Transcript Chapter 8
Slide 1: Network Management Security
CS 678 Network Security, Dept. of Computer Science, Long Island University, Brooklyn, NY
CS 678, P. T. Chung

Slide 2: Outline
- Basic Concepts of SNMP
- SNMPv1 Community Facility
- SNMPv3
- Recommended Reading and Web Sites

Slide 3: Basic Concepts of SNMP
An integrated collection of tools for network monitoring and control:
- Single operator interface
- Minimal amount of separate equipment
- Software and network communications capability built into the existing equipment
SNMP key elements:
- Management station
- Management agent
- Management information base (MIB)
- Network management protocol: Get, Set and Notify

Slide 4: Principle of Operation
[Figure: a manager and several SNMP agents, each agent holding its MIB]

Slide 5: SNMP Structure
[Figure: manager (management application) and agent (MIB) exchange SNMP PDUs over a connectionless transport service provider, UDP]

Slide 6: Protocol Context of SNMP
[Figure]

Slide 7: Proxy Configuration
[Figure]

Slide 8
[Figure]

Slide 9: SNMP v1 and v2
- Trap: an unsolicited message (reporting an alarm condition).
- SNMPv1 is "connectionless" since it uses UDP (rather than TCP) as the transport layer protocol.
- SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.

Slide 10: SNMP Protocol
[Figure: manager and agent protocol stacks, SNMP messages over UDP over IP over the link layer; the agent holds the MIB]

Slide 11: Overview of PDUs
[Figure: get, getNext and set go from manager to agent and are each answered by a response; trap goes from agent to manager]

Slide 12: Get
The get PDU requests the value of one or more variables from the agent's MIB; the agent answers with a response.
Possible errors:
- noSuchName: object does not exist / object is not a leaf
- tooBig: result does not fit in the response PDU
- genErr: all other causes

Slide 13: Example MIB
[Figure: MIB subtree 1 with address (1), info (2) and route-table (3)]
- 1.1 address: 130.89.16.2
- 1.2 info: name (1) = printer-1, uptime (2) = 123456
- 1.3 route-table: route-entry (1) with columns dest (1), policy (2), next (3)
Route-table rows (dest, policy, next) as drawn in the figure: (2, 1, 2), (3, 1, 3), (5, 1, 2), (5, 2, 3), (7, 1, 2), (8, 1, 3), (9, 1, 2). The get examples below address a row by dest and policy, e.g. 1.3.1.3.5.1 is the next value of the row with dest 5 and policy 1.

Slide 14: Get Examples
get(1.1.0)
  response(1.1.0 => 130.89.16.2)
get(1.2.0)
  response(error-status = noSuchName)
get(1.1)
  response(error-status = noSuchName)
get(1.1.0; 1.2.2.0)
  response(1.1.0 => 130.89.16.2; 1.2.2.0 => 123456)
get(1.3.1.3.5.1)
  response(1.3.1.3.5.1 => 2)
get(1.3.1.1.5.1)
  response(1.3.1.1.5.1 => 5)
get(1.3.1.1.5.1; 1.3.1.2.5.1; 1.3.1.3.5.1)
  response(1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2)

Slide 15: Message and PDU Structure
Variable bindings: NAME 1 / VALUE 1, NAME 2 / VALUE 2, ..., NAME n / VALUE n
SNMP PDU: PDU TYPE | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
SNMP message: VERSION | COMMUNITY | SNMP PDU

Slide 16: Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU | SNMPv2 PDU | Direction | Description
GetRequest | GetRequest | Manager to agent | Request value for each listed object
GetNextRequest | GetNextRequest | Manager to agent | Request next value for each listed object
(none) | GetBulkRequest | Manager to agent | Request multiple values
SetRequest | SetRequest | Manager to agent | Set value for each listed object
(none) | InformRequest | Manager to manager | Transmit unsolicited information
GetResponse | Response | Agent to manager, or manager to manager (SNMPv2) | Respond to manager request
Trap | SNMPv2-Trap | Agent to manager | Transmit unsolicited information

Slide 17: SNMPv1 Community Facility
SNMP community: the relationship between an SNMP agent and SNMP managers.
Three aspects of agent control:
- Authentication service
- Access policy
- Proxy service

Slide 18: SNMPv1 Administrative Concepts
[Figure]

Slide 19: SNMPv2 Protocol Operations
[Figure: get, getNext, getBulk and set go from manager to agent and are each answered by a response; trap goes from agent to manager; inform goes from manager to manager (the receiving manager plays the "agent" role) and is answered by a response]

Slide 20: getBulk
[Figure: manager sends get-bulk to agent, agent answers with a response]
getBulk is a new command in SNMPv2 to retrieve a large number of varbinds in one exchange; it improves performance.
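Added example, not from the slides: a small Python model of the slide 13 MIB with get, getNext and getBulk as just described. It reproduces the slide 14 answers (including the noSuchName cases) and the getBulk walk; the instance layout (scalars at .0, route rows indexed by dest.policy) is an assumption drawn from the slide examples.

```python
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def oid(s: str) -> OID:
    return tuple(int(x) for x in s.split("."))

def oid_str(o: OID) -> str:
    return ".".join(map(str, o))

# Constructed instance table for the slide-13 MIB. Scalars get instance .0;
# route-table columns 1.3.1.{1,2,3} (dest, policy, next) are indexed by dest.policy.
ROUTE_ROWS = [(2, 1, 2), (3, 1, 3), (5, 1, 2), (5, 2, 3), (7, 1, 2), (8, 1, 3), (9, 1, 2)]
MIB: Dict[OID, object] = {oid("1.1.0"): "130.89.16.2",
                          oid("1.2.1.0"): "printer-1", oid("1.2.2.0"): 123456}
for dest, policy, nxt in ROUTE_ROWS:
    for col, val in ((1, dest), (2, policy), (3, nxt)):
        MIB[(1, 3, 1, col, dest, policy)] = val
ORDER: List[OID] = sorted(MIB)   # lexicographic order that getNext/getBulk walk

def get(*names: str) -> Dict[str, object]:
    """SNMPv1 get: every name must be an existing leaf instance, otherwise the whole
    request fails with noSuchName (1.2.0 is no object, 1.1 is not an instance)."""
    for n in names:
        if oid(n) not in MIB:
            return {"error-status": "noSuchName"}
    return {n: MIB[oid(n)] for n in names}

def get_next(name: str) -> Optional[Tuple[OID, object]]:
    """First instance lexicographically greater than name; None at end of MIB."""
    start = oid(name)
    for o in ORDER:
        if o > start:
            return o, MIB[o]
    return None

def get_bulk(max_repetitions: int, *names: str) -> List[Tuple[str, object]]:
    """SNMPv2 getBulk with non-repeaters = 0: max_repetitions rounds of getNext,
    each round advancing every requested column once (row-major output)."""
    cursors, out = list(names), []
    for _ in range(max_repetitions):
        for i, cur in enumerate(cursors):
            nxt = get_next(cur)
            if nxt is None:          # endOfMibView: this column is exhausted
                continue
            cursors[i] = oid_str(nxt[0])
            out.append((cursors[i], nxt[1]))
    return out

if __name__ == "__main__":
    print(get("1.1.0"), get("1.2.0"), get("1.1"))
    print(get_bulk(4, "1.1"))
    print(get_bulk(3, "1.3.1.1", "1.3.1.2", "1.3.1.3"))
```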
Slide 21: GetBulk Performance
[Chart; source: Steve Waldbusser, Carnegie-Mellon University. Figures based on the original (party-based) SNMPv2. Values read from the bars: no security v1 210 / v2 3300; with authentication v1 195 / v2 2910; with encryption v1 110 / v2 1600]

Slide 22: Get-Bulk Example
getBulk(max-repetitions = 4; 1.1)
  response(1.1.0 => 130.89.16.2; 1.2.1.0 => printer-1; 1.2.2.0 => 123456; 1.3.1.1.2.1 => 2)

Slide 23: Get-Bulk Example
getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3)
  response(1.3.1.1.2.1 => 2; 1.3.1.2.2.1 => 1; 1.3.1.3.2.1 => 2;
           1.3.1.1.3.1 => 3; 1.3.1.2.3.1 => 1; 1.3.1.3.3.1 => 3;
           1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2)

Slide 24: SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2.

Slide 25: SNMPv3 Design Decisions
- Address the need for secure SET support
- Define an architecture that allows for longevity of SNMP
- Allow different portions of the architecture to move at different speeds towards standard status

Slide 26: SNMPv3 Design Decisions (continued)
- Allow for future extensions
- Keep SNMP as simple as possible
- Allow for minimal implementations
- Also support the more complex features which are required in large networks
- Re-use existing specifications whenever possible

Slide 27: SNMPv3 Flow
[Figure]

Slide 28: SNMPv3 Architecture
[Figure: an SNMP entity consists of SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other) and an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem)]

Slide 29: Traditional SNMP Manager
[Figure]

Slide 30: Traditional SNMP Agent
[Figure]

Slide 31: SNMPv3 Message Structure
- msgVersion: used by the message processing subsystem
- msgID, msgMaxSize, msgFlags, msgSecurityModel: used by the SNMPv3 processing module
- msgSecurityParameters: used by the security subsystem
- contextEngineID, contextName, PDU: used by the access control subsystem and applications
Slide 32: SNMPv3 Message Format with USM
[Figure]

Slide 33: User Security Model (USM)
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure
Not intended to secure against:
- Denial of service (DoS attack)
- Traffic analysis

Slide 34: Key Localization Process
[Figure]

Slide 35: View-Based Access Control Model (VACM)
VACM has two characteristics:
- It determines whether access to a managed object should be allowed.
- It makes use of a MIB that defines the access control policy for this agent and makes remote configuration possible.

Slide 36: Access Control Decision
[Figure]

Slide 37: Secure Communication versus Access Control
[Figure: manager and agent; access control sits between the agent's application processes and its MIB, while secure communication covers the GET / GET-NEXT / GETBULK / SET / TRAP / INFORM exchange over the transport service]

Slide 38: USM: Security Threats
Threat | Addressed? | Mechanism
Replay | yes | time stamp
Masquerade | yes | MD5 / SHA-1
Integrity | yes | MD5 / SHA-1
Disclosure | yes | DES
Denial of service | yes | (no mechanism listed)
Traffic analysis | yes | (no mechanism listed)

Slide 39: USM Message Structure
- msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel
- msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime: replay
- msgUserName: masquerade / integrity / disclosure
- msgAuthenticationParameters: masquerade / integrity
- msgPrivacyParameters: disclosure
- contextEngineID, contextName, PDU

Slide 40: Idea behind Replay Protection
[Figure: the non-authoritative engine keeps a local notion of the remote clock (ID, boots, time) and sends these values with the data; the authoritative engine compares the received time plus the allowed lifetime against its local clock (LOCAL CLOCK >?) before accepting the data]

Slide 41: Idea behind Data Integrity and Authentication
[Figure: key and data go into a hash function that yields a MAC; add the message authentication code (MAC) to the data and send the result]

Slide 42: Idea behind Authentication
[Figure: the sender computes the MAC from the key and the data and transmits data plus MAC; the receiving user recomputes the hash over the received data with its copy of the key and checks MAC =? received MAC]
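Added example, not part of the slides: the USM mechanisms of slides 34 and 39 to 42 in Python. It derives a localized key from a password and engine ID as RFC 3414 specifies (the password and engine ID are the RFC's own test-vector values), computes the HMAC-96 authentication parameter over a message with the auth field zeroed, and applies the replay window on the authoritative side. The wire layout of the message and the 150-second window are assumptions for the demo; real messages are BER-encoded.

```python
import hashlib
import hmac

AUTH_LEN = 12        # HMAC-96: msgAuthenticationParameters carries the first 12 MAC bytes
TIME_WINDOW = 150    # seconds of engineTime skew the authoritative engine tolerates

def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 password-to-key followed by key localization (slide 34):
    Ku = H(password repeated to 1 MiB), Kul = H(Ku || engineID || Ku)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def wire_message(fields: dict, auth_params: bytes) -> bytes:
    """Constructed, simplified wire form (a real message is BER-encoded); the field
    order follows slide 39: engineID, engineBoots, engineTime, userName, authParams, PDU."""
    parts = [fields["engine_id"], fields["engine_boots"].to_bytes(4, "big"),
             fields["engine_time"].to_bytes(4, "big"), fields["user"], auth_params, fields["pdu"]]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def compute_mac(fields: dict, kul: bytes, algo: str = "md5") -> bytes:
    """Slides 41-42: keyed hash over the whole message with the auth field zeroed."""
    zeroed = wire_message(fields, b"\x00" * AUTH_LEN)
    return hmac.new(kul, zeroed, algo).digest()[:AUTH_LEN]

def receive(fields: dict, mac: bytes, kul: bytes, local_engine_id: bytes,
            local_boots: int, local_time: int, algo: str = "md5") -> str:
    """Authoritative engine: verify the MAC first, then the replay window (slide 40)."""
    if not hmac.compare_digest(compute_mac(fields, kul, algo), mac):
        return "authenticationFailure"
    if (fields["engine_id"] != local_engine_id or fields["engine_boots"] != local_boots
            or abs(fields["engine_time"] - local_time) > TIME_WINDOW):
        return "notInTimeWindow"
    return "ok"

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # engine ID of the RFC 3414 A.3 vectors
KUL = password_to_key(b"maplesyrup", ENGINE_ID)         # password of the RFC 3414 A.3 vectors
SAMPLE = {"engine_id": ENGINE_ID, "engine_boots": 3, "engine_time": 1000,
          "user": b"admin", "pdu": b"get 1.1.0"}        # constructed message fields

def demo() -> list:
    mac = compute_mac(SAMPLE, KUL)
    out = [receive(SAMPLE, mac, KUL, ENGINE_ID, 3, 1100)]            # fresh message: ok
    out.append(receive(SAMPLE, mac, KUL, ENGINE_ID, 3, 1200))        # same message 200 s later
    out.append(receive(dict(SAMPLE, pdu=b"set 1.1.0"), mac, KUL, ENGINE_ID, 3, 1100))  # modified
    return out

if __name__ == "__main__":
    print(KUL.hex(), demo())
```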
Slide 43: Idea behind Data Confidentiality (DES)
[Figure: DES key and data go into the DES algorithm, which yields the encrypted data]

Slide 44: Idea behind Encryption
[Figure: the sending user encrypts the data with the DES key and sends the encrypted data; the receiving user applies the DES algorithm with the same DES key to recover the data]

Slide 45: View-Based Access Control Model
[Figure: access control table and MIB views]

Slide 46: Access Control Tables
MIB view | Allowed operations | Allowed managers | Required level of security
Interface Table | SET | John | Authentication, Encryption
Interface Table | GET / GETNEXT | John, Paul | Authentication
Systems Group | GET / GETNEXT | George | None
... | ... | ... | ...

Slide 47: MIB Views
[Figure]

Slide 48: SNMPv3 RFCs
[Figure: the slide 28 architecture labelled with RFC numbers]
- SNMP entity: RFC 2571
- SNMP applications: RFC 2573
- SNMP engine, dispatcher and message processing subsystem: RFC 2572
- Security subsystem (USM): RFC 2574
- Access control subsystem (VACM): RFC 2575

Slide 49: Recommended Reading and Web Sites
- Subramanian, Mani. Network Management. Addison-Wesley, 2000.
- Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999.
- IETF SNMPv3 working group (Web sites)
- SNMPv3 Web sites
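Added example, not from the slides: the slide 46 access control table turned into a VACM-style decision function (slides 35, 36 and 45) in Python. The rows are the slide's, the MIB views are assumed to be the MIB-II system group and ifTable, and a fourth, constructed row ("Ringo") shows the RFC 3415 view mask that limits a view to one table row; the three security levels map to the slide's None / Authentication / Authentication, Encryption.

```python
from typing import Dict, List, Set, Tuple

OID = Tuple[int, ...]
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}   # USM levels, weakest first

# Constructed MIB views as RFC 3415 view families: (subtree, mask). A mask bit of 1 means
# the sub-identifier must match, 0 is a wildcard; missing mask bits count as 1.
VIEWS: Dict[str, List[Tuple[OID, Tuple[int, ...]]]] = {
    "Systems Group":    [((1, 3, 6, 1, 2, 1, 1), ())],            # MIB-II system group
    "Interface Table":  [((1, 3, 6, 1, 2, 1, 2, 2), ())],         # MIB-II ifTable
    "Interface 2 only": [((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2),      # any ifEntry column ...
                          (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1))],    # ... but only ifIndex 2
}

# Rows of the slide 46 access control table, plus one constructed row using the masked view.
ACCESS: List[Tuple[str, Set[str], Set[str], str]] = [
    ("Interface Table", {"SET"}, {"John"}, "authPriv"),
    ("Interface Table", {"GET", "GETNEXT"}, {"John", "Paul"}, "authNoPriv"),
    ("Systems Group", {"GET", "GETNEXT"}, {"George"}, "noAuthNoPriv"),
    ("Interface 2 only", {"GET", "GETNEXT"}, {"Ringo"}, "authNoPriv"),
]

def in_view(view: str, oid: OID) -> bool:
    """True if oid lies under one of the view's families, honouring the mask."""
    for subtree, mask in VIEWS[view]:
        mask = mask + (1,) * (len(subtree) - len(mask))
        if len(oid) >= len(subtree) and all(
                not m or o == s for o, s, m in zip(oid, subtree, mask)):
            return True
    return False

def decide(manager: str, level: str, op: str, oid: OID) -> str:
    """Slide 36 decision: a row must name the manager and the operation, the message's
    security level must reach the row's requirement, and the object must lie in the view."""
    verdict = "noAccessEntry"
    for view, ops, managers, required in ACCESS:
        if manager not in managers or op not in ops:
            continue
        if LEVELS[level] < LEVELS[required]:
            verdict = "authorizationError"      # right row, message not secured enough
        elif in_view(view, oid):
            return "accessAllowed"
        else:
            verdict = "notInView"
    return verdict

IF_DESCR_1 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1)   # ifDescr.1
IF_DESCR_2 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2)   # ifDescr.2
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)          # sysDescr.0

if __name__ == "__main__":
    print(decide("John", "authPriv", "SET", IF_DESCR_1), decide("John", "authNoPriv", "SET", IF_DESCR_1))
    print(decide("Ringo", "authNoPriv", "GET", IF_DESCR_2), decide("Ringo", "authNoPriv", "GET", IF_DESCR_1))
```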