CSCE 815 Network Security
Lecture 17: SNMP, the Simple Network Management Protocol
March 25, 2003

Need for Network Management Tools

In the early days of the Arpanet, the predecessor of the Internet, name service was accomplished by maintaining and distributing one file with all the IP addresses of the network. That no longer scales; DNS and similar distributed services replaced it.

As networks increase in size:
1. The network becomes more indispensable to the organization.
2. More things can go wrong, disabling or degrading the performance of portions of the network.

Today a large network cannot be managed without software assistance.

SNMP History

SNMP version 1 was first published in 1988 (RFC 1067); the widely adopted specification is RFC 1157 (1990).

SNMP version 2 added functionality: RFC 1441 (1993).

SNMP version 3 added security features: RFC 3410-3415 (December 2002, replacing the original 1999 SNMPv3 documents, RFC 2571-2575).
http://www.ibr.cs.tu-bs.de/projects/snmpv3/
http://www.ietf.org/html.charters/snmpv3-charter.html

SNMPv3 Documents

RFC 3410, Introduction and Applicability Statements for Internet Standard Management Framework, Informational, December 2002
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, STD 62, December 2002
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), STD 62, December 2002
RFC 3413, Simple Network Management Protocol (SNMP) Applications, STD 62, December 2002
RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), STD 62, December 2002
RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), STD 62, December 2002

SNMP Model

Management station: typically a stand-alone device; the interface for the human network manager
Management agent
Management information base (MIB)
Network management protocol: Get, Set and Notify

SNMP Goals

Ubiquity: PCs and Crays alike
Inclusion of management should be inexpensive: small code, limited functionality
Management extensions should be possible: new MIBs
Management should be robust: connectionless transport

Resource/reference for the next few slides: http://www.simpleweb.org/tutorials/slides-ppt.html
Copyright © 2001 by Aiko Pras. These sheets may be used for educational purposes.

SNMP Operation (figures)

A manager polls agents with Get and Set requests; agents answer from their MIB and send traps asynchronously. The MIB is organized as scalar variables and tables.

Basic Concepts of SNMP

A network management system is an integrated collection of tools for network monitoring and control:
  Single operator interface
  Minimal amount of separate equipment
  Software and network communications capability built into the existing equipment

SNMP Management Station

A management station will include:
  An interface for the human network manager for monitoring and controlling the network
  Management applications for data analysis and fault recovery
  Translation of network manager commands to actual controls of the network
  A database of the MIBs of all managed entities of the network

SNMP Management Agent

Key platforms: hosts, bridges, routers and hubs equipped with an SNMP management agent.

The SNMP management agent is a program that communicates with the SNMP management station. It:
1. Responds to requests for information on network status
2. Responds to requests for management actions
3. May asynchronously provide the management station with unsolicited "alert" information

SNMP Management Information Base

Each network resource is represented as an object (data variable).

The Management Information Base (MIB) is the collection of objects that an agent maintains.

Objects in the MIB are standardized across the type of agent, such as routers, bridges, etc.

A management station monitors the network by requesting values from the MIBs.

A management station controls the network by setting values in the MIBs of the various agents.

SNMP Network Management Protocol

Capabilities of SNMP:
1. Get: get the value of an object from an agent
2. Set: set the value of an object of an agent
3. Notify: the agent alerts the management station

Protocol context of SNMP (figure)

Notes on the SNMP protocol

It was designed to be an application-level protocol.

It was designed to be easily implemented and to consume modest processor and network resources.

Protocol stack: SNMP over UDP over IP over the data link layer (e.g., Ethernet).

Each agent must implement SNMP, UDP and IP.

SNMPv1 messages:
1. GetRequest
2. GetNextRequest
3. SetRequest
4. GetResponse
5. Trap

SNMP is connectionless (because UDP is).
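The message structure above is easier to see on the wire. The following encoder and decoder are an added example, not code from the lecture; they produce the BER bytes of an SNMPv1 GetRequest exactly as RFC 1157 lays them out (version, community, PDU) and then parse the community string back out of the datagram, which is all a passive sniffer on the UDP path has to do to learn the credential. The OIDs and the community "public" are sample values chosen for the example.

```python
"""BER encoding and decoding of an SNMPv1 GetRequest (RFC 1157).

Added example, not from the lecture slides. It produces the exact bytes a
manager sends to UDP port 161 and then parses the community string back out
of the datagram, which is all a passive sniffer has to do to learn it.
Everything stays in memory; no sockets are opened.
"""

# BER tags used by SNMPv1 (RFC 1157, Section 4)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_NEXT_REQUEST, TAG_GET_RESPONSE, TAG_SET_REQUEST, TAG_TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
SNMP_V1 = 0  # value of the version field for SNMPv1


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    return tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs in base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_request(community: str, oids, request_id: int = 1, pdu_tag: int = TAG_GET_REQUEST) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }.
    The community travels as a plain OCTET STRING: no hashing, no encryption."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, ber_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, ber_int(SNMP_V1) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(datagram: bytes) -> dict:
    """Recover version, community, PDU type, request-id and the requested OIDs from a captured datagram."""
    tag, body, _ = read_tlv(datagram)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, req_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)   # error-status (always 0 in a request)
    _, _, pos = read_tlv(pdu, pos)   # error-index
    _, bindings, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(bindings):
        _, vb, pos = read_tlv(bindings, pos)
        _, oid_raw, _ = read_tlv(vb)
        oids.append(decode_oid(oid_raw))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    wire = encode_request("public", ["1.3.6.1.2.1.1.1.0"])   # sysDescr.0 with the default read community
    print(wire.hex())
    print(parse_message(wire))
```

The 40-byte datagram for sysDescr.0 contains the ASCII bytes of "public" unchanged at offset 8; a capture of any v1 or v2c exchange therefore yields the community directly, and a SetRequest is the same message with tag 0xA3 and a value in place of the NULL.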

SNMP Proxies

Not all devices are capable of implementing SNMP (with UDP and IP), e.g., bridges, modems, etc.

The concept of a proxy was added to accommodate such devices: a proxy agent speaks SNMP on their behalf.

SNMPv2 added the capability of running over the OSI protocol suite as well as TCP/IP.

Proxy Configuration (figure)

SNMPv2

The strength of SNMPv1 was simplicity, implying it was easy to implement and configure.

However, deficiencies arose:
1. Lack of support for distributed network management
2. Functional deficiencies
3. Security deficiencies

The first two were addressed by SNMPv2 and the third by SNMPv3.


SNMP v1 and v2

Trap: an unsolicited message (reporting an alarm condition).

SNMPv1 is "connectionless" since it utilizes UDP (rather than TCP) as the transport-layer protocol.

SNMPv2 defined additional transport mappings (RFC 1449), though UDP remained the preferred transport; a reliable, connection-oriented TCP mapping was specified only later, in RFC 3430 (2002).

Comparison of SNMPv1 and SNMPv2 PDUs (Stallings, Table 8.1)

SNMPv1 PDU      SNMPv2 PDU      Direction                                       Description
GetRequest      GetRequest      Manager to agent                                Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                                Request next value for each listed object
--              GetBulkRequest  Manager to agent                                Request multiple values
SetRequest      SetRequest      Manager to agent                                Set value for each listed object
--              InformRequest   Manager to manager                              Transmit unsolicited information
GetResponse     Response        Agent to manager, or manager to manager (SNMPv2)  Respond to manager request
Trap            SNMPv2-Trap     Agent to manager                                Transmit unsolicited information
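What the agent actually does for GetRequest, GetNextRequest and GetBulkRequest is easiest to see against a small MIB. The code below is an added example, not material from the slides: the MIB contents (a few system-group scalars and two ifTable rows) are constructed for the example, and the functions implement the lexicographic-next rule that GetNext is defined over, the walk a manager builds on it, and the non-repeaters / max-repetitions semantics of SNMPv2's GetBulk.

```python
"""Get, GetNext and GetBulk semantics over a small in-memory MIB.

Added example, not from the slides. The MIB contents are constructed (a
few system-group scalars and two rows of ifTable); OIDs are tuples of
ints so that Python's tuple comparison gives the lexicographic ordering
that GetNext is defined over.
"""
import bisect

END_OF_MIB_VIEW = "endOfMibView"   # SNMPv2 exception value; an SNMPv1 agent answers noSuchName instead


def as_oid(x):
    return x if isinstance(x, tuple) else tuple(int(a) for a in str(x).strip(".").split("."))


def dotted(o):
    return ".".join(map(str, o))


# Constructed sample MIB (sysDescr.0, sysUpTime.0, sysName.0, ifDescr.{1,2}, ifOperStatus.{1,2})
MIB = {
    as_oid("1.3.6.1.2.1.1.1.0"): "Example router",
    as_oid("1.3.6.1.2.1.1.3.0"): 123456,
    as_oid("1.3.6.1.2.1.1.5.0"): "edge-rtr-1",
    as_oid("1.3.6.1.2.1.2.2.1.2.1"): "eth0",
    as_oid("1.3.6.1.2.1.2.2.1.2.2"): "eth1",
    as_oid("1.3.6.1.2.1.2.2.1.8.1"): 1,
    as_oid("1.3.6.1.2.1.2.2.1.8.2"): 2,
}
ORDERED = sorted(MIB)   # lexicographic order of the instances the agent holds


def get(name):
    """GetRequest: exact instance lookup."""
    return MIB.get(as_oid(name), "noSuchObject")


def get_next(name):
    """GetNextRequest: (oid, value) of the first instance lexicographically after name.
    Works for a non-instance prefix too, which is how walks start."""
    i = bisect.bisect_right(ORDERED, as_oid(name))
    if i == len(ORDERED):
        return None, END_OF_MIB_VIEW
    return ORDERED[i], MIB[ORDERED[i]]


def walk(subtree):
    """Manager-side walk: repeat GetNext until the returned OID leaves the subtree."""
    prefix, cur, out = as_oid(subtree), as_oid(subtree), []
    while True:
        nxt, val = get_next(cur)
        if nxt is None or nxt[:len(prefix)] != prefix:
            return out
        out.append((nxt, val))
        cur = nxt


def get_bulk(names, non_repeaters, max_repetitions):
    """GetBulkRequest (SNMPv2): the first non_repeaters names get a single GetNext each;
    the remaining names are advanced up to max_repetitions times, interleaved per repetition."""
    out = [get_next(n) for n in names[:non_repeaters]]
    cursors = [as_oid(n) for n in names[non_repeaters:]]
    for _ in range(max_repetitions):
        for k, cur in enumerate(cursors):
            nxt, val = get_next(cur)
            out.append((nxt, val))
            if nxt is not None:
                cursors[k] = nxt
    return out


if __name__ == "__main__":
    for o, v in walk("1.3.6.1.2.1.2.2.1.2"):
        print(dotted(o), v)
    print(get_bulk(["1.3.6.1.2.1.1.5", "1.3.6.1.2.1.2.2.1.2"], 1, 3))
```

Note the asymmetry GetBulk introduces: one short request with a large max-repetitions elicits a response many times its size, which is why an agent reachable from untrusted networks needs rate limiting or filtering independent of any access-control decision.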

SNMPv1 Community Facility

SNMP provides only rudimentary security through the concept of a community.

SNMP community: a relationship between an SNMP agent and a set of SNMP managers, maintained locally on the agent as a list of managers with associated access privileges. In SNMPv1 the community name carried in each message is the only proof of membership.

Each agent controls its MIB; aspects of this control:
  Authentication service: which managers can access/control the agent
  Access policy
  Proxy service: this may involve implementing an authentication service for other devices

SNMP Access Policy

SNMP MIB view: a subset of the objects in the MIB
SNMP access modes: read-only, read-write
SNMP community profile = SNMP MIB view + access mode
SNMP access policy = SNMP community + SNMP community profile
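The two definitions above are small enough to implement directly. The following is an added example, not code from the slides: a constructed policy table maps each community name to a profile (MIB view plus access mode) and `authorize` applies RFC 1157's rules to a request, including the detail that SNMPv1 has no "not authorized" error and reports both an object outside the view and a Set against a read-only profile as noSuchName. Community names, views and OIDs are sample values.

```python
"""SNMPv1 community-based access policy (RFC 1157, Section 3.2.5).

Added example, not slide material. Community profile = MIB view + access
mode; access policy = community name + profile. The only thing that
identifies the requesting manager is the community string in the message.
"""
from dataclasses import dataclass

READ_ONLY, READ_WRITE = "read-only", "read-write"
GET, GET_NEXT, SET = "GetRequest", "GetNextRequest", "SetRequest"


def as_oid(s: str) -> tuple:
    return tuple(int(a) for a in s.strip(".").split("."))


@dataclass(frozen=True)
class CommunityProfile:
    view: tuple          # OID subtrees this community may see (the MIB view)
    access_mode: str     # READ_ONLY or READ_WRITE

    def in_view(self, name: str) -> bool:
        o = as_oid(name)
        return any(o[:len(sub)] == sub for sub in self.view)


# Constructed access policy: community name -> profile (normally read from the agent's configuration)
ACCESS_POLICY = {
    "public":  CommunityProfile(view=(as_oid("1.3.6.1.2.1.1"),), access_mode=READ_ONLY),   # system group only
    "private": CommunityProfile(view=(as_oid("1.3.6.1.2.1"),), access_mode=READ_WRITE),    # all of mib-2
}


def authorize(community: str, pdu_type: str, name: str) -> str:
    """Return 'ok' or the disposition an RFC 1157 agent gives the request.

    An unknown community gets no response PDU at all (the agent may emit an
    authenticationFailure trap); an object outside the view 'does not exist'
    (noSuchName); and a Set on a read-only profile is also noSuchName, since
    RFC 1157 never uses the readOnly error-status for this case.
    """
    profile = ACCESS_POLICY.get(community)
    if profile is None:
        return "drop: unknown community (authenticationFailure trap)"
    if not profile.in_view(name):
        return "noSuchName"
    if pdu_type == SET and profile.access_mode != READ_WRITE:
        return "noSuchName"
    return "ok"


if __name__ == "__main__":
    for community, pdu, oid in [("public", GET, "1.3.6.1.2.1.1.5.0"),       # sysName.0
                                ("public", SET, "1.3.6.1.2.1.1.5.0"),
                                ("public", GET, "1.3.6.1.2.1.2.2.1.2.1"),   # ifDescr.1, outside the view
                                ("private", SET, "1.3.6.1.2.1.1.5.0"),
                                ("guess", GET, "1.3.6.1.2.1.1.5.0")]:
        print(community, pdu, oid, "->", authorize(community, pdu, oid))
```

The decision depends on nothing but the community string: a request built by an attacker who sniffed or guessed "private" is evaluated identically to one from the management station. Restricting by source address is something the agent's host or the network has to add outside the protocol.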

SNMPv1 Administrative Concepts (figure)

SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferably) or possibly SNMPv1.

SNMPv3 Architecture (figure, reconstructed as a list)

SNMPv3 consists of a distributed collection of SNMP entities. Each SNMP entity contains one SNMP engine and one or more SNMP applications:

SNMP engine
  Dispatcher
  Message processing subsystem
  Security subsystem
  Access control subsystem

SNMP applications
  Command generator
  Command responder
  Notification originator
  Notification receiver
  Proxy forwarder
  Other

SNMP Manager (figure, reconstructed as a list)

Applications: command generator, notification receiver
Dispatcher: PDU dispatcher, message dispatcher, transport mappings
Message processing subsystem: SNMPv1, SNMPv2c, SNMPv3, other
Security subsystem: community-based security model, user-based security model, other security model

SNMP Agent (figure, reconstructed as a list)

Applications: command responder, notification originator
Dispatcher: PDU dispatcher, message dispatcher, transport mappings
Message processing subsystem: SNMPv1, SNMPv2c, SNMPv3, other
Security subsystem: community-based security model, user-based security model, other security model
Access control subsystem: view-based access control
Management information base

SNMPv3 Flow (figure)

Primitives Between Modules (sequence of figures, reconstructed as a list)

This sequence of figures traces one request and its response through the subsystems of the manager and the agent, using the abstract service interfaces of RFC 3411. Each line names the primitive and which module invokes it on which.

Manager side, outgoing request:
  sendPdu                  application -> dispatcher
  prepareOutgoingMessage   dispatcher -> message processing subsystem
  generateRequestMsg       message processing subsystem -> security subsystem
  send / receive           dispatcher -> transport

Agent side, incoming request and outgoing response:
  prepareDataElements      dispatcher -> message processing subsystem
  processIncomingMsg       message processing subsystem -> security subsystem
  processPdu               dispatcher -> application (command responder)
  isAccessAllowed          application -> access control subsystem
  returnResponsePdu        application -> dispatcher
  prepareResponseMessage   dispatcher -> message processing subsystem
  generateResponseMsg      message processing subsystem -> security subsystem
  send / receive           dispatcher -> transport

Manager side, incoming response:
  prepareDataElements      dispatcher -> message processing subsystem
  processIncomingMsg       message processing subsystem -> security subsystem
  processResponsePdu       dispatcher -> application (command generator)

Parameters carried by these primitives: transportDomain, transportAddress, messageProcessingModel, securityModel, securityName, securityLevel, contextEngineID, contextName, pduVersion, PDU, expectResponse, maxSizeResponseScopedPDU, stateReference, statusInformation, sendPduHandle, destTransportDomain, destTransportAddress, outgoingMessage, outgoingMessageLength, wholeMsg, wholeMsgLength, pduType, viewType, variableName, globalData, maxMessageSize, securityEngineID, scopedPDU, securityParameters, securityStateReference.

SNMPv3 Message Format with USM (figure)

User-based Security Model (USM)

Designed to secure against:
  Modification of information
  Masquerade
  Message stream modification
  Disclosure

Not intended to secure against:
  Denial of service (DoS attack)
  Traffic analysis

Key Localization Process (figure)
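The USM threat list and the key localization figure come together in a few small functions. The code below is an added example, not from the slides: it implements RFC 3414's password-to-key expansion, the localization step Kul = H(Ku || snmpEngineID || Ku), the truncated HMAC that answers the modification and masquerade threats, and the engineBoots/engineTime window that answers message stream modification (replay and delay). The password "maplesyrup" and the engineID ending in 02 are the test vector from RFC 3414 Appendix A.3, so the derived keys can be checked against the specification; the "message" bytes are a constructed stand-in for a real SNMPv3 wholeMsg.

```python
"""USM (RFC 3414) primitives: password-to-key, key localization, HMAC-96
authentication and the timeliness window.

Added example, not from the slides. It uses only hashlib/hmac from the
Python standard library. The password "maplesyrup" and engineID
00 00 00 00 00 00 00 00 00 00 00 02 are the RFC 3414 Appendix A.3 test
vector, so the derived keys can be checked against the specification.
The message bytes below are a constructed stand-in for a real SNMPv3
wholeMsg; building the full BER message is out of scope here.
"""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # RFC 3414 A.2: the password is repeated to 1,048,576 octets before hashing
AUTH_TAG_LEN = 12          # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 96 bits
TIME_WINDOW = 150          # RFC 3414 Section 2.2.3: tolerated clock skew, in seconds
MAX_BOOTS = 2**31 - 1      # an engine whose boot counter has latched at this value rejects everything


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to 1 MB). The expansion adds some cost to offline guessing,
    but Ku is still a function of the password alone: treat it as password-equivalent."""
    reps = EXPANDED_LEN // len(password) + 1
    return hashlib.new(algo, (password * reps)[:EXPANDED_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives a different key on every
    engine, so a key recovered from one agent does not authenticate the user to another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with this field zeroed), truncated."""
    return hmac.new(kul, whole_msg, algo).digest()[:AUTH_TAG_LEN]


def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison; a modified message or a key localized for another engine fails."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, algo), tag)


def timely(msg_boots: int, msg_time: int, local_boots: int, local_time: int) -> bool:
    """Authoritative-engine check against replay and delay (the 'message stream
    modification' threat): same boot epoch and within 150 s of the engine's own clock."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(local_time - msg_time) <= TIME_WINDOW


def derive_user_keys(password: bytes, engine_id: bytes, algo: str = "md5") -> dict:
    """The derivation a manager performs once per (user, engine) pair after discovering the engineID."""
    ku = password_to_key(password, algo)
    return {"Ku": ku, "Kul": localize_key(ku, engine_id, algo)}


if __name__ == "__main__":
    engine = bytes.fromhex("000000000000000000000002")
    keys = derive_user_keys(b"maplesyrup", engine, "md5")
    print("Ku  =", keys["Ku"].hex())    # 9faf3283884e92834ebc9847d8edd963 (RFC 3414 A.3.1)
    print("Kul =", keys["Kul"].hex())   # 526f5eed9fcce26f8964c2930787d82b
    msg = b"\x30\x00constructed-snmpv3-wholeMsg-with-zeroed-auth-params"
    tag = auth_tag(keys["Kul"], msg, "md5")
    print("auth ok:", verify_auth(keys["Kul"], msg, tag, "md5"),
          "tampered:", verify_auth(keys["Kul"], msg + b"!", tag, "md5"))
```

Two practical consequences follow from the code. Because Ku is derived from the password alone, anyone who obtains the localized key of one engine and knows the engineID can still not use it elsewhere, but anyone who obtains Ku (for example from a management station's configuration) can localize it for every engine. And the timeliness window only holds if the manager first learns engineBoots/engineTime from the authoritative engine, which is why USM's discovery exchange precedes the first authenticated request.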

View-Based Access Control Model (VACM)

VACM has two characteristics:
  It determines whether access to a managed object should be allowed.
  It makes use of a MIB that defines the access control policy for this agent and makes remote configuration of that policy possible.
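The decision VACM makes is worth seeing end to end, because it is the check every SNMPv3 Get or Set passes through after USM has authenticated the user. The following is an added example, not code from the slides: the three VACM tables (securityName to group, group to access entry, view tree families with masks) are constructed inline with sample users and views, and `is_access_allowed` walks them in the order RFC 3415 prescribes, returning the RFC's own status names. The "hide the USM user table" view and the row-restricting family mask are the two idioms a practitioner most often needs.

```python
"""A working model of the RFC 3415 VACM isAccessAllowed decision.

Added example, not from the slides. The three tables are constructed here;
a real agent fills vacmSecurityToGroupTable, vacmAccessTable and
vacmViewTreeFamilyTable from its configuration or via remote SET.
"""
from dataclasses import dataclass, field

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # securityLevel values (RFC 3411)
ANY_MODEL, SNMPV1, SNMPV2C, USM = 0, 1, 2, 3         # securityModel numbers
READ, WRITE, NOTIFY = "read", "write", "notify"      # viewType


def as_oid(s: str) -> tuple:
    return tuple(int(a) for a in s.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:
    """One vacmViewTreeFamilyTable row."""
    subtree: tuple
    mask: tuple = ()          # 1 = arc must match, 0 = wildcard; arcs past the mask's end count as 1
    included: bool = True     # vacmViewTreeFamilyType included(1) / excluded(2)

    def covers(self, name: tuple) -> bool:
        if len(name) < len(self.subtree):
            return False
        mask = self.mask + (1,) * (len(self.subtree) - len(self.mask))
        return all(m == 0 or a == b for a, b, m in zip(name, self.subtree, mask))


@dataclass
class AccessEntry:
    """One vacmAccessTable row."""
    group: str
    context_prefix: str
    model: int                 # ANY_MODEL or a specific securityModel
    level: int                 # minimum securityLevel
    views: dict = field(default_factory=dict)   # {READ: viewName, WRITE: viewName, NOTIFY: viewName}


CONTEXTS = {""}                                           # vacmContextTable: only the default context
SECURITY_TO_GROUP = {(USM, "monitor"): "ro-group",        # vacmSecurityToGroupTable
                     (USM, "netops"): "rw-group",
                     (USM, "helpdesk"): "if2-group"}
VIEWS = {                                                 # vacmViewTreeFamilyTable, grouped by view name
    "sysonly": [ViewFamily(as_oid("1.3.6.1.2.1.1"))],
    "all-but-usm": [ViewFamily(as_oid("1.3.6.1")),
                    ViewFamily(as_oid("1.3.6.1.6.3.15"), included=False)],   # hide SNMP-USER-BASED-SM-MIB
    "if2-only": [ViewFamily(as_oid("1.3.6.1.2.1.2.2.1.0.2"),               # ifEntry.<any column>.2
                            mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1))],
}
ACCESS = [
    AccessEntry("ro-group", "", USM, AUTH_NO_PRIV, {READ: "sysonly"}),
    AccessEntry("rw-group", "", USM, AUTH_NO_PRIV, {READ: "all-but-usm"}),
    AccessEntry("rw-group", "", USM, AUTH_PRIV, {READ: "all-but-usm", WRITE: "all-but-usm"}),
    AccessEntry("if2-group", "", USM, AUTH_NO_PRIV, {READ: "if2-only"}),
]


def in_view(families, name: tuple) -> bool:
    """RFC 3415 Section 3.5: among matching families the one with the longest subtree
    (ties broken by the lexicographically greatest subtree) decides, by its included/excluded type."""
    matches = [f for f in families if f.covers(name)]
    if not matches:
        return False
    return max(matches, key=lambda f: (len(f.subtree), f.subtree)).included


def is_access_allowed(security_model: int, security_name: str, security_level: int,
                      view_type: str, context_name: str, variable_name: str) -> str:
    """Returns accessAllowed or the RFC 3415 reason for refusal, in the order the RFC checks them."""
    if context_name not in CONTEXTS:
        return "noSuchContext"
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    candidates = [e for e in ACCESS
                  if e.group == group and e.model in (ANY_MODEL, security_model)
                  and e.level <= security_level and context_name.startswith(e.context_prefix)]
    if not candidates:
        return "noAccessEntry"
    # Preference order from RFC 3415 Section 3.2 step 4: exact model over wildcard,
    # exact context over prefix match, then the highest securityLevel
    best = max(candidates, key=lambda e: (e.model != ANY_MODEL,
                                          e.context_prefix == context_name, e.level))
    view_name = best.views.get(view_type)
    if view_name not in VIEWS:
        return "noSuchView"
    return "accessAllowed" if in_view(VIEWS[view_name], as_oid(variable_name)) else "notInView"


if __name__ == "__main__":
    print(is_access_allowed(USM, "monitor", AUTH_NO_PRIV, READ, "", "1.3.6.1.2.1.1.5.0"))      # accessAllowed
    print(is_access_allowed(USM, "netops", AUTH_NO_PRIV, WRITE, "", "1.3.6.1.2.1.1.5.0"))      # noSuchView
    print(is_access_allowed(USM, "helpdesk", AUTH_NO_PRIV, READ, "", "1.3.6.1.2.1.2.2.1.8.1"))  # notInView
```

Two points the tables make concrete: write access for netops exists only at authPriv, so a request authenticated but not encrypted gets noSuchView rather than a write view, and the excluded family for 1.3.6.1.6.3.15 keeps the USM user table out of even the read-write view, so a compromised operator credential cannot enumerate or alter other users' keys through SNMP itself.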

Access control decision (figure)

Recommended Reading and Web Sites

Subramanian, Mani. Network Management. Addison-Wesley, 2000.
Stallings, W. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, 1999.

IETF SNMPv3 working group: http://www.ietf.org/html.charters/snmpv3-charter.html

SNMPv3 Web sites:
http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php