
Network Management Security
Behzad Akbari
Fall 2009
In the Name of the Most High

Outline

- Basic Concepts of SNMP
- Network Management Architecture
- SNMPv1 Community Facility
- SNMPv3
- Recommended Reading and Web Sites

Basic Concepts of SNMP

- As networks grow larger they become more indispensable to the organization, and more things can go wrong, disabling the network to an unacceptable level.
- A large network is too complex to be managed by human effort alone and requires automated network management tools, such as the Simple Network Management Protocol (SNMP).

Basic Concepts of SNMP: Network Management Architecture

- A network management system is an integrated collection of tools for network monitoring and control:
  - Single operator interface
  - Minimal amount of separate equipment: the software and network communications capability are built into the existing equipment
- Active elements of the network provide regular feedback of status information to the network control center.

SNMP Architecture

SNMP key elements:
- Management station: often a stand-alone device, which serves as the human interface
- Management agent: responds to requests for information from the management station
- Management information base (MIB): the collection of access points at the agent for the station
- Network management protocol: links the station and agents and includes:
  - Get: retrieve the value of objects at the agent
  - Set: set the value of objects at the agent
  - Notify: notifies the station of significant events

Network Management Protocol Architecture

- 1988: SNMP became dominant
- Most vendors of routers, workstations, PCs, etc. offer SNMP agent packages that allow their products to be managed by an SNMP management station
- SNMP is easily implemented and uses minimal processor and network resources

Network Management Protocol Architecture

- SNMP is designed to be an application-level protocol that is part of TCP/IP
- It is intended to operate over the User Datagram Protocol (UDP)
- Each agent must implement SNMP, UDP, and IP

Protocol Context of SNMP

- Three types of messages are issued: GetRequest, GetNextRequest, SetRequest
- All are acknowledged by GetResponse
- An agent may issue a trap message in response to an event


Protocol context of SNMP

Protocol Context of SNMP

- SNMP relies on UDP, which is connectionless, and SNMP is itself connectionless.
- No connections are maintained between a management station and an agent.

Proxies

- Proxies were developed for devices that do not support UDP or do not implement SNMP.
- An SNMP agent acts as a proxy for one or more other devices.
- The management station sends queries to the proxy agent, which converts them to the management protocol used by the device.
- When the proxy agent receives a reply, it passes it to the management station.


Proxy Configuration

SNMP v1 and v2

- Trap: an unsolicited message (reporting an alarm condition)
- SNMPv1 is "connectionless" since it uses UDP (rather than TCP) as the transport layer protocol.
- SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.
- Any device that does not run SNMPv2 must be managed by proxy.

SNMPv2

- The strength of SNMP is its simplicity: SNMP provides a basic set of tools that is easy to implement and configure.
- Deficiencies become apparent in large networks:
  - Lack of support for distributed network management
  - Functional deficiencies
  - Security deficiencies (addressed in SNMPv3)

Distributed Network Management

- One host has the function of a management station; two or three others may have a back-up role.
- The remaining devices contain agent software and a MIB to allow monitoring and control from the management station.
- MIB (Management Information Base): a database of objects that can be monitored by a network management system.
- As the network grows in size this becomes unmanageable, and a decentralized management scheme works best.


Decentralized (Distributed) Network Management

- Multiple top-level management stations or management servers
- Each server manages a pool of agents or delegates the management to an intermediate manager
- The intermediate manager monitors and controls its agents
- Spreads the processing burden and reduces total network traffic

SNMPv2

- SNMPv2 supports either a centralized strategy or a distributed one.
- Some systems operate both in the role of manager and in the role of agent.
- Some commands require the agent to act as a proxy for remote devices: the proxy assumes the role of manager to access information at the remote device, then, as an agent, passes the information to a superior manager.

Functional Enhancements

- SNMPv1: 5 commands (GetRequest, GetNextRequest, SetRequest, GetResponse, Trap), issued as protocol data units (PDUs)
- SNMPv2: all 5 commands from v1, plus two new ones:
  - Inform: sent from one management station to another
  - GetBulk: allows a manager to retrieve a large block of data at once
- Get is atomic in SNMPv1 but not in SNMPv2, where it may return partial results

Comparison of SNMPv1 and SNMPv2

| Description                               | Direction                                       | SNMPv2 PDU     | SNMPv1 PDU     |
|-------------------------------------------|-------------------------------------------------|----------------|----------------|
| Request value for each listed object      | Manager to agent                                | GetRequest     | GetRequest     |
| Request next value for each listed object | Manager to agent                                | GetNextRequest | GetNextRequest |
| Request multiple values                   | Manager to agent                                | GetBulkRequest | ---            |
| Set value for each listed object          | Manager to agent                                | SetRequest     | SetRequest     |
| Transmit unsolicited information          | Manager to manager                              | InformRequest  | ---            |
| Respond to manager request                | Agent to manager or manager to manager (SNMPv2) | Response       | GetResponse    |
| Transmit unsolicited information          | Agent to manager                                | SNMPv2-Trap    | Trap           |

SNMPv1 Community Facility

- SNMP community: a relationship between an SNMP agent and SNMP managers, defined locally at the agent.
- Three aspects of agent control:
  - Authentication service: the agent may limit access to the MIB to authorized managers
  - Access policy: the agent may give different access privileges to different managers
  - Proxy service: the agent may act as a proxy to other agents
- All of these raise security concerns.


SNMPv1 Administrative Concepts


SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2

SNMPv3

- SNMPv3 is not a stand-alone replacement for versions 1 and 2.
- SNMPv3 defines a security capability to be used with SNMPv2 (preferred) or SNMPv1.
- It describes an architecture for current and future versions of SNMP.
- It is like SNMPv2 with security and administrative capabilities.

SNMPv3 Architecture

- Modular architecture:
  - Allows implementation over a wide range of operational environments
  - Makes it possible to move portions of the architecture forward in the standards track even if consensus is not reached on all pieces
  - Accommodates alternate security modes

SNMP Entity

- Each SNMP entity includes a single SNMP engine.
- The engine implements functions for sending and receiving messages, authenticating, encrypting and decrypting messages, and controlling access to managed objects.
- Both the engine and the applications are collections of discrete modules.

SNMP Entity

- This architecture provides advantages:
  - The role of an entity is determined by which modules are implemented in the entity
  - The modular structure lends itself to defining different versions of each module, which makes it possible to define alternative or enhanced capabilities
  - It clearly specifies coexistence and transition strategies

Traditional SNMP Manager

- The manager interacts with agents by issuing commands (Get, Set) and by receiving trap messages.
- The manager may also interact with other managers by issuing InformRequest PDUs, which provide alerts, and by receiving InformResponse PDUs, which acknowledge an InformRequest.

Traditional SNMP Manager

- Includes three categories of applications:
  - Command Generator Applications: monitor and manipulate management data at remote agents (using SNMPv1 or SNMPv2)
  - Notification Originator Applications: originate asynchronous messages (using InformRequest)
  - Notification Receiver Applications: process incoming asynchronous messages


Traditional SNMP Manager

Traditional SNMP Manager

- The SNMP engine performs two functions:
  - Accepts outgoing PDUs from SNMP applications, performs the necessary processing, including inserting authentication codes and encrypting, and encapsulates them for transmission
  - Accepts incoming SNMP messages from the transport layer, performs the necessary processing, including checking authentication codes and decrypting, extracts the PDUs and passes them on to SNMP applications

SNMP Engine Contains

- A Dispatcher: a simple traffic manager. For outgoing traffic it accepts PDUs, determines the type of processing required and passes them to the Message Processing Subsystem; for incoming messages from the transport layer it routes them to the appropriate application.
- A Message Processing Subsystem: wraps PDUs in messages and returns them to the Dispatcher
- A Security Subsystem: performs authentication and encryption

Traditional SNMP Agent

- Contains three types of applications:
  - Command Responder: provides access to management data
  - Notification Originator: initiates asynchronous messages
  - Proxy Forwarder: forwards messages between applications


Traditional SNMP Agent


SNMPv3 Flow

SNMPv3 Message Format with USM

User Security Model (USM)

- Designed to secure against:
  - Modification of information
  - Masquerade
  - Message stream modification
  - Disclosure
- Not intended to secure against:
  - Denial of service (DoS attacks)
  - Traffic analysis


Key Localization Process
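The key localization step of USM, as an added example (not part of the lecture slides), following RFC 3414 Appendix A: the password-to-key stretch, localization to one engine ID, and the truncated HMAC that the localized key authenticates. The password and engine ID are the RFC's published test-vector values, not operational secrets.

```python
# Added example, not from the lecture: USM key localization as specified in
# RFC 3414 Appendix A, plus the HMAC-96 authentication tag that the localized
# key protects. The engine ID and password below are the RFC's test-vector values.
import hashlib
import hmac

def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated to fill exactly 1,048,576 bytes).
    The repetition is a deliberate work factor against password guessing."""
    pw = password.encode("ascii")
    buf = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(hash_name, buf).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one user password, a distinct key per agent,
    so the key table stored on one agent is of no use against another agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def auth_params(kul: bytes, msg_with_zeroed_params: bytes, hash_name: str = "md5") -> bytes:
    """usmHMACMD5AuthProtocol / usmHMACSHAAuthProtocol: HMAC over the whole message
    (msgAuthenticationParameters set to 12 zero bytes), truncated to 96 bits."""
    return hmac.new(kul, msg_with_zeroed_params, hash_name).digest()[:12]

def keys_per_engine(password: str, engine_ids: list, hash_name: str = "md5") -> dict:
    """Derive the localized key a manager must use for each agent it talks to."""
    ku = password_to_key(password, hash_name)
    return {eid.hex(): localize_key(ku, eid, hash_name) for eid in engine_ids}

# RFC 3414 A.3.1 inputs (published test vector, not secrets).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = "maplesyrup"
```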

View-Based Access Control Model (VACM)

- VACM has two characteristics:
  - It determines whether access to a managed object should be allowed.
  - It makes use of a MIB that:
    - Defines the access control policy for this agent.
    - Makes it possible for remote configuration to be used.


Access control decision
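The VACM decision of the last two slides as an added example (not part of the lecture slides): view-membership matching from RFC 3415 with a constructed policy and a simplified group-to-view access table; the security model and security level lookups of the real vacmAccessTable are assumed fixed and omitted.

```python
# Added example, not from the lecture: the access decision VACM makes, reduced to
# the view-membership rule of RFC 3415 (vacmViewTreeFamilyTable) and a simplified
# access table keyed by group and operation; security model/level are assumed fixed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ViewEntry:
    view: str
    subtree: tuple          # OID as a tuple of sub-identifiers
    included: bool          # vacmViewTreeFamilyType: included / excluded
    mask: bytes = b""       # bit i = 1: sub-id i must match; absent bits count as 1

def _matches(entry: ViewEntry, oid: tuple) -> bool:
    if len(oid) < len(entry.subtree):
        return False
    for i, arc in enumerate(entry.subtree):
        byte, bit = i // 8, 7 - i % 8
        fixed = byte >= len(entry.mask) or (entry.mask[byte] >> bit) & 1
        if fixed and oid[i] != arc:
            return False
    return True

def in_view(policy: list, view: str, oid: tuple) -> bool:
    """Most specific match wins: longest subtree, then lexicographically greatest."""
    cands = [e for e in policy if e.view == view and _matches(e, oid)]
    if not cands:
        return False
    return max(cands, key=lambda e: (len(e.subtree), e.subtree)).included

# Constructed policy: "internet" is everything under 1.3.6.1 except the USM and
# VACM MIBs themselves; "sysonly" is the system group; "if3" is every column of
# the ifTable row for ifIndex 3 (the mask wildcards sub-id 9, the column number).
POLICY = [
    ViewEntry("internet", (1, 3, 6, 1), True),
    ViewEntry("internet", (1, 3, 6, 1, 6, 3, 15), False),
    ViewEntry("internet", (1, 3, 6, 1, 6, 3, 16), False),
    ViewEntry("sysonly", (1, 3, 6, 1, 2, 1, 1), True),
    ViewEntry("if3", (1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3), True, b"\xff\xa0"),
]
ACCESS = {  # group -> {operation: view name}; a missing entry means noSuchView
    "ops": {"read": "internet", "write": "sysonly"},
    "monitor": {"read": "if3"},
}

def is_access_allowed(group: str, op: str, oid: tuple) -> bool:
    view = ACCESS.get(group, {}).get(op)
    return view is not None and in_view(POLICY, view, oid)
```

Excluding the USM and VACM subtrees from the general read view is the usual precaution, so that a manager with broad monitoring rights cannot read the agent's own security configuration.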

Recommended Reading and Web Sites

- Subramanian, Mani. Network Management. Addison-Wesley, 2000.
- Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999.
- IETF SNMPv3 working group (Web sites)
- SNMPv3 Web sites