
1 – CSCE 815 Network Security, Lecture 18: SNMP (Simple Network Management Protocol), March 25, 2003

2 – CSCE 815 Sp 03 – SNMP Goals
Ubiquity: from PCs to Crays.
Inclusion of management should be inexpensive: small code, limited functionality.
Management extensions should be possible: new MIBs.
Management should be robust: connectionless transport.
Resource/reference for the next few slides: http://www.simpleweb.org/tutorials/slides-ppt.html (Copyright © 2001 by Aiko Pras; these sheets may be used for educational purposes).

3 – SNMP (diagram only)

4 – Protocol context of SNMP (diagram only)

5 – SNMP Proxies
Not all devices are capable of implementing SNMP over UDP/IP, e.g., bridges, modems, etc. The concept of a proxy agent was added to accommodate such devices: the proxy speaks SNMP to the manager and the device's own protocol to the device. SNMPv2 added the capability of running over the OSI protocol suite as well as TCP/IP.

6 – Proxy Configuration (diagram only)

7 – SNMPv2
The strength of SNMPv1 was simplicity, which made it easy to implement and configure. However, deficiencies arose:
- Lack of support for distributed network management
- Functional deficiencies
- Security deficiencies
The first two were addressed by SNMPv2 and the last by SNMPv3.

8 – (diagram only)

9 – MIB-II Objects
Described in RFC 1213: http://www.freesoft.org/CIE/RFC/1213/
Groups of objects: system, interfaces, address translation (at), ip, icmp, tcp, udp, egp, transmission, snmp. E.g., the IP group contains ipRouteMask, ipRouteInfo, ipRoutingDiscards, …
Definitions, e.g.:
PhysAddress ::= OCTET STRING
-- This data type is used to model media addresses. For many
-- types of media, this will be in a binary representation.
-- For example, an ethernet address would be represented as
-- a string of 6 octets.
Object Identifiers (OIDs): the unique name of an object, a sequence of integers written in dotted form (e.g., sysDescr is 1.3.6.1.2.1.1.1 under mib-2 = 1.3.6.1.2.1).
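An OID only becomes "a unique integer name" once it is put on the wire, and SNMP does that with BER. The following is an added example, not part of the lecture slides: a self-contained encoder/decoder for OBJECT IDENTIFIER values (tag 0x06, first two arcs merged as 40*X + Y, base-128 sub-identifiers with a continuation bit). The sample OIDs are well-known ones (sysDescr.0, the Cisco enterprise arc, the RSA arc); the function names are my own.

```python
# Added example (not from the lecture): BER encoding and decoding of SNMP
# object identifiers, the "dotted integer names" that every SNMP PDU carries.
# Rules: tag 0x06; the first two arcs X.Y collapse into one sub-identifier
# 40*X + Y; every sub-identifier is base-128, big-endian, high bit set on all
# but the final byte.

def _encode_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _decode_length(data: bytes, pos: int):
    """Return (length, index of the first content byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(data):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [sub & 0x7F]            # least-significant 7 bits, no continuation bit
        sub >>= 7
        while sub:
            groups.append((sub & 0x7F) | 0x80)
            sub >>= 7
        body.extend(reversed(groups))    # most-significant group first
    return b"\x06" + _encode_length(len(body)) + bytes(body)


def decode_oid(data: bytes) -> str:
    if not data or data[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = _decode_length(data, 1)
    body = data[pos:pos + length]
    if len(body) != length or length == 0:
        raise ValueError("truncated or empty OID")
    subids, value, pending = [], 0, False
    for b in body:
        if not pending and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending:
        raise ValueError("sub-identifier cut off mid-way")
    first = subids[0]
    x = min(first // 40, 2)              # under arc 2, 40*X+Y may exceed 119
    y = first - 40 * x
    return ".".join(str(a) for a in [x, y] + subids[1:])


def is_valid_oid_encoding(data: bytes) -> bool:
    """Does this byte string parse as a well-formed OID? (what an agent should check before use)"""
    try:
        decode_oid(data)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for name in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.9", "1.2.840.113549"):
        enc = encode_oid(name)
        print(f"{name:20} -> {enc.hex()} -> {decode_oid(enc)}")
```

The decoder rejects three things a lenient parser often lets through: a length that runs past the buffer, a sub-identifier whose continuation bit is still set at the end of the body, and a leading 0x80 byte (a non-minimal encoding, which lets one OID have several byte representations and defeats byte-level filters).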

10 – SNMPv3
SNMPv3 defines a security capability (and a modular architecture) to be used in conjunction with SNMPv2, preferably, or possibly SNMPv1; it adds security and administration but no new management operations of its own.

11 – SNMPv3 Architecture
The SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating with each other. Each SNMP entity may act as manager, agent, or a combination of the two. An SNMP engine implements functions for:
- sending and receiving messages
- authenticating and encrypting/decrypting messages
- controlling access to managed objects

12 – SNMP Engine Modules
The modular nature means that individual modules can be upgraded without redoing the architecture. Modules:
- Dispatcher
- Message Processing Subsystem
- Security Subsystem
- Access Control Subsystem

13 – SNMP Manager (diagram only)

14 – SNMP Agent (diagram only)

15 – SNMP Engine Modules: Dispatcher
The Dispatcher is a simple traffic manager.
On incoming messages it:
- Accepts incoming messages from the transport layer
- Routes each message to the appropriate message processing model
- When message processing completes, sends the PDU to the appropriate application
On outgoing messages it:
- Accepts PDUs from the application layer
- Sends them to the message processing subsystem
- Sends the resulting message to the transport layer

16 – SNMP Engine Modules: Dispatcher
Dispatcher submodules:
- PDU Dispatcher – sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
- Message Dispatcher – transmits to/from the message processing subsystem
- Transport Mapping – sends/receives transport-layer packets

17 – Message Processing Module
On outgoing PDUs it:
- Accepts outgoing PDUs from the dispatcher
- Passes the message to the security subsystem
- Wraps the result with the appropriate header
- Sends it back to the dispatcher
On incoming messages it:
- Accepts messages from the dispatcher
- Processes the headers
- Possibly sends them to the security subsystem for authentication and decryption
- Returns the enclosed PDU to the dispatcher

18 – Security and Access Control Modules
Security modules: the User-based Security Model (USM). The architecture allows for other security models, but none is defined yet.
Access control modules: the View-based Access Control Model (VACM). Others are allowed.

19 – SNMPv3 Terminology (Table 8.2)
snmpEngineID – unique identifier of an SNMP engine (OCTET STRING)
contextEngineID – identifies the SNMP engine that can realize a given context
contextName – identifies a particular context within an SNMP engine
scopedPDU – block containing contextEngineID, contextName and an SNMP PDU
snmpMessageProcessingModel – integer identifying the message processing model (message version)
snmpSecurityModel – integer identifying the security model in use (e.g., 3 = USM); whether authentication and/or encryption are required is carried separately as the securityLevel (noAuthNoPriv, authNoPriv, authPriv)
principal – the entity on whose behalf services are provided (the one "for whom the bell tolls"): a user, an application, or a group of them
securityName – human-readable string representing the principal

20 – SNMPv3 Applications
Command generator applications: use the sendPdu primitive; the Dispatcher passes the PDU to message processing, then the security subsystem, and finally out over UDP. The response comes back along the same path and the Dispatcher's processResponsePdu primitive hands it to the application.
Notification originator/receiver applications: operate similarly, sending (or receiving) a notification.
Command responder applications use the primitives registerContextEngineID ("here is my ID"; unregisterContextEngineID also exists), processPdu, returnResponsePdu, and isAccessAllowed (an Access Control Subsystem primitive).
Proxy forwarder applications.

21 – Message Processing Model
RFC 2572 defines the SNMPv3 message processing model.
On outgoing messages the model:
- Accepts PDUs from the dispatcher
- Encapsulates them in messages
- Invokes the User-based Security Model (USM) to insert security-related parameters into the header
On incoming messages it:
- Invokes the USM to process the security-related parameters in the header
- Delivers the encapsulated PDU back to the dispatcher
Figure: the first five fields of an SNMPv3 message (msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel).

22 – SNMPv3 Message Format with USM (diagram only)

23 – User-based Security Model (USM), RFC 2574
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification: messages reordered, delayed or replayed
- Disclosure
Not intended to secure against:
- Denial of service (DoS)
- Traffic analysis

24 – Cryptographic Functions
Privacy keys and authentication keys are maintained for:
- Local users: any principal at this SNMP engine
- Remote users
USM authentication protocols:
- HMAC-MD5-96
- HMAC-SHA-96
USM encryption uses DES in CBC mode (CBC-DES, 56-bit key; AES was added later by RFC 3826).

25 – Authoritative and Non-authoritative Engines
In any message exchange one of the two SNMP engines (sender or receiver) is designated the authoritative SNMP engine:
- When a message expects a response (Get, GetNext, GetBulk, Set, Inform), the receiver of that message is authoritative
- When no response is expected (Trap, Response, Report), the sender is authoritative
This serves two purposes:
- Timeliness of a message is determined with respect to the clock of the authoritative engine
- The key localization process: keys are derived per authoritative engine

26 – USM Message Processing Parameters (Figure 8.9, on an earlier slide); USM Message Processing (Figure 8.10)

27 – USM Timeliness Mechanisms
The non-authoritative engine maintains copies of the authoritative engine's:
- snmpEngineBoots = number of times the engine has rebooted since it was originally configured (0 to 2^31 - 1)
- snmpEngineTime (seconds since the last boot)
- latestReceivedEngineTime
USM update conditions, USM update rule
Message judged to be outside window …
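The timeliness rules above are easiest to follow in code. This is an added example, not part of the lecture: the authoritative-side window check and the non-authoritative side's cached clock with its update rule, as specified in RFC 2574/3414 (150-second window, boots counter of at most 2^31 - 1, updates only from authenticated messages). The class and function names are my own; the numbers in the usage are constructed.

```python
# Added example (not from the lecture slides): USM timeliness checks and the
# non-authoritative engine's update rule, RFC 2574 section 2.3 / RFC 3414.
TIME_WINDOW = 150          # seconds, fixed by the USM specification
MAX_BOOTS = 2**31 - 1      # once snmpEngineBoots reaches this, all messages are rejected


def authoritative_in_window(local_boots, local_time, msg_boots, msg_time):
    """Check performed by the authoritative engine (typically the agent) on a
    request: the sender must quote our current boots and a time within +/-150 s."""
    if local_boots == MAX_BOOTS:       # boot counter exhausted; operator must re-key
        return False
    if msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


class RemoteEngineClock:
    """Non-authoritative side's cached view of one authoritative engine
    (snmpEngineBoots, snmpEngineTime, latestReceivedEngineTime)."""

    def __init__(self):
        self.boots = 0
        self.time = 0              # remote snmpEngineTime at the last sync
        self.synced_at = None      # our own clock at the last sync
        self.latest_received = 0   # latestReceivedEngineTime

    def estimate(self, now):
        """Our current estimate of the remote snmpEngineTime (what we put in
        msgAuthoritativeEngineTime on outgoing requests)."""
        if self.synced_at is None:
            return 0
        return self.time + int(now - self.synced_at)

    def outgoing_params(self, now):
        return self.boots, self.estimate(now)

    def check_and_update(self, msg_boots, msg_time, now):
        """Apply to an *authenticated* response. Returns True if it is inside the
        time window. The update rule runs first, so a genuinely newer clock is
        learned even when an out-of-window message is being processed."""
        if msg_boots == MAX_BOOTS:
            return False
        # Update rule: accept a larger boots value, or a later time for the same boots.
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_received):
            self.boots = msg_boots
            self.time = msg_time
            self.synced_at = now
            self.latest_received = msg_time
        # Window check: reject a stale boots value, or a time more than 150 s
        # behind the latest one already seen (replayed or badly delayed message).
        if msg_boots < self.boots:
            return False
        if msg_boots == self.boots and msg_time < self.latest_received - TIME_WINDOW:
            return False
        return True


if __name__ == "__main__":
    clock = RemoteEngineClock()
    print("first report/response:", clock.check_and_update(3, 1000, now=50.0))
    print("estimate 10 s later:", clock.estimate(60.0))
    print("replayed old response:", clock.check_and_update(3, 800, now=70.0))
    print("agent rebooted:", clock.check_and_update(4, 10, now=80.0), clock.outgoing_params(80.0))
```

Note what the window does and does not buy: a captured message can still be replayed within 150 seconds of the authoritative clock, so the msgID and request-id matching in the applications is what stops short-term replay; the timeliness check only bounds the long-term window and lets a rebooted agent reject anything from before its last reboot.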

28 – Key Localization Process (diagram only)
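Key localization is what ties the cryptographic functions of slide 24 to the authoritative engine of slide 25. The following added example (not from the lecture) implements the RFC 2574/3414 password-to-key algorithm, localization of the resulting key to one snmpEngineID, and HMAC-MD5-96 authentication of a message (the 12-byte msgAuthenticationParameters field is zeroed while the MAC is computed). The "maplesyrup" password and the engine ID 00…02 are the RFC's own test vector; the message bytes and function names are constructed for this example and are not a real BER-encoded SNMPv3 message.

```python
# Added example (not from the lecture): USM password-to-key, key localization
# and HMAC-96 authentication, after RFC 2574 / RFC 3414 appendix A.
import hashlib
import hmac

MEGABYTE = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: repeat the password to exactly 1 MiB and hash it (slow on purpose)."""
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key that is only valid for one
    authoritative engine, so a compromised agent yields neither the password
    nor the keys used with any other agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes (96 bits) of HMAC(Kul, wholeMsg)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def sign(kul: bytes, whole_msg: bytes, offset: int, hash_name: str) -> bytes:
    """Fill the 12-byte authentication field at `offset`; it must be zero when the MAC is computed."""
    if whole_msg[offset:offset + 12] != b"\x00" * 12:
        raise ValueError("authentication field must be zeroed before signing")
    mac = auth_params(kul, whole_msg, hash_name)
    return whole_msg[:offset] + mac + whole_msg[offset + 12:]


def verify(kul: bytes, signed: bytes, offset: int, hash_name: str) -> bool:
    """Receiver side: zero the field, recompute, compare in constant time."""
    received = signed[offset:offset + 12]
    zeroed = signed[:offset] + b"\x00" * 12 + signed[offset + 12:]
    return hmac.compare_digest(received, auth_params(kul, zeroed, hash_name))


# Constructed stand-in for an SNMPv3 message: header, zeroed auth field, scopedPDU.
HEADER = b"v3-header|"
CONSTRUCTED_MSG = HEADER + b"\x00" * 12 + b"|scopedPDU: get sysDescr.0"
AUTH_OFFSET = len(HEADER)

if __name__ == "__main__":
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC test-vector engine ID
    engine_b = bytes.fromhex("800000020109840301")         # another (constructed) agent
    ku = password_to_key(b"maplesyrup", "md5")
    kul_a = localize_key(ku, engine_a, "md5")
    kul_b = localize_key(ku, engine_b, "md5")
    print("Ku    =", ku.hex())
    print("Kul_a =", kul_a.hex())
    msg = sign(kul_a, CONSTRUCTED_MSG, AUTH_OFFSET, "md5")
    print("agent A accepts:", verify(kul_a, msg, AUTH_OFFSET, "md5"))
    print("agent B accepts:", verify(kul_b, msg, AUTH_OFFSET, "md5"))
```

Two practical points this makes visible: the 1 MiB expansion is the only work factor between an attacker and the password, so USM passwords must be long; and because Kul is derived per engine, the same user password can be configured on every agent without one agent's key table exposing the others.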

29 – View-Based Access Control Model (VACM)
VACM has two characteristics:
- It determines whether access to a managed object should be allowed.
- It makes use of a MIB that defines the access control policy for this agent and makes remote configuration of that policy possible.

30 – Access control decision (diagram only)
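The access-control decision in the figure walks three tables: security-to-group, access, and view-tree-family. The following is an added example, not from the lecture: a working model of the isAccessAllowed decision following RFC 2575/3415 (group lookup, selection of the access entry whose securityLevel does not exceed the message's, subtree/mask matching with the longest matching subtree winning). The policy, user names and view names are constructed; the OIDs are the real MIB-II system group, ifEntry and snmpUsmMIB arcs.

```python
# Added example (not from the lecture): the VACM access decision of RFC 2575/3415.
#   vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
#   vacmAccessTable:          (group, context, model, level) -> read/write/notify views
#   vacmViewTreeFamilyTable:  viewName -> subtrees (with masks), included or excluded
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # securityLevel
ANY_MODEL, USM = 0, 3                                 # securityModel


def oid(dotted: str) -> tuple:
    return tuple(int(a) for a in dotted.split("."))


class Vacm:
    def __init__(self):
        self.groups = {}   # (model, securityName) -> groupName
        self.access = []   # (group, context, model, level, readView, writeView, notifyView)
        self.views = {}    # viewName -> [(subtree, mask, included)]

    def add_group(self, model, name, group):
        self.groups[(model, name)] = group

    def add_access(self, group, context, model, level, read="", write="", notify=""):
        self.access.append((group, context, model, level, read, write, notify))

    def add_view(self, view, subtree, included=True, mask=b""):
        """mask bit i = 1: arc i must match; 0: wildcard. A short mask pads with 1s."""
        self.views.setdefault(view, []).append((oid(subtree), mask, included))

    @staticmethod
    def _mask_bit(mask, i):
        if i >= 8 * len(mask):
            return 1
        return (mask[i // 8] >> (7 - i % 8)) & 1

    def _matches(self, subtree, mask, name):
        if len(name) < len(subtree):
            return False
        return all(self._mask_bit(mask, i) == 0 or name[i] == subtree[i]
                   for i in range(len(subtree)))

    def in_view(self, view, name):
        hits = [(sub, inc) for sub, mask, inc in self.views.get(view, [])
                if self._matches(sub, mask, name)]
        if not hits:
            return False
        # Longest matching subtree wins; ties go to the lexicographically greater subtree.
        best = max(hits, key=lambda h: (len(h[0]), h[0]))
        return best[1]

    def _select_access(self, group, context, model, level):
        cands = [a for a in self.access
                 if a[0] == group and a[1] == context
                 and a[2] in (model, ANY_MODEL) and a[3] <= level]
        if not cands:
            return None
        # Prefer an exact securityModel match, then the highest level not above the message's.
        return max(cands, key=lambda a: (a[2] == model, a[3]))

    def is_access_allowed(self, model, sec_name, level, view_type, context, name):
        group = self.groups.get((model, sec_name))
        if group is None:
            return "noSuchGroup"
        entry = self._select_access(group, context, model, level)
        if entry is None:
            return "noAccessEntry"
        view = {"read": entry[4], "write": entry[5], "notify": entry[6]}[view_type]
        if not view:
            return "noSuchView"
        return "accessAllowed" if self.in_view(view, oid(name)) else "notInView"


def demo_policy() -> Vacm:
    """Constructed policy: 'monitor' may read the system group and ifEntry row 2
    (authNoPriv); 'admin' may read/write everything except the USM MIB (authPriv)."""
    v = Vacm()
    v.add_group(USM, "monitor", "ro-group")
    v.add_group(USM, "admin", "rw-group")
    v.add_access("ro-group", "", USM, AUTH_NO_PRIV, read="sys-and-if2")
    v.add_access("rw-group", "", USM, AUTH_PRIV, read="all-but-usm", write="all-but-usm")
    v.add_view("sys-and-if2", "1.3.6.1.2.1.1")                       # system group
    # ifEntry.<any column>.2: mask ff a0 wildcards arc 9 (column), pins arc 10 (ifIndex 2)
    v.add_view("sys-and-if2", "1.3.6.1.2.1.2.2.1.0.2", mask=bytes.fromhex("ffa0"))
    v.add_view("all-but-usm", "1.3.6.1")
    v.add_view("all-but-usm", "1.3.6.1.6.3.15", included=False)       # snmpUsmMIB
    return v


if __name__ == "__main__":
    v = demo_policy()
    for user, level, op, name in [("monitor", AUTH_NO_PRIV, "read", "1.3.6.1.2.1.1.1.0"),
                                  ("monitor", AUTH_NO_PRIV, "read", "1.3.6.1.2.1.2.2.1.10.3"),
                                  ("monitor", AUTH_NO_PRIV, "write", "1.3.6.1.2.1.1.5.0"),
                                  ("admin", AUTH_PRIV, "read", "1.3.6.1.6.3.15.1.2.2.1.3.1")]:
        print(user, level, op, name, "->", v.is_access_allowed(USM, user, level, op, "", name))
```

The two things worth checking in a real agent's configuration are the ones the model exposes: an access entry at noAuthNoPriv silently serves authenticated users too (level comparison is "at least"), and an include of a wide subtree is only narrowed by an exclude if the exclude's subtree is longer, which is why the USM MIB is excluded explicitly above.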

31 – Recommended Reading and Web Sites
Subramanian, Mani. Network Management: Principles and Practice. Addison-Wesley, 2000.
Stallings, W. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, 1999.
IETF SNMPv3 working group: http://www.ietf.org/html.charters/snmpv3-charter.html
SNMPv3 web sites:
http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php

32 – Intruders
Three classes of intruders (hackers or crackers):
- Masquerader: an unauthorized person who penetrates access controls to exploit a legitimate user's account
- Misfeasor: a legitimate user who accesses data or resources for which they are not authorized, or who misuses their privileges
- Clandestine user: one who seizes supervisory control of the system and uses it to evade auditing and access controls

33 – Intrusion Techniques
The system maintains a file that associates a password with each authorized user. The password file can be protected with:
- One-way encryption (the system stores only a one-way transform of the password)
- Access control (only privileged accounts can read the file)

34 – Intrusion Techniques
Techniques for guessing passwords:
- Try default passwords.
- Try all short words, 1 to 3 characters long.
- Try all the words in an electronic dictionary (60,000).
- Collect information about the user's hobbies, family names, birthday, etc.
- Try the user's phone number, social security number, street address, etc.
- Try all license plate numbers (MUP103).
- Use a Trojan horse.
- Tap the line between a remote user and the host system.
Prevention: enforce good password selection (e.g., Ij4Gf4Se%f#).

35 – UNIX Password Scheme: loading a new password (diagram only)

36 – UNIX Password Scheme: verifying a password (diagram only)

37 – Storing UNIX Passwords
UNIX passwords were originally kept (in hashed form) in the publicly readable file /etc/passwd. Now the hashes are kept in a separate "shadow" file (/etc/shadow) that is readable only by root.

38 – "Salt"
The salt serves three purposes:
- Prevents duplicate passwords from being visible in the password file: two users with the same password get different salts and therefore different stored values.
- Effectively increases the length of the password: with a 12-bit salt an attacker must precompute 4096 variants of each guess.
- Prevents the use of off-the-shelf hardware DES implementations: the salt modifies the DES expansion permutation.

39 – Password Selection Strategies
- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking
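A proactive checker is simply the guessing techniques of slide 34 turned around and run at password-change time. The following added example (not from the lecture) implements one: it rejects default passwords, short strings, dictionary words (also when disguised by case or trailing digits), and anything built from the user's own name, family names, birthday, phone number, social security number, street or license plate, and finally applies a minimal length/character-class rule. The word lists and the user record are constructed and deliberately tiny; a real checker would load a full dictionary.

```python
# Added example (not from the lecture): a proactive password checker that applies
# the guessing techniques of the "Intrusion Techniques" slide before a password
# is accepted. Lists below are constructed stand-ins for a real dictionary.
import re

DEFAULT_PASSWORDS = {"password", "admin", "root", "guest", "changeme", "letmein",
                     "public", "private"}        # the last two: classic SNMP community defaults
WORDLIST = {"secret", "dragon", "monkey", "football", "welcome", "sunshine", "maple"}
MIN_LENGTH, MIN_CLASSES = 8, 3


def _letters(s: str) -> str:
    """Lowercase letters only: 'Secret99' -> 'secret', so digit suffixes do not hide a word."""
    return re.sub(r"[^a-z]", "", s.lower())


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def password_problems(password: str, user: dict = None) -> list:
    """Return the list of reasons the password would be rejected (empty = accepted).
    `user` may hold lists under: name, family, hobby, street, plate, birthday, phone, ssn."""
    user = user or {}
    problems = []
    low, core, digits = password.lower(), _letters(password), _digits(password)

    if low in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) <= 3:
        problems.append("too short: 1 to 3 characters are enumerated trivially")
    if low in WORDLIST or (core and core in WORDLIST):
        problems.append("dictionary word")

    # Personal information, textual: name, family names, hobbies, street, plate.
    for label in ("name", "family", "hobby", "street", "plate"):
        for item in user.get(label, []):
            piece = _letters(item)
            if len(piece) >= 3 and piece in core:
                problems.append(f"contains {label} ({item})")
    # Personal information, numeric: birthday, phone, SSN (any 4+ digit run in common).
    for label in ("birthday", "phone", "ssn"):
        for item in user.get(label, []):
            d = _digits(item)
            if d and ((len(digits) >= 4 and digits in d) or d in digits):
                problems.append(f"contains {label}")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < MIN_LENGTH or classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_LENGTH} characters or fewer than {MIN_CLASSES} character classes")
    return problems


def is_acceptable(password: str, user: dict = None) -> bool:
    return not password_problems(password, user)


if __name__ == "__main__":
    # Constructed user record (the license plate is the one from the lecture slide).
    user = {"name": ["Pat"], "family": ["Smith"], "birthday": ["1975-03-25"],
            "phone": ["803-777-1234"], "ssn": ["123-45-6789"], "plate": ["MUP103"]}
    for candidate in ("public", "abc", "Secret99", "MUP103", "8037771234", "Ij4Gf4Se%f#"):
        print(f"{candidate:12} -> {password_problems(candidate, user) or 'accepted'}")
```

The checker reports every failing rule rather than stopping at the first, which is what user education needs: "contains plate (MUP103)" teaches more than "rejected". The three-letter minimum on name fragments is a tuning choice to keep very short names from matching by accident.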

