
Post on 02-Apr-2015


CS 678 P. T. Chung 1

Network Management Security

CS 678 Network Security, Dept. of Computer Science, Long Island University, Brooklyn, NY

Outline

• Basic Concepts of SNMP
• SNMPv1 Community Facility
• SNMPv3
• Recommended Reading and WEB Sites

Basic Concepts of SNMP

SNMP is an integrated collection of tools for network monitoring and control:
• Single operator interface
• Minimal amount of separate equipment
• Software and network communications capability built into the existing equipment

SNMP key elements:
• Management station
• Management agent
• Management information base (MIB)
• Network management protocol: Get, Set and Notify

PRINCIPLE OF OPERATION

[Figure: a manager talks to agents over SNMP; each agent exposes its MIB.]

SNMP STRUCTURE

[Figure: the manager's management application and the agent's MIB exchange SNMP PDUs over a connectionless transport service provider (UDP).]


Protocol context of SNMP


Proxy Configuration

SNMP v1 and v2

Trap: an unsolicited message (reporting an alarm condition).

SNMPv1 is "connectionless" since it utilizes UDP (rather than TCP) as the transport layer protocol.

SNMPv2 allows the use of TCP for "reliable, connection-oriented" service.

SNMP PROTOCOL

[Figure: protocol stack on both the manager and the agent side: SNMP over UDP over IP over the link layer; SNMP messages carry MIB variables between the two.]

OVERVIEW OF PDUs

[Figure: manager-to-agent operations get, getNext and set, each answered by a response built from the agent's MIB; trap is sent unsolicited from agent to manager.]

GET: TO REQUEST THE VALUE OF 1 OR MORE VARIABLES

POSSIBLE ERRORS:
• noSuchName: object does not exist / object is not a leaf
• tooBig: result does not fit in response PDU
• genErr: all other causes

[Figure: manager sends get, agent answers with a response from its MIB.]

EXAMPLE MIB

[Figure: object tree]
address (1)                      instance 1.1.0 = 130.89.16.2
info (2)
    name (1)                     instance 1.2.1.0 = printer-1
    uptime (2)                   instance 1.2.2.0 = 123456
route-table (3)
    route-entry (1)              indexed by dest.policy
        dest (1), policy (2), next (3)

route-table rows (dest, policy, next):
    2, 1, 2
    3, 1, 3
    5, 1, 2
    5, 2, 3
    7, 1, 2
    8, 1, 3
    9, 1, 2

GET EXAMPLES

get(1.1.0)                                   response(1.1.0 => 130.89.16.2)
get(1.2.0)                                   response(error-status = noSuchName)
get(1.1)                                     response(error-status = noSuchName)
get(1.1.0; 1.2.2.0)                          response(1.1.0 => 130.89.16.2; 1.2.2.0 => 123456)
get(1.3.1.3.5.1)                             response(1.3.1.3.5.1 => 2)
get(1.3.1.1.5.1)                             response(1.3.1.1.5.1 => 5)
get(1.3.1.1.5.1, 1.3.1.2.5.1, 1.3.1.3.5.1)   response(1.3.1.1.5.1 => 5, 1.3.1.2.5.1 => 1, 1.3.1.3.5.1 => 2)

MESSAGE & PDU STRUCTURE

SNMP message:       VERSION | COMMUNITY | SNMP PDU
SNMP PDU:           PDU TYPE | REQUEST ID | ERROR STATUS | ERROR INDEX | VARIABLE BINDINGS
variable bindings:  NAME 1 | VALUE 1 | NAME 2 | VALUE 2 | ... | NAME n | VALUE n

Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU       SNMPv2 PDU       Direction                                        Description
GetRequest       GetRequest       Manager to agent                                 Request value for each listed object
GetNextRequest   GetNextRequest   Manager to agent                                 Request next value for each listed object
------           GetBulkRequest   Manager to agent                                 Request multiple values
SetRequest       SetRequest       Manager to agent                                 Set value for each listed object
------           InformRequest    Manager to manager                               Transmit unsolicited information
GetResponse      Response         Agent to manager or manager to manager (SNMPv2)  Respond to manager request
Trap             SNMPv2-Trap      Agent to manager                                 Transmit unsolicited information

SNMPv1 Community Facility

SNMP Community: the relationship between an SNMP agent and SNMP managers.

Three aspects of agent control:
• Authentication service
• Access policy
• Proxy service


SNMPv1 Administrative Concepts

SNMPv2 PROTOCOL OPERATIONS

[Figure: manager-to-agent get, getNext, set and getBulk, each answered by a response from the agent's MIB; trap from agent to manager; inform from manager to manager, where the receiving manager plays the "agent" role and returns a response.]

GET-BULK

NEW COMMAND getBulk IN SNMPv2 TO RETRIEVE A LARGE NUMBER OF VARBINDS IMPROVES PERFORMANCE!

[Figure: manager sends getBulk, agent answers with a response from its MIB.]

GETBULK PERFORMANCE

Source: Steve Waldbusser, Carnegie-Mellon University

                       v1     v2
NO SECURITY           210   3300
WITH AUTHENTICATION   195   2910
WITH ENCRYPTION       110   1600

Figures based on original (party based) SNMPv2

GET-BULK EXAMPLE

getBulk(max-repetitions = 4; 1.1)

response(1.1.0 => 130.89.16.2; 1.2.1.0 => printer-1; 1.2.2.0 => 123456; 1.3.1.1.2.1 => 2)

GET-BULK EXAMPLE

getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3)

response(1.3.1.1.2.1 => 2; 1.3.1.2.2.1 => 1; 1.3.1.3.2.1 => 2;
         1.3.1.1.3.1 => 3; 1.3.1.2.3.1 => 1; 1.3.1.3.3.1 => 3;
         1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2)
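Added example, not from the slides: the example MIB together with the get and getBulk rules behind the GET EXAMPLES and GET-BULK EXAMPLE slides, in Python. Only route-table rows 2.1, 3.1 and 5.1 are confirmed by responses on the slides; the other rows (5.2, 7.1, 8.1, 9.1) are assumptions read off the example-MIB figure, and getNext is modelled as a walk over the lexicographic order of instances, which is what lets getBulk return successive table rows.

```python
# Added example, not from the slides: the example MIB as a table of OID instances,
# with get / getNext / getBulk lookups reproducing the slides' responses.
from bisect import bisect_right

# route-table rows (dest, policy, next), indexed by dest.policy. Rows 2.1, 3.1
# and 5.1 appear in the slides' responses; the remaining rows are assumed.
ROUTE_ROWS = [(2, 1, 2), (3, 1, 3), (5, 1, 2), (5, 2, 3),
              (7, 1, 2), (8, 1, 3), (9, 1, 2)]
MIB = {(1, 1, 0): "130.89.16.2",       # address
       (1, 2, 1, 0): "printer-1",      # info.name
       (1, 2, 2, 0): 123456}           # info.uptime
for dest, policy, nxt in ROUTE_ROWS:   # route-table.route-entry columns 1..3
    for column, value in ((1, dest), (2, policy), (3, nxt)):
        MIB[(1, 3, 1, column, dest, policy)] = value
INSTANCES = sorted(MIB)                # lexicographic OID order drives getNext

def oid(text):
    return tuple(int(x) for x in text.split("."))

def fmt(o):
    return ".".join(map(str, o))

def get(*names):
    """SNMPv1 get: every name must be an existing leaf instance, otherwise the
    whole request fails with noSuchName (slide 14: 1.2.0 and 1.1 both fail)."""
    result = {}
    for o in map(oid, names):
        if o not in MIB:               # missing object, or a non-leaf such as 1.1
            return {"error-status": "noSuchName"}
        result[fmt(o)] = MIB[o]
    return result

def get_next(o):
    """First instance lexicographically after o, or None at the end of the MIB."""
    i = bisect_right(INSTANCES, o)
    return INSTANCES[i] if i < len(INSTANCES) else None

def get_bulk(max_repetitions, *names):
    """getBulk with non-repeaters = 0: up to max_repetitions successors of each
    name, interleaved row by row, so one request fetches several table rows."""
    cursors, result = [oid(n) for n in names], []
    for _ in range(max_repetitions):
        for k, cur in enumerate(cursors):
            nxt = get_next(cur)
            if nxt is None:            # end of MIB view for this column
                continue
            result.append((fmt(nxt), MIB[nxt]))
            cursors[k] = nxt
    return result
```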

SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2.

SNMP v3 DESIGN DECISIONS

• ADDRESS THE NEED FOR SECURE SET SUPPORT
• DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP
• ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS

SNMP v3 DESIGN DECISIONS

• ALLOW FOR FUTURE EXTENSIONS
• KEEP SNMP AS SIMPLE AS POSSIBLE
• ALLOW FOR MINIMAL IMPLEMENTATIONS
• SUPPORT ALSO THE MORE COMPLEX FEATURES, WHICH ARE REQUIRED IN LARGE NETWORKS
• RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE


SNMPv3 Flow

SNMPv3 ARCHITECTURE

[Figure: an SNMP entity consists of an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem) and SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other).]


Traditional SNMP Manager


Traditional SNMP Agent

SNMPv3 MESSAGE STRUCTURE

Header (msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel):   USED BY MESSAGE PROCESSING SUBSYSTEM / SNMPv3 PROCESSING MODULE
msgSecurityParameters:                                                USED BY SECURITY SUBSYSTEM
Scoped PDU (contextEngineID, contextName, PDU):                       USED BY ACCESS CONTROL SUBSYSTEM AND APPLICATIONS

SNMPv3 Message Format with USM

User Security Model (USM)

Designed to secure against:
• Modification of information
• Masquerade
• Message stream modification
• Disclosure

Not intended to secure against:
• Denial of Service (DoS attack)
• Traffic analysis


Key Localization Process

View-Based Access Control Model (VACM)

VACM has two characteristics:
• Determines whether access to a managed object should be allowed.
• Makes use of a MIB that:
    - Defines the access control policy for this agent.
    - Makes it possible for remote configuration to be used.


Access control decision

SECURE COMMUNICATION VERSUS ACCESS CONTROL

[Figure: secure communication protects the GET / GET-NEXT / GETBULK / SET / TRAP / INFORM exchange between the manager's and the agent's application processes over the transport service; access control governs which MIB objects the agent lets a manager operate on.]

USM: SECURITY THREATS

THREAT             ADDRESSED?   MECHANISM
REPLAY             YES          TIME STAMP
MASQUERADE         YES          MD5 / SHA-1
INTEGRITY          YES          MD5 / SHA-1
DISCLOSURE         YES          DES
DENIAL OF SERVICE  NO
TRAFFIC ANALYSIS   NO

USM MESSAGE STRUCTURE

msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel
msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime   -> REPLAY
msgUserName
msgAuthenticationParameters                                                          -> MASQUERADE / INTEGRITY
msgPrivacyParameters                                                                 -> DISCLOSURE
contextEngineID, contextName, PDU                                                    -> MASQUERADE / INTEGRITY / DISCLOSURE

IDEA BEHIND REPLAY PROTECTION

[Figure: the nonauthoritative engine keeps a local notion of the remote clock and sends ID, BOOTS and TIME along with the DATA; the authoritative engine checks the received TIME against its own LOCAL CLOCK: TIME + ALLOWED LIFETIME > LOCAL CLOCK?]

IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION

[Figure: DATA and KEY are fed into a HASH FUNCTION, producing a MAC.]

ADD THE MESSAGE AUTHENTICATION CODE (MAC) TO THE DATA AND SEND THE RESULT

IDEA BEHIND AUTHENTICATION

[Figure: the sender computes MAC = HASH FUNCTION(DATA, KEY) and transmits DATA together with the MAC for USER; the receiver recomputes the MAC from the received DATA and its own copy of the USER's KEY and compares the two: =?]
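Added example, not from the slides: the USM mechanisms sketched on the Key Localization, Replay Protection, Integrity and Authentication slides, implemented in Python after RFC 3414. The password-to-key and key localization steps, the 96-bit MAC truncation and the 150-second time window are taken from RFC 3414 rather than from the slides, and the message serialization is a constructed stand-in for the real BER encoding, used only to show which bytes the MAC covers.

```python
# Added example, not from the slides: USM key localization, HMAC-96 authentication
# and the timeliness (replay) check, following RFC 3414. The serialization below is
# a constructed stand-in for BER, not the real SNMPv3 wire format.
import hashlib
import hmac

TIME_WINDOW = 150   # seconds, RFC 3414 section 2.2.3 (the slide only says "allowed lifetime")
MAC_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits of the MAC

def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Stretch the password cyclically to 1 MiB and hash it (Ku), then bind Ku to
    the authoritative engine: Kul = H(Ku || snmpEngineID || Ku). A compromised
    agent therefore only learns the key for its own engine ID."""
    pw = password.encode()
    stretched = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def serialize(fields: dict, auth_params: bytes = bytes(MAC_LEN)) -> bytes:
    """Whole message with msgAuthenticationParameters set to the given value.
    The MAC is always computed with that field zeroed, as in RFC 3414."""
    body = {**fields, "msgAuthenticationParameters": auth_params.hex()}
    return "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()

def sign(fields: dict, key: bytes, algo: str = "md5") -> bytes:
    """Sender (slide 41): MAC over DATA and KEY, truncated to 12 bytes and
    placed into msgAuthenticationParameters."""
    return hmac.new(key, serialize(fields), algo).digest()[:MAC_LEN]

def verify(fields: dict, mac: bytes, key: bytes, algo: str = "md5") -> bool:
    """Receiver (slide 42): recompute over the zeroed message and compare
    in constant time (the '=?' step)."""
    return hmac.compare_digest(sign(fields, key, algo), mac)

def timely(fields: dict, local_boots: int, local_time: int) -> bool:
    """Authoritative engine's replay check (slide 40): same boot epoch and the
    message time within the allowed lifetime of the local clock; anything else
    is rejected as notInTimeWindow."""
    return (fields["msgAuthoritativeEngineBoots"] == local_boots
            and abs(local_time - fields["msgAuthoritativeEngineTime"]) <= TIME_WINDOW)
```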

IDEA BEHIND THE DATA CONFIDENTIALITY (DES)

[Figure: DATA and DES-KEY are fed into the DES ALGORITHM, producing ENCRYPTED DATA.]

IDEA BEHIND ENCRYPTION

[Figure: the sender runs DATA and the USER's DES-KEY through the DES ALGORITHM and transmits the ENCRYPTED DATA; the receiver runs the ENCRYPTED DATA through the DES ALGORITHM with the same DES-KEY to recover the DATA.]

VIEW BASED ACCESS CONTROL MODEL

[Figure: an ACCESS CONTROL TABLE refers to MIB VIEWS.]

ACCESS CONTROL TABLES

ALLOWED OPERATIONS   MIB VIEW          ALLOWED MANAGERS   REQUIRED LEVEL OF SECURITY
GET / GETNEXT        Interface Table   John, Paul         Authentication
SET                  Interface Table   John               Authentication
GET / GETNEXT        Systems Group     George             None
...                  ...               ...                Encryption
...                  ...               ...                ...


MIB VIEWS

SNMPv3 RFCs

[Figure: the SNMPv3 architecture with the RFC defining each part]
SNMP entity / architecture:                      RFC 2571
Dispatcher and message processing subsystem:     RFC 2572
SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other):   RFC 2573
Security subsystem, USM:                         RFC 2574
Access control subsystem, VACM:                  RFC 2575

Recommended Reading and WEB Sites

• Subramanian, Mani. Network Management. Addison-Wesley, 2000
• Stallings, W. SNMP, SNMPv2, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999
• IETF SNMPv3 working group (Web sites)
• SNMPv3 Web sites