be made secure u one may still disallow snmp across net –basic security policy: just say no …

39 39 Jim Binkley rmon u remote monitoring (more real-time) –includes real-time promiscuous based ethernet sampling/threshold mgmt/packet sniffing/topn u rmon I (layer 2) –ethernet/link-layer stats only –e.g., top N talkers src/dest u rmon II (layer 3/4) –includes IP addr/tcp&&udp port stats

40 40 Jim Binkley rmon statement: u hint to jim: say something about rmon probes/expense/functionality u functionality: –layer 2 stats collected over short time snapshots –layer 3 stats the same –host 1 by host 2 traffic flow information –thresholds - event on too much/too little X –promiscuous mode sniffing

41 41 Jim Binkley summary u snmp consists of –grammar (ASN) for defining data –variables (MIBS) associated with device »standard, optional, and enterprise-specific »depends on the device though (hub/printer/router) –UDP-based L7 protocol including get-next, and trap –naming convention (OID/tree) that allows »lexicographic walk - you may but do not need to know variables names ahead of time (or number) u security bad in v1, v3 to “fix”, v2c may be norm

42 42 Jim Binkley more summary u manager is client in client-server sense u agent (or proxy) is server (where the MIBS are) u manager polls (usually periodically as with HPOV, MRTG, or by hand as with ucd- snmp snmpwalk or HPOV mib browser) agents –displays data

43 43 Jim Binkley some common tools u HPOV –ip map and built-in mib browser u MRTG/rrdtool/Cricket and friends –periodic graphing of snmp elements u ucd-snmp, now net-snmp (command shell utilities) –snmpget, snmpset, snmpwalk –note HPOV supplied version similar but different in terms of command-line options

Download ppt "1 Jim Binkley SNMP overview Network Mgmt/Sec.. 2 Jim Binkley Outline u snmp components –architecture/MIBS/naming –protocol –security u snmp history and."

Similar presentations

Implementing a Highly Available Network

Implementing a Highly Available Network
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 24 Network Management: SNMP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 24 Network Management: SNMP.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Simple Network Management Protocol (SNMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.

Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Simple Network Management Protocol (SNMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.19.2010.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim 04.15.2009.

CSEE W4140 Networking Laboratory Lecture 11: SNMP Jong Yul Kim
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Simple Network Management Protocol (SNMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.

Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Simple Network Management Protocol (SNMP) Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
COMP4690, by Dr Xiaowen Chu, HKBU

COMP4690, by Dr Xiaowen Chu, HKBU
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.

1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
SNMP Simple Network Management Protocol

SNMP Simple Network Management Protocol
Agenda SNMP Review SNMP Manager Management Information Base (MIB)

Agenda SNMP Review SNMP Manager Management Information Base (MIB)
Guide to TCP/IP, Third Edition Chapter 11: Monitoring and Managing IP Networks.

Guide to TCP/IP, Third Edition Chapter 11: Monitoring and Managing IP Networks.
SNMP Terms SNMP Agent (network element to monitor) SNMP Management Station Community String (password) SMI (Structure of Management Info) MIB (Management.

SNMP Terms SNMP Agent (network element to monitor) SNMP Management Station Community String (password) SMI (Structure of Management Info) MIB (Management.
Introduction to SNMP AfNOG 11, Kigali/Rwanda.

Introduction to SNMP AfNOG 11, Kigali/Rwanda.
Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.

Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Ch. 31 Q and A CS332 Spring 2014. Network management more than just Ethernet Q: Comer mentions that network managers need to be able to account for different.

Ch. 31 Q and A CS332 Spring Network management more than just Ethernet Q: Comer mentions that network managers need to be able to account for different.
ENS 1 SNMP M Clements. ENS 2 Simple Network Management Protocol Manages elements in networks – E.g. routers, switches, IP phones, printers etc. Uses manager.

ENS 1 SNMP M Clements. ENS 2 Simple Network Management Protocol Manages elements in networks – E.g. routers, switches, IP phones, printers etc. Uses manager.
Chapter 6 Overview Simple Network Management Protocol

Chapter 6 Overview Simple Network Management Protocol
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

Similar presentations

Ads by Google