EE579T Network Security
10: An Overview of SNMP
Prof. Richard A. Stanley
WPI
Overview of Tonight’s Class
• Review last week’s lesson
• Course project outlines
• Security in the news
• SNMP
Summary
• TCP/IP was not intended as a secure protocol; as a result, it has vulnerabilities that can be exploited
• There are many ways to get access to info
• There are many types of attacks that can be mounted over network connections in order to gain unauthorized access to resources
• Never forget, the best access is hands-on
Projects to Present on April 17
• Team 1: Kerberos
  • Xiangping Xu, Yang, Gao, Yingchun Xu
• Team 2: Mobile IP Security
  • Phadnis, Misra, Shetty, Subramaniam
• Team 3: Routing Security
  • Aytek, Baktir, Yadlon
• Team 9: SNMP Vulnerability
  • Staake, Peterson, Schweinsberg, Toczek
Projects to Present on April 17
• Team 5: deleted
• Team 6: Fibre Channel Security
  • Elkind, Maki, Deshpande, Nat, Rongfred
• Team 7: Bluetooth Security
  • Mason, Bouchard
• Team 8: Flawed WEP & Fixes
  • Doraisami, Shirali, Shukla, Thurston
Projects to Present on April 24
• Team 4: Exploiting Firewall Rule Sets
  • Kurtz, Barrett
• Team 10: TCP Security Flaws
  • Kavita, Anuj, Nikhil
• Team 11: Intrusion Detection
  • Madhavi, Shankar, Rohan, Swathi
• Team 12: Network Worms
  • Yuefeng, Wei, Xin
Projects to Present on April 24
• Team 13: Web Services Security
  • Geldmacher, Johnston
• Team 14: DDoS
  • Hill, Voduc, Huynh
• Team 15: S/W Firewalls
  • Page, Poon, Ibrahim, Meawad, Leclerc
• Team 16: Honeypots
  • Hartling, Lawson, Posluszny, Chung
Crypto Security -- Again
• Bugtraq reports 1024-bit RSA encryption should be “considered compromised”
• Estimates factoring can be done for <$1B
• What uses a key stronger than 1024 bits?
• So, are SSL, S/MIME, all toast?
• What about risk management?
  • Is what you have worth $1B to someone?
  • If so, do they have the $1B to spend on it?
Real-World Security Lessons
• Hotel in Netanya, Israel attacked by suicide bomber during religious observance
  • 15 dead, 100 wounded
• Arab League meeting in Beirut about peace
• Bomber’s motivation?
• Net security lessons?
SNMP Outline
• Basic Concepts of SNMP
• SNMPv1 Community Facility
• SNMPv2
• SNMPv3
Why SNMP?
• To provide a simple means of managing objects across a network
  • These objects need not be network elements
  • The objects need not support SNMP (although it makes things easier if they do!)
• “Management” can be tailored to mean what we need it to mean
• First introduced in 1988
Basic Concepts of SNMP
• An integrated collection of tools for network monitoring and control
  • Single operator interface
  • Minimal amount of separate equipment; software and network communications capability built into the existing equipment
• SNMP key elements:
  • Management station (physical device)
  • Management agent (software implementation)
  • Management information base (collection of objects)
  • Network management protocol
    • Get, Set and Trap
SNMP MIB
• Management Information Base = MIB
• Database held at the managed client
  • Scalar variables
  • 2D tables
• Uses streamlined protocol to:
  • Allow manager to Get and Set MIB variables
  • Enable agent to issue unsolicited notifications
    • These are called traps
SNMP Characteristics
• Runs over UDP/IP or TCP/IP, depending on version
• Uses
  • Port 161 (for messages)
  • Port 162 (for traps)
SNMP Protocol [diagram slide]
SNMP Commands
• Get
  • Query a MIB for information
• Set
  • Set values in a MIB
• Trap
  • Send condition information
  • Asynchronous
SNMP Proxies
• SNMPv1 supports UDP over IP
  • Period!
• There are lots of clients out there that need to be managed that don’t speak UDP
• Proxies bridge the gap
  • Provide translation of client management language to SNMP
  • Interfaces to SNMP for the client
SNMPv2
• Allows use of TCP/IP, and others
• Provides additional management features
  • Distributed network management
    • Single-server hierarchical networks get overloaded
  • Functional enhancements
    • GetBulk – retrieve block of data at once
    • Inform – intra-management station communications of events and/or conditions
  • Removes atomicity from the Get command
SNMP v1 and v2
• SNMPv2 intended to deal with deficiencies of SNMPv1
  • Introduced first in 1993
• SNMPv1 is “connectionless”
  • Just like HTTP
  • Why?
  • Utilizes UDP as the transport layer protocol
• SNMPv2 allows use of TCP for “reliable, connection-oriented” service
SNMPv1 Community Facility
• SNMP Community – Relationship between an SNMP agent and SNMP managers
  • Think of a network domain as an analog
• Three aspects of agent control:
  • Authentication service
  • Access policy
  • Proxy service
Access Policy
• SNMP MIB View
  • Subset of objects within the MIB
  • May be on different MIB sub-trees
• SNMP Access Mode
  • Element of the set of MIB objects
  • Defined for each community
• These two together are the SNMP Community Profile
What About Proxied Clients?
• Supported within community concept
• Proxy is an SNMP agent that acts on behalf of other (foreign) devices
• For each device supported, SNMP proxy maintains an access policy
  • Therefore, proxy knows which MIB objects can be used to manage the proxied system, and their access mode
Where is the Security?
• SNMPv1 has no inherent security
  • Messages can be spoofed, altered, or deleted
  • Does this have a potential for evil?
• SNMPv2 doesn’t have any, either
  • It actually makes things worse by introducing the distributed management concept
• What to do?
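To make the message structure from the "SNMP Commands" slides and the "no inherent security" point concrete, here is an added example (not from the slides or any SNMP library) that hand-encodes an SNMPv1 GetRequest in BER and then reads the header back the way a passive sensor on the path could. The OID, request-id and community value are constructed sample data; the tags (0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING, 0x06 OID, 0x05 NULL, 0xA0 GetRequest-PDU) are the standard ASN.1/SNMP ones.

```python
"""Encode an SNMPv1 GetRequest with hand-rolled BER and inspect its cleartext header.
Added example; constants are standard SNMP/ASN.1 tags, the packet contents are constructed."""
from typing import List, Tuple


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|byte-count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER in two's complement, keeping a leading sign bit where needed (128 -> 00 80)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


GET_REQUEST = 0xA0   # context-specific tag [0]: GetRequest-PDU


def encode_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)  # value = NULL
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds)  # error-status/index = 0
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(GET_REQUEST, pdu))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        count = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + ln], pos + ln


def peek_community(packet: bytes) -> Tuple[int, str]:
    """What any host on the path can read from the header: the version and the community string."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vval, pos = read_tlv(body, 0)
    ctag, cval, _ = read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("malformed message header")
    return int.from_bytes(vval, "big", signed=True), cval.decode("latin-1")


if __name__ == "__main__":
    pkt = encode_get_request("public", ["1.3.6.1.2.1.1.1.0"])  # sysDescr.0, constructed sample
    print(pkt.hex())
    print(peek_community(pkt))  # the community string travels in the clear: (0, 'public')
```

The same `peek_community` logic is what a monitoring tap would use to flag SNMPv1/v2c traffic carrying default or weak community strings; nothing in the message is keyed, so there is nothing the agent can check beyond string equality.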
Enter SNMPv3
• Framework for incorporating security into SNMPv1 or SNMPv2
  • Introduced 1998
• Not a standalone replacement for either v1 or v2!!
  • Adds security
  • Requires underlying SNMP system
• Not yet completely standardized
User Security Model (USM)
• Designed to secure against:
  • Modification of information (integrity)
  • Masquerade (authentication)
  • Message stream modification (stream integrity)
  • Disclosure (confidentiality)
• Not intended to secure against:
  • Denial of Service (DoS attack)
  • Traffic analysis
In Theory…
• DoS attacks may look like network failure (imagine that!)
• DoS should be dealt with by an overall network security capability, not one embedded in a protocol
• Traffic analysis no problem, as management traffic highly predictable anyway
• What do you think?
USM Encryption
• Authentication (using authKey)
  • HMAC-MD5-96
  • HMAC-SHA1-96
• Encryption (using privKey)
  • DES CBC
  • Uses first 64 bits of the 16-octet privKey
  • Last 64 bits used as IV to DES CBC
• Key values not accessible from SNMP
Authoritative Engine
• SNMP messages with payloads that expect a response (Get…, Set, Inform)
  • Receiver of message is authoritative
• SNMP messages with payload that does not expect response (Trap, Response, Report)
  • Sender is authoritative
• So what?
Key Localization
• Allows single user to own keys stored in multiple engines
• Key localized to each authoritative engine using hash functions
• Avoids problem of a single key being stored in many places
• Greatly slows brute force attack
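The "USM Encryption" and "Key Localization" slides describe the USM key material without showing the arithmetic. The following added example (my code, not the lecture's or any SNMP implementation's) walks the RFC 3414 pipeline: password to user key Ku, localization to Kul with the engine's snmpEngineID, HMAC-MD5-96/HMAC-SHA1-96 truncation, and the split of the 16-octet DES privKey. The password "maplesyrup" and the 12-octet engine ID are the published RFC 3414 test-vector inputs (assumed here, not on the slides); the message being authenticated is constructed.

```python
"""RFC 3414 USM key derivation, per-engine localization, HMAC-96 and DES privKey split.
Added example; not code from the slides. Test-vector inputs follow RFC 3414 Appendix A."""
import hashlib
import hmac
from typing import Tuple

ONE_MEGABYTE = 1048576


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku = H(password repeated to exactly 1 MiB). Slow by design: it taxes brute force."""
    pw = password.encode()
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password yields a different key on every engine,
    so compromising one agent's key does not expose the others."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_param(kul: bytes, whole_message: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA1-96: the full HMAC truncated to its first 12 octets."""
    return hmac.new(kul, whole_message, algo).digest()[:12]


def verify_auth_param(kul: bytes, whole_message: bytes, received: bytes, algo: str = "md5") -> bool:
    """Constant-time comparison of the received msgAuthenticationParameters."""
    return hmac.compare_digest(auth_param(kul, whole_message, algo), received)


def split_priv_key(priv_key: bytes) -> Tuple[bytes, bytes]:
    """DES privKey: first 8 octets are the DES key, last 8 octets feed the CBC IV
    (RFC 3414 calls them the pre-IV and XORs them with a per-message salt)."""
    if len(priv_key) != 16:
        raise ValueError("DES privKey must be 16 octets")
    return priv_key[:8], priv_key[8:]


if __name__ == "__main__":
    engine_a = bytes(11) + b"\x02"      # RFC 3414 A.3 engine ID (assumed input)
    engine_b = bytes(11) + b"\x03"      # a second engine, constructed
    ku = password_to_key("maplesyrup")
    kul_a, kul_b = localize_key(ku, engine_a), localize_key(ku, engine_b)
    print("Ku   ", ku.hex())
    print("Kul A", kul_a.hex())
    print("Kul B", kul_b.hex(), "(different engine, different key)")
    msg = b"\x30\x05constructed-snmpv3-message"   # constructed placeholder, not real BER
    tag = auth_param(kul_a, msg)
    print("HMAC-MD5-96", tag.hex(), verify_auth_param(kul_a, msg, tag))
    print("DES key / pre-IV", *[x.hex() for x in split_priv_key(localize_key(ku, engine_a))])
```

Note that `verify_auth_param` uses `hmac.compare_digest`; an agent that compares the 12-octet tag with ordinary byte equality leaks timing information about how many leading bytes matched.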
Timeliness
• Determined by a clock kept at the authoritative engine
• When authoritative engine sends a message, it includes the current clock value
  • Nonauthoritative agent synchronizes on clock value
• When nonauthoritative engine sends a message, it includes the estimated destination clock value
• These procedures allow assessing message timeliness
• Why do we care?
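The four steps on the "Timeliness" slide form one procedure, so here is an added example (mine, not from the lecture or any SNMP stack) that models both sides: the authoritative engine's (snmpEngineBoots, snmpEngineTime) clock, the non-authoritative engine's synchronized copy and its estimate of the peer's clock, and the window check each side applies. The 150-second window and the latched boots value 2147483647 are RFC 3414's numbers, assumed here since the slides do not state them; the clock values are constructed.

```python
"""USM timeliness: authoritative clock, peer synchronization and the time-window check.
Added example; the 150 s window and the latched boots value come from RFC 3414, not the slides."""
from dataclasses import dataclass

TIME_WINDOW = 150           # seconds (RFC 3414 value, assumption beyond the slides)
MAX_BOOTS = 2147483647      # snmpEngineBoots 'latched' value: the engine must be re-keyed


@dataclass
class EngineClock:
    boots: int   # snmpEngineBoots: restarts since the engine was configured
    time: int    # snmpEngineTime: seconds since the latest restart


@dataclass
class PeerSync:
    """A non-authoritative engine's memory of an authoritative peer's clock."""
    boots: int
    time: int
    observed_at: float   # local clock reading when (boots, time) was learned

    def estimate(self, now: float) -> EngineClock:
        """Estimated destination clock, placed in messages sent to that peer."""
        return EngineClock(self.boots, self.time + int(now - self.observed_at))


def authoritative_accepts(local: EngineClock, claimed: EngineClock) -> bool:
    """Receiver is authoritative (Get/Set/Inform): the sender's estimate must match
    our boot count and fall within the window of our real clock. Replays of an old
    message fail here once the clock has moved on."""
    if local.boots == MAX_BOOTS or claimed.boots != local.boots:
        return False
    return abs(local.time - claimed.time) <= TIME_WINDOW


def nonauthoritative_accepts(sync: PeerSync, claimed: EngineClock) -> bool:
    """Sender is authoritative (Response/Trap/Report): its clock must not have gone
    backwards relative to what we already learned, beyond the window."""
    if claimed.boots == MAX_BOOTS or claimed.boots < sync.boots:
        return False
    if claimed.boots == sync.boots and claimed.time < sync.time - TIME_WINDOW:
        return False
    return True


def synchronize(sync: PeerSync, claimed: EngineClock, now: float) -> PeerSync:
    """Adopt the peer's clock only from an authenticated message whose values moved forward;
    accepting a lower value would let an old message roll the window back."""
    if claimed.boots > sync.boots or (claimed.boots == sync.boots and claimed.time > sync.time):
        return PeerSync(claimed.boots, claimed.time, now)
    return sync


if __name__ == "__main__":
    agent = EngineClock(boots=3, time=1000)                 # constructed authoritative clock
    manager = PeerSync(boots=3, time=500, observed_at=0.0)  # learned 500 s behind, at local t=0
    print("estimate at t=40:", manager.estimate(40.0))
    print("fresh request accepted:", authoritative_accepts(agent, EngineClock(3, 1100)))
    print("stale request accepted:", authoritative_accepts(agent, EngineClock(3, 700)))
    manager = synchronize(manager, EngineClock(3, 1000), now=40.0)
    print("after sync:", manager)
```

The answer to "Why do we care?" is replay: without the window, a captured authenticated Set could be re-sent later and would still verify, since the HMAC alone says nothing about when the message was made.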
View-Based Access Control Model (VACM)
• VACM has two characteristics:
  • Determines whether access to a managed object should be allowed
  • Makes use of a MIB that:
    • Defines the access control policy for this agent
    • Makes it possible for remote configuration to be used
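The "Access Policy" slide (MIB view + access mode = community profile) and the VACM slide describe the same decision: is this operation on this object allowed? The added example below (my code, not the lecture's or any agent's) implements that decision with VACM-style included/excluded subtree families, where the most specific matching family wins. It omits VACM's family masks and context names for brevity (a simplification, not the full model); the view contents, community names and OIDs (mib-2 system and ip groups, usmUserTable) are constructed sample policy.

```python
"""Community profile / VACM-style access decision: MIB view plus access mode.
Added example; simplified (no family masks, no contexts) and not code from the slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(dotted: str) -> OID:
    return tuple(int(x) for x in dotted.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:
    subtree: OID
    included: bool = True   # vacmViewTreeFamilyType: included / excluded


@dataclass
class MibView:
    """One named view: a list of subtree families. The longest matching subtree decides."""
    families: List[ViewFamily]

    def contains(self, oid: OID) -> bool:
        best: Optional[ViewFamily] = None
        for fam in self.families:
            if oid[:len(fam.subtree)] == fam.subtree:
                if best is None or len(fam.subtree) > len(best.subtree):
                    best = fam
        return best is not None and best.included


@dataclass
class CommunityProfile:
    """SNMPv1 community profile: the view plus the access mode granted to it."""
    view: MibView
    access_mode: str   # "read-only" or "read-write"


def is_allowed(profile: CommunityProfile, op: str, oid_dotted: str) -> bool:
    """Deny unless the object is in the view; Set additionally needs read-write."""
    oid = parse_oid(oid_dotted)
    if not profile.view.contains(oid):
        return False
    if op == "get":
        return True
    if op == "set":
        return profile.access_mode == "read-write"
    raise ValueError(f"unknown operation {op!r}")


def sample_profiles() -> Dict[str, CommunityProfile]:
    """Constructed policy: mib-2 is visible except the ip group; nothing else is."""
    view = MibView([
        ViewFamily(parse_oid("1.3.6.1.2.1")),                     # mib-2 included
        ViewFamily(parse_oid("1.3.6.1.2.1.4"), included=False),   # ip group excluded
    ])
    return {
        "monitor": CommunityProfile(view, "read-only"),
        "operator": CommunityProfile(view, "read-write"),
    }


if __name__ == "__main__":
    profiles = sample_profiles()
    checks = [
        ("monitor", "get", "1.3.6.1.2.1.1.1.0"),       # sysDescr.0
        ("monitor", "set", "1.3.6.1.2.1.1.5.0"),       # sysName.0
        ("operator", "set", "1.3.6.1.2.1.1.5.0"),
        ("operator", "get", "1.3.6.1.2.1.4.1.0"),      # ipForwarding.0, excluded subtree
        ("operator", "get", "1.3.6.1.6.3.15.1.2.2"),   # usmUserTable, outside the view
    ]
    for community, op, oid in checks:
        print(f"{community:9s} {op:3s} {oid:22s} -> {is_allowed(profiles[community], op, oid)}")
```

The excluded-subtree rule is the part worth testing on a real agent: a view that includes mib-2 but forgets to exclude the objects a read-write community must never reach is the usual way a "monitoring" profile turns into a configuration channel.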
SNMPv3 Security
• SNMPv3 solves SNMP security problems, right?
  • NOT!
• Decent security implementation, but reality is:
  • SNMPv1 still holds ~95% of the market
  • Even SNMPv2 not widely deployed
  • Upgrading to SNMPv3 is difficult and costly (sort of like moving from Win95 to WinXP all at once)
  • There is the issue of proxies and foreign clients
• SNMPv3 is the clear long-term choice
Recent SNMP Security Events
• CERT Advisory 12 Feb 02, revised 26 Mar 02, warns about potential for
  • unauthorized privileged access (which allows, inter alia, enumeration of SNMP agents)
  • denial of service attacks
  • unstable behavior
• Vulnerabilities in both messages and traps
• Vulnerabilities are in SNMPv1!
This is Not New News!
• After this class, are you surprised?
• These vulnerabilities have been in SNMP since Day One
• Only now, with an increased emphasis on security, are they getting the attention they deserve
• Officially, the vulnerabilities have not been exploited. Unofficially, they have.
Summary
• SNMP is widely used for managing clients distributed across a network
• SNMPv1 is simple, effective, and provides the majority of SNMP service in the field
• SNMPv2 adds some functionality to v1
• SNMPv3 is a security overlay for either version, not a standalone replacement
• SNMP security is a major issue!
Homework
• Read Stallings, Chapters 8 & 10
• Do Problems 8.2, 8.4, 8.8