1 / 48

EE579T Network Security 10: An Overview of SNMP

EE579T Network Security 10: An Overview of SNMP. Prof. Richard A. Stanley. Overview of Tonight’s Class. Review last week’s lesson Course project outlines Security in the news SNMP. Summary.

Download Presentation

EE579T Network Security 10: An Overview of SNMP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EE579TNetwork Security10: An Overview of SNMP Prof. Richard A. Stanley WPI

  2. Overview of Tonight’s Class • Review last week’s lesson • Course project outlines • Security in the news • SNMP WPI

  3. Summary • TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited • There are many ways to get access to info • There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources • Never forget, the best access is hands-on WPI

  4. Projects to Present on April 17 • Team 1: Kerberos • Xiangping Xu, Yang, Gao, Yingchun Xu • Team 2: Mobile IP Security • Phadnis, Misra, Shetty, Subramaniam • Team 3: Routing Security • Aytek, Baktir, Yadlon • Team 9: SNMP Vulnerability • Staake, Peterson, Schweinsberg, Toczek WPI

  5. Projects to Present on April 17 • Team 5: deleted • Team 6: Fibre Channel Security • Elkind, Maki, Deshpande, Nat, Rongfred • Team 7: Bluetooth Security • Mason, Bouchard • Team 8: Flawed WEP & Fixes • Doraisami, Shirali, Shukla, Thurston WPI

  6. Projects to Present on April 24 • Team 4: Exploiting Firewall Rule Sets • Kurtz, Barrett • Team 10: TCP Security Flaws • Kavita, Anuj, Nikhil • Team 11: Intrusion Detection • Madhavi, Shankar, Rohan, Swathi • Team 12: Network Worms • Yuefeng, Wei, Xin WPI

  7. Projects to Present on April 24 • Team 13:Web Services Security • Geldmacher, Johnston, • Team 14: DDoS • Hill, Voduc, Huynh • Team 15: S/W Firewalls • Page, Poon, Ibrahim, Meawad, Leclerc • Team 16: Honeypots • Hartling, Lawson, Posluszny, Chung WPI

  8. Top Ten Security Concerns WPI

  9. Crypto Security--Again • Bugtraq reports 1024-bit RSA encryption should be “considered compromised” • Estimates factoring can be done for <$1B • What uses a key stronger than 1024 bits? • So, are SSL, S/MIME, all toast? • What about risk management? • Is what you have worth $1B to someone? • If so, do they have the $1B to spend on it? WPI

  10. Real-World Security Lessons • Hotel in Netanya, Israel attacked by suicide bomber during religious observance • 15 dead, 100 wounded • Arab League meeting in Beirut about peace • Bomber’s motivation? • Net security lessons? WPI

  11. SNMP Outline • Basic Concepts of SNMP • SNMPv1 Community Facility • SNMPv2 • SNMPv3 WPI

  12. Why SNMP? • To provide a simple means of managing objects across a network • These objects need not be network elements • The objects need not support SNMP (although it makes things easier if they do!) • “Management” can be tailored to mean what we need it to mean • First introduced in 1988 WPI

  13. Basic Concepts of SNMP • An integrated collection of tools for network monitoring and control. • Single operator interface • Minimal amount of separate equipment. Software and network communications capability built into the existing equipment • SNMP key elements: • Management station (physical device) • Management agent (software implementation) • Management information base (collection of objects) • Network Management protocol • Get, Set and Trap WPI

  14. SNMP MIB • Management Information Base = MIB • Database held at the managed client • Scalar variables • 2D tables • Uses streamlined protocol to: • Allow manager to Get and Set MIB variables • Enable agent to issue unsolicited notifications • These are called traps WPI

  15. SNMP Characteristics • Runs over UDP/IP or TCP/IP, depending on version • Uses • Port 161 (for messages) • Port 162 (for traps) WPI

  16. SNMP Protocol WPI

  17. SNMP Commands • Get • Query a MIB for information • Set • Set values in a MIB • Trap • Send condition information • Asynchronous WPI

  18. SNMP Proxies • SNMPv1 supports UDP over IP • Period! • There are lots of clients out there that need to be managed that don’t speak UDP • Proxies bridge the gap • Provide translation of client management language to SNMP • Interfaces to SNMP for the client WPI

  19. Proxy Configuration WPI

  20. SNMPv2 • Allows use of TCP/IP, and others • Provides additional management features • Distributed network management • Single-server hierarchical networks get overloaded • Functional enhancements • GetBulk – retrieve block of data at once • Inform – intra-management station communications of events and/or conditions • Removes atomicity from the Get command WPI

  21. SNMP v1 and v2 • SNMPv2 intended deal with deficiencies of SNMPv1 • Introduced first in 1993 • SNMPv1 is “connectionless” • Just like HTTP • Why? • Utilizes UDP as the transport layer protocol. • SNMPv2 allows use of TCP for “reliable, connection-oriented” service WPI

  22. SNMPv2 Distributed Management WPI

  23. SNMPv1 vs. SNMPv2 WPI

  24. SNMPv1 Community Facility • SNMP Community – Relationship between an SNMP agent and SNMP managers • Think of a network domain as an analog • Three aspects of agent control: • Authentication service • Access policy • Proxy service WPI

  25. SNMPv1 Administrative Concepts WPI

  26. Access Policy • SNMP MIB View • Subset of objects within the MIB • May be on different MIB sub-trees • SNMP Access Mode • Element of the set of MIB objects • Defined for each community • These two together are the SNMP Community Profile WPI

  27. What About Proxied Clients? • Supported within community concept • Proxy is an SNMP agent that acts on behalf of other (foreign) devices • For each device supported, SNMP proxy maintains an access policy • Therefore, proxy knows which MIB objects can be used to manage the proxied system, and their access mode WPI

  28. Where is the Security? • SNMPv1 has no inherent security • Messages can be spoofed, altered, or deleted • Does this have a potential for evil? • SNMPv2 doesn’t have any, either • It actually makes things worse by introducing the distributed management concept • What to do? WPI

  29. Enter SNMPv3 • Framework for incorporating security into SNMPv1 or SNMPv2 • Introduced 1998 • Not a standalone replacement for either v1 or v2!! • Adds security • Requires underlying SNMP system • Not yet completely standardized WPI

  30. SNMPv3 Architecture WPI

  31. Traditional SNMP Manager WPI

  32. Traditional SNMP Agent WPI

  33. SNMPv3 Message Flow WPI

  34. SNMP3 Message Format with USM WPI

  35. User Security Model (USM) • Designed to secure against: • Modification of information (integrity) • Masquerade (authentication) • Message stream modification (stream integrity) • Disclosure (confidentiality) • Not intended to secure against: • Denial of Service (DoS attack) • Traffic analysis WPI

  36. In Theory… • DoS attacks may look like network failure (imagine that!) • DoS should be dealt with by an overall network security capability, not one embedded in a protocol • Traffic analysis no problem, as management traffic highly predictable anyway • What do you think? WPI

  37. USM Encryption • Authentication (using authKey) • HMAC-MD5-96 • HMAC-SHA1-96 • Encryption (using privKey) • DES CBC • Uses first 64 bits of the 16-octet privKey • Last 64 bits used as IV to DES CBC • Key values not accessible from SNMP WPI

  38. Authoritative Engine • SNMP messages with payloads that expect a response (Get…, Set, Inform) • Receiver of message is authoritative • SNMP messages with payload that does not expect response (Trap, Response, Report) • Sender is authoritative • So what? WPI

  39. Key Localization • Allows single user to own keys stored in multiple engines • Key localized to each authoritative engine using hash functions • Avoids problem of a single key being stored in many places • Greatly slows brute force attack WPI

  40. Key Localization Process WPI

  41. Timeliness • Determined by a clock kept at the authoritative engine • When authoritative engine sends a message, it includes the current clock value • Nonauthoritative agent synchronizes on clock value • When nonauthoritative engine sends a message, it includes the estimated destination clock value • These procedures allow assessing message timeliness • Why do we care? WPI

  42. View-Based Access Control Model (VACM) • VACM has two characteristics: • Determines whether access to a managed object should be allowed. • Make use of an MIB that: • Defines the access control policy for this agent. • Makes it possible for remote configuration to be used. WPI

  43. Access Control Logic in VACM WPI

  44. SNMPv3 Security • SNMPv3 solves SNMP security problems, right? • NOT! • Decent security implementation, but reality is: • SNMPv1 still holds ~95% of the market • Even SNMPv2 not widely deployed • Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once) • There is the issue of proxies and foreign clients • SNMPv3 is the clear long-term choice WPI

  45. Recent SNMP Security Events • CERT Advisory 12 Feb 02, Revised 26Mar02, warns about potential for • unauthorized privileged access (which allows, inter alia, enumeration of SNMP agents) • denial of service attacks • unstable behavior • Vulnerabilities in both messages and traps • Vulnerabilities are in SNMPv1! WPI

  46. This is Not New News! • After this class, are you surprised? • These vulnerabilities have been in SNMP since Day One • Only now, with an increased emphasis on security, are they getting the attention they deserve • Officially, the vulnerabilities have not been exploited. Unofficially, they have. WPI

  47. Summary • SNMP is widely-used for managing clients distributed across a network • SNMPv1 is simple, effective, and provides the majority of SNMP service in the field • SNMPv2 adds some functionality to v1 • SNMPv3 is a security overlay for either version, not a standalone replacement • SNMP security is a major issue! WPI

  48. Homework • Read Stallings, Chapters 8 & 10 • Do Problems 8.2, 8.4, 8.8 WPI

More Related