
CSCE 815 Network Security Lecture 17

SNMP
Simple Network Management Protocol

March 25, 2003

Need for Network Management Tools


In the early days of the Arpanet, the predecessor of the Internet, the name service was accomplished by maintaining and distributing one file with all the IP addresses of the network. That is no longer the case (DNS, etc.). As networks increase in size:

1. The network becomes more indispensable to the organization.
2. More things can go wrong, disabling or degrading the performance of portions of the network.

Today a large network cannot be managed without software assistance.


2 CSCE 815 Sp 03

SNMP History

SNMP version 1
- was published in 1988, RFC 1157
- widely accepted

SNMP version 2 added additional functionality
- RFC 1441 (1993)

SNMP v3 added security features
- RFC 3410-3415 (1999)
- http://www.ibr.cs.tu-bs.de/projects/snmpv3/
- http://www.ietf.org/html.charters/snmpv3-charter.html


SNMP v3

- Introduction and Applicability Statements for Internet Standard Management Framework, RFC 3410, Informational, December 2002
- An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks, RFC 3411, STD 62, December 2002
- Message Processing and Dispatching for the Simple Network Management Protocol (SNMP), RFC 3412, STD 62, December 2002
- Simple Network Management Protocol (SNMP) Applications, RFC 3413, STD 62, December 2002
- User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), RFC 3414, STD 62, December 2002
- View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP), RFC 3415, STD 62, December 2002

SNMP Management Station

Components of the SNMP management model:
- Management station: typically a stand-alone device; an interface for the human network manager
- Management agent
- Management information base
- Network management protocol: Get, Set and Notify


SNMP GOALS

- UBIQUITY: PCs AND CRAYs
- INCLUSION OF MANAGEMENT SHOULD BE INEXPENSIVE: SMALL CODE, LIMITED FUNCTIONALITY
- MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE: NEW MIBs
- MANAGEMENT SHOULD BE ROBUST: CONNECTIONLESS TRANSPORT

Resource/reference for next few slides

http://www.simpleweb.org/tutorials/slides-ppt.html

Copyright 2001 by Aiko Pras These sheets may be used for educational purposes

SNMP OPERATION

(Figure: the MANAGER polls the AGENTS (POLLING) and the agents send TRAPS to the manager; each agent maintains a MIB.)

SNMP

(Figure: the MANAGER sends GET / SET requests to the AGENTS and receives TRAP messages from them; each agent maintains a MIB.)

SNMP OPERATION

(Figure: the MANAGER reads and writes the agents' MIB, which consists of TABLES and VARIABLES.)


Basic Concepts of SNMP

A network management system is an integrated collection of tools for network monitoring and control.
- Single operator interface
- Minimal amount of separate equipment
- Software and network communications capability built into the existing equipment


SNMP Management Station

Management station will include:
- an interface for the human network manager for monitoring and controlling the network
- management applications for data analysis and fault recovery
- translation of network manager commands to actual controls of the network
- a database of the MIBs of all managed entities of the network


SNMP Management Agent

Key platforms: hosts, bridges, routers, hubs equipped with an SNMP management agent

SNMP management agent is a program that communicates with the SNMP management station:
1. Responds to requests for information on network status
2. Responds to requests for management actions
3. May asynchronously provide the management station with unsolicited alert information


SNMP Management Information Base

Each network resource is represented as an object (data variable).

Management Information Base (MIB) is the collection of objects that an agent maintains.
- Objects in the MIB are standardized across the type of agent, such as routers, bridges, etc.
- A management station monitors the network by requesting values from the MIBs
- A management station controls the network by setting values in the MIBs of the various agents


SNMP Network Management Protocol

Capabilities of SNMP:
1. Get - get the value of an object from an agent
2. Set - set the value of an object of an agent
3. Notify - agent alerts the management station


Protocol context of SNMP


Notes on SNMP protocol

It was designed to be an application level protocol. It was designed to be easily implemented and to consume modest processor and network resources.

Protocol stack: SNMP over UDP over IP over the data link layer (ethernet). Each agent must implement SNMP, UDP and IP.

SNMP messages:
1. GetRequest
2. GetNextRequest
3. SetRequest
4. GetResponse
5. Trap

SNMP is connectionless (because UDP is).
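The Get, GetNext and Set semantics listed above, modelled in Python as an added example that is not part of the lecture: a toy agent MIB keyed by OID tuples, where GetNext returns the lexicographically next instance, which is what lets a manager walk a table without knowing its indices. The OIDs and values are constructed for illustration.

```python
# Added example (not from the lecture): a toy SNMP agent MIB modelled as a
# dictionary of OID tuples, showing Get / GetNext / Set semantics.
from bisect import bisect_right

# Constructed sample MIB: sysDescr.0 and sysUpTime.0 from the system group
# (1.3.6.1.2.1.1) plus a two-row ifDescr column (1.3.6.1.2.1.2.2.1.2).
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "example-router",
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 123456,
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "eth0",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth1",
}

# Instances whose MAX-ACCESS is read-only; a SetRequest on them must fail.
READ_ONLY = {(1, 3, 6, 1, 2, 1, 1, 1, 0), (1, 3, 6, 1, 2, 1, 1, 3, 0)}

def parse_oid(text):
    """'1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0)"""
    return tuple(int(p) for p in text.strip(".").split("."))

def get(mib, oid):
    """GetRequest: exact instance lookup; None models a noSuchName error."""
    return mib.get(oid)

def get_next(mib, oid):
    """GetNextRequest: the first instance lexicographically greater than oid.
    Python tuple ordering is exactly OID ordering (a prefix sorts first)."""
    keys = sorted(mib)
    i = bisect_right(keys, oid)
    if i == len(keys):
        return None, None          # endOfMibView
    return keys[i], mib[keys[i]]

def set_value(mib, oid, value):
    """SetRequest: only an existing, writable instance may be changed."""
    if oid not in mib or oid in READ_ONLY:
        return False
    mib[oid] = value
    return True

def walk(mib, subtree):
    """Repeated GetNext from the subtree root, stopping as soon as the
    returned OID leaves the subtree (what a manager's walk tool does)."""
    result = []
    oid = subtree
    while True:
        oid, value = get_next(mib, oid)
        if oid is None or oid[:len(subtree)] != subtree:
            return result
        result.append((oid, value))
```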



SNMP Proxies

Not all devices are capable of implementing SNMP (UDP, IP), e.g., bridges, modems etc.

The concept of a proxy was added to accommodate such devices.

SNMPv2 added the capability of running on the OSI as well as the TCP/IP protocol suite.


Proxy Configuration


SNMPv2

The strength of SNMPv1 was simplicity, implying it was easy to implement and configure.

However, deficiencies arose:
1. Lack of support for distributed network management
2. Functional deficiencies
3. Security deficiencies

The first two were addressed by SNMPv2 and the latter by SNMPv3.


SNMP v1 and v2

Trap: an unsolicited message (reporting an alarm condition)

SNMPv1 is connectionless since it utilizes UDP (rather than TCP) as the transport layer protocol.
SNMPv2 allows the use of TCP for reliable, connection-oriented service.


Comparison of SNMPv1 and SNMPv2 (Table 8.1)

SNMPv1 PDU     | SNMPv2 PDU     | Direction                                       | Description
---------------|----------------|-------------------------------------------------|-------------------------------------------
GetRequest     | GetRequest     | Manager to agent                                | Request value for each listed object
GetNextRequest | GetNextRequest | Manager to agent                                | Request next value for each listed object
-----          | GetBulkRequest | Manager to agent                                | Request multiple values
SetRequest     | SetRequest     | Manager to agent                                | Set value for each listed object
-----          | InformRequest  | Manager to manager                              | Transmit unsolicited information
GetResponse    | Response       | Agent to manager or Manager to manager (SNMPv2) | Respond to manager request
Trap           | SNMPv2-Trap    | Agent to manager                                | Transmit unsolicited information


SNMPv1 Community Facility

SNMP provides only rudimentary security through the concept of community.

SNMP community: relationship between an SNMP agent and SNMP managers.
- Maintained locally on the agent
- List of managers with associated access privileges

Each agent controls its MIB; aspects of this control:
- Authentication service: which manager can access/control
- Access policy
- Proxy service: this may involve implementing the authentication service for other devices



SNMP Access Policy

SNMP MIB view: a subset of the objects

SNMP access modes: Read-Only, Read-Write

SNMP community profile = SNMP MIB view + access mode

SNMP access policy = SNMP community + SNMP community profile

SNMPv1 Administrative Concepts


SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferably) or possibly SNMPv1.


SNMPv3 Architecture

Consists of a distributed collection of SNMP entities. Each SNMP ENTITY contains:

SNMP APPLICATIONS
- COMMAND GENERATOR
- COMMAND RESPONDER
- NOTIFICATION ORIGINATOR
- NOTIFICATION RECEIVER
- PROXY FORWARDER
- OTHER

SNMP ENGINE
- DISPATCHER
- MESSAGE PROCESSING SUBSYSTEM
- SECURITY SUBSYSTEM
- ACCESS CONTROL SUBSYSTEM


SNMP Manager

(Figure: a manager entity. Applications: COMMAND GENERATOR, NOTIFICATION RECEIVER. Engine: PDU DISPATCHER and MESSAGE DISPATCHER; MESSAGE PROCESSING SUBSYSTEM with SNMPv1, SNMPv2C, SNMPv3 and OTHER message processing models; SECURITY SUBSYSTEM with COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL and OTHER SECURITY MODEL; TRANSPORT MAPPINGS.)


SNMP Agent

(Figure: an agent entity. MANAGEMENT INFORMATION BASE; applications: COMMAND RESPONDER, NOTIFICATION ORIGINATOR; ACCESS CONTROL SUBSYSTEM with VIEW BASED ACCESS CONTROL; PDU DISPATCHER and MESSAGE DISPATCHER; MESSAGE PROCESSING SUBSYSTEM with SNMPv1, SNMPv2C, SNMPv3 and OTHER message processing models; SECURITY SUBSYSTEM with COMMUNITY BASED SECURITY MODEL, USER BASED SECURITY MODEL and OTHER SECURITY MODEL; TRANSPORT MAPPINGS.)


SNMPv3 Flow


PRIMITIVES BETWEEN MODULES

(Figure: the modules of the manager-side and agent-side SNMP entities, APPLICATIONS, ACCESS CONTROL SUBSYSTEM, DISPATCHER, SECURITY SUBSYSTEM and MESSAGE PROCESSING SUBSYSTEM, exchange primitives carrying the parameters below.)

Parameters: contextEngineID, contextName, destTransportAddress, destTransportDomain, expectResponse, globalData, maxMessageSize, maxSizeResponseScopedPDU, messageProcessingModel, outgoingMessage, outgoingMessageLength, PDU, pduType, pduVersion, scopedPDU, stateReference, statusInformation, securityEngineID, securityLevel, securityModel, securityName, securityParameters, securityStateReference, sendPduHandle, transportAddress, transportDomain, variableName, viewType, wholeMsg, wholeMsgLength


(The following slides step through the same figure, highlighting in turn the primitive used at each stage of one request/response exchange.)

Request, manager side:
- sendPdu
- prepareOutgoingMessage
- generateRequestMsg
- send / receive

Request, agent side:
- prepareDataElements
- processIncomingMsg
- processPdu
- isAccessAllowed
- returnResponsePdu
- prepareResponseMessage
- generateResponseMsg
- send / receive

Response, manager side:
- prepareDataElements
- processIncomingMsg
- processResponsePdu

SNMPv3 Message Format with USM


User Security Model (USM)

Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure

Not intended to secure against:
- Denial of Service (DoS attack)
- Traffic analysis


Key Localization Process
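The key localization process of USM, as an added example not taken from the lecture: the password-to-key and key localization steps of RFC 3414 Appendix A.2, with the RFC's own MD5 test vector (password maplesyrup, engineID 000000000000000000000002) embedded as sample input. Localizing with the agent's snmpEngineID is what keeps one shared password from yielding the same key on every agent.

```python
# Added example (not from the lecture): USM password-to-key and key
# localization as specified in RFC 3414, Appendix A.2. The password and
# engineID below are the RFC's published test vector, not real credentials.
import hashlib

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: stretch the password by repeating it cyclically to 1,048,576
    bytes and hashing once. This Ku is identical on every engine."""
    total = 1048576
    reps, rem = divmod(total, len(password))
    h = hashlib.new(hash_name)
    h.update(password * reps + password[:rem])
    return h.digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku). A different engineID gives a
    different Kul, so a key recovered from one agent does not work on another."""
    h = hashlib.new(hash_name)
    h.update(ku + engine_id + ku)
    return h.digest()

def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Convenience wrapper: password and agent engineID straight to Kul."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)

# RFC 3414 A.3.1 test vector (HMAC-MD5-96 authentication key).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    ku = password_to_key(RFC_PASSWORD)
    print("Ku  =", ku.hex())
    print("Kul =", localize_key(ku, RFC_ENGINE_ID).hex())
    # Same password, a different (constructed) engineID: a different Kul.
    print("Kul'=", localized_key(RFC_PASSWORD, bytes.fromhex("000000000000000000000003")).hex())
```

Pass hash_name="sha1" for the SHA-based variant of the same two steps; the digest is then 20 bytes instead of 16.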


View-Based Access Control Model (VACM)

VACM has two characteristics:
- Determines whether access to a managed object should be allowed.
- Makes use of a MIB that:
  - Defines the access control policy for this agent.
  - Makes it possible for remote configuration to be used.
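The access decision, as an added example that is not from the lecture or any SNMP implementation: a small Python model of VACM's isAccessAllowed, taking the securityModel, securityName, securityLevel, viewType, contextName and variableName parameters named on the primitives slide. It also covers the SNMPv1 community-profile idea of MIB view + access mode from the access policy slide, which VACM generalizes into per-group read/write/notify views. The vacmAccessTable selection rule is simplified, and every user, group, view name and OID is constructed.

```python
# Added example (not from the lecture or any SNMP implementation): a compact
# model of VACM's isAccessAllowed decision (RFC 3415) built from the three
# tables the VACM MIB defines. All names and OIDs are constructed.
NOAUTH_NOPRIV, AUTH_NOPRIV, AUTH_PRIV = 1, 2, 3   # securityLevel, ordered
USM = 3                                           # securityModel value for USM

class ViewFamily:
    """One vacmViewTreeFamilyTable row: subtree, bit mask, included/excluded."""
    def __init__(self, subtree, mask=(), included=True):
        self.subtree, self.mask, self.included = tuple(subtree), tuple(mask), included

    def matches(self, oid):
        # Every sub-identifier of the subtree must equal the OID's, except at
        # positions whose mask bit is 0 (wildcard, e.g. a table column).
        if len(oid) < len(self.subtree):
            return False
        return all((i < len(self.mask) and self.mask[i] == 0) or oid[i] == sub
                   for i, sub in enumerate(self.subtree))

def in_view(view, oid):
    """The longest matching subtree wins; its included flag is the answer."""
    best = max((e for e in view if e.matches(oid)),
               key=lambda e: len(e.subtree), default=None)
    return best is not None and best.included

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
GROUPS = {(USM, "monitor"): "readers", (USM, "netops"): "operators"}
# vacmAccessTable: (groupName, contextPrefix, securityModel, securityLevel) -> view per viewType
ACCESS = {
    ("readers", "", USM, AUTH_NOPRIV): {"read": "public"},
    ("operators", "", USM, AUTH_PRIV): {"read": "all", "write": "if-row1"},
}
SYSTEM, INTERFACES, ENTERPRISES = (1, 3, 6, 1, 2, 1, 1), (1, 3, 6, 1, 2, 1, 2), (1, 3, 6, 1, 4, 1)
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
# vacmViewTreeFamilyTable: viewName -> families
VIEWS = {
    "public":  [ViewFamily(SYSTEM), ViewFamily(INTERFACES)],
    "all":     [ViewFamily((1,)), ViewFamily(ENTERPRISES, included=False)],
    # any column of ifEntry but only row (index) 1: the mask wildcards the column
    "if-row1": [ViewFamily(IF_ENTRY + (0, 1), mask=(1,) * len(IF_ENTRY) + (0, 1))],
}

def is_access_allowed(securityModel, securityName, securityLevel,
                      viewType, contextName, variableName):
    """Returns a statusInformation string, as the abstract service interface does."""
    group = GROUPS.get((securityModel, securityName))
    if group is None:
        return "noGroupName"
    # Simplified vacmAccessTable selection: matching group, model and context
    # prefix, at the highest configured securityLevel not above the message's.
    # A message sent at a lower level than configured therefore gets no entry.
    rows = [(lvl, v) for (g, ctx, m, lvl), v in ACCESS.items()
            if g == group and m == securityModel
            and contextName.startswith(ctx) and lvl <= securityLevel]
    if not rows:
        return "noAccessEntry"
    view_name = max(rows, key=lambda r: r[0])[1].get(viewType)
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if in_view(VIEWS[view_name], variableName) else "notInView"
```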


Access control decision


Recommended Reading and Web Sites

- Subramanian, Mani. Network Management. Addison-Wesley, 2000
- Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999

IETF SNMPv3 working group (Web sites)
- http://www.ietf.org/html.charters/snmpv3-charter.html

SNMPv3 Web sites
- http://www.simpleweb.org/tutorials/slides-ppt.html
- http://www.sans.org/rr/netdevices/SNMP_sec.php
