Configuring SNMP
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• The Simple Network Management Protocol (SNMP) is part of TCP/IP as defined by the IETF.
• It is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.
• It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects.
• Managers:
– In any configuration, at least one manager node runs SNMP management software.
• Agents:
– Network devices that need to be managed, such as switches, routers, servers, and workstations, are equipped with an agent software module.
• Management Information Base (MIB):
– The agent is responsible for providing access to a local MIB of objects that reflects the resources and activity at the agent’s node.
• Network Management System (NMS)
• Agents
• MIB
– Managed devices
• An NMS executes applications that monitor (and possibly control) managed devices.
• The NMS provides the bulk of the processing and memory resources required for network management.
• One or more NMSs must exist on any SNMP network.
• Nagios:
– Is an open source management system with many features, aimed primarily at host and service monitoring. It can, however, be used to fill the role of a full-blown SNMP-based management system by setting it up to receive SNMP traps. Nagios can then generate alerts based on traps received from hosts and network devices. Nagios is suited to service monitoring, with its ability to connect to SMTP, POP3, HTTP, NNTP, PING, etc. Nagios even allows advanced monitoring of host statistics, such as disk usage, temperature, load, etc. Nagios has the ability to produce availability charts and graphs as well. It focuses on NOC operations by allowing you to schedule downtimes (i.e. suppress notifications) and track problem resolutions. Being open source and having a decent API also means that there are hundreds of plug-ins for Nagios. Nagios does lack discovery capabilities, however.
• Netdisco:
– Is another NMS suite, designed for Linux only, that has a specific focus. As the name implies, the focus is on network discovery. If this is most important to you, Netdisco is definitely worth a look. Netdisco provides layer 2 discovery. It creates mappings from IP and MAC addresses to switch ports, and provides a good interface for searching the discovered information. Netdisco provides many useful reports as well, including: a clickable graph of the network topology, statistics about the number of nodes connected, and a great listing of security concerns such as rogue wireless access points and hosts using IP addresses that aren't in DNS.
• WhatsUp:
– Is a very popular monitoring system that runs on Windows only. WhatsUp is a fairly complete NMS, implementing: monitoring, discovery, and reporting. It can even catch SNMP traps and provide information about devices using its SNMP Viewer. The intuitive interface, world-class maps and diagrams, and ease of use make WhatsUp preferred by many.
• Big Brother's:
– Focus is purely on monitoring. Big Brother is a customizable monitoring system that is easy to set up. It works on both Unix and Windows servers and clients. The web interface shows a statistics page with a simple "red = bad, green = good" scheme. Big Brother can monitor services, as well as act simply as a ping tool.
• Cricket:
– Is a one-feature piece of software, but it deserves mention here. Cricket graphs important data based on SNMP data collected from routers and switches. The most common uses include the data rate of every port and temperature/CPU usage. Virtually every site uses this package in conjunction with other NMS tools, since it excels at gathering and displaying this important information.
• http://www.unix.com.ua/orelly/networking_2ndEd/snmp/ch05_02.htm
• An agent is a network-management software module that resides in a managed device.
• An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
• A managed device is a network node that contains an SNMP agent and that resides on a managed network.
• Managed devices can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
• Managed devices collect and store management information and make this information available to NMSs using SNMP.
• SNMP asks agents for information or tells the agents to do something.
– In SNMPv1, asynchronous event reports are called traps, while in later versions they are called notifications.
– The GET and SET actions are the vulnerabilities that open SNMP to attack.
[Figure: SNMP Manager and SNMP Agent message flow]
– Manager to agent: GetRequest, GetNextRequest, GetBulkRequest, SetRequest
– Agent to manager: Response, Trap, InformRequest (to another Manager), Report
• GET REQUEST
– Used to retrieve a piece of management information.
• GETNEXT REQUEST
– Used interactively to retrieve sequences of management information.
• GET RESPONSE
– The agent responds with data to GET and SET requests from the manager.
• SET REQUEST
– Used to initialize or change a value on the network element.
• TRAP
– Used to report an alert or other asynchronous event about a managed subsystem.
• Other PDUs were added in later versions, including:
– GETBULK REQUEST - a faster iterator used to retrieve sequences of management information.
– INFORM - an acknowledged trap.
• SNMP uses:
– UDP port 161 for the agent
– UDP port 162 for the manager.
• The Manager may send requests from any available port (source port) to port 161.
– The agent response will be given back to the source port.
• The Manager will receive traps on port 162.
– The agent may generate traps from any available port.
• SNMPv1 and SNMPv2 use a community string to access router SNMP agents
– SNMP community strings act like passwords
– An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine
• Read-Only Community Strings:
– Community strings can obtain information but cannot set information in an agent.
• Read-Write Community Strings:
– Community strings can obtain and set information in an agent.
• SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
• In effect, having read-write access is equivalent to having the enable password!
• By default, most SNMP systems use a community string of “public”
– This is a security problem!
• If the router SNMP agent is configured to “public”, anyone with an NMS system is able to read the router MIB.
– Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration.
• It is very important that custom SNMP community strings are created!
• A security model is an authentication strategy that is set up for a user and the group that the user resides in.
• Currently, Cisco IOS software supports three security models:
– SNMPv1
– SNMPv2 (variations: SNMPv2p, SNMPv2c, SNMPv2u, and SNMPv2*)
– SNMPv3
• SNMPv1 and v2 are considered obsolete and are extremely insecure.
– It is recommended they NOT be used on a publicly attached network.
• SNMPv3 adds administration and security features.
SNMPv1 (Secure: No)
• It uses cleartext authentication strings.
• Sends strings repeatedly as part of periodic polling.
• Easily spoofable, datagram-based transaction protocol.
SNMPv2 (Secure: No)
• Uses the same PDUs as version 1.
• Adds two new PDUs called GetBulk and Inform.
• Different variations developed to address security issues.
SNMPv3 (Secure: Yes)
• Username match for authentication
• Increased message integrity
• Authentication based on HMAC-MD5 or HMAC-SHA
• Encryption based on CBC-DES
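To make the "cleartext authentication strings" point, the community-string slides and the PDU list above concrete, here is an added Python example (not from the Cisco deck) that decodes the outer BER layers of two constructed SNMPv1/v2c datagrams. No captured traffic is used; the two packets, the PDU name table and the finding strings are mine, while the tag values for the PDU types come from the SNMP RFCs. The point for a defender: version, community and PDU type sit in plain BER at the top of every v1/v2c message, so anyone who sees the packet has the "password", and a sensor can key on exactly the same fields to flag default communities and SET requests.

```python
"""Decode the outer layers of an SNMPv1/v2c datagram (added example, not Cisco code).

Shows why v1/v2c community strings are 'cleartext authentication strings':
the version, community and PDU type are plain BER values at the top of
every message, and the same fields let a monitoring sensor raise findings.
"""

# BER tag values for the SNMP PDU types (RFC 1157 for v1, RFC 3416 for v2 additions)
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "Response",
    0xA3: "SetRequest",
    0xA4: "Trap",            # SNMPv1 only
    0xA5: "GetBulkRequest",  # added in v2
    0xA6: "InformRequest",   # added in v2 (acknowledged trap)
    0xA7: "SNMPv2-Trap",
    0xA8: "Report",
}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the well-known defaults from the slides


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    """Expand BER-encoded OID bytes into dotted form (first octet packs two arcs)."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_snmp(datagram):
    """Return version, community, PDU type, request id and varbind OIDs."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = read_tlv(msg)
    version = decode_int(ver)
    if version == 3:
        # v3 carries msgGlobalData and USM security parameters here, not a community
        return {"version": "SNMPv3", "community": None, "pdu": None, "oids": []}
    tag, community, pos = read_tlv(msg, pos)      # OCTET STRING, readable as-is
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, p = read_tlv(pdu)                     # request-id
    _, _, p = read_tlv(pdu, p)                    # error-status
    _, _, p = read_tlv(pdu, p)                    # error-index
    _, vblist, _ = read_tlv(pdu, p)               # SEQUENCE OF VarBind
    oids, p = [], 0
    while p < len(vblist):
        _, vb, p = read_tlv(vblist, p)
        _, oid, _ = read_tlv(vb)
        oids.append(decode_oid(oid))
    return {
        "version": VERSIONS.get(version, f"unknown({version})"),
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
        "request_id": decode_int(rid),
        "oids": oids,
    }


def findings(parsed):
    """Defender-side checks a sensor could raise on a decoded message."""
    out = []
    if parsed["community"] is not None:
        out.append("community string sent in cleartext")
        if parsed["community"] in DEFAULT_COMMUNITIES:
            out.append("default community string in use")
    if parsed["pdu"] == "SetRequest":
        out.append("SET request observed (write access over community string)")
    return out


# Constructed datagrams for this example (not captured traffic):
# SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0) with community "public"
GET_V1 = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)
# SNMPv2c SetRequest on sysContact.0 (1.3.6.1.2.1.1.4.0) with community "private"
SET_V2C = bytes.fromhex(
    "3028 020101 0407 70726976617465 a31a 020102 020100 020100"
    "300f 300d 0608 2b06010201010400 040178"
)

if __name__ == "__main__":
    for pkt in (GET_V1, SET_V2C):
        decoded = parse_snmp(pkt)
        print(decoded, findings(decoded))
```

The decoder stops at the varbind OIDs on purpose: for detection the interesting fields are version, community and PDU type, and an SNMPv3 message is recognised by its version field and returned without a community, since its authentication lives in the USM parameters rather than in a cleartext string.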
• SNMPv3 is an interoperable standards-based protocol for network management.
– SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.
• There are three security features that SNMPv3 provides:
– Authentication
– Message integrity
– Encryption
• SNMP is typically used to ease troubleshooting and configuration.
– However, SNMP in a production network introduces a potential vulnerability.
• If SNMP is required, consider:
– Providing read-only access to devices via SNMP
– Treating the SNMP community string with the same care that you might use for a root password on a critical UNIX host.
– Using SNMPv3 authentication and encryption features.
• If SNMP is not required, disable it.
• If SNMP is absolutely required, use it only in read-only mode.
• Don’t use obvious read/write strings.
• Log the authentication failures.
• For SNMP remote access, create a basic ACL for trusted subnets to control which hosts can access the managed device.
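The two checklists above map directly onto a running-config review. The following Python script is an added example (not Cisco's tooling and not part of the deck) that audits the snmp-server lines of an IOS configuration for the points the slides make: read-write communities, well-known default strings, communities with no ACL, trap hosts still on v1/v2c, SNMPv3 groups below the priv level, and the absence of the authentication-failure trap (snmp-server enable traps snmp authentication). The weak and hardened configurations it checks are constructed samples; ACL number 99, the view/group/user names and the password placeholders are assumptions chosen for the example.

```python
"""Audit the SNMP section of a Cisco IOS configuration (added example, not Cisco code)."""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco"}   # obvious strings the slides warn about


def parse_community(tokens):
    """Decode the arguments of 'snmp-server community <name> [view V] [RO|RW] [ipv6 ACL] [ACL]'."""
    name, rest = tokens[0], tokens[1:]
    mode, acl = "RO", None        # IOS defaults to read-only when neither keyword is given
    i = 0
    while i < len(rest):
        tok = rest[i].lower()
        if tok == "view":
            i += 2                # skip the view name
        elif tok in ("ro", "rw"):
            mode, i = tok.upper(), i + 1
        elif tok == "ipv6":
            acl, i = rest[i + 1], i + 2
        else:
            acl, i = rest[i], i + 1   # trailing standard ACL number or name
    return name, mode, acl


def audit_snmp(config_text):
    """Return a list of findings for the snmp-server lines in config_text."""
    findings = []
    snmp_lines = [ln.strip() for ln in config_text.splitlines()
                  if ln.strip().startswith("snmp-server ")]
    if not snmp_lines:
        return findings           # SNMP is not enabled: nothing to harden
    auth_trap = False
    for line in snmp_lines:
        tokens = line.split()
        kind = tokens[1]
        if kind == "community":
            name, mode, acl = parse_community(tokens[2:])
            if mode == "RW":
                findings.append(f"community '{name}' grants read-write access")
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(f"community '{name}' is a well-known default string")
            if acl is None:
                findings.append(f"community '{name}' has no ACL restricting source hosts")
            findings.append(f"community '{name}' uses SNMPv1/v2c (cleartext authentication)")
        elif kind == "group" and "v3" in tokens:
            # snmp-server group NAME v3 {noauth|auth|priv} ...
            level = tokens[tokens.index("v3") + 1]
            if level != "priv":
                findings.append(f"SNMPv3 group '{tokens[2]}' uses '{level}', not 'priv' (no encryption)")
        elif kind == "host":
            m = re.search(r"\bversion (1|2c)\b", line)
            if m:
                findings.append(f"trap/inform host {tokens[2]} uses SNMPv{m.group(1)}")
        elif kind == "enable" and tokens[2:4] == ["traps", "snmp"] and "authentication" in tokens:
            auth_trap = True
    if not auth_trap:
        findings.append("authentication failures are not reported "
                        "(snmp-server enable traps snmp authentication missing)")
    return findings


# Constructed sample: the default-style configuration the slides call a security problem
WEAK_CONFIG = """
snmp-server community public RO
snmp-server community private RW
snmp-server host 192.0.2.10 version 2c private
"""

# Constructed sample: SNMPv3 auth+priv, ACL-restricted, authentication-failure traps on.
# ACL 99, the names and the *_PLACEHOLDER passwords are assumptions for this example.
HARDENED_CONFIG = """
access-list 99 remark NMS hosts allowed to poll
access-list 99 permit 192.0.2.0 0.0.0.255
snmp-server view MGMT-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 99
snmp-server user nms-poller NMS-GROUP v3 auth sha AUTH_PASS_PLACEHOLDER priv aes 128 PRIV_PASS_PLACEHOLDER
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 192.0.2.10 version 3 priv nms-poller
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or ["no findings"])
```

Run against a saved "show running-config", the script reports one line per issue; an empty list for the hardened sample is the target state. The community parser treats the absence of RO/RW as read-only because that is the IOS default, so a bare "snmp-server community X" is still flagged only for the default name, the missing ACL and the v1/v2c cleartext exposure.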
• SNMP Tutorial
– http://video.google.ca/videoplay?docid=5629617213275193770&ei=BlLSSJNBKC4-wGgt728Ag&q=snmp&vt=lf&hl=en
• Essential SNMP
– http://www.unix.com.ua/orelly/networking_2ndEd/snmp/index.htm
• Configuring SNMP
– http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_snmp_sup_ps6441_TSD_Products_Configuration_Guide_Chapter.html
• SNMP Server
– SNMP Trap Watcher http://www.bttsoftware.co.uk/snmptrap.html
– Kiwi Enterprises http://www.kiwisyslog.com/products.htm#syslog