
Slide 1: Network Security Part I: Introduction (Network Security Management)

Slide 2: Outline (SECURITY INNOVATION ©2003)
The subject is divided into the following:
– Introduction
– SNMP overview
– SNMP security

Slide 3: I. Introduction
Network management protocols enable on-line management of computers and networks. They support:
– configuration management,
– accounting,
– event logging,
– help with problem diagnosis.
They are application layer protocols.

Slide 4: Management security
Two aspects of network management security (as defined in ISO 7498-2):
– management of security: support provided by network management protocols for provision of security services, and
– security of management: means for protecting network management communications.

Slide 5: Internet SNMP Overview
The Simple Network Management Protocol (SNMP) is part of the Internet network management system.
– Version 1 (1990/91) is specified in RFCs 1155-1157, and 1212/1213.
– Version 2 (1993), with some security features, is specified in RFCs 1441-1448.
– Version 3 (1999), with more complete security features, is specified in RFCs 2570-2576.

Slide 6: SNMP V1 Architecture
[Figure: a Network Manager with a central MIB and several Agents, each with its own MIB, connected over a physical network; on every node the stack is SNMP over UDP over IP.]

Slide 7: Architectural Model
Model based on:
– a network management station (a host system running SNMP, with management software)
– many network elements (hosts, routers, gateways, servers).
Management agent at a network device implements SNMP:
– provides access to the Management Information Base (MIB).

Slide 8: SNMP Management
[Figure: a Management Station managing a set of Network Elements.]

Slide 9: Connectionless Protocol
Because V1 uses UDP, SNMP is a connectionless protocol:
– No guarantee that the management traffic is received at the other entity
– Advantages: reduced overhead, protocol simplicity
– Drawbacks: connection-oriented operations must be built into upper-layer applications if reliability and accountability are needed
V2 and V3 can use TCP.

Slide 10: SNMP Operations
SNMP provides three simple operations:
– GET: enables the management station to retrieve object values from a managed station
– SET: enables the management station to set object values in a managed station
– TRAP: enables a managed station to notify the management station of significant events
SNMP allows multiple accesses with a single operation.

Slide 11: SNMP Protocol Data Units
– Get Request: used to obtain object values from an agent
– Get-Next Request: similar to the Get Request, except it permits retrieving the next object instance (in lexicographical order) in the MIB tree
– Set Request: used to change object values at an agent
– Response: responds to the Get Request, Get-Next Request and Set Request PDUs
– Trap: enables an agent to report an event to the management station (no response from the manager entity)

Slide 12: SNMP Port Numbers
The UDP port numbers used for SNMP are 161 (requests) and 162 (traps).
Manager behaviour:
– listens for agent traps on local port 162
– sends requests to port 161 of the remote agent
Agent behaviour:
– listens for manager requests on local port 161
– sends traps to port 162 of the remote manager

Slide 13: SNMP Messages
[Figure: encapsulation of a GET-REQUEST and its reply between a manager at 192.168.0.20 and an agent at 192.168.0.254; other elements shown on the network: 192.168.0.40, 192.168.1.254, 192.168.2.254, 192.168.254.254.]
– Request: SNMP message GET-REQUEST, inside a UDP datagram (src port 3042, dest port 161), inside an IP datagram (src 192.168.0.20, dest 192.168.0.254).
– Reply: SNMP message GET-REQUEST reply, inside a UDP datagram (src port 161, dest port 3042), inside an IP datagram (src 192.168.0.254, dest 192.168.0.20).

Slide 14: SNMP Message Format
All V1 SNMP PDUs are built in the same way:
  Version | Community | SNMP PDU
– Community: local concept, defined at each agent (device).
– SNMP community = set of SNMP managers allowed to access this agent.
– Each community is defined using a unique (within the agent) name.
– Each manager must indicate the name of the community it belongs to in all get and set operations.
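The message layout of slides 13 and 14 in working form, as an added example that is not part of the slides: a minimal BER encoder builds the GET-REQUEST payload the manager sends to UDP/161, and a decoder parses it back. Parsing the raw bytes also makes slide 25's point concrete, since the community name is an unencrypted OCTET STRING at a fixed offset. Only the Python standard library is used; the request-id and the target OID (sysDescr.0 from MIB-II) are chosen for the example.

```python
"""SNMPv1 GetRequest: BER encode and decode (added example, not from the slides).

Builds the GET-REQUEST datagram payload of slide 13 (manager -> agent, UDP/161)
in the Version | Community | PDU layout of slide 14, then parses it back.
Standard library only.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from MIB-II (RFC 1213)
GET_REQUEST = 0xA0                  # context-specific tag 0 = GetRequest-PDU

# ---- BER encoding ---------------------------------------------------------

def ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80|N followed by N length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # VarBind { name, NULL }
    pdu = tlv(GET_REQUEST,
              ber_int(request_id) + ber_int(0) + ber_int(0)      # request-id, error-status, error-index
              + tlv(0x30, varbind))                              # VarBindList
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

# ---- BER decoding ---------------------------------------------------------

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_message(pkt: bytes) -> dict:
    """Pull version, community, PDU type, request-id and OIDs out of a v1 message."""
    tag, msg, _ = read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg)
    _, comm, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, q = read_tlv(pdu)
    _, _, q = read_tlv(pdu, q)          # error-status
    _, _, q = read_tlv(pdu, q)          # error-index
    _, vbl, _ = read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        oids.append(decode_oid(read_tlv(vb)[1]))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(rid, "big"), "oids": oids}

def community_offset(pkt: bytes, community: str) -> int:
    """Byte offset at which the community string sits in cleartext (-1 if absent)."""
    return pkt.find(community.encode())

if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0, 0x1234)
    print(pkt.hex())
    print(parse_message(pkt), "community visible at byte", community_offset(pkt, "public"))
```

The resulting 41-byte message starts `30 27 02 01 00 04 06 70 75 62 6c 69 63 ...`: version 0, then the six bytes of "public" in the clear, which is exactly what a passive listener on the path captures.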

Slide 15: Trap Examples
Cisco router traps:
– authentication: the device is the addressee of an SNMP protocol message that is not properly authenticated (SNMPv1: incorrect community string).
– linkup: the device recognizes that one of the communication links represented in the agent's configuration has come up.
– linkdown: the device recognizes a failure in one of the communication links represented in the agent's configuration.
– coldstart: the device is reinitializing itself so that the configuration may be altered.
– warmstart: the device is reinitializing itself, but the configuration will not be altered.

Slide 16: SNMP
Simple Network Management Protocol
– The most popular network management protocol
– Hosts, firewalls, routers, switches… UPS, power strips, ATM cards: ubiquitous
“One of the single biggest security nightmares on networks today”

Slide 17: SNMPv1 Security Flaws
– Transport mechanism: data manipulation, denial of service, replay
– Authentication: host based, community based
– Information disclosure

Slide 18: SNMP Transport Mechanism Flaws
UDP based:
– Unreliable: packets may or may not be received
– Easily forged: trivial to forge the source of packets

Slide 19: SNMP Authentication Flaws
Host based:
– Fails due to UDP transport
– DNS cache poisoning
Community based:
– Cleartext community
– Community name prediction/brute forcing
– Default communities

Slide 20: SNMP Popular Defaults
Popular defaults:
– public
– private
– write
– “all private”
– monitor
– manager
– security
– admin
– lan
– default
– password
– tivoli
– openview
– community
– snmp
– snmpd
– system
– and on and on...

Slide 21: SNMPv1 Information Disclosure
– Routing tables
– Network topology
– Network traffic patterns
– Filter rules

Slide 22: RMON and RMON2 Security
– Inherit SNMPv1’s flaws
– Additional hazards by introducing “action invocation” objects
– Collect extensive info on the subnet
– Packet captures

Slide 23: SNMP Fixes
– Disable it
– ACL it
– Read-only

Slide 24: Base SNMP Security Mechanisms
The basic SNMP Version 1 standard provides only trivial security mechanisms, based on:
– Authentication mechanism
– Access mode mechanism

Slide 25: Authentication Mechanism
– Authentication service: assure the destination that the SNMP message comes from the source from which it claims to be.
– Based on the community name, included in every SNMP message from a management station to a device.
– This name functions as a password: the message is assumed to be authentic if the sender knows the password.
– No encryption of the community name.

Slide 26: SNMP V1 Key Vulnerability
If an attacker can view the community string:
– They can masquerade as a member of the community by including the community string in SNMP messages.
– The attacker may be able to manage any agent that shares that community string.

Slide 27: Access Mode Mechanism
Based on community profiles. A community profile consists of the combination of:
– a defined subset of MIB objects (MIB view)
– an access mode for those objects (READ-ONLY or READ-WRITE)
A community profile is associated with each community defined by an agent.
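The three fixes of slide 23 turned into a configuration check, as an added example that is not part of the slides: it parses community definitions and flags the default names from slide 20, communities with no source ACL, and read-write access where the access mode of slide 27 could be READ-ONLY. The line syntax it parses (`rocommunity`/`rwcommunity NAME [SOURCE] [OID | -V VIEW]`, with a missing SOURCE or the word `default` meaning any host) is assumed after net-snmp's snmpd.conf conventions, and the sample configuration is constructed for the example.

```python
"""Audit SNMPv1/v2c community configuration (added example, not from the slides).

Assumes net-snmp snmpd.conf style lines:
    rocommunity|rwcommunity NAME [SOURCE] [OID | -V VIEW]
Checks applied: default/weak names (slide 20), missing source ACL
(slide 23 "ACL it"), read-write where read-only would do (slides 23, 27).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default community names from slide 20 (compared case-insensitively)
WEAK_COMMUNITIES = {
    "public", "private", "write", "all private", "monitor", "manager",
    "security", "admin", "lan", "default", "password", "tivoli", "openview",
    "community", "snmp", "snmpd", "system",
}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}   # "no ACL" spellings

@dataclass
class Community:
    line: int
    name: str
    access: str                  # "ro" or "rw"
    source: str = "default"      # host or CIDR allowed to use it; "default" = anyone
    view: Optional[str] = None   # MIB view / OID subtree (slide 27's "MIB view")

def parse_snmpd_conf(text: str) -> List[Community]:
    found = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)       # honours quotes and '#' comments
        if len(tok) < 2 or tok[0].lower() not in ("rocommunity", "rwcommunity"):
            continue
        c = Community(n, tok[1], tok[0][:2].lower())
        rest = tok[2:]
        if rest and rest[0] != "-V":
            c.source = rest.pop(0)
        if len(rest) >= 2 and rest[0] == "-V":
            c.view = rest[1]
        elif rest:
            c.view = rest[0]                         # bare OID subtree restriction
        found.append(c)
    return found

def audit(communities: List[Community]) -> List[Tuple[int, str, str]]:
    """Return (line, finding, detail) triples; an empty list means nothing was flagged."""
    findings = []
    for c in communities:
        if c.name.lower() in WEAK_COMMUNITIES:
            findings.append((c.line, "weak-community",
                             f"'{c.name}' is a well-known default; replace it"))
        if c.source in ANY_SOURCE:
            findings.append((c.line, "no-source-acl",
                             f"'{c.name}' accepts requests from any host; restrict SOURCE"))
        if c.access == "rw":
            findings.append((c.line, "read-write",
                             f"'{c.name}' allows SET; use rocommunity unless writes are required"))
    return findings

def audit_text(text: str) -> List[Tuple[int, str, str]]:
    return audit(parse_snmpd_conf(text))

# Constructed sample snmpd.conf for the example
SAMPLE_CONF = """\
rocommunity public                              # slide-20 default, any source
rwcommunity private 10.0.0.0/8                  # default name, ACL present, but writable
rocommunity Zq7vLp2mXa 192.0.2.10 -V mgmt-view  # restricted source, read-only, limited view
rwcommunity "all private"                       # quoted default name, no ACL
"""

if __name__ == "__main__":
    for line, kind, detail in audit_text(SAMPLE_CONF):
        print(f"line {line}: {kind}: {detail}")
```

On the sample, only line 3 passes cleanly; the other three lines produce seven findings between them, which is the order in which a hardening pass would address them: change the name, add the source restriction, then drop write access.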

Slide 28: Security Threats
Two primary threats:
– data modification: of an SNMP message,
– masquerade: an impersonator might send false SNMP messages.
Two secondary threats:
– message stream modification: reordering, replay and/or delay of SNMP messages,
– eavesdropping: on SNMP messages.

Slide 29: Security Services
Identified security services to meet the threats:
– data origin authentication,
– data integrity,
– message sequence integrity,
– data confidentiality,
– message timeliness and limited replay protection.

Slide 30: User-based Security Model
A user, identified by UserName, holds:
– secret keys
– other security information, such as the cryptographic algorithms to be used.
SNMP V3 entities are identified by snmpEngineID:
– each managed device or management station has an snmpEngineID.

Slide 31: Authoritative SNMP Entities
Whenever a message is sent, one entity is authoritative:
– for get or set, the receiver is authoritative.
– for trap, response or report, the sender is authoritative.
The authoritative entity has:
– localised keys
– timeliness indicators

Slide 32: Timeliness Indicators
– Prevent replay of messages.
– Each authoritative entity maintains a clock.
– A non-authoritative entity has to retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.
– Messages can arrive within 150 seconds of their generated time.
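The timeliness check of slides 31 and 32 implemented on both sides, as an added example that is not part of the slides. It follows RFC 3414, where the authoritative clock is the pair snmpEngineBoots (reboot counter) and snmpEngineTime (seconds since the last reboot), the window is 150 seconds, and a non-authoritative engine keeps a synchronised copy of each remote clock that it only ever moves forward; the clock values used below are constructed for the example.

```python
"""SNMPv3 USM timeliness check (added example, not from the slides).

Implements the 150-second replay window of slide 32 as RFC 3414 specifies it.
The authoritative engine (agent for get/set, slide 31) checks incoming messages
against its own clock; a non-authoritative engine (e.g. a manager receiving a
Response) checks against the copy it obtained at discovery and keeps running.
"""
from dataclasses import dataclass

TIME_WINDOW = 150               # seconds (slide 32 / RFC 3414)
BOOTS_EXHAUSTED = 2**31 - 1     # RFC 3414: once boots reaches this, every message fails

@dataclass
class EngineClock:
    boots: int                  # snmpEngineBoots
    time: int                   # snmpEngineTime, seconds since last reboot

def authoritative_in_window(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Check at the authoritative receiver: same boot, within +/-150 s."""
    if local.boots == BOOTS_EXHAUSTED:
        return False
    if msg_boots != local.boots:              # message from a previous or future boot
        return False
    return abs(local.time - msg_time) <= TIME_WINDOW

class RemoteEngineView:
    """A non-authoritative engine's synchronised copy of one remote clock."""

    def __init__(self) -> None:
        self.boots = 0
        self.time = 0
        self.latest_received_time = 0   # highest time seen for the current boots

    def discover(self, authoritative: EngineClock) -> None:
        """Initial synchronisation (the 'retrieve and confirm' step of slide 32)."""
        self.boots, self.time = authoritative.boots, authoritative.time
        self.latest_received_time = authoritative.time

    def tick(self, seconds: int) -> None:
        """Keep the local copy running between messages."""
        self.time += seconds

    def in_window(self, msg_boots: int, msg_time: int) -> bool:
        """Check at the non-authoritative receiver (RFC 3414 section 3.2, step 7b)."""
        if self.boots == BOOTS_EXHAUSTED or msg_boots < self.boots:
            return False                      # older boot: stale or replayed
        if msg_boots == self.boots and msg_time < self.time - TIME_WINDOW:
            return False                      # more than 150 s behind our copy: replay
        return True

    def update(self, msg_boots: int, msg_time: int) -> None:
        """Adopt newer clock values from an authenticated message (RFC 3414 section 2.3)."""
        if msg_boots > self.boots or (msg_boots == self.boots
                                      and msg_time > self.latest_received_time):
            self.boots, self.time = msg_boots, msg_time
            self.latest_received_time = msg_time

if __name__ == "__main__":
    agent = EngineClock(boots=3, time=10_000)           # constructed authoritative clock
    print(authoritative_in_window(agent, 3, 9_900))     # 100 s old: accepted
    print(authoritative_in_window(agent, 3, 9_800))     # 200 s old: rejected as replay
    mgr = RemoteEngineView()
    mgr.discover(agent)
    mgr.tick(50)
    print(mgr.in_window(3, 9_850), mgr.in_window(4, 5)) # stale copy rejected; post-reboot accepted
```

The asymmetry is deliberate: the authoritative side rejects anything outside a two-sided window because its own clock is the reference, while the non-authoritative side only rejects messages that are too old, because a freshly rebooted agent legitimately presents a higher boots value with a small time.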

Slide 33: Keys
– Keys are generated from the user password.
– The user provides the password to all entities.
– Each entity generates a key from the password and generates two further keys using the entity's snmpEngineID:
  – one for authentication
  – one for confidentiality

Slide 34: Data Integrity and Authenticity
Generate a cryptographic “fingerprint” of any message to be protected and send the “fingerprint” with the message:
– Derive two temporary keys K2, K3 from the localized user key K1.
– Compute T = Hash(K3 | SNMP Msg)
– Compute M = Hash(K2 | T)
– The first 96 bits of M are the MAC (Message Authentication Code).
Must support HMAC-MD5-96, may support HMAC-SHA-96.
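Slides 33 and 34 carried through in code, as an added example that is not part of the slides. It uses RFC 3414's actual procedure: the password is stretched to 1 MiB and hashed to give Ku, localised to one engine as H(Ku | snmpEngineID | Ku) to give Kul, and Kul is the K1 of slide 34. The MAC is then computed twice, once literally as the slide describes it (K2 and K3 derived from K1, T = Hash(K3 | Msg), M = Hash(K2 | T), first 96 bits) and once with Python's hmac module, which shows that the slide's construction is HMAC with opad/ipad keys. The password and engine ID are the RFC 3414 Appendix A test vector; the message bytes are constructed for the example.

```python
"""USM key derivation and HMAC-96 (added example, not from the slides)."""
import hashlib
import hmac

MEGABYTE = 1_048_576
BLOCK = 64   # input block size of both MD5 and SHA-1

def password_to_key(password: str, hashname: str) -> bytes:
    """RFC 3414 A.2: repeat the password to 1 MiB and hash it -> Ku."""
    pw = password.encode()
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(hashname, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku | snmpEngineID | Ku); differs for every engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()

def mac96_by_hand(k1: bytes, msg: bytes, hashname: str) -> bytes:
    """Slide 34 step by step: K2, K3 from K1; T = H(K3|msg); M = H(K2|T); 96 bits."""
    padded = k1.ljust(BLOCK, b"\x00")
    k2 = bytes(b ^ 0x5C for b in padded)   # outer key (HMAC opad)
    k3 = bytes(b ^ 0x36 for b in padded)   # inner key (HMAC ipad)
    t = hashlib.new(hashname, k3 + msg).digest()
    m = hashlib.new(hashname, k2 + t).digest()
    return m[:12]                          # first 96 bits of M

def mac96(kul: bytes, msg: bytes, hashname: str) -> bytes:
    """The same value via the standard library's HMAC (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(kul, msg, hashname).digest()[:12]

def verify_mac96(kul: bytes, msg: bytes, mac: bytes, hashname: str) -> bool:
    """Constant-time comparison so the verification itself leaks nothing."""
    return hmac.compare_digest(mac96(kul, msg, hashname), mac)

# RFC 3414 Appendix A test vector
PASSWORD = "maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed stand-in for the message; in USM the MAC covers the whole SNMPv3
# message with the 12-byte msgAuthenticationParameters field set to zeros.
SAMPLE_MSG = b"constructed SNMPv3 message bytes"

if __name__ == "__main__":
    for h in ("md5", "sha1"):
        ku = password_to_key(PASSWORD, h)
        kul = localize_key(ku, ENGINE_ID, h)
        print(h, "Ku  =", ku.hex())
        print(h, "Kul =", kul.hex())
        print(h, "MAC-96 =", mac96(kul, SAMPLE_MSG, h).hex(),
              "matches slide-34 construction:",
              mac96_by_hand(kul, SAMPLE_MSG, h) == mac96(kul, SAMPLE_MSG, h))
```

With the RFC test vector the MD5 localised key is `526f5eed9fcce26f8964c2930787d82b` and the SHA-1 one is `6695febc9288e36282235fc7151f128497b38f3f`, so the routine can be checked against the standard before it is trusted with real credentials. Localisation is what stops a password captured for one engine from being replayed as a key against another.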

Slide 35: Data Confidentiality
– DES in Cipher Block Chaining mode.
– Uses the second localised key.
– Has to be used together with Data Integrity and Authenticity.

Slide 36: Management of SNMP security
The following data needs to be managed:
– secret (authentication and privacy) keys,
– clock synchronization (for replay detection),
– SNMP party information.
SNMP can be used to provide key management and clock synchronization. After manually setting up some SNMP parties, the rest can be managed using SNMP.
