SNMP Outline (DE CUONG SMNP)


8/8/2019 DE CUONG SMNP

    SNMP v3

Chapter I: The SNMP network management protocol

1. Concepts:

Since its first publication in 1988, the Simple Network Management Protocol (SNMP) has quickly become the common network management protocol for TCP/IP-based computer networks. SNMP defines a protocol for exchanging management information, but it does more than that: it also defines a format for representing management information and a framework for organising distributed systems into management systems and managed agents. In addition, a number of specific database structures, called Management Information Bases (MIBs), are defined as part of the SNMP suite; individual MIBs manage the objects for the most common network management subjects, including bridges, routers and LANs.

SNMP is a simple set of operations that lets a network administrator manage and change the state of the network. SNMP can be used to manage Unix systems, Windows systems, printers, power supplies and so on. In general, any device that can run software capable of retrieving SNMP information can be managed. Not only physical devices can be managed, but also software such as web servers and databases. SNMP operates on the manager/agent model. An agent application is identified by its IP address and a UDP port.

It uses a connectionless exchange of information between the network elements and the network management system (in this case UDP). UDP transmits packets as separate datagrams. Other protocols may, however, be used to carry SNMP packets; after the packets cross the network, the network elements or the management system still keep the SNMP format intact. SNMP uses UDP (User Datagram Protocol) as the transport protocol for information between managers and agents. UDP is used instead of TCP because UDP is a transport in which the two endpoints need not establish a connection before data is exchanged (connectionless), a property that suits conditions in which the network is faulty or damaged.

- For the get/set/response operations the SNMP agent listens on UDP port 161; for traps the SNMP trap receiver listens on UDP port 162.

- SNMP uses the following three basic operations:
+ Read: used by SNMP to read information from a device. This information is exposed through SNMP variables stored on the device and updated by the device.
+ Write: used by SNMP to write control information to a device by changing the values of SNMP variables.
+ Trap: used to receive events sent from the device to SNMP. Whenever an event occurs on the device, a Trap is sent to the NMS.
SNMP also uses a number of custom operations for network management.

- SNMP involves three things to keep in mind: the Manager, the Agent and the MIB (Management Information Base).


Figure 1: SNMP model

MIB: the database that serves the Manager and the Agent.
Manager: a server running programs that can perform a number of network management functions. The Manager can be regarded as the NMS (Network Management Station). The NMS is able to poll and collect alerts from the Agents in the network.

Agent: a part of the programs running on the network devices to be managed. It can be a stand-alone program such as a daemon on Unix. Today most devices that operate at the IP layer have an SNMP agent installed.

SMI is the set of rules that defines the structure and format of the information in the MIB database.

Object ID and MIB

+ Object: a device that supports SNMP can provide many different pieces of information; each piece of information is called an object, for example whether the ports are up or down, etc.

+ Each object has a name and an identifying number called the object ID (OID). The ObjectID is the identifier of a specific object that can be monitored; get/set operations on an object's information all go through its identifier.

The device name is called sysName.
The total number of interfaces is called ifNumber.
The MAC address of a port is called ifPhysAddress.
The number of bytes received on a port is called ifInOctets.

- MIB (Management Information Base) is a data structure consisting of managed objects, used for managing devices running on TCP/IP. The MIB is the common architecture that management protocols on TCP/IP should follow, SNMP among them. A MIB is expressed as a file and can be represented as a tree. A MIB can be standardised or self-created (when you define your own object or community string, you must create a new MIB for it so that the agents can communicate with one another and understand the object you defined).


    2. MIB

    2.1. MIB

A MIB is a collection of managed objects. A MIB stores information collected by the local management agent on a managed device, for later retrieval by a network management protocol.

Each object in a MIB has a unique identifier that management applications use to identify and retrieve the value of the specified object. The MIB has a tree-like structure in which similar objects are grouped under the same branch of the MIB tree. For example, the various interface counters are grouped under the interfaces branch of the MIB tree.

The MIB structure is logically represented by a hierarchical tree. The root of the tree is unnamed and splits into three main branches: the Consultative Committee for International Telegraph and Telephone (CCITT), ISO, and joint ISO/CCITT.

These branches then fall into categories, each identified by a short text string and an integer. The text strings describe the object names, while the integers identify the objects so that software can produce compact, encoded representations of the names. The object identifier of an object in the MIB hierarchy is the sequence of numeric labels on the nodes along the path from the root to the object. The standard network MIB is represented by the object identifier 1.3.6.1.2.1, which can be summarised as iso.org.dod.internet.mgmt.mib.

Figure 2: MIB hierarchy


Standard MIBs are defined in various RFCs. For example, RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II, defines the TCP/IP MIB.

In addition to the standard MIBs, vendors can own a branch of the MIB subtree and create managed objects under that branch. A Cisco router MIB uses both standard and private managed objects.

The MIB tree of a Cisco router contains several standard managed object definitions, including those from the following groups:

- The interfaces group (including interface description, type, physical address, counts of incoming and outgoing packets).

- The IP group (including whether the device is acting as an IP gateway, the number of input packets, the number of packets discarded because of errors).

- The ICMP group (including the number of ICMP packets received, the number of error messages).

The Cisco private part of the MIB tree contains private managed objects introduced by Cisco, such as the following for routers:

- Small, medium and large buffers, among others.

- Primary and secondary memory.

- Protocol resources.

The private definitions of managed objects must be compiled into the NMS before they can be used; the result is more descriptive output, in which parameters and events can be referred to by name.

2.2 MIB-II

MIB-II supports a number of new protocols and provides a more detailed information structure. It remains compatible with the previous version: MIB-II keeps the same object identifier as MIB-I (1.3.6.1.2.1).

MIB-II has 10 subtrees defined in RFC 1213, inherited from MIB-I in RFC 1066. Each subtree has its own function:

- system (1.3.6.1.2.1.1) defines a list of objects associated with the operation of the system, such as the time since the system booted, the system contact information and the system name.

- interfaces (1.3.6.1.2.1.2) keeps the state of the interfaces on a managed entity. It tracks whether an interface is up or down and records the octets sent and received, and the octets in error or discarded.

- at (1.3.6.1.2.1.3) The at (address translation) group is deprecated; it is provided only for backward compatibility. This group is dropped from MIB-III onward.

- ip (1.3.6.1.2.1.4) keeps much information related to the IP protocol, including IP routing.

- icmp (1.3.6.1.2.1.5) keeps information such as ICMP packets in error or discarded.

- tcp (1.3.6.1.2.1.6) keeps information specific to the state of TCP connections, such as closed, listen, synSent.

- udp (1.3.6.1.2.1.7) collects UDP statistics: incoming and outgoing datagrams.

- egp (1.3.6.1.2.1.8) keeps EGP parameters and the EGP neighbour table.

- transmission (1.3.6.1.2.1.10) has no objects of its own, but defines media-specific MIBs.

- snmp (1.3.6.1.2.1.11) measures the performance of the SNMP implementation on the managed entity and keeps information such as the number of SNMP packets received and sent.

Although the MIB-II definition is an improvement over MIB-I, some problems remain unsolved:

- MIB-II is still device-centric: its focus is on individual devices, not on the network as a whole or on the data flows.

- MIB-II is polling-based: the data is stored in the managed devices and a management system must request (poll) it through the management protocol; the data is not sent automatically.

Chapter II: SNMPv3

1. SNMPv3 architecture

1.1 Components of SNMPv3

An important change in SNMPv3 is that all agents and managers are collectively called SNMP entities. An SNMP entity consists of two components: the SNMP engine and the applications.

Figure 3: SNMP entity


1.1.1 SNMP engine

An engine consists of four components: the dispatcher, the message processing subsystem, the security subsystem and the access control subsystem. The dispatcher's job is to send and receive messages. It tries to determine the version of each received message and, if the version is supported, hands the message to the message processing subsystem. The dispatcher also sends SNMP messages to other entities.

The message processing subsystem prepares messages for sending and extracts the data from received messages. A message processing subsystem can contain several message processing modules; for example, the subsystem may have modules that handle version 1 requests, version 2 requests and version 3 requests. It can also contain modules for other kinds of processing.

The security subsystem provides authentication and privacy services. Authentication uses either community strings or SNMPv3 user-based authentication. User authentication uses the MD5 or SHA algorithm to authenticate users without sending the password in clear text. The privacy service uses the DES algorithm to encrypt and decrypt SNMP messages. Currently DES is the only algorithm used, but other algorithms may be used in the future.

The access control subsystem is responsible for controlling access to MIB objects. You can control which objects a user may access as well as which operations the user is allowed to perform on those objects. For example, you may want to limit a user's read-write access to certain parts of the mib-2 tree while allowing read access to the whole tree.

1.1.2 SNMPv3 applications

Version 3 divides SNMP into the following applications:

- Command generator: generates get, getnext, getbulk and set requests and processes the responses. These applications are implemented by the Network Management Station (NMS), so it can be used to query and set values on entities on routers, switches and Unix hosts.

- Command responder: responds to get, get-next, get-bulk and set requests. These applications are implemented by an entity on a router or Unix host.

- Notification originator: generates traps and notifications. This application is implemented by an entity on a router or Unix host. In version 1 and version 2 the notification originator is part of the SNMP agent.

- Notification receiver: receives traps and notification messages. These applications are implemented by the NMS.

- Proxy forwarder: forwards messages between entities.


1.2 Architecture of the SNMPv3 manager and agent

1.2.1 SNMP manager architecture

Figure 4: SNMP manager architecture
[Figure 4 residue: one or more applications (notification originator, notification receiver, command generator); message processing subsystem (v1MP, v2cMP, v3MP, otherMP); security subsystem (user-based security model, other security model); PDU dispatcher; message dispatcher; network (UDP, IPX, other)]

The SNMP manager interacts with SNMP agents by using the commands (get, getnext, getbulk, set) and by receiving notifications (trap, inform). The manager may also interact with other managers by sending inform request PDUs and receiving inform response PDUs. In SNMPv3 terminology an SNMP manager consists of the following applications:

- Command generator applications: monitor and manipulate management data on remote agents. They use SNMPv1 and/or SNMPv2 PDUs, including get, getnext, getbulk and set.

- Notification originator applications: initiate asynchronous messages; in the case of a manager, the informRequest PDU is used for this application.

- Notification receiver applications: process incoming asynchronous messages. These include the informRequest, SNMPv2-Trap and SNMPv1 trap PDUs. When an informRequest PDU arrives, the notification receiver application replies with a response PDU.

1.2.2 SNMP agent architecture

[Figure 5 residue: command responder application; access control; notification originator application; proxy forwarder application; security subsystem; message processing subsystem (v1MP, v2cMP, v3MP, otherMP); user-based security model, other security model; PDU dispatcher; message dispatcher; network (UDP, IPX, other); MIB]

Figure 5: SNMP agent architecture model

An agent may contain three kinds of applications:

- Command responder applications: provide access to management data. These applications respond to incoming requests by retrieving and/or setting managed objects and then issuing a Response PDU.

- Notification originator applications: initiate asynchronous messages; in the case of an agent, the SNMPv2 trap or SNMPv1 trap PDU is used for this application.

- Proxy forwarder applications: forward messages between entities.

The SNMP engine for an agent has all the components found in the SNMP engine for a manager, plus an access control subsystem. This subsystem provides authorization services for access to the MIB for reading and setting managed objects. These services are performed on the basis of the contents of the PDUs. An implementation of the security subsystem may support one or more specific access control models. So far the View-Based Access Control Model (VACM) is the only access control model defined specifically for SNMPv3; it is defined in RFC 3415.

1.3 Commands in SNMPv3

SNMPv3 exchanges management information using the following commands:

GetRequest: the manager sends a GetRequest to the agent to ask it for some information based on an object ID (the GetRequest contains the OID). For example, to get the name of device 1, the manager sends a GetRequest with OID=1.3.6.1.2.1.1.5 to device 1; the SNMP agent process on device 1 receives the message and builds a reply. A GetRequest may contain several OIDs, meaning that a single GetRequest can retrieve several pieces of information at once.

GetNextRequest: the manager sends a GetNextRequest containing an object ID to the agent to ask for the information that follows that object ID in the MIB. Because a MIB has many OIDs arranged in an order that is not contiguous, knowing one OID does not tell you the next OID. That is why GetNextRequest is needed to retrieve the next value and its OID. Issuing GetNextRequest repeatedly retrieves all of the agent's information.

SetRequest: the manager sends a SetRequest to the agent to set the value of an agent object based on the object ID. A computer or router can be renamed from SNMP manager software by sending a SetRequest with OID 1.3.6.1.2.1.1.5.0 (sysName.0) and the new name as the value. A switch port can be shut down from SNMP manager software by sending a message with OID 1.3.6.1.2.1.2.2.1.7 (ifAdminStatus) and the value 2 (ifAdminStatus has three values: 1 UP, 2 DOWN, 3 TESTING). Only objects with READ_WRITE access can have their value changed.

GetResponse: the agent sends a GetResponse to the manager in reply to a GetRequest or GetNextRequest. The GetResponse contains the OID of the requested object and the object's value.

Trap: the agent sends a trap to the manager on its own when an event occurs on some object in the agent. These events are not the agent's routine activity but incidents; for example, when a port goes down, when a user fails to log in or when the device reboots, the agent sends a trap to the manager. However, not every incident causes the agent to send a trap, nor does every agent send a trap for the same incident; whether an agent sends a trap for a given incident is decided by the device/agent vendor. The trap operation is independent of the request/response operations: SNMP request/response is used for management, while SNMP traps are used for alerting. The source of a trap is called the trap sender and the destination the trap receiver. A trap sender can be configured to send traps to several trap receivers at once. There are two kinds of trap: generic traps and specific traps. Generic traps are defined in the SNMP standards, while specific traps are user-defined (defined by the device vendor). The trap type is an integer carried in the trap message, from which the receiving side knows what the trap means. The common trap types are:

- coldStart: the sending device is rebooting and its configuration may have changed after the restart.

- warmStart: the sending device is restarting and keeps its old configuration.

- linkDown: the sending device has detected that one of its communication links has failed. The trap carries a parameter giving the ifIndex of the failed link.

- linkUp: the sending device has detected that one of its communication links has come back up. The trap carries a parameter giving the ifIndex of the restored link.

- authenticationFailure: the sending device has received a message that failed authentication (the message that failed authentication may belong to any of several protocols, such as telnet, ssh, snmp, ...). Usually this trap is caused by a failed login to the device.

- egpNeighborLoss: one of the exterior gateway protocol neighbours of the sending device is considered down and the peer relationship between the two sides is no longer maintained.

- enterpriseSpecific: this trap is not one of the generic types above but a user-defined type.

Users can define additional trap types to enrich a device's alerting capability, such as boardFailed, configChanged, PowerLoss. Only a trap sender and trap receiver that support the same MIB can understand the meaning of specific traps.

get-bulk: allows management information to be retrieved from several parts of a table. This can be done with get, but the size of the query may be limited by the agent: if the agent cannot answer the whole request, it returns an error message with no data. With get-bulk the agent sends back as many replies as it can, so a partial reply to the request is possible. Two fields must be declared in a get-bulk: nonrepeaters (tells the agent that the first N objects can be answered as if by a single get) and max-repetitions (tells the agent to attempt up to M get-next requests for the remaining objects).

notification: standardises the PDU format, identifying the get and set commands.

inform: provides a communication mechanism between NMSs. When one NMS sends an SNMP inform to another NMS, the receiving NMS returns an ACK acknowledging the event. This resembles the get and set mechanism.

report: introduced in a draft of SNMPv2 and later adopted in SNMPv3. It is used for communication between SNMPv3 systems.

2. Security in SNMPv3

2.1 Threats:

- Masquerading: an attacker impersonates someone in order to perform some operations on that person's behalf. In today's network security this is perhaps the most dangerous threat. One way of masquerading is spoofing (deceiving the user). If an attacker successfully masquerades as a manager, the attacker can enter the network management levels with properly verified authority: the attacker can do anything that the impersonated person could do.

- Modification of information: the threat of modifying information means that a third party can break into the message transmission and modify the messages. The modified message is then passed on to the rightful recipient of the real message. The recipient now believes the message was sent by a genuinely trustworthy source, while its contents have been altered. In network management, an authenticated network manager can create a PDU with management meaning. If an attacker successfully attacks the transmission, the PDUs can be modified while the authentication information remains unchanged. This is possible, however, only if the PDU is neither signed nor encrypted.

- Message stream modification: the stream of information is altered in some way, meaning that messages can be reordered or replayed. The original design of network management was to manage over a connectionless protocol, so most management protocols are designed to operate over a connectionless transport service. Stream modification is a potential threat in network management: an attacker could record management messages that allow a router to be shut down, and then replay those packets to shut down the router at any time.

- Disclosure: the threat of disclosure means that the confidentiality of information is leaked to people who should not see it. In ordinary network security the traffic is not encrypted. Likewise, in network management some management PDUs may carry essential information about the network and the managed nodes in it. So if an attacker can observe the traffic on the network segments, the attacker can obtain important information that can serve as the basis for other intrusions such as masquerading. One way to counter the disclosure threat is to encrypt the messages.

- Denial of service (DoS): some network service is blocked in some way. An attacker may try to open TCP connections to a host continuously, blocking all other connection requests. In network management this also means an attacker blocking the flow of management protocol data between manager and agent. In network management, DoS can be one link in a chain of other threats. For example, if an attacker successfully masquerades as a manager, the attacker can issue a shutdown command to a given router, and the denial of service threat is realised.

- Traffic pattern analysis: a threat in which the content of the messages is ignored; the essential information about the system is deduced from the patterns of the traffic itself. These last two threats are very hard to prevent.

2.2 Security in version 3

Security has been the weakest point since SNMP was introduced. Authentication in SNMP relied mainly on a clear-text password between a manager and an agent. A password sent in clear text is obviously insecure: it can be stolen, traced back and used to bring down the network.

In SNMPv3 security is addressed and is better assured than in version 1 and version 2. The main point of SNMPv3 is addressing security; it changes neither the protocol nor the operations. SNMPv3 incorporates all the operations of SNMPv1 and SNMPv2 (plus access authorisation).

SNMPv3 uses MD5 and SHA to produce hash values for each SNMP message. This allows end-to-end authentication and prevents data modification and certain attacks. In addition, SNMPv3 management software and agents can use DES to encrypt packets, giving better confidentiality (integrity, encryption and authentication).


2.2.1 SNMPv3 message structure

Fields of the SNMPv3 message

The first five fields (the message header) are generated by the message processing subsystem of the sender and processed by the message processing subsystem of the receiver. The message processing header consists of:

- msgVersion: set to version 3.

- msgID: a unique identifier used between SNMP entities to match request and response messages, and used by the message processing to coordinate the handling of the message by the different subsystems in the architecture. The ID value lies in the range [0; 2^31-1].

- msgMaxSize: conveys the maximum message size in octets supported by the sender of the message, in the range 484 to 2^31-1. This is the largest segment the sender can accept from another SNMP engine (whether a response or any other kind of message).

- msgFlags: an octet string containing three flags: reportableFlag, privFlag and authFlag. If reportableFlag=1 a Report PDU must be returned to the sender; when the flag is 0 a Report PDU may not be returned. reportableFlag is set to 1 by the sender in all messages containing a request (get, set) or an inform, and set to 0 for messages containing a response, a trap or a report PDU. privFlag and authFlag, on the other hand, are set by the sender to indicate the security level applied to the message. The combinations are as follows:


privFlag  authFlag  Security level
0         0         no authentication, no encryption
0         1         authenticated message
1         1         encrypted and authenticated message
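An added example, not part of the original outline: decoding and building the msgFlags octet according to the bit layout in RFC 3412, including the combination privFlag=1, authFlag=0 that the table omits because RFC 3412 declares it invalid.

```python
# Added example: encode/decode the msgFlags octet of an SNMPv3 header.
# Bit layout (RFC 3412): bit 0 authFlag, bit 1 privFlag, bit 2 reportableFlag.
AUTH_FLAG = 0x01
PRIV_FLAG = 0x02
REPORTABLE_FLAG = 0x04

LEVEL_BY_FLAGS = {
    (False, False): "noAuthNoPriv",
    (True, False): "authNoPriv",
    (True, True): "authPriv",
}
FLAGS_BY_LEVEL = {level: flags for flags, level in LEVEL_BY_FLAGS.items()}


def decode_msg_flags(msg_flags):
    """Return (securityLevel, reportable) for a msgFlags OCTET STRING.
    Raises ValueError for the malformed cases a receiver must reject
    (counted as snmpInvalidMsgs): wrong length, or privFlag set without
    authFlag, a combination the table above omits because RFC 3412
    declares it invalid."""
    if len(msg_flags) != 1:
        raise ValueError("msgFlags must be exactly one octet")
    flags = msg_flags[0]
    auth = bool(flags & AUTH_FLAG)
    priv = bool(flags & PRIV_FLAG)
    if priv and not auth:
        raise ValueError("privFlag set without authFlag is invalid")
    return LEVEL_BY_FLAGS[(auth, priv)], bool(flags & REPORTABLE_FLAG)


def msg_flags_valid(msg_flags):
    """True if a receiver would accept this msgFlags field."""
    try:
        decode_msg_flags(msg_flags)
        return True
    except ValueError:
        return False


def encode_msg_flags(security_level, confirmed_pdu):
    """Build msgFlags for an outgoing message. reportableFlag is set only
    for confirmed-class PDUs (get, getnext, getbulk, set, inform) and
    cleared for responses, traps and reports, as the text describes."""
    auth, priv = FLAGS_BY_LEVEL[security_level]  # KeyError on unknown level
    flags = (AUTH_FLAG if auth else 0) | (PRIV_FLAG if priv else 0)
    if confirmed_pdu:
        flags |= REPORTABLE_FLAG
    return bytes([flags])
```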

- msgSecurityModel: a value in the range [0; 2^31-1] indicating the security model used by the sender to prepare the message, and which must therefore be used by the receiver to process it. The defined values are:

Value  Security model
1      SNMPv1
2      SNMPv2c
3      USM

The next six fields give the security parameters used by USM. When an outgoing message is passed to the user-based security model (USM) by the message processor, the USM assembles the security-related parameters in the message header; the values processed by the user-based security model are held in those fields. The security-related parameters are presented below:

- msgAuthoritativeEngineID: the snmpEngineID of the authoritative SNMP engine involved in the exchange. Thus the value refers to the source in trap, response or report messages, and to the destination in get, getnext, getbulk, set or inform messages.

- msgAuthoritativeEngineBoots: the snmpEngineBoots value of the authoritative SNMP engine involved in the exchange. snmpEngineBoots is an integer in the range 0 to (2^31)-1 representing the number of times this SNMP engine has been initialised or re-initialised since its initial configuration.

- msgAuthoritativeEngineTime: the snmpEngineTime value of the authoritative SNMP engine involved in the exchange. snmpEngineTime is an integer in the range 0 to (2^31)-1 representing the number of seconds since this authoritative SNMP engine last incremented its snmpEngineBoots. Each authoritative SNMP engine is responsible for incrementing its own snmpEngineTime value once per second. A non-authoritative engine is responsible for incrementing its notion of snmpEngineTime for each remote authoritative engine it communicates with.

- msgUserName: the user (principal) on whose behalf the message is being exchanged. The main purpose of the user is to hold the secret keys and some security-related information such as the encryption algorithm used. The userName, which identifies the principal within USM, is mapped by a security-model-independent mapping to a securityName by some defined transformation. The userName is therefore a human-readable string.

- msgAuthenticationParameters: null (empty) if authentication is not used in the exchange; otherwise it is an authentication parameter. Currently, by the definition of the USM, the authentication parameter is an HMAC message authentication code.

- msgPrivacyParameters: null if privacy is not used in the exchange; otherwise it is a privacy parameter. By the definition of USM, the privacy parameter is a value used to form the initial value of the DES cipher block chaining algorithm.

Finally, the PDU together with contextEngineID and contextName forms the scoped PDU, which is used for PDU processing.

2.2.2 Sending and receiving messages at the security levels

SNMPv3 provides both security models and security levels:

- A security model is an authentication strategy set up for a user and the group in which that user resides.
- A security level is the level of security permitted within a security model.

The combination of security model and security level determines which security technique is used when processing an SNMP packet. The three possible security models are SNMPv1, v2c and v3. The table shows what the combinations of model and security level mean.

Model  Level         Authentication    Encryption  Meaning
v1     noAuthNoPriv  community string  none        a community string match is used for authentication
v2c    noAuthNoPriv  community string  none        a community string match is used for authentication
v3     noAuthNoPriv  username          none        a username match is used for authentication
v3     authNoPriv    MD5 or SHA        none        provides authentication based on the HMAC-MD5 or HMAC-SHA algorithm
v3     authPriv      MD5 or SHA        DES         provides authentication based on the HMAC-MD5 or HMAC-SHA algorithm, plus 56-bit DES encryption added to the authentication, following the CBC-DES (DES-56) standard


2.2.2.2 authNoPriv message exchange

If we assume that communication between manager and agent is authenticated (the agent wants to be sure the message comes from the manager it claims to come from, and conversely the manager wants to be sure the response really comes from the intended agent), then the sender must digest the message with some algorithm (using MD5 or the SHA function) and place the digest in the msgAuthenticationParameters field of the msgSecurityParameters.

The receiver removes the digest from the message, saves it in a temporary area, fills the vacated space with zero octets and computes the message digest. If the computed message digest matches the received digest, the message is authenticated. Otherwise an impersonator may be performing illegitimate activity.

Note that message authentication does not prevent the message contents from being inspected. The following figure shows the authenticated message exchange between manager and agent.

In fact the figure above lacks an important part of authentication. To prevent replay attacks, USM uses a timeliness mechanism. The basic idea is that the authoritative engine maintains two objects, snmpEngineBoots and snmpEngineTime, which refer to its local time. The non-authoritative engine must be loosely synchronised with every authoritative SNMP engine it communicates with; for this purpose the non-authoritative engine keeps a local copy of three variables for each remote engine ID:

+ snmpEngineBoots of the remote engine
+ snmpEngineTime: this engine's notion of snmpEngineTime for the remote authoritative engine.
+ latestReceivedEngineTime: the highest value of msgAuthoritativeEngineTime that this engine has received from the remote authoritative engine.


Every authenticated request message from the non-authoritative entity includes this engine's view of the remote engine's time and boots. The boots must match and the time must be within the 150-second time window. If a message is received that fails these conditions, a notInTimeWindow report PDU is returned. The authoritative engine includes its boots and time in the report and response messages so that the non-authoritative engine can update its local copies of these values. This is explained by the following figure:

2.2.2.3 authPriv message exchange

If we assume that communication between manager and agent is protected against disclosure, an encryption method is applied: not the whole message is encrypted, only the scoped PDU. The algorithm chosen in SNMPv3 is the cipher block chaining (CBC) mode of the Data Encryption Standard (DES). Customers are free to choose another algorithm. Note that encryption is applied only if the message has been authenticated successfully.


3. Types of security model

The RFCs covering SNMPv3 all describe the overall architecture, specific message structures and security features without describing a new SNMP PDU format. This means the existing SNMPv1 and SNMPv2 PDU formats must be used within the new architecture. According to RFCs 2271 to 2275, SNMPv3 can be understood as SNMPv2 plus security and administration functions. Below we present the security and authentication capabilities provided by the SNMPv3 USM (User-based Security Model), the security model based on users, and view-based access control.

3.1 User-based Security Model

RFC 3414 defines the User-based Security Model (USM). USM provides privacy and authentication services for SNMP and is designed to counter the following threats: modification of information, masquerade, message stream modification (SNMP is designed to operate over a connectionless transport, so there is a risk that messages are reordered, delayed or replayed, making management operations unreliable), and disclosure.

USM does not counter threats such as denial of service (an attacker preventing the exchange of information between manager and agent) or traffic analysis (an attacker observing the general patterns of traffic between manager and agent).

SNMPv3 defines USM as one choice of security model, but customers are free to implement their own model.

3.1.1 Security functions

Two security functions are defined in USM: authentication and encryption. To support these functions an SNMP engine requires two values: a privacy key and an authentication key. These values are maintained separately for each of the following users:

+ Local users: any principal whose management operations on this SNMP engine are authenticated.

+ Remote users: any principal with which this SNMP engine wishes to communicate.

The privacy key and authentication key values are not accessible via SNMP. USM allows the use of one of two alternative authentication protocols: HMAC-MD5-96 and HMAC-SHA-96. For encryption USM uses the cipher block chaining mode of the Data Encryption Standard (DES).

3.1.2 Keys

Both authentication and encryption in an SNMP entity require a suitable key, because all the cryptographic algorithms used are symmetric, i.e. both sides must use the same key.

To simplify the key-management burden on principals, each principal is required to maintain only a single authentication key and a single encryption key. These keys are not stored in a MIB and are not accessible through SNMP.

To make key deployment simple, SNMPv3 proposes a password-to-key algorithm. The SNMP entity computes the key from the password using a specified hash function. The same password therefore produces the same key. This is simple, but the security is not the best achievable, so the computed key is further localised: the authoritative engine ID is wrapped around the computed key and the hash function is applied to the resulting octet string. This ensures that the same password yields different keys for different engine IDs, so the compromise of one entity's key does not break the security of other entities.
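An added example (not from the original outline) for the authNoPriv exchange in 2.2.2.2 and the password-to-key procedure in 3.1.2: RFC 3414 password expansion and key localization checked against the RFC's own "maplesyrup" test vector, then an HMAC-MD5-96 sender/receiver check over a constructed byte string standing in for the serialized message (its layout and field offset are invented for the demonstration).

```python
# Added example: RFC 3414 password-to-key with key localization, and the
# HMAC-MD5-96 authNoPriv check (digest field zero-filled before hashing).
import hashlib
import hmac

ONE_MEGABYTE = 1048576     # RFC 3414 A.2: password is expanded to 2^20 octets
AUTH_PARAMS_LEN = 12       # HMAC-MD5-96 / HMAC-SHA-96 truncate to 12 octets


def password_to_key(password, hash_name="md5"):
    """Ku: hash of the password repeated/truncated to 1,048,576 octets."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives a
    different key on every engine, so one agent's key leaks nothing about
    another's."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def authenticate(message, offset, kul, hash_name="md5"):
    """Sender side: `message` is the serialized SNMPv3 message with 12 zero
    octets at `offset` (msgAuthenticationParameters). Returns the message
    with the truncated HMAC written into that field."""
    if message[offset:offset + AUTH_PARAMS_LEN] != b"\x00" * AUTH_PARAMS_LEN:
        raise ValueError("authentication parameters must be zero-filled")
    tag = hmac.new(kul, message, hash_name).digest()[:AUTH_PARAMS_LEN]
    return message[:offset] + tag + message[offset + AUTH_PARAMS_LEN:]


def verify(message, offset, kul, hash_name="md5"):
    """Receiver side: lift out the received digest, zero the field,
    recompute the HMAC over the whole message and compare in constant time."""
    received = message[offset:offset + AUTH_PARAMS_LEN]
    zeroed = (message[:offset] + b"\x00" * AUTH_PARAMS_LEN
              + message[offset + AUTH_PARAMS_LEN:])
    expected = hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


# Constructed stand-in for a BER-encoded SNMPv3 message: header bytes, the
# zero-filled authentication parameters field, then the scoped PDU bytes.
# Layout, offset and contents are invented for this demonstration only.
SAMPLE_HEADER = b"\x30\x3a\x02\x01\x03msgGlobalData-usm-maplesyrup-"
SAMPLE_OFFSET = len(SAMPLE_HEADER)
SAMPLE_MESSAGE = (SAMPLE_HEADER + b"\x00" * AUTH_PARAMS_LEN
                  + b"scopedPDU:get sysName.0")

# RFC 3414 A.3.1 test vector inputs: password "maplesyrup", engineID
# 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo():
    ku = password_to_key("maplesyrup", "md5")
    kul = localize_key(ku, RFC_ENGINE_ID, "md5")
    wire = authenticate(SAMPLE_MESSAGE, SAMPLE_OFFSET, kul)
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])   # flip one PDU bit
    other_engine = localize_key(ku, bytes(12), "md5")  # same password, other engineID
    return {
        "ku": ku.hex(),
        "kul": kul.hex(),
        "ok": verify(wire, SAMPLE_OFFSET, kul),
        "tampered_ok": verify(tampered, SAMPLE_OFFSET, kul),
        "wrong_engine_ok": verify(wire, SAMPLE_OFFSET, other_engine),
    }
```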


3.1.4 Timeliness mechanisms

Data authentication based on time limits

USM includes a set of timeliness mechanisms to guard against delayed and replayed messages. Every SNMP engine that can act as an authoritative engine must maintain the values snmpEngineBoots and snmpEngineTime as its local time reference. When an SNMP engine is first installed the two values are set to 0. Thereafter snmpEngineTime is incremented by 1 every second. If snmpEngineTime ever reaches its maximum value (2^31)-1, snmpEngineBoots is incremented, just as if the system had rebooted, and snmpEngineTime is reset to 0 and begins incrementing again. Using a synchronisation mechanism, a non-authoritative engine maintains an estimated time value for each authoritative engine it communicates with. This estimated value is placed in each outgoing message and allows the receiving authoritative engine to determine whether or not the incoming message is timely.

    The synchronization mechanism works as follows. A non-authoritative engine keeps a local copy of three variables for each authoritative SNMP engine it knows about (one set of values per engine):

    snmpEngineBoots: the most recent value of snmpEngineBoots for the remote authoritative engine.

    snmpEngineTime: this engine's notion of the value of snmpEngineTime for the remote authoritative engine. This value is synchronized with the remote authoritative engine by the synchronization process described below. Between synchronization events, this value is logically incremented once per second to maintain a loose synchronization with the remote authoritative engine.

    latestReceivedEngineTime: the highest value of msgAuthoritativeEngineTime that this engine has received from the remote authoritative engine; the value is updated whenever a larger value of msgAuthoritativeEngineTime is received. The purpose of this variable is to protect against replayed messages that would otherwise prevent the non-authoritative engine's notion of snmpEngineTime from advancing.

    One set of these three variables is maintained for each remote authoritative engine known to this engine. Time synchronization occurs as part of the procedure for receiving an SNMP message; thus no explicit time-synchronization procedure is required by a non-authoritative SNMP engine. Note that whenever the local value of snmpEngineID is changed (for example through discovery) or when secure communication is first established with an authoritative SNMP engine, the local values of snmpEngineBoots and latestReceivedEngineTime should be set to 0. This causes time synchronization to occur when the next authenticated message is received.
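    The time-window and synchronization rules above, simulated for both roles as an added example (not code from the original outline or from any SNMP implementation). The authoritative side applies the "boots equal, time within 150 seconds" test; the non-authoritative side synchronizes from each authenticated message and uses latestReceivedEngineTime to reject replays. Class and method names are this example's own, and the scenario values are constructed.

```python
"""Added example (not code from the original outline): the USM timeliness
rules of RFC 3414 sections 2.3 and 3.2, simulated for both engine roles.
Class and method names are this example's own."""
from dataclasses import dataclass

TIME_WINDOW = 150                  # seconds, fixed by RFC 3414
MAX_ENGINE_TIME = 2**31 - 1
MAX_ENGINE_BOOTS = 2**31 - 1       # latched value: the engine must be re-keyed


@dataclass
class AuthoritativeEngine:
    """The real snmpEngineBoots / snmpEngineTime of an agent."""
    boots: int = 0
    time: int = 0

    def tick(self, seconds: int = 1) -> None:
        # snmpEngineTime advances once per second; if it would pass 2^31 - 1
        # the engine behaves as if it had rebooted
        self.time += seconds
        if self.time > MAX_ENGINE_TIME:
            self.time -= MAX_ENGINE_TIME + 1
            self.boots += 1

    def reboot(self) -> None:
        self.boots += 1
        self.time = 0

    def is_timely(self, msg_boots: int, msg_time: int) -> bool:
        """Receiver is authoritative (RFC 3414 3.2 step 7a): boots must match
        exactly and the sender's estimate must be within 150 s of our clock."""
        if self.boots == MAX_ENGINE_BOOTS:
            return False
        return msg_boots == self.boots and abs(msg_time - self.time) <= TIME_WINDOW


@dataclass
class RemoteEngineClock:
    """A non-authoritative engine's notion of one remote authoritative engine:
    the three per-engine variables kept by the manager (RFC 3414 2.3)."""
    boots: int = 0
    time: int = 0
    latest_received_time: int = 0

    def tick(self, seconds: int = 1) -> None:
        self.time += seconds       # loose synchronization between sync events

    def reset_after_discovery(self) -> None:
        # new snmpEngineID learned or first secure contact: force a resync
        self.boots = self.time = self.latest_received_time = 0

    def receive_authenticated(self, msg_boots: int, msg_time: int) -> bool:
        """Called for each *authenticated* message from the remote engine.
        Synchronizes first, then applies the time-window test (RFC 3414
        3.2 step 7b). Returns True if the message is timely."""
        if msg_boots > self.boots or (msg_boots == self.boots
                                      and msg_time > self.latest_received_time):
            self.boots, self.time, self.latest_received_time = msg_boots, msg_time, msg_time
        if self.boots == MAX_ENGINE_BOOTS:
            return False
        if msg_boots < self.boots:
            return False                       # sent before the last reboot
        if msg_boots == self.boots and msg_time < self.time - TIME_WINDOW:
            return False                       # older than the window: replay
        return True


def replay_scenario() -> tuple:
    """Walk through drift, reboot and replay between a manager and an agent."""
    agent = AuthoritativeEngine(boots=3, time=1000)
    mgr = RemoteEngineClock()                              # just discovered the engineID
    mgr.receive_authenticated(agent.boots, agent.time)     # first report: sync
    fresh = agent.is_timely(mgr.boots, mgr.time)           # manager request accepted
    agent.tick(200)                                        # no resync for 200 s
    drifted = agent.is_timely(mgr.boots, mgr.time)         # outside +/-150 s
    agent.reboot()                                         # boots 3 -> 4
    stale_boots = agent.is_timely(mgr.boots, mgr.time)     # boots mismatch
    mgr.receive_authenticated(agent.boots, agent.time)     # resync to (4, 0)
    replayed_old_boot = mgr.receive_authenticated(3, 1000)  # captured before reboot
    mgr.receive_authenticated(4, 300)                      # legitimate, later
    replayed_in_boot = mgr.receive_authenticated(4, 100)   # 100 < 300 - 150
    return fresh, drifted, stale_boots, replayed_old_boot, replayed_in_boot


if __name__ == "__main__":
    print(replay_scenario())   # (True, False, False, False, False)
```

    The scenario shows the practical consequence of the 150-second window: a manager that has not heard from an agent for longer than that must resynchronize (which the agent's Report PDU triggers) before its requests are accepted again, while a captured message can never be replayed past latestReceivedEngineTime.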

    3.2 View-based Access Control Model (VACM)

    If only the SNMPv3 security discussed above were in place, a problem would remain: we may have users to whom we want to assign different authorization levels (for example, we want to allow an administrator to reset/reboot a device remotely while preventing ordinary users from doing so, or at the same time allow many people to read the status of remote agents). Authentication alone, with each user's own keys/passwords, does not distinguish what each user is allowed to do.

    VACM uses a MIB to define which users can access which parts of an agent's MIB, and under what conditions. The conditions include the security level (for example, some parts of the MIB may be accessed only with authenticated requests, other parts only with requests that are both encrypted and authenticated), the security model (for example, we may not want SNMPv1 or SNMPv2c managers to access the v3 configuration), the userName (for example, bob can access every object in the MIB while liz can access only two subtrees of the MIB tree), the viewType (for example, a user may be allowed to read but not write or modify objects), and the context in which the object exists.


    VACM does not define access rights for each individual object instance in the agent's MIB. Instead it defines them per subtree of the MIB tree. A subtree is the set of all objects and object instances whose names share a common object-identifier prefix.

    So far we have assumed that a user known to the agent can access all objects in the MIB. A general-purpose agent (serving several MIBs) that is not protected at all lets an SNMPv1 or SNMPv2c manager retrieve and modify every object. If you look at the NVAgentCfg1.text file you can see that the vacmViewTreeFamilyTable contains a single row with viewName = everything and subtree = 1.3.6.1. In other words, as in the example above, bob can access all MIB instances in the agent.

    Access control is a security function performed at the PDU level. The access control documents define mechanisms for limiting the access that a remote principal is allowed to a managed object in the local MIB. The SNMPv3 documents define the View-based Access Control Model for this purpose.

    VACM uses the SNMP-VIEW-BASED-ACM-MIB to define the access policies for this agent and to make them configurable remotely. RFC 3415 shows how the tables in the VACM MIB work together to produce a precise access-control decision.

    Who: the combination of securityModel and securityName defines the "who" of this operation. It identifies a given principal whose communications are protected by the given securityModel. This combination belongs to at most one group in this SNMP engine; the vacmSecurityToGroupTable provides the groupName, given the securityModel and securityName.

    Where: the contextName specifies the context in which the desired management object is to be found. The vacmContextTable contains a list of the recognized contextNames.

    How: the combination of securityModel and securityLevel defines how the incoming request or Inform PDU was protected. The combination of who, where and how identifies zero or one entries in the vacmAccessTable.


    Why: viewType identifies why access is requested: for a read, write or notify operation. The selected entry in the vacmAccessTable contains one MIB viewName for each of these three types of operation, and viewType is used to select a specific viewName. This viewName selects the appropriate MIB view from the vacmViewTreeFamilyTable.

    What: variableName is an object identifier whose prefix identifies a specific object type and whose suffix identifies a specific object instance. The object type indicates what type of management information is requested.

    Which: the object instance indicates which specific item of information is requested.
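    The who/where/how/why/what decision above, modelled on the three VACM tables as an added example (not code from the original outline, from NVAgentCfg1.text or from any SNMP implementation). The policy is constructed to match the cases discussed in this section: bob is an administrator who can access everything with authPriv, liz is an operator limited to the system and interfaces subtrees, and an SNMPv2c community may read the system group but not the USM user table. The class and function names, group and view names are this example's own; the subtree/mask matching and longest-subtree selection follow RFC 3415 section 3.5, and the vacmAccessTable selection is simplified to exact contextName matches.

```python
"""Added example (not code from the original outline): a small model of the
RFC 3415 VACM isAccessAllowed decision driven by vacmSecurityToGroupTable,
vacmAccessTable and vacmViewTreeFamilyTable. Users, groups, views and the
policy are constructed for illustration."""
from dataclasses import dataclass, field

SNMPV1, SNMPV2C, USM = 1, 2, 3                      # securityModel (RFC 3411)
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3  # securityLevel (RFC 3411)


def oid(s: str) -> tuple:
    return tuple(int(x) for x in s.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:
    """One vacmViewTreeFamilyTable row: subtree, family mask, included/excluded."""
    subtree: tuple
    included: bool = True
    mask: bytes = b""        # empty mask = every sub-identifier must match

    def matches(self, name: tuple) -> bool:
        if len(name) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            # a 0 bit in the mask wildcards that position (used for row indexes)
            bit = (self.mask[i // 8] >> (7 - i % 8)) & 1 if i // 8 < len(self.mask) else 1
            if bit and name[i] != sub:
                return False
        return True


@dataclass
class Vacm:
    security_to_group: dict = field(default_factory=dict)  # (model, name) -> group
    access: dict = field(default_factory=dict)  # (group, context, model, level) -> {viewType: viewName}
    views: dict = field(default_factory=dict)   # viewName -> [ViewFamily]
    contexts: set = field(default_factory=lambda: {""})    # vacmContextTable

    def in_view(self, view_name: str, name: tuple) -> bool:
        # RFC 3415 3.5: among matching families the longest subtree wins,
        # ties broken by the lexicographically greatest subtree
        best = None
        for fam in self.views.get(view_name, []):
            if fam.matches(name) and (best is None or
                                      (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree)):
                best = fam
        return best is not None and best.included

    def is_access_allowed(self, model, name, level, view_type, context, variable) -> tuple:
        """Returns (allowed, reason) following the who/where/how/why/what steps."""
        if context not in self.contexts:
            return False, "noSuchContext"
        group = self.security_to_group.get((model, name))             # who
        if group is None:
            return False, "noGroupName"
        rows = [(m, lvl, v) for (g, ctx, m, lvl), v in self.access.items()
                if g == group and ctx == context and m in (model, 0) and lvl <= level]  # where + how
        if not rows:
            return False, "noAccessEntry"
        # prefer an exact securityModel over "any" (0), then the highest securityLevel
        _, _, view_names = max(rows, key=lambda r: (r[0] == model, r[1]))
        view_name = view_names.get(view_type, "")                     # why
        if not view_name:
            return False, "noSuchView"
        if not self.in_view(view_name, oid(variable)):                # what / which
            return False, "notInView"
        return True, "accessAllowed"


def example_policy() -> Vacm:
    """Constructed policy: bob administers everything (authPriv only), liz may
    read the system and interfaces groups except interface 2, and the v2c
    community 'public' may read only the system group."""
    v = Vacm()
    v.security_to_group = {(USM, "bob"): "admins", (USM, "liz"): "operators",
                           (SNMPV2C, "public"): "legacy"}
    v.access = {
        ("admins", "", USM, AUTH_PRIV): {"read": "everything", "write": "everything", "notify": "everything"},
        ("operators", "", USM, AUTH_NO_PRIV): {"read": "status", "notify": "status"},
        ("legacy", "", SNMPV2C, NO_AUTH_NO_PRIV): {"read": "system"},
    }
    v.views = {
        "everything": [ViewFamily(oid("1.3.6.1"))],
        "system": [ViewFamily(oid("1.3.6.1.2.1.1"))],
        "status": [ViewFamily(oid("1.3.6.1.2.1.1")), ViewFamily(oid("1.3.6.1.2.1.2")),
                   # exclude every ifEntry column for interface index 2: the mask
                   # bit for the column position (index 9) is 0, all others 1
                   ViewFamily(oid("1.3.6.1.2.1.2.2.1.0.2"), included=False, mask=b"\xff\xbf")],
    }
    return v


if __name__ == "__main__":
    policy = example_policy()
    for who, model, level, op, var in [
        ("bob", USM, AUTH_PRIV, "write", "1.3.6.1.2.1.1.5.0"),        # sysName.0
        ("bob", USM, AUTH_NO_PRIV, "write", "1.3.6.1.2.1.1.5.0"),
        ("liz", USM, AUTH_NO_PRIV, "read", "1.3.6.1.2.1.2.2.1.10.2"),  # ifInOctets.2
        ("public", SNMPV2C, NO_AUTH_NO_PRIV, "read", "1.3.6.1.6.3.15.1.2.1.0"),  # usmUserSpinLock
    ]:
        print(who, op, var, policy.is_access_allowed(model, who, level, op, "", var))
```

    The usmUserSpinLock lookup shows the point made earlier about legacy managers: a v2c community that is mapped only to the "system" view cannot reach the USM configuration under 1.3.6.1.6.3.15, and the excluded family with a mask shows how a single interface row is carved out of an otherwise included subtree.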

    5. Summary of security in version 3

    III. Simulating SNMPv3 security with software

    1. Description of how to install SNMP

    2. Example of monitoring a computer and the results obtained (using Wireshark to capture packets on the network interface)