Network Management and SNMP - PowerPoint PPT Presentation

About This Presentation
Title:

Network Management and SNMP

Description:

* Object naming by OID * MIB-II subtree * SNMP Transport * SNMP Transport * SNMP Operations get getnext getbulk (SNMPv2 and SNMPv3) set getresponse trap notification ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 27
Provided by: userpage5

Transcript and Presenter's Notes


1
Network Management and SNMP
  • What is Network Management?
  • ISO Network Management Model (FCAPS)
  • Network Management Architecture
  • SNMPv1 and SNMPv2
  • SNMPv3: what's new?

2
Network Management
  • Any complex system with many interacting
    components must be monitored, managed and
    controlled
  • In the early 1980s, network expansion prompted the
    need for automated network management

3
Network management scenarios
  • Detecting failure of an interface card in a
    device
  • Host monitoring
  • Traffic monitoring to optimize resource
    deployment
  • Detecting rapid changes in routing tables
  • Intrusion detection

4
ISO Network Management Model
  • FCAPS
  • Fault management
  • Configuration management
  • Accounting management
  • Performance management
  • Security Management

5
ISO Network Management Model
  • Fault management - log, detect and respond to
    fault conditions in the network
  • Configuration management - track devices and
    their h/w and s/w configs
  • Accounting management - specify, log and control
    user access to network resources
  • Performance management - quantify, measure,
    report, analyze and control performance of
    network components
  • Security management - control access to network
    resources according to some well-defined policy

6
Network Management Architecture
7
Simple Network Management Protocol
  • Protocol for network management, part of TCP/IP
    suite
  • Current version - SNMPv3
  • Includes communication protocol, set of data
    definitions and database schema
  • Basic components: Managers/NMS, Managed
    devices, SNMP Agents, MIB

8
SNMPv3
  • Was implemented as a full standard in 2004
  • Only changes relate to security and remote
    configuration
  • SNMPv3 provides for encryption, authentication
    and message integrity

9
Network Management Architecture
10
MIB (Management Information Base)
  • MIB - virtual information store for a collection
    of managed objects
  • Describes structure of management data on managed
    device
  • Each variable that describes some part of device
    configuration is identified by a unique OID
    (object ID)
  • Vendors define MIB variables for their own use
  • MIB II - standard MIB implemented by all managed
    objects

11
SMI (Structure of management information)
  • SMI is the language used to define the management
    information residing in a managed object
    logically
  • SMI states that each managed object should have a
    name, syntax and encoding
  • SMI is a subset of ASN.1 - a standard for
    describing data that is independent of
    machine-specific encoding.

12
Object naming by OID
13
MIB-II subtree
14
SNMP Transport
15
SNMP Transport
16
SNMP Operations
  • get
  • getnext
  • getbulk (SNMPv2 and SNMPv3)
  • set
  • getresponse
  • trap
  • notification (SNMPv2 and SNMPv3)
  • inform (SNMPv2 and SNMPv3)
  • report (SNMPv2 and SNMPv3)

17
SNMP Operations
  • Get and getresponse

18
SNMP Operations
  • Getnext - retrieve a group of values

19
SNMP Operations
  • Getbulk - retrieve a section of a table

20
SNMP Operations
  • Set - change value or create a new row in the
    table

21
SNMP Operations
  • Trap - asynchronous operation

22
Primary Goals of SNMPv3
  • Check message integrity - To verify that each
    received message has not been modified during its
    transmission.
  • User authentication - To verify the identity of
    the user on whose behalf a received message
    claims to have been generated.
  • Message timestamp - To detect outdated messages.
  • Message confidentiality - To assure that the
    contents of each received message are
    protected/encrypted.

23
SNMPv3 security framework
  • Two core modules within the framework are the
    User-based Security Model (USM) and the
    View-based Access Control Model (VACM).
  • The USM is in charge of authenticating/encrypting/
    decrypting SNMP packets
  • The VACM is in charge of administering access to
    MIB data.

24
SNMPv3 security framework
  • Authentication - Each SNMP entity is identified by
    SNMPEngineID, and SNMP communication is possible
    only if an SNMP entity knows the identity of its
    peer. Traps and Notifications are exceptions to
    this rule.
  • Protection against:
  • Modification of Information (Data Integrity) -
    Ensure that the data is not maliciously altered
    during transit by an unauthorized entity.
  • Masquerading (Data Origin Authentication) - Ensure
    that it is known exactly who and where the data
    came from to prevent an unauthorized entity from
    assuming the identity of an authorized user.
  • Disclosure (Data Confidentiality) - Ensure that an
    unauthorized entity cannot eavesdrop on the data
    exchanges.
  • Message Stream Modification (Message
    Timeliness) - Ensure that the data was received in
    a timely manner to prevent malicious re-ordering
    of data by an unauthorized entity.

25
SNMPv3 User-based Security Model
  • USM communication mechanisms available:
  • Communication without authentication and privacy
    (NoAuthNoPriv).
  • Communication with authentication and without
    privacy (AuthNoPriv).
  • Communication with authentication and privacy
    (AuthPriv).
  • Different authentication and privacy protocols
    supported - Currently, the MD5 and SHA
    authentication protocols and the CBC_DES and
    CFB_AES_128 privacy protocols are supported in
    the USM.
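
The USM authentication path described on the slides above, as an added example that is not part of the original presentation: RFC 3414 password-to-key localization bound to the SNMPEngineID, followed by the 12-byte truncated HMAC tag used in AuthNoPriv and AuthPriv. The password and first engine ID are the RFC 3414 appendix sample values; the second engine ID and the message bytes are constructed stand-ins.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to exactly 1 MiB (Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1024 * 1024, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): a key recovered from one agent
    does not authenticate to any other agent, even with the same password."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_tag(kul: bytes, message: bytes, algo: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the message, truncated to 12 bytes.
    A real agent computes it with the auth-parameters field set to 12 zero bytes."""
    return hmac.new(kul, message, algo).digest()[:12]

def verify(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)

PASSWORD = b"maplesyrup"                                # RFC 3414 A.3 sample
ENGINE_A = bytes.fromhex("000000000000000000000002")    # RFC 3414 A.3 sample
ENGINE_B = bytes.fromhex("80001f8880aabbccdd")          # constructed
MESSAGE = b"constructed stand-in for a serialized SNMPv3 message"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        ku = password_to_key(PASSWORD, algo)
        key_a = localize_key(ku, ENGINE_A, algo)
        key_b = localize_key(ku, ENGINE_B, algo)
        tag = auth_tag(key_a, MESSAGE, algo)
        print(algo, "Kul(A) =", key_a.hex())
        print("  genuine message accepted :", verify(key_a, MESSAGE, tag, algo))
        print("  altered message accepted :", verify(key_a, MESSAGE + b"!", tag, algo))
        print("  other engine's key works :", verify(key_b, MESSAGE, tag, algo))
```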

26
SNMPv3 VACM
  • The Access Control Subsystem of an SNMP entity
    has the responsibility for checking whether a
    specific type of access to a specific managed
    object is allowed.
  • Access control occurs in the agent when
    processing SNMP retrieval or modification request
    messages from a manager, and also when a
    notification message must be sent to the manager.
  • Elaborates on the concept of community strings in
    the previous versions of SNMP
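
The access check described on this slide, as an added example that is not part of the original presentation. It goes beyond the slide text by modelling a simplified form of the VACM decision (user to group, minimum security level, read or write view, OID subtree match); the users, groups and views are constructed samples, and security models, contexts and view masks are left out.

```python
# Simplified VACM decision. Users, groups and views are constructed samples.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
GROUP_OF = {"monitor": "ro-group", "netadmin": "rw-group"}  # securityName -> group
ACCESS = {  # group -> (minimum security level, read view, write view)
    "ro-group": ("authNoPriv", "system-only", None),
    "rw-group": ("authPriv", "mib2-no-routes", "system-only"),
}
VIEWS = {  # view -> [(subtree OID, included?)]
    "system-only": [("1.3.6.1.2.1.1", True)],
    "mib2-no-routes": [("1.3.6.1.2.1", True), ("1.3.6.1.2.1.4.21", False)],
}

def parse_oid(text):
    return tuple(int(part) for part in text.split("."))

def in_view(view_name, target):
    """Longest matching subtree wins, so an exclude can carve a hole in an include."""
    oid = parse_oid(target)
    best_len, best_included = -1, False
    for subtree, included in VIEWS[view_name]:
        prefix = parse_oid(subtree)
        # Compare arcs, not strings: 1.3.6.1.2.1.1 must not match 1.3.6.1.2.1.10
        if oid[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_included = len(prefix), included
    return best_included

def is_access_allowed(user, level, operation, target):
    """Return an RFC 3415 style status; anything but accessAllowed is a denial."""
    group = GROUP_OF.get(user)
    if group is None:
        return "noGroupName"
    min_level, read_view, write_view = ACCESS[group]
    if LEVELS[level] < LEVELS[min_level]:
        return "noAccessEntry"
    view = read_view if operation == "read" else write_view
    if view is None:
        return "noSuchView"
    return "accessAllowed" if in_view(view, target) else "notInView"

if __name__ == "__main__":
    checks = [
        ("monitor", "authNoPriv", "read", "1.3.6.1.2.1.1.1.0"),       # sysDescr.0
        ("monitor", "noAuthNoPriv", "read", "1.3.6.1.2.1.1.1.0"),     # level too low
        ("monitor", "authNoPriv", "write", "1.3.6.1.2.1.1.5.0"),      # no write view
        ("netadmin", "authPriv", "read", "1.3.6.1.2.1.4.21.1.1.10"),  # excluded subtree
        ("netadmin", "authPriv", "write", "1.3.6.1.2.1.1.5.0"),       # sysName.0
    ]
    for check in checks:
        print(check, "->", is_access_allowed(*check))
```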