SNMPv3*

*Mani Subramanian, “Network Management: Principles and Practice”, Addison-Wesley, 2000.

Outline
• Background and security threats
• SNMPv3 Architecture
• SNMPv3 Applications
• Message Format
• User-based Security Model (USM)
• View-based Access Control Model (VACM)
Background
• SGMP: monitor gateways
• SNMP: simple but powerful facilities to monitor and control NEs
  - SMI
  - MIB
  - Protocol
• SNMP deficiencies:
  - Difficulties in monitoring networks as opposed to nodes on networks → RMON
  - Lack of security facilities → S-SNMP → SNMPv2
SNMPv2
• SNMPv2 Working Group: charged with all non-security aspects
  - SMI, MIB, Protocol, conformance issues, compatibility issues
• SNMPv2 Security WG
  - Based on S-SNMP, many unresolved issues
• SNMPv2 was finally issued without security features; the security work and previous efforts resulted in a new standard, SNMPv3
Design Requirements
• Address the need for secure support (especially for set-request operations)
• Define an architecture that allows for longevity for SNMP
• Allow different portions of the architecture to move at different speeds towards standard status
• Allow for future extensions (modular implementation)
• Keep SNMP simple
• Allow for minimal implementations
• Also support more complex features, which are required in large networks
• Re-use existing specifications whenever possible
Security Threats
[Figure: threats on the exchange between Management Entity A and Management Entity B: modification of information, masquerade, message stream modification, disclosure]
• Modification of Information: an entity may alter in-transit SNMP messages generated on behalf of an authorized principal in such a way as to effect unauthorized management operations, including falsifying the value of an object
• Masquerade: management operations not authorized for some entity may be attempted by assuming the identity of another entity that has the appropriate authorizations
• Message Stream Modification: SNMP is typically based upon a connectionless transport service. Messages may be maliciously re-ordered, delayed or replayed in order to effect unauthorized management operations. For example, a message to reboot a system could be copied and replayed later
• Disclosure: eavesdropping on or intercepting the exchanges between SNMP engines
SNMPv3 is not intended to secure against these two threats:
• Denial of Service: an attacker may prevent exchanges between manager and agent. DoS is indistinguishable from network element failures, and DoS may disrupt all services (not just those pertaining to NM)
• Traffic Analysis: an attacker may observe the general pattern of traffic between managers and agents
Section: SNMPv3 Architecture
SNMP Architecture
• Distributed, interacting collection of SNMP entities
• An SNMP entity implements a portion of the SNMP capability: it acts either as an agent or a manager or both
• A collection of modules interacting with each other to provide services
[Figure: an SNMP entity consists of SNMP applications (command generator, command responder, notification originator, notification receiver, proxy forwarder, other) and an SNMP engine (dispatcher, message processing subsystem, security subsystem, access control subsystem)]
SNMP Architecture Advantages:
• The role of an SNMP entity is determined by the modules implemented in that entity
• A certain set of modules is required for an agent, while a different set is required for a manager
• The security subsystem provides services such as authentication and privacy of messages
• Multiple security models can coexist
• Access Control: a set of authorization services an application can use for checking access rights
SNMP Architecture-Manager
[Figure: manager entity: the applications (command generator, notification originator, notification receiver) exchange PDUs with the engine's PDU dispatcher; the dispatcher hands messages to the message processing subsystem (SNMPv1, SNMPv2c, SNMPv3 and other message processing models), which uses the security subsystem (community-based security model, user-based security model, other security models); the message dispatcher passes messages to the transport mappings]
SNMPv3 Architecture-Manager
Command Generator Application
• Monitors and manipulates management data at remote agents
• Makes use of SNMPv1/v2 PDUs: Get, GetNext, GetBulk, etc.
Notification Originator Application
• Initiates messages, such as the InformRequest PDU
Notification Receiver Application
• Receives messages from other managers or agents: InformRequest, SNMPv1 and SNMPv2 Traps, etc.
These applications make use of the services provided by the SNMP engine:
• Get outgoing PDUs, process them and generate SNMP messages for transmission over the transport layer
• Accept incoming SNMP messages, process them, extract the PDUs and pass them to the appropriate SNMP application
SNMPv3 Architecture-Manager: SNMP Engine (identified by snmpEngineID)
[Figure: SNMP engine = Dispatcher + Message Processing Subsystem + Security Subsystem]
Dispatcher
• One dispatcher per SNMP engine
• Accepts PDUs from applications
• Handles multiple message versions (SNMPv1, v2, v3)
• Interfaces with application modules, the network, and the message processing models
• Three components for three functions:
  - Transport mapper: delivers messages over the transport protocol
  - Message dispatcher: routes messages between the network and the appropriate module of the MPS
  - PDU dispatcher: handles messages between applications and the MPS
Message Processing Subsystem (MPS)
• Accepts outgoing PDUs from the Dispatcher, attaches the appropriate header, and returns the message to the Dispatcher
• Accepts incoming messages, processes each message header, and returns the enclosed PDU to the Dispatcher
• Contains one or more Message Processing Models, one for each SNMP version
• The SNMP version is identified in the header
Security Subsystem
• Performs authentication and encryption functions for each outgoing/incoming message
• Outgoing PDUs may be encrypted, and authentication codes generated and appended to the message header; the message is then returned to the MPS
• Incoming messages are passed to the security subsystem for message decryption and message authentication
SNMPv3 Architecture-Agent
[Figure: agent entity: the applications (command responder, notification originator, proxy forwarder) reach the Management Information Base through the access control subsystem (view-based access control); PDUs pass through the PDU dispatcher to the message processing subsystem (SNMPv1, SNMPv2c, SNMPv3, other) and the security subsystem (community-based security model, user-based security model, other security model); the message dispatcher passes messages to the transport mappings]
SNMPv3 Architecture-Agent
Command Responder Application
• Provides access to management data
• Responds to incoming requests by retrieving and/or setting managed objects and issuing a Response PDU
Notification Originator Application
• e.g., SNMPv1/v2 Trap PDU
Proxy Forwarder Application
• Forwards messages between entities
Access Control Subsystem
• Provides authorization services to “control access” to the MIB for reading and setting management objects
• Who can access, and what can be accessed
Terminology
• SNMP Engine ID (snmpEngineID): associated with each SNMP entity
• Principal (principal): person or group or application requesting services
• Security Name (securityName): human-readable name
• Context Engine ID (contextEngineID): each entity has a unique context ID (identical to snmpEngineID)
• Context Name (contextName): a context associated with a managed object (for access control); an SNMP agent can monitor more than one network element (context)
Example: SNMP Engine ID = IP address; Principal = John Smith; Security Name = Administrator
Abstract Service Interfaces
• An abstract service interface is a conceptual interface between modules, independent of implementation
• It defines a set of primitives; a primitive specifies the function to be performed (e.g., a procedure call)
• Primitives are associated with receiving entities
• An interface defined using primitives and parameters is referred to as an “abstract service interface”
• e.g., Dispatcher primitives: handling messages to and from applications; registering and un-registering application modules; transmitting messages to and receiving messages from the network
• IN and OUT parameters; status information / result
Dispatcher Primitives
[Figure: Command Generator → Dispatcher (sendPdu; returns sendPduHandle / errorIndication) → Message Processing Model (prepareOutgoingMessage), each crossing an abstract service interface]
sendPdu
• Used by a command generator to send an SNMP request or notification PDU to another SNMP entity
• When the Dispatcher successfully prepares the message, a sendPduHandle (unique identifier) is returned, used to track the response if one is expected
• The application also provides the transport domain/address for the PDU as well as the message processing model, security model, principal, level of security, the context for this PDU, and the PDU itself
processResponsePdu
• Used by the Dispatcher to pass an incoming response PDU to an application
• The application checks whether it matches a preceding request or notification PDU by checking the sendPduHandle: success or failure
processPdu
• Used by the Dispatcher to pass an incoming request or notification PDU to an application
• Security-related information is required to generate a matching response message
• The security subsystem will check whether access is allowed and a response will be generated accordingly
returnResponsePdu
• Used by a command responder to return an SNMP response in response to an incoming request or notification
Message Processing Subsystem Primitives
prepareOutgoingMessage
• Prepares a message for an outgoing SNMP request or notification PDU
• The IN parameter is a PDU and the OUT parameter is the message
• Success or failure is returned
prepareResponseMessage
• Requests the preparation of a message containing an outgoing SNMP response PDU, in response to an incoming request or notification PDU
Security Subsystem Primitives
generateRequestMessage
• Generates a “message” containing an outgoing SNMP request or notification PDU
• Returns to the MPS a message (possibly with authentication and encryption) and the associated security parameters
processIncomingMessage
• Provides the security function for incoming messages
• Returns success or failure indicating the result of the security check
• If successful, a PDU is returned to the MPS
generateResponseMessage
• Generates a message containing an outgoing SNMP response PDU in response to an incoming request or notification
• Returns to the MPS a message (with some authentication and encryption applied) and the associated security parameters
Section: SNMPv3 Applications
Command Generator
1) Examine the parameters from the received PDU and match/compare them with a cached copy (security model/level/name, contextName, etc.). If they do not match, the message is discarded
2) Check the received PDU (check request-id, etc.)
3) If all OK, then take action
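The dispatcher primitives (sendPdu, sendPduHandle, processResponsePdu) and the three Command Generator steps above fit together in a small amount of code. The following is an added illustration, not code from the slide deck or from any SNMP stack: a dispatcher that caches the parameters each request was sent with, hands back a sendPduHandle, and on processResponsePdu compares the cached security model/level/name, contextName and request-id before the response is accepted. The class and field names are assumptions made for this example; the request values are constructed.

```python
"""Constructed example of the command-generator side of the dispatcher
primitives: sendPdu caches the request and returns a handle, and
processResponsePdu applies the three Command Generator checks.
Added illustration, not the deck's or any SNMP library's code."""
import itertools


class CachedRequest:
    """What the generator remembers about each outstanding request."""

    def __init__(self, request_id, security_model, security_level,
                 security_name, context_name):
        self.request_id = request_id
        self.security_model = security_model      # e.g. 3 = USM
        self.security_level = security_level      # noAuthNoPriv/authNoPriv/authPriv
        self.security_name = security_name
        self.context_name = context_name


class Dispatcher:
    def __init__(self):
        self._handles = itertools.count(1)
        self.outstanding = {}  # sendPduHandle -> CachedRequest

    def send_pdu(self, request_id, security_model, security_level,
                 security_name, context_name):
        """sendPdu: cache the parameters the PDU was sent with and return
        the sendPduHandle the application uses to track the response."""
        handle = next(self._handles)
        self.outstanding[handle] = CachedRequest(
            request_id, security_model, security_level, security_name, context_name)
        return handle

    def process_response_pdu(self, handle, response):
        """processResponsePdu for an incoming response.

        `response` is a dict of the parameters the security subsystem
        reported for the incoming message plus the PDU's request-id.
        Returns "accept" or a "discard: ..." reason.
        """
        cached = self.outstanding.get(handle)
        if cached is None:
            return "discard: unknown sendPduHandle"
        # Step 1: security model/level/name and contextName must equal the
        # cached copy, otherwise the reply may come from a different
        # (possibly masquerading) engine or context.
        for field in ("security_model", "security_level",
                      "security_name", "context_name"):
            if response.get(field) != getattr(cached, field):
                return f"discard: {field} mismatch"
        # Step 2: the request-id inside the PDU must match the request.
        if response.get("request_id") != cached.request_id:
            return "discard: request-id mismatch"
        # Step 3: all OK. Consuming the handle means a copy of the same
        # response delivered again is not matched a second time.
        del self.outstanding[handle]
        return "accept"


def demo():
    """Constructed exchange: one good response, one replay, one downgraded."""
    d = Dispatcher()
    h = d.send_pdu(42, 3, "authPriv", "netadmin", "")
    good = {"request_id": 42, "security_model": 3, "security_level": "authPriv",
            "security_name": "netadmin", "context_name": ""}
    first = d.process_response_pdu(h, good)
    replay = d.process_response_pdu(h, good)
    h2 = d.send_pdu(43, 3, "authPriv", "netadmin", "")
    downgraded = d.process_response_pdu(h2, dict(good, request_id=43,
                                                 security_level="authNoPriv"))
    return first, replay, downgraded
```

The handle is deleted on acceptance so that a duplicated response (the message stream modification threat from the first section) is discarded rather than processed twice, and a reply whose security level differs from the request is rejected even when its request-id matches.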
Command Responder
1) Examine the content of the request PDU. Check whether the object has already been registered with the responder
2) isAccessAllowed is invoked (to determine whether the object can be accessed by the principal making the request) and the security level is checked
3) If access is permitted, prepare a response
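Step 2 is where the access control subsystem decides "who can access what". As an added illustration, not code from the slides or from any agent implementation, the following models an isAccessAllowed check in the view-based style: the (securityModel, securityName) pair maps to a group, the group plus contextName and a minimum security level selects read and write views, and the requested OID must fall inside the view. The table contents, user names and OIDs are constructed; the status names returned (accessAllowed, notInView, noSuchView, noGroupName, noAccessEntry) follow the VACM vocabulary.

```python
"""Constructed example of a view-based isAccessAllowed check of the kind the
command responder invokes before reading or writing the MIB.  Added
illustration, not the deck's or any SNMP agent's code; tables are made up."""

# Ordering of security levels, so an entry can require "at least authNoPriv".
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# Group table: (securityModel, securityName) -> groupName.  3 = USM.
GROUPS = {
    (3, "operator"): "readonly",
    (3, "netadmin"): "admins",
}

# Access table: (groupName, contextName, securityModel, minimum securityLevel)
# -> (readView, writeView).  None means no view of that kind, i.e. no access.
ACCESS = {
    ("readonly", "", 3, "authNoPriv"): ("systemOnly", None),
    ("admins", "", 3, "authPriv"): ("all", "all"),
}

# View table: viewName -> list of (subtree OID, "included"/"excluded");
# the most specific (longest) matching subtree decides.
VIEWS = {
    "systemOnly": [("1.3.6.1.2.1.1", "included")],            # system group only
    "all": [("1", "included"), ("1.3.6.1.6.3.15", "excluded")],  # hide the USM MIB
}


def _in_subtree(oid, subtree):
    """True when oid equals subtree or lies beneath it."""
    o, s = oid.split("."), subtree.split(".")
    return o[:len(s)] == s


def oid_in_view(view_name, oid):
    """Apply the view's subtree list; the longest matching subtree wins."""
    matches = [(st, kind) for st, kind in VIEWS.get(view_name, [])
               if _in_subtree(oid, st)]
    if not matches:
        return False
    longest = max(matches, key=lambda m: len(m[0].split(".")))
    return longest[1] == "included"


def is_access_allowed(security_model, security_name, security_level,
                      context_name, view_type, oid):
    """Return (allowed, status).  view_type is "read" or "write".

    Mirrors the responder's order of checks: who is asking (group lookup),
    is the security level strong enough (access lookup), is the object in view.
    """
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return False, "noGroupName"
    for (g, ctx, model, min_level), (rview, wview) in ACCESS.items():
        if g != group or ctx != context_name or model != security_model:
            continue
        if LEVELS[security_level] < LEVELS[min_level]:
            return False, "noAccessEntry"   # level too weak for this entry
        view = rview if view_type == "read" else wview
        if view is None:
            return False, "noSuchView"
        if not oid_in_view(view, oid):
            return False, "notInView"
        return True, "accessAllowed"
    return False, "noAccessEntry"
```

Note that the security level used here is whatever the security subsystem established for the incoming message; an entry that requires authPriv cannot be satisfied by a request that arrived unauthenticated, which is the interaction between step 2 and the USM described later.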
Section: Message Format
Message Format
[Figure: SNMPv3 message layout; authentication covers the whole message, and the scopedPDU part is either plaintext or encrypted]
• Version
• Global/Header Data: Message ID, Message Max. Size, Message Flags (reportableFlag, privFlag, authFlag), Message Security Model (1 = SNMPv1, 2 = SNMPv2, 3 = SNMPv3)
• Security Parameters (USM): Authoritative Engine ID, Authoritative Engine Boots, Authoritative Engine Time, User Name, Authentication Parameters, Privacy Parameters
• scopedPDU (plaintext or encrypted): Context Engine ID, Context Name, Data
Time synchronization between entities (Engine Boots / Engine Time) is used to avoid message replay and achieve timeliness
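Two of the header fields above are worth working through: the flags octet, from which the receiver derives the security level, and the Engine Boots / Engine Time pair that the authoritative engine compares against its own clock to reject stale or replayed messages. The following is an added example, not code from the slide deck or from any SNMP implementation; it applies the bit layout of msgFlags and the 150-second time window specified for USM, and the engine values fed to it are constructed.

```python
"""Constructed example of two receiver-side checks on the SNMPv3 header:
decoding msgFlags into a security level and the USM timeliness test.
Added illustration, not the deck's or any SNMP stack's code."""

# Bit positions in the msgFlags octet (RFC 3412).
AUTH_FLAG = 0x01
PRIV_FLAG = 0x02
REPORTABLE_FLAG = 0x04

# USM (RFC 3414): an authenticated message is timely only if the
# authoritative engine time it carries is within this many seconds of the
# receiver's own notion of that engine's time.
TIME_WINDOW = 150
MAX_BOOTS = 2147483647  # once boots reaches this the engine refuses everything


def decode_flags(flags_octet):
    """Return the three flags; reject the combination the spec forbids
    (privacy requested without authentication)."""
    auth = bool(flags_octet & AUTH_FLAG)
    priv = bool(flags_octet & PRIV_FLAG)
    if priv and not auth:
        raise ValueError("invalid msgFlags: privFlag set without authFlag")
    return {"auth": auth, "priv": priv,
            "reportable": bool(flags_octet & REPORTABLE_FLAG)}


def security_level(flags_octet):
    """Map the flags to the securityLevel name used by access control."""
    f = decode_flags(flags_octet)
    if f["priv"]:
        return "authPriv"
    return "authNoPriv" if f["auth"] else "noAuthNoPriv"


def in_time_window(msg_boots, msg_time, local_boots, local_time):
    """Timeliness check as performed by the authoritative engine (the agent
    for a request).  False means the message must be dropped as
    notInTimeWindow: it predates a reboot, is too old, or is a replay."""
    if local_boots == MAX_BOOTS:
        return False
    if msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


def check_message(flags_octet, msg_boots, msg_time, local_boots, local_time):
    """Combine both checks.  The time window is only enforced for
    authenticated messages: an unauthenticated message carries no timestamp
    worth trusting, and it only ever yields noAuthNoPriv access anyway."""
    f = decode_flags(flags_octet)
    if not f["auth"]:
        return True, "noAuthNoPriv"
    if not in_time_window(msg_boots, msg_time, local_boots, local_time):
        return False, "notInTimeWindow"
    return True, security_level(flags_octet)
```

A manager that has never spoken to an agent does not know its boots/time values; it learns them from the report the agent sends back, which is why the reportableFlag exists. The replayed reboot command from the threats section fails this check once the engine's time has moved more than 150 seconds past the captured value, and fails unconditionally after the agent has rebooted, because the boots counter no longer matches.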
Section: User-based Security Model (USM)
Security Model Goals
• Data Integrity (Authentication): verification that each received SNMP message has not been modified during its transmission through the network
• Authentication: verification of the identity of the user on whose behalf a received SNMP message claims to have been generated
• Message redirection/re-ordering/delay/replay: detection of received SNMP messages, which request or contain management information, whose time of generation was not recent
• Data encryption/decryption: ensuring that the contents of each received SNMP message are protected from disclosure
Security Model
[Figure: Security Subsystem: Authentication Module (data integrity, data origin authentication), Privacy Module (data confidentiality), Timeliness Module (message timeliness and limited replay protection), interacting with the Message Processing Model]
• The security model authenticates and forwards incoming and outgoing messages to the MPM
• 3 different modules: authentication module, privacy module, timeliness module
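The authentication module is the one that delivers the first two goals (data integrity and data origin authentication). As an added example, not code from the slide deck or from any SNMP library, the following carries out its two jobs in USM: deriving the user's key from a password and localizing it to one engine's snmpEngineID (so the same password yields a different key on every agent), and computing the 12-octet HMAC-96 that fills the Authentication Parameters field, with that field zeroed while the MAC is taken over the whole message. The message bytes and engine IDs are constructed stand-ins rather than BER-encoded SNMP; the password "maplesyrup" with engine ID 00…02 is the test vector from RFC 3414 Appendix A, used here only to check the key derivation.

```python
"""Constructed example of the USM authentication module: password-to-key,
key localization, and HMAC-96 generation/verification over a message.
Added illustration, not the deck's or any SNMP implementation's code."""
import hashlib
import hmac

AUTH_PARAMS_LEN = 12  # HMAC output truncated to 96 bits


def password_to_key(password, hash_name="sha1"):
    """Ku: hash of the password repeated out to exactly 1,048,576 octets."""
    pw = password.encode()
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(hash_name, pw * reps + pw[:rem]).digest()


def localize_key(password, engine_id, hash_name="sha1"):
    """Kul = H(Ku || snmpEngineID || Ku).  Because the engine ID is mixed in,
    a key recovered from one agent does not authenticate to any other."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def _zero_auth_field(whole_msg, offset):
    return (whole_msg[:offset] + b"\x00" * AUTH_PARAMS_LEN
            + whole_msg[offset + AUTH_PARAMS_LEN:])


def authenticate(whole_msg, auth_params_offset, key, hash_name="sha1"):
    """Sender side: MAC the message with the 12-octet parameters field zeroed,
    then write the truncated MAC into that field."""
    o = auth_params_offset
    zeroed = _zero_auth_field(whole_msg, o)
    mac = hmac.new(key, zeroed, hash_name).digest()[:AUTH_PARAMS_LEN]
    return zeroed[:o] + mac + zeroed[o + AUTH_PARAMS_LEN:]


def verify(whole_msg, auth_params_offset, key, hash_name="sha1"):
    """Receiver side: recompute over the zeroed field and compare in constant
    time.  Any flipped bit anywhere in the message changes the result."""
    o = auth_params_offset
    received = whole_msg[o:o + AUTH_PARAMS_LEN]
    expected = hmac.new(key, _zero_auth_field(whole_msg, o),
                        hash_name).digest()[:AUTH_PARAMS_LEN]
    return hmac.compare_digest(received, expected)


# Constructed stand-in for a serialized message: some header bytes, a 12-byte
# slot for the authentication parameters, then the scopedPDU bytes.
SAMPLE_HEADER = b"SNMPv3|msgID=1|flags=auth|model=USM|user=netadmin|"
SAMPLE_PDU = b"scopedPDU|get|sysName.0"
SAMPLE_MSG = SAMPLE_HEADER + b"\x00" * AUTH_PARAMS_LEN + SAMPLE_PDU
AUTH_OFFSET = len(SAMPLE_HEADER)
ENGINE_A = bytes.fromhex("800000090300001122334455")  # constructed
ENGINE_B = bytes.fromhex("8000000903000011223344aa")  # constructed


def demo():
    """Sign with engine A's localized key, then try a tampered copy and the
    key the same password produces on engine B."""
    key_a = localize_key("maplesyrup", ENGINE_A)
    signed = authenticate(SAMPLE_MSG, AUTH_OFFSET, key_a)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one PDU bit
    return {
        "valid": verify(signed, AUTH_OFFSET, key_a),
        "tampered": verify(tampered, AUTH_OFFSET, key_a),
        "wrong_engine_key": verify(signed, AUTH_OFFSET,
                                   localize_key("maplesyrup", ENGINE_B)),
    }
```

The MAC covers the header as well as the PDU, so the Engine Boots / Engine Time values from the previous section are protected too: an attacker cannot refresh the timestamp on a captured message without invalidating its authentication parameters. Privacy is layered on top: the scopedPDU is encrypted first and the MAC is then computed over the message carrying the ciphertext.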