EE579T Network Security
10: An Overview of SNMP
Prof. Richard A. Stanley
Spring 2005, © 2000-2005, Richard A. Stanley

Post on 22-Dec-2015


Page 1: Title slide (EE579T Network Security, 10: An Overview of SNMP, Prof. Richard A. Stanley, Spring 2005)

Page 2: Overview of Tonight’s Class

• Review last week’s lesson

• SNMP

Page 3: Summary

• Computer crime is a fast-growing area of illegal activity
  – “That’s where the money is”
• Computers and networks are regulated by a large and growing body of law
• Both civil and criminal issues involved
• Liability is a major consideration for any business or practitioner

Page 4: Top Ten Security Concerns

1. Security infrastructure
2. Security policies/user compliance
3. Intrusion-detection systems
4. Operating system security
5. Virus management
6. Employee education
7. Remote security
8. Authentication/Access control
9. E-commerce security
10. Encryption

Page 5: SNMP Outline

• Basic Concepts of SNMP

• SNMPv1 Community Facility

• SNMPv2

• SNMPv3

Page 6: Why SNMP?

• To provide a simple means of managing objects across a network
  – These objects need not be network elements
  – The objects need not support SNMP (although it makes things easier if they do!)
  – “Management” can be tailored to mean what we need it to mean
• First introduced in 1988

Page 7: Basic Concepts of SNMP

• An integrated collection of tools for network monitoring and control
  – Single operator interface
  – Minimal amount of separate equipment: software and network communications capability built into the existing equipment
• SNMP key elements:
  – Management station (physical device)
  – Management agent (software implementation)
  – Management information base (collection of objects)
  – Network management protocol
    • Get, Set and Trap

Page 8: SNMP MIB

• Management Information Base = MIB
  – Database held at the managed client
  – Scalar variables
  – 2D tables
• Uses a streamlined protocol to:
  – Allow the manager to Get and Set MIB variables
  – Enable the agent to issue unsolicited notifications
    • These are called traps

Page 9: SNMP Characteristics

• Runs over UDP/IP or TCP/IP, depending on version
• Uses
  – Port 161 (for messages)
  – Port 162 (for traps)

Page 10: SNMP Protocol (diagram slide; figure not included in the transcript)

Page 11: SNMP Commands

• Get
  – Query a MIB for information
• Set
  – Set values in a MIB
• Trap
  – Send condition information
  – Asynchronous

Page 12: SNMP Proxies

• SNMPv1 supports UDP over IP
  – Period!
• There are lots of clients out there that need to be managed and that don’t speak UDP
• Proxies bridge the gap
  – Provide translation of the client’s management language to SNMP
  – Interface to SNMP for the client

Page 13: Proxy Configuration (diagram slide; figure not included in the transcript)

Page 14: SNMPv2

• Allows use of TCP/IP, and others
• Provides additional management features
  – Distributed network management
    • Single-server hierarchical networks get overloaded
  – Functional enhancements
    • GetBulk: retrieve a block of data at once
    • Inform: intra-management-station communication of events and/or conditions
    • Removes atomicity from the Get command

Page 15: SNMP v1 and v2

• SNMPv2 intended to deal with deficiencies of SNMPv1
  – Introduced first in 1993
• SNMPv1 is “connectionless”
  – Just like HTTP
  – Why?
    • Utilizes UDP as the transport layer protocol
• SNMPv2 allows use of TCP for “reliable, connection-oriented” service

Page 16: SNMPv2 Distributed Management (diagram slide; figure not included in the transcript)

Page 17: SNMPv1 vs. SNMPv2

SNMPv1       SNMPv2          Direction                                          Description
GetRequest   GetRequest      Manager to agent                                   Request value for each listed object
GetNext      GetNext         Manager to agent                                   Request next value for each listed object
------       GetBulkRequest  Manager to agent                                   Request multiple values
SetRequest   SetRequest      Manager to agent                                   Set value for each listed object
------       InformRequest   Manager to manager                                 Transmit unsolicited information
GetResponse  Response        Agent to manager, or manager to manager (SNMPv2)   Respond to manager request
Trap         SNMPv2-Trap     Agent to manager                                   Transmit unsolicited information

Page 18: SNMPv1 Community Facility

• SNMP community
  – Relationship between an SNMP agent and SNMP managers
  – Think of a network domain as an analog
• Three aspects of agent control:
  – Authentication service
  – Access policy
  – Proxy service

Page 19: SNMPv1 Administrative Concepts (diagram slide; figure not included in the transcript)

Page 20: Access Policy

• SNMP MIB view
  – Subset of objects within the MIB
  – May be on different MIB sub-trees
• SNMP access mode
  – Element of the set of MIB objects
  – Defined for each community
• These two together are the SNMP community profile
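The community profile of this slide and the preceding one, worked as an agent-side check: each community name maps to a MIB view (a set of OID subtrees) plus an access mode, and the agent accepts or refuses each Get/GetNext/Set against that pair. This is an added example, not code from the lecture; the community names and subtrees are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CommunityProfile:
    view: tuple[str, ...]   # MIB view: the OID subtrees this community may touch
    mode: str               # access mode: "read-only" or "read-write"

# Constructed profiles with hypothetical community names (not the factory defaults)
PROFILES = {
    "monitor-ro": CommunityProfile(("1.3.6.1.2.1.1", "1.3.6.1.2.1.2"), "read-only"),
    "config-rw": CommunityProfile(("1.3.6.1.2.1",), "read-write"),
}

def in_view(oid: str, view: tuple[str, ...]) -> bool:
    """True if oid sits under one of the view's subtrees (whole sub-identifier match,
    so 1.3.6.1.2.1.10 is not under 1.3.6.1.2.1.1)."""
    arcs = oid.split(".")
    return any(arcs[:len(s.split("."))] == s.split(".") for s in view)

def authorize(community: str, operation: str, oid: str) -> str:
    """Agent-side decision for one variable binding: 'allow' or 'deny: <reason>'."""
    profile = PROFILES.get(community)
    if profile is None:
        # An SNMPv1 agent drops requests with an unknown community (and may
        # emit an authenticationFailure trap); nothing is answered to the sender.
        return "deny: unknown community"
    if operation not in ("Get", "GetNext", "Set"):
        return "deny: unsupported operation"
    if not in_view(oid, profile.view):
        return "deny: object outside MIB view"
    if operation == "Set" and profile.mode != "read-write":
        return "deny: community access mode is read-only"
    return "allow"
```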

Page 21: What About Proxied Clients?

• Supported within the community concept
• Proxy is an SNMP agent that acts on behalf of other (foreign) devices
  – For each device supported, the SNMP proxy maintains an access policy
  – Therefore, the proxy knows which MIB objects can be used to manage the proxied system, and their access mode

Page 22: Where is the Security?

• SNMPv1 has no inherent security
  – Messages can be spoofed, altered, or deleted
  – Does this have a potential for evil?
• SNMPv2 doesn’t have any, either
  – It actually makes things worse by introducing the distributed management concept
• What to do?
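To make the "no inherent security" point concrete, here is a minimal BER encoder and decoder for an SNMPv1 GetRequest, added for this page and not part of the lecture: the community string is a plain OCTET STRING in the datagram, so a monitoring sensor can read it exactly as easily as an attacker can, which is also why flagging factory-default community names on the wire is a cheap detection. The sample message is constructed; only short-form BER lengths are handled.

```python
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {b"public", b"private"}   # factory defaults worth alerting on

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short-form length (body shorter than 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths not handled in this example")
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest in base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_v1_get(community: bytes, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0), community OCTET STRING, GetRequest-PDU }."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))   # one OID, NULL value
    zero = tlv(0x02, b"\x00")                                              # error-status, error-index
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id & 0x7F])) + zero + zero + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the short-form TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def inspect_v1(datagram: bytes) -> dict:
    """Pull version, community and PDU type out of a captured SNMPv1 datagram."""
    tag, msg, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = read_tlv(msg)
    ctag, community, pos = read_tlv(msg, pos)
    ptag, _, _ = read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04 or version != b"\x00":
        raise ValueError("not an SNMPv1 message")
    return {"version": "SNMPv1", "community": community.decode("latin-1"),
            "pdu": PDU_TAGS.get(ptag, hex(ptag)),
            "default_community": community in DEFAULT_COMMUNITIES}

if __name__ == "__main__":
    print(inspect_v1(build_v1_get(b"public", "1.3.6.1.2.1.1.1.0")))  # sysDescr.0
```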

Page 23: Enter SNMPv3

• Framework for incorporating security into SNMPv1 or SNMPv2
  – Introduced 1998
• Not a standalone replacement for either v1 or v2!!
  – Adds security to v1 or v2
  – Requires underlying SNMP system
• Not yet completely standardized

Page 24: SNMPv3 Architecture (diagram slide; figure not included in the transcript)

Page 25: Traditional SNMP Manager (diagram slide; figure not included in the transcript)

Page 26: Traditional SNMP Agent (diagram slide; figure not included in the transcript)

Page 27: SNMPv3 Message Flow (diagram slide; figure not included in the transcript)

Page 28: SNMPv3 Message Format with USM (diagram slide; figure not included in the transcript)

Page 29: User Security Model (USM)

• Designed to secure against:
  – Modification of information (integrity)
  – Masquerade (authentication)
  – Message stream modification (stream integrity)
  – Disclosure (confidentiality)
• Not intended to secure against:
  – Denial of service (DoS attack)
  – Traffic analysis

Page 30: In Theory (according to the standards folks)…

• DoS attacks may look like network failure (imagine that!)
• DoS should be dealt with by an overall network security capability, not one embedded in a protocol
• Traffic analysis is no problem, as management traffic is highly predictable anyway
• What do you think?

Page 31: USM Encryption

• Authentication (using authKey)
  – HMAC-MD5-96
  – HMAC-SHA1-96
• Encryption (using privKey)
  – DES CBC
  – Uses first 64 bits of the 16-octet privKey
  – Last 64 bits used as IV to DES CBC
• Key values not accessible from SNMP

Page 32: Authoritative Engine

• SNMP messages with payloads that expect a response (Get…, Set, Inform)
  – Receiver of the message is authoritative
• SNMP messages with payloads that do not expect a response (Trap, Response, Report)
  – Sender is authoritative
• So what?

Page 33: Key Localization

• Allows a single user to own keys stored in multiple engines
  – Key localized to each authoritative engine using hash functions
  – Avoids the problem of a single key being stored in many places
• Greatly slows brute-force attack
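The localization the slide describes, written out as an added example (not the lecture's code) following the USM procedure in RFC 3414 Appendix A.2: the user password is first stretched to 1,048,576 bytes and hashed to give Ku, then Ku is hashed together with the authoritative engine's snmpEngineID to give a per-engine Kul. The stretching is what slows a brute-force guess, and the engineID is what keeps one agent's key from being useful against another.

```python
from __future__ import annotations
import hashlib

def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku = H(password repeated until exactly 1,048,576 bytes have been fed in).
    hash_name is "md5" for HMAC-MD5-96 users and "sha1" for HMAC-SHA1-96 users."""
    if not password:
        raise ValueError("empty password")
    stretch = 1_048_576
    repeated = (password * (stretch // len(password) + 1))[:stretch]
    return hashlib.new(hash_name, repeated).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually stored at that engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def localized_keys(password: bytes, engine_ids: list[bytes], hash_name: str = "md5") -> dict:
    """One user password, one Ku, and a distinct Kul for every authoritative engine."""
    ku = password_to_key(password, hash_name)
    return {eid.hex(): localize_key(ku, eid, hash_name).hex() for eid in engine_ids}

if __name__ == "__main__":
    # Constructed engine IDs; the password is the one used in the RFC 3414 test vectors.
    print(localized_keys(b"maplesyrup", [bytes.fromhex("000000000000000000000002"),
                                         bytes.fromhex("000000000000000000000003")]))
```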

Page 34: Key Localization Process (diagram slide; figure not included in the transcript)

Page 35: Timeliness

• Determined by a clock kept at the authoritative engine
  – When the authoritative engine sends a message, it includes the current clock value
    • Nonauthoritative agent synchronizes on the clock value
  – When the nonauthoritative engine sends a message, it includes the estimated destination clock value
• These procedures allow assessing message timeliness
• Why do we care?
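The answer to "why do we care" is replay: without the clock check, a captured authenticated Set could be resent later and still verify. The added example below (not from the lecture) implements the USM timeliness rules of RFC 3414 section 3.2 for both roles, assuming the HMAC over the message has already been verified; the 150 second window and the 2^31-1 boot-count limit are the values fixed by that specification, and the scenario sequence is constructed.

```python
TIME_WINDOW = 150        # seconds, fixed by the USM specification
MAX_BOOTS = 2**31 - 1    # an engine whose boot counter saturates must be re-keyed/reset

def authoritative_check(my_boots: int, my_time: int, msg_boots: int, msg_time: int) -> bool:
    """Receiver is authoritative (it got a Get/Set/Inform) and compares the
    message's boots/time fields against its own clock."""
    if my_boots == MAX_BOOTS:
        return False
    if msg_boots != my_boots:
        return False
    return abs(my_time - msg_time) <= TIME_WINDOW

class NonAuthoritativeView:
    """Receiver is not authoritative (it got a Response/Trap/Report): it keeps an
    estimate of the remote engine's clock and accepts only messages that do not
    fall behind the newest value already seen."""
    def __init__(self) -> None:
        self.boots = 0
        self.latest_time = 0

    def check(self, msg_boots: int, msg_time: int) -> bool:
        # Step 1: synchronize on anything newer than the stored estimate.
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_time):
            self.boots, self.latest_time = msg_boots, msg_time
        # Step 2: reject messages from before a reboot or older than the window.
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        return not (msg_boots == self.boots and msg_time < self.latest_time - TIME_WINDOW)

def replay_scenario() -> list:
    """Constructed sequence at a manager: fresh trap, a later trap, the first trap
    replayed, a trap after the agent rebooted. Expected: [True, True, False, True]."""
    view = NonAuthoritativeView()
    return [view.check(5, 1000), view.check(5, 1400), view.check(5, 1000), view.check(6, 10)]
```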

Page 36: View-Based Access Control Model (VACM)

• VACM has two characteristics:
  – Determines whether access to a managed object should be allowed
  – Makes use of a MIB that:
    • Defines the access control policy for this agent
    • Makes it possible for remote configuration to be used

Page 37: Access Control Logic in VACM (diagram slide; figure not included in the transcript)

Page 38: SNMPv3 Security

• SNMPv3 solves SNMP security problems, right?
  – NOT!
• Decent security implementation, but reality is:
  – SNMPv1 still holds ~95% of the market
  – Even SNMPv2 not widely deployed
  – Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once)
  – There is the issue of proxies and foreign clients
• SNMPv3 is the clear long-term choice

Page 39: Recent SNMP Security Events

• CERT Advisory 12 Feb 02, revised 26 Mar 02, warns about potential for
  – unauthorized privileged access (which allows, inter alia, enumeration of SNMP agents)
  – denial of service attacks
  – unstable behavior
• Vulnerabilities in both messages and traps
• Vulnerabilities are in SNMPv1!

Page 40: This is Not New News!

• After this class, are you surprised?
• These vulnerabilities have been in SNMP since Day One
• Only now, with an increased emphasis on security, are they getting the attention they deserve
• Officially, the vulnerabilities have not been exploited. Unofficially, they have.

Page 41: Summary

• SNMP is widely used for managing clients distributed across a network
• SNMPv1 is simple, effective, and provides the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either version, not a standalone replacement
• SNMP security is a major issue!

Page 42: Homework

• Read Stallings, Chapter 8

• Do Problems 8.2, 8.4, 8.8