Network Security Essentials 2/e

Download Report

Transcript Network Security Essentials 2/e

CSCE 815 Network Security
Lecture 18
SNMP
Simple Network Management Protocol
March 25, 2003
SNMP GOALS
UBIQUITY

PCs AND CRAYs
INCLUSION OF MANAGEMENT SHOULD BE
INEXPENSIVE


SMALL CODE
LIMITED FUNCTIONALITY
MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE

NEW MIBs
MANAGEMENT SHOULD BE ROBUST

CONNECTIONLESS TRANSPORT
Resource/reference for next few slides

http://www.simpleweb.org/tutorials/slides-ppt.html
Copyright © 2001 by Aiko Pras
–2–
These sheets may be used for
educational purposes
CSCE 815 Sp 03
SNMP
MANAGER
GET / SET
TRAP
AGENTS
MIB
–3–
CSCE 815 Sp 03
Protocol context of SNMP
–4–
CSCE 815 Sp 03
SNMP Proxies
Note all are capable of implementing SNMP(UDP,IP)
e.g., bridges, modems etc.
Concept of a proxy was added to accommodate such
devices.
SNMPv2 added the capability of running on the OSI as
well as the TCP/IP protocol suite
–5–
CSCE 815 Sp 03
Proxy Configuration
–6–
CSCE 815 Sp 03
SNMPv2
The strength of SNMPv1 was simplicity implying it was
easy to implement and configure.
However, deficiencies arose:
1. Lack of support for distributed network management
2. Functional deficiencies
3. Security deficiencies
The first two were addressed by SNMPv2 and the latter
by SNMPv3.
–7–
CSCE 815 Sp 03
–8–
CSCE 815 Sp 03
MIB II - Objects
Described in RFC 1213
http://www.freesoft.org/CIE/RFC/1213/
Groups of Objects


Physical addresses, system, interfaces, … , the IP group, …
E.g., the IP Group contains: ipRouteMask, ipRouteInfo,
ipRoutingDiscards …
Definitions


PhysAddress ::= OCTET STRING
This data type is used to model media addresses. For many - types of media, this will be in a binary representation. -- For
example, an ethernet address would be represented as -- a
string of 6 octets.
Object Identifiers (OIDs) – unique integer name of
object
–9–
CSCE 815 Sp 03
SNMPv3
SNMPv3 defines a security capability to be used in
conjunction with SNMPv2 preferably or possibly v1
– 10 –
CSCE 815 Sp 03
SNMPv3 Architecture
SNMPv3 architecture (RFC 2571) consists of a
distributed collection of SNMP entities
communicating together
Each SNMP entity may act as manager, agent, or
combination
SNMP Engine - Implements functions for:
1.
2.
3.
– 11 –
sending and receiving messages
Authenticating and encrypting/decrypting messages
Controlling access to managed objects
CSCE 815 Sp 03
SNMP Engine Modules
Modular nature means that upgrades to individual
modules can be made without redoing the
architecture
Modules:
1. Dispatcher -
2. Message Processing Subsystem
3. Security Subsystem
4. Access Control Subsystem
– 12 –
CSCE 815 Sp 03
SNMP Manager
COMMAND
GENERATOR
PDU
DISPATCHER
MESSAGE
DISPATCHER
NOTIFICATION
RECEIVER
MESSAGE PROCESSING
SUBSYSTEM
SECURITY SUBSYSTEM
SNMPv1
COMMUNITY BASED
SECURITY MODEL
SNMPv2C
USER BASED
SECURITY MODEL
SNMPv3
TRANSPORT
MAPPINGS
– 13 –
OTHER
OTHER
SECURITY MODEL
CSCE 815 Sp 03
SNMP Agent
MANAGEMENT INFORMATION BASE
ACCESS CONTROL SUBSYSTEM
COMMAND
RESPONDER
PDU
DISPATCHER
MESSAGE
DISPATCHER
VIEW BASED
ACCESS CONTROL
NOTIFICATION
ORIGINATOR
MESSAGE PROCESSING
SUBSYSTEM
SECURITY SUBSYSTEM
SNMPv1
COMMUNITY BASED
SECURITY MODEL
SNMPv2C
USER BASED
SECURITY MODEL
SNMPv3
TRANSPORT
MAPPINGS
– 14 –
OTHER
OTHER
SECURITY MODEL
CSCE 815 Sp 03
SNMP Engine Modules: Dispatcher
Dispatcher is a simple traffic manager
On incoming messages



It accepts incoming messages from the transport layer
Routes each message to the appropriate message
processing module
When the message processing completes the Dispatcher
sends the PDU to the appropriate application
On outgoing messages
1.
2.
3.
– 15 –
It accepts PDUs from Application layer
Sends to Message processing subsystem
Sends to Transport layer
CSCE 815 Sp 03
SNMP Engine Modules: Dispatcher
Dispatcher Submodules



– 16 –
PDU Dispatcher – sends/accepts Protocol Data Units
(PDUs) to/from SNMP applications
Message Dispatcher – transmits to/from message
processing subsystem
Transport Mapping – sends/receives transport layer
packets
CSCE 815 Sp 03
Message Processing Module
Accepts outgoing PDUs from dispatcher



Passes message to the security subsytem
Wraps the result with the appropriate header
Sends back to the dispatcher
On incoming PDUs
1.
2.
3.
4.
– 17 –
Accepts messages from the dispatcher
Processes the headers
Possibly sending to Security Subsystem for
authenitication and decryption and
Returns the enclosed PDU to the dispatcher
CSCE 815 Sp 03
Security and Access Control Modules
Security modules


User-based Security Model (USM)
Other security models allowed for but not yet.
Access Control Modules


– 18 –
View-based access control model (VACM)
Others allowed
CSCE 815 Sp 03
SNMPv3 Terminology Table 8.2
snmpEngineId – unique ID to engine (Octet string)
contextEngineId – unique ID to SNMP entity
contextName – identifies particular context within
SNMP Engine
scopedPDU – block including: contextEngineId,
contextName and an SNMP PDU
snmpMessageProcessingModel – unique identifier
snmpSecurityModel – integer indicating whether
authentication and/or encryption are required
principal – the entity for “Whom the Bell Tolls”
securityName – string representation of the principal
– 19 –
CSCE 815 Sp 03
SNMPv3 Applications
Command generator applications




Makes use of sendPdu primitive
Dispatcher  Message Processing  Security subsytem
Finally  UDP
and later the processResponse dispatcher primitive handles the
response
Notification originator/receiver applications

Operates similiarly sending a notification
Command Responder applications use primitives




RegisterContextEngineID – here is my ID (unregister also)
processPDU
returnRespnsePDU
isAccessAllowed (Access Control Subsystem primitive)
Proxy forwarder application
– 20 –
CSCE 815 Sp 03
Message Processsing Model
RFC 2572 defines the message processing model
The model on outgoing messages
1.
2.
3.
Accepts PDUs from the dispatcher
Encapsulates them in messages
Invokes the user Security Model (USM) to insert security
related parameters in the headers
On incoming
1.
2.
Invokes the user Security Model (USM) process the
security related parameters in the header
Delivers encapsulated PDU back to dispatcher
SNMP message first five fields
– 21 –
CSCE 815 Sp 03
SNMP3 Message Format with USM
– 22 –
CSCE 815 Sp 03
User Security Model (USM)
RFC 2574
Designed to secure against:




Modification of information
Masquerade
Message stream modification: messages reordered, delayed
Disclosure
Not intended to secure against:


– 23 –
Denial of Service (DoS attack)
Traffic analysis
CSCE 815 Sp 03
Cryptographic Functions
Privacy Key and Authentication Keys
Keys maintained for
1.
2.
Local users any principal at this SNMP engine
Remote users
USM authentication protocols
1.
2.
HMAC-MD-5-96
HMAC-SHA-96
USM encryption uses CBC of DES
– 24 –
CSCE 815 Sp 03
Authoritative and Nonauthoritative Engines
In any message one of the transmitter/receiver SNMP
entities is designated as the Authoriatative SNMP
engine
 When a message expects a response the receiver of
such messages is aithoritative
 When no response is expected the sender is
authoritative
This serves two purposes
1. Timeliness of message determined wrt clock of
authoritative engine
2. Key localization process
– 25 –
CSCE 815 Sp 03
USM Message Processing
Parameters

Figure 8.9 on earlier slide
USM Message Processing Figure 8.10
– 26 –
CSCE 815 Sp 03
USM Timeliness Mechanisms
Non authoritative engine maintains copies of



snmpEngineBoots = number of times rebooted since
originally configured 0 to 231
snmpEngineTime
latestReceived EngineTime
USM update conditions
USM update rule
Message judged to be outside window …
– 27 –
CSCE 815 Sp 03
Key Localization Process
– 28 –
CSCE 815 Sp 03
View-Based Access Control Model
(VACM)
VACM has two characteristics:


Determines wheter access to a managed object should be
allowed.
Make use of an MIB that:
 Defines the access control policy for this agent.
 Makes it possible for remote configuration to be used.
– 29 –
CSCE 815 Sp 03
Access control decision
– 30 –
CSCE 815 Sp 03
Recommended Reading and WEB
Sites
Subramanian, Mani. Network Management. AddisonWesley, 2000
Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and
2. Addison-Wesley, 1999
IETF SNMPv3 working group (Web sites)
http://www.ietf.org/html.charters/snmpv3-charter.html
SNMPv3 Web sites
http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php
– 31 –
CSCE 815 Sp 03
Intruders
Three classes of intruders (hackers or crackers):



– 32 –
Masquerader
Misfeasor
Clandestine user
CSCE 815 Sp 03
Intrusion Techniques
System maintain a file that associates a password with
each authorized user.
Password file can be protected with:


– 33 –
One-way encryption
Access Control
CSCE 815 Sp 03
Intrusion Techniques
Techniques for guessing passwords:
•
•
•
•
•
•
•
•
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary(60,000).
Collect information about the user’s hobbies, family names,
birthday, etc.
Try user’s phone number, social security number, street
address, etc.
Try all license plate numbers (MUP103).
Use a Trojan horse
Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
– 34 –
CSCE 815 Sp 03
UNIX Password Scheme
Loading a new password
– 35 –
CSCE 815 Sp 03
UNIX Password Scheme
Verifying a password file
– 36 –
CSCE 815 Sp 03
Storing UNIX Passwords
UNIX passwords were kept in in a publicly readable file,
etc/passwords.
Now they are kept in a “shadow” directory and only
visible by “root”.
– 37 –
CSCE 815 Sp 03
”Salt”
The salt serves three purposes:



– 38 –
Prevents duplicate passwords.
Effectively increases the length of the password.
Prevents the use of hardware implementations of DES
CSCE 815 Sp 03
Password Selecting Strategies
User ducation
Computer-generated passwords
Reactive password checking
Proactive password checking
– 39 –
CSCE 815 Sp 03