1 Network Management and SNMP What is Network Management? ISO Network Management Model (FCAPS) Network Management Architecture SNMPv1 and SNMPv2 SNMPv3 – what’s new?
1
Network Management and SNMP
What is Network Management?
ISO Network Management Model(FCAPS)
Network Management Architecture
SNMPv1 and SNMPv2
SNMPv3 – what’s new?
2
Network Management
Any complex system with many interacting components must be monitored, managed and controlled
In the early 1980 networks expansion prompted the need for automated network management
3
Network management scenarios Detecting failure of an interface card in a
device
Host monitoring
Traffic monitoring to optimize resource deployment
Detecting rapid changes in routing tables
Intrusion detection
4
ISO Network Management Model
FCAPS:
Fault management
Configuration management
Accounting management
Performance management
Security Management
5
ISO Network Management Model
Fault management – log, detect and respond to fault conditions in the network
Configuration management – track devices and their h/w and s/w configs
Accounting management - specify, log and control user access to network resources
Performance management – quantify, measure, report, analyze and control performance of network components
Security Management – control access to network resources according to some well-defined policy
7
Simple Network Management Protocol Protocol for network management, part of
TCP/IP suite
Current version SNMPv3
Includes communication protocol, set of data definitions and database schema
Basic components:Managers/NMSManaged devicesSNMP AgentsMIB
8
SNMPv3
Was implemented as a full standardin 2004
Only changes relate to security and remote configuration
SNMPv3 provides for encryption, authentication and message integrity
10
MIB (Management Information Base) MIB – virtual information store for a collection
of managed objects
Describes structure of management data on managed device
Each variable that describes some part of device configuration is identified by a unique OID (object ID)
Vendors define MIB variables for their own use
MIB II – standard MIB implemented by all managed objects
11
SMI (Structure of management information)
SMI is the language used to define the management information residing in a managed object – logically
SMI states that each managed object should have a name, syntax and encoding
SMI is a subset of ASN.1 - a standard for describing data that is independent of machine-specific encoding.
16
SNMP Operations
get getnext getbulk (SNMPv2 and SNMPv3) set getresponse trap notification (SNMPv2 and SNMPv3) inform (SNMPv2 and SNMPv3) report (SNMPv2 and SNMPv3)
22
Primary Goals of SNMPv3
Check message integrity - To verify that each received message has not been modified during its transmission .
User authentication - To verify the identity of the user on whose behalf a received message claims to have been
generated.
Message timestamp – to detect outdated messages
Message confidentiality - To assure that the contents of each received message are protected/encrypted.
24
SNMPv3 security framework
Two core modules within the framework are the User-based Security Model (USM) and the View-based Access Control Model (VACM).
The USM is in charge of authenticating/encrypting/decrypting SNMP packets
The VACM is in charge of administering access to MIB data.
25
SNMPv3 security framework
Authentication -Each SNMP entity is identified by SNMPEngineID, and SNMP communication is possible only if an SNMP entity knows the identity of its peer. Traps and Notifications are exceptions to this rule.
Protection against: Modification of Information (Data Integrity)
Ensure that the data is not maliciously altered during transit by an unauthorized entity.
Masquerading (Data Origin Authentication)Ensure that it is known exactly who and where the data came from to prevent an unauthorized entity from assuming the identity of an authorized user.
Disclosure (Data Confidentiality)Ensure that an unauthorized entity cannot eavesdrop on the data exchanges.
Message Stream Modification (Message Timeliness)Ensure that the data was received in a timely manner to prevent malicious re-ordering of data by an unauthorized entity.
26
SNMPv3 User-based Secuirity Model USM communication mechanisms
available: Communication without authentication
and privacy (NoAuthNoPriv). Communication with authentication and
without privacy (AuthNoPriv). Communication with authentication and
privacy (AuthPriv).
Different authentication and privacy protocols supported - Currently, the MD5 and SHA authentication protocols and the CBC_DES and CFB_AES_128 privacy protocols are supported in the USM.
27
SNMPv3 VCAM
The Access Control Subsystem of an SNMP entity has the responsibility for checking whether a specific type of access to a specific managed object is allowed.
Access control occurs in the agent when processing SNMP retrieval or modification request messages from a manager, and also when a notification message must be sent to the manager.
Elaborates on the concept of community strings in the previous versions of SNMP