09-09-23

Network Management Security
Ola Flygt
Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/
Ola.Flygt@vxu.se
+46 470 70 86 49

Outline
Basic Concepts of SNMP
SNMPv1 Community Facility
SNMPv3


The Internet Standard Management Framework
SNMP network management consists of four parts:
- Management Information Base (MIB): a map of the hierarchical order of all managed objects and how they are accessed
- Structure of Management Information (SMI): rules specifying the format used to define objects managed on the network that the SNMP protocol accesses
- SNMP Protocol: defines the format of messages exchanged by management systems and agents; specifies the Get, GetNext, Set, and Trap operations
- Security and administration capabilities: the addition of these capabilities represents the major enhancement in SNMPv3 over SNMPv2

Basic Concepts of SNMP
- An integrated collection of tools for network monitoring and control.
- Single operator interface
- Minimal amount of separate equipment. Software and network communications capability built into the existing equipment
SNMP key elements:
- Management station
- Management agent
- Management information base
- Network Management protocol: Get, Set and Notify


Management Information Bases (MIB)
- An SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database
- Information in the database is described by Management Information Bases (MIBs)
- The MIB specifies the managed objects

Management Information Bases (MIB)
- The MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1)
- ASN.1 is a formal language for describing data and its properties
- In Linux, MIB files are in the directory /usr/share/snmp/mibs
- Multiple MIB files
- MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks


Managed Objects
- Each managed object is assigned an object identifier (OID)
- The OID is specified in a MIB file.
- An OID can be represented as a sequence of integers separated by decimal points or by a text string. Example:
  1.3.6.1.2.1.4.6
  iso.org.dod.internet.mgmt.mib-2.ip.ipForwDatagrams
- When an SNMP manager requests an object, it sends the OID to the SNMP agent.

MIB Example
    ipForwDatagrams OBJECT-TYPE
        SYNTAX  Counter
        ACCESS  read-only
        STATUS  mandatory
        DESCRIPTION
            "The number of input datagrams for which this
            entity was not their final IP destination, as a
            result of which an attempt was made to find a
            route to forward them to that final destination.
            In entities which do not act as IP Gateways, this
            counter will include only those packets which were
            Source-Routed via this entity, and the Source-Route
            option processing was successful."
        ::= { ip 6 }
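An added example, not part of the slides, that resolves the slide's OID in both directions against a small constructed subset of the MIB-II tree and BER-encodes the numeric form, which is what the manager actually sends to the agent. The tree contents, the helper names and the private-enterprise sample OID in the comments are assumptions made for the example.

```python
# Added example (not from the slides): map between the numeric and symbolic
# forms of an OID using a small constructed MIB-II subset, and BER-encode the
# numeric form, which is what actually travels in the request to the agent.
MIB_TREE = {  # (parent sub-id tuple, sub-id) -> object name; constructed subset
    ((), 1): "iso",
    ((1,), 3): "org",
    ((1, 3), 6): "dod",
    ((1, 3, 6), 1): "internet",
    ((1, 3, 6, 1), 2): "mgmt",
    ((1, 3, 6, 1, 2), 1): "mib-2",
    ((1, 3, 6, 1, 2, 1), 4): "ip",
    ((1, 3, 6, 1, 2, 1, 4), 6): "ipForwDatagrams",  # ::= { ip 6 } on the slide
}

def numeric_to_symbolic(oid: str) -> str:
    """Walk from the root; sub-ids the tree does not know (e.g. an instance
    suffix such as .0) stay numeric so a partly known OID still resolves."""
    parts = tuple(int(p) for p in oid.strip(".").split("."))
    return ".".join(MIB_TREE.get((parts[:i], sub), str(sub))
                    for i, sub in enumerate(parts))

def symbolic_to_numeric(path: str) -> str:
    """Reverse lookup: each name must be a child of the prefix resolved so far."""
    prefix = ()
    for name in path.split("."):
        if name.isdigit():
            prefix += (int(name),)
            continue
        child = next((sub for (parent, sub), n in MIB_TREE.items()
                      if parent == prefix and n == name), None)
        if child is None:
            raise ValueError(f"unknown object {name!r} under {prefix}")
        prefix += (child,)
    return ".".join(map(str, prefix))

def ber_encode_oid(oid: str) -> bytes:
    """X.690 OBJECT IDENTIFIER: tag 0x06, length, first two sub-ids packed as
    40*a+b, remaining sub-ids in base-128 with continuation bits (short
    definite length form, which covers every SNMP OID in practice)."""
    subids = [int(p) for p in oid.strip(".").split(".")]
    body = bytearray([40 * subids[0] + subids[1]])
    for sub in subids[2:]:
        chunks = [sub & 0x7F]
        while sub >= 0x80:
            sub >>= 7
            chunks.append((sub & 0x7F) | 0x80)
        body.extend(reversed(chunks))
    return bytes([0x06, len(body)]) + bytes(body)
```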


Protocol context of SNMP

Proxy Configuration



SNMP v1 and v2
- Trap: an unsolicited message (reporting an alarm condition)
- SNMPv1 is connectionless since it utilizes UDP (rather than TCP) as the transport layer protocol.
- SNMPv2 allows the use of TCP for reliable, connection-oriented service.


Comparison of SNMPv1 and SNMPv2

| SNMPv1 PDU     | SNMPv2 PDU     | Direction                                       | Description                               |
|----------------|----------------|-------------------------------------------------|-------------------------------------------|
| GetRequest     | GetRequest     | Manager to agent                                | Request value for each listed object      |
| GetNextRequest | GetNextRequest | Manager to agent                                | Request next value for each listed object |
| ------         | GetBulkRequest | Manager to agent                                | Request multiple values                   |
| SetRequest     | SetRequest     | Manager to agent                                | Set value for each listed object          |
| ------         | InformRequest  | Manager to manager                              | Transmit unsolicited information          |
| GetResponse    | Response       | Agent to manager or manager to manager (SNMPv2) | Respond to manager request                |
| Trap           | SNMPv2-Trap    | Agent to manager                                | Transmit unsolicited information          |

SNMPv1 Community Facility
- SNMP Community: relationship between an SNMP agent and SNMP managers.
- Three aspects of agent control:
  - Authentication service
  - Access policy
  - Proxy service


SNMPv1 Administrative Concepts

SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2


SNMPv3 Flow

Typical SNMP Manager


Typical SNMP Agent

User Security Model (USM)
Designed to secure against:
- Modification of information
- Masquerade
- Message stream modification
- Disclosure
Not intended to secure against:
- Denial of Service (DoS attack)
- Traffic analysis

SNMPv3 Message Format with USM

USM Encryption
Authentication (using authKey):
- HMAC-MD5-96
- HMAC-SHA1-96
Encryption (using privKey):
- DES CBC
- Uses first 64 bits of the 16-octet privKey
- Last 64 bits used as IV to DES CBC
Key values not accessible from SNMP

Authoritative Engine
- SNMP messages with payloads that expect a response (Get, Set, Inform): the receiver of the message is authoritative
- SNMP messages with payloads that do not expect a response (Trap, Response, Report): the sender is authoritative

Key Localization
- Allows a single user to own keys stored in multiple engines
- Key localized to each authoritative engine using hash functions
- Avoids the problem of a single key being stored in many places
- Greatly slows brute force attack

Key Localization
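An added example, not from the slides, of the USM key handling behind the "USM Encryption" and "Key Localization" slides: RFC 3414's password-to-key expansion, the per-engine localization hash, the 96-bit HMAC truncation and the privKey split for DES CBC. The algorithms and the "maplesyrup" test vector are the RFC's; the function names and the salt remark in the comments are this example's own.

```python
# Added example (not from the slides): the RFC 3414 USM key derivation behind
# the "USM Encryption" and "Key Localization" slides. Password-to-key and the
# localization hash are the RFC's algorithms; the values at the bottom are the
# RFC's own "maplesyrup" vector, not measured on any device.
import hashlib
import hmac

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1,048,576 octets.
    The oversized input is what makes each guess costly, which is the
    'greatly slows brute force attack' point on the slide."""
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one user password yields a different
    key per authoritative engine, so a key recovered from one agent does not
    authenticate or decrypt traffic to any other."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def hmac_96(auth_key: bytes, whole_msg: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA1-96: the full HMAC truncated to its first 12 octets
    (the value carried in msgAuthenticationParameters)."""
    return hmac.new(auth_key, whole_msg, hash_name).digest()[:12]

def des_key_and_pre_iv(priv_key: bytes) -> tuple:
    """Split the 16-octet privKey as the slide describes: first 64 bits are the
    DES key, last 64 bits form the CBC IV (RFC 3414 XORs them with a per-message
    salt before use)."""
    if len(priv_key) != 16:
        raise ValueError("USM DES privKey must be 16 octets")
    return priv_key[:8], priv_key[8:]

# RFC 3414 A.3.1 vector: password "maplesyrup", 12-octet engine ID ending in 02
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KU_MD5 = password_to_key(b"maplesyrup", "md5")    # 9faf3283884e92834ebc9847d8edd963
KUL_MD5 = localize_key(KU_MD5, ENGINE_ID, "md5")  # 526f5eed9fcce26f8964c2930787d82b
```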

Timeliness
- Determined by a clock kept at the authoritative engine
- When the authoritative engine sends a message, it includes the current clock value
- The nonauthoritative agent synchronizes on the clock value
- When the nonauthoritative engine sends a message, it includes the estimated destination clock value
- These procedures allow assessing message timeliness
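An added example, not part of the slides, of the timeliness checks each engine role applies to an authenticated message, written to the RFC 3414 rules the slide summarises: the 150-second window, the engine boots counter and the cache-update rule come from the RFC, not from the slide, and the clock values are constructed.

```python
# Added example (not from the slides): RFC 3414 timeliness checks for the two
# engine roles. Window, boots counter and synchronization rule are the RFC's;
# all clock values used with these functions are constructed.
from dataclasses import dataclass

TIME_WINDOW = 150          # seconds, RFC 3414 section 2.2.3
MAX_BOOTS = 2147483647     # boots counter exhausted: engine must refuse traffic

@dataclass
class EngineClock:
    boots: int  # snmpEngineBoots: restarts of the authoritative engine
    time: int   # snmpEngineTime: seconds since its last restart

@dataclass
class PeerClock:
    """A nonauthoritative engine's cached view of one remote engine's clock
    (a real implementation also advances `time` with the local clock)."""
    boots: int = 0
    time: int = 0
    latest_received: int = 0

    def synchronize(self, msg_boots: int, msg_time: int) -> bool:
        """RFC 3414 step 7a: advance the cache only on an authenticated message
        carrying a newer boots value, or a later time for the same boots."""
        if msg_boots > self.boots or (msg_boots == self.boots
                                      and msg_time > self.latest_received):
            self.boots, self.time, self.latest_received = msg_boots, msg_time, msg_time
            return True
        return False

def authoritative_is_timely(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Receiver is authoritative (Get, Set, Inform): the sender's estimate of our
    clock must match our boots count and lie within +/-150 s of our time."""
    if local.boots == MAX_BOOTS:
        return False
    return msg_boots == local.boots and abs(local.time - msg_time) <= TIME_WINDOW

def nonauthoritative_is_timely(cached: PeerClock, msg_boots: int, msg_time: int) -> bool:
    """Sender is authoritative (Response, Trap, Report): the message clock must
    not lag the cached clock by more than 150 s; a later value is fine."""
    if cached.boots == MAX_BOOTS or msg_boots != cached.boots:
        return False
    return msg_time >= cached.time - TIME_WINDOW
```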

View-Based Access Control Model (VACM)
VACM has two characteristics:
- Determines whether access to a managed object should be allowed.
- Makes use of a MIB that:
  - Defines the access control policy for this agent.
  - Makes it possible for remote configuration to be used.

Access control decision

SNMPv3 Security
SNMPv3 solves SNMP security problems, right? NOT!
Decent security implementation, but reality is:
- SNMPv1 still holds ~95% of the market (2005)
- Even SNMPv2 not widely deployed
- Upgrading to SNMPv3 is difficult and costly (sort of like moving from WinXP to WinVista all at once)
- There is the issue of proxies and foreign clients
SNMPv3 is the clear long-term choice
