i c 3-2: network security

IC3-2: Network security

Part 1 - A general overview of network security

Outline>Network Topologies>Network Addressing>LANs>MANs>WANs

Ethernet>IEEE 802.3, technology originated from

Xerox Corp.>Data packaged into frames>Network Interface Card (NIC)>CSMA/CD

>Carrier Sense>Multiple Access>Collision Detection

Network Cabling>Cabling

>Thick Ethernet – 10BASE-5>Thin Ethernet – 10BASE-2>Shielded & Unshielded Twisted Pair (STP,

UTP) – 10BASE-T (Cat 3) 100BASE-T (Cat 5)>Fibre Optic – Gigabit Ethernet>Wireless LAN

>TCP/IP Layer 1

1 Physical2 DataLink3 Network

4 Transport5 Session

6 Presentation7 Application

Cabling in OSI Protocol Stack

Cabling

Cabling Issues> Physical Environment

> Trunking> Network Closets> Risers

> Physical Environment - Issues> Single or multi-occupancy> Access Control to floor building> Network passes through public areas> Network infrastructure easily accessible > Network infrastructure shares facilities> Electromagnetic environment

Thin Ethernet> Short overall cable runs.> Vulnerability: information broadcast to all

devices.> Threat: Information Leakage, Illegitimate Use

> Vulnerability: One cable fault disables network> Threat: Denial of Service

> Easy to install & attach additional devices> Vulnerability: Anyone can plug into hub.

> Threat: Illegitimate Use.> Rarely seen now.

Thin Ethernet

UTP and Hub> Cable between hub and device is a single

entity> Only connectors are at the cable ends> Additional devices can only be added at the

hub> Disconnection/cable break rarely affects other

devices> Easy to install

hub

10/100BASE-T

UTP

Other Layer 1 options> Fibre Optic

> Cable between hub and device is a single entity> Tapping or altering the cable is difficult> Installation is more difficult> Much higher speeds

> Wireless LAN> Popular where building restrictions apply.> Several disadvantages

> Radio signals are subject to interference, interception, and alteration.

> Difficult to restrict to building perimeter.> Security must be built in from initial network design.

Hubs> Data is broadcast to everyone on the hub

> Vulnerability: information broadcast to all devices.> Threat: Information Leakage, Illegitimate Use

> Vulnerability: Anyone can plug into hub.> Threat: Illegitimate Use.

> TCP/IP Layer 1> Intelligent Hubs

> Signal regeneration.> Traffic monitoring.> Can be configured remotely.




Hubs in OSI Protocol Stack

Cabling, Hubs

Ethernet Addressing >Address of Network Interface Card>Unique 48 bit value

>first 24 bits indicate vendor .>For example, 00:E0:81:10:19:FC

>00:E0:81 indicates Tyan Corporation>10:19:FC indicates 1,055,228th NIC

>Media Access Control (MAC) address

IP Addressing> IP address is 32 bits long > Usually expressed as 4 octets separated by

dots> 62.49.67.170

> RFC 1918 specifies reserved addresses for use on private networks.

> 10.0.0.0 to 10.255.255.255> 172.16.0.0 to 172.31.255.255> 192.168.0.0 to 192.168.255.255

> Many large ranges assigned> 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck

IP address to Ethernet address>Address Resolution Protocol (ARP)

>Layer 3 protocol>Maps IP address to MAC address

>ARP Query>Who has 192.168.0.40? Tell 192.168.0.20

>ARP Reply>192.168.0.40 is at 00:0e:81:10:19:FC

>ARP caches for speed>Records previous ARP replies>Entries are aged and eventually discarded

ARP Query & ARP Reply

Web BrowserIP 192.168.0.20

MAC 00:0e:81:10:17:D1Web Server

IP 192.168.0.40MAC 00:0e:81:10:19:FC

(1) ARP QueryWho has

192.168.0.40?

(2) ARP Reply192.168.0.40 is at 00:0e:81:10:19:FC

hub

10/100BASE-T

Switches>Switches only send data to the intended

receiver.>Builds an index of which device has

which MAC address.

switch

10/100BASE-T

00:0e:81:10:19:FCMAC address

2 00:0e:81:32:96:af

Device 1

3 00:0e:81:31:2f:d74 00:0e:81:97:03:058 00:0e:81:10:17:d1

Switch Operation>When a frame arrives at switch

>Switch looks up destination MAC address in index.

>Sends the frame to the device in the index that owns that MAC address.

>Switches are often intelligent:>Traffic monitoring, remotely configurable.

>Switches operate at Layer 2.




Switches in OSI Protocol Stack

Cabling,HubsSwitches

ARP Vulnerability>ARP spoofing

>Masquerade threat>Gratuitous ARP>ARP replies have no proof of origin>A malicious device can claim any MAC

address>Enables all fundamental threats

Before ARP spoofingIP 192.168.0.20

MAC 00:0e:81:10:17:d1

IP 192.168.0.40MAC 00:0e:81:10:19:FC

AttackerIP 192.168.0.1

MAC 00:1f:42:12:04:72

switch

MAC addressIP address 00:0e:81:10:19:FC192.168.0.40

192.168.0.1 00:1f:42:12:04:72

MAC addressIP address 00:0e:81:10:17:d1192.168.0.20

192.168.0.1 00:1f:42:12:04:72

After ARP spoofingIP 192.168.0.20

MAC 00:0e:81:10:17:d1

IP 192.168.0.40MAC 00:0e:81:10:19:FC


MAC 00:1f:42:12:04:72

switch

MAC addressIP address 192.168.0.40192.168.0.1 00:1f:42:12:04:72


(2) Gratuitious ARP192.168.0.20 is at00:1f:42:12:04:72

(1) Gratuitious ARP192.168.0.40 is at00:1f:42:12:04:72

00:1f:42:12:04:72

00:1f:42:12:04:72

Effect of ARP spoofingIP 192.168.0.20

MAC 00:0e:81:10:17:d1

IP 192.168.0.40MAC 00:0e:81:10:19:FC


MAC 00:1f:42:12:04:72

switch



IP datagramDest: 192.168.0.40

MAC: 00:1f:42:12:04:72

00:1f:42:12:04:72

00:1f:42:12:04:72

MAC addressIP address Attackers relay index

00:0e:81:10:19:FC192.168.0.40192.168.0.20 00:0e:81:10:17:d1

Switch Vulnerability>MAC Flooding

>Malicious device connected to switch>Sends multiple Gratuitous ARPs>Each ARP claims a different MAC address>When index fills, some switches revert to

hub behaviour

switch

00:0e:81:10:19:FCMAC address

4 00:0e:81:32:96:af

Device 1

4 00:0e:81:32:96:b1… …4 00:0e:81:32:97:a4

12

4

9999

44 00:0e:81:32:96:b03 4

Safeguards?>Physically secure the switch>Switches should failsafe when flooded

>Threat: Denial of Service>Arpwatch: monitors MAC to IP address

mappings>Switch port locking of MAC addresses

>Prevents ARP spoofing>Reduces flexibility

IP Routers>Routers support indirect delivery of ip

datagrams.>Employing routing tables.

>Information about possible destinations and how to reach them.

>Three possible actions for a datagram>Sent directly to destination host.>Sent to next router on way to known

destination.>Sent to default router.

>IP Routers operate at Layer 3.

Routers in OSI Protocol Stack




Cabling,HubsSwitchesRouters

InternetRouters

switch

Router

switch

Router

192.168.1.10

192.168.1.11192.168.0.40192.168.0.254

62.49.147.170

62.49.147.169IP address 192.168.0.20

Subnet 255.255.255.0Default router 192.168.0.254

InternetRouters

switch

Router

switch

Router

192.168.1.10

192.168.1.11192.168.0.40192.168.0.254

62.49.147.170

62.49.147.169


IP address 192.168.0.20


192.168.1.254

VLANs>VLAN is a virtual LAN.>Switch is configured to divide up

devices into VLANs.

>Device on one VLAN can’t send to deviceson another VLAN. switch

VLANs & Routers>How to get from one VLAN to another?

>Connect them with a router.

switch

Router

Secure?

D

CLayer 3…

192.168.0.2

Network 192.168.0.0

Network 192.168.1.0

192.168.1.1

192.168.1.2

A192.168.0.1

B

Secure?

switch

DC

Layer 2…

At Layer 3, the switch is “invisible”At Layer 2, the switch becomes “visible”

AB

TCP handshaking>Each TCP connection begins with three

packets:>A SYN packet from sender to receiver.

>“Can we talk?”>An SYN/ACK packet from receiver to sender.

>“Fine – ready to start?”>An ACK packet from sender to receiver.

>“OK, start”

TCP HandshakingTCP Packet

SYN flag

IP datagramSrc: 192.168.0.20

Dest: 192.168.0.40TCP Packet

SYN & ACK flag


Dest: 192.168.0.20TCP Packet

ACK flag


Dest: 192.168.0.40

192.168.0.20192.168.0.40

“Can we talk?”

“Fine, ready to start?”

“OK, start”

Tracking TCP handshakes>The destination machine has to track

which machines it has sent a “SYN+ACK” to

>Keeps a list of TCP SYN packets that have had a SYN+ACK returned.

>When ACK is received, packet removed from list as connection is open.

TCP Denial Of Service> What if the sender doesn’t answer with an

ACK?> A SYN packet from sender to receiver.

> “Can we talk?”> An SYN/ACK packet from receiver to sender.

> “Fine – ready to start?”> ………………..nothing…………..……

> If the sender sends 100 SYN packets per second> Eventually receiver runs out of room to track the

SYN+ACK replies> SYN flooding.

IP Spoofing>A machine can place any IP address in

the source address of an IP datagram.>Disadvantage: Any reply packet will

return to the wrong place.>Advantage (to an attacker): No-one

knows who sent the packet.>If the sender sends 100 SYN packets per

second with spoofed source addresses….

TCP Denial of Service

TCP PacketSYN flag


Dest: 192.168.0.40

TCP PacketSYN & ACK flag

IP datagramSrc: 192.168.0.20Dest: 62.49.10.1

192.168.0.20192.168.0.40

“Can we talk?”

“Fine, ready to start?”

TCP PacketSYN flag


Dest: 192.168.0.40

TCP PacketSYN flag


Dest: 192.168.0.40

TCP PacketSYN flag


Dest: 192.168.0.40







TCP/IP Ports> Many processes on a single machine may be

waiting for network traffic.> When a packet arrives, how does the transport

layer know which process it is for?> The port allows the transport layer to deliver

the packet to the application layer.> Packets have source and destination port.

> Source port is used by receiver as destination of replies.

Port Assignments>Well known ports from 0 to 1023

>http=port 80>smtp=port 25>syslog=port 514>telnet=23>ssh=22>ftp=21 + more…

>Registered ports from 1024 to 49151>Dynamic or private ports from 49152 to

65535

Port Multiplexing

putty

Transport Layer

Internet Layer

Network Layer

Physical Network

telnet

Transport Layer

Internet Layer

Network Layer

Message

Packet

Datagram

Frame

Host A Host Bie net

scape apachePort 80Port 23Port

2077Port 2076 Port

2078

Ports in Action

switch

HTTP messageGET index.html

www.localserver.orgTCP Packet

Src Port: 2076Dest Port: 80IP datagram

Src: 192.168.0.20Dest: 192.168.0.40

HTTP messageContents of index.htmlTCP PacketSrc Port: 80

Dest Port: 2076IP datagram

Src: 192.168.0.40Dest: 192.168.0.20

192.168.0.20 192.168.0.40

TELNET message

TCP PacketSrc Port: 2077Dest Port: 23IP datagram

Src: 192.168.0.20Dest: 192.168.0.40

TELNET message

TCP PacketSrc Port: 23


Src: 192.168.0.40Dest: 192.168.0.20

Network Sniffers> Network Interface Cards normally operating in

non-promiscuous mode.> Only listen for frames with their MAC address

> A sniffer changes a NIC into promiscuous mode.> Reads frames regardless of MAC address.

> Many different sniffers> tcpdump> ethereal> Snort

Sniffing legitimately>Do they have legitimate uses?

>Yes … when used in an authorised and controlled manner.

>Network analyzers or protocol analyzers.>With complex networks, they are used for

fault investigation and performance measurement.

>Useful when understanding how a COTS product uses the network.

Detecting Sniffers>Detecting an sniffing attack>Very difficult, but sometimes possible

>Tough to check remotely whether a device is sniffing. Approaches include:

> Sending large volumes of data, then sending ICMP ping requests.

> Sending data to unused IP addresses and watching for DNS requests for those IP addresses.

> Exploiting operating system quirks.>AntiSniff, Security Software Technologies

Sniffer Safeguards>Preventing attacks or limiting their

effects>Basically a matter of network and system

design security>Examples of safeguards are:

>Use of non-promiscuous interfaces.>Encryption of network traffic.>One-time passwords e.g. SecurId, skey.>Lock MAC addresses to switch ports – not

effective.

Networks at the building level>New Threats

>Backbone which connects LANs>Interconnections between the LAN and the

backbone>Control of information flow within a larger

network>Network Management itself

Backbone

HumanResources

Finance

Sales

Development

Network Backbone Threats 1>Backbone carries all inter-LAN traffic>Confidentiality

>All data could be eavesdropped>Integrity

>Any errors could affect all the network traffic

>Availability>Loss of backbone means that workgroups

would be unable to communicate with each other

Network Backbone Threats 2>Overview of Threats

>Point of interconnection between workgroup and backbone is a sensitive area

>From security viewpoint it:>Provides a point of access to the backbone>Provides a point of access to all the data

associated with a workgroup>Damage at this point could affect both the

workgroup and the backbone

Network Management>An overview

>Management of complex networks is a difficult task

>Specialised tools are available (including HP OpenView, IBM Netview, Cabletron Spectrum, Sun NetManager)

Fault Handling> Without network management, faults will:

> Disrupt network operation> Require substantial effort to identify> Require a long time to repair

> Network Management facilities combined with intelligent devices allows:> Faults to be handled / identified locally> Alert messages to be raised and gathered centrally> Appropriate actions to be taken

Further Integration>Physical Network

>Cable Management Systems>Actual device locations

>Servers and Workstations>Servers disk space monitoring>Printer status

LAN Safeguards - 1> Partitioning

> With a building network there will be different types of information being processed

> Some types of data will require extra protection e.g.> Finance> Personnel / Human Resources> Internal Audit> Divisional heads

> Two situations where extra controls are needed> Physically separate group or team> Widely distributed group of staff

LAN Safeguards - 2>Partitioning

>Network configured so that:>Group workstations cabled to their own switch>Switches programmed to restrict data flow onto

the backbone>Add a Firewall

>Control use of any network services>Control systems that can be contacted

LAN Safeguards – 3> Other Considerations

> If workgroup users are not located in a single area, different measures must be adopted

> In most cases, addressing is used to control traffic flow but does not prevent traffic being read in transit

> Higher level of security can be provided by encryption, but:

> Does encryption mechanism understand the network protocol?

> What is the performance impact of encryption?> How are encryption keys generated, distributed, and

stored?> Will a workstation on the encrypted workgroup be able

to communicate with an unencrypted server?

MAN>Metropolitan Area Network>New Environment

>A network which encompasses several closely located buildings (sometimes also called a campus network)

>Such expanded network environments bring additional security concerns:

>Network exposed to outside world>Problems of scale

MAN example

Building A

Building B

Building C

MAN - 2>Exposure to outside world

>Network has left the security of the building>Small scale may rule out encryption>New risks must be assessed

>Private or public areas>Investigate constraints on solution

>e.g. buried or elevated links>May need non-physical links

>e.g. Laser, infra-red, microwave

MAN - 3>Problem of scale

>Information flow must be controlled, and faulty network components (in one building) must not affect other buildings, so:

>Filters / bridges / firewalls will be needed>Network Information Centre (NIC) is

required>Normally a second level backbone is used

WAN - 1>Wide Area Network

>National or International network>Threats Become More Significant:

>Sensitive data (including passwords) much more widely transmitted

>Switched network rather than point-to-point>Change management errors >Dark-room equipment sites>Unauthorised access to network links>Traffic flow monitoring (is this an issue?)

Global WAN

http://www.plcmc.org/forkids/mow/default.asp

WAN - 2>Impact of different media

>Fibre>Minimal external radiation>Special equipment required for tapping>Normally a tap causes disruption of service

>Satellite, radio, or microwave>Extensive external radiation>Special (but easily available) equipment needed

for tapping>Tapping does not disrupt services>Carrier MIGHT provide some encryption

WAN - 3>Partitioning Networks - Physical

Separation>Provides good separation>Conceptually easy to understand>Legacy approach - in the days when

adequate logical separation was not possible

>Still done in very secure networks>Sharing data is difficult and uncontrolled>Costly

WAN - 4>Partitioning Networks - Logical

Separation>Closed User Groups

>Multiple virtual networks on one physical one>Based on network addresses>Managed by the Network Management Centre

(NMC)>PVCs (Permanent Virtual Circuits)>Cryptography

WAN - 5>Data Confidentiality

>Choice of physical media>Network Partitioning>Link Encryption (Layer 2)>End-to-end Encryption (Layer 4)>Key and equipment management issues

WAN - 6>Link Encryption

>For individual links>Protocol Independent>Throughput is not normally an issue>Moderate cost (£700-£1000 per unit)

>But Link Encryption for Larger Networks>Is expensive>Is a management burden>Data is not protected inside switches

WAN – 7>Conditions of Connection (COC)

>Very powerful tool for Network Services Dept. when it does not have direct authority

>Details users’ responsibilities>Responsible for security of their end systems>Comply with COC’s standards>Control access to end-systems and equipment>Protect user-ids, passwords etc.>Become security aware>Support tests investigations etc .

>User management signs up to it before getting the network service

Internet> Internet connection prerequisite for most

corporations> Web browsing, email, file transfer> Increasingly used for business critical applications> Possible to replace expensive WAN link with

Internet VPN link> Threats Become Critical

> Route of sensitive data not guaranteed> Availability not guaranteed

> Denial of service attacks are real risk> Any Internet host can probe any other host > Plenty of malicious content (viruses, trojans,

pornography)

Internet Safeguards>Firewalls to filter IP traffic>DeMilitarized Zones to isolate Internet-

facing machines from internal networks>Content filters to filter email & web

traffic content>VPNs to protect critical applications>Vital to understand how applications

communicate, to understand whether risk exists.

IS3-2: Network security

Part 2 - Network management security

Outline>The subject is divided into the following:

> Introduction> SNMP overview> SNMP security

1 Introduction>Network management protocols enable

on-line management of computers & networks.

>They support:>configuration management,>accounting,>event logging,>help with problem diagnosis.

>They are application layer protocols.

Management security>Two aspects of network management

security (as defined in ISO 7498-2):>management of security - support provided

by network management protocols for provision of security services, and

>security of management - means for protecting network management communications.

Internet SNMP overview>The Simple Network Management

Protocol (SNMP) is part of the Internet network management system.>Version 1 (1990/91) is specified in RFCs

1155-1157, and 1212/1213.>Version 2 (1993), with some security

features , is specified in RFCs 1441-1448.>Version 3 (1999), with more complete

security features in RFCs 2570-2576

SNMP V1 Architecture

UDP

Physical Network

Manager

IP

SNMP

Network

Central MIB

UDP

Agent

IP

SNMP

Network

Agent MIB

Architectural model>Model based on

>a network management station (a host system running SNMP, with management s/ware)

>many network elements (hosts, routers, gateways, servers).

>Management agent at a network device implements SNMP>provides access to the Management

Information Base (MIB).

SNMP managementManagement Station

NetworkElements

Connectionless Protocol>Because V1 uses UDP, SNMP is a

connectionless protocol >No guarantee that the management traffic

is received at the other entity >Advantages :

>reduced overhead >protocol simplicity

>Drawbacks : >connection-oriented operations must be built into

upper-layer applications, if reliability and accountability are needed

>V2 & V3 can use TCP.

SNMP Operations> SNMP provides three simple operations :

> GET : Enables the management station to retrieve object values from a managed station

> SET : Enables the management station to set object values in a managed station

> TRAP : Enables a managed station to notify the management station of significant events

> SNMP allows multiple accesses with a single operation

SNMP Protocol Data Units> Get Request : Used to obtain object values from

an agent > Get-Next Request : Similar to the Get Request,

except it permits the retrieving of the next object instance (in lexicographical order) in the MIB tree

> Set Request : Used to change object values at an agent

> Response : Responds to the Get Request, Get-Next Request and Set Request PDUs

> Trap : Enables an agent to report an event to the management station (no response from the manager entity)

SNMP Port Numbers>The UDP port numbers used for SNMP

are : 161 (Requests) and 162 (Traps)

>Manager behaviour : >listens for agent traps on local port 162 >sends requests to port 161 of remote agent

>Agent behaviour : >listens for manager requests on local port

161 >sends traps to port 162 of remote manager

SNMP messages

SNMP messageGET-REQUEST

UDP datagramSrc Port: 3042Dest Port: 161IP datagram

Src: 192.168.0.20Dest: 192.168.0.254

192.168.0.40

192.168.0.254

192.168.1.254

192.168.2.254

192.168.254.254

SNMP messageGET-REQUEST reply

UDP datagramSrc Port: 161


Src: 192.168.0.254Dest: 192.168.0.20

SNMP Message Format> All V1 SNMP PDUs are built in the same way :

> Community - local concept, defined at each device

> SNMP community = set of SNMP managers allowed to access to this device

> Each community is defined using a unique (within the device) name

> Each manager must indicate the name of the community it belongs in all get and set operations.

Version Community SNMP PDU

Trap Examples> Cisco router traps

> authentication> device is the addressee of an SNMP protocol message that is not

properly authenticated. (SNMPv1 - incorrect community string)> linkup

> device recognizes that one of the communication links represented in the agent's configuration has come up.

> linkdown> device recognizes a failure in one of the communication links

represented in the agent's configuration.> coldstart

> device is reinitializing itself so that the configuration may be altered.

> warmstart> device is reinitializing itself, but the configuration will not be

altered.

Base SNMP Security Mechanisms>The basic SNMP Version 1 standard

provides only trivial security mechanisms, based on: >Authentication Mechanism >Access mode Mechanism

Authentication Mechanism> Authentication Service: assure the destination

that the SNMP message comes from the source from which it claims to be

> Based on community name, included in every SNMP message from a management station to a device

> This name functions as a password : the message is assumed to be authentic if the sender knows the password

> No encryption of the community name

SNMP V1 Key Vulnerability>If an attacker can view the community

string>They can masquerade as a member of the

community by including the community string in SNMP messages.

>The attacker may be able to manage any agent that shares that community string.

Access Mode Mechanism>Based on community profiles >A community profile consists of the

combination of : >a defined subset of MIB objects (MIB view) >an access mode for those objects (READ-

ONLY or READ-WRITE) >A community profile is associated to

each community defined by an agent

Security threats>Two primary threats:

>data modification - to an SNMP message,>masquerade - impersonator might send

false SNMP messages.>Two secondary threats:

>message stream modification - reordering, replay and/or delay of SNMP messages,

>eavesdropping - on SNMP messages.

Security services>Identified security services to meet

threats:> data origin authentication,> data integrity,> message sequence integrity,> data confidentiality,> message timeliness & limited replay

protection

User-based Security Model>A User, identified by UserName holds:

>Secret keys>Other security information such as

cryptographic algorithms to be used.>SNMP V3 entities are identified by

snmpEngineID.>Each managed device or management

station has an snmpEngineID

Authoritative SNMP entities>Whenever a message is sent, one entity

is authoritative.>For get or set, receiver is authoritative.>For trap, response or report, sender is

authoritative.>Authoritative entity has:

>Localised keys>Timeliness indicators

Timeliness Indicators>Prevent replay of messages.>Each authoritative entity maintains a

clock.>A non-authoritative entity has to

retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.

>Messages can arrive within 150 seconds of their generated time.

Keys>Keys generated from user password.>User provides password to all entities.>Each entity generates a key from the

password and generates two further keys using the entities snmpEngineID.>One for authentication>One for confidentiality

Data Integrity and Authenticity> Generate a cryptographic “fingerprint” of any

message to be protected. > Send the “fingerprint” with the message.

> Derive two temporary keys K2, K3 from localized user key K1.

> Compute T = Hash(K3 | SNMP Msg)> Compute M = Hash(K2 | T)> First 96 bits of M are the MAC (Message

Authentication Code)> Must support HMAC-MD5-96, may support

HMAC-SHA-96

Data Confidentiality>DES in Cipher Block Chaining mode.>Second localised key.>Has to be used together with Data

Integrity and Authenticity.

Management of SNMP security>Following data needs to be managed:

>secret (authentication and privacy) keys,>clock synchronisation (for replay detection),>SNMP party information.

>SNMP can be used to provide key management and clock synchronisation.

>After manually setting up some SNMP parties, rest can be managed using SNMP.

i c 3-2: network security

Documents