SNMP In Depth - Best IT Documents


SNMP In Depth
SNMP
Simple Network Management Protocol
– The most popular network management protocol
– Hosts, firewalls, routers, switches, UPSs, power strips, ATM cards: ubiquitous
“One of the single biggest security nightmares on networks today”
SNMP Transport Mechanism Flaws
UDP based
– Unreliable: packets may or may not be received
– Easily forged: trivial to forge the source of packets
Management Information Base
MIB -- Management Information Base
– MIBs describe object attributes
– Some MIBs are pre-loaded
– Additional MIBs are needed
» Loaded manually
» Downloaded from the manufacturer’s web site
Standard MIBs
– MIB-I
– MIB-II
– RMON
– RMON 2
– Bridge
– Repeater
MIB Structure
iso (1)
  org (3)
    dod (6)
      internet (1)
        directory (1)
        mgmt (2)
          mib-2 (1)
            system (1)
              sysDescr (1)
              sysObjectID (2)
            interfaces (2)
            snmp (11)
        experimental (3)
        private (4)
          enterprises (1)
            cisco (9)
            hp (11)
            novell (23)
SNMP Basics
[Diagram: the Manager sends Get and Set requests to the Agent on a router, etc.; the Agent retrieves or alters MIB data and returns a Response; the Agent also sends SNMP Traps to the Manager unprompted]

Get request - Reads a value from a specific variable
GetNext request - Traverses information from a table of specific variables
GetBulk request -
Get response - Replies to a get or a set request
Set request - Writes a value into a specific variable
Trap or Notification - A message initiated by the agent without requiring the management station to send a request
SNMP Popular Defaults
Popular defaults
– public
– private
– write
– “all private”
– monitor
– manager
– security
– admin
– lan
– default
– password
– tivoli
– openview
– community
– snmp
– snmpd
– system
– and on and on...
SNMP v1 Information Disclosure
Routing tables
Network topology
Network traffic patterns
Filter rules
SNMP Options
SNMP configuration
Event Configuration
– Customize event notification messages
– Define the type of event notification
– Define automatic actions when an event is received
– Create/modify alarm categories
– Configure additional actions for the operator
– Configure event correlations
SNMP data collection and threshold
SNMP MIB application builder
Load/unload MIB
Network polling configuration
License password
SNMP Tools
Remotely turn on the power of a PC
Web-based access
Terminal Connect - provides the ability to establish a telnet session from a local system in order to manage a remote system
SNMP MIB Browser - provides a functional tool that can be used to explore, query, and set MIB values
DMI Browser
Agent Data Collection
Network data collected using
– SNMPv1; SNMPv2
– IP Protocol
» TCP/IP
» UDP
» ICMP
» ARP/RARP
– IPX
– DMI
» Desktop Management Interface for accessing information about PCs and their components
Auto-discovery
Auto discovery of network objects based on
– IP Protocol
– Routing data on routers (ARP table)
– SNMP data
Auto assignment of symbols to represent objects
Auto arrangement of symbols on the maps and submaps
SNMP Event Generation
SNMP agents continuously watch for certain incidents to occur
When an incident occurs, an event is generated
Events are categorized based on the alarm type
– Alarm types are user definable
Events are displayed with color coded severity
– Severity and color codes are user definable
Event trap configuration
– Pre-defined
– User-defined generic traps
– User-defined specific traps
Event Correlation
Event correlation
– Discovers events that are either the same event and/or related events
– Presents these events as a single main event
– Allows drill-down from the main event to view the related events
Provides four pre-defined correlations:
– Connector Down Correlation
– Scheduled Maintenance Correlation
– Repeated Event Correlation
– Pair Wise Correlation
Additional correlations may be obtained
– From the web page
– From a 3rd party for a fee
– Developed by yourself -- not recommended
Configuration Management
Network Configuration (at selected remote SNMP node)
– List interface properties
– List IP and link addresses
– List routing table
– List ARP cache table
– List the supported services
List the services that the selected remote SNMP nodes are configured to support
List the management systems (by IP address) that are configured to receive traps
Run the Microsoft Windows NT operating system Registry Editor
Performance Management
Network activities
– Status of the interfaces
– Error rate and percentage
– Ethernet traffic
– SNMP authentication failures, traffic, errors
– List of TCP connections
Graph CPU load and disk space usage (HP-UX only)
Graph SNMP data collected with MIB data collector
Graph data based on interface status polling and SNMP node polling
Fault Management
Alarms -- show all alarms of selected nodes
Network Connectivity
– Poll node -- information about selected objects
– Status poll -- status about selected objects
– Capability poll -- check for remote DMI, web-management, and web server capabilities
– Ping
– Remote ping
– Locate route via SNMP
Test IP/TCP/SNMP
Interface Status -- graphic display of number and rate of bad packets
Windows NT Event Viewer
Windows NT Diagnostic tool
SNMPv1 Security Flaws
Transport Mechanism
– Data manipulation
– Denial of Service
– Replay
Authentication
– Host Based
– Community Based
Information Disclosure
SNMP Authentication Flaws
Host Based
– Fails due to UDP transport
– DNS cache poisoning
Community Based
– Cleartext community
– Community name prediction/brute forcing
– Default communities
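The two community-based flaws above (cleartext community, default communities) can be seen directly on the wire. The following is an added example, not code from the deck: a minimal BER reader that decodes an SNMPv1 request datagram, pulls out the community string exactly as it travels (unencrypted), and checks it against the default list from the "SNMP Popular Defaults" slide, the kind of check a network monitor would run on captured UDP/161 traffic. The sample packet is constructed for the example.

```python
# Default community strings from the deck, lower-cased for matching.
DEFAULT_COMMUNITIES = {"public", "private", "write", "all private", "monitor",
                       "manager", "security", "admin", "lan", "default", "password",
                       "tivoli", "openview", "community", "snmp", "snmpd", "system"}
# Request/response PDU tags; Trap (0xA4) has a different layout and is not decoded.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(buf, pos):  # -> (tag, value_bytes, next_pos) for the BER TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes follows
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID bytes to dotted form; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 digits, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(datagram):
    """Extract version, cleartext community, PDU type, request id and OIDs."""
    _, msg, _ = read_tlv(datagram, 0)       # outer SEQUENCE
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)  # OCTET STRING, sent in the clear
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unsupported PDU tag 0x%02x" % pdu_tag)
    _, request_id, pos = read_tlv(pdu, 0)
    pos = read_tlv(pdu, read_tlv(pdu, pos)[2])[2]   # skip error-status, error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):              # SEQUENCE OF { OID, value }
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big"), "oids": oids,
            "community": community.decode("ascii", "replace"),
            "pdu_type": PDU_TYPES[pdu_tag],
            "request_id": int.from_bytes(request_id, "big", signed=True)}

def uses_default_community(parsed):  # True when the wire community is a well-known default
    return parsed["community"].lower() in DEFAULT_COMMUNITIES

# Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GET = bytes.fromhex("3026 020100 04067075626c6963 a019 020101 020100 020100"
                           "300e 300c 06082b06010201010100 0500")
```

A decoded packet whose community hits the default list is worth alerting on: the same string also lets anyone on the path issue Get or Set requests to that agent.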
RMON and RMON2 Security
All of SNMPv1’s flaws
Additional hazards by introducing “action invocation” objects
Collects extensive information on the subnet
Packet captures
SNMP Fixes
Disable it
ACL it
Read-only