SNMP In Depth - PowerPoint PPT Presentation

Slides: 23
Provided by: bestitdoc
Transcript and Presenter's Notes

1
SNMP In Depth
2
SNMP
  • Simple Network Management Protocol
  • The most popular network management protocol
  • Hosts, firewalls, routers, switches, UPS, power
    strips, ATM cards -- ubiquitous
  • One of the single biggest security nightmares on
    networks today

3
SNMP Transport Mechanism Flaws
  • UDP Based
  • Unreliable - packets may or may not be received
  • Easily forged - trivial to forge source of packets

4
Management Information Base
  • MIB -- Management Information Base
  • MIBs describe object attributes
  • Some MIBs are pre-loaded
  • Additional MIBs are needed
      • Loaded manually
      • Downloaded from manufacturers' web sites
  • Standard MIBs
      • MIB-I
      • MIB-II
      • RMON
      • RMON 2
      • Bridge
      • Repeater

5
MIB Structure
  • iso (1)
      • org (3)
          • dod (6)
              • internet (1)
                  • directory (1)
                  • mgmt (2)
                      • mib-2 (1)
                          • system (1)
                              • sysDescr (1)
                              • sysObjectID (2)
                          • interfaces (2)
                          • snmp (11)
                  • experimental
                  • private (4)
                      • enterprises (1)
                          • cisco (9)
                          • hp (11)
                          • novell (23)

6
SNMP Basics
(Diagram: a Manager communicates over SNMP with an Agent holding MIB data on a router, etc.)
7
SNMP Popular Defaults
  • Popular defaults
  • public
  • private
  • write
  • all private
  • monitor
  • manager
  • security
  • admin
  • lan
  • default
  • password
  • tivoli
  • openview
  • community
  • snmp
  • snmpd
  • system
  • and on and on...

8
SNMP v1 Information Disclosure
  • Routing tables
  • Network topology
  • Network traffic patterns
  • Filter rules

9
SNMP Options
  • SNMP configuration
  • Event Configuration
  • Customize event notification messages
  • Define the type of event notification
  • Define automatic actions when an event is
    received.
  • Create/modify alarm categories
  • Configure additional actions for the operator
  • Configure event correlations
  • SNMP data collection and threshold
  • SNMP MIB application builder
  • Load/unload MIB
  • Network polling configuration
  • License password

10
SNMP Tools
  • Remotely turn on the power of a PC
  • Web-based access
  • Terminal Connect -- provides the ability to
    establish a telnet session from a local system in
    order to manage a remote system
  • SNMP MIB Browser -- provides a functional tool that
    can be used to explore, query, and set MIB values
  • DMI Browser

11
Agent Data Collection
  • Network data collected using
  • SNMPv1, SNMPv2
  • IP Protocol
  • TCP/IP
  • UDP
  • ICMP
  • ARP/RARP
  • IPX
  • DMI
  • Desktop Management Interface for accessing
    information about PCs and their components

12
Auto-discovery
  • Auto discovery of network objects based on
  • IP Protocol
  • Routing data on routers (ARP table)
  • SNMP data
  • Auto assignments of symbols to represent objects
  • Auto arrangement of symbols on the maps and
    submaps

13
SNMP Event Generation
  • SNMP agents continuously watch for certain
    incidents to occur
  • When an incident occurs, an event is generated
  • Events are categorized based on the alarm type
  • Alarm types are user definable
  • Events are displayed with color coded severity
  • Severity and color codes are user definable
  • Event trap configuration
  • Pre-defined
  • User-defined generic traps
  • User-defined specific traps

14
Event Correlation
  • Event correlation
  • Discovers events that are the same event
    or related events
  • Presents these events as a single main event
  • Allows drill-down into the main event to view the
    related events
  • Provides four pre-defined correlations
  • Connector Down Correlation
  • Scheduled Maintenance Correlation
  • Repeated Event Correlation
  • Pair Wise Correlation
  • Additional correlations may be obtained
  • From web page
  • From a 3rd party for a fee
  • Developed by yourself -- not recommended

15
Performance Management
  • Network activities
  • Status of the interfaces
  • Error rate and percentage
  • Ethernet traffic
  • SNMP authentication failures, traffic, errors
  • List of TCP connections
  • Graph CPU load and disk space usage
  • Graph SNMP data collected with MIB data collector
  • Graph data based on Interface status polling and
    SNMP node polling

16
Configuration Management
  • Network Configuration (at selected remote SNMP
    node)
  • List interface properties
  • List IP and link addresses
  • List routing table
  • List ARP cache table
  • List the supported services
  • List the services for which the selected remote
    SNMP nodes are configured to support
  • List the management systems (by IP Address) that
    are configured to receive traps
  • Run the Microsoft Windows NT operating system
    Registry Editor

17
Performance Management
  • Network activities
  • Status of the interfaces
  • Error rate and percentage
  • Ethernet traffic
  • SNMP authentication failures, traffic, errors
  • List of TCP connections
  • Graph CPU load and disk space usage (HP-UX only)
  • Graph SNMP data collected with MIB data collector
  • Graph data based on Interface status polling and
    SNMP node polling

18
Fault Management
  • Alarms -- show all alarms of selected nodes
  • Network Connectivity
  • Poll node -- information about selected objects
  • Status poll -- status about selected objects
  • Capability poll -- check for remote DMI,
    web-management, and web server capabilities.
  • Ping
  • Remote ping
  • Locate route via SNMP
  • Test IP/TCP/SNMP
  • Interface Status -- Graphic display of number and
    rate of bad packets
  • Windows NT Event Viewer
  • Windows NT Diagnostic tool

19
SNMPv1 Security Flaws
  • Transport Mechanism
      • Data manipulation
      • Denial of Service
      • Replay
  • Authentication
      • Host Based
      • Community Based
  • Information Disclosure

20
SNMP Authentication Flaws
  • Host Based
      • Fails due to UDP transport
      • DNS cache poisoning
  • Community Based
      • Cleartext community
      • Community name prediction/brute forcing
      • Default communities

21
RMON and RMON2 Security
  • SNMPv1's flaws
  • Additional hazards by introducing action
    invocation objects
  • Collects extensive info on subnet
  • Packet captures

22
SNMP Fixes
  • Disable it
  • ACL It
  • Read-Only