
1 SNMP Management

2 Overview
- Growth of network size led to the need for management techniques
- Five main areas:
  - Configuration management
    - Deals with installing, initializing, and boot-loading network hardware and software
    - Also deals with modifying and tracking configuration parameters
  - Fault location and repair management
    - Concerned with tools enabling fault location in equipment, software, and/or provider lines
    - Tools have strong error and alarm characteristics

3 Overview
  - Security management
    - Tools are concerned with access control
    - Tools enable network managers to restrict or grant access to various network resources
  - Performance management
    - Tools provide operational statistics about the network
    - These may include bandwidth utilization or the number of packets received, transmitted, or dropped, etc.
  - Accounting management
    - Concerned with the applications enabling managers to define costs related to network resources

4 Network Management Tool Development
- Network management tools are essential
- The Internet Engineering Task Force (IETF) formed a group to develop tools, protocols, and database standards for TCP/IP networks
- Result: Simple Network Management Protocol (SNMP)
- SNMP is the most commonly used protocol for collecting management data from IP networks
- SNMP is not always the best solution

5 SNMP Client-Server Relationship
- Manager
  - Client program that makes virtual connections to an agent
- Agent
  - Server program residing on a remote network device
- MIB
  - The Management Information Base is a database defining a standard set of statistical and control values
  - The MIB can be customized by vendors

6 SNMP Client-Server Relationship
- Managers and agents communicate with a simple request/response technique
- The management station issues queries or action requests to the agent
  - Queries identify SNMP variables of interest (MIB object identifiers or MIB variables)
  - The agent is instructed to either get the requested variable or set the requested variable
- The agent responds to the manager's commands
- The agent can be programmed to send unsolicited messages to the manager in the form of a trap
  - Traps are essentially alerts

7 SNMP Operation

8 SNMP Versions
- Two available commercial versions
- SNMPv1
  - Most popular version
  - Defined in Request for Comments (RFC) 1157
- SNMPv2 (or SNMPv2c)
  - Improved security over SNMPv1
  - Updated the protocol operations and data types

9 SNMP Architecture
- Network elements
  - Network devices to be managed, such as routers, hubs, switches, computers, and printers
- Agents
  - Software program residing on a network element
  - Collects and stores information about the managed device
- Managed object
  - Sets of values describing manageable characteristics of a device
  - Example: the number of IP interfaces in a router is a managed object, but a specific interface is an instance of a managed object

10 SNMP Architecture
- MIB
  - Collection of all managed objects for a given device
- Syntax notation
  - The way MIB objects are described
  - Based on OSI's Abstract Syntax Notation One (ASN.1)
  - Machine independent
- Structure of Management Information (SMI)
  - Rules for defining managed objects using ASN.1
- Manager
  - Issues commands and queries to managed devices
  - Workstations that run the management application
  - Examples: Nortel's Site Manager, Nortel's Optivity, HP's OpenView

11 Message Types
- The only communication is between managers and agents
- Get request
  - The agent will return the value of the named object
- Get next request
  - The agent will return the next object in the MIB hierarchy
- Set request
  - Instructs the agent to set the value of a named object to a particular value
  - Used to control managed devices
- Trap message
  - The agent notifies a manager of a problem as soon as it happens

12 SNMP and the TCP/IP Protocol
- SNMP is an application layer protocol
- Interfaces to the User Datagram Protocol (UDP), not TCP
- Uses ports 161 and 162

13 MIB
- Resides on managed devices
- The standard MIB includes objects to measure:
  - IP activity
  - TCP and UDP activity
  - IP routes
  - TCP connections
  - Interfaces
  - General system description

14 MIB
- Arranged in a hierarchical fashion
  - Starts from an unnamed root
  - Connected to labeled nodes
  - Children of the root form the branches of the tree
- The path from the root down to an object defines the object
  - The path is called the Object Identifier (OID)
- Example: Nortel MIB objects are under
  - iso.org.dod.internet.private.enterprise.wellfleet
  - 1.3.6.1.4.1.18

15 MIB Object Hierarchy

16 MIB
- Nodes under internet are administered by the Internet Activities Board (IAB)
- Nodes under enterprises are for vendors with device-specific information
- Vendors must apply to the IAB's Internet Assigned Numbers Authority (IANA) for node numbers

17 Structure of Management Information (SMI)
- Defines rules and formats for adding or accessing objects in the Internet MIB
- Nodes (objects) are described by ASN.1
- Three categories of SMI data types:
  - Simple
  - Application-wide
  - Easily constructed

18 SMI Data Types

19 SMI Data Types

20 SMI Data Types

21 ASN.1
- Grammatical rules governing the definitions of protocols and programming languages
- Used to define the precise function of MIB values
- Defines an object's type, access, and description

22 Branch Object Identifiers
- Act as placeholders for other objects
- Much like directories containing files on a PC
  - Contain other objects instead of files

23 Two Types of Managed Objects in the MIB
- Scalar
  - One value per object
- Columnar
  - Two-dimensional table made of multiple scalar objects indexed by row and column numbers

24 Scalar Object Definitions
- Syntax for declaring an SNMP object
- Template

25 Scalar Object Definitions

26 Scalar Object Definitions
- Example

27 Table Types
- Identical to branch types, except that the objects in a table are columns rather than scalar objects
- Each SNMP table has the Table keyword
- A single branch object exists beneath each table with an Entry keyword
  - This object contains the table data
- A series of SNMP objects exists within the Entry branch that contains indexes to table rows in dot notation

28 Table Types
- Template

29 Table Types
- Example

30 SNMP Operations - Communities
- Managers and agents send messages to each other containing commands and information
- Agents have full access to a device's configuration
- Security is set up so that only selected managers can request this information
- Security is implemented through SNMP communities
  - Logical groups containing the agent and one or more managers
  - The agent checks to see if the manager is in the community

31 SNMP Operations - Communities
- A community is defined on the agent
- Limits access to either read-only or read-write
- Several communities with different rights can be defined, so different managers get different types of access

32 Accessing the Agent
- The manager sends a message (datagram) to the agent
- Each SNMP datagram has fields containing:
  - SNMP version
  - The community name
  - The SNMP Protocol Data Unit (PDU)
    - The PDU is the payload, or data field, containing the SNMP operation to perform
- The agent verifies that the manager is from a community it belongs to and determines what access rights, if any, it has
- If the manager is granted access, the action specified in the datagram is performed

33 SNMP Datagram

34 SNMPv1 Datagram Format

35 SNMP PDU
- Five types:
  - Get Request
  - Get Next Request
  - Get Response
  - Set Request
  - Trap

36 Get and Set PDU Format

37 Get and Set PDU Fields

38 Trap PDU Format

39 Trap PDU Fields

40 SNMPv1 Security Issues
- Problem:
  - Manager access is limited only by IP address
  - An intruder can send an SNMP datagram to the agent with a fake source IP address belonging to the agent's community
  - Masquerading
- Nortel solution: Secure Mode
  - The default mode is Trivial mode
  - Uses an encrypted exchange during Set Requests
  - Manager and agent exchange a key to be used to decode encrypted messages
  - The intruder will not have the key
  - Secure mode cannot be used for public communities or for addresses of 0.0.0.0
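The datagram of slides 32 to 35 and the access check of slide 40, as an added example that is not part of the slides: it BER-encodes an SNMPv1 message (version, community, PDU) and models what the agent sees before deciding. The community names, manager addresses and policy are constructed; the OIDs are MIB-II sysDescr.0 and sysContact.0.

```python
# Added example (not from the slides): BER-encode an SNMPv1 datagram and
# model the agent-side community/IP check. Policy values are constructed.

def ber(tag, body):
    # Short-form length only: every datagram in this demo is under 128 bytes.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def ber_int(v):                       # INTEGER, small non-negative values
    return ber(0x02, bytes([v]) if v < 128 else bytes([0, v]))

def ber_oid(dotted):                  # OBJECT IDENTIFIER, sub-ids below 128
    ids = [int(x) for x in dotted.split(".")]
    return ber(0x06, bytes([40 * ids[0] + ids[1]] + ids[2:]))

GET, GETNEXT, SET = 0xA0, 0xA1, 0xA3  # SNMPv1 PDU context tags (RFC 1157)

def v1_datagram(community, pdu_tag, oid, value=None, request_id=1):
    """SNMPv1 message = SEQUENCE { version 0, community, PDU }."""
    val = ber(0x05, b"") if value is None else ber(0x04, value.encode())
    varbinds = ber(0x30, ber(0x30, ber_oid(oid) + val))
    pdu = ber(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)

def peek_header(datagram):
    """Return (version, community, pdu_tag); all three travel in cleartext."""
    assert datagram[0] == 0x30 and datagram[2] == 0x02
    pos = 4 + datagram[3]             # past SEQUENCE header and INTEGER version
    version = datagram[4]
    assert datagram[pos] == 0x04
    clen = datagram[pos + 1]
    community = datagram[pos + 2:pos + 2 + clen].decode()
    return version, community, datagram[pos + 2 + clen]

# Constructed agent policy: community -> (rights, manager addresses allowed)
COMMUNITIES = {"public": ("read-only", {"192.0.2.10", "192.0.2.11"}),
               "private": ("read-write", {"192.0.2.10"})}

def authorize(datagram, src_ip):
    """Agent decision. src_ip is only what the IP header claims (slide 40)."""
    version, community, pdu_tag = peek_header(datagram)
    if version != 0 or community not in COMMUNITIES:
        return "authenticationFailure"        # the generic trap of slide 49
    rights, managers = COMMUNITIES[community]
    if src_ip not in managers:
        return "authenticationFailure"
    if pdu_tag == SET and rights != "read-write":
        return "rejected: read-write community required"
    return "accepted"
```

Because the check rests on the community name and the claimed source address alone, logging every authenticationFailure trap is the one detection signal a v1 agent gives a defender.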

41 Standard MIB Structure
- Defined by the IETF
- Recall that the MIB object identifier number is derived from the tree structure of the MIB
- Main management functions under
  - iso.org.dod.internet.management (1.3.6.1.2)
- Vendor-specific management functions under
  - iso.org.dod.internet.private.enterprises (1.3.6.1.4.1)
  - Nortel was granted vendor number 18

42 MIB-I and MIB-II
- SNMP was originally designed as a short-term fix
  - The OSI network management framework was intended to be the long-term solution
- SNMP became very popular
- Problem:
  - SNMP and the OSI framework had limited compatibility
  - Resulted in separate, parallel development
- SNMP was improved with the development of version 2 of the MIB (MIB-II)

43 MIB-II Improvements
- Changes
  - Incremental additions reflect new operational requirements
  - Improved support exists for multiprotocol entities
  - Textual cleanup improved clarity
- Changes were designed to keep upward compatibility with SNMP
  - Keep the same object identifiers as in MIB-I
- MIB-II is defined in RFC 1213

44 Nortel MIB Structure
- Extension of the standard MIB-II
- Nortel's router software MIB
  - Software called BayRS
  - Under enterprises.wellfleet.wfSwSeries7 (1.18.3)
- Main object groups under wfSwSeries7 are
  - wfHardwareConfig
  - wfSoftwareConfig
  - wfSystem
  - wfLine
  - wfApplication
- These objects hold statistics and configuration information for the router

45 Nortel MIB Structure

46 wfSwSeries7 Object Groups

47 MIB Structure

48 Nortel Agent Traps
- Trap messages are sent immediately by the agent to the manager when a given condition is met
- A short description of the condition is sent in the message; a detailed description is stored in the event log
- Trap message types
  - Generic
  - Enterprise-specific

49 Generic Traps
- Defined by RFC 1157
  - coldStart
  - warmStart
  - linkUp
  - linkDown
  - authenticationFailure
  - egpNeighborLoss

50 Nortel Enterprise Traps
- Any event that would be recorded in the router event log

51 Configuring Nortel Trap Messages
- Three criteria
  - Category
    - Either generic or specific
  - Protocol entity
    - Protocol entities to be sent
  - Event severity
    - Specifies the severity of the event: fault, warning, etc.

52 Configuring Nortel Trap Messages
- Nortel's Site Manager is used to
  - Specify the manager to receive trap messages from the agent
  - Select the type of event for the trap
- Nortel routers have hundreds of different events
- Events are grouped by entities
  - Entities are protocols like ATM, BGP, IP, etc.
- Each entity has its various events categorized by severity level
  - Fault
  - Warning
  - Debug
  - Trace
  - Info

53 Configuring Nortel Trap Messages
- Example:
  - You can tell the agent to send traps for IP protocol events with the severity level Info
  - The router will then send a trap to the manager for Info level events, such as an interface IP filter dropping a packet because it met the filter criteria

54 SNMPv2
- SNMPv2 addresses two deficiencies in v1:
  - Lack of support for distributed network management
  - Functional deficiencies
- A third deficiency, security, is addressed to some degree
- More enhancements in SNMPv3

55 SNMPv2 Distributed Network Mgt
- Centralized management schemes have one main management station and possibly some backups, all at one location
- Not good for large networks
  - Many agents sending information a long way
  - Too much information entering the management workstation

56 SNMPv2 Distributed Network Mgt
- A decentralized management scheme has a hierarchy of management stations
- The top-level management station is responsible for managing all of the agents
- Intermediate management stations are deployed to directly manage some of the network's agents
- Intermediate managers relay information to the top-level manager

57 Distributed Network Management
- Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ: Prentice-Hall, 2000

58 SNMPv2 Functional Enhancements
- Two new commands added
  - Inform
    - Sent from one management station to another to inform it about events at the sender
    - Used to implement hierarchical management structures
  - GetBulk
    - Allows a manager to retrieve a large block of data at once rather than issuing multiple Get commands
    - Good for sending an entire table at one time
- The Get command is modified
  - In SNMPv1, if a Get requests a list of objects and one is invalid, the entire command is rejected by the agent
  - In SNMPv2, the agent will not reject the command, but will send back the valid objects
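The two behaviours slide 58 describes, as an added example that is not part of the slides: an agent answering a Get with one unknown object under v1 rules versus v2 rules, and GetBulk fetching a whole table in one request. The MIB instances are constructed; the OIDs are MIB-II sysDescr, sysUpTime, ifIndex and ifDescr.

```python
# Added example (not from the slides): v1 vs v2 Get semantics and a v2
# GetBulk walk over a small constructed MIB (MIB-II system and ifTable OIDs).
MIB = {
    "1.3.6.1.2.1.1.1.0": "BayRS router",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 4711,             # sysUpTime.0
    "1.3.6.1.2.1.2.2.1.1.1": 1, "1.3.6.1.2.1.2.2.1.1.2": 2,            # ifIndex
    "1.3.6.1.2.1.2.2.1.2.1": "eth0", "1.3.6.1.2.1.2.2.1.2.2": "eth1",  # ifDescr
}

def _key(oid):                         # lexicographic order on sub-identifiers
    return tuple(int(x) for x in oid.split("."))

ORDER = sorted(MIB, key=_key)

def get_v1(oids):
    """v1: one unknown object fails the whole request (noSuchName + index)."""
    for i, oid in enumerate(oids, 1):
        if oid not in MIB:
            return "noSuchName", i, [(o, None) for o in oids]
    return "noError", 0, [(o, MIB[o]) for o in oids]

def get_v2(oids):
    """v2: known objects are returned; an unknown one carries a per-binding
    noSuchObject exception instead of failing the request."""
    return "noError", 0, [(o, MIB.get(o, "noSuchObject")) for o in oids]

def get_next(oid):
    """Lexicographic successor of oid, or endOfMibView when none exists."""
    for cand in ORDER:
        if _key(cand) > _key(oid):
            return cand, MIB[cand]
    return oid, "endOfMibView"

def get_bulk(oids, non_repeaters, max_repetitions):
    """v2 GetBulk: one GetNext for the first non_repeaters OIDs, then up to
    max_repetitions successive GetNexts for each remaining OID, so a table
    comes back in one request instead of one GetNext per cell."""
    out = [get_next(o) for o in oids[:non_repeaters]]
    cursors = list(oids[non_repeaters:])
    for _ in range(max_repetitions):
        for i, cur in enumerate(cursors):
            cursors[i], val = get_next(cur)
            out.append((cursors[i], val))
    return out
```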

59 Comparison of SNMPv1 and v2 PDUs

60 SNMPv2 Security Enhancements
- V1 security threats addressed by v2
  - V1 had no way of restricting a third party from observing the traffic content between manager and agent
  - A third party (hacker) could learn passwords when the manager SETs a new password
  - A third party could masquerade as the manager and perform get/set functions on the agent
  - A third party could intercept and modify the content of messages between manager and agent
  - A third party could intercept and modify message sequence and timing
  - A third party could copy a message to reboot a router and replay it at a later time

61 SNMPv2 Security Enhancements
- V1 security threats not addressed by v2
  - Denial of service
    - A hacker can prevent exchanges between manager and agent
  - Traffic analysis
    - A hacker observes the traffic pattern between manager and agent

62 SNMPv2 Security Services
- SNMPv2 adds some security enhancements over SNMPv1
  - Privacy
    - Protection of data from eavesdropping
  - Authentication
    - Communicating parties can verify that messages are from whom they say they are
  - Access control
    - Only authorized parties have access to MIBs
- How does v2 do it?
  - V2 added the ability to include an authentication code so agent and manager know each other's correct identities
  - Messages can be encrypted
- SNMPv3 adds more enhancements

63 SNMPv2 Security Features
- Source: W. Stallings, Network and Internetwork Security: Principles and Practice, Englewood Cliffs, NJ: Prentice-Hall, 1995

64 SNMPv2 Capability Highlight
- Source: W. Stallings, Network and Internetwork Security: Principles and Practice, Englewood Cliffs, NJ: Prentice-Hall, 1995

65 SNMPv3
- In 1998, RFCs 2570 through 2575 proposed additional security features in SNMP with backward compatibility to SNMPv1 and SNMPv2
- SNMPv3 is not a replacement for v1 and v2
  - It must be used with them
  - Defines the security capability to be used with v1 and v2
- SNMPv3 can be thought of as SNMPv2 with additional security and administration capabilities

66 V3 Protocol Overview
- Security-related information is included inside the SNMP message
- The v3 User Security Model (USM) uses fields in the message header
- The payload of the SNMP message is the SNMPv1 or v2 protocol data unit (PDU)
- SNMPv1 and v2 PDU formats are the same as in the original protocols
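What the USM header fields of slide 66 buy against the threats of slide 60, as an added example that is not part of the slides: RFC 3414 password-to-key localization and HMAC-96 message authentication, plus the USM timeliness window that bounds replay. The message framing is simplified (no BER): a fixed header, a 12-byte authentication field, then the v1/v2 PDU as payload; the engine ID is the RFC 3414 test value and the user name and times are constructed.

```python
# Added example (not from the slides): SNMPv3 USM key localization and
# HMAC-96 authentication per RFC 3414, over a simplified (non-BER) framing:
# header = engineID(12) + engineTime(4) + user, then 12-byte MAC, then PDU.
import hashlib, hmac

ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 test engine

def password_to_key(password, engine_id, algo="sha1"):
    """RFC 3414 A.2: hash the password repeated to 1 MiB, then localize the
    result with the engine ID so each agent holds a different key."""
    stretched = (password.encode() * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def header(engine_id, engine_time, user):
    # 12-byte engine ID, 4-byte msgAuthoritativeEngineTime, then the user name
    return engine_id + engine_time.to_bytes(4, "big") + user.encode()

def authenticate(key, hdr, pdu, algo="sha1"):
    """msgAuthenticationParameters = first 12 bytes of the HMAC over the whole
    message, computed with that field zeroed (RFC 3414 section 6)."""
    mac = hmac.new(key, hdr + bytes(12) + pdu, algo).digest()[:12]
    return hdr + mac + pdu

def verify(key, message, hdr_len, now, algo="sha1"):
    """Agent side: recompute the MAC, then apply the USM 150-second
    timeliness window that limits replay of a captured message."""
    hdr, mac, pdu = (message[:hdr_len], message[hdr_len:hdr_len + 12],
                     message[hdr_len + 12:])
    expected = hmac.new(key, hdr + bytes(12) + pdu, algo).digest()[:12]
    if not hmac.compare_digest(mac, expected):
        return "wrongDigest"
    if abs(now - int.from_bytes(hdr[12:16], "big")) > 150:
        return "notInTimeWindow"
    return "ok"
```

A real agent also counts these outcomes in usmStatsWrongDigests and usmStatsNotInTimeWindows, which are the USM counters worth watching for tampering or replay attempts.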

67 SNMP Protocol Architecture
- Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ: Prentice-Hall, 2000

68 SNMP Architecture
- The architecture is a distributed, interacting collection of SNMP entities
- Entities can be agents, managers, or a combination of the two

69 V3 SNMP Entity
- Traditional SNMP manager
  - Interacts with SNMP agents using get and set commands and by receiving traps
  - Interacts with other managers using Inform Request PDUs and by receiving Inform Responses
  - The manager consists of some SNMP applications and an SNMP engine
  - The engine contains a security subsystem that supports the User Security Model

70 Traditional SNMP Manager
- Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ: Prentice-Hall, 2000

71 V3 SNMP Entity
- Traditional SNMP agent
  - Responds to incoming requests by retrieving or setting MIB objects and issuing a Response PDU
  - Generates v1 or v2 traps
  - Forwards messages between entities

72 Traditional SNMP Agent
- Source: W. Stallings, Network Security Essentials: Applications and Standards, Englewood Cliffs, NJ: Prentice-Hall, 2000

