Download Chapter 8

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
Document related concepts

Cyber-security regulation wikipedia , lookup

Access control wikipedia , lookup

Wireless security wikipedia , lookup

Distributed firewall wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Security-focused operating system wikipedia , lookup

Computer security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Mobile security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Information security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Network
Management
Security
Ola Flygt
Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/
[email protected]
+46 470 70 86 49
1
Outline
 Basic Concepts of SNMP
 SNMPv1 Community Facility
 SNMPv3
2
The Internet Standard Management
Framework
SNMP network management consists of four parts:
 Management Information Base (MIB)
 A map of the hierarchical order of all managed objects and how
they are accessed
 Structure of Management Information (SMI)
 Rules specifying the format used to define objects managed on the
network that the SNMP protocol accesses
 SNMP Protocol
 Defines format of messages exchanged by management systems
and agents.
 Specifies the Get, GetNext, Set, and Trap operations
 Security and administration capabilities
 The addition of these capabilities represents the major
enhancement in SNMPv3 over SNMPv2
3
Basic Concepts of SNMP
 An integrated collection of tools for network
monitoring and control.
 Single operator interface
 Minimal amount of separate equipment. Software
and network communications capability built into
the existing equipment
 SNMP key elements:
 Management station
 Management agent
 Management information base
 Network Management protocol
 Get, Set and Notify
4
Management Information
Bases (MIB)
 SNMP agent is software that runs on a piece
of network equipment (host, router, printer,
or others) and that maintains information
about its configuration and current state in a
database
 Information in the database is described by
Management Information Bases (MIBs)
 The MIB specifies the managed objects
5
Management Information
Bases (MIB)
 The MIB is a text file that describes managed
objects using the syntax of ASN.1 (Abstract
Syntax Notation 1)
 ASN.1 is a formal language for describing
data and its properties
 In Linux, MIB files are in the directory
/usr/share/snmp/mibs
 Multiple MIB files
 MIB-II (defined in RFC 1213) defines the managed
objects of TCP/IP networks
6
Managed Objects
 Each managed object is assigned an object
identifier (OID)
 The OID is specified in a MIB file.
 An OID can be represented as a sequence of
integers separated by decimal points or by a
text string. Example:
 1.3.6.1.2.1.4.6.
 iso.org.dod.internet.mgmt.mib-2.ip.ipForwData
 When an SNMP manager requests an object,
it sends the OID to the SNMP agent.
7
MIB Example
ipForwDatagrams OBJECT-TYPE
SYNTAX Counter
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The number of input datagrams for which this
entity was not their final IP destination, as a
result of which an attempt was made to find a
route to forward them to that final destination.
In entities which do not act as IP Gateways, this
counter will include only those packets which were
Source-Routed via this entity, and the SourceRoute option processing was successful."
::= { ip 6 }
8
Protocol context of SNMP
9
Proxy Configuration
10
11
SNMP v1 and v2
 Trap – an unsolicited message
(reporting an alarm condition)
 SNMPv1 is ”connectionless” since it
utilizes UDP (rather than TCP) as the
transport layer protocol.
 SNMPv2 allows the use of TCP for
”reliable, connection-oriented”
service.
12
Comparison of SNMPv1 and SNMPv2
SNMPv1 PDU
SNMPv2 PDU
Direction
Description
GetRequest
GetRequest
Manager to agent
Request value for each
listed object
GetRequest
GetRequest
Manager to agent
Request next value for
each listed object
------
GetBulkRequest
Manager to agent
Request multiple
values
SetRequest
SetRequest
Manager to agent
Set value for each
listed object
------
InformRequest
Manager to manager
Transmit unsolicited
information
GetResponse
Response
Agent to manager or
Manage to
manager(SNMPv2)
Respond to manager
request
Trap
SNMPv2-Trap
Agent to manager
Transmit unsolicited
information
13
SNMPv1 Community Facility
 SNMP Community – Relationship
between an SNMP agent and SNMP
managers.
 Three aspect of agent control:
Authentication service
Access policy
Proxy service
14
SNMPv1 Administrative
Concepts
15
SNMPv3
 SNMPv3 defines a security capability to
be used in conjunction with SNMPv1 or v2
16
SNMPv3 Flow
17
Traditional SNMP Manager
18
Traditional SNMP Agent
QuickTime™ and a
TIFF (Uncompressed) decompressor
are needed to see this picture.
19
SNMP3 Message Format with USM
20
User Security Model (USM)
 Designed to secure against:
Modification of information
Masquerade
Message stream modification
Disclosure
 Not intended to secure against:
Denial of Service (DoS attack)
Traffic analysis
21
USM Encryption
 Authentication (using authKey)
HMAC-MD5-96
HMAC-SHA1-96
 Encryption (using privKey)
DES CBC
Uses first 64 bits of the 16-octet privKey
Last 64 bits used as IV to DES CBC
 Key values not accessible from SNMP
22
Authoritative Engine
 SNMP messages with payloads that
expect a response (Get…, Set, Inform)
Receiver of message is authoritative
 SNMP messages with payload that does
not expect response (Trap, Response,
Report)
Sender is authoritative
23
Key Localization
 Allows single user to own keys stored
in multiple engines
Key localized to each authoritative engine
using hash functions
Avoids problem of a single key being
stored in many places
 Greatly slows brute force attack
24
Key Localization
25
Timeliness
 Determined by a clock kept at the
authoritative engine
 When authoritative engine sends a message, it
includes the current clock value
 Nonauthoritative agent synchronizes on clock value
 When nonauthoritative engine sends a message,
it includes the estimated destination clock value
 These procedures allow assessing message
timeliness
26
View-Based Access Control
Model (VACM)
 VACM has two characteristics:
Determines whether access to a managed
object should be allowed.
Make use of an MIB that:
Defines the access control policy for this
agent.
Makes it possible for remote configuration to
be used.
27
Access control decision
28
SNMPv3 Security
 SNMPv3 solves SNMP security problems,
right?
 NOT!
 Decent security implementation, but reality
is:
 SNMPv1 still holds ~95% of the market (2005)
 Even SNMPv2 not widely deployed
 Upgrading to SNMPv3 is difficult and costly (sort
of like moving from Win95 to WinXP all at once)
 There is the issue of proxies and foreign clients
 SNMPv3 is the clear long-term choice
29
Related documents
Chapter 36 Network Management & SNMP
Chapter 36 Network Management & SNMP
BDC5eChapter19
BDC5eChapter19
Week 12
Week 12
Chapter 8
Chapter 8
SNMP and CMIP
SNMP and CMIP
ppt
ppt
Network Management
Network Management
What are SNMP Messages
What are SNMP Messages
Chapter 17 Network Management
Chapter 17 Network Management
Introduction to Network Administration
Introduction to Network Administration
Network Management
Network Management
SNMP
SNMP
A Brief Introduction to Internet Network Management and SNMP
A Brief Introduction to Internet Network Management and SNMP
SNMPv3 Fundamentals
SNMPv3 Fundamentals
Network Management - Brock Computer Science
Network Management - Brock Computer Science
EMP: A Network Management Protocol for IP
EMP: A Network Management Protocol for IP
SNMP Configuration Manager
SNMP Configuration Manager
Simple Network Management Protocol(SNMP) is simply define as
Simple Network Management Protocol(SNMP) is simply define as
Network Management
Network Management
SNMPv1 Message
SNMPv1 Message
NWM_ch_7
NWM_ch_7
2. SNMPv3 and Network Management
2. SNMPv3 and Network Management