SNMP Management - PowerPoint PPT Presentation

1 / 72
About This Presentation
Title:

SNMP Management

Description:

Arranged in a hierarchical fashion. Starts from unnamed root. Connected to labeled nodes ... The community name. The SNMP Protocol Data Unit (PDU) ... – PowerPoint PPT presentation

Number of Views:151
Avg rating:3.0/5.0
Slides: 73
Provided by: waltt
Category:
Tags: snmp | management

less

Transcript and Presenter's Notes

Title: SNMP Management


1
  • SNMP Management

2
Overview
  • Growth of network size led to need for management
    techniques
  • Five main areas
  • Configuration management
  • Deals with installing, initializing, and
    boot-loading network hardware and software
  • Also deals with modifying and tracking
    configuration parameters
  • Fault location and repair management
  • Concerned with tools enabling fault location in
    equipment, software, and/or provider lines
  • Tools have strong error and alarm characteristics

3
Overview
  • Security management
  • Tools are concerned with access control
  • Tools enable network managers to restrict or
    grant access to various network resources
  • Performance management
  • Tools provide operational statistics about the
    network
  • These may include bandwidth utilization or the
    number of packets received, transmitted, or
    dropped, etc.
  • Accounting management
  • Concerned with the applications enabling managers
    to define costs related to network resources

4
Network Management Tool Development
  • Network management tools are essential
  • Internet Engineering Task Force (IETF) formed a
    group to develop tools, protocols, and database
    standards for TCP/IP networks
  • Result Simple Network Management Protocol (SNMP)
  • SNMP is the most commonly used protocol for
    collecting management data from IP networks
  • SNMP is not always the best solution

5
SNMP Client-Server Relationship
  • Manager
  • Client program that makes virtual connections to
    an agent
  • Agent
  • Server program residing on a remote network
    device
  • MIB
  • Management Information Base is a data base
    defining a standard set of statistical and
    control values
  • MIB can be customized by vendors

6
SNMP Client-Server Relationship
  • Managers and agents communicate with a simple
    request/response technique
  • Management station issues queries or action
    requests to the agent
  • Queries identify SNMP variables of interest (MIB
    object identifiers or MIB variables)
  • The agent is instructed to either get the
    requested variable or set the requested variable
  • Agent responds to the managers commands
  • Agent can be programmed to send unsolicited
    messages to the manager in the form of a trap
  • Traps are essentially alerts

7
SNMP Operation
8
SNMP Versions
  • Two available commercial versions
  • SNMPv1
  • Most popular version
  • Defined in Request for Comment (RFC) 1157
  • SNMPv2 (or SNMPv2c)
  • Improved security over SNMPv1
  • Updated the protocol operations and data types

9
SNMP Architecture
  • Network elements
  • Network devices to be managed such as routers,
    hubs, switches, computers, and printers
  • Agents
  • Software program residing on a network element
  • Collects and stores information about the managed
    device
  • Managed Object
  • Sets of values describing manageable
    characteristics of a device
  • Example
  • The number of IP interfaces in a router is a
    managed object, but a specific interface is an
    instance of a managed object

10
SNMP Architecture
  • MIB
  • Collection of all managed objects for a given
    device
  • Syntax Notation
  • The way MIB objects are described
  • Based on OSIs Abstract Syntax Notation One
    (ASN.1)
  • Machine independent
  • Structure of Management Information (SMI)
  • Rules for defining managed objects using ASN.1
  • Manager
  • Issues commands and queries to managed device
  • Workstations that run management application
  • Example Nortels Site Manager, Nortels
    Optivity, HPs Openview

11
Message Types
  • Only communication is between managers and agents
  • Get request
  • Agent will return value of the named object
  • Get next request
  • Agent will return the next object in the MIB
    hierarchy
  • Set request
  • Instructs the agent to set the value of a named
    object to a particular value
  • Used to control managed devices
  • Trap message
  • Agent notifies a manager of a problem as soon as
    it happens

12
SNMP and the TCP/IP Protocol
  • SNMP is an application layer protocol
  • Interfaces to User Datagram Protocol (UDP), not
    TCP
  • Uses ports 161 and 162

13
MIB
  • Resides on managed devices
  • Standard MIB includes objects to measure
  • IP activity
  • TCP and UDP activity
  • IP routes
  • TCP connections
  • Interfaces
  • General system description

14
MIB
  • Arranged in a hierarchical fashion
  • Starts from unnamed root
  • Connected to labeled nodes
  • Children of the root
  • Form branches of the tree
  • The path from the root down to an object defines
    the object
  • Path is called the Object Identifier ID
  • Example Nortel MIB objects are under
  • iso.org.dod.internet.private.enterprise.wellfleet
  • 1.3.6.1.4.1.18

15
MIB Object Hierarchy
16
MIB
  • Nodes under Internet are administered by the
    Internet Activities Board (IAB)
  • Nodes under Enterprise are for vendors with
    device-specific information
  • Vendors must apply to the IABs Internet Assigned
    Numbers Authority (IANA) for node numbers

17
Structure of Management Information (SMI)
  • Defines rules and formats for adding or accessing
    objects in the Internet MIB
  • Nodes (objects) are described by ASN.1
  • Three categories of SMI data types
  • Simple
  • Application-wide
  • Easily constructed

18
SMI Data Types
19
SMI Data Types
20
SMI Data Types
21
ASN.1
  • Grammatical rules governing definitions of
    protocols and programming languages
  • Used to define precise function of MIB values
  • Defines objects type, access, and description

22
Branch Object Identifiers
  • Act as placeholders for other objects
  • Much like directories containing files on a PC
  • Contain other objects instead of files

23
Two Types of Managed Objects in MIB
  • Scalar
  • One value per object
  • Columnar
  • Two-dimensional table made of multiple scalar
    objects indexed by row and column numbers

24
Scalar Object Definitions
  • Syntax for declaring an SNMP object
  • Template

25
Scalar Object Definitions
26
Scalar Object Definitions
  • Example

27
Table Types
  • Identical to branch types except objects in table
    are columns rather than scalar objects
  • Each SNMP table has the Table keyword
  • Single branch object exists beneath each table
    with an Entry keyword
  • This object contains table data
  • Series of SNMP objects exists within the Entry
    branch that contains indexes to table rows in dot
    notation

28
Table Types
  • Template

29
Table Types
  • Example

30
SNMP Operations - Communities
  • Managers and agents send messages to each other
    containing commands and information
  • Agents have full access to a devices
    configuration
  • Security is set up so that only selected managers
    can request this information
  • Security is implemented through SNMP communities
  • Logical groups containing the agent and one or
    more managers
  • Agent checks to see if manager is in the community

31
SNMP Operations - Communities
  • Community defined on the agent
  • Limits access to either read-only or read-write
  • Can define several communities with different
    rights, so different managers get different types
    of access

32
Accessing the Agent
  • Manager sends a message (datagram) to the agent
  • Each SNMP datagram has fields containing
  • SNMP version
  • The community name
  • The SNMP Protocol Data Unit (PDU)
  • PDU is the payload, or data field containing the
    SNMP operation to perform
  • Agent verifies that the manager is from the
    community it belongs to and determines what
    access rights, if any, it has
  • If the manager is granted access, the action
    specified in the datagram is performed

33
SNMP Datagram
34
SNMPv1 Datagram Format
35
SNMP PDU
  • Five types
  • Get Request
  • Get Next Request
  • Get Response
  • Set Request
  • Trap

36
Get and Set PDU Format
37
Get and Set PDU Fields
38
Trap PDU Format
39
Trap PDU Fields
40
SNMPv1 Security Issues
  • Problem
  • Manager access is limited only by IP address
  • Intruder can send a SNMP datagram to agent with
    fake source IP address belonging to agents
    community
  • Masquerading
  • Nortel solution Secure Mode
  • Default mode is Trivial mode
  • Use an encrypted exchange during Set Requests
  • Manager and agent exchange a key to be used to
    decode encrypted messages
  • Intruder will not have the key
  • Cannot use secure mode for public communities and
    addresses of 0.0.0.0

41
Standard MIB Structure
  • Defined by IETF
  • Recall that MIB object identifier number is
    derived from the tree structure of the MIB
  • Main management functions under
  • iso.org.dod.internet.management (1.3.6.1.2)
  • Vendor specific management functions under
  • iso.org.dod.internet.private.enterprises
    (1.3.6.1.4.1)
  • Nortel granted vendor number 18

42
MIB-I and MIB-II
  • SNMP originally designed as a short-term fix
  • OSI network management framework intended to be
    the long-term solution
  • SNMP became very popular
  • Problem
  • SNMP and OSI framework had limited compatibility
  • Resulted in separate, parallel development
  • SNMP was improved with development of version 2
    of MIB (MIB-II)

43
MIB-II Improvements
  • Changes
  • Incremental additions reflect new operational
    requirements
  • Improved support exists for multiprotocol
    entities
  • Textual cleanup improved clarity
  • Changes designed to keep upward compatibility
    with SNMP
  • Keep same object identifier as in MIB-I
  • MIB-II in RFC 1213

44
Nortel MIB Structure
  • Extension of standard MIB-II
  • Nortels router software MIB
  • Software called BayRS
  • Under enterprises.wellfleet.wfSwSeries7 (1.18.3)
  • Main object groups under wfSwSeries7 are
  • wfHardwareConfig
  • wfSoftwareConfig
  • wfSystem
  • wfLine
  • wfApplication
  • These objects have statistics and configuration
    information for the router

45
Nortel MIB Structure
46
wfSwSeries7 Object Groups
47
MIB Structure
48
Nortel Agent Traps
  • Trap messages are sent immediately by the agent
    to the manager when a given condition is met
  • Short description of condition is sent in
    message, detailed description stored in event log
  • Trap message types
  • Generic
  • Enterprise-specific

49
Generic Traps
  • Defined by RFC 1157
  • coldStart
  • warmStart
  • linkUp
  • linkDown
  • authenticationFailure
  • egpNeighborloss

50
Nortel Enterprise Traps
  • Any event that would be recorded in the router
    event log

51
Configuring Nortel Trap Messages
  • Three criteria
  • Category
  • Either generic or specific
  • Protocol Entity
  • Protocol entities to be sent
  • Event Severity
  • Specifies severity of the event, fault, warning,
    etc.

52
Configuring Nortel Trap Messages
  • Nortels Site Manager is used to
  • Specify the manager to receive trap messages from
    the agent
  • Selection of the type of event for the trap
  • Nortel routers have hundreds of different events
  • Events are grouped by entities
  • Entities are protocols like ATM, BGP, IP, etc.
  • Each entity has its various events categorized by
    severity level
  • Fault
  • Warning
  • Debug
  • Trace
  • Info

53
Configuring Nortel Trap Messages
  • Example
  • You can tell the agent to send traps for IP
    protocol events with the severity level Info
  • The router will send a trap to the manager for
    Info level events such as whether an interface IP
    filter dropped a packet because it met the filter
    criteria

54
SNMPv2
  • SNMPv2 addresses two deficiencies in v1
  • Lack of support for distributed network
    management
  • Functional deficiencies
  • A third deficiency, security is addressed to some
    degree
  • More enhancements in SNMPv3

55
SNMPv2 Distributed Network Mgt
  • Centralized management schemes have one main
    management station and possibly some backups, all
    at one location
  • Not good for large networks
  • Many agents sending information a long way
  • Too much information entering the management
    workstation

56
SNMPv2 Distributed Network Mgt
  • A decentralized management scheme has a hierarchy
    of management stations
  • The top level management stations is responsible
    for managing all of the agents
  • Intermediate management stations are deployed to
    directly manage some of the networks agents
  • Intermediate managers relay information to the
    top level manager

57
Distributed Network Management
  • W. Stallings, Network Security Essentials
    Applications and Standards, Englewood Cliffs, NJ,
    Prentice-Hall, 2000

58
SNMPv2 Functional Enhancements
  • Two new commands added
  • Inform
  • Sent from one management station to another to
    inform it about events at the sender
  • Used to implement hierarchical management
    structures
  • GetBulk
  • Allows manager to retrieve a large block of data
    an once rather than issue multiple Get commands
  • Good for sending an entire table at one time
  • The Get command is modified
  • In SNMPv1, if a Get requests a list of objects
    and one is invalid, the entire command is
    rejected by the agent
  • In SNMPv2, the agent will not reject the command,
    but will send back the valid objects

59
Comparison of SNMPv1 and v2 PDUs
60
SNMPv2 Security Enhancements
  • V1 security threats addressed by v2
  • V1 had no way of restricting 3rd party from
    observing traffic content between manager and
    agent
  • 3rd party (hacker) could learn passwords when
    manager SETs a new password
  • 3rd party could masquerade as the manager and
    perform get/set functions on agent
  • 3rd party could intercept and modify the content
    of messages between manager and agent
  • 3rd party could intercept and modify message
    sequence and timing
  • 3rd party could copy a message to reboot a router
    and replay it at a later time

61
SNMPv2 Security Enhancements
  • V1 security threats not addressed by v2
  • Denial of service
  • Hacker can prevent exchanges between manager and
    agent
  • Traffic analysis
  • Hacker observes traffic pattern between manager
    and agent

62
SNMPv2 Security Services
  • SNMPv2 adds some security enhancements over
    SNMPv1
  • Privacy
  • Protection of data from eavesdropping
  • Authentication
  • Communicating parties can verify that messages
    are from whom they say they are
  • Access Control
  • Only authorized parties have access to MIBs
  • How does v2 do it?
  • V2 added ability to include an authentication
    code so agent and manager know their correct
    identities
  • Messages can be encrypted
  • SNMPv3 adds more enhancements

63
SNMPv2 Security Features
  • W. Stallings, Network and Internetwork Security
    Principles and Practice, Englewood Cliffs, NJ,
    Prentice-Hall, 1995

64
SNMPv2 Capability Highlight
  • W. Stallings, Network and Internetwork Security
    Principles and Practice, Englewood Cliffs, NJ,
    Prentice-Hall, 1995

65
SNMPv3
  • In 1998, RFCs 2570 through 2575 proposed
    additional security features in SNMP with
    backward compatibility to SNMPv1 and SNMPv2
  • SNMPv3 is not a replacement for v1 and v2
  • It must be use with them
  • Defines security capability to be used with v1
    and v2
  • SNMPv3 can be thought of as SNMPv2 with
    additional security and administration
    capabilities

66
V3 Protocol Overview
  • Security related information is included inside
    the SNMP message
  • The v3 User Security Model (USM) uses fields in
    the message header
  • Payload of the SNMP message is the SNMPv1 or v2
    protocol data unit (PDU)
  • SNMPv1 and v2 PDU formats are the same as in the
    original protocols

67
SNMP Protocol Architecture
  • W. Stallings, Network Security Essentials
    Applications and Standards, Englewood Cliffs, NJ,
    Prentice-Hall, 2000

68
SNMP Architecture
  • Architecture is a distributed, interacting
    collection of SNMP entities
  • Entities can be agents, managers, or a
    combination of the two

69
V3 SNMP Entity
  • Traditional SNMP Manager
  • Interacts with SNMP agents using get, set
    commands and receiving traps
  • Interacts with other mangers using Inform Request
    PDUs and receiving Inform Responses
  • Manager consists of some SNMP applications an
    SNMP engine
  • Engine contains a security subsystem that
    supports the User Security Model

70
Traditional SNMP Manager
  • W. Stallings, Network Security Essentials
    Applications and Standards, Englewood Cliffs, NJ,
    Prentice-Hall, 2000

71
V3 SNMP Entity
  • Traditional SNMP Agent
  • Respond to incoming requests by retrieving or
    setting MIB objects and issuing a Response PDU
  • Generates v1 or v2 traps
  • Forwards messages between entities

72
Traditional SNMP Agent
  • W. Stallings, Network Security Essentials
    Applications and Standards, Englewood Cliffs, NJ,
    Prentice-Hall, 2000
Write a Comment
User Comments (0)
About PowerShow.com