ECE-8843, http://www.csc.gatech.edu/copeland/jac/8843/, Prof. John A. Copeland – PowerPoint presentation



SLIDE 1

ECE-8843
http://www.csc.gatech.edu/copeland/jac/8843/

Prof. John A. Copeland
john.copeland@ece.gatech.edu
404 894-5177, fax 404 894-0035
Office: GCATT Bldg 579 (email or call for an office visit, or call Kathy Cheek, 404 894-5696)

Chapter 8: Basic Concepts of SNMP - Simple Network Mgmt Protocol

(The text: “Network Security Essentials, Applications and Standards” by William Stallings)

SLIDE 2

Network Management Architecture

An integrated collection of tools for network monitoring and control.

  • Single operator interface.
  • Minimal amount of separate equipment – software and network communications capability built into the existing equipment.

The primary parts are:

  • Management station (central control, has an “agent”)
  • Management agents (software in network equipment)
  • Management Information Base (MIB)
  • Network management protocol (rules for communication)
SLIDE 3

SNMP Trap – an unsolicited message, perhaps reporting an alarm condition (to UDP port 162).

SNMPv1 (version 1) is “connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol. SNMPv2 allows the use of TCP for “reliable, connection-oriented” service.

“Proxy” – an add-on box to add SNMP features to a network unit (router, modem, PC, …) that does not have built-in SNMP capability.

SLIDE 4

SNMP v1, v2, and v3

Problems with SNMP v1 addressed by version 2:

  • Lack of support for distributed network management.
  • Functional deficiencies – v2 can use TCP/IP and Novell IPX.

Problem addressed by version 3:

  • Security – version 1 used a community name as a password.
SLIDE 5

SNMP v3 – a Security Add-on

SNMP v3 “engine” operating at the Application Layer:

  • On outgoing PDUs, inserts authentication codes (MACs), encrypts certain fields, and encapsulates the PDU into a message for transmission.
  • For incoming messages (from the Transport Layer), performs authentication verification and decryption, and extracts PDUs from the message to pass up to the SNMP applications above.
  • Security Subsystem – performs the authentication and encryption tasks.

SLIDE 6

Figure 8.1 The Role of SNMP

Figure content: an SNMP Management Station (Management Application over an SNMP Manager) and a managed device (SNMP Agent, with Managed Resources and SNMP Managed Objects; the application manages the objects) each run the stack SNMP / UDP / IP / Network-dependent protocols and exchange SNMP Messages across the network or internet. Message types shown: GetRequest, GetNextRequest, SetRequest, GetResponse, Trap.

SLIDE 7

Figure 8.2 Proxy Configuration

Figure content: the Management Station (Manager Process over SNMP / UDP / IP / Network-dependent protocols) talks to a Proxy Agent (Agent Process over SNMP / UDP / IP / Network-dependent protocols). Inside the proxy, a Mapping Function converts between SNMP and the protocol architecture used by the proxied device; the Proxied Device runs its own Management process over its own network-dependent protocols.

SLIDE 8

Figure 8.3 Example Distributed Network Management Configuration

Figure content: at the Central Site a Management Server (manager) sits on an Ethernet attached through a Router (agent) to an FDDI backbone. Further Routers (agents) connect additional Ethernet and Token Ring LANs; the devices on those LANs are agents, and one LAN hosts an Intermediate Manager (manager/agent).

SLIDE 9

Figure 8.4 SNMPv1 Administrative Concepts

Figure content: an SNMP agent is associated with a set of SNMP managers through an SNMP community (identified by a community name). The SNMP community profile combines an SNMP MIB view with an SNMP access mode; together with the community it defines the SNMP access policy.

SLIDE 10

SNMP v3 – a Security Add-on (repeat of Slide 5)

SLIDE 11

Figure 8.5 SNMP Protocol Architecture

Encapsulation of an SNMP PDU on the way down the stack:

  PDU Processing (SNMPv1 or SNMPv2):   SNMP PDU
  Message Processing (SNMPv3 USM):     V3-MH | SNMP PDU
  UDP:                                 UDP-H | V3-MH | SNMP PDU
  IP:                                  IP-H | UDP-H | V3-MH | SNMP PDU

IP-H = IP header, UDP-H = UDP header, V3-MH = SNMPv3 message header, PDU = Protocol data unit.

SLIDE 12

Figure 8.6 Traditional SNMP Manager

Figure content: an SNMP Entity consisting of SNMP Applications and an SNMP Engine.

  • SNMP Applications: Command Generator Applications, Notification Receiver Applications, Notification Originator Applications.
  • SNMP Engine:
      – Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mapping (e.g., RFC1906) over UDP, IPX, other networks, …
      – Message Processing Subsystem: v1MP, v2cMP, v3MP, otherMP.
      – Security Subsystem: User-based Security Model, Other Security Model.

SLIDE 13

Figure 8.7 Traditional SNMP Agent

Figure content: an SNMP Entity consisting of SNMP Applications and an SNMP Engine.

  • SNMP Applications: Command Responder Applications, Notification Originator Applications, Proxy Forwarder Applications, with MIB Instrumentation.
  • SNMP Engine:
      – Dispatcher: PDU Dispatcher, Message Dispatcher, Transport Mapping (e.g., RFC1906) over UDP, IPX, other networks, …
      – Message Processing Subsystem: v1MP, v2cMP, v3MP, otherMP.
      – Security Subsystem: User-based Security Model, Other Security Model.
      – Access Control Subsystem: View-based Access Control Model, Other Access Control Model.

SLIDE 14

Figure 8.8 SNMPv3 Flow

(a) Command Generator or Notification Originator: the Command Generator calls sendPdu on the Dispatcher; the Dispatcher calls prepareOutgoingMsg on the Message Processing Model, which calls generateRequestMsg on the Security Model, and the SNMP Request Msg is sent to the network. When the SNMP Response Msg is received from the network, the Dispatcher calls prepareDataElements on the Message Processing Model, which calls processIncomingMsg on the Security Model; the Dispatcher then hands the result to the Command Generator through processResponsePdu.

(b) Command Responder: the Command Responder first calls registerContextEngineID on the Dispatcher. When an SNMP Request Msg is received from the network, the Dispatcher calls prepareDataElements, the Message Processing Model calls processIncomingMsg on the Security Model, and the PDU is delivered to the Command Responder through processPdu. The responder answers with returnResponsePdu; the Dispatcher calls prepareResponseMsg, the Message Processing Model calls generateResponseMsg on the Security Model, and the SNMP Response Msg is sent to the network.

SLIDE 15

Figure 8.9 SNMPv3 Message Format with USM

Generated/processed by the Message Processing Model:
  msgVersion, msgID, msgMaxSize, msgFlags, msgSecurityModel

Generated/processed by the User Security Model (USM):
  msgAuthoritativeEngineID, msgAuthoritativeEngineBoots, msgAuthoritativeEngineTime, msgUserName, msgAuthenticationParameters, msgPrivacyParameters

Scoped PDU (plaintext or encrypted):
  contextEngineID, contextName, PDU

Scope of encryption: the scoped PDU. Scope of authentication: the whole message.

SLIDE 16

Figure 8.10 USM Message Processing

(a) Message Transmission:
  1. Privacy required? YES: encrypt scopedPdu, set msgPrivacyParameters. NO: msgPrivacyParameters ← null string.
  2. Authentication required? YES: compute MAC, set msgAuthenticationParameters. NO: msgAuthenticationParameters ← null string.

(b) Message Reception:
  1. Retrieve message parameters; retrieve user information.
  2. Authentication required? YES: compute MAC, compare to msgAuthenticationParameters; determine if message is within time window. NO: skip.
  3. Privacy required? YES: decrypt scopedPdu.
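The message layout of Figure 8.9 and the transmit/receive flow of Figure 8.10, as an added Python model that is not part of the slides or of any SNMP implementation. The field names are those of Figure 8.9 and the error names are those of RFC 3414; the length-prefixed serialization, the HMAC-SHA1 counter-mode stand-in for the privacy cipher, the sample keys and the 150-second time window check are assumptions made for the example (real USM encodes with BER and encrypts with CBC-DES or AES).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AUTH_FLAG = 0x01      # msgFlags authFlag
PRIV_FLAG = 0x02      # msgFlags privFlag
MAC_LEN = 12          # HMAC-SHA-96 keeps the first 12 bytes of HMAC-SHA1
TIME_WINDOW = 150     # seconds of clock skew tolerated by the receiver

# Constructed sample keys; in real USM these are the localized keys of Figure 8.11.
AUTH_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
PRIV_KEY = bytes.fromhex("fedcba9876543210fedcba9876543210fedcba98")


@dataclass
class Msg:
    """Fields of Figure 8.9: MPM header, USM security parameters, scoped PDU."""
    msgVersion: int = 3
    msgID: int = 0
    msgMaxSize: int = 65507
    msgFlags: int = 0
    msgSecurityModel: int = 3            # 3 = USM
    msgAuthoritativeEngineID: bytes = b""
    msgAuthoritativeEngineBoots: int = 0
    msgAuthoritativeEngineTime: int = 0
    msgUserName: bytes = b""
    msgAuthenticationParameters: bytes = b""
    msgPrivacyParameters: bytes = b""
    scopedPDU: bytes = b""               # plaintext or encrypted


def wire(m: Msg) -> bytes:
    """Length-prefixed serialization standing in for BER. Every field is covered,
    so a MAC over it authenticates the whole message (scope of authentication)."""
    parts = [
        struct.pack(">IIII", m.msgVersion, m.msgID, m.msgMaxSize, m.msgFlags),
        struct.pack(">I", m.msgSecurityModel),
        m.msgAuthoritativeEngineID,
        struct.pack(">II", m.msgAuthoritativeEngineBoots, m.msgAuthoritativeEngineTime),
        m.msgUserName, m.msgAuthenticationParameters, m.msgPrivacyParameters, m.scopedPDU,
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def compute_mac(m: Msg, auth_key: bytes) -> bytes:
    """RFC 3414: MAC the whole message with msgAuthenticationParameters set to
    MAC_LEN zero bytes, then truncate to MAC_LEN."""
    saved = m.msgAuthenticationParameters
    m.msgAuthenticationParameters = bytes(MAC_LEN)
    try:
        return hmac.new(auth_key, wire(m), hashlib.sha1).digest()[:MAC_LEN]
    finally:
        m.msgAuthenticationParameters = saved


def _keystream(priv_key: bytes, salt: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA1 in counter mode) so the example runs on the
    # standard library; the salt is the msgPrivacyParameters value carried in the message.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(priv_key, salt + ctr.to_bytes(4, "big"), hashlib.sha1).digest()
        ctr += 1
    return out[:n]


def priv_xform(priv_key: bytes, salt: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, _keystream(priv_key, salt, len(data))))


def transmit(scoped_pdu, flags, engine_id, boots, time, user, salt=b"\0" * 8):
    """Figure 8.10(a): privacy step first, then authentication step."""
    m = Msg(msgFlags=flags, msgAuthoritativeEngineID=engine_id,
            msgAuthoritativeEngineBoots=boots, msgAuthoritativeEngineTime=time,
            msgUserName=user)
    if flags & PRIV_FLAG:                      # Privacy required?
        m.msgPrivacyParameters = salt
        m.scopedPDU = priv_xform(PRIV_KEY, salt, scoped_pdu)
    else:
        m.msgPrivacyParameters = b""           # null string
        m.scopedPDU = scoped_pdu
    if flags & AUTH_FLAG:                      # Authentication required?
        m.msgAuthenticationParameters = compute_mac(m, AUTH_KEY)
    else:
        m.msgAuthenticationParameters = b""    # null string
    return m


def receive(m, local_boots, local_time):
    """Figure 8.10(b): authenticate, check the time window, then decrypt.
    Returns (statusInformation, plaintext scopedPDU or None)."""
    if m.msgFlags & PRIV_FLAG and not m.msgFlags & AUTH_FLAG:
        return "unsupportedSecurityLevel", None   # privacy without authentication is invalid
    if m.msgFlags & AUTH_FLAG:                    # Authentication required?
        if not hmac.compare_digest(compute_mac(m, AUTH_KEY), m.msgAuthenticationParameters):
            return "authenticationFailure", None
        if (m.msgAuthoritativeEngineBoots != local_boots       # within time window?
                or abs(m.msgAuthoritativeEngineTime - local_time) > TIME_WINDOW):
            return "notInTimeWindow", None
    pdu = m.scopedPDU
    if m.msgFlags & PRIV_FLAG:                    # Privacy required?
        pdu = priv_xform(PRIV_KEY, m.msgPrivacyParameters, pdu)
    return "ok", pdu
```

The MAC is checked before the time window and before decryption, matching the order in Figure 8.10(b): a message that fails authentication is dropped without the receiver ever acting on its engine time or ciphertext.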

SLIDE 17

Figure 8.11 Key Localization

User Password → take hash of expanded password string → User Key → take hash of user key and remote EngineID → Localized Key (one per remote EngineID; three Localized Keys are shown).
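The two hashing steps of Figure 8.11 as an added Python example following RFC 3414 appendix A.2 (password expanded to 1,048,576 bytes, then Kul = H(Ku || snmpEngineID || Ku)); this is not code from the slides. The minimum-length check and the sample EngineIDs are assumptions made for the example.

```python
import hashlib

EXPANDED_LEN = 1_048_576   # RFC 3414 A.2: the password is repeated cyclically to 1,048,576 bytes


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """User Key Ku = H(expanded password string); same for every remote engine."""
    if len(password) < 8:
        # Assumption for this example: reject passwords shorter than the 8 characters RFC 3414 calls for.
        raise ValueError("password must be at least 8 characters")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Localized Key Kul = H(Ku || snmpEngineID || Ku); differs for every remote engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_ids, hash_name: str = "md5") -> dict:
    """Figure 8.11 end to end: one User Key, then one Localized Key per remote EngineID,
    so a key recovered from one engine does not open the others."""
    ku = password_to_key(password, hash_name)
    return {eid: localize_key(ku, eid, hash_name) for eid in engine_ids}
```

Because the localized key depends on the remote EngineID, the same user password yields a different key on every agent; the RFC 3414 appendix A.3 vectors (password "maplesyrup", EngineID 00…02) can be used to check an implementation.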

SLIDE 18

Figure 8.12 VACM Logic

The View-based Access Control Model answers six questions to reach a yes/no decision:

  who:   securityModel + securityName → vacmSecurityToGroupTable → groupName
  where: contextName → vacmContextTable
  how:   securityModel + securityLevel
  why:   viewType (read/write/notify)
         groupName, contextName, securityModel, securityLevel, viewType → vacmAccessTable → viewName
  what:  object-type
  which: object-instance (together the variableName, an OID)
  viewName + variableName (OID) → vacmViewTreeFamilyTable → yes/no decision
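The table walk of Figure 8.12 as an added Python example implementing the isAccessAllowed procedure and view-tree family matching of RFC 3415; it is not code from the slides or from any SNMP agent. The group names, users, views, OIDs and mask values are constructed sample table contents.

```python
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}


@dataclass(frozen=True)
class ViewTreeFamily:
    """One vacmViewTreeFamilyTable row: subtree OID, bit mask (b'' = all ones), include/exclude."""
    subtree: tuple
    mask: bytes
    included: bool


def in_family(oid: tuple, fam: ViewTreeFamily) -> bool:
    """The OID is in the family if it is at least as long as the subtree and agrees with
    every subtree sub-identifier whose mask bit is 1 (bits past the mask count as 1)."""
    if len(oid) < len(fam.subtree):
        return False
    for i, sub in enumerate(fam.subtree):
        byte_i, bit = divmod(i, 8)
        must_match = byte_i >= len(fam.mask) or bool(fam.mask[byte_i] & (0x80 >> bit))
        if must_match and oid[i] != sub:
            return False
    return True


def view_allows(view, oid) -> bool:
    """Among matching families the longest subtree wins (greatest subtree on ties);
    the OID is in the view iff that family is 'included'."""
    matches = [f for f in view if in_family(oid, f)]
    if not matches:
        return False
    return max(matches, key=lambda f: (len(f.subtree), f.subtree)).included


# Constructed sample tables -------------------------------------------------------
CONTEXTS = {""}                                   # vacmContextTable: default context only
SEC_TO_GROUP = {(3, "ops-ro"): "readonly",        # (securityModel, securityName) -> groupName
                (3, "ops-admin"): "admins"}
ACCESS = {                                        # (group, contextPrefix, model, level) -> views
    ("readonly", "", 3, "authNoPriv"): {"read": "sys-only", "write": "", "notify": "sys-only"},
    ("admins", "", 3, "authPriv"): {"read": "all", "write": "all", "notify": "all"},
}
VIEWS = {
    "all": [ViewTreeFamily((1,), b"", True)],
    # system group, but the sysContact instance is carved out of the view
    "sys-only": [ViewTreeFamily((1, 3, 6, 1, 2, 1, 1), b"", True),
                 ViewTreeFamily((1, 3, 6, 1, 2, 1, 1, 4), b"", False)],
}


def is_access_allowed(security_model, security_name, security_level, context_name, view_type, oid):
    """RFC 3415 4.1 isAccessAllowed over the tables above; returns the statusInformation name."""
    if context_name not in CONTEXTS:
        return "noSuchContext"
    group = SEC_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    candidates = [(k, v) for k, v in ACCESS.items()
                  if k[0] == group and context_name.startswith(k[1])
                  and k[2] == security_model and LEVELS[k[3]] <= LEVELS[security_level]]
    if not candidates:
        return "noAccessEntry"
    # most specific entry: longest context prefix, then highest security level
    _, entry = max(candidates, key=lambda kv: (len(kv[0][1]), LEVELS[kv[0][3]]))
    view_name = entry.get(view_type, "")
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if view_allows(VIEWS[view_name], oid) else "notInView"
```

A request below the entry's securityLevel gets noAccessEntry rather than a weaker view, and an exclude family longer than the include family it sits under removes a single instance from an otherwise visible subtree; masks with zero bits let one family cover, for example, every column of one ifTable row.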