EE579T-Class 9B - Electrical & Computer Engineering
Download
Report
Transcript EE579T-Class 9B - Electrical & Computer Engineering
EE579T
Network Security
9: An Overview of SNMP
Prof. Richard A. Stanley
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #1
Overview of Tonight’s Class
• Review last week’s lesson
• Security in the news
• SNMP
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #2
Summary
• TCP/IP was not intended as a secure
protocol; as a result, it has vulnerabilities
that can be exploited
• There are many ways to get access to info
• There are many types of attacks that can be
mounted over network connections in order
to gain unauthorized access to resources
• Never forget, the best access is hands-on
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #3
Top Ten Security Concerns
1- Security infrastructure
2- Security policies/user compliance
3- Intrusion-detection systems
4- Operating system security
5- Virus management
6- Employee education
7- Remote security
8- Authentication/Access control
9- E-commerce security
10- Encryption
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #4
Crypto Security--Again
• Bugtraq reports 1024-bit RSA encryption
should be “considered compromised”
• Estimates factoring can be done for <$1B
• What uses a key stronger than 1024 bits?
• So, are SSL, S/MIME, all toast?
• What about risk management?
– Is what you have worth $1B to someone?
– If so, do they have the $1B to spend on it?
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #5
SNMP Outline
•
•
•
•
Basic Concepts of SNMP
SNMPv1 Community Facility
SNMPv2
SNMPv3
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #6
Why SNMP?
• To provide a simple means of managing
objects across a network
– These objects need not be network elements
– The objects need not support SNMP (although
it makes things easier if they do!)
– “Management” can be tailored to mean what
we need it to mean
• First introduced in 1988
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #7
Basic Concepts of SNMP
• An integrated collection of tools for network
monitoring and control.
– Single operator interface
– Minimal amount of separate equipment. Software and
network communications capability built into the
existing equipment
• SNMP key elements:
–
–
–
–
Management station (physical device)
Management agent (software implementation)
Management information base (collection of objects)
Network Management protocol
• Get, Set and Trap
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #8
SNMP MIB
• Management Information Base = MIB
– Database held at the managed client
– Scalar variables
– 2D tables
• Uses streamlined protocol to:
– Allow manager to Get and Set MIB variables
– Enable agent to issue unsolicited notifications
• These are called traps
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #9
SNMP Characteristics
• Runs over UDP/IP or TCP/IP, depending on
version
• Uses
– Port 161 (for messages)
– Port 162 (for traps)
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #10
SNMP Protocol
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #11
SNMP Commands
• Get
– Query a MIB for information
• Set
– Set values in a MIB
• Trap
– Send condition information
– Asynchronous
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #12
SNMP Proxies
• SNMPv1 supports UDP over IP
– Period!
• There are lots of clients out there that need
to be managed that don’t speak UDP
• Proxies bridge the gap
– Provide translation of client management
language to SNMP
– Interfaces to SNMP for the client
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #13
Proxy Configuration
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #14
SNMPv2
• Allows use of TCP/IP, and others
• Provides additional management features
– Distributed network management
• Single-server hierarchical networks get overloaded
– Functional enhancements
• GetBulk – retrieve block of data at once
• Inform – intra-management station communications
of events and/or conditions
• Removes atomicity from the Get command
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #15
SNMP v1 and v2
• SNMPv2 intended deal with deficiencies of
SNMPv1
– Introduced first in 1993
• SNMPv1 is “connectionless”
– Just like HTTP
– Why?
• Utilizes UDP as the transport layer protocol.
• SNMPv2 allows use of TCP for “reliable,
connection-oriented” service
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #16
SNMPv2 Distributed Management
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #17
SNMPv1 vs. SNMPv2
SNMPv1
SNMPv2
Direction
Description
GetRequest
GetRequest
Manager to agent
Request value for
each listed object
GetRequest
GetRequest
Manager to agent
Request next value
for each listed object
------
GetBulkRequest
Manager to agent
Request multiple
values
SetRequest
SetRequest
Manager to agent
Set value for each
listed object
------
InformRequest
Manager to manager
Transmit unsolicited
information
GetResponse
Response
Agent to manager or
Manage to
manager(SNMPv2)
Respond to manager
request
Trap
SNMPv2-Trap
Agent to manager
Transmit unsolicited
information
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #18
SNMPv1 Community Facility
• SNMP Community – Relationship between
an SNMP agent and SNMP managers
– Think of a network domain as an analog
• Three aspects of agent control:
– Authentication service
– Access policy
– Proxy service
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #19
SNMPv1 Administrative
Concepts
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #20
Access Policy
• SNMP MIB View
– Subset of objects within the MIB
– May be on different MIB sub-trees
• SNMP Access Mode
– Element of the set of MIB objects
– Defined for each community
• These two together are the SNMP
Community Profile
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #21
What About Proxied Clients?
• Supported within community concept
• Proxy is an SNMP agent that acts on behalf
of other (foreign) devices
– For each device supported, SNMP proxy
maintains an access policy
– Therefore, proxy knows which MIB objects can
be used to manage the proxied system, and their
access mode
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #22
Where is the Security?
• SNMPv1 has no inherent security
– Messages can be spoofed, altered, or deleted
– Does this have a potential for evil?
• SNMPv2 doesn’t have any, either
– It actually makes things worse by introducing
the distributed management concept
• What to do?
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #23
Enter SNMPv3
• Framework for incorporating security into
SNMPv1 or SNMPv2
– Introduced 1998
• Not a standalone replacement for either v1
or v2 !!
– Adds security
– Requires underlying SNMP system
• Not yet completely standardized
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #24
SNMPv3 Architecture
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #25
Traditional SNMP Manager
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #26
Traditional SNMP Agent
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #27
SNMPv3 Message Flow
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #28
SNMP3 Message Format with
USM
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #29
User Security Model (USM)
• Designed to secure against:
–
–
–
–
Modification of information (integrity)
Masquerade (authentication)
Message stream modification (stream integrity)
Disclosure (confidentiality)
• Not intended to secure against:
– Denial of Service (DoS attack)
– Traffic analysis
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #30
In Theory…
• DoS attacks may look like network failure
(imagine that!)
• DoS should be dealt with by an overall
network security capability, not one
embedded in a protocol
• Traffic analysis no problem, as management
traffic highly predictable anyway
• What do you think?
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #31
USM Encryption
• Authentication (using authKey)
– HMAC-MD5-96
– HMAC-SHA1-96
• Encryption (using privKey)
– DES CBC
– Uses first 64 bits of the 16-octet privKey
– Last 64 bits used as IV to DES CBC
• Key values not accessible from SNMP
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #32
Authoritative Engine
• SNMP messages with payloads that expect
a response (Get…, Set, Inform)
– Receiver of message is authoritative
• SNMP messages with payload that does not
expect response (Trap, Response, Report)
– Sender is authoritative
• So what?
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #33
Key Localization
• Allows single user to own keys stored in
multiple engines
– Key localized to each authoritative engine using
hash functions
– Avoids problem of a single key being stored in
many places
• Greatly slows brute force attack
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #34
Key Localization Process
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #35
Timeliness
• Determined by a clock kept at the authoritative
engine
– When authoritative engine sends a message, it includes
the current clock value
• Nonauthoritative agent synchronizes on clock value
– When nonauthoritative engine sends a message, it
includes the estimated destination clock value
• These procedures allow assessing message
timeliness
• Why do we care?
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #36
View-Based Access Control
Model (VACM)
• VACM has two characteristics:
– Determines whether access to a managed object
should be allowed.
– Make use of an MIB that:
• Defines the access control policy for this agent.
• Makes it possible for remote configuration to be
used.
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #37
Access Control Logic in VACM
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #38
SNMPv3 Security
• SNMPv3 solves SNMP security problems, right?
– NOT!
• Decent security implementation, but reality is:
– SNMPv1 still holds ~95% of the market
– Even SNMPv2 not widely deployed
– Upgrading to SNMPv3 is difficult and costly (sort of
like moving from Win95 to WinXP all at once)
– There is the issue of proxies and foreign clients
• SNMPv3 is the clear long-term choice
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #39
Recent SNMP Security Events
• CERT Advisory 12 Feb 02, Revised
26 Mar 02, warns about potential for
– unauthorized privileged access (which allows,
inter alia, enumeration of SNMP agents)
– denial of service attacks
– unstable behavior
• Vulnerabilities in both messages and traps
• Vulnerabilities are in SNMPv1!
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #40
This is Not New News!
• After this class, are you surprised?
• These vulnerabilities have been in SNMP
since Day One
• Only now, with an increased emphasis on
security, are they getting the attention they
deserve
• Officially, the vulnerabilities have not been
exploited. Unofficially, they have.
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #41
Summary
• SNMP is widely-used for managing clients
distributed across a network
• SNMPv1 is simple, effective, and provides
the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either
version, not a standalone replacement
• SNMP security is a major issue!
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #42
Homework
• Read Stallings, Chapters 8 & 10
• Do Problems 8.2, 8.4, 8.8
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/9 #43