1 / 49

Network Management Security

Network Management Security. CS 678 Network Security, Dept. of Computer Science, Long Island University,Brooklyn, NY. Outline. Basic Concepts of SNMP SNMPv1 Community Facility SNMPv3 Recommended Reading and WEB Sites. Basic Concepts of SNMP.

phuoc
Télécharger la présentation

Network Management Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Management Security CS 678 Network Security, Dept. of Computer Science, Long Island University,Brooklyn, NY CS 678 P. T. Chung

  2. Outline • Basic Concepts of SNMP • SNMPv1 Community Facility • SNMPv3 • Recommended Reading and WEB Sites CS 678 P. T. Chung

  3. Basic Concepts of SNMP • An integrated collection of tools for network monitoring and control. • Single operator interface • Minimal amount of separate equipment. Software and network communications capability built into the existing equipment • SNMP key elements: • Management station • Managament agent • Management information base • Network Management protocol • Get, Set and Notify CS 678 P. T. Chung

  4. PRINCIPLE OPERATION CS 678 P. T. Chung

  5. SNMP STRUCTURE CS 678 P. T. Chung

  6. Protocol context of SNMP CS 678 P. T. Chung

  7. Proxy Configuration CS 678 P. T. Chung

  8. CS 678 P. T. Chung

  9. SNMP v1 and v2 • Trap – an unsolicited message (reporting an alarm condition) • SNMPv1 is ”connectionless” since it utilizes UDP (rather than TCP) as the transport layer protocol. • SNMPv2 allows the use of TCP for ”reliable, connection-oriented” service. CS 678 P. T. Chung

  10. SNMP PROTOCOL CS 678 P. T. Chung

  11. OVERVIEW OF PDUs CS 678 P. T. Chung

  12. TO REQUEST THE VALUE OF 1 OR MORE VARIABLES POSSIBLE ERRORS: • • noSuchName Object does not exist / Object is not a leaf • • tooBig Result does not fit in response PDU • • genErr All other causes CS 678 P. T. Chung

  13. EXAMPLE MIB CS 678 P. T. Chung

  14. GET EXAMPLES get(1.1.0) • response(1.1.0 => 130.89.16.2) • get(1.2.0) • response(error-status = noSuchName) • get(1.1) • response(error-status = noSuchName) • get(1.1.0; 1.2.2.0) • response(1.1.0 => 130.89.16.2; 1.2.2.0 => 123456) • get(1.3.1.3.5.1) • response(1.3.1.3.5.1 => 2) • get(1.3.1.1.5.1) • response(1.3.1.1.5.1 => 5) • get(1.3.1.1.5.1, 1.3.1.2.5.1, 1.3.1.3.5.1) • response(1.3.1.1.5.1 => 5, 1.3.1.2.5.1 => 1, 1.3.1.3.5.1 => 2) CS 678 P. T. Chung

  15. MESSAGE & PDU STRUCTURE CS 678 P. T. Chung

  16. Comparison of SNMPv1 and SNMPv2 CS 678 P. T. Chung

  17. SNMPv1 Community Facility • SNMP Community – Relationship between an SNMP agent and SNMP managers. • Three aspect of agent control: • Authentication service • Access policy • Proxy service CS 678 P. T. Chung

  18. SNMPv1 Administrative Concepts CS 678 P. T. Chung

  19. SNMPv2 PROTOCOL OPERATIONS CS 678 P. T. Chung

  20. GET-BULK • NEW COMMAND getBulk IN SNMPv2 • TO RETRIEVE A LARGE NUMBER OF VARBINDS • IMPROVES PERFORMANCE! CS 678 P. T. Chung

  21. GETBULK PERFORMANCE CS 678 P. T. Chung

  22. GET-BULK EXAMPLE • getBulk(max-repetitions = 4; 1.1) response(1.1.0 => 130.89.16.2 1.2.1.0 => printer-1 1.2.2.0 => 123456 1.3.1.1.2.1 => 2 ) CS 678 P. T. Chung

  23. GET-BULK EXAMPLE • getBulk(max-repetitions = 3; 1.3.1.1; 1.3.1.2; 1.3.1.3) response(1.3.1.1.2.1 => 2; 1.3.1.2.2.1 => 1; 1.3.1.3.2.1 => 2 1.3.1.1.3.1 => 3; 1.3.1.2.3.1 => 1; 1.3.1.3.3.1 => 3 1.3.1.1.5.1 => 5; 1.3.1.2.5.1 => 1; 1.3.1.3.5.1 => 2 ) CS 678 P. T. Chung

  24. SNMPv3 • SNMPv3 defines a security capability to be used in conjunction with SNMPv1 or v2 CS 678 P. T. Chung

  25. SNMP v3 DESIGN DECISIONS • ADDRESS THE NEED FOR SECURY SET SUPPORT • DEFINE AN ARCHITECTURE THAT ALLOWS FOR LONGEVITY OF SNMP • ALLOW THAT DIFFERENT PORTIONS OF THE ARCHITECTURE • MOVE AT DIFFERENT SPEEDS TOWARDS STANDARD STATUS CS 678 P. T. Chung

  26. SNMP v3 DESIGN DECISIONS • ALLOW FOR FUTURE EXTENSIONS • KEEP SNMP AS SIMPLE AS POSSIBLE • ALLOW FOR MINIMAL IMPLEMENTATIONS • SUPPORT ALSO THE MORE COMPLEX FEATURES, • WHICH ARE REQUIRED IN LARGE NETWORKS • RE-USE EXISTING SPECIFICATIONS, WHENEVER POSSIBLE CS 678 P. T. Chung

  27. SNMPv3 Flow CS 678 P. T. Chung

  28. SNMPv3 ARCHITECTURE CS 678 P. T. Chung

  29. Traditional SNMP Manager CS 678 P. T. Chung

  30. Traditional SNMP Agent CS 678 P. T. Chung

  31. SNMPv3 MESSAGE STRUCTURE CS 678 P. T. Chung

  32. SNMP3 Message Format with USM CS 678 P. T. Chung

  33. User Security Model (USM) • Designed to secure against: • Modification of information • Masquerade • Message stream modification • Disclosure • Not intended to secure against: • Denial of Service (DoS attack) • Traffic analysis CS 678 P. T. Chung

  34. Key Localization Process CS 678 P. T. Chung

  35. View-Based Access Control Model (VACM) • VACM has two characteristics: • Determines wheter access to a managed object should be allowed. • Make use of an MIB that: • Defines the access control policy for this agent. • Makes it possible for remote configuration to be used. CS 678 P. T. Chung

  36. Access control decision CS 678 P. T. Chung

  37. SECURE COMMUNICATION VERSUS ACCESS CONTROL CS 678 P. T. Chung

  38. USM: SECURITY THREATS CS 678 P. T. Chung

  39. USM MESSAGE STRUCTURE CS 678 P. T. Chung

  40. IDEA BEHIND REPLAY PROTECTION CS 678 P. T. Chung

  41. IDEA BEHIND DATA INTEGRITY AND AUTHENTICATION CS 678 P. T. Chung

  42. IDEA BEHIND AUTHENTICATION CS 678 P. T. Chung

  43. IDEA BEHIND THE DATA CONFIDENTIALITY (DES) CS 678 P. T. Chung

  44. IDEA BEHIND ENCRYPTION CS 678 P. T. Chung

  45. VIEW BASED ACCESS CONTROL MODEL • ACCESS CONTROL TABLE • MIB VIEWS CS 678 P. T. Chung

  46. ACCESS CONTROL TABLES CS 678 P. T. Chung

  47. MIB VIEWS CS 678 P. T. Chung

  48. SNMPv3 RFCs CS 678 P. T. Chung

  49. Recommended Reading and WEB Sites • Subramanian, Mani. Network Management. Addison-Wesley, 2000 • Stallings, W. SNMP, SNMPv1, SNMPv3 and RMON 1 and 2. Addison-Wesley, 1999 • IETF SNMPv3 working group (Web sites) • SNMPv3 Web sites CS 678 P. T. Chung

More Related