Network Management Security. Ola Flygt, Växjö University, Sweden. http://w3.msi.vxu.se/users/ofl/ [email protected] +46 470 70 86 49

Post on 24-Dec-2015


1

Ola Flygt, Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/
[email protected]
+46 470 70 86 49

Network Management Security

2

Outline

- Basic Concepts of SNMP
- SNMPv1 Community Facility
- SNMPv3

3

The Internet Standard Management Framework

SNMP network management consists of four parts:

- Management Information Base (MIB): a map of the hierarchical order of all managed objects and how they are accessed
- Structure of Management Information (SMI): rules specifying the format used to define objects managed on the network that the SNMP protocol accesses
- SNMP Protocol: defines the format of messages exchanged by management systems and agents; specifies the Get, GetNext, Set, and Trap operations
- Security and administration capabilities: the addition of these capabilities represents the major enhancement in SNMPv3 over SNMPv2

4

Basic Concepts of SNMP

An integrated collection of tools for network monitoring and control:
- Single operator interface
- Minimal amount of separate equipment: software and network communications capability built into the existing equipment

SNMP key elements:
- Management station
- Management agent
- Management information base
- Network management protocol: Get, Set and Notify

5

Management Information Bases (MIB)

An SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database.

Information in the database is described by Management Information Bases (MIBs).

The MIB specifies the managed objects.

6

Management Information Bases (MIB)

The MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1).

ASN.1 is a formal language for describing data and its properties.

In Linux, MIB files are in the directory /usr/share/snmp/mibs

- Multiple MIB files
- MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks

7

Managed Objects

Each managed object is assigned an object identifier (OID). The OID is specified in a MIB file.

An OID can be represented as a sequence of integers separated by decimal points or by a text string. Example: 1.3.6.1.2.1.4.6 or iso.org.dod.internet.mgmt.mib-2.ip.ipForwData

When an SNMP manager requests an object, it sends the OID to the SNMP agent.

8

MIB Example

ipForwDatagrams OBJECT-TYPE
    SYNTAX Counter
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION
        "The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route option processing was successful."
    ::= { ip 6 }
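As an added example for slides 7 and 8 (not part of the original slides), the following Python resolves an OBJECT-TYPE definition's `::= { ip 6 }` clause to its numeric OID against a small hand-built subset of the MIB-II naming tree, and implements GetNext ordering, which compares OIDs as integer sequences rather than as strings. The `MIB_TREE` table, the regex and the instance set are constructed for this example.

```python
import re

# Constructed subset of the MIB-II naming tree (RFC 1213): name -> (parent, sub-identifier).
MIB_TREE = {
    "iso": (None, 1), "org": ("iso", 3), "dod": ("org", 6),
    "internet": ("dod", 1), "mgmt": ("internet", 2), "mib-2": ("mgmt", 1),
    "system": ("mib-2", 1), "ip": ("mib-2", 4), "ipForwarding": ("ip", 1),
}

# Matches "<name> OBJECT-TYPE ... ::= { <parent> <n> }" in MIB text.
OBJ_RE = re.compile(r"(\w+)\s+OBJECT-TYPE.*?::=\s*\{\s*([\w-]+)\s+(\d+)\s*\}", re.S)

def register_objects(mib_text):
    """Parse every OBJECT-TYPE clause in mib_text and add it to MIB_TREE."""
    names = []
    for name, parent, subid in OBJ_RE.findall(mib_text):
        MIB_TREE[name] = (parent, int(subid))
        names.append(name)
    return names

def numeric_oid(name):
    """Walk the parent links up to the root and return the sub-identifiers as a tuple."""
    path = []
    while name is not None:
        parent, subid = MIB_TREE[name]
        path.append(subid)
        name = parent
    return tuple(reversed(path))

def dotted(oid):
    return ".".join(str(x) for x in oid)

def get_next(instances, oid):
    """GetNext semantics: the lexicographically next instance after oid, comparing
    sub-identifiers as integers (so ...4.2 sorts before ...4.10); None at end of MIB."""
    for candidate in sorted(instances):
        if candidate > oid:
            return candidate
    return None

# Constructed MIB fragment in the slide's format (DESCRIPTION omitted for brevity).
MIB_TEXT = """
ipForwDatagrams OBJECT-TYPE
    SYNTAX Counter
    ACCESS read-only
    STATUS mandatory
    ::= { ip 6 }
"""
register_objects(MIB_TEXT)
```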

9

Protocol context of SNMP

10

Proxy Configuration

11

12

SNMP v1 and v2

Trap – an unsolicited message (reporting an alarm condition)

SNMPv1 is ”connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol.

SNMPv2 allows the use of TCP for ”reliable, connection-oriented” service.

13

Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU      SNMPv2 PDU      Direction                                         Description
GetRequest      GetRequest      Manager to agent                                  Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                                  Request next value for each listed object
------          GetBulkRequest  Manager to agent                                  Request multiple values
SetRequest      SetRequest      Manager to agent                                  Set value for each listed object
------          InformRequest   Manager to manager                                Transmit unsolicited information
GetResponse     Response        Agent to manager or manager to manager (SNMPv2)   Respond to manager request
Trap            SNMPv2-Trap     Agent to manager                                  Transmit unsolicited information

14

SNMPv1 Community Facility

SNMP Community: relationship between an SNMP agent and SNMP managers.

Three aspects of agent control:
- Authentication service
- Access policy
- Proxy service

15

SNMPv1 Administrative Concepts

16

SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2

17

SNMPv3 Flow

18

Traditional SNMP Manager

19

Traditional SNMP Agent


20

SNMPv3 Message Format with USM

21

User Security Model (USM)

Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure

Not intended to secure against:
- Denial of Service (DoS attack)
- Traffic analysis

22

USM Encryption

Authentication (using authKey):
- HMAC-MD5-96
- HMAC-SHA1-96

Encryption (using privKey):
- DES CBC
- Uses first 64 bits of the 16-octet privKey
- Last 64 bits used as IV to DES CBC

Key values not accessible from SNMP

23

Authoritative Engine

- SNMP messages with payloads that expect a response (Get…, Set, Inform): the receiver of the message is authoritative
- SNMP messages with a payload that does not expect a response (Trap, Response, Report): the sender is authoritative

24

Key Localization

- Allows a single user to own keys stored in multiple engines
- Key localized to each authoritative engine using hash functions
- Avoids the problem of a single key being stored in many places
- Greatly slows brute force attack
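As an added example covering slides 22 and 24 (not part of the original slides), this Python implements the RFC 3414 USM password-to-key derivation (Ku), key localization to an authoritative engine (Kul = H(Ku || snmpEngineID || Ku)), and the HMAC-MD5-96 / HMAC-SHA1-96 authentication parameter, using only the standard library. The engine IDs and the message bytes are constructed; the "maplesyrup" password and the first engine ID follow the RFC 3414 appendix A test values.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1,048,576 octets (Ku)."""
    reps = 1048576 // len(password) + 1
    return hashlib.new(algo, (password * reps)[:1048576]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), so each engine holds a different key."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA1-96: HMAC over the whole message, truncated to 12 octets.
    The message carries 12 zero octets in msgAuthenticationParameters while being hashed."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison of a received 96-bit authentication parameter."""
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), received)

# RFC 3414 appendix A.3 inputs: password "maplesyrup", 12-octet engine ID ending in 02.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed second engine

def demo(algo: str = "md5") -> dict:
    ku = password_to_key(PASSWORD, algo)
    kul_a = localize_key(ku, ENGINE_A, algo)
    kul_b = localize_key(ku, ENGINE_B, algo)
    # Constructed stand-in for a BER-encoded SNMPv3 message with zeroed auth parameters
    msg = b"\x30\x20" + bytes(12) + b"constructed-payload"
    tag = auth_params(kul_a, msg, algo)
    return {
        "ku": ku.hex(), "kul": kul_a.hex(), "keys_differ": kul_a != kul_b,
        "ok": verify(kul_a, msg, tag, algo),              # genuine message accepted
        "tampered": verify(kul_a, msg + b"x", tag, algo),  # modified message rejected
        "wrong_engine": verify(kul_b, msg, tag, algo),     # other engine's key rejected
    }
```

Because the same password yields a different Kul on every engine, a key recovered from one agent does not authenticate traffic to another, which is the point of slide 24.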

25

Key Localization

26

Timeliness

- Determined by a clock kept at the authoritative engine
- When the authoritative engine sends a message, it includes the current clock value
- The nonauthoritative agent synchronizes on the clock value
- When the nonauthoritative engine sends a message, it includes the estimated destination clock value
- These procedures allow assessing message timeliness

27

View-Based Access Control Model (VACM)

VACM has two characteristics:
- Determines whether access to a managed object should be allowed.
- Makes use of a MIB that:
  - Defines the access control policy for this agent.
  - Makes it possible for remote configuration to be used.

28

Access control decision
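As an added example for the VACM slides (not part of the original slides), the following Python models the access decision in the RFC 3415 lookup order: the (securityModel, securityName) pair maps to a group, the group plus context and security level select an access entry, the entry names a read/write/notify view, and the OID is tested against the view's subtree families with their masks. The policy, group, user and view names are constructed; context matching is simplified to prefix matching and the tie-break among access entries is simplified, both as noted in the comments.

```python
# Added example (not from the slides): a VACM-style access decision in the
# RFC 3415 lookup order: group -> access entry -> view name -> view subtrees.
SEC_LEVEL = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

def oid_in_view(oid, families):
    """families: (subtree, mask, included). Mask bit 1 = sub-id must match,
    0 = wildcard; bits beyond the mask count as 1. Longest subtree wins."""
    best = None
    for subtree, mask, included in families:
        if len(oid) < len(subtree):
            continue
        if all((i < len(mask) and mask[i] == 0) or oid[i] == subtree[i]
               for i in range(len(subtree))):
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, mask, included)
    return best is not None and best[2]

def check_access(policy, sec_model, sec_name, sec_level, context, op, oid):
    """op: 'read', 'write' or 'notify'. Returns 'accessAllowed' or the RFC 3415
    status name saying which lookup step refused the request."""
    group = policy["groups"].get((sec_model, sec_name))
    if group is None:
        return "noGroupName"
    # Simplification: prefix context matching; message level must be >= entry level.
    cands = [e for e in policy["access"]
             if e["group"] == group and context.startswith(e["context"])
             and e["model"] == sec_model
             and SEC_LEVEL[sec_level] >= SEC_LEVEL[e["level"]]]
    if not cands:
        return "noAccessEntry"
    # Simplified tie-break: longest context prefix, then highest security level.
    entry = max(cands, key=lambda e: (len(e["context"]), SEC_LEVEL[e["level"]]))
    view = entry.get(op + "View")
    if not view:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(oid, policy["views"][view]) else "notInView"

MIB2, TCP = (1, 3, 6, 1, 2, 1), (1, 3, 6, 1, 2, 1, 6)
# Constructed policy: USM user "ops" is in group "readers", which may read (but
# not write) mib-2 with at least authNoPriv, except the tcp group.
POLICY = {
    "groups": {("USM", "ops"): "readers"},
    "access": [{"group": "readers", "context": "", "model": "USM",
                "level": "authNoPriv", "readView": "mib2-no-tcp"}],
    "views": {"mib2-no-tcp": [(MIB2, (), True), (TCP, (), False)]},
}
```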

29

SNMPv3 Security

SNMPv3 solves SNMP security problems, right? NOT!

Decent security implementation, but reality is:
- SNMPv1 still holds ~95% of the market (2005)
- Even SNMPv2 not widely deployed
- Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once)
- There is the issue of proxies and foreign clients

SNMPv3 is the clear long-term choice