CSCE 815 Network Security, Lecture 18
SNMP
Simple Network Management Protocol
March 25, 2003
– 2 – CSCE 815 Sp 03
SNMP GOALS
UBIQUITY - PCs and CRAYs
INCLUSION OF MANAGEMENT SHOULD BE INEXPENSIVE - small code, limited functionality
MANAGEMENT EXTENSIONS SHOULD BE POSSIBLE - new MIBs
MANAGEMENT SHOULD BE ROBUST - connectionless transport
Resource/reference for next few slides: http://www.simpleweb.org/tutorials/slides-ppt.html
Copyright © 2001 by Aiko Pras
These sheets may be used for educational purposes
SNMP (figure): MANAGER, AGENTS, GET / SET, TRAP, MIB
Protocol context of SNMP (figure)
SNMP Proxies
Note that not all devices are capable of implementing SNMP (UDP, IP), e.g., bridges, modems, etc.
The concept of a proxy was added to accommodate such devices.
SNMPv2 added the capability of running on the OSI as well as the TCP/IP protocol suite.
Proxy Configuration (figure)
SNMPv2
The strength of SNMPv1 was simplicity, implying it was easy to implement and configure.
However, deficiencies arose:
1. Lack of support for distributed network management
2. Functional deficiencies
3. Security deficiencies
The first two were addressed by SNMPv2 and the latter by SNMPv3.
MIB II - Objects
Described in RFC 1213: http://www.freesoft.org/CIE/RFC/1213/
Groups of Objects: physical addresses, system, interfaces, …, the IP group, … E.g., the IP group contains: ipRouteMask, ipRouteInfo, ipRoutingDiscards, …
Definitions
    PhysAddress ::= OCTET STRING
    -- This data type is used to model media addresses. For many
    -- types of media, this will be in a binary representation.
    -- For example, an ethernet address would be represented as
    -- a string of 6 octets.
Object Identifiers (OIDs) – unique integer name of an object
SNMPv3
SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferably) or possibly v1.
SNMPv3 Architecture
The SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating together.
Each SNMP entity may act as manager, agent, or a combination.
SNMP Engine - implements functions for:
1. Sending and receiving messages
2. Authenticating and encrypting/decrypting messages
3. Controlling access to managed objects
SNMP Engine Modules
The modular nature means that upgrades to individual modules can be made without redoing the architecture.
Modules:
1. Dispatcher
2. Message Processing Subsystem
3. Security Subsystem
4. Access Control Subsystem
SNMP Manager (figure): Notification Receiver and Command Generator applications; PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, other); Security Subsystem (Community-based Security Model, User-based Security Model, other security model)
SNMP Agent (figure): Command Responder and Notification Originator applications; PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, other); Security Subsystem (Community-based Security Model, User-based Security Model, other security model); Access Control Subsystem (View-based Access Control); Management Information Base
SNMP Engine Modules: Dispatcher
The Dispatcher is a simple traffic manager.
On incoming messages:
1. It accepts incoming messages from the transport layer
2. Routes each message to the appropriate message processing module
3. When the message processing completes, the Dispatcher sends the PDU to the appropriate application
On outgoing messages:
1. It accepts PDUs from the application layer
2. Sends them to the Message Processing Subsystem
3. Sends them to the transport layer
SNMP Engine Modules: Dispatcher
Dispatcher Submodules
PDU Dispatcher – sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
Message Dispatcher – transmits to/from the message processing subsystem
Transport Mapping – sends/receives transport layer packets
Message Processing Module
On outgoing PDUs:
1. Accepts outgoing PDUs from the dispatcher
2. Passes the message to the security subsystem
3. Wraps the result with the appropriate header
4. Sends it back to the dispatcher
On incoming PDUs:
1. Accepts messages from the dispatcher
2. Processes the headers
3. Possibly sends the message to the Security Subsystem for authentication and decryption
4. Returns the enclosed PDU to the dispatcher
Security and Access Control Modules
Security modules: User-based Security Model (USM); other security models are allowed for but none are defined yet.
Access Control Modules: View-based Access Control Model (VACM); others are allowed.
SNMPv3 Terminology (Table 8.2)
snmpEngineId – unique ID of an engine (octet string)
contextEngineId – unique ID of an SNMP entity
contextName – identifies a particular context within an SNMP engine
scopedPDU – block including: contextEngineId, contextName and an SNMP PDU
snmpMessageProcessingModel – unique identifier
snmpSecurityModel – integer indicating whether authentication and/or encryption are required
principal – the entity for “Whom the Bell Tolls”
securityName – string representation of the principal
SNMPv3 Applications
Command generator applications: make use of the sendPdu primitive; the PDU passes through the Dispatcher, Message Processing, the Security subsystem and finally UDP; later the processResponse dispatcher primitive handles the response.
Notification originator/receiver applications: operate similarly, sending a notification.
Command Responder applications use the primitives: registerContextEngineID – here is my ID (unregister also); processPDU; returnResponsePDU; isAccessAllowed (Access Control Subsystem primitive).
Proxy forwarder application
Message Processing Model
RFC 2572 defines the message processing model.
The model on outgoing messages:
1. Accepts PDUs from the dispatcher
2. Encapsulates them in messages
3. Invokes the User Security Model (USM) to insert security-related parameters in the headers
On incoming messages:
1. Invokes the User Security Model (USM) to process the security-related parameters in the header
2. Delivers the encapsulated PDU back to the dispatcher
SNMP message: first five fields (figure)
SNMPv3 Message Format with USM (figure)
User Security Model (USM)
RFC 2574
Designed to secure against: modification of information; masquerade; message stream modification (messages reordered, delayed); disclosure.
Not intended to secure against: denial of service (DoS attack); traffic analysis.
Cryptographic Functions
Privacy Key and Authentication Keys
Keys are maintained for:
1. Local users: any principal at this SNMP engine
2. Remote users
USM authentication protocols:
1. HMAC-MD5-96
2. HMAC-SHA-96
USM encryption uses DES in CBC mode.
Authoritative and Nonauthoritative Engines
In any message, one of the transmitter/receiver SNMP entities is designated as the authoritative SNMP engine.
When a message expects a response, the receiver of such messages is authoritative.
When no response is expected, the sender is authoritative.
This serves two purposes:
1. Timeliness of a message is determined with respect to the clock of the authoritative engine
2. Key localization process
USM Message Processing
Parameters: Figure 8.9 on an earlier slide
USM Message Processing: Figure 8.10
USM Timeliness Mechanisms
A non-authoritative engine maintains copies of:
snmpEngineBoots = number of times rebooted since originally configured (0 to 2^31)
snmpEngineTime
latestReceivedEngineTime
USM update conditions
USM update rule
Message judged to be outside the window …
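An added example, not from the lecture, of the USM update rule and the time-window test on both the non-authoritative side (a manager holding snmpEngineBoots, snmpEngineTime and latestReceivedEngineTime for a remote agent) and the authoritative side. The 150-second window and the 2^31-1 boot limit are the values RFC 3414 specifies; the local snmpEngineTime is passed in as an integer, where a real engine would advance it with its clock.

```python
from dataclasses import dataclass

# Added example (not the lecture's code): RFC 3414 section 3.2 step 7 timeliness rules.
TIME_WINDOW = 150            # seconds, the RFC's value
MAX_BOOTS = 2**31 - 1        # once snmpEngineBoots reaches this the engine must be reconfigured


@dataclass
class RemoteEngineNotion:
    """What a non-authoritative engine remembers about one authoritative engine."""
    boots: int
    time: int
    latest_received_time: int


def nonauthoritative_update(notion: RemoteEngineNotion, msg_boots: int, msg_time: int) -> bool:
    """USM update rule (applied only to a message that already authenticated):
    adopt the message's boots/time if they are newer than what we hold."""
    if msg_boots > notion.boots or (msg_boots == notion.boots and msg_time > notion.latest_received_time):
        notion.boots, notion.time, notion.latest_received_time = msg_boots, msg_time, msg_time
        return True
    return False


def nonauthoritative_in_window(notion: RemoteEngineNotion, msg_boots: int, msg_time: int) -> bool:
    """Receiver is NOT authoritative (e.g. a manager receiving a Response).
    Outside the window: boots exhausted, message from an older boot, or same boot
    but more than 150 s behind the time we hold for that engine (delayed/replayed)."""
    if notion.boots == MAX_BOOTS or msg_boots < notion.boots:
        return False
    return not (msg_boots == notion.boots and msg_time < notion.time - TIME_WINDOW)


def authoritative_in_window(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Receiver IS authoritative (e.g. an agent receiving a Get/Set): boots must
    match exactly and the time must be within +/-150 s of its own clock."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


def accept_at_nonauthoritative(notion: RemoteEngineNotion, msg_boots: int, msg_time: int) -> bool:
    """Order matters: update first, then judge the window, so a newer message is always timely."""
    nonauthoritative_update(notion, msg_boots, msg_time)
    return nonauthoritative_in_window(notion, msg_boots, msg_time)
```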
Key Localization Process (figure)
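An added example, not from the lecture, covering the USM authentication protocols listed under Cryptographic Functions and the key localization process: RFC 3414's password-to-key step, localization of the user key with the authoritative engine's snmpEngineID, and the 96-bit truncated HMAC that fills msgAuthenticationParameters. The password "maplesyrup" and the engine ID are RFC 3414's own test vector; the message bytes are constructed here and are not a real SNMP encoding.

```python
import hashlib
import hmac

# Added example (not the lecture's code): RFC 3414 key derivation, localization and HMAC-96.


def password_to_key(password: str, hashname: str) -> bytes:
    """Ku: digest of the password repeated to fill 1,048,576 octets (RFC 3414 A.2)."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hashname: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key usable only with that authoritative engine."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, hashname: str) -> bytes:
    """HMAC over the whole message with the 12-octet parameter field zeroed,
    truncated to 96 bits: the '-96' in HMAC-MD5-96 and HMAC-SHA-96."""
    return hmac.new(kul, whole_msg, hashname).digest()[:12]


def sign_message(kul: bytes, prefix: bytes, suffix: bytes, hashname: str) -> bytes:
    """Sender: HMAC over prefix || 00*12 || suffix, then splice the 12 octets in."""
    params = auth_params(kul, prefix + b"\x00" * 12 + suffix, hashname)
    return prefix + params + suffix


def verify_message(kul: bytes, msg: bytes, offset: int, hashname: str) -> bool:
    """Receiver: save the received HMAC, zero the field, recompute, compare in
    constant time. Any changed octet anywhere in the message fails the check."""
    received = msg[offset:offset + 12]
    zeroed = msg[:offset] + b"\x00" * 12 + msg[offset + 12:]
    return hmac.compare_digest(auth_params(kul, zeroed, hashname), received)


# RFC 3414 appendix A.3 vector: password "maplesyrup", snmpEngineID = 11 zero octets then 0x02
ENGINE_ID = bytes(11) + b"\x02"
KUL_MD5 = localize_key(password_to_key("maplesyrup", "md5"), ENGINE_ID, "md5")
KUL_SHA = localize_key(password_to_key("maplesyrup", "sha1"), ENGINE_ID, "sha1")

if __name__ == "__main__":
    header, scoped_pdu = b"\x30\x3a\x02\x01\x03", b"\x30\x05\x04\x00\x04\x00"  # constructed bytes
    msg = sign_message(KUL_SHA, header, scoped_pdu, "sha1")
    print("Kul(MD5) =", KUL_MD5.hex(), "Kul(SHA) =", KUL_SHA.hex())
    print("verifies:", verify_message(KUL_SHA, msg, len(header), "sha1"))
```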
View-Based Access Control Model (VACM)
VACM has two characteristics:
1. Determines whether access to a managed object should be allowed.
2. Makes use of a MIB that defines the access control policy for this agent and makes it possible for remote configuration to be used.
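An added example, not from the lecture, of a simplified VACM isAccessAllowed decision: the group, access and view tables of RFC 3415 are plain dicts, and context name and security level are matched exactly (the RFC also allows prefix and "at least this level" matching). The subtree/mask and longest-match rules of vacmViewTreeFamilyTable are implemented as specified; the status strings returned are the RFC's names.

```python
from dataclasses import dataclass, field

# Added example (not the lecture's code): simplified RFC 3415 isAccessAllowed.


@dataclass(frozen=True)
class ViewTreeFamily:
    subtree: tuple           # OID prefix, e.g. (1, 3, 6, 1, 2, 1)
    mask: bytes = b""        # 1 bit per sub-id: 1 = must match, 0 = wildcard; missing bits count as 1
    included: bool = True    # vacmViewTreeFamilyType included(1) / excluded(2)


def _must_match(mask: bytes, i: int) -> bool:
    return i // 8 >= len(mask) or bool(mask[i // 8] & (0x80 >> (i % 8)))


def family_matches(fam: ViewTreeFamily, oid: tuple) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    return all(not _must_match(fam.mask, i) or oid[i] == fam.subtree[i]
               for i in range(len(fam.subtree)))


def oid_in_view(families, oid: tuple) -> bool:
    """Among matching families the longest subtree wins (ties: lexicographically
    greatest mask); that family's included/excluded type decides."""
    hits = [f for f in families if family_matches(f, oid)]
    if not hits:
        return False
    return max(hits, key=lambda f: (len(f.subtree), f.mask)).included


@dataclass
class Vacm:
    groups: dict = field(default_factory=dict)  # (securityModel, securityName) -> groupName
    access: dict = field(default_factory=dict)  # (groupName, contextName, securityModel, securityLevel) -> {viewType: viewName}
    views: dict = field(default_factory=dict)   # viewName -> [ViewTreeFamily, ...]

    def is_access_allowed(self, security_model, security_name, security_level,
                          context_name, view_type, oid: tuple) -> str:
        """view_type is 'read', 'write' or 'notify'; returns an RFC 3415 status name."""
        group = self.groups.get((security_model, security_name))
        if group is None:
            return "noGroupName"
        entry = self.access.get((group, context_name, security_model, security_level))
        if entry is None:
            return "noAccessEntry"
        view = entry.get(view_type)
        if not view:
            return "noSuchView"
        return "accessAllowed" if oid_in_view(self.views.get(view, []), oid) else "notInView"
```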
Access control decision (figure)
Recommended Reading and Web Sites
Subramanian, Mani. Network Management. Addison-Wesley, 2000.
Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999.
IETF SNMPv3 working group (Web site):
http://www.ietf.org/html.charters/snmpv3-charter.html
SNMPv3 Web sites:
http://www.simpleweb.org/tutorials/slides-ppt.html
http://www.sans.org/rr/netdevices/SNMP_sec.php
Intruders
Three classes of intruders (hackers or crackers): masquerader; misfeasor; clandestine user.
Intrusion Techniques
Systems maintain a file that associates a password with each authorized user.
The password file can be protected with: one-way encryption; access control.
Intrusion Techniques
Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000).
• Collect information about the user’s hobbies, family names, birthday, etc.
• Try the user’s phone number, social security number, street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse.
• Tap the line between a remote user and the host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
UNIX Password Scheme
Loading a new password
UNIX Password Scheme
Verifying a password file
Storing UNIX Passwords
UNIX passwords were kept in a publicly readable file, /etc/passwd.
Now they are kept in a “shadow” directory and are only visible to “root”.
“Salt”
The salt serves three purposes:
1. Prevents duplicate passwords.
2. Effectively increases the length of the password.
3. Prevents the use of hardware implementations of DES.
Password Selecting Strategies
User education
Computer-generated passwords
Reactive password checking
Proactive password checking