Uploaded by PanoramicRutherfordium7644

Universiti Malaysia Pahang

BPE3723: INTRODUCTION TO COMPUTER NETWORK & SECURITY
Chapter 4: Network Management - SNMP

What is Network Management?
- Autonomous systems (aka "networks"): thousands of interacting hardware/software components
- Other complex systems requiring monitoring, configuration and control:
  ○ jet airplane, nuclear power plant, others?
- "Network management includes the deployment, integration and coordination of the hardware, software, and human elements to monitor, test, poll, configure, analyze, evaluate, and control the network and element resources to meet the real-time, operational performance, and Quality of Service requirements at a reasonable cost."

Components of Network Management
- Managing server: application, typically with network managers (humans) in the loop
- Managed device: equipment with manageable, configurable hardware and software components; each runs an agent
- Data: device "state" configuration data, operational data, device statistics
- Network management protocol: used by the managing server to query, configure and manage devices; used by devices to inform the managing server of events

SNMP
- A fundamental network management tool is SNMP, the Simple Network Management Protocol. SNMP, developed in 1988, is widely supported in most modern network hardware.
- Designed to be Simple - very few commands
- It's a Protocol - defined by the IETF (Internet Engineering Task Force)

SNMP & OSI Model (protocol stack, top to bottom)
  Management and Agent APIs
  SNMP
  ASN.1 and BER
  RPC and NetBIOS
  TCP and UDP
  IP and IPX
  Ethernet, Token Ring, FDDI

Port & UDP
- SNMP uses the User Datagram Protocol (UDP) as the transport mechanism for SNMP messages
- Like FTP, SNMP uses two well-known ports to operate:
  ○ UDP Port 161 - SNMP Messages
  ○ UDP Port 162 - SNMP Trap Messages

SNMP Compatible Devices
- SNMP is a tool (protocol) that allows for remote and local management of items on the network ... all SNMP compatible:
  ○ Server
  ○ Workstation
  ○ Router
  ○ Switch
  ○ Printer
  ○ More

SNMP Functionality
- Fault Management
- Configuration Management (Local / Remote)
- Accounting Management
- Performance Monitoring and Management
- Security Management

SNMP Architecture
[Diagram: SNMP Manager (NMS, Network Management System) with its MIB, connected over the network to an SNMP Agent with its MIB. The manager process sends a Request; the agent process returns a Response and can send a Trap on its own.]

SNMP Architecture: SNMP Manager
- A managed device (network element):
  ○ network node that contains an SNMP agent; resides on a managed network
  ○ Purpose: collect and store management information and make it available to NMSs using SNMP
  ○ e.g. routers and access servers, switches and bridges, hubs, computer hosts or printers
- The SNMP Manager:
  ○ is capable of querying any managed device, via polling
  ○ is capable of enforcing management decisions in the network
  ○ normally runs on very few systems compared to SNMP agents

SNMP Agent
- Small piece of code that runs on every SNMP managed device and gathers and sends data about that managed resource in response to a request from the manager
- Collects information from the network device on which it resides and stores it in the MIB
- Replies to the manager with the proper information when asked
- Can initiate communication with the SNMP manager using traps

SNMP Proxy
- A Proxy Agent is an SNMP agent that maintains information of one or more non-SNMP devices
- The Proxy Agent does the conversion of control messages
- The Proxy Agent may run some other NMS
[Diagram: SNMP Manager - Proxy Agent - SNMP Agent, with the SNMP community on one side of the proxy and the non-SNMP community on the other.]

NMS (Network Management Station)
  ○ Executes applications that monitor and control managed devices
  ○ Provides the bulk of the processing and memory resources required for network management

SNMP Internal Components
- How will management information be stored? SMI: Structure of Management Information
- What management information data will be stored? MIBs: Management Information Base
- How will information be exchanged on the network? SNMP: Simple Network Management Protocol

SNMP Message: SNMP Trap (1 of 2)
- Traps are unrequested event reports that are sent to a management system by an SNMP agent process
- When a trappable event occurs, a trap message is generated by the agent and sent to a trap destination (a specific, configured network address)
- Many events can be configured to signal a trap, like a network cable fault, a failing NIC or hard drive, a "General Protection Fault", or a power supply failure
- Traps can also be throttled: you can limit the number of traps sent per second from the agent
- Traps have a priority associated with them: Critical, Major, Minor, Warning, Marginal, Informational, Normal, Unknown

SNMP Trap (2 of 2)
  Trap 1                                                  | Trap 2
  Contains agent address                                  | Does not contain agent address
  Has information about specific trap and generic trap value | Has the Trap OID in the second varbind
  Does not have error index and status                    | Has error index and status

SNMP v1
- Communication is via SNMP Protocol Data Units (PDUs) that are typically encapsulated in UDP packets
- UDP ports 161 and 162 are the default ports reserved for SNMP
- The agent listens for requests and replies to them over port 161, and reports asynchronous traps on port 162, unless it is instructed to use different ports

SNMP v1 Protocol Data Units (PDU)
- PDU types: 0: GetRequest, 1: GetNextRequest, 2: SetRequest, 3: GetResponse, 4: Trap
- SNMPv1 General PDU Structure:
  PDU TYPE | Request ID | Error Status | Error Index | Object 1 | Value 1 | Object 2 | Value 2 | ...
  ▪ Request ID: SNMP Request-to-Response association
  ▪ Error Status: indicates one of a number of error types; set by the 'Response' operation, others set it to '0'
  ▪ Error Index: associates the error with an object instance; set by the 'Response' operation, others set it to '0'
  ▪ Object/Value pairs: data field of the SNMPv1 PDU; associates an object instance with its current value; the value is ignored for Get and GetNext
- SNMPv1 Trap PDU Structure:
  PDU TYPE | Enterprise | Agent Addr | Gen Trap | Spec Trap | Time Stamp | Object 1 | Value 1 | Object 2 | Value 2
  ▪ Enterprise: management enterprise under whose registration authority the trap was defined
  ▪ Agent Addr: the agent's IP address (for further identification)
  ▪ Generic Trap Type: 7 values are defined: coldStart(0), warmStart(1), linkDown(2), linkUp(3), authenticationFailure(4), egpNeighborLoss(5), enterpriseSpecific(6)
  ▪ Specific Trap Type: identifies a non-generic trap when the Generic Trap Type is set to 'enterpriseSpecific(6)'
  ▪ Time Stamp: time elapsed between the last network reinitialization and trap generation

Issues with SNMP v1
- Security: very low standard (password transmitted as plain text)
- No provision for authenticating the message source
  ○ For example, it does not offer authentication, which would enable an agent to ascertain the identity of a manager, or encryption, which would prevent SNMP messages from being seen by others or tampered with.
- A hacker could exploit the lack of authentication by sending unauthorized commands to a device that might alter its configuration, for example to steal service or sabotage the network
- For this reason, many agents do not allow their configuration to be modified through SNMP and limit SNMP's use to monitoring, where exposure to security holes is less critical

SNMP v2
- Improvement over SNMP v1
- Improved in the areas of performance, security features and confidentiality
- Introduces GetBulkRequest & InformRequest ... added manager-to-manager communication
- Four versions of SNMP v2:
  ○ SNMP v2p
  ○ SNMP v2c
  ○ SNMP v2u
  ○ SNMP v2*
- SNMP v2 is not backward compatible with SNMP v1

SNMP v2 Additional Operations
- Bulk Data Transfer
  ○ GetBulkRequest message was added
  ○ The manager can request multiple values from an agent via this message
  ○ ... faster retrieval of multiple records
- Manager to Manager communication
  ○ InformRequest: information sharing between two SNMP managers
- Improved error handling
  ○ SNMPv2 includes expanded error codes that distinguish the kind of error condition

SNMP v2 Protocol Data Units (PDU)
- PDU types: 0: GetRequest, 1: GetNextRequest, 2: Response, 3: SetRequest, 4: Obsolete, 5: GetBulkRequest, 6: InformRequest, 7: SNMPv2 Trap
- SNMPv2 PDU Structure (except bulk):
  PDU TYPE | Request ID | Error Status | Error Index | Object 1 | Value 1 | Object 2 | Value 2 | ...
  ▪ Request ID: SNMP Request-to-Response association
  ▪ Error Status: indicates one of a number of error types; set by the 'Response' operation, others set it to '0'
  ▪ Error Index: associates the error with an object instance; set by the 'Response' operation, others set it to '0'
  ▪ Object/Value pairs: data field of the SNMPv2 PDU; associates an object instance with its current value; the value is ignored for Get and GetNext
- SNMPv2 GetBulkRequest PDU Structure:
  PDU TYPE | Request ID | Non-Repeaters | Max Repetitions | Object 1 | Value 1 | Object 2 | Value 2 | ... | Object n | Value n

Issues with SNMP v2
- Multiple versions of SNMP v2 - no consensus
- Security: not much improvement
- Incompatibility with the earlier version
  ○ Overhead of implementing a Bilingual Manager or Proxy Server

SNMP v2 Compatibility
- Bilingual Manager
  ○ Implements both SNMP v1 and v2 interpreters in the manager
  ○ The interpreter modules do all MIB and protocol conversion to and from the SNMP agent
  ○ The SNMP PDU contains a version number to identify the frame
  ○ This method is expensive to implement and maintain
  [Diagram: Bilingual Manager containing an SNMPv1 Interpreter, an SNMPv2 Interpreter and an Agent Profile, talking to an SNMP v1 Agent and an SNMP v2 Agent.]
- Interfacing SNMP v1: Proxy Server
  ○ Requests, responses and traps from SNMP v2 agents are processed straightforwardly by the SNMP v2 manager directly
  ○ A proxy server is implemented as a front-end module to the SNMP v2 manager to allow communication with SNMP v1 agents
  [Diagram: SNMPv2 Manager with a Proxy Server front end; the proxy talks to the SNMPv1 Agent, the manager talks to the SNMPv2 Agent directly.]

SNMP v3
- A general framework for all three SNMP versions
  ○ Implements the SNMP v1 and v2 specifications along with the proposed new features
- Improved security features
- Secure remote configuration
  ○ Protection against modification of information

SNMP v3 Security
- Major security improvements of v3 over the earlier versions:
  ○ Message Integrity: ensures that data has not been modified or tampered with while in transit
  ○ Authentication: checks whether the message is from an authorized source
  ○ Encryption: encrypts the data to prevent others from seeing the content
- Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted

SNMP v3 Architecture: SNMP v3 Engine (1 of 2)
- The SNMP engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects
- Dispatcher: supports multiple concurrent SNMP messages
  ○ Sends and receives messages to and from the network
  ○ Determines the SNMP version and forwards the message to the corresponding message processing subsystem
  ○ Interface between the network and the SNMP applications

SNMP v3 Engine (2 of 2)
- Message processing subsystem
  ○ Prepares messages for sending on the network
  ○ Extracts information from received messages
- Security subsystem
  ○ Provides security services: authentication, encryption, etc.
  ○ Contains multiple subsystems
- Access Control Subsystem
  ○ Provides authorization services

SNMP v3 Applications
- Command Generator
  ○ Used to generate get-request, get-next-request, get-bulk and set-request messages
  ○ ... also processes the responses received for the sent commands
- Command Responder
  ○ Processes the get and set requests destined for it
- Notification Receiver
  ○ Receives asynchronous messages and processes them
- Notification Originator
  ○ Initiates asynchronous messages or traps
- Proxy Forwarder
  ○ Forwards requests and notifications to other SNMP engines, according to context
  ○ No matter what MO (managed object) information is contained in them

THANK YOU
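As an added example (not part of the lecture slides), the SNMPv1 General PDU layout and the "password transmitted as plain text" issue from the SNMP v1 slides can be seen directly in the bytes: a minimal BER encoder builds a GetRequest for a constructed community string "public" and the standard sysDescr.0 OID, and a small reader shows which fields a passive observer can read off the datagram. The function names and the short-form-length assumption in wire_visible are this example's own.

```python
# Added example, not from the slides: minimal BER encoder for an SNMPv1 GetRequest.
from typing import List, Tuple

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; short-form length below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (version, request-id, error fields)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:  # continuation bit set on every byte but the last
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def snmpv1_get_request(community: str, request_id: int, oids: List[str]) -> bytes:
    """SNMPv1 message: version 0 | community | GetRequest PDU (context tag 0)."""
    # Data field: one (Object, Value) pair per OID; the value is NULL for Get/GetNext.
    varbinds = b"".join(_tlv(0x30, _oid(o) + b"\x05\x00") for o in oids)
    # PDU header as on the slide: Request ID, Error Status, Error Index (0 in a request).
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))

def wire_visible(datagram: bytes) -> Tuple[int, str, int]:
    """What a passive observer reads off the datagram: version, community, PDU type.
    Assumes short-form lengths (message under 128 bytes), enough for this demo."""
    i = 2  # skip the outer SEQUENCE tag and length
    version = datagram[i + 2]
    i += 2 + datagram[i + 1]
    clen = datagram[i + 1]
    community = datagram[i + 2:i + 2 + clen].decode()
    i += 2 + clen
    return version, community, datagram[i] & 0x1F  # 0 GetRequest ... 3 GetResponse, 4 Trap

if __name__ == "__main__":
    print(wire_visible(snmpv1_get_request("public", 1, ["1.3.6.1.2.1.1.1.0"])))
```

The community string travels verbatim in the UDP payload, which is why the slides classify SNMPv1 as having no authentication and why SNMPv3's integrity, authentication and encryption services were needed.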
