Network management: SNMP

SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC


Page 1

Network management

SNMP

Page 2

SNMP: Simple Network Management Protocol

It is a de facto Internet standard (based on RFCs).

The data that SNMP manages is represented as a tree, the MIB (Management Information Base).

The design criteria were:

– Simple.

– Lightweight.

– Low-bandwidth.

– Use of TCP/IP protocols (layers 3 and 4).

Page 3

SNMP

Simple Network Management Protocol

Doesn't SNMP solve all these problems?

– Don't be silly!

Page 4

SNMP

Where did it come from?

– Internet Engineering Task Force

» Network Management Area

– SNMP V1

– MIB definitions

– SNMPV2

Page 5

What is it?

more than just a protocol …

It defines an architecture for extracting information from the network regarding the current operational state of the network, using a vendor-independent family of mechanisms.

Page 6

Structure of Management Information (SMI)

identifies and defines the structure of management information

– RFC1155

defines

– commonly defined data items

– syntax of the data type

– semantics of the data object

Page 7

Syntax uses ASN.1 (Abstract Syntax Notation)

– binary encoding: 02 01 06 is a 1-byte integer, value 6

Primitive Types: INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL

Constructor Types: SEQUENCE <primitive-type> ... i.e. a record

SEQUENCE OF <primitive-type> ... i.e. an array

Page 8

Syntax

Defined Data Types:

IpAddress - what you expect

Counter - non-negative integer that wraps

Gauge - non-negative integer that latches

TimeTicks - time in hundredths of seconds

Page 9

SNMP NAMES

SNMP Name Structure

1 - iso
  3 - org
    6 - dod
      1 - Internet
        1 - directory
        2 - mgmt
          1 - mib
            1 - system
              1 - sysDescr
              2 - sysObjectID
            2 - interfaces
              1 - ifTable
                1 - ifEntry
                  1 - ifIndex
                  2 - ifDescr
                  3 - ifType
                  ....
                  10 - ifInOctets
        3 - expt
        4 - private
          1 - Enterprise
            9 - cisco

Page 10

SNMP

Management Information Base (MIB)

– "database" of network objects

– Groups:

» System, Interfaces, Address Translation, IP, ICMP, TCP, UDP, EGP

– "Access" and "Status" attributes

– actual variables are "instances" of OIDs

1.3.6.1.2.1.1.1.0 sysDescr

1.3.6.1.2.1.2.1.1.10.3 ifInOctets for interface 3

1.3.6.1.2.1.4.21.1.7.130.56.0.0 ipRouteNextHop for network 130.56.0.0

Page 11

SNMP

The SNMP protocol itself

– allows inspection and alteration of MIB variables

UDP Based

– not acknowledged transactions

PUT, GET, GET-NEXT operators

Page 12

SNMP

SNMP Traps

– unsolicited notification of events

– can include variable list

– ColdStart, WarmStart

– LinkUp, LinkDown

– Authentication Failure

– EGP Neighbour Loss

– Enterprise Specific

Page 13

Network Management Software

SNMP Agents

– provided by all router vendors

– many expanded (enterprise) MIBs

– bridges, wiring concentrators, toasters

Page 14

Network Management Software

Public Domain

– Application Programming Interfaces available from CMU and MIT

– include a variety of applications

Page 15

Network Management Software

Commercially

– many offerings, UNIX and PC based

» HP OpenView

» SunNet Manager

» Cabletron Spectrum

» *MANY* others

Page 16

Choosing a Management Platform

Does it:

a) Support your systems?

b) Run on your platforms?

c) Meet your requirements?

d) Match your resources?

Page 17

Choosing a Management Platform

Maybe you can get away with something quick and dirty using existing tools.

Maybe a commercial management product will meet your operational requirements.

Page 18

SNMP Tutorial

Page 19

Tutorial Overview

Introduction

Management Information Base (MIB)

Simple Network Management Protocol (SNMP)

SNMP Commands

Tools

- 'SNMPwalk' (CLI)

- 'MIB Browser' (GUI)

Page 20

Introduction

SNMP (Simple Network Management Protocol) is an application layer protocol that facilitates the exchange of management information between network devices.

- Application-layer protocol for managing TCP/IP based networks.

- Runs over UDP, which runs over IP, using ports 161 and 162.

- Two versions of SNMP exist: SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2).

Page 21

Basic tasks that fall under this category are:

Configuration Management

– Keeping track of device settings

Fault Management

– Dealing with problems and emergencies in the network, i.e. server, router

Performance Management

Page 22

Network Management Success Factors

The management interface must be

– Standardized

– Extendable

– Portable

The management mechanism must be

– Inexpensive

Page 23

Major functions

Configuration Management - inventory, configuration, provisioning

Fault Management - reactive and proactive network fault management

Performance Management - # of packets dropped, timeouts, collisions, CRC errors

Security Management - SNMP doesn't provide much here

Accounting Management - cost management and chargeback assessment

Asset Management - statistics of equipment, facility, and administration personnel

Planning Management - analysis of trends to help justify a network upgrade or bandwidth increase

Page 24

History

1983 - TCP/IP replaces ARPANET at U.S. Dept. of Defense, effective birth of Internet

– First model for net management - HEMS - High-Level Entity Management System (RFCs 1021, 1022, 1024, 1076)

1987 - ISO OSI proposes CMIP - Common Management Information Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet

Nov. 1987 - SGMP - Simple Gateway Monitoring protocol (RFC 1028)

1989 - Marshall T. Rose heads up SNMP working group to create a common network management framework to be used by both SGMP and CMOT to allow for transition to CMOT

Aug. 1989 - "Internet-standard Network Management Framework" defined (RFCs 1065, 1066, 1067)

Apr. 1989 - SNMP promoted to recommended status as the de facto TCP/IP network management framework (RFC 1098)

June 1989 - IAB committee decides to let SNMP and CMOT develop separately

May 1990 - IAB promotes SNMP to a standard protocol with a recommended status (RFC 1157)

Mar. 1991 - format of MIBs and traps defined (RFCs 1212, 1215)

– TCP/IP MIB definition revised to create SNMPv1 (RFC 1213)

Page 25

SNMP & OSI model

7 Application Layer: Management and Agent APIs; SNMP

6 Presentation Layer: ASN.1 and BER

5 Session Layer: RPC and NetBIOS

4 Transport Layer: TCP and UDP

3 Network Layer: IP and IPX

2 Data Link Layer: Ethernet, Token Ring, FDDI

1 Physical Layer

Page 26

Port & UDP

• SNMP uses User Datagram Protocol (UDP) as the transport mechanism for SNMP messages

• UDP Port 161 - SNMP Messages

• UDP Port 162 - SNMP Trap Messages

• Like FTP, SNMP uses two well-known ports to operate.

Encapsulation: Ethernet Frame > IP Packet > UDP Datagram > SNMP Message, followed by the frame CRC

Page 27

SNMP Components

An SNMP-managed network consists of three key components:

– managed devices,

– agents, and

– network-management systems (NMSs).

Page 28

SNMP components

A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.

An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.

Page 29

Page 30

Basic Command

Managed devices are monitored and controlled using four basic SNMP commands: read, write, trap, and traversal operations.

– The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.

– The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.

– The trap command is used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.

– Traversal operations are used by the NMS to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.

Page 31

Language of SNMP

• Structure of Management Information (SMI): specifies the format used for defining managed objects that are accessed via the SNMP protocol

• Abstract Syntax Notation One (ASN.1): used to define the format of SNMP messages and managed objects (MIB modules) using an unambiguous data description format

• Basic Encoding Rules (BER): used to encode the SNMP messages into a format suitable for transmission across a network

Page 32

Abstract Syntax Notation One

ASN.1 is nothing more than a language definition. It is similar to C/C++ and other programming languages.

Syntax examples:

  -- two dashes is a comment -- The C equivalent is written in the comment
  MostSevereAlarm ::= INTEGER              -- typedef MostSevereAlarm int;
  circuitAlarms MostSevereAlarm ::= 3      -- MostSevereAlarm circuitAlarms = 3;
  MostSevereAlarm ::= INTEGER (1..5)       -- specify a valid range
  ErrorCounts ::= SEQUENCE {
      circuitID          OCTET STRING,
      erroredSeconds     INTEGER,
      unavailableSeconds INTEGER
  }                                        -- data structures are defined using the SEQUENCE keyword

Page 33

Simple Data Types

• INTEGER -- signed 32-bit integer

• OCTET STRING

• OBJECT IDENTIFIER (OID)

• NULL -- not actually a data type, but a data value

• IpAddress -- OCTET STRING of size 4, in network byte order (B.E.)

• Counter -- unsigned 32-bit integer (rolls over)

• Gauge -- unsigned 32-bit integer (will top out and stay there)

• TimeTicks -- unsigned 32-bit integer (rolls over after 497 days)

• Opaque -- used to create new data types not in SNMPv1

• DateAndTime, DisplayString, MacAddress, PhysAddress, TimeInterval, TimeStamp, TruthValue, VariablePointer -- textual conventions used as types

(On the original slide, red items are defined by ASN.1 and blue items by RFC 1155.)

Page 34

SNMP overview: 4 key parts

Management information base (MIB):

– distributed information store of network management data

Structure of Management Information (SMI):

– data definition language for MIB objects

SNMP protocol

– convey manager<->managed object info, commands

security, administration capabilities

– major addition in SNMPv3

Page 35

MIB

Management Information Base (MIB) is a collection of information that is organized hierarchically. MIBs are accessed using a network-management protocol such as SNMP. They are comprised of managed objects and are identified by object identifiers.

Page 36

Two types of managed objects exist: scalar and tabular

– Scalar objects define a single object instance.

– Tabular objects define multiple related object instances that are grouped in MIB tables.

Page 37

Always defined and referenced within the context of a MIB

A typical MIB variable definition:

  sysContact OBJECT-TYPE                     -- OBJECT-TYPE is a macro
      SYNTAX  DisplayString (SIZE (0..255))
      ACCESS  read-write                     -- or read-only, write-only, not-accessible
      STATUS  mandatory                      -- or optional, deprecated, obsolete
      DESCRIPTION
          "CEPN1331 Computer Network"
      ::= { system 4 }

Page 38

MIB – Management Information Base

MIB Breakdown…

- OBJECT-TYPE - String that describes the MIB object.

- Object IDentifier (OID).

- SYNTAX - Defines what kind of info is stored in the MIB object.

- ACCESS - READ-ONLY, READ-WRITE.

- STATUS - State of the object in regards to the SNMP community.

- DESCRIPTION - Reason why the MIB object exists.

Standard MIB Object:

  sysUpTime OBJECT-TYPE
      SYNTAX  TimeTicks
      ACCESS  read-only
      STATUS  mandatory
      DESCRIPTION
          "Time since the network management portion of the system was last re-initialised."
      ::= { system 3 }

Page 39

MIB – Management Information Base

Object IDentifier (OID)

- Example .1.3.6.1.2.1.1

- iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1)

Note:

- .1.3.6.1 ~100% present.

- mgmt and private most common.

- MIB-2 successor to original MIB.

- STATUS 'mandatory', all or nothing in group.

iso(1)
  org(3)
    dod(6)
      internet(1)
        directory(1)
        mgmt(2)
          mib-2(1)
            system(1)
            interfaces(2)
            ip(4)
            tcp(6)
        experimental(3)
        private(4)

Page 40

Page 41

MIB – Management Information Base

system(1) group

- Contains objects that describe some basic information on an entity.

- An entity can be the agent itself or the network object that the agent is on.

mib-2(1)
  system(1)
  interfaces(2)

system(1) group objects

- sysDescr(1) Description of the entity.

- sysObjectID(2) Vendor defined OID string.

- sysUpTime(3) Time since net-mgt was last re-initialised.

- sysContact(4) Name of person responsible for the entity.

Page 42

MIB – Management Information Base

MIB - tree view

mib-2(1)
  system(1)
    sysDesc(1)
    sysObjectID(2)
    sysUpTime(3)
    sysContact(4)

MIB - syntax view

  sysUpTime OBJECT-TYPE
      SYNTAX  INTEGER
      ACCESS  read-only
      STATUS  mandatory
      DESCRIPTION
          "The time (in hundredths of a second) since the network management portion of the system was last re-initialized."

Page 43

MIB – Management Information Base

SNMP Instances

- Each MIB object can have an instance.

- A MIB for a router's (entity) interface information…

iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) ifTable(2) ifEntry(1) ifType(3)

- Require one ifType value per interface (e.g. 3)

- One MIB object definition can represent multiple instances through Tables, Entries, and Indexes.

Page 44

MIB – Management Information Base

Tables, Entries, and Indexes.

- Imagine tables as spreadsheets…

- Three interface types require 3 rows (index no.s)

- Each column represents a MIB object, as defined by the entry node.

             ifType(3)       ifMtu(4)    Etc…
  Index #1   ifType.1:[6]    ifMtu.1
  Index #2   ifType.2:[9]    ifMtu.2
  Index #3   ifType.3:[15]   ifMtu.3

ENTRY + INDEX = INSTANCE

Page 45

Simple Network Management Protocol

Retrieval protocol for MIB.

Can retrieve by

- CLI (snmpwalk),

- GUI (MIB Browser), or

- Larger applications (Sun Net Manager) called Network Management Software (NMS).

NMS is a collection of smaller applications to manage the network with illustrations, graphs, etc.

NMS software runs on Network Management Stations (also NMS), which can run several different NMS software applications.

Page 46

SMI: data definition language

Purpose: syntax, semantics of management data well-defined, unambiguous

base data types:

– straightforward, boring

OBJECT-TYPE

– data type, status, semantics of managed object

MODULE-IDENTITY

– groups related objects into MIB module

Basic Data Types: INTEGER, Integer32, Unsigned32, OCTET STRING, OBJECT IDENTIFIER, IpAddress, Counter32, Counter64, Gauge32, TimeTicks, Opaque

Page 47

SNMP MIB

OBJECT-TYPE: objects are specified via the SMI OBJECT-TYPE construct

MODULE-IDENTITY: a MIB module is specified via the SMI MODULE-IDENTITY construct (100 standardized MIBs, more vendor-specific)

Page 48

SMI: Object, module examples

OBJECT-TYPE: ipInDelivers

  ipInDelivers OBJECT-TYPE
      SYNTAX      Counter32
      MAX-ACCESS  read-only
      STATUS      current
      DESCRIPTION
          "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)"
      ::= { ip 9 }

MODULE-IDENTITY: ipMIB

  ipMIB MODULE-IDENTITY
      LAST-UPDATED "941101000Z"
      ORGANIZATION "IETF SNMPv2 Working Group"
      CONTACT-INFO
          "Keith McCloghrie
           ……"
      DESCRIPTION
          "The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes."
      REVISION "019331000Z"
      ………
      ::= { mib-2 48 }

Page 49

MIB example: UDP module

  Object ID         Name             Type       Comments
  1.3.6.1.2.1.7.1   UDPInDatagrams   Counter32  total # datagrams delivered at this node
  1.3.6.1.2.1.7.2   UDPNoPorts       Counter32  # undeliverable datagrams, no app at port
  1.3.6.1.2.1.7.3   UDPInErrors      Counter32  # undeliverable datagrams, all other reasons
  1.3.6.1.2.1.7.4   UDPOutDatagrams  Counter32  # datagrams sent
  1.3.6.1.2.1.7.5   udpTable         SEQUENCE   one entry for each port in use by app, gives port # and IP address

Page 50

SNMP Naming

question: how to name every possible standard object (protocol, data, more..) in every possible network standard??

answer: ISO Object Identifier tree:

– hierarchical naming of all objects

– each branchpoint has name, number

1.3.6.1.2.1.7.1 = ISO(1) . ISO-ident. Org.(3) . US DoD(6) . Internet(1) . management(2) . MIB2(1) . UDP(7) . udpInDatagrams(1)

Page 51

OSI Object Identifier Tree

Check out www.alvestrand.no/harald/objectid/top.html

Page 52

SNMP protocol

Two ways to convey MIB info, commands:

request/response mode: the managing entity sends a request to the agent on the managed device, and the agent answers with a response carrying the agent data.

trap mode: the agent on the managed device sends an unsolicited trap msg to the managing entity.

Page 53

SNMP protocol: message types

  Message type                                  Function
  GetRequest, GetNextRequest, GetBulkRequest    Mgr-to-agent: "get me data" (instance, next in list, block)
  InformRequest                                 Mgr-to-Mgr: here's MIB value
  SetRequest                                    Mgr-to-agent: set MIB value
  Response                                      Agent-to-mgr: value, response to Request
  Trap                                          Agent-to-mgr: inform manager of exceptional event

Page 54

SNMP protocol: message formats
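The BER rule from the ASN.1 slide (02 01 06 is a one-byte INTEGER of value 6) and the message format this slide refers to, carried through in code. This is an added example written for this page, not code from the slides: a small pure-Python BER encoder/decoder for the SNMPv1 primitive types that builds a GetRequest for sysDescr.0 (the community string, request-id and OID are constructed sample values) and parses it back.

```python
# Added example (not from the slides): minimal BER encoder/decoder for the
# SNMPv1 primitive types, used to build and parse a GetRequest for sysDescr.0.
# Pure Python, no SNMP library; the wire layout follows RFC 1157.

# ASN.1/BER tag bytes used by SNMPv1 (RFC 1155 / RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific, constructed


def tlv(tag, payload):
    """Wrap payload in a tag-length-value triple (definite length form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                                 # long form: 0x80 | count, then count bytes
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload


def ber_int(v):
    """Two's-complement INTEGER in the fewest bytes: 6 -> 02 01 06."""
    size = 1
    while not -(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1)):
        size += 1
    return tlv(INTEGER, v.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with the high bit set on every byte but the last of each arc."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    GetRequest-PDU { request-id, error-status, error-index, varbind list } }"""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))   # value is NULL in a request
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def decode(buf, pos=0):
    """Parse one TLV at pos; return (tag, value, next_pos). Constructed types
    decode to lists of (tag, value), INTEGER to int, OID to dotted text,
    everything else to raw bytes."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    body, end = buf[pos:pos + n], pos + n
    if tag in (SEQUENCE, GET_REQUEST, GET_RESPONSE):
        items, p = [], 0
        while p < len(body):
            t, v, p = decode(body, p)
            items.append((t, v))
        return tag, items, end
    if tag == INTEGER:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == OID:
        arcs, acc = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        return tag, ".".join(map(str, arcs)), end
    return tag, body, end


def request_oids(msg):
    """Community string and the OIDs a GetRequest asks for, from raw bytes."""
    _, (version, community, pdu), _ = decode(msg)
    assert version[1] == 0, "not an SNMPv1 message"
    varbinds = pdu[1][3][1]                # 4th PDU field is the varbind list
    return community[1].decode(), [vb[1][0][1] for vb in varbinds]
```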

Page 55

SNMP security and administration

encryption: DES-encrypt SNMP message

authentication: compute, send MIC(m,k): compute hash (MIC) over message (m), secret shared key (k)

protection against playback: use nonce

view-based access control

– SNMP entity maintains database of access rights, policies for various users

– database itself accessible as managed object!
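An added example, not from the slides, showing how a receiving SNMP entity could combine the three mechanisms listed here (MIC with a shared key, a nonce against playback, view-based access control). It is deliberately simplified relative to SNMPv3's USM and VACM: it uses HMAC-SHA256 instead of the standard's truncated HMAC-MD5/SHA and a nonce cache instead of engine time windows, and all users, keys and views are constructed.

```python
# Added example (not from the slides; simplified relative to SNMPv3 USM/VACM).
# Sender computes MIC(m, k) over the request plus a nonce; the receiver verifies
# the MIC, rejects a reused nonce, then applies the per-user read/write views.
import hashlib
import hmac


def oid_key(oid):
    """Arc-by-arc integer tuple, so prefix checks compare numbers, not text."""
    return tuple(int(a) for a in oid.strip(".").split("."))


def in_view(oid, view):
    """A view is a list of OID subtrees; the OID is visible if one is a prefix."""
    k = oid_key(oid)
    return any(k[:len(oid_key(sub))] == oid_key(sub) for sub in view)


def canonical(user, op, oid, nonce):
    """Bytes the MIC covers: every field a forger could alter, plus the nonce,
    so a captured request cannot be resent under a fresh nonce either."""
    return b"\x00".join([user.encode(), op.encode(), oid.encode(), nonce])


def sign(key, user, op, oid, nonce):
    """Sender side: MIC(m, k) as an HMAC over the canonical request."""
    return hmac.new(key, canonical(user, op, oid, nonce), hashlib.sha256).digest()


class SnmpEntity:
    READ_OPS = ("get", "getnext")

    def __init__(self, keys, views):
        self.keys = keys              # user -> shared secret k
        self.views = views            # user -> {"read": [subtrees], "write": [subtrees]}
        self.seen_nonces = set()      # playback protection (unbounded here; a
                                      # real agent bounds it with a time window)

    def authorize(self, user, op, oid, nonce, mic):
        """Return (allowed, reason). The MIC is checked before the nonce cache
        is touched, so unauthenticated traffic cannot fill the cache."""
        key = self.keys.get(user)
        if key is None:
            return False, "unknown user"
        if not hmac.compare_digest(sign(key, user, op, oid, nonce), mic):
            return False, "bad MIC"
        if nonce in self.seen_nonces:
            return False, "playback"
        self.seen_nonces.add(nonce)
        kind = "read" if op in self.READ_OPS else "write"
        if not in_view(oid, self.views.get(user, {}).get(kind, [])):
            return False, f"{oid} not in {kind} view of {user}"
        return True, "ok"


def demo_entity():
    """Constructed policy: 'operator' may only read mib-2; 'admin' may also
    write the system group (so a Set of sysContact.0 needs the admin key)."""
    keys = {"operator": b"operator-secret", "admin": b"admin-secret"}
    views = {
        "operator": {"read": ["1.3.6.1.2.1"], "write": []},
        "admin": {"read": ["1.3.6.1"], "write": ["1.3.6.1.2.1.1"]},
    }
    return SnmpEntity(keys, views)
```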

Page 56

SNMP Commands

SNMP has 5 different functions referred to as Protocol Data Units (PDUs), which are:

(1) GetRequest, aka Get

(2) GetNextRequest, aka GetNext

(3) GetResponse, aka Response

(4) SetRequest, aka Set

(5) Trap

Page 57

SNMP Commands [Get]

GetRequest [Get]

- Most common PDU.

- Used to ask an SNMP agent for the value of a particular MIB object.

- NMS sends out 1 Get PDU for each instance, which is a unique OID string.

- What happens if you don't know how many instances of a MIB object exist?

Page 58

SNMP Commands [GetNext]

GetNextRequest [GetNext]

- NMS application uses GetNext to 'walk' down a table within a MIB.

- Designed to ask for the OID and value of the MIB instance that comes after the one asked for.

- Once the agent responds the NMS application can increment its count and generate a GetNext.

- This can continue until the NMS application detects that the OID has changed, i.e. it has reached the end of the table.
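The table walk described here, together with the ENTRY + INDEX = INSTANCE table from the Tables, Entries, and Indexes slide, as an added example that is not part of the original slides: an in-memory agent holding the slide's ifType instances (6, 9, 15) plus constructed ifMtu and system values, and a manager-side walk that uses only GetNext and stops when the returned OID leaves the requested column.

```python
# Added example (not from the slides): an in-memory SNMPv1-style agent whose MIB
# is the ifTable fragment shown on the slides, and a manager-side walk that is
# built purely from GetNext. All stored values are constructed for illustration.

IF_ENTRY = "1.3.6.1.2.1.2.2.1"     # mib-2(1).interfaces(2).ifTable(2).ifEntry(1)
SYS = "1.3.6.1.2.1.1"              # mib-2(1).system(1)

# ENTRY + INDEX = INSTANCE: column OID plus the interface index names one cell.
MIB = {
    SYS + ".1.0": "router-1 (constructed sysDescr)",       # sysDescr.0
    SYS + ".3.0": 123456,                                  # sysUpTime.0 in ticks
    IF_ENTRY + ".3.1": 6,    IF_ENTRY + ".3.2": 9,    IF_ENTRY + ".3.3": 15,    # ifType
    IF_ENTRY + ".4.1": 1500, IF_ENTRY + ".4.2": 1500, IF_ENTRY + ".4.3": 4470,  # ifMtu
}


def oid_key(oid):
    """Compare OIDs arc by arc as integers. Plain string comparison would put
    '...3.10' before '...3.2' and silently truncate a walk."""
    return tuple(int(a) for a in oid.strip(".").split("."))


class Agent:
    def __init__(self, mib):
        self.mib = mib
        self.oids = sorted(mib, key=oid_key)   # lexicographic MIB order

    def get(self, oid):
        """GetRequest: exact instance, or None standing in for noSuchName."""
        return self.mib.get(oid)

    def get_next(self, oid):
        """GetNextRequest: first instance strictly after oid, or None at the end
        of the MIB. The requested OID need not exist (a column prefix works)."""
        k = oid_key(oid)
        for cand in self.oids:
            if oid_key(cand) > k:
                return cand, self.mib[cand]
        return None


def in_subtree(oid, prefix):
    pk, ok = oid_key(prefix), oid_key(oid)
    return ok[:len(pk)] == pk


def walk(agent, prefix):
    """snmpwalk-style traversal: keep issuing GetNext with the last OID
    returned, and stop when the agent answers with an OID outside the prefix
    (end of the table/column) or with nothing at all (end of MIB)."""
    rows, cur = [], prefix
    while True:
        nxt = agent.get_next(cur)
        if nxt is None or not in_subtree(nxt[0], prefix):
            return rows
        rows.append(nxt)
        cur = nxt[0]


def table_rows(agent, entry_oid, columns):
    """Rebuild the slide's spreadsheet view as {index: {column: value}} by
    walking one column at a time (single-arc index, as in ifTable)."""
    rows = {}
    for col in columns:
        for oid, value in walk(agent, f"{entry_oid}.{col}"):
            index = int(oid.rsplit(".", 1)[1])
            rows.setdefault(index, {})[col] = value
    return rows
```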

Page 59

SNMP Commands [GetResponse]

GetResponse [Response]

- Simply a response to a Get, GetNext or Set.

- SNMP agent responds to all requests or commands via this PDU.

Page 60

SNMP Commands [SetRequest]

SetRequest [Set]

- Issued by an NMS application to change a MIB instance to the variable within the Set PDU.

- For example, you could issue a GetRequest against a KDEG server asking for sysLocation.0 and may get 'ORI' as the response.

- Then, if the server was moved, you could issue a Set against that KDEG server to change its location to 'INS'.

- You must have the correct permissions when using the Set PDU.

Page 61

SNMP Commands [Trap]

Trap

- Asynchronous notification.

- SNMP agents can be programmed to send a trap when a certain set of circumstances arise.

- Circumstances can be viewed as thresholds, i.e. a trap may be sent when the temperature of the core breaches a predefined level.

Page 62

SNMP Security

SNMP Community Strings (like passwords)

- 3 kinds:

- READ-ONLY: You can send out a Get & GetNext to the SNMP agent, and if the agent is using the same read-only string it will process the request.

- READ-WRITE: Get, GetNext, and Set. If a MIB object has an ACCESS value of read-write, then a Set PDU can change the value of that object with the correct read-write community string.

- TRAP: Allows administrators to cluster network entities into communities. Fairly redundant.

Page 63

SNMP Tools

Command Line Interface

– e.g. 'snmpwalk'

Graphical User Interface

– e.g. iReasoning's MIB Browser

» Or via www.ireasoning.com

Page 64: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (1)

Initial set-up... java -Xmx384m -jar “XYZ\lib\browser.jar” (where XYZ = your specific path)

Breakdown…

- LHS is the

SNMP MIB

structure.

- Lower LHS has

details of MIB

structure.

- RHS will

present MIB

values.

Page 65: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (2)

Discovery…

- Subnet: 134.XXX.XXX.*

- Read Community: public

Start

Note IP Address.

Stop

Page 66: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (3)

Navigation…

- MIB Tree

System

sysUpTime

-Notice Lower LHS

- Notice OID

Page 67: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (4)

SNMP PDU’s…

(1) Get

- Select „Go‟

„Get‟

- RHS has values.

- OID – Value

Page 68: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (5)

SNMP PDU’s…

(2) GetNext

-Selected OID is:

.1.3.6.1.2.1.1.5

-Returned value:

(.1.3.6.1.2.1.1.6)

or

“DSG, O‟Reilly Institute,

F.35”

Page 69: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (6)

SNMP…

(3) Get SubTree

-Position of MIB:

.1.3.6.1.2.1.1

(a.k.a. system)

-RHS values:

Returns all values

below system.

Page 70: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (7)

SNMP…

(4) Walk

-MIB Location:

.1.3.6.1.2.1

(a.k.a. mib-2)

- Returns *ALL*

values under mib-2

Page 71: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (8)

Tables…

- MIB Location:

.1.3.6.1.2.1.2.2

(or interfaces)

- Select ifTable,

Go, then Table

View.

- Refresh/Poll

Page 72: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP – MIB Browser (9)

SNMP…

- Graph

- Select a value from the RHS, say sysUpTime

- Highlight and select „Go‟, then „Graph‟.

- Interval = 1s set.

Page 73:

The presentation problem

Q: does perfect memory-to-memory copy solve "the communication problem"?

A: not always!

problem: different data format, storage conventions

    struct {
        char code;
        int x;
    } test;

    test.x = 256;
    test.code = 'a';

host 1 format: test.code = a, test.x = 00000001 00000011

host 2 format: test.code = a, test.x = 00000011 00000001

Page 74:

A real-life presentation problem:

[Figure: aging 60's hippie, 2004 teenager, grandma]

Page 75:

Presentation problem: potential solutions

1. Sender learns receiver's format. Sender translates into receiver's format. Sender sends.

real-world analogy? pros and cons?

2. Sender sends. Receiver learns sender's format. Receiver translates into receiver-local format.

real-world analogy? pros and cons?

3. Sender translates into host-independent format. Sends. Receiver translates to receiver-local format.

real-world analogy? pros and cons?

Page 76:

Solving the presentation problem

1. Translate local-host format to host-independent format

2. Transmit data in host-independent format

3. Translate host-independent format to remote-host format

[Figure: aging 60's hippie, 2004 teenager, grandma]

Page 77: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

ASN.1: Abstract Syntax Notation 1

ISO standard X.680

– used extensively in Internet

– like eating vegetables, knowing this “good for

you”!

defined data types, object constructors

– like SMI

BER: Basic Encoding Rules

– specify how ASN.1-defined data objects to be

transmitted

– each transmitted object has Type, Length, Value

(TLV) encoding

Page 78: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

TLV Encoding

Idea: transmitted data is self-identifying

– T: data type, one of ASN.1-defined types

– L: length of data in bytes

– V: value of data, encoded according to ASN.1

standard

1

2

3

4

5

6

9

Boolean

Integer

Bitstring

Octet string

Null

Object Identifier

Real

Tag Value Type

Page 79: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

TLV

encoding:

example

Value, 5 octets (chars)Length, 5 bytes

Type=4, octet string

Value, 259Length, 2 bytesType=2, integer
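The TLV encoding above, and the cleartext community string from the SNMP Security slide, as an added example that is not part of the original slides: a minimal BER encoder/decoder for the ASN.1 types SNMP uses, which builds an SNMPv1 GetRequest and parses it back out of the datagram. The community 'public', the request-id 42 and the sysName.0 OID .1.3.6.1.2.1.1.5.0 are constructed sample values.

```python
"""BER (TLV) encoding of the ASN.1 types SNMP uses and a round trip of an
SNMPv1 GetRequest.  Added example, not from the slides; the community
'public', request-id 42 and the sysName.0 OID are constructed sample values."""

INTEGER, OCTET_STRING, NULL, OBJECT_ID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST = 0xA0      # context-specific, constructed tag of a GetRequest PDU


def encode_length(n: int) -> bytes:
    """Short form below 128, else 0x80 | number of length octets that follow."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Type, Length, Value: the self-identifying unit of every BER object."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """Two's complement, minimal for non-negative v: 259 -> 02 02 01 03."""
    n = (v.bit_length() + 8) // 8       # one extra bit keeps the sign bit clear
    return tlv(INTEGER, v.to_bytes(max(n, 1), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """Arcs a.b.c...: first octet is 40*a+b; each later arc is base-128 with
    the high bit set on every octet except the last one of that arc."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OBJECT_ID, bytes(out))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: this octet gives the length of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag: int, value: bytes):
    if tag == INTEGER:
        return int.from_bytes(value, "big", signed=True)
    if tag == OBJECT_ID:
        return decode_oid(value)
    if tag == NULL:
        return None
    if tag == OCTET_STRING:
        return value
    raise ValueError(f"unexpected tag 0x{tag:02x}")


def build_get_request(community: bytes, oids, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version (0 for v1), community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community)
               + tlv(GET_REQUEST, pdu))


def parse_snmpv1(buf: bytes) -> dict:
    """Walk the TLV tree back out of the datagram.  The community string is a
    plain OCTET STRING, which is why v1/v2c carries its 'password' in the clear."""
    _, msg, _ = read_tlv(buf)
    _, version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)      # error-status
    _, _, pos = read_tlv(pdu, pos)      # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {"version": decode_value(INTEGER, version), "community": community.decode(),
            "pdu_type": pdu_tag, "request_id": decode_value(INTEGER, request_id),
            "varbinds": varbinds}


if __name__ == "__main__":
    datagram = build_get_request(b"public", ["1.3.6.1.2.1.1.5.0"], 42)
    print(datagram.hex())
    print(parse_snmpv1(datagram))
```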

Page 80:

Network Management: summary

network management

– extremely important: 80% of network "cost"

– ASN.1 for data description

– SNMP protocol as a tool for conveying information

Network management: more art than science

– what to measure/monitor

– how to respond to failures?

– alarm correlation/filtering?

Page 81:

Network Management and Security

Outline

Basic Concepts of SNMP

SNMPv1 Community Facility

SNMPv3

Page 82:

Basic Concepts of SNMP

An integrated collection of tools for network monitoring and control.

– Single operator interface

– Minimal amount of separate equipment. Software and network communications capability built into the existing equipment

SNMP key elements:

– Management station

– Management agent

– Management information base

– Network Management protocol

» Get, Set and Notify

Page 83:

Protocol context of SNMP

Page 84:

Proxy Configuration

Page 85:
Page 86:

SNMP v1 and v2

Trap – an unsolicited message (reporting an alarm condition)

SNMPv1 is "connectionless" since it utilizes UDP (rather than TCP) as the transport layer protocol.

SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.

Page 87:

Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU | SNMPv2 PDU | Direction | Description

GetRequest | GetRequest | Manager to agent | Request value for each listed object

GetNextRequest | GetNextRequest | Manager to agent | Request next value for each listed object

------ | GetBulkRequest | Manager to agent | Request multiple values

SetRequest | SetRequest | Manager to agent | Set value for each listed object

------ | InformRequest | Manager to manager | Transmit unsolicited information

GetResponse | Response | Agent to manager, or manager to manager (SNMPv2) | Respond to manager request

Trap | SNMPv2-Trap | Agent to manager | Transmit unsolicited information

Page 88:

SNMPv1 Community Facility

SNMP Community – Relationship between an SNMP agent and SNMP managers.

Three aspects of agent control:

– Authentication service

» Access to MIB is restricted to authorised managers

– Access policy

» Different access rights to different managers

– Proxy service

» The agent as a broker for other agents

Page 89:

Access policy

By defining a community, the agent restricts access to the MIB.

Access control:

– SNMP MIB view: a subset of objects within a MIB. Different views can be defined. The set of objects in a view need not belong to a single subtree of the MIB.

– SNMP access mode: an element of the set {READ-ONLY, READ-WRITE}. An access mode is defined for each community.

SNMP community profile

Page 90:

SNMPv1 Administrative Concepts

Page 91:

SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2

User security model (USM)

Page 92: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Traditional SNMP Manager

Page 93: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Traditional SNMP Agent

Page 94: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC
Page 95: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMPv3 Flow

Page 96: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

SNMP3 Message Format with

USM

Page 97: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

User Security Model (USM)

Designed to secure against:

– Modification of information (Τξνπνπνίεζε πιεξνθνξηώλ)

– Masquerade (Μεηακθίεζε)

– Message stream modification (Τξνπνπνίεζε ξνήο κελπκάησλ)

– Disclosure (Απνθάιπςε)

Not intended to secure against:

– Denial of Service (DoS attack) (Αξλεζε παξνρήο ππεξεζηώλ)

– Traffic analysis (Αλάιπζε θίλεζεο)

Page 98: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Key Localization Process

Page 99: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

View-Based Access Control

Model (VACM)

VACM has two characteristics:

– Determines whether access to a managed object

should be allowed.

– Make use of an MIB that:

» Defines the access control policy for this agent.

» Makes it possible for remote configuration to be

used.

Page 100: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Access control decision

Page 101: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Network security

Intruders and Viruses

Page 102: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Outline

Intruders

– Intrusion Techniques

– Password Protection

– Password Selection Strategies

– Intrusion Detection

Viruses and Related Threats

– Malicious Programs

– The Nature of Viruses

– Antivirus Approaches

– Advanced Antivirus Techniques

Page 103: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Intruders

Three classes of intruders (hackers or

crackers):

– Masquerader (κεηακθηεζκέλνο)

– Misfeasor (παξάλνκνο)

– Clandestine user (θξπθόο ρξήζηεο)

Page 104: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Intrusion Techniques

System maintain a file that associates a

password with each authorized user.

Password file can be protected with:

– One-way encryption (κνλόδξνκε

θξππηνγξάθεζε: απνζήθεπζε

θξππηνγξαθεκέλεο κνξθήο ζπλζεκαηηθνύ

ρξήζηε)

– Access Control (έιεγρνο πξόζβαζεο ζην αξρείν

ζπλζεκαηηθώλ)

Page 105: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Intrusion Techniques

Techniques for guessing passwords:• Try default passwords.• Try all short words, 1 to 3 characters long.• Try all the words in an electronic dictionary(60,000).• Collect information about the user‟s hobbies, family

names, birthday, etc.• Try user‟s phone number, social security number,

street address, etc.• Try all license plate numbers (MUP103).• Use a Trojan horse• Tap the line between a remote user and the host

system.

Prevention: Enforce good password selection (Ij4Gf4Se%f#)

Page 106:

UNIX Password Scheme

Loading a new password

Page 107:

UNIX Password Scheme

Verifying a password file

Page 108:

Storing UNIX Passwords

UNIX passwords were kept in a publicly readable file, etc/passwords.

Now they are kept in a "shadow" directory and are only visible to "root".

Page 109:

"Salt"

The salt serves three purposes:

– Prevents duplicate passwords from being visible in the password file.

– Effectively increases the length of the password.

– Prevents the use of hardware implementations of DES.

Page 110:

Password Selecting Strategies

User education

Computer-generated passwords

Reactive password checking (the system periodically runs its own password cracker)

Proactive password checking

Page 111: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Markov Model: ηερληθή

πξνιεπηηθνύ ειεγθηή

Μνληέιν γηα

ηελ παξαγσγή

πξνβιέςηκσλ

ζπλζεκαηηθώλ:

m: ν αξηζκόο

θαηαζηάζεσλ

ζην κνληειν

Α: ν ρώξνο

θαηαζηάζεσλ

Τ: πηλαθαο

πηζαλνηεησλ

K: ε ηάμε ηνπ

κνληέινπ

Page 112: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Transition Matrix

1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.

2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij.

3. Compute the entries of T as follows:

),,(),,(

),,(

jif

kjifkjiT
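The three steps above carried through in code, as an added example that is not part of the original slides: the trigram frequencies f, the transition matrix T, and the likelihood the model assigns to a candidate password. The training dictionary is a constructed stand-in for a real list of guessable passwords, T is stored sparsely rather than as a full m x m x m array, and the rejection threshold is an assumption of this example.

```python
"""Order-2 Markov model of a password dictionary, following the slides'
transition-matrix recipe.  Added example, not from the slides; the training
dictionary is a constructed stand-in for a real list of guessable passwords,
and the likelihood threshold is an assumption of this example."""
from collections import defaultdict


def trigram_frequencies(words):
    """Step 1: f(i,j,k), the number of occurrences of each trigram ijk."""
    f = defaultdict(int)
    for w in words:
        w = w.lower()
        for n in range(len(w) - 2):
            f[w[n:n + 3]] += 1
    return f


def transition_matrix(words):
    """Steps 2 and 3: f(i,j,inf) = number of trigrams beginning with ij, and
    T(i,j,k) = f(i,j,k) / f(i,j,inf).  Stored sparsely, keyed by the
    observed trigrams, instead of as a full m x m x m array."""
    f = trigram_frequencies(words)
    f_ij = defaultdict(int)
    for tri, count in f.items():
        f_ij[tri[:2]] += count
    return {tri: count / f_ij[tri[:2]] for tri, count in f.items()}


def password_likelihood(T, candidate):
    """Product of T(i,j,k) over the candidate's successive trigrams: how
    likely the model, started on the first bigram, is to generate it.  A
    trigram never seen in the dictionary makes the product 0."""
    p = 1.0
    for n in range(len(candidate) - 2):
        p *= T.get(candidate[n:n + 3].lower(), 0.0)
    return p


def is_dictionary_like(T, candidate, threshold=1e-3):
    """Proactive check: reject a candidate the model could plausibly have
    produced.  The threshold is an assumed tuning value."""
    return len(candidate) >= 3 and password_likelihood(T, candidate) > threshold


# Constructed dictionary; a real checker would train on a large word list.
DICTIONARY = ["banana", "bandana", "cabana", "canada", "band"]

if __name__ == "__main__":
    T = transition_matrix(DICTIONARY)
    for pw in ("banana", "bandana", "Ij4Gf4Se%f#"):
        print(pw, round(password_likelihood(T, pw), 4), is_dictionary_like(T, pw))
```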

Page 113:

Spafford (Bloom Filter)

$$H_i(X_j) = y, \qquad 1 \le i \le k;\; 1 \le j \le D;\; 0 \le y \le N-1$$

where

D = number of words in the password dictionary

X_j = jth word in the password dictionary

The following procedure is then applied to the dictionary:

1. A hash table of N bits is defined, with all bits initially set to 0.

2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.

Page 114:

Spafford (Bloom Filter)

Design the hash scheme to minimize false positives.

Probability of a false positive:

$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$

or, equivalently,

$$R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$

where

k = number of hash functions

N = number of bits in the hash table

D = number of words in the dictionary

R = N/D, ratio of hash table size (bits) to dictionary size (words)
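The Spafford filter of the two slides above in code, as an added example that is not part of the original slides: the N-bit table, the k hash values per word, the membership test, and the false-positive formula used to size the table for a target P. The dictionary is a constructed stand-in, and deriving the k hash functions H_i from slices of a SHA-256 digest is an assumption (the slides do not fix a hash family).

```python
"""Spafford-style Bloom filter over a password dictionary, with the slides'
false-positive estimate.  Added example, not from the slides; the dictionary
is a constructed stand-in, and deriving the k hash functions H_i from
SHA-256 is an assumption (the slides do not fix a hash family)."""
import hashlib
import math


class PasswordBloomFilter:
    def __init__(self, n_bits: int, k: int):
        assert 1 <= k <= 8, "this example slices at most 8 values out of one SHA-256"
        self.N, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)    # hash table of N bits, all 0

    def hashes(self, word: str):
        """H_i(word) for 1 <= i <= k, each a bit position 0 <= y <= N-1."""
        d = hashlib.sha256(word.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.N for i in range(self.k)]

    def add(self, word: str) -> None:
        """Step 2: set the k bits the word hashes to."""
        for y in self.hashes(word):
            self.bits[y >> 3] |= 1 << (y & 7)

    def may_contain(self, word: str) -> bool:
        """All k bits set: the word is in the dictionary or is a false positive.
        Any bit clear: the word is certainly not in the dictionary."""
        return all(self.bits[y >> 3] & (1 << (y & 7)) for y in self.hashes(word))


def false_positive_probability(k: int, N: int, D: int) -> float:
    """P ~ (1 - e^(-kD/N))^k = (1 - e^(-k/R))^k, with R = N/D."""
    return (1 - math.exp(-k * D / N)) ** k


def required_ratio(k: int, P: float) -> float:
    """R = -k / ln(1 - P^(1/k)): table bits per dictionary word needed to
    hold the false-positive rate at P with k hash functions."""
    return -k / math.log(1 - P ** (1 / k))


def build_filter(words, k: int, P: float) -> PasswordBloomFilter:
    """Size the table from the target P (step 1), then load the dictionary."""
    N = math.ceil(required_ratio(k, P) * len(words))
    bf = PasswordBloomFilter(N, k)
    for w in words:
        bf.add(w)
    return bf


# Constructed dictionary; a real checker would load a full word list.
DICTIONARY = ["password", "letmein", "qwerty", "banana", "canada"]

if __name__ == "__main__":
    bf = build_filter(DICTIONARY, k=6, P=0.01)
    print("table bits:", bf.N, "expected P:",
          round(false_positive_probability(6, bf.N, len(DICTIONARY)), 4))
    for pw in ("password", "Ij4Gf4Se%f#"):
        print(pw, "rejected" if bf.may_contain(pw) else "accepted")
```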

Page 115:

Performance of Bloom Filter

Page 116:

The Stages of a Network Intrusion

1. Scan the network to:

• locate which IP addresses are in use,

• what operating system is in use,

• what TCP or UDP ports are "open" (being listened to by servers).

2. Run "Exploit" scripts against open ports.

3. Get access to a shell program which is "suid" (has "root" privileges).

4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.

5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Page 117:

Intrusion Detection

The intruder can be identified and ejected from the system.

Effective intrusion detection can prevent intrusions.

Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Page 118:

Profiles of Behavior of Intruders and Authorized Users

Page 119:

Intrusion Detection

Statistical anomaly detection

– Threshold detection

– Profile based

Rule based detection

– Anomaly detection

– Penetration identification

Page 120:

Measures used for Intrusion Detection

Login frequency by day and time.

Frequency of login at different locations.

Time since last login.

Password failures at login.

Execution frequency.

Execution denials.

Read, write, create, delete frequency.

Failure count for read, write, create and delete.
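Threshold detection and profile-based detection from the previous slide, run over two of the measures listed above (password failures at login; login frequency by day and time), as an added example that is not part of the original slides. The log lines are constructed samples in a made-up format, and the per-user working-hours profile is an assumed baseline rather than one learned from real history.

```python
"""Threshold and profile-based anomaly detection over login records, using
two of the slides' measures: password failures at login, and login frequency
by day and time.  Added example, not from the slides; the log lines below
are constructed samples in a made-up format, and the per-user working-hours
profile is an assumed baseline rather than one learned from real history."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event, user=..., result=OK|FAIL.
SAMPLE_LOG = """\
2024-03-01T09:02:11 login user=alice result=OK
2024-03-01T09:05:40 login user=bob result=OK
2024-03-01T02:13:05 login user=alice result=FAIL
2024-03-01T02:13:09 login user=alice result=FAIL
2024-03-01T02:13:14 login user=alice result=FAIL
2024-03-01T02:13:20 login user=alice result=FAIL
2024-03-01T02:13:31 login user=alice result=OK
2024-03-01T17:45:00 login user=bob result=FAIL
"""

# Assumed profile: hours of the day at which each user normally logs in.
WORK_HOURS = {"alice": set(range(8, 19)), "bob": set(range(8, 19))}


def parse_log(text: str):
    """Return (timestamp, user, result) tuples in time order."""
    events = []
    for line in text.splitlines():
        ts, _event, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user.split("=", 1)[1],
                       result.split("=", 1)[1]))
    return sorted(events)


def threshold_alerts(events, max_failures=3, window=timedelta(minutes=5)):
    """Threshold detection: a user with more than max_failures password
    failures inside any sliding window of the given length is flagged."""
    recent = defaultdict(list)
    flagged = set()
    for ts, user, result in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.pop(0)
        if len(q) > max_failures:
            flagged.add(user)
    return flagged


def profile_alerts(events, profile):
    """Profile-based detection: a successful login at an hour outside the
    user's normal hours is reported as (user, timestamp)."""
    return [(user, ts.isoformat()) for ts, user, result in events
            if result == "OK" and user in profile and ts.hour not in profile[user]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("threshold alerts:", threshold_alerts(ev))
    print("profile alerts:  ", profile_alerts(ev, WORK_HOURS))
```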

Page 121:

Distributed Intrusion Detection

Developed at the University of California at Davis

Page 122:

Distributed Intrusion Detection

Page 123:

Viruses and "Malicious Programs"

Computer "Viruses" and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "Worm").

Other "Malicious Programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Page 124:

Taxonomy of Malicious Programs

Malicious Programs

– Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses

– Independent: Bacteria, Worms

Page 125:

Definitions

Virus - code that copies itself into other programs.

A "Bacteria" replicates until it fills all disk space, or CPU cycles.

Payload - harmful things the malicious program does, after it has had time to spread.

Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).

Page 126:

Definitions

Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).

Logic Bomb - malicious code that activates on an event (e.g., a date).

Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.

Page 127:

Definitions

Exploits – programs that exploit specific vulnerabilities.

Downloaders – install other programs on the system on which they reside. Usually distributed via e-mail.

Spammer – tools that send large volumes of e-mail messages.

Flooder – used in attacks against networked systems, producing denial-of-service attacks.

Zombie – a program which, when activated on a computer, launches attacks on other computers.

Page 128:

Virus Phases

Dormant phase - the virus is idle

Propagation phase - the virus places an identical copy of itself into other programs

Triggering phase – the virus is activated to perform the function for which it was intended

Execution phase – the function is performed

Page 129: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Virus Protection

Have a well-known virus protection program, configured to

scan disks and downloads automatically for known viruses.

Do not execute programs (or "macro's") from unknown

sources (e.g., PS files, Hypercard files, MS Office documents,

Avoid the most common operating systems and email

programs, if possible.

Page 130: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Virus Structure

1ε γξακκή: άικα ζην θπξην

πξόγξακκα ηνύ

2ε γξακκή: αλαδεηά ακόιπληα

εθηειέζηκα θαη ηα κνιύλεη

....

Ο ηόο πξαγκαηνπνηεί θάπνηα επδήκηα

ελέξγεηα (κπνξεί λα εθηειείηαη θαζε

θνξά πνπ ηξέρεη ην πξόγξακκα ή λα

είλαη κηα ινγηθή βόκβα)

Page 131: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

A Compression Virus

Page 132: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Types of Viruses

Parasitic Virus (παξαζηηηθόο) - attaches itself to executable files as part of their code. Runs whenever the host program runs.

Memory-resident Virus (ιός μόνιμα εγκαηεζηημένος ζηη μνήμη) -Lodges in main memory as part of the residual operating system.

Boot Sector Virus (ιός ηομέα εκκίνηζης) - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

Stealth Virus (αόξαηνο ηόο) - explicitly designed to hide from Virus Scanning programs.

Polymorphic Virus (πνιπκνξθηθόο ηόο)- mutates with every new host to prevent signature detection.

Metamorphic Virus (κεηακνξθηθόο ηόο) – mutates with every new host, rewrites itself and changes its behavior and appearance

Page 133: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Macro Viruses

Microsoft Office applications allow “macros” to

be part of the document. The macro could run

whenever the document is opened, or when a

certain command is selected (Save File).

Platform independent.

Infect documents, delete files, generate email and

edit letters.

Page 134:

Characteristics of e-mail viruses

– Sent to everyone in the user's contact list

– The virus causes local damage – activation even by simply opening the e-mail message – rapid propagation across the Internet

Worms

– Actively seeks out other systems in order to propagate – uses a "network vehicle":

» E-mail facility

» Remote execution capability (executes a copy of itself on another system)

» Remote login capability (logs in as a user on a remote system and uses commands to copy itself from one system to the other)

– The Morris worm: Robert Morris 1998, for UNIX systems; discovered other hosts that the infected host trusted

Page 135:

Worm Technology

Multiplatform: can attack WINDOWS, UNIX etc.

Multi-exploit: various ways of penetrating (using vulnerabilities in Internet servers, file sharing etc.)

Ultrafast spreading: a technique for accelerating propagation – scanning the Internet beforehand to collect addresses

Polymorphism – Metamorphism

Transport vehicles: ideal carriers for other distributed attack tools

Zero-day exploit: to achieve maximum surprise and spread, the worm exploits an unknown vulnerability

Page 136:

Virus Countermeasures

Detection: the infection is determined and the virus located

Identification: the specific virus that has infected the system is identified

Removal: once the virus has been identified, all traces of it are removed

Page 137: SNMP - eclass.uoa.gr · Protocol, and CMOT (CMIP over TCP) for the actual network management protocol for use on the internet Nov. 1987-SGMP - Simple Gateway Monitoring protocol (RFC

Antivirus Approaches

1st Generation, Scanners (simple scanners): searched files for any of a library of known virus “signatures.” Checked executable files for length changes.

2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. Integrity checking: a checksum is appended to the program.

3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).

4th Generation, Full Featured (full protection): combine the best of the techniques above.
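The scanner generations above (signature search, length checks, checksum and hash-based integrity checking) and the detection and identification steps of the countermeasures slide can be seen working together in the following added example. It is not code from the slides or from any antivirus product: the file contents, the signature names (Demo.Marker.A, Demo.Marker.B) and the byte patterns are constructed for the demonstration. It also shows, beyond what the slide states, why a cryptographic hash replaced the additive checksum: a compensating two-byte edit leaves the checksum unchanged while the SHA-256 digest changes.

```python
import hashlib

# Constructed signature database: hypothetical names and byte patterns,
# not real malware signatures.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-SIG-ALPHA",
    "Demo.Marker.B": b"\x90\x90\xeb\xfe",
}

def scan_signatures(data: bytes) -> list:
    """1st generation: report every known signature found in the file.
    A hit both detects the infection and identifies the virus by name."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)

def checksum8(data: bytes) -> int:
    """Additive checksum (sum of bytes mod 256), the kind early
    integrity checkers appended to a program."""
    return sum(data) % 256

def fingerprint(data: bytes) -> dict:
    """Baseline record for one file: length, additive checksum, SHA-256."""
    return {
        "length": len(data),
        "checksum8": checksum8(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def build_baseline(files: dict) -> dict:
    """Fingerprint known-clean files once; the baseline must be stored
    where the scanned system cannot rewrite it."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_integrity(baseline: dict, files: dict) -> dict:
    """Compare the current files with the baseline and scan for signatures.
    Returns {file name: [findings]} for every file with at least one finding."""
    findings = {}
    for name, data in files.items():
        notes = []
        ref = baseline.get(name)
        if ref is None:
            notes.append("not in baseline")
        else:
            cur = fingerprint(data)
            if cur["length"] != ref["length"]:
                notes.append("length changed")
            if cur["checksum8"] != ref["checksum8"]:
                notes.append("checksum changed")
            if cur["sha256"] != ref["sha256"]:
                notes.append("hash changed")
        notes += ["signature: " + s for s in scan_signatures(data)]
        if notes:
            findings[name] = notes
    for name in baseline:
        if name not in files:
            findings[name] = ["missing"]
    return findings

# Constructed in-memory stand-ins for executables (no real files needed).
CLEAN = {
    "app.exe": b"MZ" + bytes(range(64)) + b"hello, world",
    "util.exe": b"MZ" + b"\x00" * 32 + b"ok",
}

def tampered_files() -> dict:
    """Three changes a checker has to cope with:
    app.exe     - known pattern appended: length grows, every check fires.
    util.exe    - two bytes changed so the additive checksum is unchanged;
                  only the cryptographic hash notices.
    dropper.exe - a new file that was never baselined but carries a known pattern."""
    util = bytearray(CLEAN["util.exe"])
    util[2] = 0x10
    util[3] = (util[3] - 0x10) % 256  # compensating byte keeps sum mod 256 equal
    return {
        "app.exe": CLEAN["app.exe"] + SIGNATURES["Demo.Marker.A"],
        "util.exe": bytes(util),
        "dropper.exe": b"MZ" + SIGNATURES["Demo.Marker.B"],
    }

def demo() -> dict:
    return check_integrity(build_baseline(CLEAN), tampered_files())

if __name__ == "__main__":
    for name, notes in demo().items():
        print(f"{name}: {', '.join(notes)}")
```

Running it reports app.exe on all four checks, util.exe only on the hash (the checksum is fooled by the compensating edit), and dropper.exe as unbaselined with a signature hit; the signature name is the identification step of the countermeasures slide, and the hash mismatch is the detection step for a file no signature matches.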

Page 138

Advanced antivirus techniques

Page 139

Digital immune system

Page 140

Page 141

Advanced Antivirus Techniques

Page 142

Page 143

Page 144

Internal resource attack

Page 145

Page 146

Attack that consumes data transmission resources

Page 147

Page 148

Page 149

Scanning strategies used by zombie software to infect systems

Page 150

Advanced Antivirus Techniques

Generic Decryption (GD)

– CPU Emulator

– Virus Signature Scanner

– Emulation Control Module

For how long should a GD scanner run each interpretation?
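That question is what the emulation control module decides: the longer the emulator runs, the more of a self-decrypting body is exposed to the signature scanner, but the more CPU time every scanned file costs. The following added example (not code from the slides or from any product) builds the three GD components around a toy instruction set and a constructed self-decrypting image; the instruction set, the XOR key, the body text and the signature name Demo.Marker.A are assumptions of the example. Running the same image under a small and a large step budget shows it being missed and then caught.

```python
# Constructed signature database (hypothetical name and pattern, not a real one).
SIGNATURES = {"Demo.Marker.A": b"DEMO-SIG-ALPHA"}

# Toy instruction set for the sandboxed CPU emulator (an assumption of this
# example, not a real architecture). Registers r0..r3 hold 8-bit values.
MOV, XOR_MEM, INC, DEC, JNZ, HALT = 0x10, 0x21, 0x30, 0x31, 0x40, 0xFF

def scan_signatures(memory, signatures: dict) -> list:
    """Signature scanner: look for known patterns in the (emulated) memory image."""
    return sorted(name for name, pat in signatures.items() if pat in memory)

def build_image(plaintext: bytes, key: int) -> bytes:
    """Constructed sample: a tiny XOR decryptor loop followed by its encrypted
    body. Statically the body shows no signature; it appears only after the
    loop has run. Addresses fit in one byte, so len(plaintext) must stay below 238."""
    encrypted = bytes(b ^ key for b in plaintext)
    payload, loop = 18, 9          # byte offsets of the body and of the loop head
    code = bytes([
        MOV, 0, payload,           # r0 = pointer into the encrypted body
        MOV, 1, key,               # r1 = XOR key
        MOV, 2, len(plaintext),    # r2 = bytes left to decrypt
        XOR_MEM,                   # loop: mem[r0] ^= r1
        INC, 0,                    # r0 += 1
        DEC, 2,                    # r2 -= 1
        JNZ, 2, (loop - 17) & 0xFF,  # if r2 != 0 goto loop (signed 8-bit offset)
        HALT,                      # a real sample would jump into the body here
    ])
    assert len(code) == payload
    return code + encrypted

def generic_decryption_scan(image: bytes, signatures: dict, max_steps: int) -> dict:
    """CPU emulator + signature scanner + emulation control module.
    Executes the image in a private copy of memory, rescanning after every
    instruction, and stops on a hit, on HALT, or when the step budget runs out."""
    mem, regs, pc, steps, halted = bytearray(image), [0, 0, 0, 0], 0, 0, False
    while steps < max_steps and pc < len(mem):
        op = mem[pc]
        if op == MOV:
            regs[mem[pc + 1]] = mem[pc + 2]
            pc += 3
        elif op == XOR_MEM:
            mem[regs[0]] ^= regs[1]
            pc += 1
        elif op == INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF
            pc += 2
        elif op == DEC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFF
            pc += 2
        elif op == JNZ:
            reg, off = mem[pc + 1], mem[pc + 2]
            pc += 3
            if regs[reg] != 0:
                pc += off - 256 if off > 127 else off
        elif op == HALT:
            halted = True
            break
        else:
            break                  # unknown opcode: stop; a real GD scanner would flag this
        steps += 1
        hits = scan_signatures(mem, signatures)
        if hits:
            return {"detected": hits, "steps": steps, "halted": False}
    return {"detected": [], "steps": steps, "halted": halted}

PLAINTEXT = b"DEMO-SIG-ALPHA payload"   # constructed body, 22 bytes
KEY = 0x5A                              # constructed XOR key

def demo() -> dict:
    """Static scan finds nothing; a 30-step budget stops before the signature is
    decrypted; a 500-step budget catches it after 56 emulated instructions."""
    image = build_image(PLAINTEXT, KEY)
    return {
        "static": scan_signatures(image, SIGNATURES),
        "budget_30": generic_decryption_scan(image, SIGNATURES, 30),
        "budget_500": generic_decryption_scan(image, SIGNATURES, 500),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The static scan of the image returns nothing because the body is still encrypted. With a 30-instruction budget the emulator has decrypted only seven bytes when the control module stops it, so the file is missed; with 500 instructions the pattern is complete after the 56th instruction and the scanner reports it. If no signature ever matches, the emulator runs to HALT after 91 instructions, which is why the budget must be bounded: without it, a file that never halts would hold the scanner forever.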