1 / 29

Network Management Security

Network Management Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@msi.vxu.se +46 470 70 86 49. Outline. Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3. The Internet Standard Management Framework.

pfinger
Download Presentation

Network Management Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network Management Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@msi.vxu.se +46 470 70 86 49

  2. Outline • Basic Concepts of SNMP • SNMPv1 Community Facility • SNMPv3

  3. The Internet Standard Management Framework SNMP network management consists of four parts: • Management Information Base (MIB) • A map of the hierarchical order of all managed objects and how they are accessed • Structure of Management Information (SMI) • Rules specifying the format used to define objects managed on the network that the SNMP protocol accesses • SNMP Protocol • Defines format of messages exchanged by management systems and agents. • Specifies the Get, GetNext, Set, and Trap operations • Security and administration capabilities • The addition of these capabilities represents the major enhancement in SNMPv3 over SNMPv2

  4. Basic Concepts of SNMP • An integrated collection of tools for network monitoring and control. • Single operator interface • Minimal amount of separate equipment. Software and network communications capability built into the existing equipment • SNMP key elements: • Management station • Management agent • Management information base • Network Management protocol • Get, Set and Notify

  5. Management Information Bases (MIB) • SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database • Information in the database is described by Management Information Bases (MIBs) • The MIB specifies the managed objects

  6. Management Information Bases (MIB) • The MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1) • ASN.1 is a formal language for describing data and its properties • In Linux, MIB files are in the directory /usr/share/snmp/mibs • Multiple MIB files • MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks

  7. Managed Objects • Each managed object is assigned an object identifier(OID) • The OID is specified in a MIB file. • An OID can be represented as a sequence of integers separated by decimal points or by a text string. Example: • 1.3.6.1.2.1.4.6. • iso.org.dod.internet.mgmt.mib-2.ip.ipForwData • When an SNMP manager requests an object, it sends the OID to the SNMP agent.

  8. MIB Example ipForwDatagrams OBJECT-TYPE SYNTAX Counter ACCESS read-only STATUS mandatory DESCRIPTION "The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity, and the Source- Route option processing was successful." ::= { ip 6 }

  9. Protocol context of SNMP

  10. Proxy Configuration

  11. SNMP v1 and v2 • Trap – an unsolicited message (reporting an alarm condition) • SNMPv1 is ”connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol. • SNMPv2 allows the use of TCP for ”reliable, connection-oriented” service.

  12. Comparison of SNMPv1 and SNMPv2

  13. SNMPv1 Community Facility • SNMP Community – Relationship between an SNMP agent and SNMP managers. • Three aspect of agent control: • Authentication service • Access policy • Proxy service

  14. SNMPv1 Administrative Concepts

  15. SNMPv3 • SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2

  16. SNMPv3 Flow

  17. Traditional SNMP Manager

  18. Traditional SNMP Agent

  19. SNMP3 Message Format with USM

  20. User Security Model (USM) • Designed to secure against: • Modification of information • Masquerade • Message stream modification • Disclosure • Not intended to secure against: • Denial of Service (DoS attack) • Traffic analysis

  21. USM Encryption • Authentication (using authKey) • HMAC-MD5-96 • HMAC-SHA1-96 • Encryption (using privKey) • DES CBC • Uses first 64 bits of the 16-octet privKey • Last 64 bits used as IV to DES CBC • Key values not accessible from SNMP

  22. Authoritative Engine • SNMP messages with payloads that expect a response (Get…, Set, Inform) • Receiver of message is authoritative • SNMP messages with payload that does not expect response (Trap, Response, Report) • Sender is authoritative

  23. Key Localization • Allows single user to own keys stored in multiple engines • Key localized to each authoritative engine using hash functions • Avoids problem of a single key being stored in many places • Greatly slows brute force attack

  24. Key Localization

  25. Timeliness • Determined by a clock kept at the authoritative engine • When authoritative engine sends a message, it includes the current clock value • Nonauthoritative agent synchronizes on clock value • When nonauthoritative engine sends a message, it includes the estimated destination clock value • These procedures allow assessing message timeliness

  26. View-Based Access Control Model (VACM) • VACM has two characteristics: • Determines whether access to a managed object should be allowed. • Make use of an MIB that: • Defines the access control policy for this agent. • Makes it possible for remote configuration to be used.

  27. Access control decision

  28. SNMPv3 Security • SNMPv3 solves SNMP security problems, right? • NOT! • Decent security implementation, but reality is: • SNMPv1 still holds ~95% of the market (2005) • Even SNMPv2 not widely deployed • Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once) • There is the issue of proxies and foreign clients • SNMPv3 is the clear long-term choice

More Related