
SNMPv3

SNMPv3. Network Management Spring 2014 Bahador Bakhshi CE & IT Department, Amirkabir University of Technology. This presentation is based on the slides listed in references. Outline. Introduction SNMPv3 Architecture Abstract Service Interface Security Background


Presentation Transcript


  1. SNMPv3. Network Management, Spring 2014. Bahador Bakhshi, CE & IT Department, Amirkabir University of Technology. This presentation is based on the slides listed in references.

  2. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  3. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  4. The Basic Ingredients of Network Management Previous Lectures: Functions & Integration Previous Lectures: NM Protocols Current Lecture: SNMPv3 agent Agent modules Security & Access control

  5. Introduction • SNMPv1 has both security and performance problems • SNMPv2 aimed to resolve these issues • Most performance problems were solved, but SNMPv2c still uses community-based security • SNMPv3 provides the security solution • Moreover, it modularizes the documents and the architecture (SNMP engine)

  6. SNMPv3 Design Goals • Address the need for secure SET support • Define an architecture that allows longevity of SNMP • Modular design to allow for future extensions • Keep SNMP as simple as possible (!!) • Allow for minimal implementations • Also support the more complex features required in large networks • Reuse existing specifications whenever possible

  7. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  8. SNMPv3 Architecture • Similar to SNMPv1 and SNMPv2, the architecture is distributed • An interacting collection of SNMPv3 entities • An SNMP entity implements a portion of the SNMP capabilities • Manager capabilities vs. agent capabilities • It acts either as an agent or a manager or both • A collection of modules interacting with each other to provide services/capabilities

  9. SNMPv3 Architecture • Advantages: • The role of an SNMP entity is determined by the modules implemented in that entity • A certain set of modules is required for an agent, while a different set is required for a manager • Application-specific entities can be implemented • The security subsystem provides services such as authentication and privacy of messages • Multiple security models can coexist • New security algorithms can be integrated

  10. Components of SNMP Entity • Each SNMP entity has a set of applications and a single SNMP engine • The SNMP engine implements the required SNMP functions • E.g. sending and receiving messages, authenticating, encrypting and decrypting messages and controlling access to managed objects, … • These functions are provided as services to one or more applications configured with the SNMP engine in the SNMP entity

  11. SNMPv3 Entity [figure: an SNMP entity containing the SNMP applications (Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other) and the SNMP engine (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem)]

  12. SNMP Engine • An SNMP engine provides services for • sending and receiving messages • authenticating and encrypting messages • controlling access to managed objects • Components • a Dispatcher • a Message Processing Subsystem • a Security Subsystem • an Access Control Subsystem

  13. Dispatcher [figure: the SNMPv3 entity diagram with the Dispatcher highlighted, sitting between the Applications and the Network] • Interfaces with application modules, network, and message processing models • Handles multiple versions of messages • For backward compatibility

  14. Dispatcher (cont’d) • Three components for three functions • Transport mapper delivers messages over the transport protocol • Message dispatcher routes messages between network and appropriate module of message processing subsystem • PDU dispatcher handles messages between application and message processing subsystem • There is only one dispatcher in an SNMP engine

  15. Message Processing Subsystem [figure: the SNMPv3 entity diagram with the Message Processing Subsystem highlighted] • Contains one or more Message Processing Models • One Message Processing Model for each SNMP version • SNMP version identified in the header • Messages routed to the corresponding processor by the dispatcher • Prepares outgoing messages • Extracts data from incoming messages

  16. Security & Access Control Subsystem [figure: the SNMPv3 entity diagram with the Security and Access Control Subsystems highlighted] • Security at the message level • Authentication • Encryption: privacy of the message via secure communication • Access control • Who can access • What can be accessed • Flexible MIB views

  17. Incoming Message Flow in SNMP Engine • The Dispatcher receives a valid SNMPv3 message • The Dispatcher determines the version and forwards the message to the SNMPv3 Message Processing Model • The message processor extracts data from the message and calls the Security subsystem • The Security subsystem decrypts and authenticates the message • The Dispatcher forwards the PDU to the appropriate SNMP application

  18. Outgoing Message Flow in SNMP Engine ?

  19. SNMPv3 Entity [figure: the SNMPv3 entity diagram again: SNMP applications (Command Generator, Command Responder, Notification Originator, Notification Receiver, Proxy Forwarder, Other) over the SNMP engine (Dispatcher, Message Processing Subsystem, Security Subsystem, Access Control Subsystem)]

  20. SNMPv3 Applications • Command Generator • Initiates SNMP GET, GETNEXT, GETBULK, SET requests • Prepares the request message to be sent to the responder • Command Responder • Receives SNMP GET, GETNEXT, GETBULK, SET request messages • Prepares a RESPONSE message to be sent to the request’s originator

  21. SNMPv3 Applications (cont’d) • Notification Originator • Monitors the system for particular events or conditions and generates a trap and/or Inform Request message • Notification Receiver • Listens for Notification messages and generates response messages when a message containing an Inform PDU is received

  22. SNMPv3 Applications (cont’d) • Proxy Forwarder • Acts as a proxy, forwards and translates requests, responses and notifications to other SNMP entities • Other • Special applications • For example a vendor can implement vendor specific management features

  23. SNMP Manager & Agent • SNMP Manager • An SNMP entity containing one or more command generator and/or notification receiver applications (along with their associated SNMP engine) has traditionally been called an SNMP manager • SNMP Agent • An SNMP entity containing one or more command responder and/or notification originator applications (along with their associated SNMP engine) has traditionally been called an SNMP agent

  24. SNMPv3 Manager Architecture [figure: manager applications (Command Generator, Notification Receiver, Notification Originator) above a Dispatcher (PDU Dispatcher, Message Dispatcher, Transport Mappings), a Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, Other) and a Security Subsystem (Community-based Security Model, User-based Security Model, Other Security Model)]

  25. SNMPv3 Agent Architecture [figure: agent applications (Command Responder, Notification Originator, Proxy Forwarder) with the Management Information Base and an Access Control Subsystem (View-based Access Control), above a Dispatcher (PDU Dispatcher, Message Dispatcher, Transport Mappings), a Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, Other) and a Security Subsystem (Community-based Security Model, User-based Security Model, Other Security Model)]

  26. SNMP Engine ID

  27. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  28. Abstract Service Interface • Abstract service interface is a conceptual interface between modules • Independent of implementation • Defines a set of primitives used for interaction between two modules • Primitives contain IN and OUT parameters and status information / result • Primitives typically associated with receiving entities

  29. Examples: Dispatcher Primitives • Used by a command generator to send an SNMP request or notification PDU to another SNMP entity • The application also provides the transport domain/address, message processing model, security model, level of security, and the PDU itself • When the Dispatcher successfully prepares the message: • a sendPduHandle (unique identifier) is returned (to track the response, if one is expected)

  30. Primitives Examples • processPdu • Used by Dispatcher to pass an incoming request or notification PDU to an application (command responder or notification receiver) • returnResponsePdu • Used by command responder to return an SNMP response in response to an incoming request or notification

  31. Primitives Examples (cont’d) • prepareOutgoingMessage • Prepare a message for an outgoing SNMP request or notification PDU • The IN parameter is a PDU and OUT parameter is the message

  32. Primitives Examples (cont’d) • prepareResponseMessage • Request the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU

  33. Primitives Examples: Security Subsystem • generateRequestMessage • Generates a “message” containing an outgoing SNMP request or notification PDU • Returns to the MPS a message (with authentication and encryption possibly applied) and the associated security parameters • generateResponseMessage • Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification • Returns to the MPS a message (with some authentication and encryption applied) and the associated security parameters • processIncomingMessage • Provides the security functions for incoming messages • Returns success or failure indicating the result of the security check • If successful, a PDU is returned to the MPS

  34. Abstract Service Interface in Action Example

  35. Abstract Service Interface in Action Example

  36. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  37. Terminology • Security goals & objectives • What do we want? • Security threats • Why are the goals not achievable by default? • Security mechanisms • How to achieve the goals • Basic mechanisms • Typically cryptographic algorithms • Security protocols • How to build a security system using the basic mechanisms

  38. Common Security Goals • Authenticity • Is the message sent from a valid user? • Integrity • Has the message been modified? • Confidentiality • Has the message been intercepted? • Availability • Is the service available to the user? • Authorization • Does the user have the right to access the requested object? • ...

  39. Common Security Threats • Information Disclosure • Violates Confidentiality • Modification of messages • Violates Integrity • Masquerade & Replay & Man-in-the-Middle • Violate Authenticity • Denial of Service (DoS) • Violates Service Availability • Bypassing Access Controls • Violates Authorization • Traffic Analysis • Reveals traffic patterns

  40. Common Security Mechanisms • Encryption and Decryption • To protect confidentiality of information • Standards: DES, AES, etc… • Message Authentication Code (MAC and HMAC) • To protect message integrity and verify message authenticity • Standards: HMAC-96, SHA-1, MD5, etc… • Nonce, timestamp (timeliness) • Protect against replay attacks

  41. SNMP Security Goals & Threats

  42. SNMP Security Goal & Threats (cont’d) • Unauthorized modification of information • Some unauthorized entity may alter in-transit SNMP messages in such a way as to effect unauthorized management operations • Masquerade • Management operations not authorized for some principal may be attempted by assuming the identity of another principal that has the appropriate authorizations

  43. SNMP Security Goal & Threats (cont’d) • Message stream modification • Messages may be maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations • Disclosure • Eavesdropping on the exchanges between SNMP engines

  44. SNMP Security Goal & Threats (cont’d) • Denial-of-service attacks and traffic analysis threats are out of scope and not covered • DoS: denial-of-service attacks are network-wide attacks whose detection & prevention mechanisms are independent of the management protocol • Many traffic patterns are predictable - entities may be managed on a regular basis by a relatively small number of management stations - and therefore there is no significant advantage afforded by protecting against traffic analysis

  45. Security Threats & Mechanisms in SNMPv3

  46. Outline Introduction SNMPv3 Architecture Abstract Service Interface Security Background User-based Security Model (USM) View-based Access Control Model (VACM) Message Format

  47. User-Based Security Model • Based on the traditional username/password concept • USM primitives across the abstract service interface between the MPS & USM • Authentication service primitives • authenticateOutgoingMsg • authenticateIncomingMsg • Privacy services • encryptData • decryptData • Timeliness

  48. Security Services in SNMPv3

  49. Security Subsystem [figure: the Security Subsystem beside the Message Processing Model, with an Authentication Module (Data Integrity, Data Origin Authentication), a Privacy Module (Data Confidentiality) and a Timeliness Module (Message Timeliness & Limited Replay Protection)]

  50. Authentication Module • Data integrity • Message authentication at the sender and validation at the receiver • Ensures that a message is not modified by an unauthorized intruder • Authentication protocols: HMAC-MD5-96 / HMAC-SHA-96 • Data origin authentication • Checks the identity of the user on whose behalf a message is sent • Appends to the message a unique identifier associated with the authoritative SNMP engine
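As an added illustration of the authentication module above and of the HMAC and key-binding mechanisms from slide 40 (this is example code, not the lecture's own), the following Python implements the USM password-to-key and key-localization steps of RFC 3414 together with HMAC-96 tagging; the password and first engine ID are the RFC's published test values, the second engine ID and the message bytes are constructed here.

```python
import hashlib
import hmac

# USM key derivation (RFC 3414, Appendix A.2): expand the user's password to
# 1 MiB by repetition, hash it to obtain Ku, then localize Ku to the
# authoritative engine: Kul = H(Ku || snmpEngineID || Ku).  The same password
# therefore yields a different key on every engine.
def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    expanded = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

# HMAC-MD5-96 / HMAC-SHA-96: the full HMAC truncated to its first 12 bytes
# (96 bits), which is what USM carries in msgAuthenticationParameters.
def auth_tag(localized_key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    return hmac.new(localized_key, msg, hash_name).digest()[:12]

def verify_tag(localized_key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    # constant-time comparison so the verifier does not leak how many bytes matched
    return hmac.compare_digest(auth_tag(localized_key, msg, hash_name), tag)

def demo() -> dict:
    password = b"maplesyrup"                                 # RFC 3414 A.3 test password
    engine_a = bytes.fromhex("000000000000000000000002")     # RFC 3414 A.3 snmpEngineID
    engine_b = bytes.fromhex("000000000000000000000003")     # constructed second engine
    key_a = password_to_key(password, engine_a)
    key_b = password_to_key(password, engine_b)
    msg = b"constructed SNMPv3 message bytes"                # stands in for wholeMsg
    tag = auth_tag(key_a, msg)
    return {
        "intact": verify_tag(key_a, msg, tag),               # unmodified message passes
        "tampered": verify_tag(key_a, msg + b"x", tag),      # integrity violation fails
        "wrong_engine": verify_tag(key_b, msg, tag),         # key bound to another engine fails
    }

if __name__ == "__main__":
    print(demo())
```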
