Transcript Network Management

Network Management and SNMP
 What is Network Management?
 ISO Network Management Model
(FCAPS)
 Network Management Architecture
 SNMPv1 and SNMPv2
 SNMPv3 – what’s new?
1
Network Management
 Any complex system with many interacting
components must be monitored, managed and
controlled
 In the early 1980 networks expansion prompted
the need for automated network management
2
Network management scenarios
 Detecting failure of an interface card in a
device
 Host monitoring
 Traffic monitoring to optimize resource
deployment
 Detecting rapid changes in routing tables
 Intrusion detection
3
ISO Network Management Model
FCAPS:
 Fault management
 Configuration management
 Accounting management
 Performance management
 Security Management
4
ISO Network Management Model
 Fault management – log, detect and respond to




fault conditions in the network
Configuration management – track devices and
their h/w and s/w configs
Accounting management - specify, log and
control user access to network resources
Performance management – quantify, measure,
report, analyze and control performance of
network components
Security Management – control access to
network resources according to some welldefined policy
5
Network Management Architecture
6
Simple Network Management Protocol
 Protocol for network management, part of TCP/IP
suite
 Current version SNMPv3
 Includes communication protocol, set of data
definitions and database schema
 Basic components:
Managers/NMS
Managed devices
SNMP Agents
MIB
7
SNMPv3
 Was implemented as a full standard
in 2004
 Only changes relate to security and
remote configuration
 SNMPv3 provides for encryption,
authentication and message integrity
8
Network Management Architecture
9
MIB (Management Information Base)
 MIB – virtual information store for a collection of
managed objects
 Describes structure of management data on
managed device
 Each variable that describes some part of device
configuration is identified by a unique OID (object
ID)
 Vendors define MIB variables for their own use
 MIB II – standard MIB implemented by all
managed objects
10
SMI (Structure of management
information)
 SMI is the language used to define the
management information residing in a managed
object – logically
 SMI states that each managed object should
have a name, syntax and encoding
 SMI is a subset of ASN.1 - a standard for
describing data that is independent of machinespecific encoding.
11
Object naming by OID
12
MIB-II subtree
13
SNMP Transport
14
SNMP Transport
15
SNMP Operations
 get
 getnext
 getbulk (SNMPv2 and SNMPv3)
 set
 getresponse
 trap
 notification (SNMPv2 and SNMPv3)
 inform (SNMPv2 and SNMPv3)
 report (SNMPv2 and SNMPv3)
16
SNMP Operations
 Get and getresponse
17
SNMP Operations
 Getnext – retreive a group of values
18
SNMP Operations
 Getbulk – retreive a section of a table
19
SNMP Operations
 Set – change value or create a new row in the
table
20
SNMP Operations
 Trap – asynchronous operation
21
Primary Goals of SNMPv3
 Check message integrity -
To verify that each received
message has not been modified during its transmission .
 User authentication -
To verify the identity of the user on whose
behalf a received message claims to have been generated.
 Message timestamp –
to detect outdated messages
 Message confidentiality -
To assure that the contents of each
received message are protected/encrypted.
22
Primary Goals of SNMPv3
23
SNMPv3 security framework

Two core modules within the framework are the User-based Security Model
(USM) and the View-based Access Control Model (VACM).

The USM is in charge of authenticating/encrypting/decrypting SNMP packets

The VACM is in charge of administering access to MIB data.
24
SNMPv3 security framework
 Authentication -Each SNMP entity is identified by
SNMPEngineID, and SNMP communication is possible only if an
SNMP entity knows the identity of its peer. Traps and
Notifications are exceptions to this rule.
Protection against:

Modification of Information (Data Integrity)
Ensure that the data is not maliciously altered during transit by an unauthorized
entity.
 Masquerading (Data Origin Authentication)
Ensure that it is known exactly who and where the data came from to prevent an
unauthorized entity from assuming the identity of an authorized user.
 Disclosure (Data Confidentiality)
Ensure that an unauthorized entity cannot eavesdrop on the data exchanges.
 Message Stream Modification (Message Timeliness)
Ensure that the data was received in a timely manner to prevent malicious reordering of data by an unauthorized entity.
25
SNMPv3 User-based Secuirity
Model
 USM communication mechanisms
available:
Communication without authentication and
privacy (NoAuthNoPriv).
 Communication with authentication and
without privacy (AuthNoPriv).
 Communication with authentication and
privacy (AuthPriv).


Different authentication and privacy protocols supported - Currently, the
MD5 and SHA authentication protocols and the CBC_DES and
CFB_AES_128 privacy protocols are supported in the USM.
26
SNMPv3 VCAM

The Access Control Subsystem of an SNMP entity has the responsibility
for checking whether a specific type of access to a specific managed
object is allowed.

Access control occurs in the agent when processing SNMP retrieval or
modification request messages from a manager, and also when a
notification message must be sent to the manager.

Elaborates on the concept of community strings in the previous versions of
SNMP
27