SNMPv3
Yen-Cheng Chen, Department of Information Management, National Chi Nan University
Reference: http://www.comsoc.org/livepubs/surveys/public/4q98issue/stallings.html
SNMPv3 RFCs
• RFC3410 Introduction and Applicability Statements for Internet-Standard Management Framework
• RFC3411 An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
• RFC3412 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
• RFC3413 Simple Network Management Protocol (SNMP) Applications
• RFC3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
• RFC3415 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
• RFC3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
• RFC3417 Transport Mappings for the Simple Network Management Protocol (SNMP)
• RFC3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
SNMPv3 Architecture
An SNMP entity is a node with an SNMP management element, either an agent or a manager or both. Each entity consists of:
• SNMP Engine (identified by snmpEngineID)
  • Dispatcher
  • Message Processing Subsystem
  • Security Subsystem
  • Access Control Subsystem
• Application(s)
  • Command Generator
  • Command Responder
  • Notification Originator
  • Notification Receiver
  • Proxy Forwarder
  • Other
Dispatcher
• Sending and receiving SNMP messages to/from the network
• Determining the version of an SNMP message and interacting with the corresponding Message Processing Model
• Providing an abstract interface to SNMP applications for delivery of a PDU to an application
• Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity
Dispatcher: three components
• Transport mapping: delivers messages over the transport protocol (UDP, typically)
• Message Dispatcher: routes messages between the network and the appropriate Message Processing Model in the Message Processing Subsystem
• PDU Dispatcher: passes PDUs between the applications and the Message Processing Subsystem
Message Processing Subsystem
• Contains one or more Message Processing Models
• One Message Processing Model for each SNMP version
• SNMP version is identified in the message header
Security and Access Control
• Security at the message level
  • Authentication
  • Privacy of messages via secure communication
• Flexible access control
  • Who can access
  • What can be accessed
  • Flexible MIB views
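The "who can access / what can be accessed / MIB views" chain above is the View-based Access Control Model (VACM, RFC3415). The following Python is an added example, not part of the slides: it models the three VACM lookups (securityName to group, group to access entry and minimum securityLevel, view name to view tree families) and the subtree-plus-mask matching that makes MIB views "flexible". The group names, user names and view contents are constructed for illustration; the OIDs are real MIB-II objects (sysDescr, sysName, ifInOctets).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

# securityLevel ordering: a request must carry at least the level the access entry demands.
LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class ViewFamily:
    """One vacmViewTreeFamilyTable row: a subtree, a mask and included/excluded."""
    subtree: OID
    mask: Tuple[int, ...]  # 1 = sub-identifier must match, 0 = wildcard; bits beyond the mask count as 1
    included: bool


def family_matches(fam: ViewFamily, oid: OID) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        bit = fam.mask[i] if i < len(fam.mask) else 1
        if bit and oid[i] != sub:
            return False
    return True


def view_includes(view: List[ViewFamily], oid: OID) -> bool:
    """The most specific matching family decides (most sub-identifiers, then greatest mask, per RFC 3415)."""
    matches = [f for f in view if family_matches(f, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.mask))
    return best.included


# Constructed VACM configuration (hypothetical names, not from the slides).
# securityModel + securityName -> groupName                         (vacmSecurityToGroupTable)
SECURITY_TO_GROUP: Dict[Tuple[str, str], str] = {
    ("USM", "ops"): "readonly",
    ("USM", "admin"): "readwrite",
}
# groupName + contextName + securityModel -> (minimum securityLevel, readView, writeView)   (vacmAccessTable)
ACCESS: Dict[Tuple[str, str, str], Tuple[str, Optional[str], Optional[str]]] = {
    ("readonly", "", "USM"): ("authNoPriv", "sysview", None),
    ("readwrite", "", "USM"): ("authPriv", "all", "all"),
}
# viewName -> families                                                (vacmViewTreeFamilyTable)
VIEWS: Dict[str, List[ViewFamily]] = {
    "all": [ViewFamily((1,), (), True)],
    "sysview": [
        ViewFamily((1, 3, 6, 1, 2, 1, 1), (), True),       # the system group ...
        ViewFamily((1, 3, 6, 1, 2, 1, 1, 5), (), False),   # ... except sysName
        # ifTable columns for ifIndex 3 only: mask bit 9 (the column id) is a wildcard
        ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3), (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True),
    ],
}


def is_access_allowed(security_model: str, security_name: str, security_level: str,
                      context_name: str, view_type: str, oid: OID) -> str:
    """The isAccessAllowed primitive of RFC 3415, returning its statusInformation values."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    entry = ACCESS.get((group, context_name, security_model))
    if entry is None or LEVELS[security_level] < LEVELS[entry[0]]:
        return "noAccessEntry"
    view_name = entry[1] if view_type == "read" else entry[2]
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if view_includes(VIEWS[view_name], oid) else "notInView"


if __name__ == "__main__":
    SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
    SYS_NAME_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)
    IF_IN_OCTETS_3 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 3)
    for args in [("USM", "ops", "authNoPriv", "", "read", SYS_DESCR_0),
                 ("USM", "ops", "authNoPriv", "", "read", SYS_NAME_0),
                 ("USM", "ops", "authNoPriv", "", "read", IF_IN_OCTETS_3),
                 ("USM", "ops", "noAuthNoPriv", "", "read", SYS_DESCR_0),
                 ("USM", "ops", "authNoPriv", "", "write", SYS_DESCR_0)]:
        print(args[1:], "->", is_access_allowed(*args))
```

Two points worth noticing: the level check means a user who is provisioned for authNoPriv cannot downgrade a request to noAuthNoPriv and still get access, and the masked family shows how a view can expose one row of a table (ifIndex 3) across all its columns without listing each column.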
Applications
• Command Generator: issues requests (e.g. get-request)
• Command Responder: answers them (e.g. get-response)
• Notification Originator: trap generation
• Notification Receiver: trap processing
• Proxy Forwarder: relays messages, e.g. translating a get-bulk into get-next requests when forwarding between SNMP versions
• Other: special-purpose applications
Command Generator or Notification Originator
Names
• Entity
• Engine (snmpEngineID): associated with each SNMP entity is a unique snmpEngineID.
• Context (contextName): a context is a collection of management information accessible by an SNMP entity.
• Context engine (contextEngineID): the snmpEngineID of the engine that provides access to the context.
• Principal (securityName): the "who" on whose behalf services are provided or processing takes place; may be an individual or an application, or a group of individuals or applications.
Context Engine (figure: one context engine hosting several contexts, each selected by its contextName)
Security Threats (figure: messages between Management Entity A and Management Entity B exposed to modification of information, masquerade, message stream modification and disclosure)
Security Threats
• The SNMPv3 security model is designed to protect against the following threats:
  • Modification of information: contents modified by an unauthorized user
  • Masquerade: change of the originating address by an unauthorized user
  • Message stream modification: re-ordering, delay or replay of messages
  • Disclosure: eavesdropping
• The SNMPv3 security model does not protect against Denial of Service (DoS) or traffic analysis.
Security Services
Security Subsystem (invoked by the Message Processing Model):
• Authentication Module: data integrity, data origin authentication
• Privacy Module: data confidentiality
• Timeliness Module: message timeliness and limited replay protection
SNMPv3 Security
• Authentication
  • Data integrity: HMAC-MD5-96 or HMAC-SHA-96 over the whole message
  • Data origin authentication: the message carries the unique identifier of the authoritative SNMP engine (msgAuthoritativeEngineID), and the HMAC key is localized to that engine and user
• Privacy / confidentiality: encryption of the scopedPDU (CBC-DES in RFC3414)
• Timeliness: authoritative engine ID, number of engine boots and engine time in seconds; a message is accepted only within a 150-second window
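The timeliness rules are easy to get wrong, so here is an added Python example (not from the slides) that implements the two checks of RFC3414 section 3.2, step 7: the one the authoritative engine (agent) applies to incoming requests against its own snmpEngineBoots/snmpEngineTime, and the one the non-authoritative engine (manager) applies to responses against the clock values it has cached for that agent. The boots and time values in the scenario are constructed; the 150-second window and the 2^31-1 boots limit are the RFC's.

```python
from dataclasses import dataclass

TIME_WINDOW = 150           # seconds; RFC 3414 section 2.2.3
MAX_BOOTS = 2 ** 31 - 1     # once snmpEngineBoots reaches this, nothing is timely until re-keyed


@dataclass(frozen=True)
class MsgSecurityParams:
    """The timeliness fields USM carries in msgSecurityParameters."""
    engine_boots: int   # msgAuthoritativeEngineBoots
    engine_time: int    # msgAuthoritativeEngineTime


@dataclass
class AuthoritativeClock:
    """The agent's own snmpEngineBoots / snmpEngineTime."""
    boots: int
    time: int


@dataclass
class LcdEntry:
    """What a manager (non-authoritative engine) has cached about one remote agent."""
    boots: int
    time: int
    latest_received_time: int


def timely_at_authoritative(local: AuthoritativeClock, p: MsgSecurityParams) -> bool:
    """Agent side (RFC 3414 3.2 step 7a): same boot epoch and within +/-150 s of its own clock."""
    if local.boots == MAX_BOOTS:
        return False
    if p.engine_boots != local.boots:
        return False
    return abs(p.engine_time - local.time) <= TIME_WINDOW


def timely_at_nonauthoritative(lcd: LcdEntry, p: MsgSecurityParams) -> bool:
    """Manager side (RFC 3414 3.2 step 7b): advance the cached clock from authenticated
    messages, then reject anything older than the latest seen minus the window."""
    if p.engine_boots > lcd.boots or (p.engine_boots == lcd.boots and p.engine_time > lcd.latest_received_time):
        lcd.boots = p.engine_boots
        lcd.time = p.engine_time
        lcd.latest_received_time = p.engine_time
    if p.engine_boots == MAX_BOOTS:
        return False
    if p.engine_boots < lcd.boots:
        return False
    if p.engine_boots == lcd.boots and p.engine_time < lcd.latest_received_time - TIME_WINDOW:
        return False
    return True


def replay_scenario() -> dict:
    """Constructed exchange: a request captured at agent time 1010 and replayed 400 s later."""
    agent = AuthoritativeClock(boots=7, time=1000)
    fresh = MsgSecurityParams(engine_boots=7, engine_time=1010)
    results = {"fresh_request": timely_at_authoritative(agent, fresh)}
    agent.time = 1400                                     # the agent's clock has moved on
    results["replayed_request"] = timely_at_authoritative(agent, fresh)
    results["pre_reboot_request"] = timely_at_authoritative(agent, MsgSecurityParams(6, 1400))

    lcd = LcdEntry(boots=7, time=1000, latest_received_time=1000)
    results["fresh_response"] = timely_at_nonauthoritative(lcd, MsgSecurityParams(7, 1005))
    results["replayed_old_response"] = timely_at_nonauthoritative(lcd, MsgSecurityParams(7, 800))
    results["response_after_agent_reboot"] = timely_at_nonauthoritative(lcd, MsgSecurityParams(8, 3))
    return results


if __name__ == "__main__":
    for name, ok in replay_scenario().items():
        print(f"{name:28s} {'timely' if ok else 'NOT timely'}")
```

This is why the slides call it "limited" replay protection: a captured message replayed inside the 150-second window still passes the timeliness check, and only the request-ID matching in the application, not USM, would catch it.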
Role of SNMP Engines (figure: Non-Authoritative Engine (NMS) and Authoritative Engine (Agent))
In each exchange one engine is authoritative: the receiver of a message that expects a response (so the agent, for Get and Set requests) and the sender of a message that does not (so the agent, for a Trap). The authoritative engine's snmpEngineID, snmpEngineBoots and snmpEngineTime are the values carried in the message and used for key localization and the timeliness check (RFC3414).
SNMPv3 Message Format (Figure 7.12, see p. 304)
• Version (msgVersion)
• Global/Header Data (msgGlobalData): Message ID, Max. Size, Flags, Security Model
• Security Parameters (msgSecurityParameters, USM): Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
• scopedPDU Data, plaintext or encrypted: Context Engine ID, Context Name, Data (the PDU)
Scope of authentication: the whole message. Scope of encryption: the scopedPDU only.
User-Based Security Model
• Based on the traditional user-name concept
• Authentication service primitives
  • authenticateOutgoingMsg
  • authenticateIncomingMsg
• Privacy service primitives
  • encryptData
  • decryptData
Authentication Protocols
• Authentication key (RFC3414, Appendix A.2)
  • Derived from a password chosen by the user
  • digest0: the password repeated cyclically to 2^20 (1,048,576) octets
  • digest1: H(digest0)
  • digest2: H(digest1 || snmpEngineID || digest1), i.e. the key is localized to the authoritative engine, so compromise of one agent's key does not expose the same user's key on other agents
  • AuthKey = digest2
• H is MD5 for HMAC-MD5-96 and SHA-1 for HMAC-SHA-96; in both cases the HMAC output is truncated to 96 bits (12 octets) and carried in msgAuthenticationParameters
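The derivation above plus the authenticateOutgoingMsg / authenticateIncomingMsg primitives from the USM slide, worked through in Python as an added example (not from the slides or from any SNMP library). Password and engine ID are the known-answer inputs of RFC3414 Appendix A.3 ("maplesyrup", engine ID 000000000000000000000002); the byte string standing in for the serialized message is constructed, since only the position of the 12-octet msgAuthenticationParameters field matters for the MAC.

```python
import hashlib
import hmac

# Known-answer inputs from RFC 3414 Appendix A.3 (constructed test inputs, not from the slides).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Authentication protocol -> underlying hash H; both truncate the HMAC to 96 bits (12 octets).
PROTOCOLS = {"HMAC-MD5-96": "md5", "HMAC-SHA-96": "sha1"}
AUTH_PARAMS_LEN = 12


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """digest1 = H(password repeated cyclically to 2^20 octets); RFC 3414 A.2."""
    total = 1 << 20
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()


def localize_key(digest1: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """digest2 = H(digest1 || snmpEngineID || digest1): the key only works with this engine."""
    return hashlib.new(hash_name, digest1 + engine_id + digest1).digest()


def derive_auth_key(password: bytes, engine_id: bytes, protocol: str) -> bytes:
    hash_name = PROTOCOLS[protocol]
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def authenticate_outgoing_msg(auth_key: bytes, protocol: str, before: bytes, after: bytes) -> bytes:
    """Sender: serialize with msgAuthenticationParameters = 12 zero octets, MAC the whole
    message, then substitute the truncated MAC into that field (RFC 3414 6.3.1)."""
    whole_msg = before + bytes(AUTH_PARAMS_LEN) + after
    mac = hmac.new(auth_key, whole_msg, PROTOCOLS[protocol]).digest()[:AUTH_PARAMS_LEN]
    return before + mac + after


def authenticate_incoming_msg(auth_key: bytes, protocol: str, whole_msg: bytes, params_offset: int) -> bool:
    """Receiver: save the 12 received octets, re-zero the field, recompute and compare
    in constant time (RFC 3414 6.3.2)."""
    end = params_offset + AUTH_PARAMS_LEN
    received = whole_msg[params_offset:end]
    if len(received) != AUTH_PARAMS_LEN:
        return False
    zeroed = whole_msg[:params_offset] + bytes(AUTH_PARAMS_LEN) + whole_msg[end:]
    expected = hmac.new(auth_key, zeroed, PROTOCOLS[protocol]).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


# Constructed stand-in for the serialized bytes before and after msgAuthenticationParameters
# (a real message is BER-encoded; only the field position matters here).
BEFORE = b"msgVersion|msgGlobalData|msgAuthoritativeEngineID|boots|time|msgUserName|"
AFTER = b"|msgPrivacyParameters|scopedPDU:get-request sysDescr.0"


def demo(protocol: str = "HMAC-SHA-96") -> dict:
    key = derive_auth_key(PASSWORD, ENGINE_ID, protocol)
    msg = authenticate_outgoing_msg(key, protocol, BEFORE, AFTER)
    tampered = msg.replace(b"get-request", b"set-request")          # same length, different content
    other_engine_key = derive_auth_key(PASSWORD, bytes.fromhex("000000000000000000000003"), protocol)
    return {
        "valid": authenticate_incoming_msg(key, protocol, msg, len(BEFORE)),
        "tampered": authenticate_incoming_msg(key, protocol, tampered, len(BEFORE)),
        "other_engine_key": authenticate_incoming_msg(other_engine_key, protocol, msg, len(BEFORE)),
    }


if __name__ == "__main__":
    for name in PROTOCOLS:
        print(name, derive_auth_key(PASSWORD, ENGINE_ID, name).hex(), demo(name))
```

The "other_engine_key" case is the point of localization: the same user and password produce a different key for every snmpEngineID, so a key recovered from one agent does not authenticate traffic to another. Note also that the password, not the localized key, is the real long-term secret; an attacker who can observe a message and guess the password can reproduce the key offline, which is why dictionary-quality passwords are a weakness of USM.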