Network Management Security
Behzad Akbari, Fall 2009
In the Name of the Most High
Outline
- Basic Concepts of SNMP
- Network Management Architecture
- SNMPv1 Community Facility
- SNMPv3
- Recommended Reading and Web Sites
Basic Concepts of SNMP
As networks grow larger they become more indispensable to the organization, and more things can go wrong, degrading the network to an unacceptable level. A large network is too complex to be managed by human effort alone and requires automated network management tools, such as the Simple Network Management Protocol (SNMP).
Basic Concepts of SNMP
Network Management Architecture
A network management system is an integrated collection of tools for network monitoring and control:
- Single operator interface
- Minimal amount of separate equipment: software and network communications capability are built into the existing equipment
- Active elements of the network provide regular feedback of status information to the network control center
SNMP Architecture
SNMP key elements:
- Management station: often a stand-alone device, which serves as the human interface
- Management agent: responds to requests for information from the management station
- Management information base (MIB): the collection of access points at the agent for the station
- Network management protocol: links station and agents and includes Get (retrieve the value of objects at the agent), Set (set the value of objects at the agent) and Notify (notifies the station of significant events)
Network Management Protocol Architecture
In 1988 SNMP became dominant. Most vendors of routers, workstations, PCs, etc. offer SNMP agent packages that allow their products to be managed by an SNMP management station.
SNMP is easily implemented and uses minimal processor and network resources.
Network Management Protocol Architecture
SNMP is designed as an application-level protocol that is part of TCP/IP, intended to operate over the User Datagram Protocol (UDP); each agent must therefore implement SNMP, UDP, and IP.
Protocol Context of SNMP
Three types of messages are issued by the management station: GetRequest, GetNextRequest and SetRequest.
All three are acknowledged by a GetResponse.
An agent may issue a Trap message on its own in response to an event.
Protocol Context of SNMP
SNMP relies on UDP, which is connectionless, and SNMP itself is also connectionless.
No connections are maintained between a management station and an agent.
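The request/response exchange described above, as an added example that is not part of the original slides: a Python script that hand-encodes an SNMPv1 GetRequest in BER, lets a small in-memory agent answer it with a GetResponse, and parses the reply. The agent, its MIB contents, the community name "public" and the `agent_respond` helper are constructed for illustration; the tag values and message layout are those of RFC 1157. Two security-relevant details fall out of the encoding: the community name is an ordinary OCTET STRING readable by anyone who sees the datagram, and a v1 Get is atomic, so one unknown OID fails the whole request with noSuchName.

```python
# SNMPv1 GetRequest / GetResponse exchange, hand-encoded and parsed (RFC 1157 BER).
# Added example: the agent, its MIB contents and the community name are constructed.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
SNMP_V1, NO_ERROR, NO_SUCH_NAME = 0, 0, 2   # version field; error-status values used below

def ber_length(n):
    """Length octets: short form below 128, else 0x80 | byte count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def enc_int(v):
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        groups = [a & 0x7F]
        a >>= 7
        while a:
            groups.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(groups))
    return tlv(OID, bytes(out))

def build_message(community, pdu_type, request_id, varbinds, error_status=0, error_index=0):
    """varbinds: (oid, value) pairs; None encodes NULL, a str encodes an OCTET STRING."""
    vbl = b"".join(tlv(SEQUENCE, enc_oid(o) + (tlv(NULL, b"") if v is None else tlv(OCTET_STRING, v.encode())))
                   for o, v in varbinds)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(error_status) + enc_int(error_index) + tlv(SEQUENCE, vbl))
    # The community name is a plain OCTET STRING: whoever can read the datagram can read it.
    return tlv(SEQUENCE, enc_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_message(buf):
    _, msg, _ = read_tlv(buf)                 # outer SEQUENCE
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    ints, q = [], 0
    for _ in range(3):                        # request-id, error-status, error-index
        _, f, q = read_tlv(pdu, q)
        ints.append(int.from_bytes(f, "big", signed=True))
    _, vbl, _ = read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid_body, r = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, r)
        varbinds.append((dec_oid(oid_body), val.decode() if vtag == OCTET_STRING else None))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode(),
            "pdu_type": pdu_tag, "request_id": ints[0], "error_status": ints[1],
            "error_index": ints[2], "varbinds": varbinds}

# constructed sysDescr.0 / sysName.0 values for the demo agent
DEMO_MIB = {"1.3.6.1.2.1.1.1.0": "constructed-router v1.0", "1.3.6.1.2.1.1.5.0": "edge-rtr-01"}

def agent_respond(request, mib=DEMO_MIB, community="public"):
    """Constructed agent. v1 Get is atomic: the first unknown OID fails the whole request
    (noSuchName, error-index = its 1-based position) and all values come back as NULL."""
    req = parse_message(request)
    if req["community"] != community or req["pdu_type"] != GET_REQUEST:
        return None                           # wrong community or PDU type: drop silently
    for i, (oid, _) in enumerate(req["varbinds"], start=1):
        if oid not in mib:
            return build_message(community, GET_RESPONSE, req["request_id"], req["varbinds"],
                                 error_status=NO_SUCH_NAME, error_index=i)
    return build_message(community, GET_RESPONSE, req["request_id"], [(o, mib[o]) for o, _ in req["varbinds"]])

if __name__ == "__main__":
    req = build_message("public", GET_REQUEST, 1, [("1.3.6.1.2.1.1.1.0", None)])
    print(req.hex(), parse_message(agent_respond(req)), sep="\n")
```

Run as a script it prints the canonical 40-byte "get sysDescr.0" request (community public, request-id 1) followed by the decoded GetResponse; the hex can be compared directly against a packet capture of a real manager doing the same query.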
Proxies
Proxies were developed for devices that do not support UDP/IP or do not implement SNMP.
An SNMP agent acts as a proxy for one or more other devices.
The management station sends queries to the proxy agent, which converts them to the management protocol used by the device.
When the proxy agent receives a reply, it passes it back to the management station.
Proxy Configuration
SNMP v1 and v2
Trap: an unsolicited message (reporting an alarm condition).
SNMPv1 is "connectionless" since it uses UDP (rather than TCP) as the transport-layer protocol.
SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.
Any device that does not run SNMPv2 must be managed by proxy.
SNMPv2
The strength of SNMP is its simplicity: it provides a basic set of tools that is easy to implement and configure.
Its deficiencies become apparent in large networks:
- Lack of support for distributed network management
- Functional deficiencies
- Security deficiencies (addressed in SNMPv3)
Distributed Network Management
In a centralized scheme one host has the function of management station, and two or three others may have a back-up role. The remaining devices contain agent software and a MIB to allow monitoring and control from the management station.
MIB: Management Information Base, a database of objects that can be monitored by a network management system.
As the network grows in size this becomes unmanageable, and a decentralized management scheme works best.
Decentralized (Distributed) Network Management
- Multiple top-level management stations or management servers
- Each server manages a pool of agents or delegates the management to an intermediate manager
- An intermediate manager monitors and controls its agents
- Spreads the processing burden and reduces total network traffic
SNMPv2
SNMPv2 supports either a centralized strategy or a distributed one.
Some systems operate both in the role of manager and in the role of agent.
Some commands require an agent to act as a proxy for remote devices: the proxy assumes the role of manager to access information at the remote device, then, as an agent, passes the information up to a superior manager.
Functional Enhancements
SNMPv1: 5 commands (GetRequest, GetNextRequest, SetRequest, GetResponse, Trap), issued as protocol data units (PDUs).
SNMPv2: all 5 commands from v1, plus two new ones:
- InformRequest, sent from one management station to another
- GetBulkRequest, which allows a manager to retrieve a large block of data at once
Get is atomic in SNMPv1 (either every requested value is returned or an error is), but not in SNMPv2, which may return partial results.
Comparison of SNMPv1 and SNMPv2 PDUs

| Description | Direction | SNMPv2 PDU | SNMPv1 PDU |
| --- | --- | --- | --- |
| Request value for each listed object | Manager to agent | GetRequest | GetRequest |
| Request next value for each listed object | Manager to agent | GetNextRequest | GetNextRequest |
| Request multiple values | Manager to agent | GetBulkRequest | (none) |
| Set value for each listed object | Manager to agent | SetRequest | SetRequest |
| Transmit unsolicited information | Manager to manager | InformRequest | (none) |
| Respond to manager request | Agent to manager, or manager to manager (SNMPv2) | Response | GetResponse |
| Transmit unsolicited information | Agent to manager | SNMPv2-Trap | Trap |
SNMPv1 Community Facility
SNMP community: a relationship between an SNMP agent and a set of SNMP managers, defined locally at the agent and named by a community string.
Three aspects of agent control:
- Authentication service: the agent may limit access to the MIB to authorized managers
- Access policy: the agent may give different access privileges to different managers
- Proxy service: the agent may act as a proxy to other agents
All of these raise security concerns: the community name travels in cleartext in every SNMPv1 message, so "authentication" amounts to knowing that string.
SNMPv1 Administrative Concepts
SNMPv3
SNMPv3 is not a stand-alone replacement for versions 1 and 2.
SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferred) or SNMPv1.
It describes an architecture for current and future versions of SNMP.
It is essentially SNMPv2 with security and administrative capabilities added.
SNMPv3 Architecture
Modular architecture:
- Allows implementation over a wide range of operational environments
- Makes it possible to move portions of the architecture forward in the standards track even if consensus is not reached on all pieces
- Accommodates alternate security models
SNMP Entity
Each SNMP entity includes a single SNMP engine
Engine implements functions for sending and receiving messages, authenticating, encrypting and decrypting messages and controlling access to managed objects.
Both the engine and the applications are collections of discrete modules.
SNMP Entity
This architecture provides advantages:
- The role of an entity is determined by which modules are implemented in the entity
- The modular structure lends itself to defining different versions of each module, which makes it possible to define alternative or enhanced capabilities
- It clearly specifies coexistence and transition strategies
Traditional SNMP manager
The manager interacts with agents by issuing commands (get, set) and by receiving trap messages.
The manager may also interact with other managers by issuing InformRequest PDUs, which provide alerts, and by receiving the Response PDUs that acknowledge them.
Traditional SNMP manager
Includes three categories of applications:
- Command Generator applications: monitor and manipulate management data at remote agents (using SNMPv1 or SNMPv2 PDUs)
- Notification Originator applications: originate asynchronous messages (using InformRequest)
- Notification Receiver applications: process incoming asynchronous messages
Traditional SNMP Manager
The SNMP engine performs two functions:
- Accepts outgoing PDUs from SNMP applications, performs the necessary processing, including inserting authentication codes and encrypting, and encapsulates them for transmission
- Accepts incoming SNMP messages from the transport layer, performs the necessary processing, including verifying authentication codes and decrypting, extracts the PDUs and passes these on to the SNMP applications
SNMP Engine Contains
- A Dispatcher: a simple traffic manager. For outgoing PDUs it determines the type of processing required and passes them to the Message Processing Subsystem; for incoming messages from the transport layer it routes the extracted PDU to the right application
- A Message Processing Subsystem: wraps PDUs in messages (and unwraps incoming ones) and returns them to the Dispatcher
- A Security Subsystem: performs authentication and encryption on the way out, and their verification and decryption on receipt
Traditional SNMP Agent
Contains 3 types of applications:
- Command Responder: provides access to management data
- Notification Originator: initiates asynchronous messages
- Proxy Forwarder: forwards messages between applications
Traditional SNMP Agent
SNMPv3 Flow
SNMPv3 Message Format with USM
User-based Security Model (USM)
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure
Not intended to secure against:
- Denial of service (DoS attacks)
- Traffic analysis
Key Localization Process
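The key localization step the figure refers to, as an added example that is not from the slides: a Python implementation of the RFC 3414 USM procedure, in which a user's password is first stretched into a key Ku by hashing 1 MiB of the password repeated, and Ku is then localized to one agent as Kul = H(Ku || snmpEngineID || Ku). The password "maplesyrup" and engine ID 0x000000000000000000000002 are RFC 3414's own published test vector; the second engine ID and the message bytes are constructed. The HMAC-96 functions show how Kul is then used as the authentication key, and why a Kul recovered from one agent does not verify messages for another.

```python
# RFC 3414 USM key derivation (password -> Ku -> localized Kul) and HMAC-96 authentication.
# Added example; "maplesyrup" / engine 0x00..02 is the RFC 3414 A.3 test vector, the rest is constructed.
import hashlib
import hmac

EXPANSION = 1048576          # RFC 3414 A.2: hash exactly 1 MiB of the repeated password
TAG_LEN = 12                 # HMAC-96: the first 12 octets of the HMAC output

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated to fill 1 MiB (deliberately slow to brute-force)."""
    if not password:
        raise ValueError("USM password must not be empty")
    expanded = (password * (EXPANSION // len(password) + 1))[:EXPANSION]
    return hashlib.new(hash_name, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def derive_auth_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)

def auth_tag(whole_msg: bytes, kul: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with that field already
    set to 12 zero octets by the sender), truncated to 12 octets."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:TAG_LEN]

def verify_auth(whole_msg: bytes, tag: bytes, kul: bytes, hash_name: str = "md5") -> bool:
    return len(tag) == TAG_LEN and hmac.compare_digest(auth_tag(whole_msg, kul, hash_name), tag)

RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")        # RFC 3414 A.3 vector
OTHER_ENGINE_ID = bytes.fromhex("80001f8880e9630000d61ff449")    # constructed second agent
PASSWORD = b"maplesyrup"

def demo():
    kul_a = derive_auth_key(PASSWORD, RFC_ENGINE_ID)
    kul_b = derive_auth_key(PASSWORD, OTHER_ENGINE_ID)
    msg = b"\x30\x00constructed-snmpv3-message-with-zeroed-auth-params"   # stand-in, not real BER
    tag = auth_tag(msg, kul_a)
    return {
        "ku": password_to_key(PASSWORD).hex(),
        "kul": kul_a.hex(),
        "same_password_different_engine_keys": kul_a != kul_b,
        "tag_verifies_with_own_key": verify_auth(msg, tag, kul_a),
        "tag_verifies_with_other_engine_key": verify_auth(msg, tag, kul_b),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 1 MiB expansion is the only work factor USM has against password guessing; localization is what limits the blast radius, since an attacker who dumps Kul from one agent's configuration still cannot authenticate to a second agent with a different snmpEngineID unless the password itself leaks.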
View-Based Access Control Model (VACM)
VACM has two characteristics:
- It determines whether access to a managed object should be allowed.
- It makes use of a MIB that defines the access control policy for this agent and makes it possible to use remote configuration.
Access control decision
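The access control decision the figure refers to, as an added example that is not part of the slides: a Python model of the three VACM tables from RFC 3415 (vacmSecurityToGroupTable, vacmAccessTable, vacmViewTreeFamilyTable) and an isAccessAllowed check over them, including the subtree-plus-mask matching that lets a view cover "every column of one interface row". The users, groups and views are constructed; context matching is simplified to the default context, and the mapping of the SNMPv1 community "public" to a group shows how the v1 community policy from earlier in the slides is expressed under VACM: the community name is just another securityName at the noAuthNoPriv level.

```python
# VACM (RFC 3415) access check: securityName -> group -> access row -> view -> subtree match.
# Added example; users, groups and views are constructed, the OIDs are standard MIB subtrees.

NO_AUTH_NO_PRIV, AUTH_NO_PRIV, AUTH_PRIV = 1, 2, 3        # securityLevel
SNMPV1, SNMPV2C, USM = 1, 2, 3                            # securityModel (0 = any)

def oid(dotted):
    return tuple(int(a) for a in dotted.split("."))

class ViewFamily:
    """One vacmViewTreeFamilyTable row: subtree, mask (bit 1 = arc must match, 0 = wildcard,
    bits beyond the mask count as 1) and whether matching OIDs are included or excluded."""

    def __init__(self, subtree, included=True, mask=b""):
        self.subtree, self.included, self.mask = oid(subtree), included, mask

    def mask_bit(self, i):
        return (self.mask[i // 8] >> (7 - i % 8)) & 1 if i // 8 < len(self.mask) else 1

    def matches(self, target):
        return len(target) >= len(self.subtree) and all(
            not self.mask_bit(i) or target[i] == self.subtree[i] for i in range(len(self.subtree)))

def in_view(families, target):
    """Longest matching subtree decides; ties go to the lexicographically greater subtree, then mask."""
    hits = [f for f in families if f.matches(target)]
    return bool(hits) and max(hits, key=lambda f: (len(f.subtree), f.subtree, f.mask)).included

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {
    (USM, "monitor"): "readers",
    (USM, "admin"): "admins",
    (SNMPV1, "public"): "readers",     # a v1 community name is just a securityName here
}

# vacmAccessTable: (groupName, securityModel, minimum securityLevel, readView, writeView)
ACCESS = [
    ("readers", SNMPV1, NO_AUTH_NO_PRIV, "system-only", None),
    ("readers", USM, AUTH_NO_PRIV, "monitoring", None),
    ("admins", USM, AUTH_PRIV, "everything", "admin-write"),
]

# vacmViewTreeFamilyTable, grouped by view name
VIEWS = {
    "system-only": [ViewFamily("1.3.6.1.2.1.1")],                    # system group only
    "monitoring": [ViewFamily("1.3.6.1.2.1.1"),
                   # ifEntry.<any column>.7: mask 0xFFA0 wildcards arc 9 (column) and pins arc 10 (ifIndex 7)
                   ViewFamily("1.3.6.1.2.1.2.2.1.0.7", mask=bytes([0xFF, 0xA0]))],
    "everything": [ViewFamily("1.3.6.1")],
    "admin-write": [ViewFamily("1.3.6.1"),
                    ViewFamily("1.3.6.1.6.3.16", included=False)],  # snmpVacmMIB: no self-granted access
}

def is_access_allowed(security_model, security_name, security_level, view_type, target):
    """isAccessAllowed for the default context; view_type is "read" or "write"."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    rows = [a for a in ACCESS
            if a[0] == group and a[1] in (0, security_model) and a[2] <= security_level]
    if group is None or not rows:
        return False
    # prefer an exact securityModel match, then the highest securityLevel that still applies
    _, _, _, read_view, write_view = max(rows, key=lambda a: (a[1] != 0, a[2]))
    view = read_view if view_type == "read" else write_view
    return view is not None and in_view(VIEWS[view], oid(target))

if __name__ == "__main__":
    for user, level, kind, target in [("monitor", AUTH_NO_PRIV, "read", "1.3.6.1.2.1.1.5.0"),
                                      ("monitor", AUTH_NO_PRIV, "read", "1.3.6.1.2.1.2.2.1.2.8"),
                                      ("admin", AUTH_PRIV, "write", "1.3.6.1.6.3.16.1.4.1.5")]:
        print(user, level, kind, target, is_access_allowed(USM, user, level, kind, target))
```

Two details are worth copying into a real configuration: the securityLevel in the access row is a floor, so a user whose message arrives unauthenticated gets no row at all rather than a weaker one, and excluding snmpVacmMIB (1.3.6.1.6.3.16) from every write view stops a writer from using Set to widen its own group's views.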
Recommended Reading and Web Sites
- Subramanian, Mani. Network Management. Addison-Wesley, 2000.
- Stallings, W. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, 1999.
- IETF SNMPv3 working group (Web sites)
- SNMPv3 Web sites