SNMPv3 Wes Hardaker Network Associates Laboratories 6 August 2002

Slide 1: SNMPv3
Wes Hardaker, Network Associates Laboratories, 6 August 2002
Wes_Hardaker@nai.com

Slide 2: Overview (CERT Conference 2002: SNMPv3, Aug 6, 2002)
- About SNMP in General
- SNMPv3 Architecture Breakdown
- User Based Security
- View Based Access Control
- Future of SNMP
- Summary & Questions

Slide 3: Author’s Background
- Past:
  – Lead developer of the Net-SNMP open source project
  – Developer of the OpenSNMP toolkit
- Present:
  – Project lead in a scalable IPSec policy management system built on top of SNMPv3.
- Future:
  – Participating in various IETF working groups responsible for continuing development of SNMP technologies.
- Apologetic:
  – Not all the slides in this presentation are in your handout.
  – http://www.net-snmp.org/presentations/snmpv3/

Slide 4: About SNMP
“Simple Network Management Protocol” -- RFC 1157
“SNMP: Can I buy a vowel?” -- Harrie Hazewinkel

Slide 5: SNMP Overview: What is SNMP?
- Treats the network as a distributed database
(Diagram: Management Station, Computer, Router)

Slide 6: SNMP Database example: netsh
netsh> select ifIndex, ipAdEntIfIndex, ifDescr, ipAdEntAddr, ifOperStatus from ifTable, ipAddrTable where ifIndex = ipAdEntIfIndex
+-------+--------------+-------+-----------+------------+
|ifIndex|ipAdEntIfIndex|ifDescr|ipAdEntAddr|ifOperStatus|
+-------+--------------+-------+-----------+------------+
|      1|             1|     lo|  127.0.0.1|          up|
|      2|             2|   sit0|    0.0.0.0|        down|
|      3|             3| vmnet1|172.16.80.1|          up|
+-------+--------------+-------+-----------+------------+

Slide 7: SNMP Overview
- Network monitoring and Information Collection
- GET: What is in your routing table?

Slide 8: SNMP Overview
- Network Configuration
- SET: Add a route to your routing table

Slide 9: SNMP Overview
- Alarms and Event conditions
- TRAP or INFORM: HELP!!!!

Slide 10: Terminology
- SNMP: the protocol itself
- MIB: the specification defining a particular piece of data to be transferred over SNMP
- SMI: the language a MIB is written in
  – It is not ASN.1, contrary to what many people think.
- OID / “Object Identifier”: a hierarchical naming scheme using number assignment.
  – .1.3.6.1.2.1.1.4.0 = You (the system contact for a device)
  – .iso.org.dod.internet.mgmt.mib-2.system.sysContact.0

Slide 11: SNMP Standards Timeline
- SNMPv1 created in 1988
  – Officially a “Full Standard”
- SNMPv2c added a few things in 1996
  – SNMPv2c MSG Format classified as experimental
  – PDUs, etc, classified as a “FULL Standard”
- SNMPv3 added security in 1999
  – Currently a “Draft” standard
  – Approved as a “Full Standard”, but not published yet
- SNMPv2p, SNMPv2u, SNMPv2*:
  – secure protocol versions that didn’t make the cut.

Slide 12: SNMPv1 and SNMPv2c message format
SNMPv1/SNMPv2c Message {
    version     INTEGER   (snmpv1 = 0, snmpv2c = 1)
    community   STRING
    PDU (operation) {
        request-id          INTEGER
        error-status        INTEGER
        error-index         INTEGER
        variable-bindings   { OID, VALUE … }
    }
}

Slide 13: SNMPv1 and SNMPv2c problems
- Community strings for authentication == Clear Text Passwords
- Community strings also used for “context”
  – Accessing data in a certain “context” is difficult
- No Standardized Method for Access Control
  – No consistent method to configure communities across a network of many devices.
  – Most devices were manually configured, or worse, left with their default settings intact.
    – Kingdom keys: “public”, “private”

Slide 14: SNMPv1 example:
% snmpget -d -v 1 -c public localhost sysUpTime.0
Sending 43 bytes to 127.0.0.1
0000: 30 29 02 01 00 04 06 70 75 62 6C 69 63 A0 1C 02    0).....public..
0016: 04 2C 78 27 BC 02 01 00 02 01 00 30 0E 30 0C 06    .,x'¼......0.0..
0032: 08 2B 06 01 02 01 01 03 00 05 00                   .+.........
Received 45 bytes from 127.0.0.1
0000: 30 2B 02 01 00 04 06 70 75 62 6C 69 63 A2 1E 02    0+.....public¢..
0016: 04 2C 78 27 BC 02 01 00 02 01 00 30 10 30 0E 06    .,x'¼......0.0..
0032: 08 2B 06 01 02 01 01 03 00 43 02 11 0F             .+.......C...
sysUpTimeInstance = Timeticks: (4367) 0:00:43.67
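
The two hex dumps above can be decoded with the following script, an example added here rather than code from the presentation or from Net-SNMP. It walks the BER tag/length/value nesting of the SNMPv1 message laid out on slide 12, bounds-checks every length field before trusting it (the BER-parsing class of failure that slide 16 attributes to CA-2002-03), and also accepts the legal but unusual long-form length encoding; the packet bytes are copied from the dump above, and the function names (including the rejects helper) are this example's own.

```python
# Constructed from the slide 14 hex dump: SNMPv1 GET of sysUpTime.0 and the agent's reply.
REQUEST = bytes.fromhex("302902010004067075626C6963A01C02042C7827BC020100020100300E300C06082B060102010103000500")
RESPONSE = bytes.fromhex("302B02010004067075626C6963A21E02042C7827BC0201000201003010300E06082B060102010103004302110F")

def read_tlv(buf, pos):   # (tag, contents, next_pos); every length is bounds-checked before use
    if pos + 2 > len(buf): raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):                    # trusting this length blindly is the slide 16 failure
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_ber(buf):      # list of (tag, value); constructed tags (bit 0x20 set) recurse
    nodes, pos = [], 0
    while pos < len(buf):
        tag, contents, pos = read_tlv(buf, pos)
        nodes.append((tag, decode_ber(contents) if tag & 0x20 else contents))
    return nodes

def decode_oid(raw):      # first octet packs X*40+Y; later arcs are base-128 with a continuation bit
    arcs, acc, more = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        acc, more = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not more:
            arcs, acc = arcs + [acc], 0
    if more: raise ValueError("truncated sub-identifier")
    return "." + ".".join(map(str, arcs))

def decode_value(tag, raw):   # INTEGER/Counter32/Gauge32/TimeTicks -> int, NULL -> None, else raw
    return (int.from_bytes(raw, "big", signed=tag == 0x02) if tag in (0x02, 0x41, 0x42, 0x43)
            else None if tag == 0x05 else raw)

def parse_snmpv1(packet):     # map the BER tree onto the slide 12 layout; shape mismatches raise
    [(_, [(vt, ver), (ct, comm), (pt, [(_, rid), (_, es), (_, ei), (_, vbl)])])] = decode_ber(packet)
    if (vt, ct) != (0x02, 0x04) or pt & 0xE0 != 0xA0:   # PDU tags: 0xA0 GetRequest ... 0xA2 GetResponse
        raise ValueError("unexpected message layout")
    return {"version": decode_value(vt, ver), "community": comm.decode("latin-1"), "pdu": pt,
            "request_id": decode_value(2, rid), "error_status": decode_value(2, es),
            "error_index": decode_value(2, ei),
            "varbinds": [(decode_oid(oid), decode_value(t, v)) for (_, [(_, oid), (t, v)]) in vbl]}

def rejects(packet):          # True when the decoder refuses the packet instead of trusting its lengths
    try: parse_snmpv1(packet)
    except (ValueError, TypeError, IndexError): return True   # unpack/type errors = shape mismatches
    return False
```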

Slide 15: Goals behind SNMPv3 Security
- Provide modularity in the architecture
  – Replacing new elements in the future should be easier.
  – Modularity = many IETF RFCs
- Separate “context” of the request from the authentication

Slide 16: Aside: CERT Advisory CA-2002-03
- SNMP uses BER encoded packets.
- BER has a bunch of flexible rules which allow strangely encoded, but legal, packets.
- The failing was in the parsing of the BER encoding, NOT in the SNMP protocol.
  – SNMPv1 was the only packet format tested.
  – It’s likely most vendors also fixed SNMPv3 parsing.
  – The university that produced the results has been testing various BER-based protocols.
    – Started with LDAP.
    – Next? Only they know. Kerberos?

Slide 17: SNMPv3 Architecture
“The architecture is designed to be modular to allow the evolution of the Framework over time.” -- RFC 2570 & RFC 2571

Slide 18: SNMPv3: Standards Breakdown
- RFC 2570: SNMPv3 Overview
- RFC 2571: Architecture
- RFC 2572: Message Processing
- RFC 2573: Applications
- RFC 2574: User-based Security Model
- RFC 2575: View-based Access Control Model
- RFC 2576: v1/v2c/v3 Coexistence / Transition
- RFC 2578-80: SMIv2 -- Language of the MIBs
- RFC 1157: SNMPv1
- RFC 1901,5: SNMPv2...

Slide 19: SNMPv3: Framework Architecture
(Diagram of the SNMPv3 Engine: Dispatcher; Message Processing (SNMPv3 MP, SNMPv1, ...); Security (User-based (USM), Kerberos, ...); Access Control (VACM, ...); Network transports (UDP, TCP, ...); Application or Agent (CG, CR, NG, NR, ...))

Slide 20: SNMPv3: Framework Architecture
(Architecture diagram repeated from slide 19)

Slide 21: SNMPv3: Applications (RFC 2573)
- Application “types” have been formally defined:
  – CG: Command Generator (was: Manager)
  – CR: Command Responder (was: Agent)
  – NG: Notification Generator
  – NR: Notification Responder
  – PF: Proxy Forwarder (not shown in diagram)
- An application can be of multiple types
  – An agent is typically a CR and a NG
  – A mid level manager is likely a CG, CR, NG, and NR
    – (and maybe a PF)

Slide 22: SNMPv3 Protocol Packet Breakdown
SNMPv3Message {
    Version   INTEGER (snmpv3 = 3)
    HeaderData {
        msgID           INTEGER
        MaxSize         INTEGER
        Flags           STRING
        SecurityModel   INTEGER (USM = 3)
    }
    UsmSecurityParameters STRING {
        AuthoritativeEngineID       STRING
        AuthoritativeEngineBoots    INTEGER
        AuthoritativeEngineTime     INTEGER
        UserName                    STRING
        AuthenticationParameters    STRING
        PrivacyParameters           STRING
    }
    ScopedPduData {
        contextEngineID   STRING
        contextName       STRING
        PDU               SNMPv2 PDUs
    }
}
(Labels beside the structure on the slide: MSG Processor, Dispatcher, Application, Security Model)

Slide 23: SNMP Overview
- Network monitoring and Information Collection
- GET: What is in your routing table?
- RESPONSE: It’s …

Slide 24: SNMPv3 Example: Generating a Request
(Architecture diagram from slide 19)

Slide 25: SNMPv3 Example: Receiving a Request
(Architecture diagram from slide 19)

Slide 26: SNMPv3 Example: Generating a Response
(Architecture diagram from slide 19)

Slide 27: SNMPv3 Example: Receiving a Response
(Architecture diagram from slide 19)

Slide 28: Architecture Components
“The major portions of the architecture are an SNMP engine containing a Message Processing Subsystem, a Security Subsystem and an Access Control Subsystem, and possibly multiple SNMP applications which provide specific functional processing of management data.” -- RFC 2571

Slide 29: The Dispatcher
(Architecture diagram from slide 19)

Slide 30: The Dispatcher (RFC 2572)
- The simplest component of the architecture
- Directs packets to and from the other elements:
  – Application or agent (CG, CR, NG, NR)
  – The Network (through the appropriate transport layer)
  – The correct message processor
- Makes its decision based on:
  – What component sent it
  – What protocol version is being sent
  – What type of PDU is being sent
- Knowledge of it not required by the typical user

Slide 31: The Message Processor
(Architecture diagram from slide 19)

Slide 32: The SNMPv3 Message Processor (RFC 2572)
- Encodes and decodes the majority of the packet
- Handles errors and exceptions
  – Message too big to fit in a packet
  – Parse errors are detected
  – ...
- Passes to the appropriate security model for authentication and encryption support.
  – (Currently, the only defined security model is the USM)
- Knowledge of it not required by the typical user

Slide 33: Security Model
(Architecture diagram from slide 19)

Slide 34: Security Model
- Authenticates packets to ensure/verify origin
  – Current authentication methods
- Provides message encryption/decryption support
  – The ScopedPDU can be protected by encryption
- Makes its decisions based on packet data:
  – EngineID, Engine Boots, Engine Time
  – User Name
  – Authentication field
  – Privacy field
- Currently only one standard security model exists
  – The “User Based Security Model”, or USM

Slide 35: User Based Security: USM (RFC 2574)
- The User Based Security model provides:
  – Authentication via MD5 or SHA1 hash
    – The hash verifies the authenticity of the entire v3 message.
    – Modified or forged packets will be rejected
  – Encryption via DES encryption
    – The ScopedPDU is encrypted (basically, the payload)
  – 3 levels of security: noAuthNoPriv, authNoPriv, authPriv
- It does not provide protection against:
  – Denial of Service
  – Traffic Analysis

Slide 36: USM: About EngineIDs, etc...
- EngineIDs are:
  – A unique “string” of data
  – Generally defined from one of:
    – IPv4 address
    – IPv6 address
    – MAC address
    – Administratively defined strings
    – Implementation dependent
- EngineBoots: number of reboots
- EngineTime: time since last initialized
- Information is automatically probed by the protocol.

Slide 37: USM: A User is...
- A USM User is defined by:
  – The EngineID of the authoritative engine
  – The SecurityName of the user (i.e., user name)
  – The authentication type (MD5 or SHA1) and key
  – The privacy type (DES) and key
- A user is modifiable via SNMP SET operations:
  – Authentication and privacy keys can be changed.
  – Encryption types and authentication types can not be changed without deleting and recreating the user

Slide 38: USM: The Authoritative Engine
- Only one side of a transaction is “authoritative”
  – Authoritative side == where the master user key exists
  – Typically this means: the SNMP agents are authoritative
  – The authoritative side is defined by whether the packet being sent is expecting a response or not.
    – An odd effect of this is:
    – The engine receiving SNMPv3 INFORMs, which expect an “I got it” response, is authoritative.
    – The engine sending SNMPv3 TRAPs, which don’t require a response, is authoritative.
    – Ick.

Slide 39: USM: Keys
- USM keys used to authenticate and encrypt messages are generated:
  – A password hashed using the authentication algorithm (maybe)
  – The resulting hash is then re-hashed after mixing it with the authoritative engineID.
- This means:
  – All user keys are different on each host
  – Pro: a cracked system’s keys can’t be used to gain access to other systems.
  – Con: distributing keys to many systems is difficult

Slide 40: USM: Keys
(Diagram: Password -> Ku: Master Key -> Kul 1: Local Key 1, Kul 2: Local Key 2, Kul 3: Local Key 3; labelled Management Application)

Slide 41: USM: The math behind the keys
- PassLong = repeat(password) till 1Mb long
- Ku = hash(PassLong)
- Kul = hash(Ku | authEngineID | Ku)
- Notes:
  – Passwords must be at least 8 characters long
  – Ku need not be generated from a password, but can be generated randomly instead.
    – Protects against brute-forcing low entropy passwords
  – Hash is currently one of: MD5, SHA1
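
The key derivation of slides 39 to 41 as working code, added here and not part of the presentation, using Python's hashlib for the MD5 and SHA1 hashes the slides name. The sample password and the first engine ID are the published test inputs from the appendix of RFC 3414 (the USM RFC that superseded RFC 2574); the other two engine IDs are constructed, and all function names are this example's own.

```python
import hashlib
import os

ONE_MEGABYTE = 1024 * 1024   # RFC 3414 password_to_key repeats the password to fill 1048576 octets

def password_to_ku(password: bytes, algo: str = "md5") -> bytes:
    """Ku = hash(PassLong), PassLong being the password repeated until 1 MB long (slide 41)."""
    if len(password) < 8:
        raise ValueError("USM passwords must be at least 8 characters")
    pass_long = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, pass_long).digest()

def random_ku(algo: str = "md5") -> bytes:
    """The slide's alternative: a random master key, so there is no password to brute-force."""
    return os.urandom(hashlib.new(algo).digest_size)

def localize(ku: bytes, auth_engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = hash(Ku | authEngineID | Ku): the key specific to one authoritative engine (slide 41)."""
    return hashlib.new(algo, ku + auth_engine_id + ku).digest()

def keys_for_engines(ku: bytes, engine_ids, algo: str = "md5") -> dict:
    """One Ku at the manager fans out to a distinct Kul per agent (slide 40's picture)."""
    return {eid: localize(ku, eid, algo) for eid in engine_ids}

# Sample inputs: the password and engine ID from the RFC 3414 appendix test vectors,
# plus two constructed engine IDs standing in for other agents.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")
ENGINE_C = bytes.fromhex("80001F8801C0A80001")   # constructed RFC 3411 style ID: enterprise, IPv4 format byte, 192.168.0.1

if __name__ == "__main__":
    ku = password_to_ku(PASSWORD)
    for eid, kul in keys_for_engines(ku, [ENGINE_A, ENGINE_B, ENGINE_C]).items():
        print(f"engine {eid.hex()}  Kul {kul.hex()}")
```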

Slide 42: Access Control
(Architecture diagram from slide 19)

Slide 43: Access Control
- Decides if a particular “object instance” may be accessed or not.
- Consulted by the CR and NG application types
- Currently, only one access control model exists:
  – The View-Based Access Control Module (VACM)

Slide 44: View Based Access Control (RFC 2575)
- Bases access control decisions on:
  – Operation type (read, write, notify)
  – Security model
  – User performing the action
    – Users are placed into a “group” and the groups are assigned the rights, not the user.
  – Security level of the transaction (authenticated? encrypted?)
  – Object OID being accessed (and the context information)
  – OID ranges are “included” or “excluded” from view
- I wish:
  – Value of the object being accessed
  – Users could be assigned to multiple groups (unix-like)

Slide 45: VACM: Access based on OID tree
(Diagram: an OID tree with the view entries Include .1.2, Exclude .1.2.2, Include .1.2.2.3)
- Objects “excluded” are simply “not visible”
- Simple wild-carding not shown, but possible
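
An added example, not code from the presentation, that implements the decision logic of slides 44 and 45 the way a VACM implementation does: each view family is (subtree, mask, included/excluded), the most specific matching family decides, a 0 bit in the mask gives the wild-carding slide 45 mentions, and check_access walks user to group to access entry to view. The view, group and access tables and the user names wes and nms are constructed for the example.

```python
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}   # USM security levels, weakest first

def parse_oid(text):
    return tuple(int(arc) for arc in text.strip(".").split("."))

class View:
    """A VACM view: (subtree, mask, included) families; the most specific matching family decides."""
    def __init__(self):
        self.families = []

    def add(self, subtree, included=True, mask=""):
        """mask holds one '1'/'0' per arc of subtree; '0' wild-cards that arc, missing bits count as '1'."""
        self.families.append((parse_oid(subtree), mask, included))

    @staticmethod
    def _covers(subtree, mask, oid):
        if len(oid) < len(subtree):
            return False
        bits = mask.ljust(len(subtree), "1")
        return all(b == "0" or s == o for s, o, b in zip(subtree, oid, bits))

    def allows(self, oid_text):
        """Longest matching subtree wins; equal lengths go to the lexicographically greater one (RFC 3415)."""
        oid, best = parse_oid(oid_text), None
        for subtree, mask, included in self.families:
            rank = (len(subtree), subtree)
            if self._covers(subtree, mask, oid) and (best is None or rank > best[0]):
                best = (rank, included)
        return best is not None and best[1]

def check_access(groups, access, views, user, model, level, op, oid):
    """RFC 3415 order: user -> group, (group, model, minimum level) -> entry, op -> view, view -> OID."""
    group = groups.get((model, user))
    usable = [(LEVELS[lvl], entry) for (g, m, lvl), entry in access.items()
              if group is not None and g == group and m == model and LEVELS[lvl] <= LEVELS[level]]
    if not usable:
        return False
    view_name = max(usable, key=lambda item: item[0])[1].get(op)   # entry with the highest minimum level
    return view_name in views and views[view_name].allows(oid)

# Constructed sample tables (not from the slides): slide 45's tree as view "mgmt", plus a wild-carded
# view that exposes only ifTable row 3 (ifEntry.<any column>.3, the column arc masked out).
VIEWS = {"mgmt": View(), "iface3": View()}
VIEWS["mgmt"].add(".1.2")
VIEWS["mgmt"].add(".1.2.2", included=False)
VIEWS["mgmt"].add(".1.2.2.3")
VIEWS["iface3"].add(".1.3.6.1.2.1.2.2.1.0.3", mask="11111111101")
GROUPS = {("usm", "wes"): "admins", ("usm", "nms"): "readers"}          # (securityModel, user) -> group
ACCESS = {("admins", "usm", "authPriv"): {"read": "mgmt", "write": "mgmt"},   # (group, model, min level)
          ("readers", "usm", "authNoPriv"): {"read": "iface3"}}
```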

Slide 46: The Future of SNMP
- Other security work:
  – AES encryption for the USM
  – USM alternatives: kerberos, …
- New protocol PDU operations (EoS WG):
  – Better bulk retrieval
  – Better write transaction handling
  – Better data compression
  – Easier row operations (creation, deletion, …)
- A new SMI (SMIng WG):
  – Hierarchical Data Definition Language
  – Easier to write
  – Easier to read

Slide 47: Summary
- SNMPv1, v2c: bad, no security
- SNMPv3: better, has security
- Start switching to SNMPv3 now.
  – Almost FULL standard
  – Most vendors support it
- SNMPv3 is modular in design

Slide 48: Conclusion
Questions?
Wes Hardaker

