08-SNMP - No Slide Title - Georgia Institute of Technology


ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
Office: Klaus 3362
email or call for office visit
Chap 8: SNMP - Simple Network Mgmt Protocol
Includes copies of figures from Chap. 8 of
“Network Security Essentials, Applications and Standards”
by William Stallings
Network Management Architecture
An integrated collection of tools for network monitoring and control.
• Single operator interface.
• Minimal amount of separate equipment – software and network communications capability built into the existing equipment.
The primary parts are:
• Management station (central control, has an “agent”)
• Management agents (software in network equipment)
• Management Information Base (MIB)
• Network management protocol (rules for communication)
SNMP Terminology
“SNMP Management Station” - central control. It can set parameters and collect information from the “SNMP Agents” located on the controlled network systems.
“Proxy” – an add-on box to add SNMP features to a network unit (router, modem, PC, …) that does not have built-in SNMP capability.
“Trap” – an unsolicited message, perhaps reporting an alarm condition (to UDP port 162).
“Intermediate Management Station” - for distributed control. It can set parameters and collect information from the Agents on a local region of the network. Only the more important information would be passed up to the Management Station.
SNMP v1, v2, and v3
SNMPv1 (version 1) is “connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol.
SNMPv2 allows the use of TCP for “reliable, connection-oriented” service.
Problems with SNMP v1 addressed by version 2:
• Lack of support for distributed network management.
• Functional deficiencies - v2 can use TCP/IP and Novell IPX.
Problem addressed by version 3:
• Security - version 1 used a community name as a password.
• Version 3 adds encryption and host authentication.
The Role of SNMP
Proxy Configuration
SNMP v3 – a Security Add-on
SNMP v3 “engine” operating at the Application Layer:
• On outgoing PDUs, inserts authentication codes (MACs), encrypts certain fields, and encapsulates the PDU into a message for transmission.
• For incoming messages (from the Transport Layer), performs authentication verification and decryption, and extracts PDUs from the message to pass up to the SNMP applications above.
• Security Subsystem - performs the authentication and encryption tasks.
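What the engine does on the outgoing and incoming paths can be made concrete with the authentication step of the User Security Model (USM). The Python below is an added example, not code from the slides or from any SNMP implementation: it derives a localized key from a password and an engine ID (RFC 3414 Appendix A.2, checked against the RFC's “maplesyrup” test vector), inserts the 96-bit HMAC into the msgAuthenticationParameters field on the way out, and verifies it on the way in with a constant-time comparison. The message bytes, the field offset and the names sign_message / verify_message are constructed for this example; a real SNMPv3 message is BER-encoded and the field's offset comes from parsing it.

```python
"""RFC 3414 USM authentication: key derivation and HMAC-96 sign/verify."""
import hashlib
import hmac

AUTH_PARAM_LEN = 12          # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits of the MAC

# Engine ID from the RFC 3414 Appendix A test vectors (any 5..32-byte ID works).
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed stand-in for an SNMPv3 wholeMsg (not real BER): header bytes, the
# 12-byte msgAuthenticationParameters field (zero before signing), then the
# scoped PDU. In a real message the field sits at an offset found by BER parsing.
HEADER = b"[msgVersion=3 msgGlobalData msgSecurityParameters...]"
SCOPED_PDU = b"[scopedPDU: get-request sysUpTime.0]"
AUTH_OFFSET = len(HEADER)
UNSIGNED_MSG = HEADER + bytes(AUTH_PARAM_LEN) + SCOPED_PDU


def password_to_key(password: str, hash_name: str) -> bytes:
    """Ku (RFC 3414 A.2): hash the password repeated out to 1 048 576 bytes.
    The repetition is the only work factor; it is not a modern password KDF."""
    pw = password.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the same password gives a different
    key on every engine, so one compromised agent does not expose the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _auth_param(kul: bytes, whole_msg: bytes, offset: int, hash_name: str) -> bytes:
    # The MAC is computed over the message with the 12-byte field set to zeros.
    zeroed = whole_msg[:offset] + bytes(AUTH_PARAM_LEN) + whole_msg[offset + AUTH_PARAM_LEN:]
    return hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAM_LEN]


def sign_message(kul: bytes, whole_msg: bytes, offset: int, hash_name: str) -> bytes:
    """Outgoing side of the engine: insert the truncated MAC into the message."""
    mac = _auth_param(kul, whole_msg, offset, hash_name)
    return whole_msg[:offset] + mac + whole_msg[offset + AUTH_PARAM_LEN:]


def verify_message(kul: bytes, whole_msg: bytes, offset: int, hash_name: str) -> bool:
    """Incoming side: recompute and compare in constant time. A mismatch means
    the message was altered in transit or was not built with this engine's key."""
    expected = _auth_param(kul, whole_msg, offset, hash_name)
    received = whole_msg[offset:offset + AUTH_PARAM_LEN]
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    kul = localize_key(password_to_key("maplesyrup", "md5"), ENGINE_ID, "md5")
    signed = sign_message(kul, UNSIGNED_MSG, AUTH_OFFSET, "md5")
    print("verify:", verify_message(kul, signed, AUTH_OFFSET, "md5"))
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    print("tampered:", verify_message(kul, tampered, AUTH_OFFSET, "md5"))
```

Run it directly to see a signed message verify and a one-byte change fail. HMAC-MD5-96 and HMAC-SHA-96 are the two protocols RFC 3414 defines; RFC 7860 adds SHA-2 based variants with the same structure, and the key-localization step is what keeps a password captured from one agent from being replayed against another.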
SNMP Protocol Architecture
SNMPv3 PDU with User Security Model (USM)
Messages Use the Management Info. Base (MIB) and ASN.1 (Abstract Syntax Notation)
Objects (Parameters) are expressed as leaves on the MIB tree.

Object                              Object ID (OID)
+--iso(1)                           .1
   +--org(3)                        .1.3
      +--dod(6)                     .1.3.6
         +--internet(1)             .1.3.6.1
            +--directory(1)         .1.3.6.1.1
            +--mgmt(2)              .1.3.6.1.2
            |  +--mib-2(1)          .1.3.6.1.2.1
            |  +--transmission(10)  .1.3.6.1.2.10
            +--experimental(3)      .1.3.6.1.3
            +--private(4)           .1.3.6.1.4
            |  +--enterprises(1)    .1.3.6.1.4.1 [next number is company ID]*
            +--security(5)          .1.3.6.1.5
            +--snmpV2(6)            .1.3.6.1.6
               +--snmpDomains(1)    .1.3.6.1.6.1
               +--snmpProxys(2)     .1.3.6.1.6.2
               +--snmpModules(3)    .1.3.6.1.6.3

* when a company gets a number from IANA, it can extend the tree to cover a new system.
Decoding a UDP Trap Message
trap_server.pl 9/26/04 22:45
[data has the form: 30(length), (6)OID, (42) value or (44) string]
From: 209.128.181.100 Mon Sep 27 21:24:26 EDT 2004
Len: 82 1 26 - 294 Version: 2 Domain: public Reg_ID: 391 Error: 0 Index: 0
Byte: 29 Type: 30 0 82 1 9 - 265
Byte: 33 Type: 30 1 f - 15
Byte: 35 Type: 6 1 .1.3.6.1.2.1.1.3.0
System Up Time (0.01 s)
Byte: 45 Type: 43 1 1977555
-> sysUpTime = 19775.55 s
Byte: 50 Type: 30 1 1c - 28
Byte: 52 Type: 6 2 .1.3.6.1.6.3.1.1.4.1.0
Type of Event
Byte: 64 Type: 6 2 .1.3.6.1.4.1.8712.4.1.1.2.1.7.5 Indicates that the IP has a profile violation.
-> snmpTrapOID = swCoreEventOOP
Byte: 80 Type: 30 2 2a - 42
Byte: 82 Type: 6 3 .1.3.6.1.4.1.8712.4.1.1.2.1.1.1
Byte: 98 Type: 44 3 StealthWatch+Therminator
-> stealthwatchCoreConfig = StealthWatch+Therminator
Byte: 124 Type: 30 3 16 - 22
Byte: 126 Type: 6 4 .1.3.6.1.4.1.8712.4.1.1.2.1.6.1.1 The unique alarm identifier (serial no).
Byte: 143 Type: 42 4 207986
-> stealthwatchCoreAlarmsId = 207986
Byte: 148 Type: 30 4 22 - 34
Byte: 150 Type: 6 5 .1.3.6.1.4.1.8712.4.1.1.2.1.6.1.3 Host Ip Address of [that caused] the alarm.
Byte: 167 Type: 44 5 209.182.185.012
-> stealthwatchCoreAlarmsHost = 209.182.185.012
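The dump above walks the trap's BER encoding one tag-length-value at a time (0x30 SEQUENCE, 0x06 OID, 0x43 TimeTicks, 0x42 Gauge32, 0x44 string value). The Python decoder below is an added example, not part of the slides or of trap_server.pl: it decodes a byte string constructed to match the five varbinds shown, using the same long-form length the dump reports as “Len: 82 1 26” for the outer message, and it turns the base-128 sub-identifier bytes into the dotted OIDs of the MIB tree slide (the enterprise number 8712 becomes the two bytes 0xc4 0x08). Decoding tag 0x44 as text is an assumption taken from the dump, which prints the two string values under that tag (in standard SMI 0x44 is Opaque). Every length field is checked against the buffer before it is trusted, which is the check a trap receiver needs because the datagram comes from an unauthenticated UDP sender.

```python
"""Minimal BER decoder for the SNMP varbind list shown in the trap dump."""

# Constructed from the trap dump on the slide: five varbinds wrapped in a
# SEQUENCE whose length uses the long form (0x81 0x97 = 151 bytes).
VARBIND_LIST = (
    bytes.fromhex(
        "30 81 97 "
        # sysUpTime.0 = TimeTicks 1977555 (0x1e2cd3)
        "30 0f 06 08 2b 06 01 02 01 01 03 00 43 03 1e 2c d3 "
        # snmpTrapOID.0 = enterprise OID; 8712 = 0xc4 0x08 in base-128
        "30 1c 06 0a 2b 06 01 06 03 01 01 04 01 00 "
        "06 0e 2b 06 01 04 01 c4 08 04 01 01 02 01 07 05 "
        # stealthwatchCoreConfig = 24-byte string under tag 0x44, as in the dump
        "30 2a 06 0e 2b 06 01 04 01 c4 08 04 01 01 02 01 01 01 44 18 "
    )
    + b"StealthWatch+Therminator"
    + bytes.fromhex(
        # stealthwatchCoreAlarmsId = Gauge32 207986 (0x032c72)
        "30 16 06 0f 2b 06 01 04 01 c4 08 04 01 01 02 01 06 01 01 42 03 03 2c 72 "
        # stealthwatchCoreAlarmsHost = 15-byte string
        "30 22 06 0f 2b 06 01 04 01 c4 08 04 01 01 02 01 06 01 03 44 0f "
    )
    + b"209.182.185.012"
)

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS, TAG_OPAQUE = 0x41, 0x42, 0x43, 0x44
UNSIGNED_TAGS = {TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS}
STRING_TAGS = {TAG_OCTET_STRING, TAG_OPAQUE}   # 0x44 as text: assumption from the dump


def read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value_bytes, next_pos).
    Every length is bounds-checked before any byte is read through it."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at byte %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: one length byte
        length = first
    else:                                  # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length at byte %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):            # an attacker-controlled length must not drive a read
        raise ValueError("length %d overruns buffer at byte %d" % (length, pos))
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload: bytes) -> str:
    """Sub-identifier bytes to dotted form: first byte is 40*a + b, the rest base-128."""
    if not payload:
        raise ValueError("empty OID")
    arcs = [payload[0] // 40, payload[0] % 40]
    value, pending = 0, False
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)           # high bit set: more bytes of this arc follow
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("OID ends inside a sub-identifier")
    return "." + ".".join(str(a) for a in arcs)


def decode_value(tag: int, payload: bytes):
    if tag == TAG_OID:
        return decode_oid(payload)
    if tag == TAG_INTEGER:
        return int.from_bytes(payload, "big", signed=True)
    if tag in UNSIGNED_TAGS:
        return int.from_bytes(payload, "big")
    if tag in STRING_TAGS:
        return payload.decode("ascii", errors="replace")
    raise ValueError("unsupported tag 0x%02x" % tag)


def decode_varbind_list(buf: bytes):
    """SEQUENCE OF { SEQUENCE { OID, value } }  ->  [(oid, value), ...]."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("expected exactly one outer SEQUENCE")
    varbinds, pos = [], 0
    while pos < len(body):
        tag, vb, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("varbind is not a SEQUENCE")
        oid_tag, oid_bytes, p = read_tlv(vb, 0)
        if oid_tag != TAG_OID:
            raise ValueError("varbind does not start with an OID")
        val_tag, val_bytes, p = read_tlv(vb, p)
        if p != len(vb):
            raise ValueError("trailing bytes inside varbind")
        varbinds.append((decode_oid(oid_bytes), decode_value(val_tag, val_bytes)))
    return varbinds


def is_well_formed(buf: bytes) -> bool:
    """True when the buffer decodes cleanly, False on any structural error."""
    try:
        decode_varbind_list(buf)
        return True
    except ValueError:
        return False


def timeticks_to_seconds(ticks: int) -> float:
    """sysUpTime counts hundredths of a second, as the dump's conversion shows."""
    return ticks / 100


if __name__ == "__main__":
    for oid, value in decode_varbind_list(VARBIND_LIST):
        print(oid, "=", value)
```

Running it prints the same five OID/value pairs the dump resolves by hand (sysUpTime 1977555 ticks, the trap OID, the two strings and the alarm id); mapping the OIDs to names such as stealthwatchCoreAlarmsId still needs the vendor MIB from the enterprises(1) subtree.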
Sources of SNMP Information on the Web
To work with SNMP messages on a Unix system, install the Net-SNMP utilities, available at “www.net-snmp.org”.
A number of standard MIBs will then be found in /usr/share/snmp/mibs
To look up Enterprise Numbers, go to the Web site of the Internet Assigned Numbers Authority (IANA), “www.iana.org/assignments/enterprise-numbers”.
The “List of Lists” at “www.iana.org/numbers.html” is a wonderful body of information on all the Internet assigned numbers (protocols, ports, IPs vs. area, AS numbers, ...).
For information on ASN.1: “www.cs.columbia.edu/~hgs/internet/asn.1.html”
RFCs on SNMP: 788, 1098, 1215, 1442, 1592, 1906, 2578. To get them, use “www.ietf.org/rfc/rfc<number_here>.txt”