SNMP Management
Overview

- Growth of network size led to the need for management techniques
- Five main areas:
  - Configuration management
    - Deals with installing, initializing, and boot-loading network hardware and software
    - Also deals with modifying and tracking configuration parameters
  - Fault location and repair management
    - Concerned with tools enabling fault location in equipment, software, and/or provider lines
    - These tools are built around error reporting and alarms
  - Security management
    - Tools are concerned with access control
    - Tools enable network managers to restrict or grant access to various network resources
  - Performance management
    - Tools provide operational statistics about the network
    - These may include bandwidth utilization or the number of packets received, transmitted, or dropped, etc.
  - Accounting management
    - Concerned with the applications enabling managers to define costs related to network resources
Network Management Tool Development

- Network management tools are essential
- The Internet Engineering Task Force (IETF) formed a group to develop tools, protocols, and database standards for TCP/IP networks
  - Result: the Simple Network Management Protocol (SNMP)
- SNMP is the most commonly used protocol for collecting management data from IP networks
- SNMP is not always the best solution
SNMP Client-Server Relationship

- Manager: a client program that makes virtual connections to an agent
- Agent: a server program residing on a remote network device
- MIB (Management Information Base): a database defining a standard set of statistical and control values
  - The MIB can be extended by vendors with their own objects
- Managers and agents communicate with a simple request/response technique
  - The management station issues queries or action requests to the agent
  - Queries identify the SNMP variables of interest (MIB object identifiers, or MIB variables)
  - The agent is instructed either to get the requested variable or to set it
  - The agent responds to the manager's commands
- The agent can be configured to send unsolicited messages to the manager in the form of a trap
  - Traps are essentially alerts
SNMP Versions

- Two widely deployed versions (at the time of these slides):
  - SNMPv1
    - Most popular version
    - Defined in Request for Comments (RFC) 1157
  - SNMPv2, in practice SNMPv2c ("community-based SNMPv2", RFC 1901 to 1908)
    - Updated the protocol operations (GetBulk, Inform) and data types (e.g. Counter64)
    - Caveat: SNMPv2c does not improve on SNMPv1 security. It still authenticates every request with a cleartext community string. The security model of the original party-based SNMPv2 (RFC 1441 to 1452) was never widely deployed; security was only fixed in SNMPv3.
SNMP Architecture

- Network elements: the network devices to be managed, such as routers, hubs, switches, computers, and printers
- Agents: software programs residing on a network element; they collect and store information about the managed device
- Managed object: a set of values describing manageable characteristics of a device
  - Example: the number of IP interfaces in a router is a managed object, but a specific interface is an instance of a managed object
- MIB: the collection of all managed objects for a given device
- Syntax notation: the way MIB objects are described
  - Based on OSI's Abstract Syntax Notation One (ASN.1)
  - Machine independent
- Structure of Management Information (SMI): the rules for defining managed objects using ASN.1
- Manager: issues commands and queries to managed devices
  - Workstations that run the management application
  - Examples: Nortel's Site Manager, Nortel's Optivity, HP's OpenView
Message Types

- The only communication is between managers and agents
- Get request: the agent returns the value of the named object
- Get next request: the agent returns the object that follows the named one in the MIB's lexicographic OID order; this is how a manager walks a table without knowing its row indexes in advance
- Set request: instructs the agent to set the value of a named object to a particular value; used to control managed devices
- Each request is answered by a GetResponse PDU carrying the values or an error status
- Trap message: the agent notifies a manager of a problem as soon as it happens; traps are not acknowledged
SNMP and the TCP/IP Protocol Suite

- SNMP is an application layer protocol
- Runs over the User Datagram Protocol (UDP), not TCP
- Uses UDP port 161 (the agent listens for requests) and UDP port 162 (the manager listens for traps)
- Because UDP is connectionless, a request or response can simply be lost (managers retry), and the source address of a datagram is trivially forged; this matters for the SNMPv1 security issues below
MIB

- Resides on managed devices
- The standard MIB includes objects to measure:
  - IP activity
  - TCP and UDP activity
  - IP routes
  - TCP connections
  - Interfaces
  - General system description
- Arranged in a hierarchical fashion
  - Starts from an unnamed root connected to labeled nodes
  - The children of the root form the branches of the tree
- The path from the root down to an object defines the object
  - The path is called the Object Identifier (OID)
  - Example: Nortel MIB objects are under iso.org.dod.internet.private.enterprises.wellfleet, i.e. 1.3.6.1.4.1.18
- Nodes under internet (1.3.6.1) are administered by the Internet Activities Board (IAB)
- Nodes under enterprises (1.3.6.1.4.1) are for vendors with device-specific information
  - Vendors apply to the IAB's Internet Assigned Numbers Authority (IANA) for an enterprise number
Structure of Management Information (SMI)

- Defines the rules and formats for adding or accessing objects in the Internet MIB
- Nodes (objects) are described in ASN.1
- Three categories of SMI data types:
  - Simple (INTEGER, OCTET STRING, OBJECT IDENTIFIER)
  - Application-wide (IpAddress, Counter, Gauge, TimeTicks)
  - Simply constructed (SEQUENCE and SEQUENCE OF, used to build table entries and tables from the other two)
ASN.1

- A formal notation for describing the data structures exchanged by protocols, independent of any programming language
- Used to define the precise meaning of MIB values: each object's type, access (read-only or read-write), and description
- On the wire, SNMP messages are serialized with the ASN.1 Basic Encoding Rules (BER)
Branch Object Identifiers

- Act as placeholders for other objects
- Much like directories containing files on a PC, except that they contain other objects instead of files
Two Types of Managed Objects in a MIB

- Scalar: one value per object (its single instance carries the suffix .0)
- Columnar: objects that form the columns of a two-dimensional table; each cell is a scalar instance identified by the column OID plus the row index
Table Types

- Identical to branch types except that the objects in a table are columns rather than scalar objects
- Each SNMP table has the Table keyword (e.g. ifTable)
- A single branch object with the Entry keyword exists beneath each table (e.g. ifEntry); this object contains the table data
- A series of SNMP objects within the Entry branch holds the columns; an instance of a column is addressed by appending the row index to the column OID in dot notation (e.g. ifDescr.2 is the description of interface 2)
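The OID arithmetic behind the slides above (the Nortel enterprise subtree 1.3.6.1.4.1.18, the lexicographic order that GetNext follows, and a table cell such as ifDescr.2 splitting into a column and a row index), as an added Python example that is not part of the original slides. The ifTable column numbers are the real MIB-II (RFC 1213) ones; the set of named prefixes is a small constructed subset of the standard tree.

```python
"""OID tree and table-instance helpers (added example; not from the slides)."""

# Well-known prefixes of the standard tree (constructed subset).
NAMED_NODES = {
    (1, 3, 6, 1): "iso.org.dod.internet",
    (1, 3, 6, 1, 2): "iso.org.dod.internet.mgmt",
    (1, 3, 6, 1, 2, 1): "iso.org.dod.internet.mgmt.mib-2",
    (1, 3, 6, 1, 4, 1): "iso.org.dod.internet.private.enterprises",
    (1, 3, 6, 1, 4, 1, 18): "iso.org.dod.internet.private.enterprises.wellfleet",
}

# MIB-II ifTable (1.3.6.1.2.1.2.2) -> ifEntry (.1) -> column number.
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
IF_COLUMNS = {1: "ifIndex", 2: "ifDescr", 3: "ifType", 5: "ifSpeed",
              8: "ifOperStatus", 10: "ifInOctets", 16: "ifOutOctets"}


def parse_oid(text):
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0); a leading dot is allowed."""
    parts = text.strip().lstrip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError("malformed OID: %r" % text)
    return tuple(int(p) for p in parts)


def is_under(oid, prefix):
    """True if `oid` lies in the subtree rooted at the branch OID `prefix`."""
    return len(oid) >= len(prefix) and oid[:len(prefix)] == prefix


def resolve_name(oid):
    """Replace the longest known prefix by its symbolic name."""
    for length in range(len(oid), 0, -1):
        name = NAMED_NODES.get(oid[:length])
        if name:
            rest = ".".join(str(x) for x in oid[length:])
            return name + ("." + rest if rest else "")
    return ".".join(str(x) for x in oid)


def lexicographic_next(oid, known):
    """The instance a GetNext for `oid` returns from the set `known`, or None
    when `oid` is past the last object (SNMPv2 would say endOfMibView).
    Python orders tuples exactly as SNMP orders OIDs: element by element,
    with a shorter prefix sorting before any of its longer extensions."""
    for candidate in sorted(known):
        if candidate > oid:
            return candidate
    return None


def decode_if_instance(oid):
    """Split an ifTable cell such as ifDescr.2 into (column name, row index).
    Anything that is not a single-index cell under ifEntry raises ValueError."""
    if not is_under(oid, IF_ENTRY) or len(oid) != len(IF_ENTRY) + 2:
        raise ValueError("not an ifTable cell: " + resolve_name(oid))
    column, index = oid[len(IF_ENTRY)], oid[len(IF_ENTRY) + 1]
    if column not in IF_COLUMNS:
        raise ValueError("unknown ifEntry column %d" % column)
    return IF_COLUMNS[column], index


if __name__ == "__main__":
    nortel = parse_oid("1.3.6.1.4.1.18")
    print(resolve_name(nortel), is_under(nortel, parse_oid("1.3.6.1.4.1")))
    print(decode_if_instance(parse_oid("1.3.6.1.2.1.2.2.1.2.2")))
    print(resolve_name(parse_oid("1.3.6.1.2.1.1.5.0")))
```

A manager walking one column with GetNext must check each returned OID with is_under() against the column it started from: because the order is purely lexicographic, the step after the last row of ifDescr lands in the first row of the next column, not in an error.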
SNMP Operations - Communities

- Managers and agents send messages to each other containing commands and information
- Agents have full access to a device's configuration, so security is set up so that only selected managers can request this information
- Security is implemented through SNMP communities
  - Logical groups containing the agent and one or more managers
  - The agent checks whether the requesting manager is in the community; in practice this means checking whether the request carries a community name the agent knows
- A community is defined on the agent
  - Limits access to either read-only or read-write
  - Several communities with different rights can be defined, so different managers get different types of access
Accessing the Agent

- The manager sends a message (a UDP datagram) to the agent
- Each SNMP message has fields containing:
  - The SNMP version
  - The community name
  - The SNMP Protocol Data Unit (PDU)
- The PDU is the payload, or data field, containing the SNMP operation to perform
- The agent verifies that the community name in the message is one it belongs to and determines what access rights, if any, that community has
- If access is granted, the operation specified in the PDU is performed
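What the datagram described above looks like on the wire, as an added example (Python, not from the slides): a minimal BER encoder and decoder for the SNMPv1 Message ::= SEQUENCE { version, community, GetRequest-PDU } of RFC 1157. The community name "private", the request-id and the two OIDs are constructed sample values. Running dissect() over the bytes is exactly what a passive listener on the path does, and it recovers the community name, the only credential the message carries.

```python
"""Build and dissect an SNMPv1 GetRequest with ASN.1 BER (added example;
not from the slides).  Only the types SNMPv1 needs are implemented."""

SNMP_V1 = 0
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_integer(value):
    """Minimal two's-complement INTEGER (version, request-id, error fields)."""
    n = max(1, (value + (value < 0)).bit_length() // 8 + 1)
    return _tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))


def encode_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base 128."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(TAG_OID, bytes(out))


def build_get_request(community, oids, request_id):
    """SNMPv1 Message ::= SEQUENCE { version, community, GetRequest-PDU }.
    Each variable binding is SEQUENCE { name OID, value NULL } in a request."""
    bindings = b"".join(_tlv(TAG_SEQUENCE, encode_oid(o) + _tlv(TAG_NULL, b""))
                        for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + _tlv(TAG_SEQUENCE, bindings))
    return _tlv(TAG_SEQUENCE, encode_integer(SNMP_V1)
                + _tlv(TAG_OCTET_STRING, community.encode())
                + _tlv(GET_REQUEST, pdu))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def dissect(datagram):
    """Pull version, community, PDU type and requested OIDs out of a captured
    SNMPv1 message: everything a passive eavesdropper needs."""
    tag, msg, _ = _read_tlv(datagram, 0)
    assert tag == TAG_SEQUENCE, "not an SNMP message"
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)           # error-status (0 in a request)
    _, _, pos = _read_tlv(pdu, pos)           # error-index (0 in a request)
    _, bindings, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(bindings):
        _, binding, pos = _read_tlv(bindings, pos)
        _, name, _ = _read_tlv(binding, 0)
        oids.append(decode_oid(name))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    # Constructed request for sysName.0 and Nortel's wfSwSeries7 branch.
    pkt = build_get_request("private", [(1, 3, 6, 1, 2, 1, 1, 5, 0),
                                        (1, 3, 6, 1, 4, 1, 18, 3)], 0x1234)
    print(pkt.hex())
    print(dissect(pkt))   # the community 'private' is right there in cleartext
```

An SNMPv2c request differs only in the version integer (1 instead of 0); the community string is just as exposed.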
SNMPv1 Security Issues

- Problem: the only authentication is the community name, sent in cleartext, optionally combined with a check of the manager's source IP address
  - An intruder who has sniffed or guessed the community name can send an SNMP datagram to the agent with a forged source IP address belonging to a manager in the agent's community; UDP makes such spoofing trivial
  - This is masquerading
- Nortel solution: Secure Mode
  - The default mode is Trivial mode
  - Secure Mode uses an encrypted exchange during Set requests
  - Manager and agent exchange a key used to decode the encrypted messages
  - An intruder will not have the key
  - Secure Mode cannot be used for public communities or for manager addresses of 0.0.0.0 (any address)
Standard MIB Structure

- Defined by the IETF
- Recall that a MIB object's identifier is derived from the tree structure of the MIB
- Main management functions are under iso.org.dod.internet.mgmt (1.3.6.1.2); MIB-II itself is mgmt.mib-2 (1.3.6.1.2.1)
- Vendor-specific management functions are under iso.org.dod.internet.private.enterprises (1.3.6.1.4.1)
  - Nortel (Wellfleet) was granted vendor number 18
MIB-I and MIB-II

- SNMP was originally designed as a short-term fix; the OSI network management framework was intended to be the long-term solution
- SNMP became very popular
- Problem: SNMP and the OSI framework had limited compatibility, which resulted in separate, parallel development
- SNMP was improved with the development of version 2 of the MIB (MIB-II)
MIB-II Improvements

- Changes:
  - Incremental additions reflect new operational requirements
  - Improved support exists for multiprotocol entities
  - Textual cleanup improved clarity
- Changes were designed to keep upward compatibility with SNMP
  - Objects keep the same object identifiers as in MIB-I
- MIB-II is defined in RFC 1213
Nortel MIB Structure

- An extension of the standard MIB-II
- Nortel's router software MIB (the software is called BayRS) is under enterprises.wellfleet.wfSwSeries7, i.e. enterprises(1).wellfleet(18).wfSwSeries7(3), or 1.3.6.1.4.1.18.3 in full
- Main object groups under wfSwSeries7:
  - wfHardwareConfig
  - wfSoftwareConfig
  - wfSystem
  - wfLine
  - wfApplication
- These objects hold statistics and configuration information for the router
Nortel Agent Traps

- Trap messages are sent immediately by the agent to the manager when a given condition is met
- A short description of the condition is sent in the message; the detailed description is stored in the event log
- Trap message types:
  - Generic
  - Enterprise-specific
Generic Traps

- Defined by RFC 1157 (generic-trap values 0 to 5):
  - coldStart (0)
  - warmStart (1)
  - linkDown (2)
  - linkUp (3)
  - authenticationFailure (4): sent when a request arrives with an unknown community name, which makes it a useful signal for detecting community-string guessing
  - egpNeighborLoss (5)
- Vendor-defined traps use generic-trap value enterpriseSpecific (6) together with a specific-trap code
Configuring Nortel Trap Messages

- Three criteria:
  - Category: either generic or specific
  - Protocol entity: which protocol entities' events are to be sent
  - Event severity: the severity of the event (fault, warning, etc.)
- Nortel's Site Manager is used to:
  - Specify the manager that receives trap messages from the agent
  - Select the type of event for the trap
- Nortel routers have hundreds of different events
  - Events are grouped by entities; entities are protocols like ATM, BGP, IP, etc.
  - Each entity has its events categorized by severity level: Fault, Warning, Debug, Trace, Info
- Example: you can tell the agent to send traps for IP protocol events with severity level Info
  - The router will then send a trap to the manager for Info level events, such as an interface IP filter dropping a packet because it matched the filter criteria
SNMPv2

- SNMPv2 addresses two deficiencies in v1:
  - Lack of support for distributed network management
  - Functional deficiencies
- A third deficiency, security, is addressed only to some degree; the substantial enhancements came with SNMPv3
SNMPv2 Distributed Network Management

- Centralized management schemes have one main management station and possibly some backups, all at one location
  - Not good for large networks: many agents send information a long way, and too much information enters the single management workstation
- A decentralized management scheme has a hierarchy of management stations
  - The top-level management station is responsible for managing all of the agents
  - Intermediate management stations are deployed to directly manage some of the network's agents
  - Intermediate managers relay information to the top-level manager
[Figure: Distributed Network Management. Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000]
SNMPv2 Functional Enhancements

- Two new commands added:
  - Inform: sent from one management station to another to inform it about events at the sender; unlike a trap it is acknowledged with a Response, and it is used to implement hierarchical management structures
  - GetBulk: allows a manager to retrieve a large block of data at once rather than issuing many Get or GetNext commands; good for retrieving an entire table at one time. Its non-repeaters field says how many leading variables get a single GetNext-style lookup, and max-repetitions says how many successive lookups the agent performs for each of the remaining variables
- The Get command is modified
  - In SNMPv1, if a Get requests a list of objects and one is invalid, the entire command is rejected by the agent: it returns error-status noSuchName with error-index pointing at the offending variable
  - In SNMPv2, the agent does not reject the command but returns the valid objects, with a per-variable exception value (noSuchObject, noSuchInstance, or endOfMibView) in place of the ones it cannot supply
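The behaviour described in the Get, GetNext and GetBulk bullets above, together with the community checks from the earlier slides, worked through in an added Python example (not from the slides; a toy in-memory agent, not a real SNMP implementation). The error-status codes and exception names are the RFC 1157 and RFC 3416 ones; the MIB content and the community names public/private are constructed.

```python
"""Toy SNMP agent illustrating request semantics (added example; constructed
data).  Shows community-based access control, the all-or-nothing SNMPv1 Get
versus per-variable SNMPv2 exceptions, GetNext, and GetBulk with its
non-repeaters and max-repetitions fields.  OIDs are tuples of ints."""

# SNMPv1 error-status codes (RFC 1157) and SNMPv2 exception markers
NO_ERROR, TOO_BIG, NO_SUCH_NAME, BAD_VALUE, READ_ONLY, GEN_ERR = range(6)
NO_SUCH_OBJECT, NO_SUCH_INSTANCE, END_OF_MIB_VIEW = "noSuchObject", "noSuchInstance", "endOfMibView"

SYS_NAME = (1, 3, 6, 1, 2, 1, 1, 5, 0)        # sysName.0
IF_DESCR = (1, 3, 6, 1, 2, 1, 2, 2, 1, 2)     # ifDescr column
IF_OPER = (1, 3, 6, 1, 2, 1, 2, 2, 1, 8)      # ifOperStatus column


class ToyAgent:
    def __init__(self):
        # community name -> access right, as configured on the agent
        self.communities = {"public": "read-only", "private": "read-write"}
        self.mib = {SYS_NAME: "edge-rtr-1",                  # constructed values
                    IF_DESCR + (1,): "eth0", IF_DESCR + (2,): "eth1",
                    IF_OPER + (1,): 1, IF_OPER + (2,): 2}
        self.auth_failures = 0   # what an authenticationFailure trap would report

    def _known(self, community):
        """Unknown community: the request is dropped and the failure counted."""
        if community in self.communities:
            return True
        self.auth_failures += 1
        return False

    def _next(self, oid):
        """Lexicographically next instance after `oid`, or None at the end."""
        later = [o for o in self.mib if o > oid]
        return min(later) if later else None

    def get_v1(self, community, oids):
        """SNMPv1: one unknown name fails the whole request; error-index is 1-based."""
        if not self._known(community):
            return None
        for i, oid in enumerate(oids, 1):
            if oid not in self.mib:
                return NO_SUCH_NAME, i, []
        return NO_ERROR, 0, [(o, self.mib[o]) for o in oids]

    def get_v2(self, community, oids):
        """SNMPv2: every variable is answered; missing ones carry an exception."""
        if not self._known(community):
            return None
        out = []
        for oid in oids:
            if oid in self.mib:
                out.append((oid, self.mib[oid]))
            elif any(o[:len(oid) - 1] == oid[:-1] for o in self.mib):
                out.append((oid, NO_SUCH_INSTANCE))      # column exists, row does not
            else:
                out.append((oid, NO_SUCH_OBJECT))
        return NO_ERROR, 0, out

    def get_next(self, community, oids):
        if not self._known(community):
            return None
        out = []
        for oid in oids:
            nxt = self._next(oid)
            out.append((nxt, self.mib[nxt]) if nxt else (oid, END_OF_MIB_VIEW))
        return NO_ERROR, 0, out

    def get_bulk(self, community, non_repeaters, max_repetitions, oids):
        """The first `non_repeaters` variables get one GetNext each; the rest are
        each advanced `max_repetitions` times, one row at a time across columns."""
        if not self._known(community):
            return None
        out = self.get_next(community, oids[:non_repeaters])[2]
        cursors = list(oids[non_repeaters:])
        for _ in range(max_repetitions):
            for i, cur in enumerate(cursors):
                nxt = self._next(cur)
                out.append((nxt, self.mib[nxt]) if nxt else (cur, END_OF_MIB_VIEW))
                cursors[i] = nxt or cur
        return NO_ERROR, 0, out

    def set_v1(self, community, oid, value):
        """Set via a read-only community: RFC 1157 answers noSuchName, because
        the object is not in that community's writable view."""
        if not self._known(community):
            return None
        if self.communities[community] != "read-write" or oid not in self.mib:
            return NO_SUCH_NAME, 1, []
        self.mib[oid] = value
        return NO_ERROR, 0, [(oid, value)]
```

Two details worth noticing when running it: a GetNext past the last row of ifDescr returns the first row of ifOperStatus, so a table walk must compare prefixes to know when its column ends; and a GetBulk whose repeaters run off the end of the MIB keeps returning endOfMibView for each remaining repetition rather than an error.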
SNMPv2 Security Enhancements

- V1 security threats addressed by v2 (the party-based SNMPv2 of RFC 1441 to 1452; community-based SNMPv2c addresses none of them):
  - Disclosure: v1 had no way of restricting a third party from observing the content of traffic between manager and agent; a third party (attacker) could learn passwords when the manager SETs a new password
  - Masquerade: a third party could impersonate the manager and perform get/set operations on the agent
  - Modification of information: a third party could intercept and modify the content of messages between manager and agent
  - Message stream modification: a third party could intercept and modify message sequence and timing, for example copy a message that reboots a router and replay it at a later time
- V1 security threats not addressed by v2:
  - Denial of service: an attacker can prevent exchanges between manager and agent
  - Traffic analysis: an attacker observes the traffic pattern between manager and agent
SNMPv2 Security Services

- SNMPv2 adds these security services over SNMPv1:
  - Privacy: protection of data from eavesdropping
  - Authentication: communicating parties can verify that messages are from whom they claim to be
  - Access control: only authorized parties have access to (their view of) the MIB
- How does v2 do it?
  - An authentication code, a message digest computed with a secret shared by agent and manager, is included so that each side can verify the other's identity
  - Messages can be encrypted
- SNMPv3 adds further enhancements
[Figure: SNMPv2 Security Features. Source: W. Stallings, Network and Internetwork Security: Principles and Practice, Englewood Cliffs, NJ, Prentice-Hall, 1995]

[Figure: SNMPv2 Capability Highlight. Source: W. Stallings, Network and Internetwork Security: Principles and Practice, Englewood Cliffs, NJ, Prentice-Hall, 1995]
SNMPv3

- RFCs 2570 through 2575 (first issued in 1998 and revised in 1999; the current standard is RFCs 3410 through 3418) added security features to SNMP while remaining compatible with SNMPv1 and SNMPv2
- SNMPv3 is not a replacement for v1 and v2: it must be used with them, and it defines a security capability that wraps the v1 and v2 PDUs
- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities
SNMPv3 Protocol Overview

- Security-related information is carried inside the SNMP message itself
- The v3 User-based Security Model (USM) uses fields in the message header (msgSecurityParameters): the authoritative engine ID, engine boots and engine time (for replay protection), the user name, the authentication parameters (a truncated HMAC over the whole message) and the privacy parameters (the salt used for encryption)
- The payload of the SNMP message is an SNMPv2 protocol data unit (PDU), carried in a scopedPDU that may be encrypted
- The PDU formats are the same as in the original protocols
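How the security subsystem fills the USM header fields described above, as an added Python example that is not part of the slides: password-to-key derivation and key localization per RFC 3414, and the HMAC-96 tag that goes into msgAuthenticationParameters. The test values (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) are the RFC 3414 Appendix A vectors. The message bytes in demo() are a constructed stand-in for a BER-encoded v3 message and the caller supplies the field offset; the engineBoots/engineTime replay window is not shown.

```python
"""SNMPv3 USM authentication per RFC 3414 (added example; not from the
slides): password-to-key, key localization, HMAC-96 tagging and checking."""
import hashlib
import hmac

TAG_LENGTH = 12   # HMAC-96: the MD5 and SHA-1 variants both truncate to 12 bytes


def password_to_key(password, algo):
    """RFC 3414 A.2: hash the password repeated out to exactly 1 048 576 bytes."""
    pw = password.encode()
    repeats, remainder = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * repeats + pw[:remainder]).digest()


def localize_key(ku, engine_id, algo):
    """Kul = H(Ku || engineID || Ku).  The same password yields a different key
    on every agent, so a key recovered from one agent is useless elsewhere."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password, engine_id, algo):
    return localize_key(password_to_key(password, algo), engine_id, algo)


def authenticate(whole_msg, auth_key, algo, offset):
    """Return the message with msgAuthenticationParameters filled in.  The HMAC
    covers the whole message with that 12-byte field zeroed; `offset` is where
    the field starts (a real implementation finds it while BER-encoding)."""
    zeroed = whole_msg[:offset] + bytes(TAG_LENGTH) + whole_msg[offset + TAG_LENGTH:]
    tag = hmac.new(auth_key, zeroed, algo).digest()[:TAG_LENGTH]
    return whole_msg[:offset] + tag + whole_msg[offset + TAG_LENGTH:]


def verify(whole_msg, auth_key, algo, offset):
    """Recompute the tag over the zeroed message and compare in constant time."""
    received = whole_msg[offset:offset + TAG_LENGTH]
    expected = authenticate(whole_msg, auth_key, algo, offset)[offset:offset + TAG_LENGTH]
    return hmac.compare_digest(received, expected)


def demo():
    """Returns (genuine message verifies, tampered message verifies)."""
    engine_id = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 vector
    key = usm_key("maplesyrup", engine_id, "sha1")
    # Constructed stand-in for a v3 message: header, 12-byte placeholder for
    # msgAuthenticationParameters, then the scopedPDU.
    header = b"v3-header|user=ops|"
    pdu = b"|scopedPDU: get sysName.0"
    offset = len(header)
    msg = authenticate(header + bytes(TAG_LENGTH) + pdu, key, "sha1", offset)
    tampered = msg.replace(b"get", b"set")   # same length, PDU altered in transit
    return verify(msg, key, "sha1", offset), verify(tampered, key, "sha1", offset)


if __name__ == "__main__":
    print(usm_key("maplesyrup", bytes.fromhex("000000000000000000000002"), "md5").hex())
    print(demo())
```

Contrast this with the community string of v1/v2c: the key never appears on the wire, the tag binds the whole message so a modified PDU fails verification, and an attacker who captures traffic from one agent learns nothing that works against another agent, even when the operator reused the password.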
[Figure: SNMP Protocol Architecture. Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000]
SNMPv3 Architecture

- The architecture is a distributed, interacting collection of SNMP entities
- Entities can be agents, managers, or a combination of the two
SNMPv3 Entity: Traditional SNMP Manager

- Interacts with SNMP agents using Get and Set commands and by receiving traps
- Interacts with other managers by sending InformRequest PDUs and receiving the corresponding Responses
- A manager consists of some SNMP applications and an SNMP engine
  - The engine contains a security subsystem that supports the User-based Security Model
[Figure: Traditional SNMP Manager. Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ, Prentice-Hall, 2000]
SNMPv3 Entity: Traditional SNMP Agent

- Responds to incoming requests by retrieving or setting MIB objects and issuing a Response PDU
- Generates v1 or v2 traps
- Forwards messages between entities (the proxy forwarder application)