330 likes | 571 Views
Network Management Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Outline. Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3. The Internet Standard Management Framework.
E N D
Network Management Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49
Outline • Basic Concepts of SNMP • SNMPv1 Community Facility • SNMPv3
The Internet Standard Management Framework SNMP network management consists of four parts: • Management Information Base (MIB) • A map of the hierarchical order of all managed objects and how they are accessed • Structure of Management Information (SMI) • Rules specifying the format used to define objects managed on the network that the SNMP protocol accesses • SNMP Protocol • Defines format of messages exchanged by management systems and agents. • Specifies the Get, GetNext, Set, and Trap operations • Security and administration capabilities • The addition of these capabilities represents the major enhancement in SNMPv3 over SNMPv2
Basic Concepts of SNMP • An integrated collection of tools for network monitoring and control. • Single operator interface • Minimal amount of separate equipment. Software and network communications capability built into the existing equipment • SNMP key elements: • Management station • Management agent • Management information base • Network Management protocol • Get, Set and Notify
Management Information Bases (MIB) • SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database • Information in the database is described by Management Information Bases (MIBs) • The MIB specifies the managed objects
Management Information Bases (MIB) • The MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1) • ASN.1 is a formal language for describing data and its properties • In Linux, MIB files are in the directory /usr/share/snmp/mibs • Multiple MIB files • MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks
Managed Objects • Each managed object is assigned an object identifier(OID) • The OID is specified in a MIB file. • An OID can be represented as a sequence of integers separated by decimal points or by a text string. Example: • 1.3.6.1.2.1.4.6. • iso.org.dod.internet.mgmt.mib-2.ip.ipForwData • When an SNMP manager requests an object, it sends the OID to the SNMP agent.
MIB Example ipForwDatagrams OBJECT-TYPE SYNTAX Counter ACCESS read-only STATUS mandatory DESCRIPTION "The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity, and the Source- Route option processing was successful." ::= { ip 6 }
SNMP v1 and v2 • Trap – an unsolicited message (reporting an alarm condition) • SNMPv1 is ”connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol. • SNMPv2 allows the use of TCP for ”reliable, connection-oriented” service.
SNMPv1 Community Facility • SNMP Community – Relationship between an SNMP agent and SNMP managers. • Three aspect of agent control: • Authentication service • Access policy • Proxy service
SNMPv3 • SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2
User Security Model (USM) • Designed to secure against: • Modification of information • Masquerade • Message stream modification • Disclosure • Not intended to secure against: • Denial of Service (DoS attack) • Traffic analysis
USM Encryption • Authentication (using authKey) • HMAC-MD5-96 • HMAC-SHA1-96 • Encryption (using privKey) • DES CBC • Uses first 64 bits of the 16-octet privKey • Last 64 bits used as IV to DES CBC • Key values not accessible from SNMP
Authoritative Engine • SNMP messages with payloads that expect a response (Get…, Set, Inform) • Receiver of message is authoritative • SNMP messages with payload that does not expect response (Trap, Response, Report) • Sender is authoritative
Key Localization • Allows single user to own keys stored in multiple engines • Key localized to each authoritative engine using hash functions • Avoids problem of a single key being stored in many places • Greatly slows brute force attack
Timeliness • Determined by a clock kept at the authoritative engine • When authoritative engine sends a message, it includes the current clock value • Nonauthoritative agent synchronizes on clock value • When nonauthoritative engine sends a message, it includes the estimated destination clock value • These procedures allow assessing message timeliness
View-Based Access Control Model (VACM) • VACM has two characteristics: • Determines whether access to a managed object should be allowed. • Make use of an MIB that: • Defines the access control policy for this agent. • Makes it possible for remote configuration to be used.
SNMPv3 Security • SNMPv3 solves SNMP security problems, right? • NOT! • Decent security implementation, but reality is: • SNMPv1 still holds ~95% of the market (2005) • Even SNMPv2 not widely deployed • Upgrading to SNMPv3 is difficult and costly (sort of like moving from WinXP to WinVista all at once) • There is the issue of proxies and foreign clients • SNMPv3 is the clear long-term choice