SNMP Management

1

• SNMP Management

2
Overview

• Growth of network size led to need for management
  techniques
• Five main areas
• Configuration management
• Deals with installing, initializing, and
  boot-loading network hardware and software
• Also deals with modifying and tracking
  configuration parameters
• Fault location and repair management
• Concerned with tools enabling fault location in
  equipment, software, and/or provider lines
• Tools have strong error and alarm characteristics

3
Overview

• Security management
• Tools are concerned with access control
• Tools enable network managers to restrict or
  grant access to various network resources
• Performance management
• Tools provide operational statistics about the
  network
• These may include bandwidth utilization or the
  number of packets received, transmitted, or
  dropped, etc.
• Accounting management
• Concerned with the applications enabling managers
  to define costs related to network resources

4
Network Management Tool Development

• Network management tools are essential
• Internet Engineering Task Force (IETF) formed a
  group to develop tools, protocols, and database
  standards for TCP/IP networks
• Result Simple Network Management Protocol (SNMP)
• SNMP is the most commonly used protocol for
  collecting management data from IP networks
• SNMP is not always the best solution

5
SNMP Client-Server Relationship

• Manager
• Client program that makes virtual connections to
  an agent
• Agent
• Server program residing on a remote network
  device
• MIB
• Management Information Base is a data base
  defining a standard set of statistical and
  control values
• MIB can be customized by vendors

6
SNMP Client-Server Relationship

• Managers and agents communicate with a simple
  request/response technique
• Management station issues queries or action
  requests to the agent
• Queries identify SNMP variables of interest (MIB
  object identifiers or MIB variables)
• The agent is instructed to either get the
  requested variable or set the requested variable
• Agent responds to the managers commands
• Agent can be programmed to send unsolicited
  messages to the manager in the form of a trap
• Traps are essentially alerts

7
SNMP Operation
8
SNMP Versions

• Two available commercial versions
• SNMPv1
• Most popular version
• Defined in Request for Comment (RFC) 1157
• SNMPv2 (or SNMPv2c)
• Improved security over SNMPv1
• Updated the protocol operations and data types

9
SNMP Architecture

• Network elements
• Network devices to be managed such as routers,
  hubs, switches, computers, and printers
• Agents
• Software program residing on a network element
• Collects and stores information about the managed
  device
• Managed Object
• Sets of values describing manageable
  characteristics of a device
• Example
• The number of IP interfaces in a router is a
  managed object, but a specific interface is an
  instance of a managed object

10
SNMP Architecture

• MIB
• Collection of all managed objects for a given
  device
• Syntax Notation
• The way MIB objects are described
• Based on OSIs Abstract Syntax Notation One
  (ASN.1)
• Machine independent
• Structure of Management Information (SMI)
• Rules for defining managed objects using ASN.1
• Manager
• Issues commands and queries to managed device
• Workstations that run management application
• Example Nortels Site Manager, Nortels
  Optivity, HPs Openview

11
Message Types

• Only communication is between managers and agents
• Get request
• Agent will return value of the named object
• Get next request
• Agent will return the next object in the MIB
  hierarchy
• Set request
• Instructs the agent to set the value of a named
  object to a particular value
• Used to control managed devices
• Trap message
• Agent notifies a manager of a problem as soon as
  it happens

12
SNMP and the TCP/IP Protocol

• SNMP is an application layer protocol
• Interfaces to User Datagram Protocol (UDP), not
  TCP
• Uses ports 161 and 162

13
MIB

• Resides on managed devices
• Standard MIB includes objects to measure
• IP activity
• TCP and UDP activity
• IP routes
• TCP connections
• Interfaces
• General system description

14
MIB

• Arranged in a hierarchical fashion
• Starts from unnamed root
• Connected to labeled nodes
• Children of the root
• Form branches of the tree
• The path from the root down to an object defines
  the object
• Path is called the Object Identifier ID
• Example Nortel MIB objects are under
• iso.org.dod.internet.private.enterprise.wellfleet
• 1.3.6.1.4.1.18

15
MIB Object Hierarchy
16
MIB

• Nodes under Internet are administered by the
  Internet Activities Board (IAB)
• Nodes under Enterprise are for vendors with
  device-specific information
• Vendors must apply to the IABs Internet Assigned
  Numbers Authority (IANA) for node numbers

17
Structure of Management Information (SMI)

• Defines rules and formats for adding or accessing
  objects in the Internet MIB
• Nodes (objects) are described by ASN.1
• Three categories of SMI data types
• Simple
• Application-wide
• Easily constructed

18
SMI Data Types
19
SMI Data Types
20
SMI Data Types
21
ASN.1

• Grammatical rules governing definitions of
  protocols and programming languages
• Used to define precise function of MIB values
• Defines objects type, access, and description

22
Branch Object Identifiers

• Act as placeholders for other objects
• Much like directories containing files on a PC
• Contain other objects instead of files

23
Two Types of Managed Objects in MIB

• Scalar
• One value per object
• Columnar
• Two-dimensional table made of multiple scalar
  objects indexed by row and column numbers

24
Scalar Object Definitions

• Syntax for declaring an SNMP object
• Template

25
Scalar Object Definitions
26
Scalar Object Definitions

• Example

27
Table Types

• Identical to branch types except objects in table
  are columns rather than scalar objects
• Each SNMP table has the Table keyword
• Single branch object exists beneath each table
  with an Entry keyword
• This object contains table data
• Series of SNMP objects exists within the Entry
  branch that contains indexes to table rows in dot
  notation

28
Table Types

• Template

29
Table Types

• Example

30
SNMP Operations - Communities

• Managers and agents send messages to each other
  containing commands and information
• Agents have full access to a devices
  configuration
• Security is set up so that only selected managers
  can request this information
• Security is implemented through SNMP communities
• Logical groups containing the agent and one or
  more managers
• Agent checks to see if manager is in the community

31
SNMP Operations - Communities

• Community defined on the agent
• Limits access to either read-only or read-write
• Can define several communities with different
  rights, so different managers get different types
  of access

32
Accessing the Agent

• Manager sends a message (datagram) to the agent
• Each SNMP datagram has fields containing
• SNMP version
• The community name
• The SNMP Protocol Data Unit (PDU)
• PDU is the payload, or data field containing the
  SNMP operation to perform
• Agent verifies that the manager is from the
  community it belongs to and determines what
  access rights, if any, it has
• If the manager is granted access, the action
  specified in the datagram is performed

33
SNMP Datagram
34
SNMPv1 Datagram Format
35
SNMP PDU

• Five types
• Get Request
• Get Next Request
• Get Response
• Set Request
• Trap

36
Get and Set PDU Format
37
Get and Set PDU Fields
38
Trap PDU Format
39
Trap PDU Fields
40
SNMPv1 Security Issues

• Problem
• Manager access is limited only by IP address
• Intruder can send a SNMP datagram to agent with
  fake source IP address belonging to agents
  community
• Masquerading
• Nortel solution Secure Mode
• Default mode is Trivial mode
• Use an encrypted exchange during Set Requests
• Manager and agent exchange a key to be used to
  decode encrypted messages
• Intruder will not have the key
• Cannot use secure mode for public communities and
  addresses of 0.0.0.0

41
Standard MIB Structure

• Defined by IETF
• Recall that MIB object identifier number is
  derived from the tree structure of the MIB
• Main management functions under
• iso.org.dod.internet.management (1.3.6.1.2)
• Vendor specific management functions under
• iso.org.dod.internet.private.enterprises
  (1.3.6.1.4.1)
• Nortel granted vendor number 18

42
MIB-I and MIB-II

• SNMP originally designed as a short-term fix
• OSI network management framework intended to be
  the long-term solution
• SNMP became very popular
• Problem
• SNMP and OSI framework had limited compatibility
• Resulted in separate, parallel development
• SNMP was improved with development of version 2
  of MIB (MIB-II)

43
MIB-II Improvements

• Changes
• Incremental additions reflect new operational
  requirements
• Improved support exists for multiprotocol
  entities
• Textual cleanup improved clarity
• Changes designed to keep upward compatibility
  with SNMP
• Keep same object identifier as in MIB-I
• MIB-II in RFC 1213

44
Nortel MIB Structure

• Extension of standard MIB-II
• Nortels router software MIB
• Software called BayRS
• Under enterprises.wellfleet.wfSwSeries7 (1.18.3)
• Main object groups under wfSwSeries7 are
• wfHardwareConfig
• wfSoftwareConfig
• wfSystem
• wfLine
• wfApplication
• These objects have statistics and configuration
  information for the router

45
Nortel MIB Structure
46
wfSwSeries7 Object Groups
47
MIB Structure
48
Nortel Agent Traps

• Trap messages are sent immediately by the agent
  to the manager when a given condition is met
• Short description of condition is sent in
  message, detailed description stored in event log
• Trap message types
• Generic
• Enterprise-specific

49
Generic Traps

• Defined by RFC 1157
• coldStart
• warmStart
• linkUp
• linkDown
• authenticationFailure
• egpNeighborloss

50
Nortel Enterprise Traps

• Any event that would be recorded in the router
  event log

51
Configuring Nortel Trap Messages

• Three criteria
• Category
• Either generic or specific
• Protocol Entity
• Protocol entities to be sent
• Event Severity
• Specifies severity of the event, fault, warning,
  etc.

52
Configuring Nortel Trap Messages

• Nortels Site Manager is used to
• Specify the manager to receive trap messages from
  the agent
• Selection of the type of event for the trap
• Nortel routers have hundreds of different events
• Events are grouped by entities
• Entities are protocols like ATM, BGP, IP, etc.
• Each entity has its various events categorized by
  severity level
• Fault
• Warning
• Debug
• Trace
• Info

53
Configuring Nortel Trap Messages

• Example
• You can tell the agent to send traps for IP
  protocol events with the severity level Info
• The router will send a trap to the manager for
  Info level events such as whether an interface IP
  filter dropped a packet because it met the filter
  criteria

54
SNMPv2

• SNMPv2 addresses two deficiencies in v1
• Lack of support for distributed network
  management
• Functional deficiencies
• A third deficiency, security is addressed to some
  degree
• More enhancements in SNMPv3

55
SNMPv2 Distributed Network Mgt

• Centralized management schemes have one main
  management station and possibly some backups, all
  at one location
• Not good for large networks
• Many agents sending information a long way
• Too much information entering the management
  workstation

56
SNMPv2 Distributed Network Mgt

• A decentralized management scheme has a hierarchy
  of management stations
• The top level management stations is responsible
  for managing all of the agents
• Intermediate management stations are deployed to
  directly manage some of the networks agents
• Intermediate managers relay information to the
  top level manager

57
Distributed Network Management

• W. Stallings, Network Security Essentials
  Applications and Standards, Englewood Cliffs, NJ,
  Prentice-Hall, 2000

58
SNMPv2 Functional Enhancements

• Two new commands added
• Inform
• Sent from one management station to another to
  inform it about events at the sender
• Used to implement hierarchical management
  structures
• GetBulk
• Allows manager to retrieve a large block of data
  an once rather than issue multiple Get commands
• Good for sending an entire table at one time
• The Get command is modified
• In SNMPv1, if a Get requests a list of objects
  and one is invalid, the entire command is
  rejected by the agent
• In SNMPv2, the agent will not reject the command,
  but will send back the valid objects

59
Comparison of SNMPv1 and v2 PDUs
60
SNMPv2 Security Enhancements

• V1 security threats addressed by v2
• V1 had no way of restricting 3rd party from
  observing traffic content between manager and
  agent
• 3rd party (hacker) could learn passwords when
  manager SETs a new password
• 3rd party could masquerade as the manager and
  perform get/set functions on agent
• 3rd party could intercept and modify the content
  of messages between manager and agent
• 3rd party could intercept and modify message
  sequence and timing
• 3rd party could copy a message to reboot a router
  and replay it at a later time

61
SNMPv2 Security Enhancements

• V1 security threats not addressed by v2
• Denial of service
• Hacker can prevent exchanges between manager and
  agent
• Traffic analysis
• Hacker observes traffic pattern between manager
  and agent

62
SNMPv2 Security Services

• SNMPv2 adds some security enhancements over
  SNMPv1
• Privacy
• Protection of data from eavesdropping
• Authentication
• Communicating parties can verify that messages
  are from whom they say they are
• Access Control
• Only authorized parties have access to MIBs
• How does v2 do it?
• V2 added ability to include an authentication
  code so agent and manager know their correct
  identities
• Messages can be encrypted
• SNMPv3 adds more enhancements

63
SNMPv2 Security Features

• W. Stallings, Network and Internetwork Security
  Principles and Practice, Englewood Cliffs, NJ,
  Prentice-Hall, 1995

64
SNMPv2 Capability Highlight

• W. Stallings, Network and Internetwork Security
  Principles and Practice, Englewood Cliffs, NJ,
  Prentice-Hall, 1995

65
SNMPv3

• In 1998, RFCs 2570 through 2575 proposed
  additional security features in SNMP with
  backward compatibility to SNMPv1 and SNMPv2
• SNMPv3 is not a replacement for v1 and v2
• It must be use with them
• Defines security capability to be used with v1
  and v2
• SNMPv3 can be thought of as SNMPv2 with
  additional security and administration
  capabilities

66
V3 Protocol Overview

• Security related information is included inside
  the SNMP message
• The v3 User Security Model (USM) uses fields in
  the message header
• Payload of the SNMP message is the SNMPv1 or v2
  protocol data unit (PDU)
• SNMPv1 and v2 PDU formats are the same as in the
  original protocols

67
SNMP Protocol Architecture

• W. Stallings, Network Security Essentials
  Applications and Standards, Englewood Cliffs, NJ,
  Prentice-Hall, 2000

68
SNMP Architecture

• Architecture is a distributed, interacting
  collection of SNMP entities
• Entities can be agents, managers, or a
  combination of the two

69
V3 SNMP Entity

• Traditional SNMP Manager
• Interacts with SNMP agents using get, set
  commands and receiving traps
• Interacts with other mangers using Inform Request
  PDUs and receiving Inform Responses
• Manager consists of some SNMP applications an
  SNMP engine
• Engine contains a security subsystem that
  supports the User Security Model

70
Traditional SNMP Manager

• W. Stallings, Network Security Essentials
  Applications and Standards, Englewood Cliffs, NJ,
  Prentice-Hall, 2000

71
V3 SNMP Entity

• Traditional SNMP Agent
• Respond to incoming requests by retrieving or
  setting MIB objects and issuing a Response PDU
• Generates v1 or v2 traps
• Forwards messages between entities

72
Traditional SNMP Agent

• W. Stallings, Network Security Essentials
  Applications and Standards, Englewood Cliffs, NJ,
  Prentice-Hall, 2000