ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035
Office: GCATT Bldg 579. Email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 8: Basic Concepts of SNMP - Simple Network Mgmt Protocol
(The text: “Network Security Essentials, Applications and Standards” by William Stallings)
Network Management Architecture
An integrated collection of tools for network monitoring and control.
• Single operator interface.
• Minimal amount of separate equipment – software and network communications capability built into the existing equipment.
The primary parts are:
• Management station (central control, has an “agent”)
• Management agents (software in network equipment)
• Management Information Base (MIB)
• Network management protocol (rules for communication)
SNMP Trap – an unsolicited message, perhaps reporting an alarm condition (to UDP port 162).
SNMPv1 (version 1) is “connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol. SNMPv2 allows the use of TCP for “reliable, connection-oriented” service.
“Proxy” – an add-on box to add SNMP features to a network unit (router, modem, PC, …) that does not have built-in SNMP capability.
SNMP v1, v2, and v3
Problems with SNMP v1 addressed by version 2:
• Lack of support for distributed network management.
• Functional deficiencies - v2 can use TCP/IP and Novell IPX.
Problem addressed by version 3:
• Security - version 1 used a community name as a password.
SNMP v3 – a Security Add-on
SNMP v3 “engine” operating at the Application Layer:
• On outgoing PDUs inserts authentication codes (MACs), encrypts certain fields, and encapsulates the PDU into a message for transmission.
• For incoming messages (from the Transport Layer) performs authentication verification and decryption, and extracts PDUs from the message to pass up to the SNMP applications above.
• Security Subsystem – performs the authentication and encryption tasks.
Figure 8.1 The Role of SNMP: a management application on the SNMP management station manages objects on the SNMP agent (managed resources); SNMP manager and SNMP agent exchange GetRequest, GetNextRequest, SetRequest, GetResponse and Trap messages over UDP / IP / network-dependent protocols across the network or internet.
Figure 8.2 Proxy Configuration: the management station (manager process, SNMP, UDP, IP, network-dependent protocols) talks to a proxy agent (agent process plus mapping function), which in turn talks to the proxied device using the protocol architecture of the proxied device.
Figure 8.3 Example Distributed Network Management Configuration: a management server (manager) at the central site reaches routers (agents) over Ethernet and an FDDI backbone; an intermediate manager (manager/agent) manages the agents on Token ring and Ethernet LANs.
Figure 8.4 SNMPv1 Administrative Concepts: an SNMP community (community name) pairs an SNMP agent with a set of SNMP managers; the SNMP community profile is a MIB view plus an SNMP access mode, and together these define the SNMP access policy.
Figure 8.5 SNMP Protocol Architecture: an SNMP PDU (SNMPv1 or SNMPv2) is wrapped by Message Processing into V3-MH + SNMP PDU (SNMPv3 USM); UDP prepends UDP-H and IP prepends IP-H. Legend: IP-H = IP header; UDP-H = UDP header; V3-MH = SNMPv3 message header; PDU = Protocol data unit.
Figure 8.6 Traditional SNMP Manager: an SNMP entity whose SNMP applications (Command Generator, Notification Originator, Notification Receiver) sit above an SNMP engine made up of a Dispatcher (PDU dispatcher, message dispatcher, transport mapping, e.g., RFC1906), a Message Processing Subsystem (v1MP, v2cMP, v3MP, otherMP) and a Security Subsystem (User-based Security Model, other security model), running over UDP, IPX or other networks.
Figure 8.7 Traditional SNMP Agent: the same engine components plus an Access Control Subsystem (View-based Access Control Model, other access control model); the SNMP applications are Proxy Forwarder, Command Responder and Notification Originator, sitting above the MIB instrumentation.
Figure 8.8 SNMPv3 Flow. (a) Command Generator or Notification Originator: sendPdu → prepareOutgoingMsg → generateRequestMsg → send SNMP request message to network; on receiving the SNMP response message from the network: prepareDataElements → processIncomingMsg → processResponsePdu. (b) Command Responder: registerContextEngineID; on receiving the SNMP request message from the network: prepareDataElements → processIncomingMsg → processPdu; then returnResponsePdu → prepareResponseMsg → generateResponseMsg → send SNMP response message to network. Each step passes between the Command Generator/Responder, the Dispatcher, the Message Processing Model and the Security Model.
Figure 8.9 SNMPv3 Message Format with USM. Generated/processed by the Message Processing Model: msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel. Generated/processed by the User Security Model (USM): msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime, msgUserName, msgAuthenticationParameters, msgPrivacyParameters. Scoped PDU: contextEngineID, contextName, PDU (plaintext or encrypted). The scope of authentication is the whole message; the scope of encryption is the scoped PDU.
Figure 8.10 USM Message Processing. (a) Message Transmission: retrieve user information; if privacy is required, encrypt scopedPdu and set msgPrivacyParameters, otherwise msgPrivacyParameters ← null string; if authentication is required, compute MAC and set msgAuthenticationParameters, otherwise msgAuthenticationParameters ← null string. (b) Message Reception: retrieve message parameters; if authentication is required, compute MAC and compare to msgAuthenticationParameters, then determine if the message is within the time window; if privacy is required, decrypt scopedPdu.
Figure 8.11 Key Localization: the user password is expanded into a long password string; take the hash of the expanded password string to get the User Key; for each remote engine, take the hash of the user key and the remote EngineID to get that engine's Localized Key (one localized key per remote engine).
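An added example (not from the slides or Stallings' text) of what Figures 8.10 and 8.11 describe: password-to-key localization, HMAC-96 authentication over the whole message, and the receiver's time-window check, following RFC 3414. The message layout used here is constructed, not real BER encoding; the 1 MB password expansion and the Ku || engineID || Ku step come from the RFC, not from the slides.

```python
"""Added example (not from the slides or Stallings' text): SNMPv3 USM key
localization (Figure 8.11) and HMAC-96 authentication plus the timeliness check
(Figure 8.10), following RFC 3414.  The message layout below is constructed, not BER."""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # RFC 3414 A.2: the password is repeated to 1 MB before hashing
AUTH_PARAM_LEN = 12        # HMAC-96: the MAC is truncated to 96 bits
TIME_WINDOW = 150          # seconds, RFC 3414 section 2.2.3

def password_to_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Figure 8.11: hash the expanded password into the user key Ku, then hash
    Ku || engineID || Ku into the key localized to one remote engine (Kul)."""
    if not password:
        raise ValueError("empty password")
    reps = -(-EXPANDED_LEN // len(password))            # ceiling division
    ku = hashlib.new(algo, (password * reps)[:EXPANDED_LEN]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def usm_sign(header: bytes, scoped_pdu: bytes, kul: bytes, algo: str = "sha1") -> bytes:
    """Figure 8.10(a): msgAuthenticationParameters starts as 12 zero octets, the MAC
    is computed over the whole message, and the zeros are replaced by the MAC."""
    zeroed = header + bytes(AUTH_PARAM_LEN) + scoped_pdu
    mac = hmac.new(kul, zeroed, algo).digest()[:AUTH_PARAM_LEN]
    return header + mac + scoped_pdu

def usm_verify(msg: bytes, header_len: int, kul: bytes, algo: str = "sha1") -> bool:
    """Figure 8.10(b): zero the received MAC field, recompute, compare in constant time."""
    end = header_len + AUTH_PARAM_LEN
    received = msg[header_len:end]
    zeroed = msg[:header_len] + bytes(AUTH_PARAM_LEN) + msg[end:]
    expected = hmac.new(kul, zeroed, algo).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(received, expected)

def in_time_window(msg_boots: int, msg_time: int, my_boots: int, my_time: int) -> bool:
    """Authoritative engine's timeliness check (Figure 8.10(b)): boots must match,
    time must be within 150 s, and a saturated boot counter rejects everything."""
    return (my_boots != 2**31 - 1 and msg_boots == my_boots
            and abs(msg_time - my_time) <= TIME_WINDOW)

if __name__ == "__main__":
    # Constructed values: the engineID and password are the RFC 3414 A.3 test inputs.
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = password_to_key(b"maplesyrup", engine_id)
    header = b"v3-header|" + engine_id + b"|boots=1|time=42|user=ops|"   # constructed
    msg = usm_sign(header, b"scopedPDU:get sysName.0", kul)
    print("localized key:", kul.hex())
    print("verified:", usm_verify(msg, len(header), kul))
```

Because the key is localized with the remote EngineID, a key captured from one agent does not verify messages for another agent, and a one-bit change anywhere in the message fails the MAC check.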
Figure 8.12 VACM Logic: who (securityModel, securityName) → vacmSecurityToGroupTable → groupName; where (contextName) → vacmContextTable; how (securityModel, securityLevel); why (viewType: read/write/notify); groupName, contextName, securityModel, securityLevel and viewType → vacmAccessTable → viewName; what (object-type) and which (object-instance) → variableName (OID); viewName and variableName → vacmViewTreeFamilyTable → yes/no decision.
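An added example (not from the slides) that walks the Figure 8.12 decision with constructed VACM tables: the table names are RFC 3415's, but their contents, the user names and the view names are made up here, and the access lookup is simplified to an exact securityModel/securityLevel match.

```python
"""Added example (not from the slides): the VACM yes/no decision of Figure 8.12
with constructed tables, following RFC 3415's lookup order.  Simplification: the
access lookup here requires an exact securityModel/securityLevel match."""

# Constructed tables using the RFC 3415 table names; users and views are made up.
SECURITY_TO_GROUP = {("usm", "ops-reader"): "readers", ("usm", "ops-admin"): "admins"}
# (groupName, contextName, securityModel, securityLevel) -> viewName per viewType
ACCESS = {
    ("readers", "", "usm", "authNoPriv"): {"read": "sysView", "write": None, "notify": "sysView"},
    ("admins", "", "usm", "authPriv"): {"read": "allView", "write": "allView", "notify": "allView"},
}
# viewName -> [(subtree OID, mask or None, included)]; a 0 mask bit wildcards that arc
VIEW_TREE_FAMILY = {
    "sysView": [((1, 3, 6, 1, 2, 1, 1), None, True)],                # system group only
    "allView": [((1, 3, 6), None, True),
                ((1, 3, 6, 1, 6, 3, 15), None, False)],              # everything except usmMIB
    "ifRow2View": [((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 2),
                    (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True)],      # any ifEntry column, row 2
}

def family_matches(oid, subtree, mask):
    """An OID is in a family if it is at least as long as the subtree and agrees
    with it on every arc whose mask bit is 1 (missing mask bits count as 1)."""
    if len(oid) < len(subtree):
        return False
    return all(oid[i] == arc or (mask is not None and i < len(mask) and mask[i] == 0)
               for i, arc in enumerate(subtree))

def in_view(view_name, oid):
    """vacmViewTreeFamilyTable: the longest matching subtree decides included/excluded."""
    best = None
    for subtree, mask, included in VIEW_TREE_FAMILY.get(view_name, []):
        if family_matches(oid, subtree, mask) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]

def is_access_allowed(security_model, security_name, context, security_level, view_type, oid):
    """Figure 8.12: who -> groupName, where/how/why -> viewName, what/which -> yes/no."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))   # vacmSecurityToGroupTable
    if group is None:
        return False                                                  # noSuchGroupName
    views = ACCESS.get((group, context, security_model, security_level))  # vacmAccessTable
    if views is None or views.get(view_type) is None:
        return False                                                  # noAccessEntry / noSuchView
    return in_view(views[view_type], oid)                             # vacmViewTreeFamilyTable
```

The allView entry shows why the longest-match rule matters: the excluded usmMIB subtree overrides the included 1.3.6 subtree, so an admin with full read access still cannot read the USM user table through this view.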
More recommend