CSCE 815 Network Security, Lecture 17: SNMP (Simple Network Management Protocol), March 25, 2003
CSCE 815 Network Security
Lecture 17
SNMP
Simple Network Management Protocol
March 25, 2003
– 2 – CSCE 815 Sp 03
Need for Network Management Tools
In the early days of the Arpanet, the predecessor of the Internet, the name service was accomplished by maintaining and distributing one file with all the IP addresses of the network. But no more … DNS etc.
As networks increase in size
1. The network becomes more indispensable to the organization.
2. More things can go wrong, disabling or degrading the performance of portions of the network.
Today a large network cannot be managed without software assistance.
SNMP History
SNMP version 1 was first published in 1988 (RFC 1067); the widely accepted standard version is RFC 1157 (1990)
SNMP version 2 added additional functionality: RFC 1441 (1993)
SNMP v3 added security features: RFC 2571-2575 (1999), revised as RFC 3410-3415 (2002)
http://www.ibr.cs.tu-bs.de/projects/snmpv3/
http://www.ietf.org/html.charters/snmpv3-charter.html
SNMP v3
Introduction and Applicability Statements for Internet Standard Management Framework, RFC 3410, Informational, December 2002
An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, RFC 3411, STD 62, December 2002
Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), RFC 3412, STD 62, December 2002
Simple Network Management Protocol (SNMP) Applications, RFC 3413, STD 62, December 2002
User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), RFC 3414, STD 62, December 2002
View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), RFC 3415, STD 62, December 2002
SNMP Management Station
Management station – typically a stand-alone device; an interface for the human net manager
Management agent
Management information base
Network Management protocol: Get, Set and Notify
SNMP GOALS
UBIQUITY: PCs AND CRAYs
INCLUSION OF MANAGEMENT SHOULD BE INEXPENSIVE: SMALL CODE, LIMITED FUNCTIONALITY
MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE: NEW MIBs
MANAGEMENT SHOULD BE ROBUST: CONNECTIONLESS TRANSPORT
Resource/reference for next few slides: http://www.simpleweb.org/tutorials/slides-ppt.html
Copyright © 2001 by Aiko Pras
These sheets may be used for educational purposes
SNMP OPERATION
[Figure: a manager polls agents and receives traps from them; each agent holds a MIB]
SNMP
[Figure: the manager issues GET / SET to agents and agents send TRAPs back; each agent holds a MIB]
SNMP OPERATION
[Figure: manager and agents; the MIB on each agent is organised as tables and variables]
Basic Concepts of SNMP
A network management system is an integrated collection of tools for network monitoring and control.
Single operator interface
Minimal amount of separate equipment.
Software and network communications capability built into the existing equipment.
SNMP Management Station
Management station will include:
an interface for the human net manager for monitoring and controlling the network
management applications for data analysis and fault recovery
translation of network manager commands to actual controls of the network
a database of the MIBs of all managed entities of the network
SNMP Management Agent
Key platforms: hosts, bridges, routers, hubs equipped with an SNMP management agent
SNMP management agent is a program that communicates with the SNMP management station
1. Responds to requests for information on network status
2. Responds to requests for management actions
3. May asynchronously provide the management station with unsolicited “alert” information
SNMP Management Information Base
Each network resource is represented as an object (data variable)
Management Information Base (MIB) is the collection of objects that an agent maintains
Objects in the MIB are standardized across the type of agent, such as routers, bridges, etc.
A management station monitors the network by requesting values from the MIBs
A management station controls the network by setting values in the MIBs of the various agents
SNMP Network Management Protocol
Capabilities of SNMP
1. Get – get the value of an object from an agent
2. Set – set the value of an object of an agent
3. Notify – agent alerts the management station
Protocol context of SNMP
[Figure not reproduced in the transcript]
Notes on SNMP protocol
It was designed to be an application level protocol.
It was designed to be easily implemented and consume modest processor and network resources.
SNMP / UDP / IP / data link layer (ethernet)
Each agent must implement SNMP, UDP and IP.
SNMP messages
1. GetRequest
2. GetNextRequest
3. SetRequest
4. GetResponse
5. Trap
SNMP is connectionless (because UDP is).
SNMP Proxies
Not all devices are capable of implementing SNMP (UDP, IP), e.g., bridges, modems etc.
The concept of a proxy was added to accommodate such devices.
SNMPv2 added the capability of running on the OSI as well as the TCP/IP protocol suite
Proxy Configuration
[Figure not reproduced in the transcript]
SNMPv2
The strength of SNMPv1 was simplicity, implying it was easy to implement and configure.
However, deficiencies arose:
1. Lack of support for distributed network management
2. Functional deficiencies
3. Security deficiencies
The first two were addressed by SNMPv2 and the latter by SNMPv3.
SNMP v1 and v2
Trap – an unsolicited message (reporting an alarm condition)
SNMPv1 is “connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol.
SNMPv2 defines additional transport mappings (RFC 1906: UDP, OSI, AppleTalk DDP, Novell IPX); a TCP mapping for reliable, connection-oriented service was specified separately as an experimental RFC (RFC 3430).
Comparison of SNMPv1 and SNMPv2 (Table 8.1)
SNMPv1 PDU       SNMPv2 PDU       Direction                                          Description
GetRequest       GetRequest       Manager to agent                                   Request value for each listed object
GetNextRequest   GetNextRequest   Manager to agent                                   Request next value for each listed object
---              GetBulkRequest   Manager to agent                                   Request multiple values
SetRequest       SetRequest       Manager to agent                                   Set value for each listed object
---              InformRequest    Manager to manager                                 Transmit unsolicited information
GetResponse      Response         Agent to manager or manager to manager (SNMPv2)    Respond to manager request
Trap             SNMPv2-Trap      Agent to manager                                   Transmit unsolicited information
SNMPv1 Community Facility
SNMP provides only rudimentary security through the concept of community.
The community name travels in cleartext in every SNMPv1 message, so it is a shared password that anyone who can observe the traffic can read.
SNMP Community – Relationship between an SNMP agent and SNMP managers.
Maintained locally on the agent
List of managers with associated access privileges
Each agent controls its MIB; aspects of this control:
Authentication service – which manager can access/control
Access policy
Proxy service – this may involve implementing an authentication service for other devices
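The message layout from the "Notes on SNMP protocol" slide and the community facility above, as an added example that is not part of the lecture slides or of any SNMP implementation: a minimal BER encoder and decoder for an SNMPv1 GetRequest (RFC 1157). Building the datagram for sysDescr.0 with the community name "public" and parsing it back shows the point of the slide in bytes: the community is an OCTET STRING at a fixed position in every message, recoverable by anyone who captures the UDP packet. The OID, community name and request-id are constructed sample input.

```python
"""Minimal BER encoder/decoder for an SNMPv1 GetRequest (RFC 1157).
Added example for the lecture, not code from the slides or from any SNMP
project; the OID, community name and request-id are constructed sample
input."""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"      # MIB-II sysDescr.0


def _length(n: int) -> bytes:
    """BER length: one octet below 128, else 0x80|count followed by the big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(n: int) -> bytes:
    # minimal two's-complement encoding (0 -> 00, 128 -> 00 80)
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: bytes, oids, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU [0] }"""
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)   # name + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community) + pdu)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the value) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(datagram: bytes) -> dict:
    """Decode a captured SNMPv1 message; the community name comes back as plain bytes."""
    tag, body, _ = _read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, req_id, pos = _read_tlv(pdu)
    _, _, pos = _read_tlv(pdu, pos)              # error-status
    _, _, pos = _read_tlv(pdu, pos)              # error-index
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        _, name, _ = _read_tlv(varbind)
        oids.append(_decode_oid(name))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community, "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True), "oids": oids}


if __name__ == "__main__":
    wire = build_get_request(b"public", [SYS_DESCR_0])
    print(wire.hex())                     # what a sniffer on the path sees
    print(parse_message(wire))            # community b'public' recovered from the bytes
```

The 40-octet datagram begins 30 26 02 01 00 04 06 70 75 62 6c 69 63 ("public"); every SNMPv1 and SNMPv2c message carries the community this way, which is why the USM of SNMPv3 replaces it with a keyed HMAC and optional encryption.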
SNMP Access Policy
SNMP MIB view – a subset of the objects
SNMP access modes: Read-Only, Read-Write
SNMP community profile = SNMP MIB view + access-mode
SNMP access policy = SNMP community + SNMP community-profile
SNMPv1 Administrative Concepts
[Figure not reproduced in the transcript]
SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferably) or possibly v1
SNMPv3 Architecture
[Figure: an SNMP entity consists of an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem) and SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other)]
Consists of a distributed collection of SNMP entities
SNMP Manager
[Figure: a manager entity: applications (command generator, notification receiver); an engine with PDU dispatcher, message dispatcher and transport mappings; a message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other message processing models; a security subsystem with community-based, user-based and other security models]
SNMP Agent
[Figure: an agent entity: applications (command responder, notification originator); an engine with PDU dispatcher, message dispatcher and transport mappings; a message processing subsystem with SNMPv1, SNMPv2c, SNMPv3 and other message processing models; a security subsystem with community-based, user-based and other security models; an access control subsystem with the view-based access control model; the management information base]
SNMPv3 Flow
[Figure not reproduced in the transcript]
PRIMITIVES BETWEEN MODULES
[Figure: the abstract service interface primitives exchanged between the dispatcher, the message processing subsystem, the security subsystem, the access control subsystem and the applications]
Parameters: transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference
The following slides step through one request/response exchange, one primitive per slide (caller -> callee):
Manager side, sending the request:
sendPdu: application -> dispatcher
prepareOutgoingMessage: dispatcher -> message processing subsystem
generateRequestMsg: message processing subsystem -> security subsystem
send / receive: dispatcher -> transport
Agent side, handling the request:
prepareDataElements: dispatcher -> message processing subsystem
processIncomingMsg: message processing subsystem -> security subsystem
processPdu: dispatcher -> application (command responder)
isAccessAllowed: application -> access control subsystem
returnResponsePdu: application -> dispatcher
prepareResponseMessage: dispatcher -> message processing subsystem
generateResponseMsg: message processing subsystem -> security subsystem
send / receive: dispatcher -> transport
Manager side, receiving the response:
prepareDataElements: dispatcher -> message processing subsystem
processIncomingMsg: message processing subsystem -> security subsystem
processResponsePdu: dispatcher -> application (command generator)
SNMPv3 Message Format with USM
[Figure not reproduced in the transcript]
User-based Security Model (USM)
Designed to secure against:
Modification of information
Masquerade
Message stream modification
Disclosure
Not intended to secure against:
Denial of Service (DoS attack)
Traffic analysis
Key Localization Process
[Figure: password -> Ku = H(password repeated to 1,048,576 octets) -> Kul = H(Ku || snmpEngineID || Ku), per RFC 3414 Appendix A.2]
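The USM threat list and the key localization process above, as an added example written for this lecture (not code from the slides or from any SNMP implementation): RFC 3414 password-to-key derivation, key localization to an agent's snmpEngineID, and the HMAC-based msgAuthenticationParameters that protect against modification and masquerade. The password "maplesyrup" and the 12-octet engine ID are the RFC 3414 Appendix A.3 test vectors; the message bytes in the demo are constructed, not a real serialized SNMPv3 message.

```python
"""SNMPv3 USM key handling (RFC 3414): password-to-key, key localization
and HMAC message authentication.  Added example, not code from the
lecture; the password and engine ID in the demo are the RFC 3414
Appendix A.3 test vectors, the message bytes are constructed."""
import hashlib
import hmac

_HASH = {"md5": hashlib.md5, "sha1": hashlib.sha1}
_STREAM_LEN = 1048576          # RFC 3414 A.2: hash 1 MiB of the repeated password
MAC_LEN = 12                   # HMAC-MD5-96 / HMAC-SHA-96 truncate to 12 octets


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated to 1,048,576 octets (deliberately costly to brute-force)."""
    stream = (password * (_STREAM_LEN // len(password) + 1))[:_STREAM_LEN]
    return _HASH[algo](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one user password, a distinct key on every agent,
    so a key recovered from one compromised agent does not open the others."""
    return _HASH[algo](ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters: truncated HMAC over the serialized message in
    which the 12-octet parameter field itself holds zeros."""
    return hmac.new(kul, whole_msg, _HASH[algo]).digest()[:MAC_LEN]


def sign(kul: bytes, msg_with_zeroed_mac: bytes, mac_offset: int, algo: str = "md5") -> bytes:
    """Sender side: fill the zeroed field with the MAC."""
    mac = auth_params(kul, msg_with_zeroed_mac, algo)
    return msg_with_zeroed_mac[:mac_offset] + mac + msg_with_zeroed_mac[mac_offset + MAC_LEN:]


def verify(kul: bytes, msg: bytes, mac_offset: int, algo: str = "md5") -> bool:
    """Receiver side: zero the field, recompute, compare in constant time."""
    received = msg[mac_offset:mac_offset + MAC_LEN]
    zeroed = msg[:mac_offset] + b"\x00" * MAC_LEN + msg[mac_offset + MAC_LEN:]
    return hmac.compare_digest(received, auth_params(kul, zeroed, algo))


def demo(engine_id: bytes = bytes.fromhex("000000000000000000000002")) -> dict:
    """RFC 3414 A.3 vectors for MD5, then sign/verify a constructed message."""
    ku = password_to_key(b"maplesyrup", "md5")
    kul = localize_key(ku, engine_id, "md5")
    header = b"msgVersion=3 msgFlags=1 "            # constructed stand-in for the message header
    scoped_pdu = b"<scopedPDU: get sysDescr.0>"     # constructed stand-in for the scoped PDU
    unsigned = header + b"\x00" * MAC_LEN + scoped_pdu
    signed = sign(kul, unsigned, len(header))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one bit of the PDU
    return {"ku": ku.hex(), "kul": kul.hex(),
            "ok": verify(kul, signed, len(header)),
            "tampered_ok": verify(kul, tampered, len(header))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two properties worth noticing: the same password produces a different Kul for each engine ID, which is the whole point of localization, and the timeliness fields (snmpEngineBoots, snmpEngineTime) that USM adds against message stream modification are outside this example; HMAC alone does not stop replay.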
View-Based Access Control Model (VACM)
VACM has two characteristics:
Determines whether access to a managed object should be allowed.
Makes use of a MIB that:
defines the access control policy for this agent;
makes it possible for remote configuration to be used.
Access control decision
[Figure not reproduced in the transcript]
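The access control decision slide, and the earlier "SNMP Access Policy" slide whose community profile (MIB view + access mode) VACM generalises, as an added worked model that is not code from the lecture or from any agent: the RFC 3415 isAccessAllowed decision over the three VACM tables (securityName to group, group/level to views, view tree families with subtree, mask and included/excluded). The groups, users, views and OIDs are constructed sample data.

```python
"""Model of the SNMPv3 VACM access-control decision (RFC 3415 section 3.2),
added to illustrate the lecture's 'Access control decision' slide.  Not code
from the lecture or from any agent; the groups, views, users and OIDs below
are constructed sample data."""
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def _arcs(oid: str):
    return [int(a) for a in oid.split(".")]


@dataclass(frozen=True)
class ViewEntry:
    """One vacmViewTreeFamilyTable row: subtree, mask (one bit per arc, 1 = arc
    must match, bits beyond the mask count as 1), and included/excluded."""
    subtree: str
    mask: bytes = b""
    included: bool = True


def _matches(entry: ViewEntry, oid: str) -> bool:
    sub, arcs = _arcs(entry.subtree), _arcs(oid)
    if len(arcs) < len(sub):
        return False
    for i, arc in enumerate(sub):
        byte, bit = divmod(i, 8)
        significant = (entry.mask[byte] >> (7 - bit)) & 1 if byte < len(entry.mask) else 1
        if significant and arc != arcs[i]:
            return False
    return True


def in_view(view, oid: str) -> bool:
    """Among matching entries the longest subtree wins (lexicographically greatest
    on ties); the object is in the view iff that entry is 'included'."""
    best = None
    for e in view:
        if _matches(e, oid):
            key = (len(_arcs(e.subtree)), _arcs(e.subtree))
            if best is None or key > best[0]:
                best = (key, e)
    return best is not None and best[1].included


# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {("USM", "noc-reader"): "readers", ("USM", "admin"): "admins"}

# vacmAccessTable: (groupName, contextPrefix, securityModel, minimum securityLevel)
#                  -> (readView, writeView, notifyView); None means no view at all
ACCESS = {
    ("readers", "", "USM", "authNoPriv"): ("system-only", None, None),
    ("admins", "", "USM", "authPriv"):    ("all", "all", None),
}

VIEWS = {
    "all": [ViewEntry("1.3.6.1")],
    # the system group, with sysLocation (1.3.6.1.2.1.1.6) carved out
    "system-only": [ViewEntry("1.3.6.1.2.1.1"), ViewEntry("1.3.6.1.2.1.1.6", included=False)],
}


def is_access_allowed(security_model, security_name, security_level, view_type, oid, context=""):
    """The isAccessAllowed primitive; returns the RFC 3415 status names."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    candidates = [(k, v) for k, v in ACCESS.items()
                  if k[0] == group and k[2] == security_model and context.startswith(k[1])
                  and LEVELS[security_level] >= LEVELS[k[3]]]
    if not candidates:
        return "noAccessEntry"
    # prefer the longest context prefix, then the highest securityLevel
    _, views = max(candidates, key=lambda kv: (len(kv[0][1]), LEVELS[kv[0][3]]))
    view_name = views[{"read": 0, "write": 1, "notify": 2}[view_type]]
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if in_view(VIEWS[view_name], oid) else "notInView"


if __name__ == "__main__":
    for args in [("USM", "noc-reader", "authNoPriv", "read", "1.3.6.1.2.1.1.1.0"),    # sysDescr.0
                 ("USM", "noc-reader", "authNoPriv", "read", "1.3.6.1.2.1.1.6.0"),    # sysLocation.0
                 ("USM", "noc-reader", "noAuthNoPriv", "read", "1.3.6.1.2.1.1.1.0"),  # level too low
                 ("USM", "noc-reader", "authNoPriv", "write", "1.3.6.1.2.1.1.1.0"),   # no write view
                 ("USM", "admin", "authPriv", "write", "1.3.6.1.2.1.1.6.0"),
                 ("USM", "stranger", "authPriv", "read", "1.3.6.1.2.1.1.1.0")]:
        print(args, "->", is_access_allowed(*args))
```

The mask is what lets a view express a single conceptual row: a family entry for 1.3.6.1.2.1.2.2.1.1.3 with mask ff:b0 wildcards the column arc and pins the ifIndex, so only interface 3's row of ifTable is visible.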
Recommended Reading and WEB Sites
Subramanian, Mani. Network Management. Addison-Wesley, 2000
Stallings, W. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, 1999
IETF SNMPv3 working group (Web sites)
http://www.ietf.org/html.charters/snmpv3-charter.html
SNMPv3 Web sites
http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php