SNMP In Depth

Page 1: SNMP In Depth

SNMP In Depth

Page 2: SNMP In Depth

SNMP

Simple Network Management Protocol

– The most popular network management protocol

– Hosts, firewalls, routers, switches…UPS, power strips, ATM cards -- ubiquitous

“One of the single biggest security nightmares on networks today”

Page 3: SNMP In Depth

SNMP Transport Mechanism Flaws

UDP Based

– Unreliable - packets may or may not be received

– Easily forged - trivial to forge source of packets

Page 4: SNMP In Depth

Management Information Base

MIB -- Management Information Base

– MIBs describe object attributes

– Some MIBs are pre-loaded

– Additional MIBs are needed

  » Loaded manually

  » Downloaded from manufacturers' web sites

Standard MIBs

– MIB-I

– MIB-II

– RMON

– RMON 2

– Bridge

– Repeater

Page 5: SNMP In Depth

MIB Structure

iso (1)
  org (3)
    dod (6)
      internet (1)
        directory (1)
        mgmt (2)
          mib-2 (1)
            system (1)
              sysDescr (1)
              sysObjectID (2)
            interfaces (2)
            snmp (11)
        experimental (3)
        private (4)
          enterprises (1)
            cisco (9)
            hp (11)
            novell (23)

Page 6: SNMP In Depth

SNMP Basics

Diagram: the Manager sends Get and Set requests to the Agent (SNMP router, etc.), which retrieves or alters values in the MIB data and returns a Response; the Agent sends Traps on its own.

– Get request - Reads a value from a specific variable

– GetNext request - Traverses information from a table of specific variables

– GetBulk request -

– Set request - Writes a value into a specific variable

– Get response - Replies to a get or a set request

– Trap or Notification - A message initiated by the agent without requiring the management station to send a request

Page 7: SNMP In Depth

SNMP Popular Defaults

Popular defaults

– public

– private

– write

– “all private”

– monitor

– manager

– security

– admin

– lan

– default

– password

– tivoli

– openview

– community

– snmp

– snmpd

– system

– and on and on...

Page 8: SNMP In Depth

SNMP v1 Information Disclosure

– Routing tables

– Network topology

– Network traffic patterns

– Filter rules

Page 9: SNMP In Depth

SNMP Options

SNMP configuration

Event Configuration

– Customize event notification messages

– Define the type of event notification

– Define automatic actions when an event is received

– Create/modify alarm categories

– Configure additional actions for the operator

– Configure event correlations

SNMP data collection and threshold

SNMP MIB application builder

Load/unload MIB

Network polling configuration

License password

Page 10: SNMP In Depth

SNMP Tools

Remotely turn on the power of a PC

Web based access

Terminal Connect - provides the ability to establish a telnet session from a local system in order to manage a remote system

SNMP MIB Browser - provides a functional tool that can be used to explore, query, and set MIB values

DMI Browser

Page 11: SNMP In Depth

Agent Data Collection

Network data collected using

– SNMPv1; SNMPv2

– IP Protocol

  » TCP/IP

  » UDP

  » ICMP

  » ARP/RARP

– IPX

– DMI

  » Desktop Management Interface for accessing information about PCs and their components

Page 12: SNMP In Depth

Auto-discovery

Auto discovery of network objects based on

– IP Protocol

– Routing data on routers (ARP table)

– SNMP data

Auto assignment of symbols to represent objects

Auto arrangement of symbols on the maps and submaps

Page 13: SNMP In Depth

SNMP Event Generation

SNMP agents continuously watch for certain incidents to occur

When an incident occurs, an event is generated

Events are categorized based on the alarm type

– Alarm types are user definable

Events are displayed with color coded severity

– Severity and color codes are user definable

Event trap configuration

– Pre-defined

– User-defined generic traps

– User-defined specific traps

Page 14: SNMP In Depth

Event Correlation

Event correlation

– Discovers events that are either the same event and/or related events

– Presents these events as a single main event

– Allows drill down of the main event to view the related events

Provides four pre-defined correlations:

– Connector Down Correlation

– Scheduled Maintenance Correlation

– Repeated Event Correlation

– Pair Wise Correlation

Additional correlations may be obtained

– From web page

– From a 3rd party for a fee

– Developed by yourself -- not recommended

Page 15: SNMP In Depth

Performance Management

Network activities

– Status of the interfaces

– Error rate and percentage

– Ethernet traffic

– SNMP authentication failures, traffic, errors

– List of TCP connections

Graph CPU load and disk space usage

Graph SNMP data collected with MIB data collector

Graph data based on Interface status polling and SNMP node polling

Page 16: SNMP In Depth

Configuration Management

Network Configuration (at selected remote SNMP node)

– List interface properties

– List IP and link addresses

– List routing table

– List ARP cache table

– List the supported services

List the services for which the selected remote SNMP nodes are configured to support

List the management systems (by IP Address) that are configured to receive traps

Run the Microsoft Windows NT operating system Registry Editor

Page 17: SNMP In Depth

Performance Management

Network activities

– Status of the interfaces

– Error rate and percentage

– Ethernet traffic

– SNMP authentication failures, traffic, errors

– List of TCP connections

Graph CPU load and disk space usage (HP-UX only)

Graph SNMP data collected with MIB data collector

Graph data based on Interface status polling and SNMP node polling

Page 18: SNMP In Depth

Fault Management

Alarms -- show all alarms of selected nodes

Network Connectivity

– Poll node -- information about selected objects

– Status poll -- status about selected objects

– Capability poll -- check for remote DMI, web-management, and web server capabilities

– Ping

– Remote ping

– Locate route via SNMP

Test IP/TCP/SNMP

Interface Status -- Graphic display of number and rate of bad packets

Windows NT Event Viewer

Windows NT Diagnostic tool

Page 19: SNMP In Depth

SNMPv1 Security Flaws

Transport Mechanism

– Data manipulation

– Denial of Service

– Replay

Authentication

– Host Based

– Community Based

Information Disclosure

Page 20: SNMP In Depth

SNMP Authentication Flaws

Host Based

– Fails due to UDP transport

– DNS cache poisoning

Community Based

– Cleartext community

– Community name prediction/brute forcing

– Default communities
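The two community-based flaws on this slide and the default list on slide 7 can be seen directly in the wire format. The following is an added example, not part of the original slides: a minimal BER decoder for an SNMPv1 message that extracts the cleartext community and flags the defaults, as a monitoring check would. The sample datagram is constructed for the example.

```python
# Added example, not from the slides: decode an SNMPv1 datagram (BER) and flag defender-relevant findings.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = set("public private write monitor manager security admin lan default "
                          "password tivoli openview community snmp snmpd system".split()) | {"all private"}

def tlv(buf, pos):                          # one BER TLV at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0   # first content octet packs the first two arcs
    for x in b[1:]:                           # remaining arcs are base-128, high bit = continue
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(datagram):
    _, msg, _ = tlv(datagram, 0)            # Message ::= SEQUENCE { version, community, PDU }
    _, ver, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)           # OCTET STRING: no encryption in v1
    pdu_tag, pdu, _ = tlv(msg, p)
    q = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, q = tlv(pdu, q)
    _, vbl, _ = tlv(pdu, q)                 # VarBindList
    oids, r = [], 0
    while r < len(vbl):
        _, vb, r = tlv(vbl, r)
        _, oid, _ = tlv(vb, 0)              # each VarBind = SEQUENCE { OID, value }
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def audit(datagram):
    m, findings = parse_snmpv1(datagram), []
    if m["version"] == 0:                   # v1: the community string is the whole "authentication"
        findings.append("SNMPv1 community sent in cleartext")
    if m["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append(f"default community {m['community']!r}")
    if m["pdu"] == "SetRequest":
        findings.append("write access attempted")
    return m, findings

# Constructed sample: GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0)
SAMPLE = bytes.fromhex("302602010004067075626c6963a0190201010201000201"
                       "00300e300c06082b060102010101000500")
```

Run `audit(SAMPLE)` to see both findings for the constructed request; feeding it captured UDP/161 payloads instead shows which devices still answer to the slide 7 defaults.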

Page 21: SNMP In Depth

RMON and RMON2 Security

SNMPv1's flaws, plus additional hazards

– Introduces "action invocation" objects

– Collects extensive information on the subnet (packet captures)

Page 22: SNMP In Depth

SNMP Fixes

– Disable it

– ACL it

– Read-only