Network Management
In the Name of the Most High
Network Management Security
Behzad Akbari
Fall 2009
Outline
Basic Concepts of SNMP
Network Management Architecture
SNMPv1 Community Facility
SNMPv3
Recommended Reading and WEB Sites
Basic Concepts of SNMP
As networks grow larger
they become more indispensable to the organization
more things can go wrong, disabling the network to an
unacceptable level
A large network is too complex to be managed by
human effort alone and requires automated network
management tools, such as the Simple Network
Management Protocol (SNMP)
Network Management Architecture
A network management system is an integrated
collection of tools for network monitoring and
control.
Single operator interface
Minimal amount of separate equipment. Software and
network communications capability built into the
existing equipment
Active elements of the network provide regular
feedback of status information to the network
control center.
SNMP Architecture
SNMP key elements:
Management station - often a stand-alone device, which
serves as the human interface
Management agent - responds to requests for
information from the management station
Management information base (MIB) -collection of
access points at the agent for the station
Network Management protocol -links station and
agents and includes:
Get- retrieve value of objects at agent
Set - set value of objects at agent
Notify - notifies station of significant events
Network Management Protocol
Architecture
1988 SNMP - became dominant
Most vendors of routers, workstations, PCs,
etc. offer SNMP agent packages, that allow
their products to be managed by an SNMP
management station
SNMP -easily implemented, uses minimal
processor and network resources
Network Management Protocol
Architecture
SNMP designed to be an application level
protocol that is part of TCP/IP
intended to operate over the User Datagram
Protocol (UDP)
each agent must implement SNMP, UDP, and IP
Protocol Context of SNMP
3 Types of messages are issued:
GetRequest
GetNextRequest
SetRequest
All are acknowledged by GetResponse
An agent may issue a trap message in
response to an event
Protocol Context of SNMP
SNMP relies on UDP which is connectionless,
and SNMP is also connectionless.
No connections are maintained between a
management station and an agent.
Proxies
Proxies were developed for devices that do not
support UDP or implement SNMP.
An SNMP agent acts as a proxy for one or more
other devices.
The management station sends queries to the proxy
agent, which converts them to the management
protocol used by the device.
When the proxy agent receives a reply, it passes it to the
management station.
Proxy Configuration
SNMP v1 and v2
Trap – an unsolicited message (reporting an
alarm condition)
SNMPv1 is "connectionless" since it utilizes
UDP (rather than TCP) as the transport layer
protocol.
SNMPv2 allows the use of TCP for "reliable,
connection-oriented" service.
Any device that does not run SNMPv2 must
be managed by proxy.
SNMPv2
Strength of SNMP is its simplicity.
SNMP provides a basic set of tools that is easy
to implement and configure.
Deficiencies –become apparent in large
networks:
Lack of support for distributed network management
Functional deficiencies
Security deficiencies (addressed in SNMPv3)
Distributed Network Management
One host has the function of a management station;
two or three others may have a back-up role.
Remaining devices contain agent software and MIB
to allow monitoring control from management
station.
MIB- Management Information Base, a database of
objects that can be monitored by a network
management system.
As network grows in size this is unmanageable and
a decentralized management scheme works best.
Decentralized (Distributed)
Network Management
Multiple top-level management stations or
management servers
Each server manages a pool of agents or
delegates the management to an intermediate
manager
Intermediate manager monitors and controls its
agents
Spreads the processing burden and reduces total
network traffic
SNMPv2
SNMPv2 supports either a centralized strategy or a
distributed one.
Some systems operate both in the role of manager
and of agent
Some commands require the agent to act as a
proxy for remote devices: the proxy assumes the
role of manager to access information at the remote
device, then as an agent passes the information to
a superior manager.
Functional Enhancements
SNMPv1 – 5 commands (GetRequest,
GetNextRequest, SetRequest, GetResponse,
Trap) issued as protocol data units (PDU)
SNMPv2 – all 5 commands from v1, plus two new
ones
Inform command, sent from one management station to
another
GetBulk – allows manager to retrieve large block of data
at once
Get is atomic in SNMPv1, but not in SNMPv2: a v2 Get
may return partial results
Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU      | SNMPv2 PDU      | Direction                                       | Description
GetRequest      | GetRequest      | Manager to agent                                | Request value for each listed object
GetNextRequest  | GetNextRequest  | Manager to agent                                | Request next value for each listed object
------          | GetBulkRequest  | Manager to agent                                | Request multiple values
SetRequest      | SetRequest      | Manager to agent                                | Set value for each listed object
------          | InformRequest   | Manager to manager                              | Transmit unsolicited information
GetResponse     | Response        | Agent to manager, or manager to manager (SNMPv2) | Respond to manager request
Trap            | SNMPv2-Trap     | Agent to manager                                | Transmit unsolicited information
SNMPv1 Community Facility
SNMP Community – Relationship between an
SNMP agent and SNMP managers-defined
locally at agent.
Three aspects of agent control:
Authentication service - agent may limit access to the
MIB to authorized managers
Access policy - agent may give different access
privileges to different managers
Proxy service – agent may act as a proxy to other
agents
All of these raise security concerns
SNMPv1 Administrative Concepts
SNMPv3
SNMPv3 defines a security capability to be used
in conjunction with SNMPv1 or v2
SNMPv3
SNMPv3 is not a stand-alone replacement for
versions 1 and 2
SNMPv3 defines a security capability to be used
with SNMPv2 (preferred) or SNMPv1
Describes an architecture for current and future
versions of SNMP
Like SNMPv2 with security and administrative
capabilities.
SNMPv3 Architecture
Modular architecture
Allows implementation over a wide range of
operational environments
Makes it possible to move portions of the
architecture forward in the standards track even if
consensus is not reached on all pieces
Accommodates alternate security modes
SNMP Entity
Each SNMP entity includes a single SNMP
engine
Engine implements functions for sending and
receiving messages, authenticating, encrypting
and decrypting messages and controlling
access to managed objects.
Both the engine and the applications are
collections of discrete modules.
SNMP Entity
This architecture provides advantages:
Role of an entity is determined by which modules are
implemented in the entity
Modular structure lends itself to defining different
versions of each module
makes it possible to define alternative or enhanced
capabilities
clearly specifies coexistence and transition strategies
Traditional SNMP manager
Manager interacts with agents by issuing
commands(get, set) and by receiving trap
messages.
Manager may also interact with other
managers by issuing Inform Request
PDU’s, which provide alerts, and by
receiving Inform Response PDU’s, which
acknowledge Inform Request.
Traditional SNMP manager
Includes three categories of applications:
Command Generator Applications – monitor and
manipulate management data at remote agents
(using SNMPv1 or SNMPv2)
Notification Originator Application- originates
asynchronous messages (using InformRequest)
Notification Receiver Application-processes
incoming asynchronous messages
Traditional SNMP Manager
SNMP engine performs two functions:
Accepts outgoing PDUs from SNMP applications,
performs necessary processing, including inserting
authentication codes and encrypting, and
encapsulates for transmission
Accepts incoming SNMP messages from the
transport layer, performs necessary processing,
including inserting authentication codes and
encrypting, extracts PDUs and passes these on to
SNMP applications
SNMP Engine
Contains
A Dispatcher – simple traffic manager- accepts PDUs,
determines the type of processing and passes it to
Message processor; for incoming messages from transport
layer, routes it to application
A Message Processing Subsystem – wraps PDUs in
message and returns to the Dispatcher
A Security Subsystem – performs authentication and
encryption
Traditional SNMP Agent
Contains 3 types of applications:
Command Responder- provides access to
management data
Notification Originator- initiates asynchronous
messages
Proxy Forwarder- forwards messages between
applications
SNMPv3 Flow
SNMP3 Message Format with USM
User Security Model (USM)
Designed to secure against:
Modification of information
Masquerade
Message stream modification
Disclosure
Not intended to secure against:
Denial of Service (DoS attack)
Traffic analysis
Key Localization Process
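An added example, written for this page rather than taken from the slides: the RFC 3414 password-to-key and key-localization steps that USM performs, followed by HMAC-96 authentication, which is how USM detects modification of information and masquerade. The message bytes and the second engine ID are constructed stand-ins; the "maplesyrup" values are the RFC 3414 test vector.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2 feeds exactly this many password bytes to the hash

def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated cyclically to 1 MiB (slows offline guessing)."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Every agent gets a different key, so a key
    recovered from one compromised agent is useless against any other agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of the HMAC over the whole message,
    computed with the 12-byte parameter field zeroed (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]

def verify(kul: bytes, whole_msg: bytes, tag: bytes, algo: str) -> bool:
    """Receiver side: recompute over the zeroed message and compare in constant time.
    A modified message, or a sender who does not hold Kul, fails here."""
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), tag)

if __name__ == "__main__":
    # RFC 3414 A.3.1 vector: password "maplesyrup", engineID 00 00 00 00 00 00 00 00 00 00 00 02
    pw, engine_a = b"maplesyrup", bytes.fromhex("000000000000000000000002")
    engine_b = bytes.fromhex("000000000000000000000003")  # constructed: a second agent
    ku = password_to_key(pw, "md5")
    kul_a, kul_b = localize_key(ku, engine_a, "md5"), localize_key(ku, engine_b, "md5")
    print("Ku :", ku.hex())
    print("Kul:", kul_a.hex(), "- differs per engine:", kul_a != kul_b)
    # Constructed stand-in for an SNMPv3 message with the auth parameter field zeroed.
    msg = b"SNMPv3|msgGlobalData|usm|ops|" + b"\x00" * 12 + b"|scopedPDU:get sysDescr.0"
    tag = auth_params(kul_a, msg, "md5")
    tampered = msg.replace(b"sysDescr", b"sysNames")  # same length, one field altered
    print("genuine verifies :", verify(kul_a, msg, tag, "md5"))
    print("tampered verifies:", verify(kul_a, tampered, tag, "md5"))
```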
View-Based Access Control Model
(VACM)
VACM has two characteristics:
Determines whether access to a managed object
should be allowed.
Makes use of a MIB that:
Defines the access control policy for this agent.
Makes it possible for remote configuration to be used.
Access control decision
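An added example, not from the slides, of the VACM access-control decision (RFC 3415) that the v3 agent makes in place of the v1 community access policy: security-to-group lookup, access-table selection by security level, and view-subtree matching with a family mask. The group, view and user names and the tables themselves are constructed sample data.

```python
from dataclasses import dataclass
OID = tuple[int, ...]
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

@dataclass(frozen=True)
class ViewFamily:
    subtree: OID
    mask: tuple[int, ...]  # 1 = sub-identifier must match, 0 = wildcard; a short mask extends with 1s
    included: bool

    def matches(self, oid: OID) -> bool:
        return len(oid) >= len(self.subtree) and all(
            not (self.mask[i] if i < len(self.mask) else 1) or oid[i] == sub
            for i, sub in enumerate(self.subtree))

def oid_in_view(view: list[ViewFamily], oid: OID) -> bool:
    # Longest matching subtree wins; ties go to the lexicographically greater subtree (RFC 3415 3.5).
    hits = [f for f in view if f.matches(oid)]
    return bool(hits) and max(hits, key=lambda f: (len(f.subtree), f.subtree)).included

def is_access_allowed(tables, model, name, level, context, view_type, oid) -> str:
    """VACM status for one request: accessAllowed, or the reason it was refused."""
    group = tables["groups"].get((model, name))  # vacmSecurityToGroupTable
    if group is None:
        return "noGroupName"
    entries = [e for e in tables["access"]  # vacmAccessTable, exact context match
               if e["group"] == group and e["context"] == context
               and e["model"] in (model, "any") and LEVELS[level] >= LEVELS[e["min_level"]]]
    if not entries:
        return "noAccessEntry"
    # Prefer an entry for this security model over "any", then the highest minimum level.
    entry = max(entries, key=lambda e: (e["model"] != "any", LEVELS[e["min_level"]]))
    view_name = entry[view_type]  # the group's read / write / notify view
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(tables["views"][view_name], oid) else "notInView"
# Constructed sample tables: operators may read the system group and one ifTable row;
# administrators get everything under internet (1.3.6.1) except the USM user table.
IF_ROW2_MASK = (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)  # wildcard the ifEntry column, pin row 2
TABLES = {
    "groups": {("usm", "ops"): "monitor", ("usm", "admin"): "administrators"},
    "access": [{"group": "monitor", "context": "", "model": "usm", "min_level": "authNoPriv",
                "read": "rowTwo", "write": "", "notify": ""},
               {"group": "administrators", "context": "", "model": "usm", "min_level": "authPriv",
                "read": "full", "write": "full", "notify": "full"}],
    "views": {"rowTwo": [ViewFamily((1, 3, 6, 1, 2, 1, 1), (), True),
                         ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2), IF_ROW2_MASK, True)],
              "full": [ViewFamily((1, 3, 6, 1), (), True),
                       ViewFamily((1, 3, 6, 1, 6, 3, 15), (), False)]},  # snmpUsmMIB excluded
}
```

Calling is_access_allowed(TABLES, "usm", "ops", "authNoPriv", "", "read", (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 2)) allows ifInOctets of interface 2 while the same column for interface 1 returns notInView.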
Recommended Reading and WEB Sites
Subramanian, Mani. Network Management.
Addison-Wesley, 2000
Stallings, W. SNMP, SNMPv1, SNMPv3 and
RMON 1 and 2. Addison-Wesley, 1999
IETF SNMPv3 working group (Web sites)
SNMPv3 Web sites