Simple Network Management Protocol
By Suparna Sri

Agenda
- Introduction
- Network Level Architecture
- Operation of Protocol
- Applications of Protocol
- Event flows
- Message Formats
- Extensions, Performance and Security Issues
- Conclusion
- References

Introduction
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches and routers on an Internet Protocol (IP) network. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

Basic Components of SNMP
- NMS (Network Management Station)
- Managed Devices
- Agents
- MIB (Management Information Base)

NMS: executes the applications that monitor and control managed devices. At least one NMS must exist on any managed network. An NMS is a general-purpose computer running special software.

Managed Device: a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make it available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts or printers.

Agent: a network-management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP.

Network Level Architecture

MIB Structure
Every management station or agent in an SNMP architecture maintains a local database of network-management information. This virtual information store is called the MIB (the objects database). An SNMP MIB contains definitions and information about the properties of managed resources and the services that the agents support.
The manageable features of resources, as defined in an SNMP MIB, are called managed objects.

Management Information Base: MIB object identifiers
Each object in the MIB has an object identifier (OID). The management station uses the OID to request the object's value from the agent. An OID is a sequence of integers that uniquely identifies a managed object by defining a path to that object through a tree-like structure called the OID tree or registration tree. When an SNMP agent needs to access a specific managed object, it traverses the OID tree to find the object.

SNMP OID Hierarchy Format

Operation of Protocol
- Read: used by an NMS to monitor managed devices. The NMS examines the variables maintained by managed devices.
- Write: used by an NMS to control managed devices. The NMS changes the values of variables stored within managed devices.
- Trap: used by managed devices to asynchronously report events to the NMS. When certain types of events occur, a managed device sends a trap to the NMS.

Operation of the Protocol
- Get
- Get-next
- Get-bulk
- Set
- Response (GetResponse in SNMPv1, Response in SNMPv2 and v3; answers every request type)
- Trap
- Notification
- Inform
- Report

'get' and 'get-next' Operation
The get request is initiated by the NMS, which sends the request to the agent. The agent receives the request and processes it to the best of its ability. The get command retrieves MIB objects whose exact instance OIDs are already known. The get-next operation returns the object that follows the given OID in lexicographic order, so a sequence of get-next requests retrieves a whole group of values, or a whole table, without knowing the instance OIDs in advance.

'get' Operation

'get-bulk' Operation
SNMPv2 defined the get-bulk operation, which allows a management application to retrieve a large section of a table at once. The standard get operation can attempt to retrieve more than one MIB object at once, but message sizes are limited by the agent's capabilities: if the agent cannot fit all the requested responses into one message, it returns a tooBig error with no data.
A get-bulk request carries two extra fields, non-repeaters and max-repetitions, which are set when issuing the command. Non-repeaters (N) tells the agent that the first N variable bindings are to be handled with a single get-next each. Max-repetitions (M) tells the agent to perform up to M successive get-next operations on each of the remaining bindings.

'get-bulk' Operation

'set' Operation
The set command is used to change the value of a managed object or to create a new row in a table. Objects defined in the MIB as read-write or write-only can be altered or created with this command. An NMS may set more than one object in a single request.

'trap' Operation
A trap is a way for an agent to tell the NMS that something has happened, usually something bad. The trap originates from the agent and is sent to the trap destination configured within the agent itself, typically the IP address of the NMS.

Scenarios when a 'trap' occurs
- A network interface on the device (where the agent is running) has gone down.
- A network interface on the device has come back up.
- An incoming call to a modem rack was unable to establish a connection to a modem.
- The fan on a switch or router has failed.

Generic types of 'trap'
- coldStart(0): the agent has rebooted. All management variables are reset; specifically, Counters and Gauges are reset to zero. It can also be used to determine when new hardware is added to the network.
- warmStart(1): the agent has reinitialized itself. None of the management variables are reset.
- linkDown(2): sent when an interface on a device goes down. The first variable binding identifies which interface went down.
- linkUp(3): sent when an interface on a device comes back up.
Generic types of 'trap' (continued)
- authenticationFailure(4): someone has tried to query the agent with an incorrect community string; useful for spotting attempts to gain unauthorized access to a device. Agents only send it when snmpEnableAuthenTraps is enabled, so turn it on and collect these traps.
- egpNeighborLoss(5): an Exterior Gateway Protocol (EGP) neighbor has gone down.
- enterpriseSpecific(6): the trap is vendor-defined; vendors define their own traps under their private-enterprise branch of the SMI object tree.

Other SNMP operations
- SNMP notification: in SNMPv2 and v3 the SNMPv1 Trap-PDU is replaced by the SNMPv2-Trap PDU, which has the same layout as the other PDUs; notifications are defined in MIB modules with the NOTIFICATION-TYPE macro.
- SNMP inform: an acknowledged notification (the receiver answers with a Response-PDU), originally intended for manager-to-manager communication.
- SNMP report: allows SNMPv3 engines to communicate with each other, mainly to report problems with processing SNMP messages (for example, to let a manager discover an agent's engine ID and time values).

Messages Sent Between an SNMP Manager and its Managed Devices

Event Flow of SNMP protocol
Represents the interactions and timing of the SNMP protocol between the SNMP manager and the SNMP agent. Traps are unsolicited messages sent from the agent to the manager. The four basic SNMPv1 operations are get-request, get-next-request, set-request and trap; every request is answered with a get-response.

Event Flow of SNMP operations

Network Management System

SNMPv3 Applications
Five types of application that can be associated with an SNMP engine are described in RFC 2273 (now superseded by RFC 3413):
- Command generators, which monitor and manipulate management data,
- Command responders, which provide access to management data,
- Notification originators, which initiate asynchronous messages,
- Notification receivers, which process asynchronous messages, and
- Proxy forwarders, which forward messages between entities.
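The agent-side rules behind the get, get-next, get-bulk and set operations described under 'Operation of Protocol' above, as an added example that is not part of the original slides. The MIB, the Agent class and its method names are this example's own; the OIDs are the real MIB-II ones for sysDescr, sysLocation and ifTable, the values are invented. There is no BER encoding or UDP here, only the lookup semantics an agent applies to variable bindings: lexicographic get-next, the non-repeaters/max-repetitions logic of get-bulk, and the all-or-nothing set with its error-index.

```python
# Added example, not from the original slides: a minimal in-memory SNMP agent
# implementing the lookup rules behind get, get-next, get-bulk and set over a
# constructed MIB. OIDs are tuples of integers; no BER or UDP, only semantics.
from bisect import bisect_right

# Constructed sample MIB using real MIB-II OIDs: sysDescr.0, sysLocation.0 and
# three rows of ifTable (ifIndex, ifDescr, ifOperStatus columns).
SYSTEM = (1, 3, 6, 1, 2, 1, 1)
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
MIB = {
    SYSTEM + (1, 0): "toy agent",
    SYSTEM + (6, 0): "rack 12",
    IF_ENTRY + (1, 1): 1, IF_ENTRY + (1, 2): 2, IF_ENTRY + (1, 3): 3,
    IF_ENTRY + (2, 1): "eth0", IF_ENTRY + (2, 2): "eth1", IF_ENTRY + (2, 3): "lo",
    IF_ENTRY + (8, 1): 1, IF_ENTRY + (8, 2): 2, IF_ENTRY + (8, 3): 1,
}
READ_WRITE = {SYSTEM + (6, 0)}        # objects with MAX-ACCESS read-write
NO_SUCH_INSTANCE = "noSuchInstance"   # SNMPv2 per-binding exception values
END_OF_MIB_VIEW = "endOfMibView"


class Agent:
    def __init__(self, mib):
        self.mib = dict(mib)
        self.order = sorted(self.mib)   # lexicographic OID order drives get-next

    def get(self, oid):
        """get: exact instance match only; no match yields an exception value."""
        return oid, self.mib.get(oid, NO_SUCH_INSTANCE)

    def get_next(self, oid):
        """get-next: the first OID strictly greater than oid in lexicographic order."""
        i = bisect_right(self.order, oid)
        if i == len(self.order):
            return oid, END_OF_MIB_VIEW
        return self.order[i], self.mib[self.order[i]]

    def get_bulk(self, oids, non_repeaters, max_repetitions):
        """get-bulk: one get-next for each of the first N bindings, then up to M
        rounds of get-next over the remaining bindings (table columns interleave)."""
        out = [self.get_next(o) for o in oids[:non_repeaters]]
        cursors = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            for k, o in enumerate(cursors):
                name, value = self.get_next(o)
                out.append((name, value))
                if value != END_OF_MIB_VIEW:
                    cursors[k] = name      # advance; past the end it simply repeats

        return out

    def walk(self, subtree):
        """Repeated get-next until the returned OID leaves subtree (what snmpwalk does)."""
        out, oid = [], subtree
        while True:
            oid, value = self.get_next(oid)
            if value == END_OF_MIB_VIEW or oid[:len(subtree)] != subtree:
                return out
            out.append((oid, value))

    def set(self, bindings):
        """set: all-or-nothing. Returns (error_status, error_index); error_index is
        the 1-based position of the offending binding, 0 on success."""
        for i, (oid, _) in enumerate(bindings, start=1):
            if oid not in self.mib:
                return "noCreation", i
            if oid not in READ_WRITE:
                return "notWritable", i
        for oid, value in bindings:
            self.mib[oid] = value
        return "noError", 0


if __name__ == "__main__":
    agent = Agent(MIB)
    for oid, value in agent.walk(IF_ENTRY + (2,)):   # the ifDescr column
        print(".".join(map(str, oid)), "=", value)
    # non-repeaters=1, max-repetitions=2: sysDescr once, then ifIndex/ifDescr rows 1 and 2
    print(agent.get_bulk([SYSTEM + (1,), IF_ENTRY + (1,), IF_ENTRY + (2,)], 1, 2))
```

The get_bulk result shows why max-repetitions needs care on real agents: each repetition walks every remaining column, so a large value against a wide table produces a response the agent may have to truncate to its maximum message size.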
Flow diagram of Command Generator and Command Responder
Primitives between modules

The animated diagram shows the modules of an SNMPv3 engine (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem) and the applications on top of it, with the abstract service primitives of RFC 2271/RFC 3411 passing between them. The sequence shown is:

Command generator (manager side), sending a request:
- sendPdu: application to Dispatcher
- prepareOutgoingMessage: Dispatcher to Message Processing Subsystem
- generateRequestMsg: Message Processing Subsystem to Security Subsystem
- send / receive: Dispatcher to the transport

Command responder (agent side):
- prepareDataElements: Dispatcher to Message Processing Subsystem
- processIncomingMsg: Message Processing Subsystem to Security Subsystem
- processPdu: Dispatcher to application
- isAccessAllowed: application to Access Control Subsystem
- returnResponsePdu: application to Dispatcher
- prepareResponseMessage: Dispatcher to Message Processing Subsystem
- generateResponseMsg: Message Processing Subsystem to Security Subsystem
- send / receive

Command generator, receiving the response:
- prepareDataElements and processIncomingMsg, as above
- processResponsePdu: Dispatcher to application

Parameters carried by these primitives (the slides repeat the full list at every step; it is given once here): contextEngineID, contextName, destTransportAddress, destTransportDomain, expectResponse, globalData, maxMessageSize, maxSizeResponseScopedPDU, messageProcessingModel, outgoingMessage, outgoingMessageLength, PDU, pduType, pduVersion, scopedPDU, stateReference, statusInformation, securityEngineID, securityLevel, securityModel, securityName, securityParameters, securityStateReference, sendPduHandle, transportAddress, transportDomain, variableName, viewType, wholeMsg, wholeMsgLength.

Five areas of network management
- Performance management: to quantify, measure, report, analyze and control the performance of network components.
- Fault management: to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively.
- Configuration management: to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed.
- Accounting management: to measure network utilization parameters so that individual or group use of the network can be regulated appropriately.
- Security management: to control access to network resources according to local guidelines so that the network cannot be sabotaged and sensitive information cannot be accessed by those without appropriate authorization.

SNMP Message Format
SNMP uses two well-known ports:
- Port 161: SNMP request/response messages (the agent listens here)
- Port 162: SNMP trap/notification messages (the manager listens here)
Both are normally UDP; a TCP transport mapping is also defined but rarely used.

Encapsulation: Ethernet Frame > IP Packet > UDP Datagram > SNMP Message, followed by the Ethernet CRC.

SNMPv3 defines a security and administration framework; it reuses the SNMPv2 protocol operations (PDU types) inside a new message wrapper, and all versions normally run over UDP.

SNMP General Message Format
SNMP message: VERSION | COMMUNITY | SNMP PDU
SNMP PDU: PDU TYPE | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
Variable bindings: NAME 1 VALUE 1 | NAME 2 VALUE 2 | ... | NAME n VALUE n

Table 211: SNMP Variable Binding Format
Subfield Name | Syntax | Size (bytes) | Description
Object Name | Sequence of Integer | Variable | The numeric object identifier of the MIB object, specified as a sequence of integers. For example, the object sysLocation has the object identifier 1.3.6.1.2.1.1.6, so it is specified as "1 3 6 1 2 1 1 6" in ASN.1 (the single instance actually requested is 1.3.6.1.2.1.1.6.0).
Object Value | Variable | Variable | In any type of get request this subfield is a placeholder: it is structured using the appropriate syntax for the object but carries no value (NULL), since the get request is asking for that value. In a set request (SetRequest-PDU) or in a reply carrying requested data (GetResponse-PDU or Response-PDU), the value of the object is placed here.

SNMPv1 General Message Format
Table 212: SNMP Version 1 (SNMPv1) General Message Format
(Sizes are the nominal widths from the reference tables; on the wire every field is BER-encoded as tag, length, value, so an integer occupies only as many octets as its value needs.)
Field Name | Syntax | Size (bytes) | Description
Version | Integer | 4 | Version Number: describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv1 this value is actually 0, not 1 (SNMPv2c uses 1 and SNMPv3 uses 3).
Community | Octet String | Variable | Community String: identifies the SNMP community in which the sender and recipient of this message are located. This is SNMPv1's only access control: a shared password sent in the clear.
PDU | (see Table 213) | Variable | Protocol Data Unit: the PDU being communicated as the body of the message.

SNMPv1 PDU Format
Table 213: SNMP Version 1 (SNMPv1) Common PDU Format
Field Name | Syntax | Size (bytes) | Description
PDU Type | Integer (Enumerated) | 4 | PDU Type: 0 GetRequest, 1 GetNextRequest, 2 GetResponse, 3 SetRequest (4 is the Trap-PDU, which has its own layout, Table 214).
Request ID | Integer | 4 | Request Identifier: a number used to match requests with replies. It is generated by the device that sends a request and copied into this field in a GetResponse-PDU by the responding SNMP entity.
Error Status | Integer (Enumerated) | 4 | Error Status: 0 (noError) in requests and successful replies; otherwise the reason the request failed (SNMPv1 defines tooBig 1, noSuchName 2, badValue 3, readOnly 4, genErr 5).
Error Index | Integer | 4 | When Error Status is nonzero, this field points to the variable binding (1-based) that caused the error. Always zero in a request.
Variable Bindings | Variable | Variable | A set of name/value pairs identifying the MIB objects in the PDU and, in the case of a SetRequest-PDU or GetResponse-PDU, containing their values.

SNMPv1 Trap-PDU Format
Table 214: SNMP Version 1 (SNMPv1) Trap-PDU Format
Field Name | Syntax | Size (bytes) | Description
PDU Type | Integer (Enumerated) | 4 | PDU Type: an integer value that indicates the PDU type, which is 4 for a Trap-PDU message.
Enterprise | Sequence of Integer | Variable | Enterprise: an object identifier for a group, which indicates the type of object that generated the trap.
Agent Addr | NetworkAddress | 4 | Agent Address: the IP address of the SNMP agent that generated the trap. This is of course also in the IP header at a lower level, but carrying it in the SNMP message allows easier trap logging within SNMP; in the case of a multihomed host it specifies the preferred address.
Generic Trap | Integer (Enumerated) | 4 | Generic Trap Code: one of the predefined generic trap types (coldStart(0) through enterpriseSpecific(6), listed earlier).
Specific Trap | Integer | 4 | Specific Trap Code: a code value indicating an implementation-specific trap type.
Time Stamp | TimeTicks | 4 | Time Stamp: the amount of time since the SNMP entity sending this message last initialized or reinitialized. Used to time-stamp traps for logging purposes.
Variable Bindings | Variable | Variable | Variable Bindings: a set of name/value pairs identifying the MIB objects in the PDU.

SNMPv2 Message Format
The SNMPv2 GetBulk PDU uses the Error Status and Error Index positions for Non-repeaters and Max-repetitions. The SNMPv2 Get, GetNext, Inform, Response, Set and Trap PDUs all contain the same fields as the common PDU above.

SNMPv3 General Message Format
Table 221: SNMP Version 3 (SNMPv3) General Message Format
Field Name | Syntax | Size (bytes) | Description
Msg Version | Integer | 4 | Message Version Number: describes the SNMP version number of this message; used for ensuring compatibility between versions. For SNMPv3 this value is 3.
Msg ID | Integer | 4 | Message Identifier: a number used to identify an SNMPv3 message and to match response messages to request messages. Its use is similar to that of the Request ID field in the PDU, but they are not identical: this field allows matching at the message-processing level regardless of the contents of the PDU (which may be encrypted), to protect against certain security attacks. Msg ID and Request ID are therefore used independently.
Msg Max Size | Integer | 4 | Maximum Message Size: the maximum size of message that the sender of this message can receive. The minimum value of this field is 484.
Msg Flags | Octet String | 1 | Message Flags: bit 0 authFlag, bit 1 privFlag, bit 2 reportableFlag. authFlag and privFlag select the security level (privFlag without authFlag is invalid); reportableFlag says whether a Report-PDU may be sent back if this message cannot be processed.
Msg Security Model | Integer | 4 | Message Security Model: an integer value indicating which security model was used for this message. For the user-based security model (the default in SNMPv3) this value is 3.
Msg Security Parameters | (model-specific) | Variable | Message Security Parameters: a set of fields that contain the parameters required to implement the particular security model used for this message. The contents are specified in each document describing an SNMPv3 security model; for example, the parameters for the user-based model are in RFC 3414.
Scoped PDU | (contextEngineID, contextName, PDU) | Variable | Scoped PDU: the PDU together with the context it applies to; this is the part of the message that is encrypted when privacy is in use.

Security services
- Data integrity: the property that data or data sequences have not been altered or destroyed in an unauthorized manner.
- Data origin authentication: the property that the claimed identity of the user on whose behalf received data was originated is corroborated.
- Data confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes.
- Message timeliness and limited replay protection: the property that a message whose generation time is outside a specified time window is not accepted.

Performance and Security Issues
- Modification of information: the danger that some unauthorized entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object.
- Masquerade: the danger that management operations not authorized for some user may be attempted by assuming the identity of another user that has the appropriate authorizations.
- Disclosure: the danger of eavesdropping on the exchanges between managed agents and a management station. Protecting against this threat may be required as a matter of local policy.
- Message stream modification: SNMP is typically based on a connectionless transport service that may operate over any sub-network service. Re-ordering, delay or replay of messages can and does occur through the natural operation of many such sub-network services. The message stream modification threat is the danger that messages may be re-ordered, delayed or replayed in order to effect unauthorized management operations.
These four are the threats the SNMPv3 security model (RFC 3414) is designed to counter; denial of service and traffic analysis are explicitly out of its scope.

Extensions (SNMPv2 protocol)
Two new protocol operations were added in SNMPv2.
- Get-bulk-request supports efficient transfer of large amounts of MIB data, and
- Inform-request enables a manager to inform another manager of significant events.

The main problems of SNMPv1 are authenticating the message source, protecting messages from disclosure, and placing access controls on the MIB. SNMPv2 tried to solve them with a new security framework and new PDU formats, but only the PDU changes survived: the SNMPv2c that was actually deployed keeps SNMPv1 community strings, and these problems were not solved until SNMPv3.

Other SNMPv2 changes:
- In SNMPv1, traps had a different format from all the other PDUs. SNMPv2 simplifies traps by giving them the same format as the get and set PDUs.
- In SNMPv1, if too much data is asked for in an ordinary get-request, you receive a tooBig error and no data. The SNMPv2 get-bulk-request lets you retrieve a lot of information and returns as much data as fits in the response message.
- In SNMPv2, if one of several values requested in a get-request is not valid or does not exist, the other bindings are still answered and only the bad one carries an exception value. In SNMPv1 no data at all was returned, only the error.

The SNMPv2 security framework (the party-based SNMPv2p of RFC 1446) addressed authentication of the message sender, message integrity and eavesdropping: an authentication protocol to identify the source reliably and prevent message modification, and encryption to keep messages private. SNMPv1 has none of these features, and because SNMPv2p was never widely adopted, neither does the community-based SNMPv2c (RFC 1901).

SNMP Security
Security in SNMP versions
- SNMPv1 uses community strings for authentication, sent as plain text without encryption.
- SNMPv2 was supposed to fix the security problems, but the effort derailed; SNMPv2c retained community strings.
- SNMPv3 has the security features that were missing:
  - ensures that a packet has not been tampered with (integrity),
  - ensures that a message is from a valid source (authentication),
  - ensures that a message cannot be read by unauthorized parties (privacy).
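The SNMPv1 message and PDU layouts tabulated above, and the plain-text community string just mentioned, as an added example that is not part of the original slides: a minimal BER encoder and decoder written for this page. It builds the GetRequest an NMS sends for sysLocation.0 with community "public", parses it back, and checks that the community is readable in the raw datagram. Function names, the dictionary returned by decode_message and the error messages are this example's own; the tags, lengths and field order are those of SNMPv1 (RFC 1157). The v1 Trap-PDU (tag 0xA4) has a different body layout and is not decoded.

```python
# Added example, not from the original slides: a minimal BER encoder/decoder for
# the SNMPv1 message and PDU layouts tabulated above. Only the ASN.1 types SNMPv1
# uses are handled; the v1 Trap-PDU (tag 0xA4) has its own body layout and is not
# decoded. Every length is bounds-checked so truncated datagrams are rejected.
PDU_TAGS = {"GetRequest": 0xA0, "GetNextRequest": 0xA1,
            "GetResponse": 0xA2, "SetRequest": 0xA3}
TAG_NAMES = {tag: name for name, tag in PDU_TAGS.items()}
NULL = b"\x05\x00"                       # value placeholder in a get request
SYSLOCATION_0 = (1, 3, 6, 1, 2, 1, 1, 6, 0)

def ber_len(n):
    """Length octets: short form below 128, long form (0x80|N, then N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def enc_int(v):
    """INTEGER (0x02) in minimal-length two's complement."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(arcs):
    """OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_message(community, pdu_type, request_id, varbinds, error_status=0, error_index=0):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, data PDU }.
    varbinds: list of (oid tuple, already-encoded value TLV)."""
    vbl = tlv(0x30, b"".join(tlv(0x30, enc_oid(oid) + val) for oid, val in varbinds))
    pdu = enc_int(request_id) + enc_int(error_status) + enc_int(error_index) + vbl
    return tlv(0x30, enc_int(0) + tlv(0x04, community) + tlv(PDU_TAGS[pdu_type], pdu))

def read_tlv(buf, pos=0):
    """Return (tag, content, next position); lengths are checked against the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length

def dec_int(content):
    return int.from_bytes(content, "big", signed=True)

def dec_oid(content):
    if not content:
        raise ValueError("empty OID")
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return tuple(arcs)

def decode_message(buf):
    """Parse an SNMPv1 message; varbind values come back as (tag, raw content)."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("message is not a single SEQUENCE")
    _, ver, p = read_tlv(body)
    if dec_int(ver) != 0:
        raise ValueError("not an SNMPv1 message")
    _, community, p = read_tlv(body, p)
    ptag, pdu, _ = read_tlv(body, p)
    if ptag not in TAG_NAMES:
        raise ValueError("unsupported PDU tag 0x%02x" % ptag)
    fields, q = [], 0
    for _ in range(3):                   # request-id, error-status, error-index
        _, c, q = read_tlv(pdu, q)
        fields.append(dec_int(c))
    _, vbl, _ = read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, r = read_tlv(vb)
        vtag, vval, _ = read_tlv(vb, r)
        varbinds.append((dec_oid(oid), vtag, vval))
    return {"community": community, "pdu": TAG_NAMES[ptag], "request_id": fields[0],
            "error_status": fields[1], "error_index": fields[2], "varbinds": varbinds}

def is_malformed(buf):
    """True when the decoder rejects buf (truncated, wrong version, unknown PDU)."""
    try:
        decode_message(buf)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    req = encode_message(b"public", "GetRequest", 1, [(SYSLOCATION_0, NULL)])
    print(req.hex())   # 7075626c6963 ("public") is readable by anyone on the path
```

The 40-byte request this produces is exactly what a packet capture of an SNMPv1 snmpget for sysLocation.0 shows, and any sniffer on the path recovers the community string from it. The bounds checks in read_tlv are the part a hand-written decoder most often gets wrong; an agent that trusts the length octets of an incoming datagram reads past the buffer.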
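The SNMPv3 user-based security model mechanisms that counter the four threats listed under 'Performance and Security Issues' above, as an added example that is not part of the original slides. password_to_key and localize_key implement RFC 3414 Appendix A.2 exactly, and the published A.3 test vectors for the password "maplesyrup" reproduce. authenticate and verify apply the HMAC-96 authentication and the 150-second time window to a simplified fixed-layout message that stands in for the BER-encoded wholeMsg; that layout, the helper names and the sample user "ops" are this example's own, not RFC 3414 wire format.

```python
# Added example, not from the original slides: RFC 3414 (USM) key derivation,
# HMAC-96 authentication and the timeliness check, over a simplified message
# layout that stands in for the real BER-encoded wholeMsg.
import hashlib
import hmac

ONE_MIB = 1048576           # RFC 3414 A.2 hashes 1 MiB of the repeated password
AUTH_PARAM_LEN = 12         # HMAC-MD5-96 / HMAC-SHA-96 keep 12 octets of the MAC
TIME_WINDOW = 150           # seconds, RFC 3414 section 2.3
MAX_ENGINE_BOOTS = 2**31 - 1

def password_to_key(password, hash_name):
    """Ku: digest of the password repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): one password, a distinct key per agent,
    so a key lifted from one device does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def _serialize(boots, time_, user, auth_params, scoped_pdu):
    # Stand-in for the BER message: boots(4) time(4) userlen(1) user MAC(12) payload.
    return (boots.to_bytes(4, "big") + time_.to_bytes(4, "big")
            + bytes([len(user)]) + user + auth_params + scoped_pdu)

def _mac(kul, hash_name, boots, time_, user, scoped_pdu):
    # The MAC covers the whole message with msgAuthenticationParameters zeroed.
    zeroed = _serialize(boots, time_, user, bytes(AUTH_PARAM_LEN), scoped_pdu)
    return hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAM_LEN]

def authenticate(kul, hash_name, boots, time_, user, scoped_pdu):
    """Sender side: compute the MAC over the zeroed message, then fill it in."""
    mac = _mac(kul, hash_name, boots, time_, user, scoped_pdu)
    return _serialize(boots, time_, user, mac, scoped_pdu)

def verify(kul, hash_name, msg, local_boots, local_time):
    """Authoritative receiver: integrity/origin check first, then timeliness.
    Returns 'ok', 'authenticationFailure' or 'notInTimeWindow'."""
    boots, time_ = int.from_bytes(msg[0:4], "big"), int.from_bytes(msg[4:8], "big")
    ulen = msg[8]
    user = msg[9:9 + ulen]
    mac = msg[9 + ulen:9 + ulen + AUTH_PARAM_LEN]
    scoped_pdu = msg[9 + ulen + AUTH_PARAM_LEN:]
    if not hmac.compare_digest(mac, _mac(kul, hash_name, boots, time_, user, scoped_pdu)):
        return "authenticationFailure"   # modified in transit, or wrong key (masquerade)
    if (local_boots == MAX_ENGINE_BOOTS or boots != local_boots
            or abs(local_time - time_) > TIME_WINDOW):
        return "notInTimeWindow"         # replayed or delayed message
    return "ok"

if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"      # the sample snmpEngineID of RFC 3414 A.3
    kul = localize_key(password_to_key(b"maplesyrup", "md5"), engine_id, "md5")
    print("Kul(md5) =", kul.hex())       # 526f5eed9fcce26f8964c2930787d82b
    msg = authenticate(kul, "md5", 7, 1000, b"ops", b"\x30\x00")
    print(verify(kul, "md5", msg, 7, 1010))                               # ok
    print(verify(kul, "md5", msg[:-1] + bytes([msg[-1] ^ 1]), 7, 1010))   # authenticationFailure
    print(verify(kul, "md5", msg, 7, 1300))                               # notInTimeWindow
```

The order inside verify matters: the MAC is checked before the time window, so an attacker cannot use the timeliness response to probe a message they could not authenticate. The same password_to_key and localize_key serve the SHA-2 authentication protocols of RFC 7860 (pass "sha256" and so on), but those keep 16 to 48 octets of the MAC rather than 12, so AUTH_PARAM_LEN would change with the protocol.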
SNMPv3 has three security levels:
- Monitoring (noAuthNoPriv): only the user name is matched; no authentication and no encryption.
- Control (authNoPriv): authentication with MD5 or SHA HMAC message digests.
- Downloading secrets (authPriv): authentication with MD5 or SHA message digests, and encryption with DES.
MD5, SHA-1 and DES are the original RFC 3414 choices; later extensions added AES (RFC 3826) and the SHA-2 family (RFC 7860), which are what new deployments should use. Note that noAuthNoPriv offers no more protection than a community string.

SNMP GUI: OpenView Severity Levels
Severity | Color
Unknown | Blue
Normal | Green
Warning | Cyan
Minor | Yellow
Major | Orange
Critical | Red

Conclusions
SNMP is standardized, universally supported, extensible and portable; it allows distributed management access and is a lightweight protocol.

Review Questions
1. What are the components of the network management architecture? Define them.
2. What are MIBs, and how are they accessed?
3. What are the types of messages exchanged between an SNMP manager and an agent?

References
- http://www.faqs.org/rfcs/
- http://www.ietf.org/rfcs/
- http://www.icg.isy.liu.se/courses/tsin02ici/slides/11_Snmp-v3.pdf
- http://www.dpstele.com/layers/l2/snmp_l2_tut_part1.html
- http://www.cisco.com/warp/public/535/3.html