In the Name of the Most High
SNMPv3
by Behzad Akbari, Fall 2011
These slides are based in parts upon slides of Prof. Dssouli (Concordia University)
Key Features of SNMPv3
• Modularization of documentation and architecture
• Enables the use of SNMPv1 and SNMPv2 with the newly developed SNMPv3
• SNMP engine defined
 – A model for the processing of SNMP messages
• New security features
 – Secure information to prevent tampering of data
 – Access control to determine proper access to the MIB
SNMP Architecture
• Distributed, interacting collection of SNMP entities
• An SNMP entity implements a portion of the SNMP capability: it acts either as an agent or as a manager, or both
• A collection of modules interacting with each other to provide services
[Figure: an SNMP entity consists of SNMP applications (Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other) and an SNMP engine (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem)]
SNMP Architecture
• Advantages: the role of an SNMP entity is determined by the modules implemented in that entity
 – A certain set of modules is required for an agent, while a different set is required for a manager
• Security subsystem: provides services such as authentication and privacy of messages
 – Multiple security models can coexist
• Access Control: a set of authorization services an application can use for checking access rights
SNMP Architecture-Manager
[Figure: manager entity. Applications: Command Generator, Notification Originator, Notification Receiver. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, Other. Security Subsystem: Community-based Security Model, User-based Security Model, Other Security Model]
SNMPv3 Architecture-Manager
• Command Generator Application
 – Monitors and manipulates management data at remote agents
 – Makes use of SNMPv1/v2 PDUs: Get, GetNext, GetBulk, etc.
• Notification Originator Application
 – Initiates messages, such as the InformRequest PDU
• Notification Receiver Application
 – Receives messages from other managers or agents: InformRequest, SNMPv1 and SNMPv2 Traps, etc.
• These applications make use of the services provided by the SNMP engine:
 – Get outgoing PDUs, process them and generate SNMP messages for transmission over the transport layer
 – Accept incoming SNMP messages, process them, extract the PDUs and pass them to the appropriate SNMP application
SNMPv3 Architecture-Manager
• One Dispatcher in an SNMP engine
 – Accepts PDUs from applications
 – Handles messages of multiple versions (SNMPv1, v2, v3)
 – Interfaces with application modules, the network, and the message processing models
• Three components for three functions
 – Transport mapper: delivers messages over the transport protocol
 – Message dispatcher: routes messages between the network and the appropriate module of the MPS
 – PDU dispatcher: handles messages between applications and the MPS
[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem]
SNMPv3 Architecture-Manager
• Message Processing Subsystem
 – Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
 – Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
 – Contains one or more Message Processing Models, one for each SNMP version
 – The SNMP version is identified in the header
[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem]
SNMPv3 Architecture-Manager
• Security Subsystem: performs authentication and encryption functions for each outgoing/incoming message
 – Outgoing PDUs may be encrypted, and authentication codes generated and appended to the message header; the message is then returned to the MPS
 – Incoming messages are passed to the security subsystem: message decryption, message authentication
[Figure: SNMP Engine (identified by snmpEngineID): Dispatcher, Message Processing Subsystem, Security Subsystem]
SNMPv3 Architecture-Agent
[Figure: agent entity. Management Information Base. Access Control Subsystem: View-based Access Control. Applications: Command Responder, Notification Originator, Proxy Forwarder. Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mappings. Message Processing Subsystem: SNMPv1, SNMPv2c, SNMPv3, Other. Security Subsystem: Community-based Security Model, User-based Security Model, Other Security Model]
SNMPv3 Architecture-Agent
• Command Responder Application
 – Provides access to management data
 – Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
• Notification Originator Application
 – e.g., SNMPv1, v2 Trap PDU
• Proxy Forwarder Application
 – Forwards messages between entities
• Access Control Subsystem
 – Provides authorization services to "control access" to the MIB for reading and setting management objects
 – Who can access; what can be accessed
Terminology
• SNMP Engine ID (snmpEngineID): associated with each SNMP entity
• Principal (principal): person, group or application requesting services
• Security Name (securityName): human-readable name
• Context Engine ID (contextEngineID): each entity has a unique context ID (identical to snmpEngineID)
• Context Name (contextName): a context associated with a managed object (for access control)
 – An SNMP agent can monitor more than one network element (context)
• Example: SNMP Engine ID: IP address; Principal: John Smith; Security Name: Administrator
Abstract Service Interfaces
• An abstract service interface is a conceptual interface between modules, independent of implementation
• Defines a set of primitives
 – A primitive specifies the function to be performed (e.g., a procedural call)
 – Primitives are associated with receiving entities
• An interface defined using primitives and parameters is referred to as an "abstract service interface"
• e.g., Dispatcher primitives:
 – Handle messages to and from applications
 – Registering and un-registering of application modules
 – Transmitting messages to and receiving messages from the network
• IN and OUT parameters; status information / result
Dispatcher Primitives
• sendPdu
 – Used by a command generator to send an SNMP request or notification PDU to another SNMP entity
 – When the Dispatcher successfully prepares the message, a sendPduHandle (unique identifier) is returned, to track the response if one is expected
 – The application also provides the transport domain/address for the PDU as well as the message processing model, security model, principal, level of security, the context for this PDU, and the PDU itself
[Figure: Command Generator --sendPdu--> Dispatcher --prepareOutgoingMessage--> Message Processing Model; sendPduHandle / errorIndication returned across each abstract service interface]
Dispatcher Primitives
• processResponsePdu
 – Used by the Dispatcher to pass an incoming response PDU to an application
 – The application checks whether it matches a preceding request or notification PDU by checking the sendPduHandle: success or failure
[Figure: Command Generator --sendPdu--> Dispatcher --prepareOutgoingMessage--> Message Processing Model; sendPduHandle / errorIndication returned; Dispatcher --processResponsePdu--> Command Generator]
Dispatcher Primitives
• processPdu
 – Used by the Dispatcher to pass an incoming request or notification PDU to an application (command responder)
 – Security-related information is required to generate a matching response message
 – The access control subsystem will check whether access is allowed, and a response will be generated accordingly
• returnResponsePdu
 – Used by the command responder to return an SNMP response to an incoming request or notification
[Figure: Dispatcher --processPdu--> Command Responder --returnResponsePdu--> Dispatcher --prepareResponseMessage--> Message Processing Model]
Message Processing Subsystem Primitives
• prepareOutgoingMessage
 – Prepares a message for an outgoing SNMP request or notification PDU
 – The IN parameter is a PDU and the OUT parameter is the message
 – Success or failure is returned
[Figure: Command Generator --sendPdu--> Dispatcher --prepareOutgoingMessage--> Message Processing Model; sendPduHandle / errorIndication returned]
Message Processing Subsystem Primitives
• prepareResponseMessage
 – Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
[Figure: Dispatcher --processPdu--> Command Responder --returnResponsePdu--> Dispatcher --prepareResponseMessage--> Message Processing Model]
Security Subsystem Primitives
• generateRequestMessage
 – Generates a "message" containing an outgoing SNMP request or notification PDU
 – Returns to the MPS a message (possibly with authentication and encryption applied) and the associated security parameters
• processIncomingMessage
 – Provides the security functions for incoming messages
 – Returns success or failure indicating the result of the security check
 – If successful, a PDU is returned to the MPS
• generateResponseMessage
 – Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
 – Returns to the MPS a message (with authentication and encryption applied as required) and the associated security parameters
Applications
[Figure: Application(s) subsystem: Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other]
• Application: Example
 – Command generator: get-request
 – Command responder: get-response
 – Notification originator: trap generation
 – Notification receiver: trap processing
 – Proxy Forwarder: get-bulk to get-next (SNMP versions only)
 – Other: special application
Command Generator
1) Examine the parameters of the received PDU and match/compare them with a cached copy (security model/level/name, contextName, etc.). If there is no match, the message is discarded
2) Check the received PDU (check the request-id, etc.)
3) If all is OK, take action
Command Responder
1) Examine the content of the request PDU; check whether the object has already been registered with the responder
2) The isAccessAllowed primitive is invoked (to determine whether the object can be accessed by the principal making the request); check the security level
3) If access is permitted, prepare a response
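The isAccessAllowed step above is where the view-based access control of the agent decides who can read or write which objects. The following is an added example, not code from the slides or from any SNMP implementation, of a simplified isAccessAllowed modelled on the three VACM tables (security-to-group, access, view tree family). The table contents (group "readonly", view "systemOnly", user "operator") and the OIDs are constructed for illustration, and the selection among several matching access entries is simplified to "highest security level wins".

```python
# Added example (not from the slides): a simplified VACM-style isAccessAllowed.
# Table contents are constructed for illustration.

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {
    ("usm", "operator"): "readonly",
}

# vacmAccessTable: (groupName, contextPrefix, securityModel, minimum securityLevel)
#   -> view names for read / write / notify ("" means no view, i.e. no access)
ACCESS_TABLE = {
    ("readonly", "", "usm", "authNoPriv"): {"read": "systemOnly", "write": "", "notify": ""},
}

# vacmViewTreeFamilyTable: viewName -> list of (subtree, mask, type).
# mask is a tuple of 1/0 per sub-identifier; 1 = must match, 0 = wildcard.
# A mask shorter than the subtree is padded with 1s.
VIEW_TREE = {
    "systemOnly": [
        ((1, 3, 6, 1, 2, 1, 1), (), "included"),      # the system group
        ((1, 3, 6, 1, 2, 1, 1, 6), (), "excluded"),   # sysLocation carved out
    ],
}


def _family_matches(subtree, mask, oid):
    """True if oid lies under subtree, ignoring sub-identifiers masked with 0."""
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        bit = mask[i] if i < len(mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def oid_in_view(view_name, oid):
    """Longest-match rule: among matching families the longest subtree wins,
    ties broken by the lexicographically greater (padded) mask; the winning
    family's type decides whether the object is in the view."""
    best = None
    for subtree, mask, kind in VIEW_TREE.get(view_name, []):
        if not _family_matches(subtree, mask, oid):
            continue
        padded = tuple(mask[i] if i < len(mask) else 1 for i in range(len(subtree)))
        key = (len(subtree), padded)
        if best is None or key > best[0]:
            best = (key, kind)
    return best is not None and best[1] == "included"


def is_access_allowed(security_model, security_name, security_level,
                      view_type, context_name, variable_name):
    """Return (allowed, reason); reasons follow the VACM error names."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return False, "noSuchGroup"
    level = LEVELS[security_level]
    # Candidate entries: same group and model, contextName starts with the
    # entry's prefix, and the message's securityLevel is at least the entry's.
    candidates = [
        (LEVELS[entry_level], views)
        for (g, prefix, model, entry_level), views in ACCESS_TABLE.items()
        if g == group and model == security_model
        and context_name.startswith(prefix) and level >= LEVELS[entry_level]
    ]
    if not candidates:
        return False, "noAccessEntry"
    # Simplified selection: prefer the entry with the highest securityLevel.
    _, views = max(candidates, key=lambda c: c[0])
    view_name = views.get(view_type, "")
    if not view_name:
        return False, "noSuchView"
    if not oid_in_view(view_name, variable_name):
        return False, "notInView"
    return True, "accessAllowed"


if __name__ == "__main__":
    sys_descr = (1, 3, 6, 1, 2, 1, 1, 1, 0)
    sys_location = (1, 3, 6, 1, 2, 1, 1, 6, 0)
    print(is_access_allowed("usm", "operator", "authNoPriv", "read", "", sys_descr))
    print(is_access_allowed("usm", "operator", "authNoPriv", "read", "", sys_location))
    print(is_access_allowed("usm", "operator", "noAuthNoPriv", "read", "", sys_descr))
```

The decision order matters for the security level check from step 2: a request that authenticates as the right user but arrives at noAuthNoPriv finds no access entry, so it is refused before any view is consulted.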
Message Format
• Version
• Global/Header Data: Message ID, Message Max. Size, Message Flags (reportableFlag, privFlag, authFlag), Message Security Model (1 = SNMPv1, 2 = SNMPv2, 3 = SNMPv3)
• Security Parameters (User-based Security Model): Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
 – Engine Boots / Engine Time: time synchronisation between entities to avoid message replay and achieve timeliness
• scopedPDU (plaintext or encrypted): Context Engine ID, Context Name, Data
[Figure: Version | Global/Header Data | Security Parameters | scopedPDU; authentication covers the whole message, encryption covers the scopedPDU]
Security Threats
• Modification of Information: an entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object
• Masquerade: management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations
[Figure: threats between Management Entity A and Management Entity B: modification of information, masquerade, message stream modification, disclosure]
Security Threats
• Message Stream Modification: SNMP is typically based upon a connectionless transport service. Messages may be maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations. For example, a message to reboot a system could be copied and replayed later
• Disclosure: eavesdropping on or intercepting the exchanges between SNMP engines
Security Threats
• SNMPv3 is not intended to secure against these two threats:
 – Denial of Service: an attacker may prevent exchanges between manager and agent. DoS is indistinguishable from network element failures, and DoS may disrupt all services (not just those pertaining to network management)
 – Traffic Analysis: an attacker may observe the general pattern of traffic between managers and agents
Security Model Goals
• Data integrity (authentication)
• Authentication
• Message redirection / re-ordering / delay / replay
• Data encryption / decryption
Security Model
• The security model authenticates and forwards incoming and outgoing messages to the MPM
• 3 different modules
 – Authentication module
 – Privacy module
 – Timeliness module
[Figure: Security Subsystem next to the Message Processing Model. Authentication Module: data integrity, data origin authentication. Privacy Module: data confidentiality. Timeliness Module: message timeliness and limited replay protection]
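The timeliness module is what addresses the message stream modification threat from the earlier slide (a copied reboot request replayed later). As an added example, not code from the slides or from any SNMP implementation, the following models the USM time window check from RFC 3414 on both sides: the authoritative engine (typically the agent receiving requests) compares the message's engine boots/time against its own clock, and the non-authoritative engine (typically the manager receiving responses) compares them against what it last learned about the remote engine. The boots/time values in the usage are constructed.

```python
# Added example (not from the slides): USM timeliness check, RFC 3414 section 3.2.
# Clock values used in the demonstration are constructed.

TIME_WINDOW = 150        # seconds of tolerated clock skew (RFC 3414)
MAX_BOOTS = 2**31 - 1    # an engine whose boots counter reaches this must be re-keyed


class AuthoritativeEngine:
    """Holds the real snmpEngineBoots / snmpEngineTime of an engine."""

    def __init__(self, boots, time):
        self.boots = boots
        self.time = time

    def is_timely(self, msg_boots, msg_time):
        # A message is inside the window only if boots match exactly and the
        # time is within 150 s either way; a saturated boots counter fails all.
        if self.boots == MAX_BOOTS:
            return False
        if msg_boots != self.boots:
            return False
        return abs(int(self.time) - int(msg_time)) <= TIME_WINDOW


class RemoteEngineClock:
    """What a non-authoritative engine remembers about a remote authoritative
    engine: its boots, its estimated time, and the latest time value seen."""

    def __init__(self):
        self.boots = 0
        self.time = 0
        self.latest_received_time = 0

    def update(self, msg_boots, msg_time):
        """Advance the local notion of the remote clock. Call this only for
        messages that passed authentication, so an unauthenticated sender
        cannot move the clock forward."""
        if msg_boots > self.boots or (
            msg_boots == self.boots and msg_time > self.latest_received_time
        ):
            self.boots = msg_boots
            self.time = msg_time
            self.latest_received_time = msg_time

    def is_timely(self, msg_boots, msg_time):
        if msg_boots == MAX_BOOTS:
            return False
        if msg_boots < self.boots:
            return False          # message from before the engine last rebooted
        if msg_boots == self.boots and msg_time < self.latest_received_time - TIME_WINDOW:
            return False          # older than anything recently seen: replay
        return True


def accept_authenticated_message(clock, msg_boots, msg_time):
    """Non-authoritative receive path: update the clock from an authenticated
    message, then apply the window check (RFC 3414 3.2 step 7.b order)."""
    clock.update(msg_boots, msg_time)
    return clock.is_timely(msg_boots, msg_time)


def replay_demo():
    """Constructed scenario: a request captured at engine time 1000 is replayed
    200 s later; returns (accepted_first_time, accepted_when_replayed)."""
    agent = AuthoritativeEngine(boots=5, time=1000)
    first = agent.is_timely(5, 1000)
    agent.time = 1200                    # clock has advanced past the window
    replayed = agent.is_timely(5, 1000)
    return first, replayed


if __name__ == "__main__":
    print(replay_demo())
```

The window is deliberately coarse: it does not stop a replay within 150 seconds by itself, which is why the slides call it "limited" replay protection, and why the request-id check in the command generator still matters.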
Authentication Module
• Data integrity: message authentication at the sender and validation at the receiver
 – Ensures that a message is not modified by an unauthorized intruder
 – Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96
• Data origin authentication: checks the identity of the user on whose behalf a message is sent
 – Appends to the message a unique identifier associated with the authoritative SNMP engine
Privacy Module
• Data confidentiality ensures that data is not made available to unauthorized users or entities
• Encryption is applied at the sender and decryption at the receiver (CBC-DES)