Dive into RFC 2574: User-based Security Model (USM) for SNMP-v3. Presentation by Sasan Adibi.
1
Dive into RFC 2574
User-based Security Model (USM) for the SNMP-v3
2
Threats
Limited protection provided for:
• Modification of Information
• Masquerade: unauthorized users falsely claiming an authorized identity
• Disclosure: eavesdropping on the exchange between managed agents and the management station
• Message Stream Modification: danger of the message being re-ordered, delayed, or replayed by unauthorized management stations
3
Threats Cont.
No protection against:
• Denial of Service
• Traffic Analysis
4
Goals
Verify that each received SNMP message has not been modified during its transmission through the network.
Verify the identity of the user on whose behalf a received SNMP message claims to have been generated.
Detect the received SNMP messages, which request or contain management information, whose time of generation was not recent.
Provide, when necessary, that the contents of each received SNMP message are protected from disclosure.
5
Constraints
When the requirements of effective management in times of network stress are inconsistent with those of security, the design should prefer the former
Neither the security protocol nor its underlying security mechanisms should depend upon the ready availability of other network services (e.g., Network Time Protocol (NTP) or key management protocols)
A security mechanism should entail no changes to the basic SNMP network management philosophy
6
Security Services
Data Integrity
Data Origin Authentication
Data Confidentiality
Message timeliness and limited replay protection
7
Why Use SNMP-v3
• Authentication
  • HMAC-MD5-96 or SHA authentication
  • Password must be greater than 8 characters, including spaces
• Privacy
  • Packet data may now be DES encrypted (additional encryptions)
  • CBC-DES Symmetric Encryption Protocol
  • Allows for a unique privacy password
• Inform Traps
  • Old-style trap was "throw-n-pray" over UDP
  • v2 Inform trap is over TCP and requires a response
  • Traps may also have authentication and privacy passwords
• Security Structures
  • User / Scope / ACL may all have independent AuthPriv structures
8
Authoritative and Non-authoritative Engines
In any message, one of the transmitter/receiver SNMP entities is designated as the authoritative SNMP engine:
• When a message expects a response, the receiver of such messages is authoritative
• When no response is expected, the sender is authoritative
This serves two purposes:
• Timeliness of the message is determined with the clock of the authoritative engine
• Key localization process
9
Protocol context of SNMP
10
SNMPv3 Architecture
SNMPv3 architecture (RFC 2571) consists of a distributed collection of SNMP entities communicating together
Each SNMP entity may act as manager, agent, or combination
SNMP Engine implements functions for:
• Sending and receiving messages
• Authenticating and encrypting/decrypting messages
• Controlling access to managed objects
11
SNMP Engine Modules
The modular nature means that upgrades to individual modules can be made without redoing the architecture.
Modules:
• Dispatcher
• Message Processing Subsystem
• Security Subsystem
• Access Control Subsystem
12
SNMP Manager
[Diagram: SNMP Manager. Applications: Notification Receiver, Command Generator. Engine: PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, other); Security Subsystem (Community-based Security Model, User-based Security Model, other security model).]
13
SNMP Agent
[Diagram: SNMP Agent. Engine: PDU Dispatcher, Message Dispatcher, Transport Mappings; Message Processing Subsystem (SNMPv1, SNMPv2c, SNMPv3, other); Security Subsystem (Community-based Security Model, User-based Security Model, other security model); Access Control Subsystem (View-based Access Control). Applications: Notification Originator, Command Responder. Management Information Base.]
14
SNMP Engine Modules: Dispatcher
The Dispatcher is a simple traffic manager.
On incoming messages:
• It accepts incoming messages from the transport layer
• Routes each message to the appropriate message processing module
• When the message processing completes, the Dispatcher sends the PDU to the appropriate application
On outgoing messages:
• It accepts PDUs from the application layer
• Sends them to the Message Processing Subsystem
• Sends them to the transport layer
15
SNMP Engine Modules: Dispatcher
Dispatcher submodules:
• PDU Dispatcher: sends/accepts Protocol Data Units (PDUs) to/from SNMP applications
• Message Dispatcher: transmits to/from the Message Processing Subsystem
• Transport Mapping: sends/receives transport layer packets
16
Message Processing Module
On outgoing PDUs:
• Accepts outgoing PDUs from the dispatcher
• Passes the message to the Security Subsystem
• Wraps the result with the appropriate header
• Sends it back to the dispatcher
On incoming PDUs:
• Accepts messages from the dispatcher
• Processes the headers
• Possibly sends to the Security Subsystem for authentication and decryption
• Returns the enclosed PDU to the dispatcher
17
Security and Access Control Modules
Security modules:
• User-based Security Model (USM)
• Other security models allowed for, but not yet.
Access control modules:
• View-based Access Control Model (VACM)
• Others allowed
18
SNMPv3 Terminology
• snmpEngineId: unique ID of the engine (octet string)
• contextEngineId: unique ID of the SNMP entity
• contextName: identifies a particular context within the SNMP engine
• scopedPDU: block including contextEngineId, contextName and an SNMP PDU
• snmpMessageProcessingModel: unique identifier
• snmpSecurityModel: integer indicating whether authentication and/or encryption are required
• principal: the entity for “Whom the Bell Tolls”
• securityName: string representation of the principal
19
SNMPv3 Applications
Command generator applications
• Make use of the sendPdu primitive
• Dispatcher, then Message Processing, then Security Subsystem
• Finally UDP
• Later, the processResponse dispatcher primitive handles the response
Notification originator/receiver applications
• Operate similarly, sending a notification
Command responder applications use the primitives:
• registerContextEngineID: here is my ID (unregister also)
• processPDU
• returnResponsePDU
• isAccessAllowed (Access Control Subsystem primitive)
Proxy forwarder application
20
Message Processing Model
RFC 2572 defines the message processing model.
On outgoing messages the model:
• Accepts PDUs from the dispatcher
• Encapsulates them in messages
• Invokes the User-based Security Model (USM) to insert security-related parameters in the headers
On incoming messages it:
• Invokes the User-based Security Model (USM) to process the security-related parameters in the header
• Delivers the encapsulated PDU back to the dispatcher
• SNMP message: first five fields
21
SNMPv3 Message Format with USM
22
USM Timeliness Mechanisms
The non-authoritative engine maintains copies of:
• snmpEngineBoots: number of times the authoritative engine has rebooted since it was originally configured (0 to 2^31)
• snmpEngineTime
• latestReceivedEngineTime
USM update conditions
USM update rule
Message judged to be outside window …
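The update rule and window check the slide lists, written out as an added example (not code from the slides or from RFC 2574): the authoritative receiver compares the message's boots/time against its own clock, while the non-authoritative receiver first updates its cached copy of the remote engine's clock and then judges the window. The 150-second window and the 2^31-1 boots limit are RFC 2574 values; the EngineClock type and the sample values are constructed here.

```python
from dataclasses import dataclass

MAX_BOOTS = 2**31 - 1   # once snmpEngineBoots reaches this, every message is out of window
TIME_WINDOW = 150       # seconds, the USM timeliness window


@dataclass
class EngineClock:
    """Boots/time of one authoritative engine: its own values, or a
    non-authoritative engine's cached copy of them (constructed type)."""
    boots: int
    time: int
    latest_received_time: int = 0


def authoritative_in_window(local: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Receiver is the authoritative engine (e.g. an agent handling a Get):
    the message must carry the receiver's own boots value and a time within 150 s."""
    if local.boots == MAX_BOOTS:
        return False
    if msg_boots != local.boots:
        return False
    return abs(msg_time - local.time) <= TIME_WINDOW


def non_authoritative_in_window(cache: EngineClock, msg_boots: int, msg_time: int) -> bool:
    """Receiver is non-authoritative (e.g. a manager handling a Response).
    Apply the USM update rule to the cached clock, then judge the window.
    Only call this for a message whose HMAC has already verified, otherwise an
    attacker could advance the cached clock with a forged message."""
    # Update rule: accept a newer boots count, or a later time in the same boot period.
    if msg_boots > cache.boots or (msg_boots == cache.boots and msg_time > cache.latest_received_time):
        cache.boots = msg_boots
        cache.time = msg_time
        cache.latest_received_time = msg_time
    # Window check: an older boots count, or a time more than 150 s behind the
    # latest seen, marks a delayed or replayed message.
    if cache.boots == MAX_BOOTS or msg_boots < cache.boots:
        return False
    if msg_boots == cache.boots and msg_time < cache.latest_received_time - TIME_WINDOW:
        return False
    return True


if __name__ == "__main__":
    manager_view = EngineClock(boots=5, time=1000, latest_received_time=1000)  # constructed
    for boots, time in ((5, 1050), (5, 880), (5, 950), (6, 10), (5, 1050)):
        print(boots, time, non_authoritative_in_window(manager_view, boots, time))
```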
23
Key Localization Process
24
SNMPv3 RFCs
[Diagram: SNMP Entity. SNMP Applications (RFC 2573); SNMP Engine (RFC 2571) containing the Dispatcher and Message Processing Subsystem (RFC 2572), the Security Subsystem (USM: RFC 2574) and the Access Control Subsystem (VACM: RFC 2575); other.]
25
SNMP-v3 Strength
Widespread support
• SNMP agents available for many network devices (hosts, routers, switches, bridges, modems, printers, etc.)
Flexible and extensible
• SNMP agents can be extended to cover device-specific data
• Clear mechanism for upgrading
• Additional interoperability via proxies
26
SNMP-v3 Weaknesses
SNMP is not really “simple”
• Complicated protocol to implement
• Complex encoding rules
SNMP is not an efficient protocol
• Bandwidth wasted with useless information
• Inefficiencies of ASN.1 with respect to compactness
SNMP lacking in security
• Lack of privacy or strong authentication
• Offered in SNMP-v3, but SNMP-v1 still widely used
• Limits utility for monitoring remote networks
27
SNMP Weaknesses Cont.
Latency can be high in SNMP
• Request-response protocol, leading to a delay between time of request and time of response
• Typically small in a LAN, but potentially a problem in a WAN
28
THANK YOU