Embed Size (px)
Citation preview
Agenda
1. QUIZ 2. SNMP 3. SNMPv2 4. SNMPv3
Managed
Object
SNMP Management-Two Tier
MIB
Managed Objects
Manager
agent
Manager
Anything that pulsesthe managed object getsa response
Managed
Object
SNMP Management-Three Tier
MIB
Managed Objects
Manager
agent
Manager
Remote Monitoring(RMON) can addpreprocessed data froma probe extension
RMON Probe
Managed
Object
SNMP Management-Proxy Server
MIB
Managed Objects
Manager
agent
Manager
Server monitors objectswithout agents by converting data into compatible formats
RMON Probe
Wireless LAN
Proxy Server
SNMP Background
Management Information Base (MIB) tree:1. Defined by ISO Abstract Syntax Notation One (ISO ASN.1).2. Each piece of info in the ASN.1 tree is a labeled node.
a. Each labeled node contains an object identifier (a seriesof integers and periods) and a short text description.
b. Labeled nodes have subtrees or leaf nodes or they havea value known as an object. Root
Directory
ccitt(0) iso(1) joint-iso-ccitt(2)
org(3) Object Identifier 1.3
ASN.1 Syntax (for MIB )1.3.6.1.2.11= ?
org(3)
dod(6)
Internet(1)
directory(1)
management(2)
experimental(3) private(4)
iso(1)
system(1) interfaces(2) at(3) ip(4) icmp(5) tcp(6)
system(1) interfaces(2) address translation(3) ip(4) icmp(5) tcp(6) udp(7) egp(8) cmot(9) tsmsn(10) snmp(11)
mib(1)
mib(2)
SNMP
SNMP MESSAGE TYPESType Purpose
Get-Request To retrieve information from a network device that has an SNMP agent
Get-Response Provide a response from the SNMP agent to an SNMP station
Get-Next-Request To retrieve the next specific object from atable in lexigraphical order
Set-Request To remotely configure parameters on a device
SNMP
SNMP TRAP TYPESType Indication
Coldstart of a system Agent is reinitializing itself since its configuration has changed
Warmstart of a system Agent is reinitializing itself but itsconfiguration has not changed
Link down Link failureLink up Link restoralFailure of Authentication Request does not have proper authentication
e.g., wrong SNMP community stringEGP neighbor loss Exterior Gateway protocol neighbor goneEnterprise specific Specific to vendor implementing it
SNMP Network Management Architecture
SNMPUDPIPData LinkPhysical
MDB
SNMP MGRSNMP Manager
Application
get-
requ
est
get-
next
-req
uest
set-
requ
est
get-
resp
onse
trap
SNMPUDPIPData LinkPhysical
SNMP AgentSNMP Manager
Application
get-
requ
est
get-
next
-req
uest
set-
requ
est
get-
resp
onse
trap
SNMPv2
SNMP DRAWBACKS1. Officially standardized only for use on IP networks2. Inefficient for large table retrievals3. Uses cleartext strings for security, leaving it relatively unsecure4. Standards are always necessary but never sufficient
SNMPv2 FEATURES INCLUDE:1. Additions to the SMI2. New Message types3. Standardized multiprotocol support4. Enhanced security5. New MIB objects6. Backward compatibility
SNMPv2
Request For Comment (RFC) StandardsRFC Description
1442 Updated SMI1443 New textual conventions1445 Administrative model1446 Security protocols1447 Party MIB1448 Protocol operations1450 SNMPv2 MIB1592 SNMP Distributed Protocol Interface
SNMPv2
SNMP MESSAGE TYPESType Purpose
Get-Request To retrieve information from a network device that has an SNMP agent
Get-Response Provide a response from the SNMP agent to an SNMP station
Get-Next-Request To retrieve the next specific object from atable in lexigraphical order
Set-Request To remotely configure parameters on a device
InformRequest Provide mgr-to-mgr communicationsGetBulkRequest Request multiple retrievals of an object
(Get-Next-Request asking for multiple #s)
SNMPv2 MIBs
SNMP uses three management information bases
• SNMPv2 MIB
• Manager-to-manager MIB
• Party MIBJMNS*
JCRD*
SNMPv2 MIBs
SNMPv2 MIB GROUPSName Provides Objects To:
SNMPv2 Statistics Group Give stats about manager or agent, mostlymsgs that could not be processed
SNMPv1 Statistics Group Give stats about manager or agent thatcommunicates with SNMPv1
PurposeObject Resource Group Provide information that defines which
objects an agent can define dynamicallyTraps Group Provides information about each of the
traps an agent can sendSet Group Provides a single object that allows
multiple managers to send SNMP Setmessages to a single agent (set serial #)
SNMPv2 MIBs
MANAGER-TO-MANAGER MIB GROUPSName PURPOSE
The Alarm Group The objects in this group allow you todefine two thresholds over a duration of time
The Event Group The objects in this group allow you todefine events. It has two tables,one to specify the type of notification the probe should invokewhen the event triggers and the second to log the event.
SNMPv2 MIBs
PARTY MIB Name PURPOSE
The Party Database Group Information which is stored on thedevice about all known local andremote parties.
The Contexts Database Group Deal with privileges
The Access Privileges Database Group between manager and agent, e.g., localMIB View Database Group and remote contexts, access control policies,
defined MIB views, etc.
SNMPv3 Architecture
The third version of the Simple Network Management Protocol (SNMPv3) was Published as proposed standard in RFCs 2271 to 2275 in January 1998. This version is build upon the two first versions of SNMP and so it reuses the SNMPv2 standards documents (RFC 1902 to RFC 1908).
The architecture of SNMPv3 is more complex than that of previous versions. This is because of added security and enhanced functionality.
Some of the most recent SNMPv3 documents are:RFC 2571 An Architecture for Describing SNMP Management
Frameworks RFC 2572 Message Processing and Dispatching for SNMP RFC 2573 SNMPv3 ApplicationsRFC 2574 User-Based Security Model for SNMPv3RFC 2575 View-Based Access Control Model (VCAM) for SNMPInternet Draft Introduction to Version 3 of the Internet Network
Management FrameworkNote: All released in December 2002
SNMPv3 Design Goals
The following design goals guided the development of SNMP architecture.
Use existing material as much as possible. Address the need for SET REQUEST message support Move portions of the architecture forward in the standards track. Design an architecture that allows implementation over a wide range of
operational environments. Keep SNMP as simple as possible Make it relatively inexpensive to deploy a minimal conforming
implementation. Make it possible to upgrade portions of SNMP as new approaches become
available. Accommodate alternate security models in large networks.
Design Decisions MadeBased on the goals, a number of decisions were made.
Architecture: Identify the conceptual boundaries between the documents. Describe the abstract services provided by specific portions of an SNMP
framework. Abstract service interfaces, define the abstract boundaries between
documents and abstract services provided by an SNMP framework.
Self-contained documents: Elements of procedure plus the MIB objects which are needed for processing
for a specific portion of an SNMP framework should be defined in the same document and, as much as possible, should not be referenced in other documents.
As portions of SNMP change over time, the documents describing other portions of SNMP should not change.
Design Decisions Made (cont.)
Remote Configuration: Frequent changes of secrets at various SNMP entities should be deployable in
large operational environments. These SNMP parameters must be able to be remotely configured.
Controlled complexity: Keep the resources used by SNMP devices to a minimum. Use resources for more complex configurations which provide more
functionality
Threats: The security model in the security subsystem should protect against the
principal threats.
Principal threats
SNMPv3 is designed to secure against the following principal threats:
Modification of Information: An entity could alter an in-transit message generated by an authorized entity in
such a way as to affect unauthorized management operations, including the settings of object values.
Masquerade: Management operations that are not authorized for some entity may be
attempted by that entity by assuming the identity of an authorized entity.
Principal threats (cont.)
Message Stream Modification:Message Stream Modification:SNMP messages could be reordered, delayed, or replayed (duplicated) to effect unauthorized management operations.
Disclosure:Disclosure:Eavesdropping on the exchanges between two SNMP entities.
SNMP is NOT intended to secure against the following two threats:
Denial of Service:Denial of Service:An attacker/hacker may prevent exchanges between manager and agent.
Traffic Analysis:Traffic Analysis:An attacker/hacker may observe the general pattern of traffic between managers and agents.
SNMP Entities (architecture)
The SNMP architecture consists of distributed, interacting collection of SNMP entities.
Each entity implements a portion of the SNMP capability and may act as an agent node, a manager node, or a combination of the two.
Each SNMP entity consists of a collection of modules that interact with each other to provide services.
Each SNMP entity includes a single SNMP engine. The engine implements functions for sending and receiving messages,
authenticating and encrypting/decrypting messages, and controlling access to managed objects.
The role of an SNMP entity is determined by which modules are implemented in that entity.
SNMP entity (RFC 2271)
Command Generator
Notification Receiver
Proxy Forwarder
Command Responder
OtherNotification Originator
DispatcherMessage
Processingsubsystem
Securitysubsystem
Accesscontrol
subsystem
SNMP Engine (identified by SNMPEngineID)
Application(s)
SNMP (architecture)
Dispatcher subsystem: One dispatcher in an SNMP engineOne dispatcher in an SNMP engine transport mapper delivers messages over the
transport protocol. Handles multiple version messagesHandles multiple version messages
- Determines version of a message and interacts with corresponding module
Interfaces with application modules, network, and Interfaces with application modules, network, and message processing modelsmessage processing models
Three components for three functionsThree components for three functions– Transport mapper delivers messages over the Transport mapper delivers messages over the
transport protocoltransport protocol– Message Dispatcher routes messages between Message Dispatcher routes messages between
network and appropriate module of MPSnetwork and appropriate module of MPS– PDU dispatcher handles messages between PDU dispatcher handles messages between
application and MSPapplication and MSP
SNMP (architecture cont.)
Message Processing Subsystem: Contains one or more Message Processing ModelsContains one or more Message Processing Models Interacts with dispatcher to handle version-specific SNMP Interacts with dispatcher to handle version-specific SNMP
messagesmessages One MPS for each SNMP versionOne MPS for each SNMP version SNMP version identified in the headerSNMP version identified in the header
Security and Access Control Subsystem:Security and Access Control Subsystem: Security at the message levelSecurity at the message level
– Authentication Authentication – Privacy of message via secure communicationPrivacy of message via secure communication
Flexible access controlFlexible access control– Who can accessWho can access– What can be accessedWhat can be accessed– Flexible MIB viewsFlexible MIB views
SNMP Manager
A software application that runs on a UNIX, PC or Macintosh computer.
In SNMPv3, SNMP manager includes three categories:
The Command Generator Applications: It monitors and manipulates management data at remote agents.
Notification Originator application:It initiates asynchronous messages
Notification Receiver Application:It processes incoming asynchronous messages and responds to them with a Response PDU
All these applications use the services provided by the SNMP engine.
SNMP Manager
NOTIFICATIONRECEIVER
COMMANDGENERATOR
PDUDISPATCHER
COMMUNITY BASEDSECURITY MODEL
USER BASEDSECURITY MODEL
OTHERSECURITY MODEL
SECURITY SUBSYSTEM
SNMPv1
SNMPv2C
SNMPv3
OTHER
MESSAGE PROCESSINGSUBSYSTEM
MESSAGEDISPATCHER
TRANSPORTMAPPINGS
SNMP Engine
The SNMP engine performs two major functions:
It accepts outgoing PDUs from SNMP applications, performs the necessary processing, including inserting authentication codes and encrypting, and then encapsulates the PDUs into messages for transmission.
It accepts incoming SNMP messages from the transport layer, performs the necessary Processing, including authentication and decryption, and than extracts the PDUs from the messages and passes these on to the appropriate SNMP application.
SNMP Agent
Agents are any devices on the network that need to be managed and that
have the SNMP protocol and the Management Information Base.
Agents monitor the desired objects in their environment. Package this information from objects in the appropriate
manner. Send it to the management station either immediately or upon
request.
Information is generated by the Agent, stored in its MIB, and made available
to the Manager.
The SNMP agent contains three types of applications:
1. Command Responder Application provides access to management data.
2. Notification Originator Application initiates asynchronous messages.
3. Proxy Forwarder Application forwards messages between entities.
SNMP Agent
PDUDISPATCHER
COMMUNITY BASEDSECURITY MODEL
USER BASEDSECURITY MODEL
OTHERSECURITY MODEL
SECURITY SUBSYSTEM
SNMPv1
SNMPv2C
SNMPv3
OTHER
MESSAGE PROCESSINGSUBSYSTEM
MESSAGEDISPATCHER
TRANSPORTMAPPINGS
MANAGEMENT INFORMATION BASE
VIEW BASEDACCESS CONTROL
ACCESS CONTROL SUBSYSTEM
NOTIFICATIONORIGINATOR
COMMANDRESPONDER
SNMPv3 Message Formats
MsgVersion
HeaderData
MsgSecurity Parameters
ScopedPDU Data
MsgID
MsgMax Size
MsgFlags
MsgSecurity Model
ContextEngine ID
ContextName
Data
Encrypted PDU
Encrypted scopedPDU (cyphertext)
or
scopedPDU(plaintext)
SNMPv3 Message
SNMP Applications:
CommandGenerator
Notification Receiver
Proxy Forwarder
CommandResponder
Notification Originator
Other
Application(s)
ApplicationApplication ExampleExample Command generator Command generator get-requestget-request Command responderCommand responder get-responseget-response Notification originatorNotification originator trap generationtrap generation Notification receiverNotification receiver trap processingtrap processing Proxy ForwarderProxy Forwarder get-bulk to get-nextget-bulk to get-next
(SNMP versions only)(SNMP versions only) OtherOther Special applicationSpecial application
SNMP Applications: (cont.)
There are no restrictions on which types of applications may be associated with a particular SNMP engine. A single SNMP engine may, in fact, be associated with both command generator and command responder applications.
Command Generator Applications:
These applications monitor and manipulate management data.
Command generator application initiates SNMP Get, GetNext,
GetBulk, and/or Set requests, as well as processing the response to a request which it generated.
The Dispatcher is responsible for delivering the response to a particular request to the correct command generator application.
Command Generator
Command Generator Dispatcher
MessageProcessing Model
SecurityModel
sendPDU prepareOutgoi
ngMessages generateRequestMsg
sendPDUHandle
Network
Send get-request msg
Receive get-response msg
prepareDataElementsprocessIncomingMsg
processResponsePDU
SNMP Applications: (cont.)
Command Responder Applications:
These applications provide access to management data.
Command responder application receives SNMP Get, GetNext, GetBulk, and/or Set requests destined for the local system as indicated by the fact that the contextEngineID in the received request is equal to that of the local engine through which the request was received.
The command responder application will perform the appropriate protocol operation, using access control, and will generate a response message to be sent to the request's originator.
Command ResponderCommand Generator Dispatcher
MessageProcessing Model
SecurityModel
processPDU
registerContext EngineID
Network
Receive get-request msg
Send get-response msg
processResponsePDU
prepareResponseMsg
generateResponseMsg
prepareDataElementsprocessIncomingMsg
SNMP Applications: (cont.)
Notification Originator Applications:
These applications initiate asynchronous messages.
A notification originator application conceptually monitors a system for particular events or conditions, and generates Trap and/or Inform messages based on these events or conditions.
A notification originator must have a mechanism for determining where to send messages, and what SNMP version and security parameters to use when sending messages.
The particular mechanism used is implementation dependent.
SNMP Applications: (cont.)
Notification Receiver Applications:
These applications process asynchronous messages.
A notification receiver application listens for notification messages, and generates response messages when a message containing an Inform PDU is received.
These applications receive SNMP Notification messages from the Dispatcher.
Before any messages can be received, the notification receiver must register with the Dispatcher.
Once the notification receiver has registered with the Dispatcher, messages are received using the processPdu abstract service interface.
SNMP Applications: (cont.)
Proxy Forwarder Applications:
They forward SNMP messages between entities.
Implementation of a proxy forwarder application is optional.
Proxy forwarder application forwards requests and/or notifications to other SNMP engines according to the context, and irrespective of the specific managed object types being accessed, and forwards the response to such previously forwarded messages back to the SNMP engine from which the original message was received.
SNMPv3 MIBs
The Management Information Base (MIB) contains data available to a network management program.
MIBs are created by management agents so that each machine with an agent will have an associated MIB.
The MIB is the definition of the data, or objects, that are stored in the agent for the manager to access.
RFC 2273 defines three MIBs to support SNMPv3 applications:
1. The Management Target MIB.2. The Notification MIB.3. The Proxy MIB.
SNMPv3 MIBs (cont.)
Management Target MIB: The SNMP-TARGET-MIB module contains objects for defining
management targets and includes a single group, the snmpTargetsObjects group.
A management target refers to a management entity that can be the recipient of messages generated by notification generators and proxy forwarders.
It consists of two tables:
• snmpTargetAddrTable: It contains information about transport domains and addresses. It also contains an object, snmpTargetAddrTagList, which provides a mechanism for grouping entries.
• snmpTargetParamsTable: It contains information about SNMP version and security information to be used when sending messages to particular transport domains and addresses.
SNMPv3 MIBs (cont.)
Notification MIB: The SNMP-NOTIFICATION-MIB module contains objects for the remote
configuration of the parameters used by an SNMP entity for the generation of notifications, and includes a single group, snmpNotifyObjectsGroup.
The group consists of three tables:1. snmpNotifyTable: It contains entries which select which entries in the
snmpTargetAddrTable should be used for generating notifications, and the type of notifications to be generated.
2. snmpNotifyFilterProfileTable: It augments the snmpTargetAddrTable with an object which is used to associate a set of filters with a particular management target.
3. snmpNotifyFilterTable: It defines filters which are used to limit the number of notifications which are generated using particular management targets.
SNMPv3 MIBs (cont.)
Proxy MIB:
It defines MIB objects that provide mechanisms to remotely configure the parameters used by an SNMP entity for proxy forwarding operations. The MIB includes a single group, snmpProxyObjectsGroup.
It contains a single table:
snmpProxyTable: It is used to define translations between management targets for use when forwarding messages.
It enables proxy forwarder to accept an incoming message, determine for each message the target or targets and construct the security parameters for the outgoing message.
SNMPv3 Security Models
SNMPv3 defines two security-related models:
1. User-Based security model (USM):It provides authentication and privacy (encryption) functions at the message level.
2. View-Based access control model (VACM):It determines whether a given principal is allowed access to particular MIB objects to perform particular functions, and operates at the PDU level.
It uses a MIB that defines the access control policy for this agent, and makes it possible for remote configuration to be used.
SNMPv3 Security Models (cont.)
User-Based security model (USM):The goals of this SNMP Security Model are as follows:
Provide for verification that each received SNMP message has not been modified during its transmission through the network.
Provide for verification of the identity of the user on whose behalf a received SNMP message claims to have been generated.
Provide for detection of received SNMP messages, which request or contain management information, whose time of generation was not recent.
Provide, when necessary, that the contents of each received SNMP message are protected from disclosure.
SNMPv3 Security Models (cont.)
Security Services:The security services necessary to support the goals of this SNMP Security Model
are as follows: Data Integrity is the provision of the property that data has not been altered or
destroyed in an unauthorized manner, nor have data sequences been altered to an extent greater than can occur non-maliciously.
Data Origin Authentication is the provision of the property that the claimed identity of the user on whose behalf received data was originated is corroborated.
Data Confidentiality is the provision of the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Message timeliness and limited replay protection is the provision of the property that a message whose generation time is outside of a specified time
window is not accepted.
SNMPv3 Security Models (cont.)
View-Based access control model (VACM):The VACM has five elements:
1. Groups:
A group is a set of zero or more <securityModel, security Name> tuples
on whose behalf SNMP management objects can be accessed. A group
defines the access rights afforded to all securityNames which belong
to that group.
2. Security Level:
Different access rights for members of a group can be defined for different levels of security, i.e., noAuthNoPriv, authNoPriv, and authPriv. The security Level identifies the level of security that will be assumed when checking for access rights.
SNMPv3 Security Models (cont.)
3. Contexts:
An SNMP context is a collection of management information accessible
by an SNMP entity. An item of management information may exist in
more than one context. An SNMP entity potentially has access to many
contexts.
4. MIB Views:
For security reasons, it is often valuable to be able to restrict the access rights of some groups to only a subset of the management information in the management domain.
Access allowed for a group can be restricted in the desired manner by specifying a MIB view.
SNMPv3 Security Models (cont.)
5. Access Policy:
VACM enables an SNMP engine to be configured to enforce a particular set of access rights. Access determination depends on the following factors:
The principal making the access request. The security level by which the request was communicated in an
SNMP message. The security model used for processing the request message. The MIB context for the request. The specific object instance for which access is requested. The type of access requested (read, write, notify).
Compatibility with SNMPv2 and v1
SNMPv3 managers can monitor and control only SNMPv2/v3 agents. SNMPv3 managers cannot monitor SNMPv1 agents. A large percentage of products are using SNMPv2 or SNMPv3. SNMPv2 and SNMPv3 are not as simple as SNMPv1 and require more
powerful CPU, more memory, and other resources. SNMPv2 and SNMPv3 have advantage of no transition to manage. Can still use old management applications by using
1. Dual-Mode Agents
2. Dual-Mode Managers
3. Protocol Conversion Gateways
