Network management
SNMP
SNMP: Simple Network
Management Protocol
It is a de facto Internet standard (based on
RFCs).
The data that SNMP manages is
represented as a tree, the MIB
(Management Information Base).
The design criteria were:
– Simple.
– Lightweight.
– Low-bandwidth.
– Use of the TCP/IP protocols (layers 3 and 4).
SNMP
Simple Network Management Protocol
Doesn't SNMP solve all these problems ?
– Don't be silly!
SNMP
Where did it come from ?
– Internet Engineering Task Force
» Network Management Area
– SNMP V1
– MIB definitions
– SNMPV2
What is it ?
more than just a protocol …
It defines an architecture for extracting
information from the network regarding the
current operational state of the network,
using a vendor-independent family of
mechanisms
Structure of Management
Information (SMI)
identifies and defines structure of
management information
– RFC1155
defines
– commonly defined data item
– syntax of the data type
– semantics of the data object
Syntax uses ASN.1 (Abstract Syntax Notation)
– binary encoding: 02 01 06 is a 1-byte integer with value 6
Primitive Types: INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL
Constructor Types: SEQUENCE <type> ... i.e. a record
SEQUENCE OF <type> ... i.e. an array
Syntax
Defined Data Types: IpAddress what you expect (4 octets)
Counter non-negative integer that wraps around at its maximum
Gauge non-negative integer that latches at its maximum
TimeTicks time in hundredths of a second
SNMP NAMES
SNMP Name Structure
1 - iso
  3 - org
    6 - dod
      1 - internet
        1 - directory
        2 - mgmt
          1 - mib
            1 - system
              1 - sysDescr  2 - sysObjectID  ....
            2 - interfaces
              2 - ifTable
                1 - ifEntry
                  1 - ifIndex  2 - ifDescr  3 - ifType  ....  10 - ifInOctets
        3 - expt (experimental)
        4 - private
          1 - enterprise
            9 - cisco
SNMP
Management Information Base (MIB)
– "database" of network objects
– Groups:
» System, Interfaces, Address Translation, IP, ICMP,
TCP, UDP, EGP
– "Access" and "Status" attributes
– actual variables are "instances" of OIDs
1.3.6.1.2.1.1.1.0 sysDescr (a scalar: instance suffix .0)
1.3.6.1.2.1.2.2.1.10.3 ifInOctets for interface 3 (ifTable.ifEntry.ifInOctets, index 3)
1.3.6.1.2.1.4.21.1.7.130.56.0.0
ipRouteNextHop for network 130.56.0.0 (the index is the destination address itself)
SNMP
The SNMP protocol itself
– allows inspection and alteration of MIB
variables
UDP Based
– transactions are not acknowledged by the transport; the manager must time out and retry a request that gets no response
GET, GET-NEXT and SET operators (plus TRAP, sent by the agent)
SNMP
SNMP Traps
– unsolicited notification of events
– can include variable list
– ColdStart, WarmStart
– LinkUp, LinkDown
– Authentication Failure
– EGP Neighbour Loss
– Enterprise Specific
Network Management Software
SNMP Agents
– provided by all router vendors
– many expanded (enterprise) MIBs
– bridges, wiring concentrators, toasters
Network Management Software
Public Domain
– Application Programming Interfaces available
from CMU and MIT
– include variety of applications
Network Management Software
Commercially
– many offerings, UNIX and PC based
» HP OpenView
» SunNet Manager
» Cabletron Spectrum
» *MANY* others
Choosing a Management
Platform
Does it:
a) Support your systems ?
b) Run on your platforms ?
c) Meet your requirements ?
d) Match your resources ?
Choosing a Management
Platform
Maybe you can get away with something
quick and dirty using existing tools
Maybe a commercial management product
will meet your operational requirements
SNMP Tutorial
Tutorial Overview
Introduction
Management Information Base
(MIB)
Simple Network Management Protocol (SNMP)
SNMP Commands
Tools
- 'snmpwalk' (CLI)
- 'MIB Browser' (GUI)
Introduction
SNMP (Simple Network Management Protocol) is an application-layer protocol
that facilitates the exchange of management information between network
devices.
- Application-layer protocol for managing TCP/IP
based networks.
- Runs over UDP, which runs over IP, using port 161
(requests) and port 162 (traps).
- Three versions of SNMP exist: SNMPv1, SNMPv2 (SNMPv2c in
practice) and SNMPv3, which adds authentication and encryption.
Basic tasks that fall under this
category are
Configuration Management
– Keeping track of device settings
Fault Management
– Dealing with problems and emergencies in the
network, e.g. a failed server or router
Performance Management
Network Management Success
factors
The management interface must be
– Standardized
– Extendable
– Portable
The management mechanism must be
– Inexpensive
Major functions
Configuration Management - inventory, configuration, provisioning
Fault Management - reactive and proactive network fault management
Performance Management - # of packets dropped, timeouts, collisions, CRC errors
Security Management - SNMPv1/v2c provide little here (community strings only); SNMPv3 adds authentication and privacy
Accounting Management - cost management and chargeback assessment
Asset Management - statistics of equipment, facility, and administration personnel
Planning Management - analysis of trends to help justify a network upgrade or bandwidth increase
History
1983 - TCP/IP replaces NCP on the ARPANET, effective birth of the Internet
– First model for network management - HEMS - High-Level Entity Management System (RFCs 1021, 1022, 1024, 1076)
1987 - ISO OSI proposes CMIP - Common Management Information Protocol, and CMOT (CMIP over TCP) as the network management protocol for use on the Internet
Nov. 1987 - SGMP - Simple Gateway Monitoring Protocol (RFC 1028)
1988 - Marshall T. Rose heads up the SNMP working group to create a common network management framework to be used by both SGMP and CMOT, to allow for a transition to CMOT
Aug. 1988 - "Internet-standard Network Management Framework" defined (RFCs 1065, 1066, 1067)
Apr. 1989 - SNMP promoted to recommended status as the de facto TCP/IP network management framework (RFC 1098)
June 1989 - IAB committee decides to let SNMP and CMOT develop separately
May 1990 - IAB promotes SNMP to a standard protocol with recommended status (RFC 1157)
Mar. 1991 - format of MIBs and traps defined (RFCs 1212, 1215); the TCP/IP MIB definition is revised into MIB-II for SNMPv1 (RFC 1213)
SNMP & OSI model
7 Application Layer: management and agent APIs; SNMP
6 Presentation Layer: ASN.1 and BER
5 Session Layer: RPC and NetBIOS
4 Transport Layer: TCP and UDP (SNMP uses UDP)
3 Network Layer: IP and IPX
2 Data Link Layer: Ethernet, Token Ring, FDDI
1 Physical Layer
Port & UDP
• SNMP uses the User Datagram Protocol (UDP) as the transport
mechanism for SNMP messages
• UDP Port 161 - SNMP messages (the agent listens here for Get/GetNext/Set)
• UDP Port 162 - SNMP Trap messages (the manager listens here)
• Like FTP, SNMP uses two well-known ports to operate.
Encapsulation: Ethernet Frame [ IP Packet [ UDP Datagram [ SNMP Message ] ] ] CRC
SNMP Components
An SNMP-managed network consists of
three key components:
– managed devices,
– agents, and
– network-management systems (NMSs).
SNMP components
A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
An agent is a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
Basic Command
Managed devices are monitored and controlled using four basic SNMP commands: read, write, trap, and traversal operations.
– The read command is used by an NMS to monitor managed devices. The NMS examines different variables that are maintained by managed devices.
– The write command is used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
– The trap command is used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.
– Traversal operations are used by the NMS to determine which variables a managed device supports and to sequentially gather information in variable tables, such as a routing table.
Language of SNMP
•Structure of Management Information (SMI)
•Abstract Syntax Notation One (ASN.1)
•Basic Encoding Rules (BER)
specifies the format used for defining managed
objects that are accessed via the SNMP protocol
used to define the format of SNMP messages and
managed objects (MIB modules) using an unambiguous
data description format
used to encode the SNMP messages into a format
suitable for transmission across a network
Abstract Syntax Notation One
ASN.1 is nothing more than a language definition. It is
similar to C/C++ and other programming languages.
Syntax examples:
-- two dashes start a comment -- the C equivalent is written in the comment
MostSevereAlarm ::= INTEGER -- typedef int MostSevereAlarm;
circuitAlarms MostSevereAlarm ::= 3 -- MostSevereAlarm circuitAlarms = 3;
MostSevereAlarm ::= INTEGER (1..5) -- specify a valid range
ErrorCounts ::= SEQUENCE {
circuitID OCTET STRING,
erroredSeconds INTEGER,
unavailableSeconds INTEGER
} -- data structures are defined using the SEQUENCE keyword
Simple Data Types
• INTEGER -- signed 32-bit integer
• OCTET STRING
• OBJECT IDENTIFIER (OID)
• NULL -- not actually a data type, but a data value
• IpAddress -- OCTET STRING of size 4, in network byte order (big-endian)
• Counter -- unsigned 32-bit integer (rolls over)
• Gauge -- unsigned 32-bit integer (will top out and stay there)
• TimeTicks -- unsigned 32-bit integer in hundredths of a second (rolls over after about 497 days)
• Opaque -- used to create new data types not in SNMPv1
• DateAndTime, DisplayString, MacAddress, PhysAddress,
TimeInterval, TimeStamp, TruthValue, VariablePointer -- textual
conventions used as types
The first four items are ASN.1 universal types; IpAddress through
Opaque are application-wide types defined by RFC 1155.
SNMP overview: 4 key parts
Management information base (MIB):
– distributed information store of network
management data
Structure of Management Information (SMI):
– data definition language for MIB objects
SNMP protocol
– convey manager<->managed object info, commands
security, administration capabilities
– major addition in SNMPv3
MIB
Management Information Base (MIB) is a
collection of information that is organized
hierarchically. MIBs are accessed using a
network-management protocol such as
SNMP. They are comprised of managed
objects and are identified by object
identifiers.
Two types of managed objects exist: scalar
and tabular
– Scalar objects define a single object instance.
– Tabular objects define multiple related object
instances that are grouped in MIB tables.
Always defined and referenced within the context of a MIB
A typical MIB variable definition:
sysContact OBJECT-TYPE -- OBJECT-TYPE is a macro
SYNTAX DisplayString (SIZE (0..255))
ACCESS read-write -- or read-only, write-only, not-accessible
STATUS mandatory -- or optional, deprecated, obsolete
DESCRIPTION
"CEPN1331 Computer Network"
::= { system 4 }
MIB – Management Information Base
MIB Breakdown…
- Object descriptor (e.g. sysContact) followed by the OBJECT-TYPE macro.
- Object IDentifier (OID): the ::= { parent n } clause at the end.
- SYNTAX - defines what kind of info is stored in the
MIB object.
- ACCESS - read-only, read-write, write-only, not-accessible.
- STATUS - state of the object definition (mandatory, optional,
deprecated, obsolete).
- DESCRIPTION - the reason why the MIB object exists.
Standard MIB Object:
sysUpTime OBJECT-TYPE
SYNTAX TimeTicks
ACCESS read-only
STATUS mandatory
DESCRIPTION
"Time since the network management portion of the
system was last re-initialised."
::= { system 3 }
MIB – Management Information Base
Object IDentifier (OID)
- Example .1.3.6.1.2.1.1
- iso(1) org(3) dod(6) internet(1)
mgmt(2)
mib-2(1)
system(1)
Note: - .1.3.6.1 is present in practically every agent.
- mgmt and private are the most common subtrees.
- MIB-2 is the successor to the original MIB (MIB-I).
- STATUS 'mandatory': a group is implemented all or nothing.
iso(1)
  org(3)
    dod(6)
      internet(1)
        directory(1)
        mgmt(2)
          mib-2(1)
            system(1)
            interfaces(2)
            ip(4)
            tcp(6)
        experimental(3)
        private(4)
MIB – Management Information Base
system(1) group
- Contains objects that describe some basic information on an entity.
- An entity can be the agent itself or the network object that the agent is on.
mib-2(1)
  system(1)
  interfaces(2)
system(1) group objects
- sysDescr(1) Description of the entity.
- sysObjectID(2) Vendor defined OID string.
- sysUpTime(3) Time since net-mgt was last re-initialised.
- sysContact(4) Name of person responsible for the entity.
MIB – Management Information Base
MIB - tree view MIB - syntax view
MIB - tree view:
mib-2(1)
  system(1)
    sysDescr(1)
    sysObjectID(2)
    sysUpTime(3)
    sysContact(4)
MIB - syntax view:
sysUpTime OBJECT-TYPE
SYNTAX TimeTicks
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The time (in hundredths of a second) since the
network management portion of the system was last
re-initialized."
::= { system 3 }
MIB – Management Information Base
SNMP Instances
- Each MIB object can have an instance.
- A MIB for a router's (entity) interface
information...
iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) ifTable(2) ifEntry(1) ifType(3)
- Require one ifType value per interface (e.g. 3)
- One MIB object definition can represent multiple
instances through Tables, Entries, and Indexes.
MIB – Management Information Base
Tables, Entries, and Indexes.
- Imagine tables as spreadsheets: three interfaces require 3 rows (index numbers).
- Each column represents a MIB object, as defined by the
entry node.

Index    ifType(3)        ifMtu(4)    Etc...
#1       ifType.1 = 6     ifMtu.1
#2       ifType.2 = 9     ifMtu.2
#3       ifType.3 = 15    ifMtu.3

ENTRY + INDEX = INSTANCE
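The naming rule (object OID + instance suffix) worked through as an added example in Python; this is not code from the original notes. It embeds a small hand-picked subset of the RFC 1213 MIB-2 tree, a resolver that splits a dotted OID into object name and instance, the inverse helper, and a function that groups column instances back into table rows. The interface values are constructed sample data, not output from a real agent.

```python
# Added example, not from the original notes: OID naming, object vs. instance.
# MIB_TREE is a hand-picked subset of RFC 1213 MIB-2 (names and arcs are the
# real ones); SAMPLE_INSTANCES are constructed values for a three-interface router.

MIB_TREE = {
    (1,): "iso", (1, 3): "org", (1, 3, 6): "dod", (1, 3, 6, 1): "internet",
    (1, 3, 6, 1, 2): "mgmt", (1, 3, 6, 1, 2, 1): "mib-2",
    (1, 3, 6, 1, 2, 1, 1): "system",
    (1, 3, 6, 1, 2, 1, 1, 1): "sysDescr",
    (1, 3, 6, 1, 2, 1, 1, 2): "sysObjectID",
    (1, 3, 6, 1, 2, 1, 1, 3): "sysUpTime",
    (1, 3, 6, 1, 2, 1, 1, 4): "sysContact",
    (1, 3, 6, 1, 2, 1, 2): "interfaces",
    (1, 3, 6, 1, 2, 1, 2, 2): "ifTable",
    (1, 3, 6, 1, 2, 1, 2, 2, 1): "ifEntry",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1): "ifIndex",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2): "ifDescr",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 3): "ifType",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 4): "ifMtu",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 10): "ifInOctets",
    (1, 3, 6, 1, 2, 1, 4): "ip",
    (1, 3, 6, 1, 2, 1, 4, 21): "ipRouteTable",
    (1, 3, 6, 1, 2, 1, 4, 21, 1): "ipRouteEntry",
    (1, 3, 6, 1, 2, 1, 4, 21, 1, 7): "ipRouteNextHop",
}
NAME_TO_OID = {name: oid for oid, name in MIB_TREE.items()}

SAMPLE_INSTANCES = {  # constructed: ifIndex, ifType, ifMtu for interfaces 1..3
    "1.3.6.1.2.1.2.2.1.1.1": 1, "1.3.6.1.2.1.2.2.1.3.1": 6, "1.3.6.1.2.1.2.2.1.4.1": 1500,
    "1.3.6.1.2.1.2.2.1.1.2": 2, "1.3.6.1.2.1.2.2.1.3.2": 9, "1.3.6.1.2.1.2.2.1.4.2": 4464,
    "1.3.6.1.2.1.2.2.1.1.3": 3, "1.3.6.1.2.1.2.2.1.3.3": 15, "1.3.6.1.2.1.2.2.1.4.3": 4470,
}


def parse_oid(text):
    """'.1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0); a leading dot is optional."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


def resolve(text):
    """Split a dotted OID into (symbolic path, object name, instance suffix).

    The longest prefix known to the tree is the object definition; whatever
    follows is the instance: (0,) for a scalar, the index values for a table
    column (one integer for ifTable, four for the address-indexed ipRouteTable)."""
    oid = parse_oid(text)
    for cut in range(len(oid), 0, -1):
        if oid[:cut] in MIB_TREE:
            path = ".".join(MIB_TREE.get(oid[:i], str(oid[i - 1])) for i in range(1, cut + 1))
            return path, MIB_TREE[oid[:cut]], oid[cut:]
    raise KeyError("no known prefix for " + text)


def instance_oid(name, *index):
    """Inverse direction: object name plus index -> dotted instance OID (ifInOctets.3)."""
    return ".".join(str(arc) for arc in NAME_TO_OID[name] + index)


def table_rows(instances, entry_name):
    """ENTRY + INDEX = INSTANCE, read backwards: group the column instances
    under an entry node into rows keyed by their index tuple."""
    entry = NAME_TO_OID[entry_name]
    rows = {}
    for text, value in instances.items():
        if parse_oid(text)[:len(entry)] != entry:
            continue
        _, column, index = resolve(text)
        rows.setdefault(index, {})[column] = value
    return rows


if __name__ == "__main__":
    print(resolve("1.3.6.1.2.1.2.2.1.10.3"))
    print(resolve("1.3.6.1.2.1.4.21.1.7.130.56.0.0"))
    for index, row in sorted(table_rows(SAMPLE_INSTANCES, "ifEntry").items()):
        print(index, row)
```

The index tuple is the part of the OID after the column's own OID, which is why a four-octet IP address index shows up as four sub-identifiers.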
Simple Network Management Protocol
Retrieval protocol for MIB.
Can retrieve by
- CLI (snmpwalk),
- GUI (MIB Browser), or
- Larger applications (Sun Net Manager) called Network Management Software (NMS).
NMS collection of smaller applications to manage network with illustrations, graphs, etc.
NMS run on Network Management Stations (also NMS), which can run several different NMS software applications.
SMI: data definition language
Purpose: syntax, semantics of
management data well-defined,
unambiguous
base data types:
– straightforward, boring
OBJECT-TYPE
– data type, status, semantics
of managed object
MODULE-IDENTITY
– groups related objects into
MIB module
Basic Data Types
INTEGER
Integer32
Unsigned32
OCTET STRING
OBJECT IDENTIFIER
IpAddress
Counter32
Counter64
Gauge32
TimeTicks
Opaque
SNMP MIB
OBJECT-TYPE: objects are specified via the SMI OBJECT-TYPE construct
MODULE-IDENTITY: a MIB module is specified via the SMI MODULE-IDENTITY construct
(about 100 standardized MIBs, many more vendor-specific ones)
SMI: Object, module examples
OBJECT-TYPE example: ipInDelivers
ipInDelivers OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of input
datagrams successfully
delivered to IP user-
protocols (including ICMP)"
::= { ip 9 }
MODULE-IDENTITY example: ipMIB
ipMIB MODULE-IDENTITY
LAST-UPDATED "9411010000Z"
ORGANIZATION "IETF SNMPv2
Working Group"
CONTACT-INFO
" Keith McCloghrie
......"
DESCRIPTION
"The MIB module for managing IP
and ICMP implementations, but
excluding their management of
IP routes."
REVISION "9103310000Z"
.........
::= { mib-2 48 }
MIB example: UDP module
Object ID        Name             Type       Comments
1.3.6.1.2.1.7.1  udpInDatagrams   Counter32  total # datagrams delivered at this node
1.3.6.1.2.1.7.2  udpNoPorts       Counter32  # undeliverable datagrams: no application at the port
1.3.6.1.2.1.7.3  udpInErrors      Counter32  # undeliverable datagrams: all other reasons
1.3.6.1.2.1.7.4  udpOutDatagrams  Counter32  # datagrams sent
1.3.6.1.2.1.7.5  udpTable         SEQUENCE   one entry for each port in use by an application, gives port # and IP address
SNMP Naming
question: how to name every possible standard object (protocol,
data, more..) in every possible network standard??
answer: ISO Object Identifier tree:
– hierarchical naming of all objects
– each branchpoint has a name and a number
Example: 1.3.6.1.2.1.7.1 = iso(1) . identified-organization(3) . dod(6) . internet(1) . mgmt(2) . mib-2(1) . udp(7) . udpInDatagrams(1)
(ISO . ISO-identified org. . US DoD . Internet . management . MIB-2 . UDP . udpInDatagrams)
Check out www.alvestrand.no/harald/objectid/top.html for the full OSI Object Identifier tree.
SNMP protocol
Two ways to convey MIB info, commands:
– request/response mode: the managing entity sends a request to the
agent on the managed device, and the agent answers with a response
carrying the requested agent data
– trap mode: the agent on the managed device sends an unsolicited
trap message to the managing entity
SNMP protocol: message types
Message type                                  Function
GetRequest, GetNextRequest, GetBulkRequest    Mgr-to-agent: "get me data" (instance, next in list, block)
InformRequest                                 Mgr-to-Mgr: here's a MIB value
SetRequest                                    Mgr-to-agent: set MIB value
Response                                      Agent-to-mgr: value, response to request
Trap                                          Agent-to-mgr: inform manager of an exceptional event
SNMP protocol: message formats
SNMP security and administration
encryption: CBC-DES-encrypt the SNMP message (AES was added later, RFC 3826)
authentication: compute, send MIC(m,k):
compute a keyed hash (MIC, an HMAC) over the message (m) with a
secret shared key (k)
protection against replay: use a nonce (USM uses the agent's engine boots/time values)
view-based access control
– SNMP entity maintains a database of access
rights, policies for various users
– the database itself is accessible as a managed object!
SNMP Commands
SNMP has 5 different functions referred to
as Protocol Data Units (PDUs), which are:
(1) GetRequest, aka Get
(2) GetNextRequest, aka GetNext
(3) GetResponse, aka Response
(4) SetRequest, aka Set
(5) Trap
SNMP Commands [Get]
GetRequest [Get]
- Most common PDU.
- Used to ask an SNMP agent for the value of a particular
MIB object instance.
- NMS sends out 1 Get PDU for each instance,
which is a unique OID string.
- What happens if you don't know how many
instances of a MIB object exist?
SNMP Commands [GetNext]
GetNextRequest [GetNext]
- NMS application uses GetNext to 'walk' down a table within a MIB.
- Designed to ask for the OID and value of the MIB instance that comes lexicographically after the one asked for.
- Once the agent responds, the NMS application feeds the returned OID into another GetNext.
- This continues until the returned OID is no longer under the table's subtree, i.e. the walk has reached the end of the table.
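GetNext and the walk termination rule as an added example in Python; this is not code from the original notes. A constructed in-memory agent MIB holds ifIndex rows 1, 2 and 10 (to show that OIDs order numerically per sub-identifier, not as strings), next to the agent-side GetNext, a manager-side walk that stops as soon as the returned OID leaves the requested subtree, and the SNMPv2 GetBulk variant.

```python
# Added example, not from the original notes: agent-side GetNext and a
# manager-side walk over a constructed in-memory MIB. OIDs are tuples of
# sub-identifiers; SNMP's lexicographic OID order is Python's tuple order,
# so ifIndex.10 correctly sorts after ifIndex.2 (string sorting would not).

AGENT_MIB = {  # constructed sample data, not captured from a real device
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "Example router",   # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 123456,              # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 1): 1,             # ifIndex.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 2): 2,             # ifIndex.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 10): 10,           # ifIndex.10
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 3, 1): 6,             # ifType.1  (ethernetCsmacd)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 3, 2): 9,             # ifType.2  (iso88025TokenRing)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 3, 10): 15,           # ifType.10 (fddi)
    (1, 3, 6, 1, 2, 1, 4, 1, 0): 1,                   # ipForwarding.0
}
END_OF_MIB = None


def get_next(mib, oid):
    """Agent side of GetNextRequest: the first instance whose OID is strictly
    greater than the one requested, or (END_OF_MIB, None) when nothing follows.
    Asking for a column or table OID (not an instance) therefore returns the
    first instance underneath it, which is what starts a walk."""
    for candidate in sorted(mib):
        if candidate > oid:
            return candidate, mib[candidate]
    return END_OF_MIB, None


def walk(mib, subtree):
    """Manager side: repeat GetNext, feeding each returned OID back in, until
    the returned OID no longer has `subtree` as its prefix (end of table) or
    the agent reports end of MIB."""
    results = []
    oid = subtree
    while True:
        oid, value = get_next(mib, oid)
        if oid is END_OF_MIB or oid[:len(subtree)] != subtree:
            break
        results.append((oid, value))
    return results


def get_bulk(mib, oid, max_repetitions):
    """SNMPv2 GetBulkRequest for a single repeating varbind: up to
    max_repetitions successive instances in one exchange instead of one
    round trip per GetNext."""
    out = []
    for _ in range(max_repetitions):
        oid, value = get_next(mib, oid)
        if oid is END_OF_MIB:
            break
        out.append((oid, value))
    return out


if __name__ == "__main__":
    for oid, value in walk(AGENT_MIB, (1, 3, 6, 1, 2, 1, 2, 2, 1, 3)):  # ifType column
        print(".".join(map(str, oid)), "=", value)
```

Walking the ifType column returns .1, .2 and .10 in that order and then stops because the next instance the agent has (ipForwarding.0) is outside interfaces.ifTable.ifEntry.ifType; a manager that compared OIDs as strings would have put .10 before .2 and mis-ordered the table.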
SNMP Commands [GetResponse]
GetResponse [Response]
- Simply a response to a Get, GetNext or Set.
- SNMP agent responds to all requests or
commands via this PDU.
SNMP Commands [SetRequest]
SetRequest [Set]
- Issued by an NMS application to change a MIB instance to the value carried in the Set PDU.
- For example, you could issue a
- GetRequest against a KDEG server asking for sysLocation.0 and may get 'ORI' as the response.
- Then, if the server was moved, you could issue a Set against that KDEG server to change its location to 'INS'.
- You must have the correct permissions when using the Set PDU.
SNMP Commands [Trap]
Trap
- Asynchronous notification.
- SNMP agents can be programmed to send a
trap when a certain set of circumstances arise.
- Circumstances can be view as thresholds, i.e. a
trap may be sent when the temperature of the
core breaches a predefined level.
SNMP Security
SNMP Community Strings (like passwords, but sent in cleartext in every SNMPv1/v2c message)
- 3 kinds:
- READ-ONLY: You can send out a Get & GetNext
to the SNMP agent, and if the agent is using the
same read-only string it will process the request.
- READ-WRITE: Get, GetNext, and Set. If a MIB
object has an ACCESS value of read-write, then a
Set PDU can change the value of that object with the
correct read-write community string.
- TRAP: Allows administrators to cluster network
entities into communities. Fairly redundant.
SNMP Tools
Command Line Interface
– e.g. 'snmpwalk'
Graphical User Interface
– e.g. iReasoning's MIB Browser (available via www.ireasoning.com)
SNMP – MIB Browser (1)
Initial set-up... java -Xmx384m -jar “XYZ\lib\browser.jar” (where XYZ = your specific path)
Breakdown…
- LHS is the
SNMP MIB
structure.
- Lower LHS has
details of MIB
structure.
- RHS will
present MIB
values.
SNMP – MIB Browser (2)
Discovery…
- Subnet: 134.XXX.XXX.*
- Read Community: public
Start
Note IP Address.
Stop
SNMP – MIB Browser (3)
Navigation…
- MIB Tree
System
sysUpTime
-Notice Lower LHS
- Notice OID
SNMP – MIB Browser (4)
SNMP PDU’s…
(1) Get
- Select 'Go', then 'Get'
- RHS has values.
- OID – Value
SNMP – MIB Browser (5)
SNMP PDU’s…
(2) GetNext
-Selected OID is:
.1.3.6.1.2.1.1.5
-Returned value:
(.1.3.6.1.2.1.1.6)
or
"DSG, O'Reilly Institute,
F.35"
SNMP – MIB Browser (6)
SNMP…
(3) Get SubTree
-Position of MIB:
.1.3.6.1.2.1.1
(a.k.a. system)
-RHS values:
Returns all values
below system.
SNMP – MIB Browser (7)
SNMP…
(4) Walk
-MIB Location:
.1.3.6.1.2.1
(a.k.a. mib-2)
- Returns *ALL*
values under mib-2
SNMP – MIB Browser (8)
Tables…
- MIB Location:
.1.3.6.1.2.1.2.2
(or interfaces)
- Select ifTable,
Go, then Table
View.
- Refresh/Poll
SNMP – MIB Browser (9)
SNMP…
- Graph
- Select a value from the RHS, say sysUpTime
- Highlight and select 'Go', then 'Graph'.
- Interval = 1s set.
The presentation problem
Q: does a perfect memory-to-memory copy
solve "the communication problem"?
A: not always!
problem: different data format, storage conventions
struct {
  char code;
  int x;
} test;
test.x = 259;
test.code = 'a';
host 1 format (big-endian):    test.code = a, test.x = 00000001 00000011
host 2 format (little-endian): test.code = a, test.x = 00000011 00000001
A real-life presentation problem:
(figure: an aging 60s hippie, a 2004 teenager and a grandma, each speaking a different "format")
Presentation problem: potential solutions
1. Sender learns the receiver's format. Sender translates into the receiver's format. Sender sends.
real-world analogy? pros and cons?
2. Sender sends. Receiver learns the sender's format. Receiver translates into its local format.
real-world analogy? pros and cons?
3. Sender translates into a host-independent format. Sends. Receiver translates into its local format.
real-world analogy? pros and cons?
Solving the presentation problem
1. Translate local-host format to host-independent format
2. Transmit data in host-independent format
3. Translate host-independent format to remote-host format
ASN.1: Abstract Syntax Notation One
ITU-T standard X.680 (ISO/IEC 8824)
– used extensively in the Internet
– like eating vegetables, knowing this is "good for
you"!
defined data types, object constructors
– like SMI
BER: Basic Encoding Rules
– specify how ASN.1-defined data objects are to be
transmitted
– each transmitted object has a Type, Length, Value
(TLV) encoding
TLV Encoding
Idea: transmitted data is self-identifying
– T: data type, one of ASN.1-defined types
– L: length of data in bytes
– V: value of data, encoded according to ASN.1
standard
Tag  Type
1    Boolean
2    Integer
3    Bitstring
4    Octet string
5    Null
6    Object Identifier
9    Real
TLV encoding examples:
Type=4 (octet string), Length=5 bytes, Value: 5 octets (chars)
Type=2 (integer), Length=2 bytes, Value: 259 (encoded as 01 03)
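The TLV rule applied end to end, as an added example in Python that is not code from the original notes: a minimal BER encoder/decoder for the ASN.1 types SNMP uses (including multi-byte lengths and base-128 OID arcs), and with it the construction and parsing of a complete SNMPv1 GetRequest for sysDescr.0, i.e. the message layout the notes refer to under "SNMP protocol: message formats". Tag values and the message structure follow RFC 1157; the community string, request-id and OID list are constructed sample values.

```python
# Added example, not from the original notes: a minimal BER (TLV) codec for the
# ASN.1 types SNMP uses, and an SNMPv1 GetRequest built and parsed with it.
# Tag values and message layout follow RFC 1157; community, request-id and the
# OID list in the __main__ block are constructed sample values.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
# SNMP PDUs use context-specific constructed tags:
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3


def encode_length(n):
    """Short form (one byte) below 128; otherwise 0x80|count followed by a big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(n):
    """Two's-complement in the fewest octets: 6 -> 02 01 06, 259 -> 02 02 01 03."""
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, n.to_bytes(length, "big", signed=True))


def encode_oid(oid):
    """First two arcs packed as 40*a+b; every further arc as base-128 digits with
    the high bit set on all but the last digit (so 1.3.6.1... starts 2b 06 01)."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        digits = [arc & 0x7F]
        arc >>= 7
        while arc:
            digits.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(digits))
    return tlv(OID, bytes(out))


def decode_tlv(data, pos=0):
    """Return (tag, value_bytes, position just after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def build_get_request(community, oids, request_id, pdu_tag=GET_REQUEST):
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    PDU [0] { request-id, error-status, error-index, SEQUENCE OF { oid, NULL } } }"""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = encode_integer(request_id) + encode_integer(0) + encode_integer(0) + tlv(SEQUENCE, varbinds)
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_tag, pdu))


def parse_message(data):
    """Inverse of build_get_request: (version, community, pdu_tag, request_id, [oids])."""
    tag, body, _ = decode_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = decode_tlv(body)
    _, community, pos = decode_tlv(body, pos)
    pdu_tag, pdu, _ = decode_tlv(body, pos)
    _, request_id, pos = decode_tlv(pdu)
    _, _, pos = decode_tlv(pdu, pos)       # error-status
    _, _, pos = decode_tlv(pdu, pos)       # error-index
    _, varbind_list, _ = decode_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = decode_tlv(varbind_list, pos)
        _, oid_bytes, _ = decode_tlv(varbind)
        oids.append(decode_oid(oid_bytes))
    return (int.from_bytes(version, "big", signed=True), community.decode(),
            pdu_tag, int.from_bytes(request_id, "big", signed=True), oids)


if __name__ == "__main__":
    msg = build_get_request("public", [(1, 3, 6, 1, 2, 1, 1, 1, 0)], 1234)
    print(msg.hex(" "))       # the community string is visible in cleartext
    print(parse_message(msg))
```

Dumping the bytes shows the nesting directly: outer SEQUENCE, version INTEGER 0, community OCTET STRING, the 0xA0 PDU tag, then the varbind list. The community string sits in the clear in every v1/v2c datagram, which is the operational reason for SNMPv3's USM or for confining SNMP to a management network.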
Network Management: summary
network management
– extremely important: 80% of network “cost”
– ASN.1 for data description
– SNMP protocol as a tool for conveying information
Network management: more art than science
– what to measure/monitor
– how to respond to failures?
– alarm correlation/filtering?
Network Management and
Security
Outline
Basic Concepts of SNMP
SNMPv1 Community Facility
SNMPv3
Basic Concepts of SNMP
An integrated collection of tools for network monitoring and control.
– Single operator interface
– Minimal amount of separate equipment. Software and network communications capability built into the existing equipment
SNMP key elements:
– Management station
– Management agent
– Management information base
– Network Management protocol
» Get, Set and Notify
Protocol context of SNMP
Proxy Configuration
SNMP v1 and v2
Trap – an unsolicited message (reporting an alarm condition)
SNMPv1 is ”connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol.
SNMPv2 allows the use of TCP for ”reliable, connection-oriented” service.
Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU      SNMPv2 PDU      Direction                                         Description
GetRequest      GetRequest      Manager to agent                                  Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                                  Request next value for each listed object
------          GetBulkRequest  Manager to agent                                  Request multiple values
SetRequest      SetRequest      Manager to agent                                  Set value for each listed object
------          InformRequest   Manager to manager                                Transmit unsolicited information
GetResponse     Response        Agent to manager, or manager to manager (SNMPv2)  Respond to manager request
Trap            SNMPv2-Trap     Agent to manager                                  Transmit unsolicited information
SNMPv1 Community Facility
SNMP Community – Relationship between
an SNMP agent and SNMP managers.
Three aspects of agent control:
– Authentication service
» Access to MIB is restricted to authorised managers
– Access policy
» Different access rights to different managers
– Proxy service
» The agent as a broker for other agents
Access policy
By defining a community, the agent
restricts access to the MIB.
Access control:
– SNMP MIB view: a subset of the objects within a MIB.
Different views can be defined. The set of objects in a view
need not belong to a single subtree of the MIB.
– SNMP access mode: an element of the set
{READ-ONLY, READ-WRITE}. One access mode is defined
for each community.
SNMP community profile: a MIB view combined with an access
mode.
SNMPv1 Administrative
Concepts
SNMPv3
SNMPv3 defines a security capability to be
used in conjunction with SNMPv1 or v2
User security model USM
Traditional SNMP Manager
Traditional SNMP Agent
SNMPv3 Flow
SNMPv3 Message Format with
USM
User Security Model (USM)
Designed to secure against:
– Modification of information
– Masquerade
– Message stream modification
– Disclosure
Not intended to secure against:
– Denial of Service (DoS attack)
– Traffic analysis
Key Localization Process
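The key localization step worked through as an added example in Python; this is not code from the original notes. It implements the RFC 3414 USM password-to-key and key-localization functions and the HMAC-96 authentication parameter. The password "maplesyrup" and the 12-byte engine ID are the test vectors from the appendix of RFC 3414, so the results can be checked against the RFC; the message bytes are made up.

```python
import hashlib
import hmac

# Added example, not from the original notes: RFC 3414 USM password-to-key,
# key localization and the HMAC-96 authentication parameter.
# "maplesyrup" and the engine ID 00..02 are the RFC 3414 appendix test
# vectors; SAMPLE_MESSAGE is a constructed stand-in for a serialized SNMPv3
# message whose msgAuthenticationParameters field has been zeroed.

ONE_MEGABYTE = 1_048_576
SAMPLE_MESSAGE = b"constructed SNMPv3 message with zeroed auth field"


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated and truncated to exactly 1,048,576 bytes.
    The million-byte stretch is the only work factor against offline guessing."""
    repeats = ONE_MEGABYTE // len(password) + 1
    stream = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). One user password yields a different key
    for every agent, so a key recovered from one agent does not open the others."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, message_with_zeroed_field: bytes, algo: str = "md5") -> bytes:
    """HMAC-96: HMAC over the whole message (auth field zeroed), truncated to 12 bytes."""
    return hmac.new(kul, message_with_zeroed_field, algo).digest()[:12]


def authenticate(kul: bytes, message_with_zeroed_field: bytes, received: bytes, algo: str = "md5") -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, message_with_zeroed_field, algo), received)


if __name__ == "__main__":
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 test vector
    engine_b = bytes.fromhex("000000000000000000000003")   # a second, constructed agent
    ku = password_to_key(b"maplesyrup")
    print("Ku            ", ku.hex())
    print("Kul (engine A)", localize_key(ku, engine_a).hex())
    print("Kul (engine B)", localize_key(ku, engine_b).hex())
    tag = auth_params(localize_key(ku, engine_a), SAMPLE_MESSAGE)
    print("auth ok:", authenticate(localize_key(ku, engine_a), SAMPLE_MESSAGE, tag))
```

The two localized keys differ although the password is the same, which is the point of the localization step; the authentication tag, in turn, only verifies against the exact bytes it was computed over, so any modification of the message stream fails the check.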
View-Based Access Control
Model (VACM)
VACM has two characteristics:
– Determines whether access to a managed object
should be allowed.
– Make use of an MIB that:
» Defines the access control policy for this agent.
» Makes it possible for remote configuration to be
used.
Access control decision
Network security
Intruders and Viruses
Outline
Intruders
– Intrusion Techniques
– Password Protection
– Password Selection Strategies
– Intrusion Detection
Viruses and Related Threats
– Malicious Programs
– The Nature of Viruses
– Antivirus Approaches
– Advanced Antivirus Techniques
Intruders
Three classes of intruders (hackers or
crackers):
– Masquerader
– Misfeasor
– Clandestine user
Intrusion Techniques
Systems maintain a file that associates a
password with each authorized user.
The password file can be protected with:
– One-way encryption: only a one-way transformed (hashed) form
of the user's password is stored
– Access control: read access to the password file is
restricted
Intrusion Techniques
Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000).
• Collect information about the user's hobbies, family names, birthday, etc.
• Try the user's phone number, social security number, street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse.
• Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
UNIX Password Scheme
Loading a new password
UNIX Password Scheme
Verifying a password file
Storing UNIX Passwords
UNIX passwords were kept in a publicly
readable file, /etc/passwd.
Now they are kept in a "shadow" file, /etc/shadow,
readable only by "root".
”Salt”
The salt serves three purposes:
– Prevents duplicate passwords from being visible in the password file
(identical passwords get different hashes).
– Effectively increases the length of the password.
– Prevents the use of hardware implementations of DES
(a separate precomputed table would be needed per salt value).
Password Selecting Strategies
User education
Computer-generated passwords
Reactive password checking (the system periodically runs
its own password cracker and cancels the passwords it
breaks)
Proactive password checking (the password is checked
at the moment the user chooses it)
Markov Model: a technique for a
proactive checker
A model for
generating
predictable
passwords:
m: the number of
states in the model
A: the state space
T: the transition
probability matrix
k: the order of the
model
Transition Matrix
1. Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.
2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij.
3. Compute the entries of T as follows:
$$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\cdot)}$$
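The three steps above as an added example in Python; this is not code from the original notes. It builds f and T from a constructed training list standing in for a dictionary of known-bad passwords, then scores a candidate by the log-likelihood of its trigrams so a proactive checker can reject passwords the model finds too predictable. The training list and the rejection threshold are made-up values for illustration.

```python
import math
from collections import defaultdict

# Added example, not from the original notes: the trigram (second-order)
# Markov model of a proactive password checker. TRAINING is a constructed list
# standing in for a dictionary of known-bad passwords; the threshold passed to
# is_predictable() is an arbitrary illustrative value.

TRAINING = ["password", "passwords", "passw0rd", "pass1234", "letmein", "dragon"]


def frequency_matrix(words):
    """Step 1: f(i,j,k) = number of occurrences of the trigram i j k."""
    f = defaultdict(int)
    for w in words:
        for pos in range(len(w) - 2):
            f[w[pos:pos + 3]] += 1
    return f


def transition_matrix(f):
    """Steps 2 and 3: f(i,j,.) = total trigrams beginning with bigram i j,
    T(i,j,k) = f(i,j,k) / f(i,j,.). Only observed trigrams are stored; an
    unseen trigram has T = 0."""
    bigram_total = defaultdict(int)
    for trigram, count in f.items():
        bigram_total[trigram[:2]] += count
    return {trigram: count / bigram_total[trigram[:2]] for trigram, count in f.items()}


def log_likelihood(T, candidate):
    """Sum of log T over the candidate's trigrams. 0.0 means every character was
    the only thing the model ever saw follow the preceding bigram; -inf means
    some trigram never occurred in the training data at all."""
    total = 0.0
    for pos in range(len(candidate) - 2):
        p = T.get(candidate[pos:pos + 3], 0.0)
        if p == 0.0:
            return float("-inf")
        total += math.log(p)
    return total


def is_predictable(T, candidate, threshold):
    """Proactive check: True (reject) when the model finds the password too likely."""
    return log_likelihood(T, candidate) > threshold


if __name__ == "__main__":
    T = transition_matrix(frequency_matrix(TRAINING))
    for pw in ("password", "pass", "Ij4Gf4Se%f#"):
        verdict = "reject" if is_predictable(T, pw, -2.0) else "accept"
        print(pw, round(log_likelihood(T, pw), 3), verdict)
```

With this training list "pass" scores 0.0 (after "pa" the model has only ever seen "s", and after "as" only "s"), "password" scores ln(0.5), and the mixed-case string from the notes scores minus infinity because none of its trigrams was ever observed.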
Spafford (Bloom Filter)
$$H_i(X_j) = y, \qquad 1 \le i \le k,\; 1 \le j \le D,\; 0 \le y \le N-1$$
where
D = number of words in the password dictionary
X_j = jth word in the password dictionary
The following procedure is then applied to the dictionary:
1. A hash table of N bits is definied, with all bits initially set to 0.
2. For each password, its k hash values are calculated, and the responding bits in the hash table are set to 1
Spafford (Bloom Filter)
Design the hash scheme to minimize false
positive.
Probability of a false positive:
$$P = \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$
or equivalently
$$R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$
where
k = number of hash functions
N = number of bits in the hash table
D = number of words in the dictionary
R = N/D, ratio of hash table size (bits) to dictionary size (words)
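Spafford's dictionary filter as an added example in Python; this is not code from the original notes. It builds a Bloom filter from a constructed toy dictionary following the two steps above and implements the false-positive formulas so the table size can be dimensioned for a target P. The k hash functions H_i are derived from SHA-256 with the function index prepended; that construction is an assumption of this example, not Spafford's original hash family.

```python
import hashlib
import math

# Added example, not from the original notes: Spafford-style Bloom filter over
# a password dictionary, plus the false-positive formulas from the notes.
# DICTIONARY is a constructed toy list. The k hash functions H_i are derived
# from SHA-256 with the index i prepended; that construction is an assumption
# of this example, not Spafford's original hash family.

DICTIONARY = ["password", "letmein", "qwerty", "dragon", "monkey"]


class PasswordBloomFilter:
    def __init__(self, dictionary, n_bits, k):
        self.n_bits, self.k = n_bits, k
        self.bits = bytearray(n_bits)          # step 1: N bits, all 0 (one byte per bit for clarity)
        for word in dictionary:                # step 2: set the k bits of every word
            for pos in self._bit_positions(word):
                self.bits[pos] = 1

    def _bit_positions(self, word):
        """H_i(word) for i = 0..k-1, each in the range 0..N-1."""
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + word.encode()).digest()
            yield int.from_bytes(digest, "big") % self.n_bits

    def probably_in_dictionary(self, candidate):
        """True when all k bits are set: the candidate is a dictionary word or a
        false positive (harmless here, the user simply picks another password).
        False is definite: the candidate is not in the dictionary."""
        return all(self.bits[pos] for pos in self._bit_positions(candidate))


def false_positive_rate(k, n_bits, d_words):
    """P = (1 - e^(-kD/N))^k for k hash functions, N bits, D words."""
    return (1 - math.exp(-k * d_words / n_bits)) ** k


def bits_per_word_for(p_target, k):
    """R = N/D = -k / ln(1 - P^(1/k)): table bits per dictionary word for a target P."""
    return -k / math.log(1 - p_target ** (1 / k))


if __name__ == "__main__":
    bf = PasswordBloomFilter(DICTIONARY, n_bits=1024, k=4)
    for candidate in ("dragon", "Ij4Gf4Se%f#"):
        print(candidate, "rejected" if bf.probably_in_dictionary(candidate) else "accepted")
    print("bits per word for P = 1%, k = 6:", round(bits_per_word_for(0.01, 6), 2))
```

The filter never misses a dictionary word, and the formula says what the occasional false rejection costs: for k = 6 and a 1% false-positive target, roughly 9.6 bits per dictionary word, far smaller than storing the words themselves.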
Performance of Bloom Filter
The Stages of a Network Intrusion
1. Scan the network to:
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are "open" (being listened to by servers).
2. Run "exploit" scripts against open ports.
3. Get access to a shell program which is "suid" (has "root"
privileges).
4. Download from a hacker web site special versions of
system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
Intrusion Detection
The intruder can be identified and ejected from the
system.
An effective intrusion detection can prevent
intrusions.
Intrusion detection enables the collection of
information about intrusion techniques that can be
used to strengthen the intrusion prevention
facility.
Profiles of Behavior of Intruders and
Authorized Users
Intrusion Detection
Statistical anomaly detection
– Threshold detection
– Profile based
Rule based detection
– Anomaly detection
– Penetration identification
Measures used for Intrusion Detection
Login frequency by day and time.
Frequency of login at different locations.
Time since last login.
Password failures at login.
Execution frequency.
Execution denials.
Read, write, create, delete frequency.
Failure count for read, write, create and delete.
Distributed Intrusion Detection
Developed at University of California at Davis
Distributed Intrusion Detection
Viruses and ”Malicious Programs”
Computer “Viruses” and related programs have the ability to
replicate themselves on an ever increasing number of
computers. They originally spread by people sharing floppy
disks. Now they spread primarily over the Internet (a “Worm”).
Other “Malicious Programs” may be installed by hand on a
single machine. They may also be built into widely distributed
commercial software packages. These are very hard to detect
before the payload activates (Trojan Horses, Trap Doors, and
Logic Bombs).
Taxonomy of Malicious Programs
Malicious Programs
  Need a host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  Independent: Bacteria, Worms
Definitions
Virus - code that copies itself into other programs.
A "Bacteria" replicates until it fills all disk space, or CPU cycles.
Payload - harmful things the malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network (usually riding on e-mail messages or attached documents, e.g. macro viruses).
Definitions
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (e.g., date).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
Definitions
Exploits – programs that exploit specific vulnerabilities.
Downloaders – install other programs on the system they reside on. Usually distributed by e-mail.
Spammer – tools that send large volumes of e-mail messages.
Flooder – used in attacks against networked systems to cause denial of service.
Zombie – a program which, once activated on a computer, launches attacks on other computers.
Virus Phases
Dormant phase - the virus is idle.
Propagation phase - the virus places an identical copy of itself into other programs.
Triggering phase – the virus is activated to perform the function for which it was intended.
Execution phase – the function is performed.
Virus Protection
Have a well-known virus protection program, configured to
scan disks and downloads automatically for known viruses.
Do not execute programs (or "macros") from unknown
sources (e.g., PS files, Hypercard files, MS Office documents).
Avoid the most common operating systems and email
programs, if possible.
Virus Structure
Line 1: jump to the main body of the virus.
Line 2: look for uninfected executables and infect them.
....
The virus performs some harmful action (it may run every time the program is executed, or it may be a logic bomb).
A Compression Virus
Types of Viruses
Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus - lodges in main memory as part of the resident operating system.
Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (the original DOS viruses).
Stealth Virus - explicitly designed to hide from virus scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.
Metamorphic Virus – mutates with every new host; rewrites itself and changes its behavior and appearance.
Macro Viruses
Microsoft Office applications allow “macros” to
be part of the document. The macro could run
whenever the document is opened, or when a
certain command is selected (Save File).
Platform independent.
Infect documents, delete files, generate email and
edit letters.
Characteristics of e-mail viruses
– Sent to everyone in the user's contact list
– The virus causes local damage – it can be activated simply by opening the e-mail message – and has the potential to spread rapidly over the Internet
Worms
– Actively search for other systems in order to spread – they use a "network vehicle":
» E-mail service
» Remote execution capability (executes a copy of itself on another system)
» Remote login capability (logs in as a user to a remote system and uses commands to copy itself from one system to the other)
– The Morris worm: Robert Morris 1998, for UNIX systems; discovered other computers that the infected computer trusted
Worm Technology
Multiplatform: can attack WINDOWS, UNIX, etc.
Multi-exploit: various ways of penetrating (using vulnerabilities in Internet servers, file sharing, etc.)
Ultrafast spreading: a technique to accelerate spreading – scanning the Internet beforehand to collect addresses
Polymorphism – Metamorphism
Transport vehicles: worms are ideal carriers for other distributed attack tools
Zero-day exploit: to achieve the maximum degree of surprise and spread, the worm exploits a previously unknown vulnerability
Virus Countermeasures
Detection: determine that an infection has occurred and locate the virus
Identification: identify the specific virus that has infected the system
Removal: once the virus is identified, remove all traces of it
Antivirus Approaches
1st Generation, Scanners (simple scanners): searched files for any of a library of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. Integrity checking: a checksum is computed for each program and appended to it, so later modification can be detected.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured (full protection): combine the best of the techniques above.
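As an added example (not from the lecture), a toy Python checker that combines the first-generation approach (a library of known signatures plus the executable-length check) with second-generation integrity checking (a size and SHA-256 baseline); the signature byte strings, file names and file contents are constructed stand-ins, not real virus signatures:

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature library: stand-ins for known virus signatures.
SIGNATURES = {"demo-sig-a": b"JMP_TO_VIRUS_BODY", "demo-sig-b": b"INFECT_NEXT_EXE"}

def scan_signatures(data: bytes) -> list[str]:
    """1st generation: match file bytes against the known-signature library."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def fingerprint(path: Path) -> tuple[int, str]:
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()  # size + SHA-256 per file

def build_baseline(root: Path) -> dict[str, tuple[int, str]]:
    """Fingerprint every file under root, taken while the system is clean."""
    return {p.name: fingerprint(p) for p in sorted(root.iterdir()) if p.is_file()}

def check(root: Path, baseline: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """2nd generation: compare against the baseline, then signature-scan each file."""
    findings: dict[str, list[str]] = {
        "length_changed": [], "content_changed": [], "new_file": [], "signature": []}
    for name, (size, digest) in build_baseline(root).items():
        if name not in baseline:
            findings["new_file"].append(name)
        elif size != baseline[name][0]:  # the length check of a 1st-gen scanner
            findings["length_changed"].append(name)
        elif digest != baseline[name][1]:  # same length, different bytes
            findings["content_changed"].append(name)
        for hit in scan_signatures((root / name).read_bytes()):
            findings["signature"].append(f"{name}:{hit}")
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three clean files, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("editor.exe", "shell.exe", "notes.txt"):
            (root / name).write_bytes(b"clean program bytes " + name.encode())
        baseline = build_baseline(root)
        # Parasitic-style append: the file grows and now carries a signature.
        with (root / "editor.exe").open("ab") as f:
            f.write(b"JMP_TO_VIRUS_BODY")
        # Same-length byte flip: defeats the length check, not the hash check.
        data = bytearray((root / "shell.exe").read_bytes())
        data[0] ^= 0xFF
        (root / "shell.exe").write_bytes(bytes(data))
        (root / "dropped.bin").write_bytes(b"INFECT_NEXT_EXE")  # new file
        return check(root, baseline)
```

Running `demo()` shows why the lecture's second generation keeps a hash and not only a length: the byte flip in shell.exe is invisible to the length check but caught by the digest comparison.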
Advanced antivirus techniques
Digital immune system
Advanced Antivirus Techniques
Internal resource attack
Attack that consumes data-transmission resources
Scanning strategies used by zombie software to infect systems
Advanced Antivirus Techniques
Generic Decryption (GD)
– CPU Emulator
– Virus Signature Scanner
– Emulation Control Module
For how long should a GD scanner run each
interpretation?