Network Management


Computer and Information Security
Chapter 12
Network Management Security
Slides by H. Johnson & S. Malladi, L. Brown - Modified by SJF-S'12
Outline
• Basic Concepts of SNMP
• Network Management Architecture
• SNMPv1 Community Facility
• SNMPv3
• Recommended Reading and WEB Sites
Basic Concepts of SNMP
• As a network grows larger
– it becomes more indispensable to the organization
– more things can go wrong, disabling the network to an unacceptable level
• A large network is too complex to be managed by human effort alone and requires automated network management tools, such as the Simple Network Management Protocol (SNMP)
Basic Concepts of SNMP
• Network Management Architecture
• A network management system is an
integrated collection of tools for network
monitoring and control.
– Single operator interface
– Minimal amount of separate equipment. Software
and network communications capability built into
the existing equipment
• Active elements of the network provide
regular feedback of status information to the
network control center.
SNMP Architecture
• SNMP key elements:
– Management station - often a stand-alone device, which serves as the human interface
– Management agent - responds to requests for information from the management station
– Management information base (MIB) - collection of access points at the agent for the station
– Network management protocol - links station and agents and includes:
• Get - retrieve value of objects at agent
• Set - set value of objects at agent
• Notify - notifies station of significant events
Network Management
Protocol Architecture
• 1988: SNMP became dominant
• Most vendors of routers, workstations, PCs, etc. offer SNMP agent packages that allow their products to be managed by an SNMP management station
• SNMP is easily implemented and uses minimal processor and network resources
Network Management
Protocol Architecture
• SNMP designed to be an application
level protocol that is part of TCP/IP
– intended to operate over the User
Datagram Protocol (UDP)
– each agent must implement SNMP, UDP,
and IP
Protocol Context of SNMP
• 3 Types of messages are issued:
– GetRequest
– GetNextRequest
– SetRequest
• All are acknowledged by GetResponse
• An agent may issue a trap message in
response to an event
Protocol context of SNMP
Protocol Context of SNMP
• SNMP relies on UDP which is
connectionless, and SNMP is also
connectionless.
• No connections are maintained between
a management station and an agent.
Proxies
• Proxies were developed for devices that do not support UDP or do not implement SNMP.
• An SNMP agent acts as a proxy for one or more other devices.
• The management station sends queries to the proxy agent, which converts them to the management protocol used by the device.
• When the proxy agent receives a reply, it passes it to the management station.
Proxy Configuration
SNMP v1 and v2
• Trap – an unsolicited message (reporting
an alarm condition)
• SNMPv1 is ”connectionless” since it
utilizes UDP (rather than TCP) as the
transport layer protocol.
• SNMPv2 allows the use of TCP for
”reliable, connection-oriented” service.
• Any device that does not run SNMPv2
must be managed by proxy.
SNMPv2
• Strength of SNMP is its simplicity.
• SNMP provides a basic set of tools that is
easy to implement and configure.
• Deficiencies become apparent in large networks:
– Lack of support for distributed network management
– Functional deficiencies
– Security deficiencies (addressed in SNMPv3)
Distributed Network
Management
• One host has the function of a management
station; two or three others may have a back-up
role.
• Remaining devices contain agent software and a MIB to allow monitoring and control from the management station.
• MIB - Management Information Base, a database of objects that can be monitored by a network management system.
• As the network grows in size this becomes unmanageable, and a decentralized management scheme works best.
Decentralized (Distributed)
Network Management
• Multiple top-level management stations or
management servers
• Each server manages a pool of agents or
delegates the management to an intermediate
manager
• Intermediate manager monitors and controls
its agents
• Spreads the processing burden and reduces
total network traffic
SNMPv2
• SNMPv2 supports either a centralized strategy or a distributed one.
• Some systems operate both in the role of manager and of agent.
• Some commands require the agent to act as a proxy for remote devices: the proxy assumes the role of manager to access information at the remote device, then as an agent passes the information to a superior manager.
Functional Enhancements
• SNMPv1 - 5 commands (GetRequest, GetNextRequest, SetRequest, GetResponse, Trap) issued as protocol data units (PDUs)
• SNMPv2 - all 5 commands from v1, plus two new ones
– Inform command, sent from one management station to another
– GetBulk - allows a manager to retrieve a large block of data at once
• Get is atomic in SNMPv1, but not in SNMPv2, which may return partial results
Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU      SNMPv2 PDU      Direction                                        Description
GetRequest      GetRequest      Manager to agent                                 Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                                 Request next value for each listed object
------          GetBulkRequest  Manager to agent                                 Request multiple values
SetRequest      SetRequest      Manager to agent                                 Set value for each listed object
------          InformRequest   Manager to manager                               Transmit unsolicited information
GetResponse     Response        Agent to manager or Manager to manager (SNMPv2)  Respond to manager request
Trap            SNMPv2-Trap     Agent to manager                                 Transmit unsolicited information
SNMPv1 Community Facility
• SNMP community - relationship between an SNMP agent and SNMP managers, defined locally at the agent.
• Three aspects of agent control:
– Authentication service - agent may limit access to the MIB to authorized managers
– Access policy - agent may give different access privileges to different managers
– Proxy service - agent may act as a proxy to other agents
• All of these raise security concerns
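The message types listed under "Protocol Context of SNMP" and the community facility above can be seen concretely in the wire format. The following is an added example, not code from the slides: a minimal BER encoder and decoder for an SNMPv1 message (version, community, PDU) with constructed sample values (community "public", request-id 42, the sysName.0 OID). It makes the security concern tangible: the community string, which is the whole of SNMPv1's "authentication", travels in cleartext inside the UDP datagram, so anyone who can observe the packet can read it.

```python
"""Added example: build and parse an SNMPv1 message (BER) to show what is on the wire.
The community, request-id and OIDs used below are constructed for illustration."""

# SNMPv1 PDU type tags (context-specific, constructed), matching the PDU list above.
PDU_TAGS = {
    "GetRequest": 0xA0,
    "GetNextRequest": 0xA1,
    "GetResponse": 0xA2,
    "SetRequest": 0xA3,
    "Trap": 0xA4,
}
PDU_NAMES = {tag: name for name, tag in PDU_TAGS.items()}


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; long-form length when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def enc_int(v: int) -> bytes:
    """INTEGER, two's complement, minimal number of octets."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one octet, the rest are base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))  # most significant group first, continuation bit on all but last
    return _tlv(0x06, bytes(out))


def build_message(community: str, pdu_type: str, request_id: int, oids) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, data PDU }."""
    varbinds = b"".join(_tlv(0x30, enc_oid(o) + _tlv(0x05, b"")) for o in oids)  # value = NULL
    pdu_body = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, varbinds)  # error-status, error-index
    pdu = _tlv(PDU_TAGS[pdu_type], pdu_body)
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def dec_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_message(msg: bytes) -> dict:
    """Decode version, community, PDU type, request-id and the requested OIDs."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    ptag, pdu, _ = _read_tlv(body, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)  # error-status
    _, _, q = _read_tlv(pdu, q)  # error-index
    _, vbl, _ = _read_tlv(pdu, q)
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, o, _ = _read_tlv(vb, 0)
        oids.append(dec_oid(o))
    return {
        "version": int.from_bytes(ver, "big", signed=True),  # 0 = SNMPv1
        "community": comm.decode(),
        "pdu": PDU_NAMES[ptag],
        "request_id": int.from_bytes(rid, "big", signed=True),
        "oids": oids,
    }


def community_in_cleartext(msg: bytes) -> bool:
    """The decoded community appears verbatim in the raw datagram: no secrecy on the wire."""
    return parse_message(msg)["community"].encode() in msg


if __name__ == "__main__":
    m = build_message("public", "GetRequest", 42, ["1.3.6.1.2.1.1.5.0"])  # sysName.0
    print(m.hex())
    print(parse_message(m), community_in_cleartext(m))
```

The parser is deliberately strict to the SNMPv1 layout; a monitoring tool would use the same decode to flag datagrams carrying default communities such as "public", which is the practical reason the slides call the community facility a security concern.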
SNMPv1 Administrative
Concepts
SNMPv3
• SNMPv3 defines a security capability to be
used in conjunction with SNMPv1 or v2
SNMPv3
• SNMPv3 is not a stand-alone replacement for versions 1 and 2
• SNMPv3 defines a security capability to be used with SNMPv2 (preferred) or SNMPv1
• Describes an architecture for current and future versions of SNMP
• Like SNMPv2 with security and administrative capabilities.
SNMPv3 Architecture
• Modular architecture
– Allows implementation over a wide range of
operational environments
– Makes it possible to move portions of the
architecture forward in the standards track
even if consensus is not reached on all pieces
– Accommodates alternate security modes
SNMP Entity
• Each SNMP entity includes a single SNMP
engine
• Engine implements functions for sending
and receiving messages, authenticating,
encrypting and decrypting messages and
controlling access to managed objects.
• Both the engine and the applications are
collections of discrete modules.
SNMP Entity
• This architecture provides advantages:
– Role of an entity is determined by which
modules are implemented in the entity
– Modular structure lends itself to defining
different versions of each module
• makes it possible to define alternative or enhanced
capabilities
• clearly specifies coexistence and transition
strategies
Traditional SNMP manager
• Manager interacts with agents by issuing commands (get, set) and by receiving trap messages.
• Manager may also interact with other managers by issuing Inform Request PDUs, which provide alerts, and by receiving Inform Response PDUs, which acknowledge the Inform Request.
Traditional SNMP manager
• Includes three categories of applications:
– Command Generator Applications - monitor and manipulate management data at remote agents (using SNMPv1 or SNMPv2)
– Notification Originator Application - originates asynchronous messages (using InformRequest)
– Notification Receiver Application - processes incoming asynchronous messages
Traditional SNMP Manager
Traditional SNMP Manager
• SNMP engine performs two functions:
– Accepts outgoing PDUs from SNMP applications, performs necessary processing, including inserting authentication codes and encrypting, and encapsulates them for transmission
– Accepts incoming SNMP messages from the transport layer, performs necessary processing, including inserting authentication codes and encrypting, extracts PDUs and passes these on to SNMP applications
SNMP Engine
• Contains
– A Dispatcher - a simple traffic manager: accepts PDUs, determines the type of processing and passes them to the Message Processing Subsystem; for incoming messages from the transport layer, routes them to the application
– A Message Processing Subsystem - wraps PDUs in messages and returns them to the Dispatcher
– A Security Subsystem - performs authentication and encryption
Traditional SNMP Agent
• Contains 3 types of applications:
– Command Responder - provides access to management data
– Notification Originator - initiates asynchronous messages
– Proxy Forwarder - forwards messages between applications
Traditional SNMP Agent
SNMPv3 Flow
SNMPv3 Message Format with USM
User Security Model (USM)
• Designed to secure against:
– Modification of information
– Masquerade
– Message stream modification
– Disclosure
• Not intended to secure against:
– Denial of Service (DoS attack)
– Traffic analysis
Key Localization Process
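The key localization process the slide refers to is the USM step that turns a user's password into a per-agent key. The following is an added example, not code from the slides: the RFC 3414 password-to-key expansion (Ku), the localization Kul = H(Ku || snmpEngineID || Ku), and the HMAC-96 authentication tag that USM uses to detect modification and masquerade. The password "maplesyrup" and the 12-byte engineID are the RFC 3414 appendix A test inputs; the message bytes and the second engineID are constructed for the demonstration.

```python
"""Added example: RFC 3414 password-to-key, key localization and HMAC-96 authentication
for the User Security Model. Not code from the slides."""
import hashlib
import hmac

ONE_MIB = 1_048_576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku = H(password repeated to exactly 1 MiB). The expansion makes every offline
    guess of a candidate password cost a 1 MiB hash (RFC 3414, appendix A.2)."""
    expanded = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). One user password yields a different key on
    every agent, so a key table stolen from one agent does not unlock the others."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 octets of the HMAC over the whole message
    (the msgAuthenticationParameters field is all zeros while the MAC is computed)."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def verify_tag(kul: bytes, whole_msg: bytes, tag: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison; a modified message or a wrong key yields False."""
    return hmac.compare_digest(auth_tag(kul, whole_msg, algo), tag)


def demo() -> dict:
    # Constructed values: password and engine_a are the RFC 3414 appendix A.3 test inputs;
    # engine_b and the message bytes are made up for this demonstration.
    password = b"maplesyrup"
    engine_a = bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("800000020b0a0b0c0d0e0f10")  # hypothetical second agent
    ku = password_to_key(password, "md5")
    kul_a = localize_key(ku, engine_a, "md5")
    kul_b = localize_key(ku, engine_b, "md5")
    msg = b"\x30\x00constructed-snmpv3-message-with-zeroed-auth-params"
    tag = auth_tag(kul_a, msg)
    tampered = msg.replace(b"snmpv3", b"SNMPV3")
    return {
        "ku_hex": ku.hex(),
        "kul_a_hex": kul_a.hex(),
        "keys_differ_per_engine": kul_a != kul_b,
        "valid": verify_tag(kul_a, msg, tag),
        "tampered_rejected": not verify_tag(kul_a, tampered, tag),
        "other_engine_key_rejected": not verify_tag(kul_b, msg, tag),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the slide's threat list relies on are visible here: the tag binds the message to the localized key (modification and masquerade fail verification), and localization is why a manager stores Ku once but must derive Kul per engineID, which is also why the engineID must be discovered before authenticated traffic can begin.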
View-Based Access Control
Model (VACM)
• VACM has two characteristics:
– Determines whether access to a managed object should be allowed.
– Makes use of a MIB that:
• Defines the access control policy for this agent.
• Makes it possible for remote configuration to be used.
Access control decision
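The access control decision the slide refers to can be modelled end to end. The following is an added example, not code from the slides: a small implementation of the VACM isAccessAllowed walk (securityName to group, group plus securityLevel to an access entry, access entry to a named view, view family match with subtree and mask), with the three VACM tables as constructed Python dicts. The group names, user names and the engine's view layout are assumptions made for the example; the OIDs are the standard system, interfaces and USM MIB subtrees.

```python
"""Added example: a model of the VACM access-control decision (RFC 3415 isAccessAllowed),
with the three VACM tables as constructed dicts. Not code from the slides."""

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


def oid_tuple(s: str) -> tuple:
    return tuple(int(x) for x in s.split("."))


def family_matches(subtree: tuple, mask: tuple, oid: tuple) -> bool:
    """A view family covers oid when every subtree arc whose mask bit is 1 equals the
    corresponding arc of oid; mask bits beyond the mask's length count as 1."""
    if len(oid) < len(subtree):
        return False
    return all((i < len(mask) and mask[i] == 0) or oid[i] == arc for i, arc in enumerate(subtree))


def in_view(views: dict, view_name: str, oid: tuple) -> bool:
    """oid is in the view when the most specific (longest) matching family is 'included'."""
    best = None
    for subtree, mask, family_type in views.get(view_name, ()):
        if family_matches(subtree, mask, oid) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, family_type)
    return best is not None and best[1] == "included"


def is_access_allowed(cfg, security_model, security_name, security_level, view_type, context, oid_str):
    """Walk group -> access entry -> view; return (allowed, status) using the RFC's status names."""
    group = cfg["security_to_group"].get((security_model, security_name))
    if group is None:
        return False, "noGroupName"
    candidates = [
        (key, views) for key, views in cfg["access"].items()
        if key[0] == group and context.startswith(key[1])
        and key[2] in (security_model, "any")
        and LEVELS[key[3]] <= LEVELS[security_level]  # entry's level must not exceed the request's
    ]
    if not candidates:
        return False, "noAccessEntry"
    _, views = max(candidates, key=lambda kv: LEVELS[kv[0][3]])  # most demanding matching entry wins
    view_name = views.get(view_type)
    if not view_name:
        return False, "noSuchView"
    if not in_view(cfg["views"], view_name, oid_tuple(oid_str)):
        return False, "notInView"
    return True, "accessAllowed"


# Constructed configuration: a read-only group reachable by a v2c community or an authenticated
# USM user, and an admin group whose write access requires authPriv.
CONFIG = {
    "security_to_group": {
        ("v2c", "public"): "readonly",
        ("usm", "monitor"): "readonly",
        ("usm", "operator"): "admin",
    },
    # (group, contextPrefix, securityModel, securityLevel) -> view name per access type
    "access": {
        ("readonly", "", "v2c", "noAuthNoPriv"): {"read": "system"},
        ("readonly", "", "usm", "authNoPriv"): {"read": "system"},
        ("admin", "", "usm", "authPriv"): {"read": "all", "write": "all", "notify": "all"},
    },
    # view name -> [(subtree, mask, included|excluded)]
    "views": {
        "system": [(oid_tuple("1.3.6.1.2.1.1"), (), "included")],
        "all": [
            (oid_tuple("1.3.6"), (), "included"),
            (oid_tuple("1.3.6.1.6.3.15"), (), "excluded"),  # keep the USM MIB (user keys) out of view
        ],
        # row 1 of ifTable in any column: mask bit 0 at the column position is a wildcard
        "iface1": [(oid_tuple("1.3.6.1.2.1.2.2.1.0.1"), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), "included")],
    },
}

if __name__ == "__main__":
    print(is_access_allowed(CONFIG, "usm", "monitor", "authNoPriv", "read", "", "1.3.6.1.2.1.1.5.0"))
    print(is_access_allowed(CONFIG, "usm", "monitor", "authNoPriv", "write", "", "1.3.6.1.2.1.1.5.0"))
    print(is_access_allowed(CONFIG, "usm", "operator", "authNoPriv", "write", "", "1.3.6.1.2.1.1.5.0"))
```

The status names map onto the two characteristics on the slide: the group and access tables decide whether this principal at this security level may attempt the operation at all, and the view table decides whether the particular managed object is visible to it; because all three tables are themselves MIB objects, the same decision governs who may reconfigure them remotely.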
Recommended Reading and WEB Sites
• Subramanian, Mani. Network Management. Addison-Wesley, 2000
• Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999
• IETF SNMPv3 working group (Web sites)
• SNMPv3 Web sites