Transcript Chapter 8

Network Management Security
CS 678 Network Security, Dept. of Computer Science, Long Island University, Brooklyn, NY
CS 678 P. T. Chung
Outline
• Basic Concepts of SNMP
• SNMPv1 Community Facility
• SNMPv3
• Recommended Reading and WEB Sites
Basic Concepts of SNMP
• An integrated collection of tools for network monitoring and control.
  • Single operator interface
  • Minimal amount of separate equipment. Software and network communications capability built into the existing equipment
• SNMP key elements:
  • Management station
  • Management agent
  • Management information base
  • Network Management protocol
    • Get, Set and Notify
PRINCIPLE OPERATION
[Diagram: a MANAGER exchanges SNMP messages with one or more AGENTS; each agent holds a MIB.]
SNMP STRUCTURE
[Diagram: the MANAGER runs the Management Application, the AGENT holds the MIB; the two exchange SNMP PDUs over a CONNECTIONLESS TRANSPORT SERVICE PROVIDER (UDP).]
Protocol context of SNMP
[Figure: protocol context of SNMP]

Proxy Configuration
[Figure: proxy configuration]
SNMP v1 and v2
• Trap – an unsolicited message (reporting an alarm condition)
• SNMPv1 is "connectionless" since it utilizes UDP (rather than TCP) as the transport layer protocol.
• SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.
SNMP PROTOCOL
[Diagram: MANAGER and AGENT each run SNMP MESSAGES over UDP over IP over LINK; the agent side holds the MIB.]
OVERVIEW OF PDUs
[Diagram: get, getNext and set are sent from manager to agent; the agent consults its MIB and returns a response. A trap is sent unsolicited from agent to manager.]
get
[Diagram: the manager sends get to the agent; the agent reads its MIB and returns a response.]
• TO REQUEST THE VALUE OF 1 OR MORE VARIABLES
• POSSIBLE ERRORS:
  • noSuchName: Object does not exist / Object is not a leaf
  • tooBig: Result does not fit in response PDU
  • genErr: All other causes
EXAMPLE MIB
1
  address (1)         = 130.89.16.2
  info (2)
    name (1)          = printer-1
    uptime (2)        = 123456
  route-table (3)
    route-entry (1): columns dest(1) policy(2) next(3)

route-table rows (instance index = dest.policy, as used in the GET examples that follow):
  dest  policy  next
   2      1      2
   3      1      3
   5      1      2
   5      2      3
   7      1      2
   8      1      3
   9      1      2
GET EXAMPLES
get(1.1.0)
response(1.1.0 => 130.89.16.2)

get(1.2.0)
response(error-status = noSuchName)

get(1.1)
response(error-status = noSuchName)

get(1.1.0; 1.2.2.0)
response(1.1.0 => 130.89.16.2; 1.2.2.0 => 123456)

get(1.3.1.3.5.1)
response(1.3.1.3.5.1 => 2)

get(1.3.1.1.5.1)
response(1.3.1.1.5.1 => 5)

get(1.3.1.1.5.1, 1.3.1.2.5.1, 1.3.1.3.5.1)
response(1.3.1.1.5.1 => 5, 1.3.1.2.5.1 => 1, 1.3.1.3.5.1 => 2)
MESSAGE & PDU STRUCTURE
SNMP message:       VERSION | COMMUNITY | SNMP PDU
SNMP PDU:           PDU TYPE | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
variable bindings:  NAME 1 VALUE 1 | NAME 2 VALUE 2 | ... | NAME n VALUE n
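The message layout above, as an added example that is not part of the slides: a minimal ASN.1 BER encoder for an SNMPv1 GetRequest. SNMP messages are BER-encoded; the tag values and version number 0 for SNMPv1 are standard, while the helper names and the sample community string are this example's own. The decoder at the end pulls the community string straight out of the raw bytes, which is what the SNMPv1 community "authentication service" amounts to on the wire: a cleartext token readable by anyone who captures the datagram. That gap is what the SNMPv3 USM material later in the chapter closes.

```python
"""Minimal ASN.1 BER encoding of an SNMPv1 GetRequest message.

Added example, not from the lecture slides. Field order follows the slide:
message = VERSION, COMMUNITY, PDU; PDU = PDU TYPE, REQUEST ID, ERROR STATUS,
ERROR INDEX, VARIABLE BINDINGS. Tags are the standard BER/SNMP ones; the
helper names and the sample community string are this example's own.
"""
from typing import List, Tuple

VERSION_V1 = 0          # SNMPv1 carries version value 0
GET_REQUEST = 0xA0      # context-specific constructed tag [0] = GetRequest-PDU


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, shortest encoding."""
    n = (v.bit_length() + 8) // 8          # one extra bit for the sign
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_octet_string(s: bytes) -> bytes:
    return tlv(0x04, s)


def encode_null() -> bytes:
    return tlv(0x05, b"")


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs share a byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def encode_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def encode_get_request(community: bytes, request_id: int, oids: List[str]) -> bytes:
    """SNMPv1 message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = encode_sequence(
        *(encode_sequence(encode_oid(o), encode_null()) for o in oids))
    pdu = tlv(GET_REQUEST,
              encode_integer(request_id)      # REQUEST ID
              + encode_integer(0)             # ERROR STATUS (noError in a request)
              + encode_integer(0)             # ERROR INDEX
              + varbinds)                     # VARIABLE BINDINGS
    return encode_sequence(encode_integer(VERSION_V1),
                           encode_octet_string(community),
                           pdu)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def community_from_message(msg: bytes) -> bytes:
    """Read the community string straight out of a captured v1 message.
    No key is involved: this is all the 'authentication' SNMPv1 offers."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(body, 0)
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return community


if __name__ == "__main__":
    # constructed sample: read sysName.0 with the well-known default community
    msg = encode_get_request(b"public", 1, ["1.3.6.1.2.1.1.5.0"])
    print(msg.hex())
    print(community_from_message(msg))
```

For the sample request the whole message is 40 bytes, and the community string occupies 8 of them as a plain OCTET STRING, which is why a network sensor can flag default or shared community strings in SNMPv1/v2c traffic simply by parsing the second element of the outer SEQUENCE.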
Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU       SNMPv2 PDU       Direction                                        Description
GetRequest       GetRequest       Manager to agent                                 Request value for each listed object
GetNextRequest   GetNextRequest   Manager to agent                                 Request next value for each listed object
------           GetBulkRequest   Manager to agent                                 Request multiple values
SetRequest       SetRequest       Manager to agent                                 Set value for each listed object
------           InformRequest    Manager to manager                               Transmit unsolicited information
GetResponse      Response         Agent to manager or manager to manager (SNMPv2)  Respond to manager request
Trap             SNMPv2-Trap      Agent to manager                                 Transmit unsolicited information
SNMPv1 Community Facility
• SNMP Community – Relationship between an SNMP agent and SNMP managers.
• Three aspects of agent control:
  • Authentication service
  • Access policy
  • Proxy service

SNMPv1 Administrative Concepts
[Figure: SNMPv1 administrative concepts]
SNMPv2 PROTOCOL OPERATIONS
[Diagram: get, getNext, set and getBulk are sent from manager to agent and answered from the agent's MIB with a response; trap is sent from agent to manager; inform is sent from one manager to another manager acting as the "agent" and is answered with a response.]
getBulk
[Diagram: GET-BULK from manager to agent; the agent reads its MIB and returns a response.]
• NEW COMMAND getBulk IN SNMPv2
• TO RETRIEVE A LARGE NUMBER OF VARBINDS
• IMPROVES PERFORMANCE!
GETBULK PERFORMANCE
[Chart: v1 versus v2 under NO SECURITY, WITH AUTHENTICATION and WITH ENCRYPTION; values shown: 3300, 2910, 1600, 210, 195, 110]
Source: Steve Waldbusser, Carnegie-Mellon University
Figures based on original (party based) SNMPv2
GET-BULK EXAMPLE
getBulk(max-repetitions = 4; 1.1)
response(1.1.0 => 130.89.16.2
         1.2.1.0 => printer-1
         1.2.2.0 => 123456
         1.3.1.1.2.1 => 2 )

GET-BULK EXAMPLE
getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3)
response(1.3.1.1.2.1 => 2; 1.3.1.2.2.1 => 1; 1.3.1.3.2.1 => 2
         1.3.1.1.3.1 => 3; 1.3.1.2.3.1 => 1; 1.3.1.3.3.1 => 3
         1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2)
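The GET EXAMPLES and the two GET-BULK EXAMPLES above, reproduced by a toy agent as an added example that is not part of the slides. It loads the EXAMPLE MIB instances (scalars end in .0; route-entry columns are indexed by the dest.policy pair the examples use) and implements the three retrieval operations the chapter describes: get fails with noSuchName when a name is not an existing leaf instance, getNext returns the lexicographically following instance, and getBulk runs max-repetitions rounds of getNext over each requested column, a round at a time, so a table comes back row by row. The noSuchName rule and the ordering semantics are those of SNMPv1/v2; function names are this example's own.

```python
"""A toy SNMP agent over the slides' EXAMPLE MIB: get, getNext and getBulk.

Added example, not from the lecture slides. Instance OIDs and values are
those of the EXAMPLE MIB slide (scalars end in .0; route-entry columns are
indexed by dest.policy, the index the GET examples use). The noSuchName
rule and the lexicographic-order semantics of getNext/getBulk follow
SNMPv1/SNMPv2; function names are this example's own.
"""
from typing import Dict, List, Optional, Tuple, Union

OID = Tuple[int, ...]
Value = Union[str, int]


def oid(dotted: str) -> OID:
    return tuple(int(x) for x in dotted.split("."))


def oid_str(o: OID) -> str:
    return ".".join(map(str, o))


# route-table rows from the slide: (dest, policy, next)
ROUTE_ROWS = [(2, 1, 2), (3, 1, 3), (5, 1, 2), (5, 2, 3), (7, 1, 2), (8, 1, 3), (9, 1, 2)]

MIB: Dict[OID, Value] = {
    oid("1.1.0"): "130.89.16.2",   # address
    oid("1.2.1.0"): "printer-1",   # info.name
    oid("1.2.2.0"): 123456,        # info.uptime
}
for _dest, _policy, _next in ROUTE_ROWS:
    # route-table(3).route-entry(1).<column>.<dest>.<policy>
    for _col, _val in ((1, _dest), (2, _policy), (3, _next)):
        MIB[oid(f"1.3.1.{_col}.{_dest}.{_policy}")] = _val

WALK_ORDER: List[OID] = sorted(MIB)   # lexicographic order of instances


def get(*names: str):
    """GetRequest: each name must be an existing leaf instance, else noSuchName
    with error-index pointing at the first offending variable binding."""
    bindings = []
    for index, name in enumerate(names, start=1):
        o = oid(name)
        if o not in MIB:            # object does not exist, or is not a leaf
            return {"error-status": "noSuchName", "error-index": index}
        bindings.append((name, MIB[o]))
    return bindings


def get_next(name: str) -> Optional[Tuple[str, Value]]:
    """GetNextRequest: first instance lexicographically after name (None = end of MIB)."""
    o = oid(name)
    for candidate in WALK_ORDER:
        if candidate > o:
            return oid_str(candidate), MIB[candidate]
    return None


def get_bulk(max_repetitions: int, *names: str, non_repeaters: int = 0):
    """GetBulkRequest: one getNext for each non-repeater, then up to
    max_repetitions rounds of getNext over the remaining names, a round at a
    time so table columns come back row by row."""
    bindings = []
    for name in names[:non_repeaters]:
        nxt = get_next(name)
        if nxt is not None:
            bindings.append(nxt)
    cursors: List[Optional[str]] = list(names[non_repeaters:])
    for _ in range(max_repetitions):
        for i, cur in enumerate(cursors):
            if cur is None:
                continue
            nxt = get_next(cur)
            if nxt is None:
                cursors[i] = None   # this column has run off the end of the MIB
                continue
            bindings.append(nxt)
            cursors[i] = nxt[0]
        if all(c is None for c in cursors):
            break
    return bindings


if __name__ == "__main__":
    print(get("1.1.0"))
    print(get("1.2.0"))
    print(get_bulk(4, "1.1"))
    print(get_bulk(3, "1.3.1.1", "1.3.1.2", "1.3.1.3"))
```

Note how getBulk on the three route-entry columns returns the bindings in exactly the order the slide shows (2.1 row, then 3.1, then 5.1): the agent advances every column by one step per round, and the lexicographic order of the dest.policy index decides which row each round lands on.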
SNMPv3
• SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2
SNMP v3 DESIGN DECISIONS
• ADDRESS THE NEED FOR SECURE SET SUPPORT
• DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP
• ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

SNMP v3 DESIGN DECISIONS
• ALLOW FOR FUTURE EXTENSIONS
• KEEP SNMP AS SIMPLE AS POSSIBLE
• ALLOW FOR MINIMAL IMPLEMENTATIONS
• SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS
• RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE
SNMPv3 Flow
[Figure: SNMPv3 flow]
SNMPv3 ARCHITECTURE
[Diagram: an SNMP ENTITY consists of
  SNMP APPLICATIONS: COMMAND GENERATOR, COMMAND RESPONDER, NOTIFICATION ORIGINATOR, NOTIFICATION RECEIVER, PROXY FORWARDER, OTHER
  SNMP ENGINE: DISPATCHER, MESSAGE PROCESSING SUBSYSTEM, SECURITY SUBSYSTEM, ACCESS CONTROL SUBSYSTEM]

Traditional SNMP Manager
[Figure: traditional SNMP manager]

Traditional SNMP Agent
[Figure: traditional SNMP agent]
SNMPv3 MESSAGE STRUCTURE
msgVersion                           USED BY MESSAGE PROCESSING SUBSYSTEM
msgID, msgMaxSize, msgFlags,
msgSecurityModel                     USED BY SNMPv3 PROCESSING MODULE
msgSecurityParameters                USED BY SECURITY SUBSYSTEM
contextEngineID, contextName, PDU    USED BY ACCESS CONTROL SUBSYSTEM AND APPLICATIONS

SNMPv3 Message Format with USM
[Figure: SNMPv3 message format with USM]
User Security Model (USM)
• Designed to secure against:
  • Modification of information
  • Masquerade
  • Message stream modification
  • Disclosure
• Not intended to secure against:
  • Denial of Service (DoS attack)
  • Traffic analysis

Key Localization Process
[Figure: key localization process]
View-Based Access Control Model (VACM)
• VACM has two characteristics:
  • Determines whether access to a managed object should be allowed.
  • Makes use of a MIB that:
    • Defines the access control policy for this agent.
    • Makes it possible for remote configuration to be used.

Access control decision
[Figure: access control decision]
SECURE COMMUNICATION VERSUS ACCESS CONTROL
[Diagram: two MANAGERs and an AGENT with its MIB. SECURE COMMUNICATION protects the GET / GET-NEXT / GETBULK / SET / TRAP / INFORM exchanges carried over the TRANSPORT SERVICE between the APPLICATION PROCESSES; ACCESS CONTROL is applied inside the agent, in front of the MIB.]
USM: SECURITY THREATS
THREAT              ADDRESSED?   MECHANISM
REPLAY              YES          TIME STAMP
MASQUERADE          YES          MD5 / SHA-1
INTEGRITY           YES          (MD5 / SHA-1)
DISCLOSURE          YES          DES
DENIAL OF SERVICE   YES
TRAFFIC ANALYSIS    YES
USM MESSAGE STRUCTURE
msgVersion
msgID
msgMaxSize
msgFlags
msgSecurityModel
msgAuthoritativeEngineID      }
msgAuthoritativeEngineBoots   } REPLAY
msgAuthoritativeEngineTime    }
msgUserName                     MASQUERADE/INTEGRITY/DISCLOSURE
msgAuthenticationParameters     MASQUERADE/INTEGRITY
msgPrivacyParameters            DISCLOSURE
contextEngineID
contextName
PDU
IDEA BEHIND REPLAY PROTECTION
[Diagram: the Nonauthoritative Engine keeps a LOCAL NOTION OF the REMOTE CLOCK and stamps each message with ID, BOOTS and TIME ahead of the DATA. The Authoritative Engine checks the received ID, BOOTS and TIME against its own LOCAL CLOCK and accepts the message only if the stamp plus the ALLOWED LIFETIME is still ahead of the local clock (LOCAL CLOCK >? ID BOOTS TIME + ALLOWED LIFETIME).]
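The time-window check sketched above, as an added example that is not part of the slides. The authoritative engine owns the clock (snmpEngineBoots counts restarts, snmpEngineTime counts seconds since the last restart); the non-authoritative engine keeps its local notion of that clock, only ever moving it forward, and stamps outgoing messages with it. The 150-second allowed lifetime and the 2^31-1 boots ceiling are the RFC 3414 values; the class and method names and the sample engine ID are this example's own. Note what the window does and does not give you: a datagram captured and re-sent within 150 seconds still passes this check, so it is the authentication MAC on the following slides that prevents an attacker from forging stamps, and the window only bounds how long a capture stays useful.

```python
"""Replay-protection time window of the SNMPv3 User-based Security Model.

Added example, not from the lecture slides. It models the check the slide
sketches: the authoritative engine compares the (engineID, boots, time)
carried in a received message against its own clock and accepts the
message only if it falls inside the allowed lifetime. The 150-second
lifetime and the snmpEngineBoots/snmpEngineTime semantics follow RFC 3414;
the class and method names and the sample engine ID are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

ALLOWED_LIFETIME = 150      # seconds, RFC 3414 section 3.2 step 7
MAX_BOOTS = 2**31 - 1       # once boots reaches this value nothing is in the window


@dataclass
class AuthoritativeEngine:
    engine_id: bytes
    boots: int               # snmpEngineBoots: incremented on every restart
    booted_at: float         # wall-clock seconds at which this incarnation started

    def engine_time(self, now: float) -> int:
        """snmpEngineTime: seconds since the last (re)boot."""
        return int(now - self.booted_at)

    def in_time_window(self, msg_engine_id: bytes, msg_boots: int,
                       msg_time: int, now: float) -> bool:
        """Authoritative-side check on a received (already authenticated) message."""
        if msg_engine_id != self.engine_id:
            return False                         # unknownEngineID
        if self.boots == MAX_BOOTS:
            return False                         # engine must be reset / re-keyed
        if msg_boots != self.boots:
            return False                         # stale or future boot count
        return abs(msg_time - self.engine_time(now)) <= ALLOWED_LIFETIME


@dataclass
class NonAuthoritativeEngine:
    # local notion of each remote clock: engineID -> (boots, time, when learned)
    clocks: Dict[bytes, Tuple[int, int, float]] = field(default_factory=dict)

    def update_notion(self, engine_id: bytes, boots: int, time_: int, now: float) -> None:
        """Learn a remote clock from an authenticated message; never move it backwards,
        otherwise an old captured message could drag the notion into the past."""
        current = self.clocks.get(engine_id)
        if current is None:
            self.clocks[engine_id] = (boots, time_, now)
            return
        cur_boots, cur_time, learned_at = current
        cur_time_now = cur_time + int(now - learned_at)
        if boots > cur_boots or (boots == cur_boots and time_ > cur_time_now):
            self.clocks[engine_id] = (boots, time_, now)

    def stamp(self, engine_id: bytes, now: float) -> Tuple[int, int]:
        """Values to place in msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime."""
        boots, time_, learned_at = self.clocks[engine_id]
        return boots, time_ + int(now - learned_at)


if __name__ == "__main__":
    # constructed scenario: agent booted 3 times, manager learns its clock at t=1500
    agent = AuthoritativeEngine(engine_id=b"\x80\x00\x00\x00\x01", boots=3, booted_at=1000.0)
    manager = NonAuthoritativeEngine()
    manager.update_notion(agent.engine_id, 3, agent.engine_time(1500.0), 1500.0)
    boots, t = manager.stamp(agent.engine_id, 1600.0)
    print("fresh:", agent.in_time_window(agent.engine_id, boots, t, 1600.0))
    print("replayed 200 s later:", agent.in_time_window(agent.engine_id, boots, t, 1800.0))
```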
IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION
[Diagram: KEY and DATA go into a HASH FUNCTION, producing a MAC.]
ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATA AND SEND THE RESULT

IDEA BEHIND AUTHENTICATION
[Diagram: the sending USER computes MAC = HASH FUNCTION(KEY, DATA) and sends MAC + DATA; the receiving USER recomputes the MAC from the received DATA with the same KEY and compares it (=?) with the received MAC.]
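The keyed-hash idea of the two slides above, and the Key Localization Process slide earlier in the chapter, as an added example that is not part of the slides. The slides give the idea; the concrete algorithm implemented here is RFC 3414's: the user's password is expanded to 1 MiB and hashed (Ku), localized with the authoritative engine's snmpEngineID (Kul = H(Ku || engineID || Ku)), and the MAC is HMAC-MD5 or HMAC-SHA over the whole message, truncated to 12 bytes and written into msgAuthenticationParameters, which is zero-filled while the MAC is computed. Localization is the security point of the earlier slide: a manager holding one password gets a different key for every agent, so the key recovered from one compromised agent is useless against the others. Function names and the sample message bytes are this example's own; the password "maplesyrup" and the engine ID are the RFC 3414 appendix test values.

```python
"""USM authentication: password-to-key, key localization and HMAC-96.

Added example, not from the lecture slides. The slide shows the idea (a
MAC computed over the data with a shared key, recomputed by the receiver
and compared). The concrete algorithm implemented here is the RFC 3414
one: the password is expanded to 1 MiB and hashed (Ku), localized with
the authoritative snmpEngineID (Kul), and HMAC-MD5 or HMAC-SHA over the
whole message is truncated to 12 bytes and stored in
msgAuthenticationParameters, which is zero-filled while the MAC is
computed. Function names and the sample message are this example's own.
"""
import hashlib
import hmac

MAC_LEN = 12                 # HMAC-MD5-96 / HMAC-SHA-96: 96-bit tag
EXPANSION = 1048576          # 1 MiB of repeated password, RFC 3414 A.2


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated to 1,048,576 bytes)."""
    reps, rem = divmod(EXPANSION, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one key per authoritative engine,
    so compromising one agent does not reveal the key used with another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def _mac(kul: bytes, wire: bytes, algo: str) -> bytes:
    return hmac.new(kul, wire, algo).digest()[:MAC_LEN]


def _zero_auth_field(wire: bytes, offset: int) -> bytes:
    return wire[:offset] + bytes(MAC_LEN) + wire[offset + MAC_LEN:]


def sign(kul: bytes, wire: bytes, offset: int, algo: str) -> bytes:
    """Sender: compute the MAC over the message with the 12-byte
    msgAuthenticationParameters field (at `offset`) zeroed, then fill it in."""
    blank = _zero_auth_field(wire, offset)
    mac = _mac(kul, blank, algo)
    return blank[:offset] + mac + blank[offset + MAC_LEN:]


def verify(kul: bytes, wire: bytes, offset: int, algo: str) -> bool:
    """Receiver: recompute over the zeroed message and compare in constant time."""
    expected = _mac(kul, _zero_auth_field(wire, offset), algo)
    return hmac.compare_digest(expected, wire[offset:offset + MAC_LEN])


# constructed sample message: header bytes, the auth field, then a scoped PDU
ENGINE_ID = bytes(11) + b"\x02"                  # snmpEngineID from RFC 3414 A.3
HEADER = b"[constructed header up to msgAuthenticationParameters]"
SCOPED_PDU = b"[constructed scoped PDU: get sysName.0]"
OFFSET = len(HEADER)
WIRE = HEADER + bytes(MAC_LEN) + SCOPED_PDU


def demo(algo: str = "sha1"):
    """Sign the sample with a localized key, verify it, then show that a
    single flipped PDU byte is rejected. Returns (signed, ok, tampered_ok)."""
    kul = localize_key(password_to_key(b"maplesyrup", algo), ENGINE_ID, algo)
    signed = sign(kul, WIRE, OFFSET, algo)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01
    return signed, verify(kul, signed, OFFSET, algo), verify(kul, bytes(tampered), OFFSET, algo)


if __name__ == "__main__":
    signed, ok, tampered_ok = demo()
    print(signed[OFFSET:OFFSET + MAC_LEN].hex(), ok, tampered_ok)
```

The two intermediate keys for "maplesyrup" match the sample results in RFC 3414 Appendix A.3, which is a useful self-check when writing or auditing a USM implementation; a mismatch there usually means the password expansion or the Ku || engineID || Ku concatenation order is wrong.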
IDEA BEHIND THE DATA CONFIDENTIALITY (DES)
[Diagram: DES-KEY and DATA go into the DES ALGORITHM, producing ENCRYPTED DATA.]

IDEA BEHIND ENCRYPTION
[Diagram: the sending USER runs DATA through the DES ALGORITHM with the DES-KEY and sends the ENCRYPTED DATA; the receiving USER runs the ENCRYPTED DATA through the DES ALGORITHM with the same DES-KEY to recover the DATA.]
VIEW BASED ACCESS CONTROL MODEL
• ACCESS CONTROL TABLE
• MIB VIEWS
ACCESS CONTROL TABLES
MIB VIEW          ALLOWED OPERATIONS   ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY
Interface Table   SET                  John               Authentication, Encryption
Interface Table   GET / GETNEXT        John, Paul         Authentication
Systems Group     GET / GETNEXT        George             None
•••               •••                  •••                •••

MIB VIEWS
[Figure: MIB views]
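The ACCESS CONTROL TABLE and MIB VIEWS of the two slides above, turned into an access decision as an added example that is not part of the slides. The three table rows are the slide's; the security levels are SNMPv3's noAuthNoPriv < authNoPriv < authPriv, with "Authentication, Encryption" read as authPriv and "Authentication" as authNoPriv. MIB views are modelled as RFC 3415-style view families (OID subtrees marked included or excluded, most specific match wins). The subtrees chosen for "Interface Table" (ifTable, 1.3.6.1.2.1.2.2) and "Systems Group" (system, 1.3.6.1.2.1.1), the excluded sysLocation entry, and all function names are this example's assumptions, not the slides'.

```python
"""Access-control check in the style of the slide's ACCESS CONTROL TABLE.

Added example, not from the lecture slides. The table rows (MIB view,
allowed operations, allowed managers, required level of security) are the
three rows shown on the slide; the security levels are SNMPv3's
noAuthNoPriv < authNoPriv < authPriv. MIB views are modelled as RFC
3415-style view families (OID subtrees included or excluded, most specific
match wins); the subtrees assigned to "Interface Table" (ifTable) and
"Systems Group" (system) and the excluded sysLocation are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

OID = Tuple[int, ...]
NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3   # ordered security levels


def oid(dotted: str) -> OID:
    return tuple(int(x) for x in dotted.split("."))


@dataclass(frozen=True)
class ViewFamily:
    subtree: OID
    included: bool


def in_view(view: List[ViewFamily], target: OID) -> bool:
    """An object is in the view if the longest matching family includes it."""
    best: Optional[ViewFamily] = None
    for fam in view:
        if target[:len(fam.subtree)] == fam.subtree:
            if best is None or len(fam.subtree) > len(best.subtree):
                best = fam
    return best is not None and best.included


# MIB VIEWS (assumed subtrees; see module docstring)
VIEWS: Dict[str, List[ViewFamily]] = {
    "Interface Table": [ViewFamily(oid("1.3.6.1.2.1.2.2"), True)],
    "Systems Group": [ViewFamily(oid("1.3.6.1.2.1.1"), True),
                      ViewFamily(oid("1.3.6.1.2.1.1.6"), False)],   # hide sysLocation
}


@dataclass(frozen=True)
class AccessRow:
    view: str
    operations: FrozenSet[str]
    managers: FrozenSet[str]
    required_level: int


# ACCESS CONTROL TABLE rows from the slide
ACCESS_TABLE: List[AccessRow] = [
    AccessRow("Interface Table", frozenset({"SET"}), frozenset({"John"}), AUTH_PRIV),
    AccessRow("Interface Table", frozenset({"GET", "GETNEXT"}), frozenset({"John", "Paul"}), AUTH_NO_PRIV),
    AccessRow("Systems Group", frozenset({"GET", "GETNEXT"}), frozenset({"George"}), NO_AUTH_NO_PRIV),
]


def check_access(manager: str, operation: str, target: str, level: int) -> Tuple[bool, str]:
    """Return (allowed, reason). A request is allowed when some row names the
    manager and the operation, the message's security level meets the row's
    requirement, and the object lies inside the row's MIB view."""
    target_oid = oid(target)
    reasons = []
    for row in ACCESS_TABLE:
        if manager not in row.managers or operation not in row.operations:
            continue
        if level < row.required_level:
            reasons.append("authorizationError: security level too low")
            continue
        if not in_view(VIEWS[row.view], target_oid):
            reasons.append("notInView")
            continue
        return True, f"granted by row '{row.view}'"
    return False, reasons[0] if reasons else "noAccessEntry"


if __name__ == "__main__":
    # constructed requests: ifAdminStatus.3 and sysName.0 / sysLocation.0
    print(check_access("John", "SET", "1.3.6.1.2.1.2.2.1.7.3", AUTH_PRIV))
    print(check_access("John", "SET", "1.3.6.1.2.1.2.2.1.7.3", AUTH_NO_PRIV))
    print(check_access("George", "GET", "1.3.6.1.2.1.1.5.0", NO_AUTH_NO_PRIV))
    print(check_access("George", "GET", "1.3.6.1.2.1.1.6.0", AUTH_PRIV))
```

The second slide's point (secure communication versus access control) shows up in the decision order: a message can be perfectly authenticated and encrypted and still be refused because the row requires no more than the manager is allowed to touch, and conversely an authNoPriv John is refused the SET even though the row names him, because the required security level is part of the policy.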
SNMPv3 RFCs
[Diagram: the SNMPv3 architecture labelled with the RFC defining each part:
  SNMP ENTITY: RFC 2571
  SNMP APPLICATIONS: RFC 2573 (plus OTHER applications)
  SNMP ENGINE: DISPATCHER: RFC 2572; MESSAGE PROCESSING SUBSYSTEM: RFC 2572; SECURITY SUBSYSTEM (USM): RFC 2574; ACCESS CONTROL SUBSYSTEM (VACM): RFC 2575]
Recommended Reading and WEB Sites
• Subramanian, Mani. Network Management. Addison-Wesley, 2000
• Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999
• IETF SNMPv3 working group (Web sites)
• SNMPv3 Web sites