SNMP (slide transcript)

Date post: 19-May-2015

SNMP Management

Overview

- Growth of network size led to the need for management techniques
- Five main areas:
  - Configuration management
    - Deals with installing, initializing, and boot-loading network hardware and software
    - Also deals with modifying and tracking configuration parameters
  - Fault location and repair management
    - Concerned with tools enabling fault location in equipment, software, and/or provider lines
    - Tools have strong error and alarm characteristics

Overview

  - Security management
    - Tools are concerned with access control
    - Tools enable network managers to restrict or grant access to various network resources
  - Performance management
    - Tools provide operational statistics about the network
    - These may include bandwidth utilization or the number of packets received, transmitted, or dropped, etc.
  - Accounting management
    - Concerned with the applications enabling managers to define costs related to network resources

Network Management Tool Development

- Network management tools are essential
- The Internet Engineering Task Force (IETF) formed a group to develop tools, protocols, and database standards for TCP/IP networks
  - Result: Simple Network Management Protocol (SNMP)
- SNMP is the most commonly used protocol for collecting management data from IP networks
- SNMP is not always the best solution

SNMP Client-Server Relationship

- Manager: client program that makes virtual connections to an agent
- Agent: server program residing on a remote network device
- MIB: Management Information Base, a database defining a standard set of statistical and control values
  - The MIB can be extended by vendors with their own objects

SNMP Client-Server Relationship

- Managers and agents communicate with a simple request/response technique
- The management station issues queries or action requests to the agent
  - Queries identify the SNMP variables of interest (MIB object identifiers, or MIB variables)
  - The agent is instructed to either get the requested variable or set the requested variable
- The agent responds to the manager's commands
- The agent can be programmed to send unsolicited messages to the manager in the form of a trap
  - Traps are essentially alerts

SNMP Operation (figure only)

SNMP Versions

- Two widely deployed versions (SNMPv3 is covered later):
  - SNMPv1
    - Most popular version
    - Defined in Request for Comment (RFC) 1157
  - SNMPv2c (community-based SNMPv2, RFCs 1901-1908)
    - Updated the protocol operations (GetBulk, Inform, per-variable error reporting) and data types (e.g. 64-bit counters)
    - Keeps the SNMPv1 community-string model, so it does not improve on SNMPv1 security; the party-based security of the original SNMPv2 (RFCs 1441-1452) was dropped from SNMPv2c and later reworked into the SNMPv3 User-based Security Model

SNMP Architecture

- Network elements: network devices to be managed, such as routers, hubs, switches, computers, and printers
- Agents: software program residing on a network element; collects and stores information about the managed device
- Managed object: set of values describing manageable characteristics of a device
  - Example: the number of IP interfaces in a router is a managed object, but a specific interface is an instance of a managed object

SNMP Architecture

- MIB: collection of all managed objects for a given device
- Syntax notation: the way MIB objects are described; based on OSI's Abstract Syntax Notation One (ASN.1); machine independent
- Structure of Management Information (SMI): rules for defining managed objects using ASN.1
- Manager: issues commands and queries to managed devices; workstations that run the management application
  - Examples: Nortel's Site Manager, Nortel's Optivity, HP's OpenView

Message Types

- The only communication is between managers and agents
- Get request: the agent will return the value of the named object
- Get next request: the agent will return the next object in the MIB hierarchy (the lexicographic successor of the requested OID); repeated GetNext is how a manager walks a table without knowing its rows
- Set request: instructs the agent to set the value of a named object to a particular value; used to control managed devices
- Trap message: the agent notifies a manager of a problem as soon as it happens

SNMP and the TCP/IP Protocol Suite

- SNMP is an application layer protocol
- Interfaces to the User Datagram Protocol (UDP), not TCP
- Uses UDP port 161 for requests to the agent and UDP port 162 for traps sent to the manager

MIB

- Resides on managed devices
- The standard MIB includes objects to measure:
  - IP activity
  - TCP and UDP activity
  - IP routes
  - TCP connections
  - Interfaces
  - General system description

MIB

- Arranged in a hierarchical fashion
  - Starts from an unnamed root
  - Connected to labeled nodes
  - Children of the root form branches of the tree
- The path from the root down to an object defines the object
  - The path is called the Object Identifier (OID)
  - Example: Nortel MIB objects are under iso.org.dod.internet.private.enterprises.wellfleet = 1.3.6.1.4.1.18

MIB Object Hierarchy (figure only)

MIB

- Nodes under internet are administered by the Internet Activities Board (IAB, now the Internet Architecture Board)
- Nodes under enterprises are for vendors with device-specific information
  - Vendors obtain their enterprise node numbers from the Internet Assigned Numbers Authority (IANA)

Structure of Management Information (SMI)

- Defines rules and formats for adding or accessing objects in the Internet MIB
- Nodes (objects) are described in ASN.1
- Three categories of SMI data types:
  - Simple (INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL)
  - Application-wide (IpAddress, Counter, Gauge, TimeTicks, Opaque)
  - Simply constructed (SEQUENCE, SEQUENCE OF)

SMI Data Types (tables only)

ASN.1

- A standard notation for defining the abstract syntax of data carried by protocols, independent of any machine or programming language
- Used to define the precise function of MIB values
- Defines an object's type, access, and description

Branch Object Identifiers

- Act as placeholders for other objects
- Much like directories containing files on a PC, except they contain other objects instead of files

Two Types of Managed Objects in the MIB

- Scalar: one value per object; the single instance is addressed with a .0 suffix (e.g. sysName.0)
- Columnar: two-dimensional table made of multiple scalar objects, indexed by row and column; each cell is an instance of the column object, addressed by the column OID plus the row index

Scalar Object Definitions

- Syntax for declaring an SNMP object: template and example (figures only)

Table Types

- Identical to branch types except that the objects in the table are columns rather than scalar objects
- Each SNMP table has the Table keyword (e.g. ifTable)
- A single branch object exists beneath each table with the Entry keyword (e.g. ifEntry); this object contains the table data
- A series of SNMP objects exists within the Entry branch; the row index is appended to each column's OID in dot notation (e.g. ifDescr.1 is the ifDescr column of the row whose ifIndex is 1)

Table Types

- Template and example (figures only)

SNMP Operations - Communities

- Managers and agents send messages to each other containing commands and information
- Agents have full access to a device's configuration, so security is set up so that only selected managers can request this information
- Security is implemented through SNMP communities
  - Logical groups containing the agent and one or more managers
  - The agent checks whether the manager is in the community: in practice, whether the community name carried in the datagram matches one the agent is configured with and, optionally, whether the datagram's source address is permitted for that community

SNMP Operations - Communities

- A community is defined on the agent
- Limits access to either read-only or read-write
- Several communities with different rights can be defined, so different managers get different types of access
- Caveat: the community name is the only credential, it travels in cleartext in every datagram, and the defaults public (read-only) and private (read-write) are still widespread; treat it as a shared secret, change the defaults and restrict the permitted sources

Accessing the Agent

- The manager sends a message (datagram) to the agent
- Each SNMP datagram has fields containing:
  - SNMP version
  - The community name
  - The SNMP Protocol Data Unit (PDU)
- The PDU is the payload, or data field, containing the SNMP operation to perform
- The agent verifies that the manager is from the community it belongs to and determines what access rights, if any, it has
- If the manager is granted access, the action specified in the datagram is performed

SNMPv1 Datagram Format (figure only)

SNMP PDU

- Five types in SNMPv1:
  - GetRequest
  - GetNextRequest
  - GetResponse
  - SetRequest
  - Trap
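The datagram described under Accessing the Agent and the five PDU types above, as an added Python example that is not part of the original slides: a minimal BER encoder and decoder for SNMPv1 messages (only the RFC 1157 fields) followed by the agent-side community check. The community table, the manager addresses and the forged-source case are constructed for the demo; a real agent builds its reply from the MIB, and a v1 agent that rejects a datagram discards it silently and may emit an authenticationFailure trap.

```python
"""SNMPv1 datagram codec (RFC 1157) and the agent-side community check.
Added example, not from the slides; standard library only. The community table
and manager addresses are constructed for the demo."""

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30          # BER universal tags
GET_REQUEST, GETNEXT_REQUEST, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4  # PDU tags


def _length(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by a big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER (127 and -128 take one byte, 128 takes two)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(INTEGER, value.to_bytes(size, "big", signed=True))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return tlv(OID, bytes(out))

def encode_value(value) -> bytes:
    if value is None:
        return tlv(NULL, b"")
    if isinstance(value, int):
        return encode_int(value)
    return tlv(OCTET_STRING, value.encode() if isinstance(value, str) else value)

def build_message(community: str, pdu_type: int, request_id: int, varbinds) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, data PDU }
    PDU ::= [tag] { request-id, error-status, error-index, SEQUENCE OF { name, value } }
    varbinds is a list of (oid, value); value is None for Get and GetNext."""
    vb_list = b"".join(tlv(SEQUENCE, encode_oid(name) + encode_value(val)) for name, val in varbinds)
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, vb_list))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _read_int(buf: bytes, pos: int):
    _, body, pos = _read_tlv(buf, pos)
    return int.from_bytes(body, "big", signed=True), pos

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag: int, body: bytes):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag == NULL:
        return None
    if tag == OID:
        return decode_oid(body)
    return body                      # OCTET STRING and application types stay raw

def parse_message(datagram: bytes) -> dict:
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    version, pos = _read_int(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    request_id, pos = _read_int(pdu, 0)
    error_status, pos = _read_int(pdu, pos)
    error_index, pos = _read_int(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, name, vpos = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, vpos)
        varbinds.append((decode_oid(name), decode_value(vtag, vbody)))
    return {"version": version, "community": community.decode("latin-1"), "pdu_type": pdu_type,
            "request_id": request_id, "error_status": error_status, "error_index": error_index,
            "varbinds": varbinds}

# Constructed agent configuration: community name -> (rights, permitted manager source addresses).
COMMUNITIES = {"public": ("ro", {"192.0.2.10", "192.0.2.11"}), "n3tm0n-rw": ("rw", {"192.0.2.10"})}

def authorize(datagram: bytes, src_ip: str, communities=COMMUNITIES) -> str:
    """The agent's receive path: match the cleartext community, check the UDP source address
    against the community's manager list, and require a read-write community for SetRequest.
    Nothing here is authenticated, so a forged source address passes exactly like a real one."""
    msg = parse_message(datagram)
    entry = communities.get(msg["community"])
    if entry is None or src_ip not in entry[1]:
        return "drop: authenticationFailure"   # v1 agents discard silently and may send the trap
    if msg["pdu_type"] == SET_REQUEST and entry[0] != "rw":
        return "drop: read-only community"
    return "accept"
```

A GetRequest for sysDescr.0 with community public and request-id 1 encodes to the 40-byte datagram 30 26 02 01 00 04 06 "public" a0 19 ... 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00, which is what a packet capture of any v1 poller shows: the community name is readable at byte offset 7. The last two checks in authorize are the whole of SNMPv1 access control.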

Get and Set PDU Format and Fields (figures only)

Trap PDU Format and Fields (figures only)

SNMPv1 Security Issues

- Problem: manager access is limited only by the cleartext community name and, at best, the manager's IP address
  - SNMP runs over UDP with no handshake, so an intruder can send a datagram to the agent with a forged source IP address belonging to a manager in the agent's community (masquerading)
  - The intruder does not need to see the reply: a forged SetRequest takes effect anyway, and the GetResponse goes to the real manager, which never asked for it
- Nortel solution: Secure Mode
  - The default mode is Trivial mode
  - Secure Mode uses an encrypted exchange during Set requests
  - Manager and agent exchange a key used to decode the encrypted messages
  - An intruder without the key cannot issue Sets
  - Secure Mode cannot be used for public communities or for manager addresses of 0.0.0.0
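The masquerading problem above, and the community and address checks it defeats, as an added Python detection example that is not part of the original slides: a few rules run over constructed SNMP flow records (Sets from hosts that are not known managers, default community names, community guessing) plus the one manager-side check that does catch a forged source address, a GetResponse arriving for a request-id the manager never sent. The records, the manager addresses and the request-id bookkeeping are constructed; no vendor log format is implied.

```python
"""Detection over constructed SNMP flow records for the SNMPv1 weaknesses above.
Added example, not from the slides. Records are in the shape an SNMP-aware flow
sensor might export (one line per datagram with the decoded community and PDU);
no real product format is implied."""
import csv
import io
from collections import defaultdict

# Constructed inputs: the site's known managers and the traffic they (and an intruder) generated.
KNOWN_MANAGERS = {"192.0.2.10", "192.0.2.11"}
DEFAULT_COMMUNITIES = {"public", "private"}

FLOW_LOG = """\
ts,src,dst,dport,version,community,pdu,reqid
2015-05-19T10:00:01Z,192.0.2.10,10.0.0.1,161,1,public,get-request,1001
2015-05-19T10:00:02Z,192.0.2.10,10.0.0.1,161,1,n3tm0n-rw,set-request,1002
2015-05-19T10:00:05Z,198.51.100.7,10.0.0.1,161,1,public,get-request,7
2015-05-19T10:00:06Z,198.51.100.7,10.0.0.1,161,1,private,get-request,8
2015-05-19T10:00:06Z,198.51.100.7,10.0.0.1,161,1,admin,get-request,9
2015-05-19T10:00:07Z,198.51.100.7,10.0.0.1,161,1,cisco,get-request,10
2015-05-19T10:00:08Z,198.51.100.7,10.0.0.1,161,1,n3tm0n-rw,get-request,11
2015-05-19T10:00:09Z,198.51.100.7,10.0.0.1,161,1,n3tm0n-rw,set-request,12
2015-05-19T10:00:30Z,192.0.2.10,10.0.0.1,161,1,n3tm0n-rw,set-request,4242
"""

# The legitimate manager's own view: request-ids it really sent, and the responses it received.
# The last set-request above carried a forged 192.0.2.10 source, so its reply lands here unmatched.
MANAGER_SENT = {1001, 1002}
MANAGER_RECEIVED = """\
ts,src,dst,pdu,reqid
2015-05-19T10:00:01Z,10.0.0.1,192.0.2.10,get-response,1001
2015-05-19T10:00:02Z,10.0.0.1,192.0.2.10,get-response,1002
2015-05-19T10:00:30Z,10.0.0.1,192.0.2.10,get-response,4242
"""


def parse(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def detect(flows: list, known_managers=KNOWN_MANAGERS, brute_threshold: int = 3) -> list:
    """Return (rule, source, detail) tuples for SNMPv1 traffic that deserves a look.
    Note what is absent: a Set from a forged manager address is indistinguishable here."""
    alerts, seen = [], set()
    communities_by_src = defaultdict(set)
    for rec in flows:
        src, community, pdu = rec["src"], rec["community"], rec["pdu"]
        communities_by_src[src].add(community)
        if pdu == "set-request" and src not in known_managers:
            alerts.append(("set-from-unknown-manager", src, community))
        if community in DEFAULT_COMMUNITIES and (src, community) not in seen:
            seen.add((src, community))
            alerts.append(("default-community", src, community))
    for src, names in communities_by_src.items():
        if len(names) >= brute_threshold:          # one source trying several community names
            alerts.append(("community-guessing", src, ",".join(sorted(names))))
    return alerts


def unsolicited_responses(received: list, sent_ids: set) -> list:
    """Manager-side check for masquerading: the agent answers to the address the intruder forged,
    so the real manager sees a GetResponse for a request-id it never issued."""
    return [(r["src"], int(r["reqid"])) for r in received
            if r["pdu"] == "get-response" and int(r["reqid"]) not in sent_ids]
```

The first three rules need only the agent-side or network-side view; the fourth needs the manager's own outstanding-request table, which is why manager hosts should log responses they drop as unmatched rather than discarding them quietly.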

Standard MIB Structure

- Defined by the IETF
- Recall that a MIB object identifier number is derived from the tree structure of the MIB
- Main management functions are under iso.org.dod.internet.mgmt (1.3.6.1.2); MIB-II itself is mgmt.mib-2 (1.3.6.1.2.1)
- Vendor-specific management functions are under iso.org.dod.internet.private.enterprises (1.3.6.1.4.1)
  - Nortel (Wellfleet) was granted enterprise number 18

MIB-I and MIB-II

- SNMP was originally designed as a short-term fix; the OSI network management framework (CMIP) was intended to be the long-term solution
- SNMP became very popular
- Problem: SNMP and the OSI framework had limited compatibility, which resulted in separate, parallel development
- SNMP was improved with the development of version 2 of the MIB (MIB-II)

MIB-II Improvements

- Changes:
  - Incremental additions reflect new operational requirements
  - Improved support for multiprotocol entities
  - Textual cleanup improved clarity
- Changes were designed to keep upward compatibility with SNMP: objects carried over from MIB-I keep the same object identifiers, and MIB-II only adds new ones
- MIB-II is defined in RFC 1213

Nortel MIB Structure

- Extension of the standard MIB-II
- Nortel's router software MIB (the software is called BayRS) lives under enterprises.wellfleet.wfSwSeries7 (1.18.3 relative to private, i.e. 1.3.6.1.4.1.18.3)
- Main object groups under wfSwSeries7 are:
  - wfHardwareConfig
  - wfSoftwareConfig
  - wfSystem
  - wfLine
  - wfApplication
- These objects hold statistics and configuration information for the router

Nortel MIB Structure, wfSwSeries7 Object Groups and MIB Structure (figures only)

Nortel Agent Traps

- Trap messages are sent immediately by the agent to the manager when a given condition is met
- A short description of the condition is sent in the message; the detailed description is stored in the event log
- Trap message types:
  - Generic
  - Enterprise-specific

Generic Traps

- Defined by RFC 1157 (generic-trap values 0 to 5):
  - coldStart
  - warmStart
  - linkDown
  - linkUp
  - authenticationFailure
  - egpNeighborLoss
- authenticationFailure is the one a security team should collect: the agent received a datagram whose community name it did not accept; MIB-II's snmpEnableAuthenTraps must be enabled for the agent to send it

Nortel Enterprise Traps

- Any event that would be recorded in the router event log can be sent as an enterprise-specific trap

Configuring Nortel Trap Messages

- Three criteria:
  - Category: either generic or specific
  - Protocol entity: which protocol entities' events are to be sent
  - Event severity: specifies the severity of the event (fault, warning, etc.)

Configuring Nortel Trap Messages

- Nortel's Site Manager is used to:
  - Specify the manager that receives trap messages from the agent
  - Select the type of event for the trap
- Nortel routers have hundreds of different events
  - Events are grouped by entities
  - Entities are protocols like ATM, BGP, IP, etc.
  - Each entity has its various events categorized by severity level: Fault, Warning, Debug, Trace, Info

Configuring Nortel Trap Messages

- Example: you can tell the agent to send traps for IP protocol events with the severity level Info
- The router will then send a trap to the manager for Info level events, such as an interface IP filter dropping a packet because it met the filter criteria

SNMPv2

- SNMPv2 addresses two deficiencies in v1:
  - Lack of support for distributed network management
  - Functional deficiencies
- A third deficiency, security, is addressed only to some degree, and only by the original party-based SNMPv2 (RFCs 1441-1452), not by the widely deployed SNMPv2c
- More enhancements came in SNMPv3

SNMPv2 Distributed Network Management

- Centralized management schemes have one main management station and possibly some backups, all at one location
- Not good for large networks:
  - Many agents sending information a long way
  - Too much information entering the management workstation

SNMPv2 Distributed Network Management

- A decentralized management scheme has a hierarchy of management stations
- The top-level management station is responsible for managing all of the agents
- Intermediate management stations are deployed to directly manage some of the network's agents
- Intermediate managers relay information to the top-level manager

Distributed Network Management (figure only)

Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000

SNMPv2 Functional Enhancements

- Two new commands added:
  - InformRequest
    - Sent from one management station to another to inform it about events at the sender
    - Unlike a trap it is acknowledged with a Response, so delivery over UDP can be confirmed
    - Used to implement hierarchical management structures
  - GetBulkRequest
    - Allows a manager to retrieve a large block of data at once rather than issuing many GetNext commands
    - Good for retrieving an entire table at one time
    - Parameters: non-repeaters (how many leading variables get a single GetNext-style answer) and max-repetitions (how many successive objects to return for each of the remaining variables)
- The Get command is modified:
  - In SNMPv1, if a Get requests a list of objects and one is invalid, the entire command is rejected by the agent (error-status noSuchName, error-index pointing at the offending variable, no values returned)
  - In SNMPv2, the agent does not reject the command; it returns the valid objects and marks each invalid one in its own variable binding with an exception value (noSuchObject or noSuchInstance for Get, endOfMibView for GetNext and GetBulk)
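The Get, GetNext and Set operations under Message Types, the OID ordering under MIB, and the GetBulk and per-variable error handling above, as one added Python example that is not part of the original slides: a toy agent store keyed by real MIB-II instance names with constructed values. OIDs are held as tuples so that tuple ordering gives the lexicographic order GetNext and a walk rely on; the SNMPv2 exception names follow RFC 3416. Traps are not modelled.

```python
"""Get, GetNext, Set, walk and SNMPv2 GetBulk over a toy agent store.
Added example, not from the slides. The store holds a few real MIB-II instance
names with constructed values; OIDs are kept as tuples so Python's tuple
ordering is the lexicographic order the MIB tree is traversed in."""
import bisect


def oid(dotted: str) -> tuple:
    return tuple(int(a) for a in dotted.strip(".").split("."))

def dotted(o: tuple) -> str:
    return ".".join(map(str, o))


class Agent:
    def __init__(self, objects: dict, writable=()):
        self.data = {oid(k): v for k, v in objects.items()}
        self.keys = sorted(self.data)              # tree order: a parent sorts before its children
        self.writable = {oid(k) for k in writable}

    def _next(self, o: tuple):
        """Lexicographic successor of o, whether or not o itself exists (GetNext semantics)."""
        i = bisect.bisect_right(self.keys, o)
        return self.keys[i] if i < len(self.keys) else None

    def get_next(self, name: str):
        nxt = self._next(oid(name))
        return None if nxt is None else (dotted(nxt), self.data[nxt])

    def walk(self, subtree: str) -> list:
        """What snmpwalk does: repeated GetNext until the answer leaves the subtree."""
        root, cur, rows = oid(subtree), oid(subtree), []
        while True:
            nxt = self._next(cur)
            if nxt is None or nxt[:len(root)] != root:
                return rows
            rows.append((dotted(nxt), self.data[nxt]))
            cur = nxt

    def set_value(self, name: str, value) -> str:
        o = oid(name)
        if o not in self.data:
            return "noSuchName"
        if o not in self.writable:
            return "readOnly"                      # SNMPv1 error-status; SNMPv2 says notWritable
        self.data[o] = value
        return "noError"

    def get_v1(self, names: list) -> dict:
        """SNMPv1 Get: the first unknown name fails the whole request, nothing is returned."""
        for index, name in enumerate(names, start=1):
            if oid(name) not in self.data:
                return {"error_status": "noSuchName", "error_index": index, "varbinds": []}
        return {"error_status": "noError", "error_index": 0,
                "varbinds": [(name, self.data[oid(name)]) for name in names]}

    def get_v2(self, names: list) -> dict:
        """SNMPv2 Get: every name is answered; unknown ones carry an exception value."""
        out = []
        for name in names:
            o = oid(name)
            if o in self.data:
                out.append((name, self.data[o]))
            elif any(k[:len(o) - 1] == o[:-1] for k in self.keys):
                out.append((name, "noSuchInstance"))   # the column/object exists, this row does not
            else:
                out.append((name, "noSuchObject"))     # nothing implemented under that name
        return {"error_status": "noError", "error_index": 0, "varbinds": out}

    def get_bulk(self, names: list, non_repeaters: int, max_repetitions: int) -> list:
        """SNMPv2 GetBulk: the first non_repeaters names get one GetNext each; the remaining
        names are advanced max_repetitions times, results interleaved per repetition."""
        out = []
        for name in names[:non_repeaters]:
            nxt = self._next(oid(name))
            out.append((dotted(nxt), self.data[nxt]) if nxt else (name, "endOfMibView"))
        cursors = [oid(name) for name in names[non_repeaters:]]
        for _ in range(max_repetitions):
            for j, cur in enumerate(cursors):
                nxt = self._next(cur)
                if nxt is None:
                    out.append((dotted(cur), "endOfMibView"))
                else:
                    out.append((dotted(nxt), self.data[nxt]))
                    cursors[j] = nxt
        return out


# Constructed values for a few MIB-II instances (system and interfaces groups).
SAMPLE = Agent({
    "1.3.6.1.2.1.1.1.0": "BayRS router, constructed sysDescr",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                                  # sysUpTime.0
    "1.3.6.1.2.1.1.4.0": "noc@example.net",                       # sysContact.0
    "1.3.6.1.2.1.1.5.0": "router1",                               # sysName.0
    "1.3.6.1.2.1.2.1.0": 2,                                       # ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",                              # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",                              # ifDescr.2
    "1.3.6.1.2.1.2.2.1.8.1": 1,                                   # ifOperStatus.1 = up
    "1.3.6.1.2.1.2.2.1.8.2": 2,                                   # ifOperStatus.2 = down
}, writable=["1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.1.5.0"])
```

A walk of 1.3.6.1.2.1.1 returns the four system objects and stops at ifNumber.0; a GetBulk with non-repeaters 1 and max-repetitions 2 over sysDescr, ifDescr and ifOperStatus returns sysDescr.0 once and then the two interface rows interleaved column by column, which is the shape a table poller has to reassemble.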

Comparison of SNMPv1 and v2 PDUs (figure only)

SNMPv2 Security Enhancements

- SNMPv1 security threats addressed by (party-based) SNMPv2:
  - Disclosure: v1 had no way of restricting a third party from observing the traffic content between manager and agent; a third party (hacker) could learn passwords when the manager SETs a new password
  - Masquerade: a third party could pose as the manager and perform get/set functions on the agent
  - Modification of information: a third party could intercept and modify the content of messages between manager and agent
  - Message stream modification: a third party could intercept and modify message sequence and timing, or copy a message that reboots a router and replay it at a later time

SNMPv2 Security Enhancements

- SNMPv1 security threats not addressed by v2 (nor, later, by v3):
  - Denial of service: a hacker can prevent exchanges between manager and agent
  - Traffic analysis: a hacker observes the traffic pattern between manager and agent

SNMPv2 Security Services

- SNMPv2 adds some security enhancements over SNMPv1:
  - Privacy: protection of data from eavesdropping
  - Authentication: communicating parties can verify that messages are from whom they say they are
  - Access control: only authorized parties have access to MIBs
- How does v2 do it?
  - v2 added the ability to include an authentication code (a keyed digest over the message) so agent and manager know each other's correct identities
  - Messages can be encrypted
- SNMPv3 adds more enhancements

SNMPv2 Security Features and SNMPv2 Capability Highlight (figures only)

Source: W. Stallings, Network and Internetwork Security: Principles and Practice, Englewood Cliffs, NJ, Prentice-Hall, 1995

SNMPv3

- In 1998, RFCs 2570 through 2575 (since superseded by RFCs 3410 through 3415) added security features to SNMP while keeping backward compatibility with SNMPv1 and SNMPv2
- SNMPv3 is not a replacement for v1 and v2; it must be used with them, defining a security capability (message wrapper, User-based Security Model, View-based Access Control Model) around their PDUs and SMI
- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities

V3 Protocol Overview

- Security-related information is included inside the SNMP message
- The v3 User-based Security Model (USM) uses fields in the message header: msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime, msgUserName, msgAuthenticationParameters (the truncated HMAC over the message) and msgPrivacyParameters (the cipher salt)
- The payload of the SNMP message is the SNMPv1 or v2 protocol data unit (PDU)
- The SNMPv1 and v2 PDU formats are the same as in the original protocols
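The USM header fields above, as an added Python example that is not from the slides or from any vendor: the RFC 3414 password-to-key localization, the 96-bit HMAC that fills msgAuthenticationParameters, and the engine boots/time window the authoritative engine applies against replay. The password and engine ID are the RFC 3414 appendix A.3 test vector so the derived keys can be checked; the message bytes are a constructed stand-in with the authentication field at a known offset, not a BER-encoded SNMPv3 message.

```python
"""SNMPv3 USM building blocks: password-to-key localization (RFC 3414 A.2),
HMAC-96 message authentication, and the engine time window used against replay.
Added example, not from the slides; hashlib/hmac only. The message below is a
constructed stand-in with msgAuthenticationParameters at a known offset; the
password and engine ID are the RFC 3414 appendix A.3 test vector."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12   # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 96 bits


def password_to_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MiB); Kul = H(Ku || snmpEngineID || Ku).
    Localizing to the authoritative engine means a key recovered from one agent cannot be
    replayed against another, even though the user has one password for all of them."""
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def _mac(key: bytes, msg: bytes, offset: int, algo: str) -> bytes:
    """HMAC over the whole message with msgAuthenticationParameters zeroed, truncated to 12 bytes."""
    zeroed = msg[:offset] + bytes(AUTH_PARAMS_LEN) + msg[offset + AUTH_PARAMS_LEN:]
    return hmac.new(key, zeroed, algo).digest()[:AUTH_PARAMS_LEN]


def sign(msg: bytes, offset: int, key: bytes, algo: str = "md5") -> bytes:
    return msg[:offset] + _mac(key, msg, offset, algo) + msg[offset + AUTH_PARAMS_LEN:]


def verify(msg: bytes, offset: int, key: bytes, algo: str = "md5") -> bool:
    return hmac.compare_digest(_mac(key, msg, offset, algo), msg[offset:offset + AUTH_PARAMS_LEN])


def timely(msg_boots: int, msg_time: int, engine_boots: int, engine_time: int, window: int = 150) -> bool:
    """RFC 3414 3.2 step 7 on the authoritative side: reject if the boot counter differs, the
    clock skew exceeds 150 s, or the engine has exhausted its boot counter. A replayed message
    from an earlier boot or from more than 150 s ago fails here before any MIB access."""
    return engine_boots != 2147483647 and msg_boots == engine_boots and abs(msg_time - engine_time) <= window


# RFC 3414 A.3 vector: password "maplesyrup", snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02.
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def demo_message() -> tuple:
    """Constructed stand-in: some header bytes, a 12-by
te zero placeholder where
    msgAuthenticationParameters sits, then a fake scoped PDU. Returns (message, offset)."""
    header = b"\x30\x00v3-hdr-constructed"
    scoped_pdu = b"get sysName.0 (constructed payload)"
    return header + bytes(AUTH_PARAMS_LEN) + scoped_pdu, len(header)
```

With the RFC vector, the MD5-localized key is 52 6f 5e ed 9f cc e2 6f 89 64 c2 93 07 87 d8 2b and the SHA-1 one is 66 95 fe bc 92 88 e3 62 82 23 5f c7 15 1f 12 84 97 b3 8f 3f; a message signed under one engine's key fails verification under another engine's key derived from the same password, which is the property the community string never had.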

SNMP Protocol Architecture (figure only)

Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000

SNMP Architecture

- The architecture is a distributed, interacting collection of SNMP entities
- Entities can be agents, managers, or a combination of the two

V3 SNMP Entity

- Traditional SNMP manager:
  - Interacts with SNMP agents using Get and Set commands and receives traps
  - Interacts with other managers using InformRequest PDUs and receives Inform responses
  - Consists of some SNMP applications and an SNMP engine
  - The engine contains a security subsystem that supports the User-based Security Model

Traditional SNMP Manager (figure only)

Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000

V3 SNMP Entity

- Traditional SNMP agent:
  - Responds to incoming requests by retrieving or setting MIB objects and issuing a Response PDU
  - Generates v1 or v2 traps
  - Forwards messages between entities (the proxy forwarder application)

Traditional SNMP Agent (figure only)

Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000