SNMP, DHCP and Security
Network Management and Initialization
Based on Computer Networks and Internets, Comer
CSIT 220 (Blum)
1
Network management: What is it?
A network manager is responsible for monitoring and controlling the hardware and software that make up a network.
The network manager works to repair the network when it goes down.
The network manager also attempts to tune and tweak the network so that it operates more efficiently.
There is a variety of software and hardware to help network managers in their work.
Network management
Network management can include:
Security: Making sure that the network is protected from hackers, viruses, denial of service (DoS) attacks, etc.
Performance: Making sure the bandwidth is used to the fullest, eliminating bottlenecks, etc.
Reliability: Making sure the network is up and running as much as possible.
“Anticipate to Avoid”
Difficulty of Network Management
Some failures, like a cut cable, while catastrophic, are easy to detect.
Intermittent or partial failures can be more difficult to find because TCP (with its retransmission procedure) is designed to “hide” (work in spite of) these problems.
However, retransmission uses bandwidth that could be used for other traffic if the error did not occur.
A good network manager will root out such problems before they become more severe.
SNMP
Simple Network Management Protocol is a set of rules for exchanging messages that allow a network manager to monitor and control network hosts/nodes.
The messages are called Protocol Data Units (PDUs) and are sent using User Datagram Protocol (UDP).
SNMP is part of TCP/IP, and as with many other application-layer services it is a separate install.
The term “manager” refers not only to the person overseeing the network but also to the special software used.
Uses UDP
Vocabulary change
SNMP follows the standard client-server paradigm — a client requests and a server responds/replies.
But the situation is somewhat unusual in that there are more servers than clients in this case, and the client’s machine is probably the better machine.
The SNMP client runs on the manager’s computer and is called the manager.
The SNMP server runs on various hosts and is called the agent.
Vocabulary change II
Client  = Manager
Server  = Agent
Client is to server as manager is to agent, i.e. the manager requests information from the agent; the manager initiates.
A community
The manager (a person) organizes the computers into groups for management purposes; these groups are called communities.
A computer can belong to more than one community.
The manager (software) requests information (network statistics, such as how many packets required retransmission) from the agents in its community.
The manager can set parameters on the agents and thus change delivery routes, configure network interfaces, etc.
Fetch and Store
The S in SNMP is “simple” because it has a small set of commands.
The manager can request a value from an agent — a fetch.
The agent receives the request, retrieves information from an MIB (management information base) and sends it to the manager.
The manager can request an agent to set a parameter to a particular value — a store.
Certain parameter values are interpreted by the agents as a command and cause them to initiate a sequence of events, such as a reboot.
MIB
The information (and procedures) accessed by SNMP are stored in the Management Information Base (MIB).
SNMP itself specifies only a few simple messages.
The complexity and flexibility (how to handle new software or hardware) is in the MIB.
A separate standard defines MIB variables and the meaning of the operations on each variable.
SNMP Messages
Get: The simplest SNMP request message. A manager sends a get message requesting a single MIB entry (e.g., the amount of free drive space); the agent responds with the entry — provided the manager belongs to the same community as the agent.
SNMP Messages
Get-next: A type of request message that can be used to browse the entire collection of management objects. When a manager sends a get-next request for a particular object, the agent replies with the identity and value of the object which follows the object in the request message.
Get-next is useful for accessing tables, such as internal IP route tables.
SNMP Messages
Getbulk: Requests that the data packets sent by the agent be as large as possible. This minimizes the number of protocol exchanges required.
The maximum message size should not be larger than the path MTU.
Set: If the manager has write privileges, this message is used to update an agent’s MIB value.
SNMP Messages
Trap: Typically the manager (client) requests and the agent (server) responds. However, some situations require the agent to initiate an interaction.
A trap is an unsolicited message sent by an agent to a manager when certain predefined conditions occur in the agent.
The manager that receives a trap message is known as a trap destination. There may be more than one manager.
E.g., a trap might be sent if a host is about to go down.
E.g., a trap might be sent if a manager without permission contacts an agent.
SNMP Help
Scenario from Help
1. The management system (Host A) sends an SNMP datagram to the agent (Host B), using the agent's host name, IP address or IPX address.
2. The SNMP agent receives the datagram and verifies the community name to which the management system belongs.
   A. If it is a valid community name, the agent retrieves the data requested from the appropriate SNMP subagent. The SNMP agent returns the datagram to the management system with the requested information.
   B. If the community name is incorrect, the agent sends an "authentication failure" trap to its trap destinations (Hosts C and D).
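The message types from the preceding slides (get, get-next, getbulk, set, trap) and the community check in the scenario above, worked through in a small simulated agent. This is an added teaching example, not code from the lecture or from any SNMP implementation: the Agent class, its OIDs and values, and the host names "hostC"/"hostD" are all constructed, and nothing is sent over UDP. What it shows beyond the slides is how get-next's lexicographic ordering lets a manager walk a whole table, and that a wrong community name on a get or a set produces one trap per trap destination.

```python
"""Toy SNMP-style agent: get / get-next / get-bulk / set, plus the community
check from the scenario above that ends in an "authentication failure" trap.
Constructed example; it does not speak real SNMP on the wire."""
from dataclasses import dataclass, field


@dataclass
class Agent:
    read_community: str        # community allowed to fetch
    write_community: str       # community allowed to store
    trap_destinations: list    # managers that receive traps (Hosts C and D)
    mib: dict = field(default_factory=dict)        # OID tuple -> value
    traps_sent: list = field(default_factory=list)

    def _check(self, community, need_write=False):
        """Scenario step 2: verify the community name; trap on failure (step B)."""
        ok = community == self.write_community or (
            not need_write and community == self.read_community)
        if not ok:
            for dest in self.trap_destinations:
                self.traps_sent.append((dest, "authenticationFailure", community))
        return ok

    def get(self, community, oid):
        """Fetch one MIB entry (scenario step A)."""
        if not self._check(community):
            return None
        return self.mib.get(oid)

    def get_next(self, community, oid):
        """Return (next_oid, value): the first OID lexicographically after oid."""
        if not self._check(community):
            return None
        for candidate in sorted(self.mib):
            if candidate > oid:
                return candidate, self.mib[candidate]
        return None            # end of the MIB

    def get_bulk(self, community, oid, max_repetitions):
        """Several get-next steps in one exchange, as many as the caller allows."""
        if not self._check(community):
            return None
        out, cur = [], oid
        while len(out) < max_repetitions:
            nxt = self.get_next(community, cur)
            if nxt is None:
                break
            out.append(nxt)
            cur = nxt[0]
        return out

    def set(self, community, oid, value):
        """Store: needs the write community."""
        if not self._check(community, need_write=True):
            return False
        self.mib[oid] = value
        return True


def walk_table(agent, community, prefix):
    """Browse every entry under a prefix with get-next (e.g. a route table)."""
    rows, cur = [], prefix
    while True:
        nxt = agent.get_next(community, cur)
        if nxt is None or nxt[0][:len(prefix)] != prefix:
            break
        rows.append(nxt)
        cur = nxt[0]
    return rows


def demo_agent():
    """Agent with a constructed MIB; OIDs follow MIB-II naming, values are made up."""
    agent = Agent("public", "private", trap_destinations=["hostC", "hostD"])
    agent.mib = {
        (1, 3, 6, 1, 2, 1, 1, 3, 0): 12345,               # sysUpTime
        (1, 3, 6, 1, 2, 1, 4, 21, 1, 1, 1): "10.0.0.0",   # ipRouteDest rows
        (1, 3, 6, 1, 2, 1, 4, 21, 1, 1, 2): "10.0.1.0",
        (1, 3, 6, 1, 2, 1, 4, 21, 1, 1, 3): "0.0.0.0",
    }
    return agent
```

The community name is the only access control in this model, which is exactly why the trap exists: a flood of authenticationFailure traps at a trap destination is the manager's signal that someone is probing agents with guessed names.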
And now for something completely different
DHCP
Dynamic Host Configuration Protocol does not require an administrator to add an entry for a computer into the database.
Instead DHCP is “plug-and-play” networking.
The computer runs a client to:
   obtain configuration info from DHCP;
   obtain a permanent address if the computer is nonmobile.
DHCP
DHCP uses permanent addresses that are assigned to server computers and a pool of addresses that are allocated on demand.
Based on the computer’s entry in the server’s database, the DHCP server decides the type of address to assign.
For dynamic addresses, the computer's IP may change with each boot.
This makes it harder for others to reach the computer over the Internet. (Recall dynamic DNS.)
DHCP Considerations
When a system reboots (many hosts at once), there is a flood of DHCP requests. This is handled by having each client wait a random time before transmitting an address request.
Caching allows the computer to save the DHCP server’s address in a cache on permanent storage, and use the cached information on reboot once it has been validated.
Lease
DHCP uses the concept of a "lease", or amount of time that a given IP address will be valid for a computer.
The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location.
It's especially useful in education and other environments where users change frequently.
Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses.
APIPA
Automatic Private IP Addressing, a feature of Windows 98 and Windows 2000.
If a DHCP client finds no DHCP server when it boots, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft.
The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address until a DHCP server becomes available.
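The DHCP behaviour from the last five slides (permanent addresses for servers, a pool leased on demand, expiry and renewal of leases, the random wait after a reboot, and the APIPA fallback from 169.254.0.1 to 169.254.255.254 with mask 255.255.0.0) as one simulated server and client. This is an added example, not from the lecture or any DHCP implementation: DhcpServer, configure_client, the pool 192.0.2.0/30 and the client names are constructed, and no DISCOVER/OFFER/REQUEST packets are exchanged. It goes a little beyond the slides by showing what happens when the pool is exhausted and when an expired address is handed to a new client.

```python
"""Toy DHCP allocator with leases, plus the APIPA fallback a client uses when
no server answers. Constructed example, not a real DHCP implementation."""
import ipaddress
import random

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # range named on the slide


class DhcpServer:
    def __init__(self, pool_cidr, lease_seconds, static=None):
        self.pool = list(ipaddress.ip_network(pool_cidr).hosts())  # dynamic pool
        self.lease_seconds = lease_seconds
        self.static = static or {}   # client_id -> permanent address (servers)
        self.leases = {}             # ip -> (client_id, expiry time)

    def _expire(self, now):
        """A lease that has run out returns its address to the pool."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def request(self, client_id, now):
        """Return (ip, expiry), expiry None for a permanent address, or None if exhausted."""
        if client_id in self.static:
            return self.static[client_id], None
        self._expire(now)
        expiry = now + self.lease_seconds
        for ip, (holder, _) in self.leases.items():
            if holder == client_id:              # renewal: extend the existing lease
                self.leases[ip] = (client_id, expiry)
                return ip, expiry
        for ip in self.pool:
            if ip not in self.leases:            # first free address wins
                self.leases[ip] = (client_id, expiry)
                return ip, expiry
        return None                              # more computers than addresses


def apipa_address(rng=random):
    """Self-configured address: 169.254.0.1 - 169.254.255.254 with a /16 mask."""
    host = rng.randint(1, 65534)                 # skips .0.0 and .255.255
    ip = ipaddress.ip_address(int(APIPA_NET.network_address) + host)
    return ip, ipaddress.ip_address("255.255.0.0")


def configure_client(client_id, server, now, rng=random):
    """Client boot logic: random wait, ask the server, else fall back to APIPA."""
    backoff = rng.uniform(0, 2)                  # spreads the post-reboot flood
    lease = server.request(client_id, now + backoff) if server is not None else None
    if lease is None:
        ip, mask = apipa_address(rng)
        return {"ip": ip, "mask": mask, "source": "apipa", "backoff": backoff}
    ip, expiry = lease
    return {"ip": ip, "source": "dhcp", "expiry": expiry, "backoff": backoff}
```

The lease table is the part worth watching operationally: an address reused after expiry means any stale record elsewhere (a DNS entry, a firewall rule keyed on the old address) now points at a different machine, which is the dynamic DNS problem the slide recalls.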
Network Security
Based on Computer Networks and Internets, Comer
Security Policy
Information must be seen as part of a company’s assets and thus worth securing.
On the other hand, if the information is not accessible to an appropriate set of people, it is worthless.
Thus security and accessibility must be balanced. There is no ideal blend that is right for all companies.
An important step toward securing a network is to develop a security policy.
Security policy
A security policy is a written document stating how a company intends to protect its information.
While written, it must be flexible so it can adapt to changes in technology and so forth.
A security policy might include:
   A description of who has access to what information and for what use.
   A description of security measures and penalties for the violation thereof.
   An evaluation procedure.
   A policy for educating users.
Security Aspects
Some aspects of data security to address are:
Integrity: the data should be protected from corruption (accidental or intentional).
Availability: the data should be readily accessible by designated users.
Confidentiality: the data should not be accessible by undesignated users.
Privacy: in some situations it is the user’s data that requires protecting.
Protecting Data from Accidental Corruption
Checksums, CRCs and parity are used to ensure integrity during transmission; similar approaches can be used on information in storage.
A backup scheme can be seen as protecting data integrity.
A RAID (Redundant Array of Independent/Inexpensive Disks) scheme protects integrity while maintaining availability.
Protect hardware from power surges, water damage, etc.
Protecting Data from Intentional Corruption
Authenticate users before giving them access to information.
Restrict access to hardware, computers, servers, hubs, etc.
Protect the network against viruses and hacker attacks.
Have a recovery plan.
Data Availability/User Privacy
The whole reason for a network is sharing information and resources.
Data and resources must be accessible to authenticated users.
Protecting system data and resources should not violate the user’s privacy rights, or at least the user’s level of privacy should be acknowledged.
Audit trail
One mechanism for tracking security is an “audit trail.” The term comes from accounting, where it means the set of paperwork used to validate or invalidate an accounting procedure.
Any logging of activity (paper or electronic) is known as an audit trail. One can track:
   The information a user accesses or attempts to access.
   Businesses maintain an audit trail for customer transactions.
   Some ISPs and chat rooms maintain logs of users.
   Etc.
Authorization and Authentication
Authorization is the setting of a user’s permissions:
   Can a user read a file? Edit a file? Delete a file? Etc.
   Space and/or time limits on access, e.g. a user has so much space on a drive.
   Location limits: certain information can only be accessed from certain locations.
Authentication is the attempt to ensure that the user is who he or she claims to be:
   Username and password
   Biometric devices
   Possessed object
Sniffing Passwords
The problem with the username/password approach to authentication in networks is that the password information must be sent over the network, where it can be read by a sniffer (a computer with its network interface card in promiscuous mode).
The best defense here is to encrypt the communication. The password packet can still be sniffed, but it is unintelligible to the hacker.
Cryptography
One way to secure data, be it in storage or in transit, is encryption.
Encryption converts information in its usual readable form (called plaintext) to information in an encoded, unreadable form (called ciphertext).
PGP (Pretty Good Privacy) program: a good encrypter that works with most email systems.
Encryption
The data is stored or transmitted in binary (numerical) form.
To encrypt data one applies some mathematical operation to it.
The mathematical operation should have an inverse so that one can recover the original data (decrypt the message).
The mathematical operation often has a parameter (known as a key in encryption) which specifies the precise operation within a family of operations.
Caesar Shift Example
The Caesar shift is an early form of encryption.
The mathematical operation is addition.
The key (parameter) is the amount added, e.g. 3.
CAT → FDW (ASCII for C + 3 is ASCII for F)
The inverse operation is subtraction, which uses the same key.
FDW → CAT (ASCII for F - 3 is ASCII for C)
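The Caesar shift from the slide, written out so the "operation with a parameter" idea from the Encryption slide is visible in code. This is an added example, not the lecture's own: caesar_shift, encrypt, decrypt and brute_force are constructed names. It extends the slide in one way: instead of plain ASCII addition it wraps around the alphabet (Z + 3 gives C), so every key from 0 to 25 has a working inverse; with key 3 on CAT the result is the slide's FDW either way. The brute_force function shows why a family of only 26 operations gives no real protection.

```python
"""Caesar shift as on the slide: add the key to each letter, subtract it to
decrypt. Constructed example; wraps around the alphabet so all keys invert."""


def caesar_shift(text: str, key: int) -> str:
    """Apply the addition operation; a negative key is the inverse (subtraction)."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            base = ord("A")
        elif "a" <= ch <= "z":
            base = ord("a")
        else:
            out.append(ch)            # spaces and punctuation pass through unchanged
            continue
        out.append(chr(base + (ord(ch) - base + key) % 26))
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)     # same key, inverse operation


def brute_force(ciphertext: str) -> dict:
    """Every candidate key tried at once: the key space is only 26 operations."""
    return {k: decrypt(ciphertext, k) for k in range(26)}
```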
Public Key Encryption
In some cases, the parameters for the mathematical operation and its inverse are not the same. Then one is said to have two keys.
For purposes of encryption, it is ideal if knowledge of one of the parameters does not (easily) lead to knowledge of the other.
Such a mathematical operation is the basis for public key encryption.
Public Key/Private Key
A user is assigned two keys (a private key and a public key).
The private key should be known only to the user.
The public key is published along with the user’s name.
Someone can send the user a private message by using the user’s public key to encrypt; then the user is the only person (presumably) who can decrypt the message.
Digital signature
Use this process in reverse.
The user encrypts the message with his or her private key.
Anyone with the user’s public key can decrypt it.
BUT since the user’s public key decoded the message, the message must have come from the user.
This does not give privacy but authentication.
Double Key Encryption
To have a private and authenticated transaction, use two keys.
Mary encrypts a message with John’s public key and then does a second encryption using her private key.
The message must be decrypted using Mary’s public key (authenticated: we know it’s from Mary) and further decrypted using John’s private key (private: only John can do this).
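The three preceding slides (public/private key encryption, the digital signature, and Mary and John's double key exchange) carried through with one concrete operation: textbook RSA, where the operation is v → v^k mod n and the two parameters e and d are the two keys. This is an added teaching example, not from the lecture or any cryptographic library: make_keypair, apply_key, the primes 61, 53, 101, 103 and the names JOHN_*/MARY_* are constructed. The moduli are tiny and the message is processed one byte at a time with no padding, which is enough to see the algebra work but is not usable as real cryptography. One detail the slides leave implicit is shown here: for the double encryption to be invertible, the value produced by John's key must still be smaller than Mary's modulus, so John's n is chosen smaller than Mary's.

```python
"""Textbook RSA with tiny primes: encrypt with a public key, sign with a
private key, and the two-key Mary -> John exchange. Constructed teaching
example; the numbers are far too small and there is no padding."""
from math import gcd


def make_keypair(p, q, e):
    """Return (public, private) as (e, n) and (d, n); p and q must be prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(values, key):
    """The one mathematical operation: v -> v^k mod n, for a list of ints < n."""
    k, n = key
    return [pow(v, k, n) for v in values]


def encrypt(message: bytes, public_key):
    """Anyone can do this with the published key."""
    return apply_key(list(message), public_key)


def decrypt(cipher, private_key) -> bytes:
    """Only the holder of the private key can do this."""
    return bytes(apply_key(cipher, private_key))


def sign(message: bytes, private_key):
    """The slide's 'encrypt with the private key'."""
    return apply_key(list(message), private_key)


def verify(message: bytes, signature, public_key) -> bool:
    """If the public key undoes the signature, the private-key holder produced it."""
    return apply_key(signature, public_key) == list(message)


def double_encrypt(message, recipient_public, sender_private):
    """Mary: encrypt with John's public key, then with her own private key."""
    return apply_key(encrypt(message, recipient_public), sender_private)


def double_decrypt(cipher, sender_public, recipient_private):
    """John: Mary's public key undoes her step (authenticates), then his own
    private key recovers the message (privacy)."""
    return decrypt(apply_key(cipher, sender_public), recipient_private)


# Constructed key material. John's modulus is smaller than Mary's so that a
# John-encrypted value (< 3233) is a valid input to Mary's operation (< 10403).
JOHN_PUBLIC, JOHN_PRIVATE = make_keypair(61, 53, 17)      # n = 3233
MARY_PUBLIC, MARY_PRIVATE = make_keypair(101, 103, 7)     # n = 10403
```

Because every byte is transformed independently and deterministically, equal bytes give equal ciphertext values; real systems pad and randomise before applying the operation, and sign a hash of the message rather than the message itself.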
Firewalls
A firewall guards the perimeter of a network; all traffic flows through and is examined by the firewall.
The earliest firewalls performed a packet filtering service.
If sending packets is analogous to sending mail, then having a firewall is analogous to having the mail censored.
Certain packets are not allowed in based on their content or source; certain packets are not allowed in based on their content or destination.
Firewall
A firewall can help centralize part of a network’s security effort.
A firewall can prevent:
   outsiders from probing all computers in an organization;
   flooding the network with unwanted traffic;
   attacking a computer by causing it to crash.
Firewall: Fig. 40.1
Packet filter
Firewall
Working closely with the router, the firewall examines each packet to determine whether or not to forward it.
The filtering may be based on any number of criteria:
   Source or destination IP address: allow only certain addresses or rule out certain addresses
   Direction
   Service type (FTP, SMTP, telnet, etc., identified by port number)
   Time
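A stateless packet filter built on exactly the criteria in the list above (address, direction, service by port number, time of day), with the audit trail the next slide mentions recorded for every decision. This is an added example, not from the lecture or any firewall product: Rule, PacketFilter, the address ranges 10.1.0.0/16, 203.0.113.0/24 and 198.51.100.0/24, and the sample rule set are constructed, and the rule syntax is invented for the example. The first matching rule wins and anything unmatched is denied, which is the conservative default a practitioner would want.

```python
"""Stateless packet filter over the slide's criteria: source/destination
address, direction, service (port), time. Keeps an audit trail of decisions.
Constructed example with made-up rules and packets."""
import ipaddress
from dataclasses import dataclass, field

SERVICE_PORTS = {"ftp": 21, "smtp": 25, "telnet": 23, "http": 80}


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    direction: str = "any"            # "in", "out" or "any"
    src: str = "0.0.0.0/0"            # CIDR; default matches every address
    dst: str = "0.0.0.0/0"
    service: str = "any"              # key into SERVICE_PORTS, or "any"
    hours: tuple = (0, 24)            # [start, end) in hours of the day

    def matches(self, pkt) -> bool:
        if self.direction not in ("any", pkt["direction"]):
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.service != "any" and SERVICE_PORTS[self.service] != pkt["dport"]:
            return False
        return self.hours[0] <= pkt["hour"] < self.hours[1]


@dataclass
class PacketFilter:
    rules: list
    default: str = "deny"             # applied when no rule matches
    log: list = field(default_factory=list)   # the audit trail

    def decide(self, pkt) -> str:
        """First matching rule wins; every decision is logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                self.log.append((pkt, rule.action, rule))
                return rule.action
        self.log.append((pkt, self.default, None))
        return self.default


def packet(direction, src, dst, dport, hour):
    """Constructed packet summary: only the fields the filter looks at."""
    return {"direction": direction, "src": src, "dst": dst,
            "dport": dport, "hour": hour}


INTERNAL = "10.1.0.0/16"              # constructed private network
policy = PacketFilter([
    Rule("deny", src="203.0.113.0/24"),                           # blocked source
    Rule("allow", direction="in", dst="10.1.0.25/32", service="smtp"),
    Rule("allow", direction="in", dst=INTERNAL, service="http"),
    Rule("deny", direction="in", dst=INTERNAL, service="telnet"),
    Rule("allow", direction="out", src=INTERNAL, hours=(8, 18)),  # office hours only
])
```

Rule order matters: the blanket deny for 203.0.113.0/24 sits first so that the later allow for SMTP cannot be reached from that range, and the log entries carry the rule that fired, which is what an analyst needs when asking why a packet was dropped.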
Firewall
A firewall can also maintain an audit trail (log file).
A firewall can be trained to look for virus signatures.
The firewall can scan for tokens or tickets which authenticate users.
A pair of firewalls can agree on an encryption scheme, for instance if two private networks are connected by a public line (a virtual private network).
Tunneling
If one encrypted an entire packet it could not be delivered.
But if one encrypts only the data, then there are all those fields supplying information about the source, destination, etc.
One can encrypt an entire packet and then place it in another packet (encapsulate it).
The destination of this outer packet must then decrypt the original packet and forward it, but by then it has presumably reached a private, secure network.
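The encapsulation step from the slide above, made concrete: the whole inner packet, header fields included, is encrypted and placed as the payload of an outer packet addressed from one gateway to the other, so an intermediate router sees only the gateway addresses; the far gateway decrypts and forwards the original. This is an added example, not from the lecture or any VPN product. Packets are small dicts, the gateway addresses 198.51.100.1 and 203.0.113.1 and the inner addresses are constructed, and the cipher is a keyed SHA-256 keystream with an HMAC tag standing in for the algorithms a real tunnel would negotiate. The tag is what lets the receiving gateway drop a packet that was altered on the public line rather than forward garbage into the private network.

```python
"""Tunneling: encrypt the whole inner packet, wrap it in an outer packet
addressed gateway-to-gateway, decrypt and forward at the far end.
Constructed example; the cipher is a stand-in built from hashlib/hmac."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256(key || nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encapsulate(inner: dict, key: bytes, gw_src: str, gw_dst: str) -> dict:
    """Outer packet: a routable header plus the entire encrypted inner packet."""
    payload = seal(key, json.dumps(inner, sort_keys=True).encode())
    return {"src": gw_src, "dst": gw_dst, "proto": "tunnel", "payload": payload}


def what_a_router_sees(outer: dict) -> dict:
    """Intermediate hops read only the outer header; inner addresses are hidden."""
    return {k: v for k, v in outer.items() if k != "payload"}


def decapsulate(outer: dict, key: bytes) -> dict:
    """Far gateway: recover the original packet so it can be forwarded inside."""
    return json.loads(unseal(key, outer["payload"]))


def forward_or_drop(outer: dict, key: bytes):
    """Gateway behaviour: the inner packet to forward, or None for a bad packet."""
    try:
        return decapsulate(outer, key)
    except ValueError:
        return None
```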
Tunneling
Proxy server
A proxy is somebody who is authorized to stand in for somebody else.
A proxy server stands in for the client on a private network: when the client makes a request of a server outside the network, the request is made of the proxy server, and the proxy server then makes the request of the destination — that is, it stands in for the client.
The reply is then passed from the proxy to the original client.
This way the destination does not learn the address of the true client, only that of the proxy.
Caching too
The proxy server hides the private network’s addresses.
Another benefit of a proxy is that it can cache results for the entire network. Like any host client, it checks its cache before requesting something. But the proxy has made the requests for all of the computers on the network, so one computer's earlier request can satisfy another's.
Proxy server
Other References
http://www.webopedia.com
http://www.whatis.com
Computer Dictionary, Shnier
Microsoft 2000 help