SNMP uses over LANs and TCP/IP
MIB Structure:

The SNMP data structure, the MIB, is how all managed objects communicate with management stations. RFC 1155 specifies the Structure of Management Information (SMI), which defines how a MIB is described and organized. The SMI provides a standardized representation of the management information: a standard technique for defining individual objects, including the syntax and the value of each object, the encoding to be used, and the structure of the MIB. The SMI document defines four nodes under the internet node: directory, mgmt, experimental, and private (see appendix A chart 1). Directory is reserved for future use with OSI. Mgmt is used for objects defined in IAB-approved documents. Experimental is used for objects used in internet experiments. Private is typically used for extra, possibly non-standard features provided by a vendor, and gives them a common place to reside. The MIB tree is located under the mgmt node.

In the MIB-II structure there are 11 object groups which form the basis for SNMP. The first group is the system group. This group primarily defines each object, stores some basic information, and reports general information back to the management station (see appendix A Chart 2). The interface group contains information on the physical interfaces of the managed object. In this group one object stores the number of interfaces connected, and the rest of the group is a table of interface-specific information. This is necessary, for instance, for a hub which could have several devices attached to it; all of that information would be stored here. The table could store the IP address, status, and inbound and outbound traffic statistics (see appendix A Chart 3). The IP group contains basic traffic counters for the traffic flowing through the IP layer.
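The subtree layout under the internet node and the OID encoding that SMI prescribes, as an added example that is not part of the original paper. The subtree and MIB-II group arcs are the standard RFC 1155 / MIB-II values; the helper names are my own.

```python
# Added example (not from the original paper): the SMI subtree layout under the
# internet node (1.3.6.1) and the BER encoding that SMI prescribes for OID values.
INTERNET = (1, 3, 6, 1)
SUBTREES = {1: "directory", 2: "mgmt", 3: "experimental", 4: "private"}
MIB2 = INTERNET + (2, 1)  # mgmt.mib-2, where the MIB-II groups live
MIB2_GROUPS = {1: "system", 2: "interfaces", 4: "ip", 5: "icmp", 6: "tcp", 7: "udp", 8: "egp", 11: "snmp"}

def parse_oid(text):
    """Turn dotted text such as '1.3.6.1.2.1.1.5.0' into a tuple of arcs."""
    arcs = tuple(int(a) for a in text.strip(".").split("."))
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % text)  # X.690 first/second arc rule
    return arcs

def classify(oid):
    """Name the SMI subtree (and MIB-II group, if any) an OID falls under."""
    if oid[:4] != INTERNET or len(oid) < 5:
        return "outside internet subtree"
    name = SUBTREES.get(oid[4], "unknown")
    if oid[:6] == MIB2 and len(oid) > 6:
        name += "/mib-2/" + MIB2_GROUPS.get(oid[6], "group-%d" % oid[6])
    return name

def encode_oid(oid):
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]  # low 7 bits go last, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes([0x06, len(out)]) + bytes(out)  # tag 0x06, short-form length

def decode_oid(data):
    """Inverse of encode_oid; rejects a mis-lengthed or truncated encoding."""
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("bad OID TLV")
    body = data[2:]
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value, pending = 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    return tuple(arcs)
```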
The IP group also contains the settings for the operation and implementation of IP at the output node. The Internet Control Message Protocol (ICMP) group is a required companion to IP, as it provides the path for transferring messages from routers to hosts and from hosts to hosts. When problems occur in communication, this provides feedback to the management stations. All the objects in the group are counters. The TCP, EGP and UDP groups are all very similar and provide the means to manage their respective protocols.

SNMP v1 Issues:

SNMPv1 made great strides in improving the reliability of computer networks. Through user and vendor comments gathered during usage and experiments, several concerns and recommendations for enhancements were made. Some of the main issues were that retrieving table information was not efficient for large volumes of data. Security was not very strong and was based only on a unique object identifier. Also, traps were generally unacknowledged in SNMPv1. Some commands, like SetRequest, are not used because of the security concerns of the protocol. The overall architecture of SNMP was very limiting. It involved manager-agent communications only, and did not allow manager-manager or mid-level manager communications. This limits its usefulness in large networks, where it is desirable for more than one PC to interpret all of the data from the network monitoring stations. This also hindered the frequency of polling, because some manager stations were not able to receive all the pertinent data from every managed object. Adding or deleting rows in a table was not explicitly defined, so this needed to be addressed in future revisions of SNMP.

SNMP v2 Enhancements:

ITU decided that most of the enhancements fell into two categories: remote networking and MIB enhancements, and security. These were given to two groups, the SNMPv2 working group and the SNMPv2 security group respectively. Both groups worked independently.
The SNMP security work needed more time, so only the working group's output was incorporated into SNMPv2. Many improvements and advancements helped SNMP continue its hold on market share and improve network reliability. In SNMPv2, error codes were improved to give more information on the nature of a failure. Counters were widened from 32 bits to 64 bits. Manager-manager communication was implemented with the “InformRequest” message, which allows for a hierarchical architecture. The “BulkRequest” was added to speed up table data retrieval, saving steps compared with the previously used “GetNextRequest.” Protocol stacks allowed SNMPv2 to run over AppleTalk, IPX, and OSI. Table operations were refined to allow row creation and deletion, using “SetRequest” supported by “RowStatus.” Indexing was made more flexible to allow further use of tables. A wider variety of object syntaxes made MIB values more meaningful; these include timing variables and larger integers and counters.

MIB enhancements in SNMPv2 included three new groups. The system group was an expanded version of the original group in SNMPv1. It included objects that allow an SNMPv2 entity acting as an agent to describe its dynamically configurable object resources. The SNMP group was also refined for SNMPv2. It now consists of objects providing basic instrumentation of protocol activity. Several objects from the SNMP group were dropped, and some new ones added, to streamline the group. The last object group enhancement was for the collection of trap PDUs, and to allow several cooperating SNMPv2 entities all acting in a manager role to coordinate their use of the SNMPv2 set operation.

In order for SNMPv1 and SNMPv2 to coexist on already existing machines, several considerations had to be accounted for. A simple way to achieve coexistence at the protocol level is to allow existing SNMPv1 agents to remain in place.
In order for their transmissions to reach the SNMPv2 manager, they would need to be translated by a proxy agent. A second way to achieve coexistence is to employ management stations that can communicate in both SNMPv1 and SNMPv2.

SNMP v3 Enhancements:

During the development of SNMPv2 several security concerns were noted, but a tight deadline kept them from being implemented in that version. SNMPv3 continued the work of the SNMPv2 security group, and its work was released during 1998. There are four main security threats that SNMPv3 addresses: interruption, eavesdropping/replay, modification, and masquerade. Interruption is when the communication link between a manager and an agent is physically disabled to cause a denial of service. Eavesdropping is when an entity observes exchanges between a manager and an agent and thereby learns the values of managed objects and learns of events. It could then replay this response at a later time and control the managed object, without knowing the exact content of the message being transmitted. For example, observing a set command that changes passwords would enable an attacker to learn the new passwords. An observer can also capture a message and replay it later as though it were sent from the authorized manager, to cause a denial of service or some other attack. Modification is when an entity alters an in-transit message generated by an authorized manager in such a way as to effect unauthorized management operations, including the setting of object values. The essence of this threat is that an unauthorized entity could change any management parameter, including those related to configuration, operations, and accounting. Masquerade is when management operations that are not authorized for some entity are attempted by that entity assuming the identity of an authorized entity. In order to remedy these potential security holes, a few simple but effective safeguards were implemented.
Authentication was added so that the originator of a message can be correctly identified. A design criterion was to ensure integrity: the transmitted information should not be modified by unauthorized parties. No unauthorized user should be able to eavesdrop on the communication between a manager and an agent. Access to the MIB should be controlled using a sound access control policy and privileges.

In order to improve the security of SNMP data over the network, an increased level of security was implemented and called the User-Based Security Model (USM). It defines the elements of procedure for providing SNMP message-level security. The document RFC 2274 describes the two primary and two secondary threats that are defended against by the User-based Security Model. These threats are: modification of information, masquerade, and message stream modification. The USM utilizes MD5 and the Secure Hash Algorithm as keyed hashing algorithms for digest computation to provide data integrity, which directly protects against data modification attacks, indirectly provides data origin authentication, and defends against masquerade attacks. These algorithms were developed at MIT and NIST respectively for general encryption purposes. The USM uses loosely synchronized, increasing time indicators to defend against certain message stream modification attacks. Automatic clock synchronization mechanisms based on the protocol are specified without dependence on third-party time sources, along with the related security considerations. A masquerader can capture and replay a message even though it does not know the secret value. SNMPv3 therefore dictates that a message must be received within a reasonable time window, to avoid delay and replay attacks. The time window should be chosen to be as small as possible given the accuracy of the clocks involved, round-trip communication delays, and the frequency with which clocks are synchronized.
If the time window is set too small, authentic messages will be rejected as unauthentic. On the other hand, a large time window increases the vulnerability to malicious delays of messages. The SNMP PDUs have fields to communicate, by means of a time-stamp, when the PDU was actually transmitted. Loosely synchronized clocks at the manager and agent stations are used to determine the time window based on the time-stamp.

USM allows the use of one of two alternative authentication protocols, HMAC-MD5-96 and HMAC-SHA-96, each a version of a Message Authentication Code (MAC). HMAC uses a secure hash function and a secret key to produce a message authentication code; HMAC is widely used for Internet-based applications and is defined in RFC 2104. For HMAC-MD5-96, HMAC is used with MD5 as the underlying hash function. A 16-octet (128-bit) authentication key is used as input to the HMAC algorithm. The algorithm produces a 128-bit output, which is truncated to 12 octets (96 bits). For HMAC-SHA-96, the underlying hash function is SHA-1. The authentication key is 20 octets in length. The algorithm produces a 20-octet output, which is also truncated to 12 octets. USM uses the cipher block chaining (CBC) mode of the Data Encryption Standard (DES) for encryption. A 16-octet private key is provided as input to the encryption protocol. The first eight octets (64 bits) of this private key are used as the DES key. Because DES only requires a 56-bit key, the least significant bit of each octet is ignored.

Access control is a security function performed at the PDU level. RFC 2275 defines the View-based Access Control Model (VACM): the mechanisms for determining whether access to a managed object in a local MIB by a remote manager (principal) should be allowed. VACM has two important characteristics. First, it determines whether access to a managed object in a local MIB by a remote manager should be allowed.
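The USM authentication, time-window and DES-key rules just described, as an added example that is not part of the original paper. The 150-second window, the key bytes and the message are constructed assumptions; real USM keys are localized per engine, which this skips.

```python
import hashlib
import hmac

# Added example (not from the original paper). USM authentication as the text
# describes it: HMAC with MD5 (16-octet key) or SHA-1 (20-octet key), output
# truncated to 12 octets, plus the timeliness check and the DES key slice.
AUTH_PROTOCOLS = {"HMAC-MD5-96": (hashlib.md5, 16), "HMAC-SHA-96": (hashlib.sha1, 20)}
MAC_LEN = 12          # both protocols keep 96 bits of the digest
TIME_WINDOW = 150     # assumed window in seconds; the paper gives no figure

def auth_tag(protocol, auth_key, message):
    """Compute the 12-octet authentication parameter for a serialized message
    (in USM the MAC is taken with the authParameters field zeroed out)."""
    digest, key_len = AUTH_PROTOCOLS[protocol]
    if len(auth_key) != key_len:
        raise ValueError("%s needs a %d-octet key" % (protocol, key_len))
    return hmac.new(auth_key, message, digest).digest()[:MAC_LEN]

def verify_message(protocol, auth_key, message, tag, msg_boots, msg_time, local_boots, local_time):
    """Authenticate first, then apply the time-window rule: the sender's boot
    count must match ours and its time-stamp must lie within TIME_WINDOW."""
    if len(tag) != MAC_LEN or not hmac.compare_digest(auth_tag(protocol, auth_key, message), tag):
        return "wrongDigest"          # modified, forged, or mis-keyed message
    if msg_boots != local_boots or abs(msg_time - local_time) > TIME_WINDOW:
        return "notInTimeWindow"      # delayed or replayed message
    return "ok"

def des_key_from_priv_key(priv_key):
    """Take the DES key from the 16-octet USM private key: the first 8 octets,
    of which only 56 bits matter because DES ignores each octet's low bit."""
    if len(priv_key) != 16:
        raise ValueError("USM private key must be 16 octets")
    des_key = priv_key[:8]
    effective = bytes(b & 0xFE for b in des_key)   # the bits DES actually uses
    return des_key, effective

if __name__ == "__main__":
    # Constructed demo values; the keys stand in for localized USM keys.
    key = bytes(range(16))
    msg = b"constructed SNMPv3 message bytes"
    tag = auth_tag("HMAC-MD5-96", key, msg)
    print(verify_message("HMAC-MD5-96", key, msg, tag, 3, 1000, 3, 1100))  # ok
    print(verify_message("HMAC-MD5-96", key, msg, tag, 3, 1000, 3, 1300))  # notInTimeWindow
```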
The second characteristic is that VACM makes use of a MIB table that defines the access control policy for this agent, which makes remote configuration possible. Access control is determined by information in the VACM MIB. It consists of four aspects: the party database, contexts, the MIB view, and access privileges (the access policy). The party database contains authentication and privacy parameters. The context table contains one entry for each context known to the agent. The MIB view is a subset of the local MIB that is accessible through a context. Access privileges indicate whether a particular MIB view is included or excluded; the specific allowable operations, such as read, write, or create/delete, are also specified.

SNMP Tools:

While SNMP is a standard in terms...
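The VACM decision described in the access control passage above, as an added example that is not part of the original paper: a party database, contexts, MIB views with included/excluded subtrees, and an access policy per operation. All principals, groups, view names and policy rows are constructed; only the MIB-II OIDs are standard.

```python
# Added example (not from the original paper): a simplified VACM decision built
# from the four aspects the text lists. Names and policy rows are constructed.
MIB2 = (1, 3, 6, 1, 2, 1)
VIEWS = {  # MIB views: (subtree, "included"/"excluded"); longest subtree match wins
    "mib2-all": [(MIB2, "included")],
    "mib2-no-ip": [(MIB2, "included"), (MIB2 + (4,), "excluded")],  # hide the ip group
}
# Party database: (securityModel, principal) -> group
GROUPS = {("usm", "alice"): "operators", ("usm", "bob"): "admins"}
# Access policy: (group, context, securityLevel) -> view name per operation
ACCESS = {
    ("operators", "", "authNoPriv"): {"read": "mib2-no-ip"},
    ("admins", "", "authPriv"): {"read": "mib2-all", "write": "mib2-all"},
}
# create/delete acts on the same view as write in this simplified model
OP_VIEW = {"read": "read", "write": "write", "create/delete": "write"}

def in_view(view_name, oid):
    """True if the longest view entry covering oid says 'included'."""
    best = None
    for subtree, kind in VIEWS.get(view_name, []):
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, kind)
    return best is not None and best[1] == "included"

def is_access_allowed(model, principal, context, level, op, oid):
    """Walk party database -> access policy -> MIB view, as VACM does."""
    group = GROUPS.get((model, principal))
    if group is None:
        return "noSuchGroup"
    policy = ACCESS.get((group, context, level))
    if policy is None:
        return "noAccessEntry"   # an exact security-level match is required here
    view = policy.get(OP_VIEW[op])
    if view is None:
        return "noSuchView"      # no view granted for this operation
    return "accessAllowed" if in_view(view, oid) else "notInView"
```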