Network Security
Part I: Introduction
Network Security Management
SECURITY INNOVATION ©2003
Outline
• The subject is divided into the following:
– Introduction
– SNMP overview
– SNMP security
I Introduction
• Network management protocols enable on-line management of computers & networks.
• They support:
– configuration management,
– accounting,
– event logging,
– help with problem diagnosis.
• They are application layer protocols.
Management security
• Two aspects of network management security (as defined in ISO 7498-2):
– management of security - support provided by network management protocols for provision of security services, and
– security of management - means for protecting network management communications.
Internet SNMP Overview
• The Simple Network Management Protocol (SNMP) is part of the Internet network management system.
– Version 1 (1990/91) is specified in RFCs 1155-1157, and 1212/1213.
– Version 2 (1993), with some security features, is specified in RFCs 1441-1448.
– Version 3 (1999), with more complete security features, in RFCs 2570-2576.
SNMP V1 Architecture
[Figure: the Manager and Agent protocol stacks. Manager side: SNMP over UDP over IP over Network, holding the Central MIB. Agent side: SNMP over UDP over IP over Network, holding the Agent MIB. The two stacks are joined by the Physical Network.]
Architectural Model
• Model based on
– a network management station (a host system running SNMP, with management s/ware)
– many network elements (hosts, routers, gateways, servers).
• Management agent at a network device implements SNMP
– provides access to the Management Information Base (MIB).
SNMP Management
[Figure: one Management Station managing several Network Elements.]
Connectionless Protocol
• Because V1 uses UDP, SNMP is a connectionless protocol
– No guarantee that the management traffic is received at the other entity
– Advantages:
• reduced overhead
• protocol simplicity
– Drawbacks:
• connection-oriented operations must be built into upper-layer applications, if reliability and accountability are needed
• V2 & V3 can use TCP.
SNMP Operations
• SNMP provides three simple operations:
– GET: Enables the management station to retrieve object values from a managed station
– SET: Enables the management station to set object values in a managed station
– TRAP: Enables a managed station to notify the management station of significant events
• SNMP allows multiple accesses with a single operation
SNMP Protocol Data Units
• Get Request: Used to obtain object values from an agent
• Get-Next Request: Similar to the Get Request, except it permits the retrieving of the next object instance (in lexicographical order) in the MIB tree
• Set Request: Used to change object values at an agent
• Response: Responds to the Get Request, Get-Next Request and Set Request PDUs
• Trap: Enables an agent to report an event to the management station (no response from the manager entity)
SNMP Port Numbers
• The UDP port numbers used for SNMP are: 161 (Requests) and 162 (Traps)
• Manager behavior:
– listens for agent traps on local port 162
– sends requests to port 161 of remote agent
• Agent behavior:
– listens for manager requests on local port 161
– sends traps to port 162 of remote manager
SNMP Messages
[Figure: a GET-REQUEST travels from the manager 192.168.0.20 to the agent 192.168.0.254, encapsulated as SNMP message / UDP datagram (Src Port: 3042, Dest Port: 161) / IP datagram (Src: 192.168.0.20, Dest: 192.168.0.254). The GET-REQUEST reply comes back with ports and addresses reversed: UDP Src Port: 161, Dest Port: 3042; IP Src: 192.168.0.254, Dest: 192.168.0.20. Other hosts shown on the network: 192.168.0.40, 192.168.1.254, 192.168.2.254, 192.168.254.254.]
SNMP Message Format
• All V1 SNMP PDUs are built in the same way:
Version | Community | SNMP PDU
• Community - local concept, defined at each device
• SNMP community = set of SNMP managers allowed to access this device
• Each community is defined using a unique (within the device) name
• Each manager must indicate the name of the community it belongs to in all get and set operations.
Trap Examples
• Cisco router traps
– authentication
• device is the addressee of an SNMP protocol message that is not properly authenticated. (SNMPv1 - incorrect community string)
– linkup
• device recognizes that one of the communication links represented in the agent's configuration has come up.
– linkdown
• device recognizes a failure in one of the communication links represented in the agent's configuration.
– coldstart
• device is reinitializing itself so that the configuration may be altered.
– warmstart
• device is reinitializing itself, but the configuration will not be altered.
SNMP
• Simple Network Management Protocol
– The most popular network management protocol
– Hosts, firewalls, routers, switches… UPS, power strips, ATM cards -- ubiquitous
• “One of the single biggest security nightmares on networks today”
SNMPv1 Security Flaws
• Transport Mechanism
– Data manipulation
– Denial of Service
– Replay
• Authentication
– Host Based
– Community Based
• Information Disclosure
SNMP Transport Mechanism Flaws
• UDP Based
– Unreliable - packets may or may not be received
– Easily forged - trivial to forge source of packets
SNMP Authentication Flaws
• Host Based
– Fails due to UDP transport
– DNS cache poisoning
• Community Based
– Cleartext community
– Community name prediction/brute forcing
– Default communities
SNMP Popular Defaults
• Popular defaults
– public
– private
– write
– “all private”
– monitor
– manager
– security
– admin
– lan
– default
– password
– tivoli
– openview
– community
– snmp
– snmpd
– system
– and on and on...
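The Version | Community | SNMP PDU layout from the message-format slide and the default list above are the first two things a defender checks in captured SNMPv1 traffic. The following is an added example, not code from the slides: a small BER decoder for that layout, run over a constructed GetRequest datagram, which reports the cleartext community and flags it when it matches one of the listed defaults. The sample bytes and all function names are the example's own.

```python
# Added example (not from the slides): a minimal BER decoder for the SNMPv1
# layout Version | Community | SNMP PDU, run over a constructed GetRequest.
# Anyone who sees the datagram can read the community, so the audit flags it.
DEFAULT_COMMUNITIES = {"public", "private", "write", "all private", "monitor",
                       "manager", "security", "admin", "lan", "default", "password",
                       "tivoli", "openview", "community", "snmp", "snmpd", "system"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
SAMPLE_GET_REQUEST = bytes.fromhex(  # constructed UDP payload, community "public"
    "3029"                   # SEQUENCE (41 bytes): the whole SNMP message
    "020100"                 # INTEGER version = 0  -> SNMPv1
    "04067075626c6963"       # OCTET STRING "public": the cleartext community
    "a01c"                   # GetRequest-PDU (28 bytes)
    "02041a2b3c4d"           # request-id
    "020100020100"           # error-status = 0, error-index = 0
    "300e300c"               # VarBindList holding one VarBind
    "06082b06010201010100"   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500")                  # NULL value placeholder in a request

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(datagram):
    """Split a request/response message into its fields and the first OID."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                  # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(vblist, 0)
    _, oid, _ = read_tlv(varbind, 0)
    return {"version": int.from_bytes(version, "big"), "pdu": PDU_NAMES.get(pdu_tag),
            "community": community.decode("latin-1"), "oid": decode_oid(oid)}

def audit(datagram):
    """Defender-side findings for one captured SNMP datagram."""
    msg, findings = parse_snmpv1(datagram), []
    if msg["version"] == 0:
        findings.append("SNMPv1: community string visible in cleartext")
    if msg["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append("well-known default community %r" % msg["community"])
    return msg, findings
```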
SNMPv1 Information Disclosure
• Routing tables
• Network topology
• Network traffic patterns
• Filter rules
RMON and RMON2 Security
• SNMPv1’s flaws
• additional hazards by introducing “action invocation” objects
• collects extensive info on subnet
• packet captures
SNMP Fixes
• Disable it
• ACL It
• Read-Only
Base SNMP Security Mechanisms
• The basic SNMP Version 1 standard provides only trivial security mechanisms, based on:
– Authentication Mechanism
– Access mode Mechanism
Authentication Mechanism
• Authentication Service: assure the destination that the SNMP message comes from the source from which it claims to be
• Based on community name, included in every SNMP message from a management station to a device
• This name functions as a password: the message is assumed to be authentic if the sender knows the password
• No encryption of the community name
SNMP V1 Key Vulnerability
• If an attacker can view the community string
– They can masquerade as a member of the community by including the community string in SNMP messages.
– The attacker may be able to manage any agent that shares that community string.
Access Mode Mechanism
• Based on community profiles
• A community profile consists of the combination of:
– a defined subset of MIB objects (MIB view)
– an access mode for those objects (READ-ONLY or READ-WRITE)
• A community profile is associated with each community defined by an agent
Security Threats
• Two primary threats:
– data modification - to an SNMP message,
– masquerade - impersonator might send false SNMP messages.
• Two secondary threats:
– message stream modification - reordering, replay and/or delay of SNMP messages,
– eavesdropping - on SNMP messages.
Security Services
• Identified security services to meet threats:
– data origin authentication,
– data integrity,
– message sequence integrity,
– data confidentiality,
– message timeliness & limited replay protection
User-based Security Model
• A User, identified by UserName holds:
– Secret keys
– Other security information such as cryptographic algorithms to be used.
• SNMP V3 entities are identified by snmpEngineID.
– Each managed device or management station has an snmpEngineID
Authoritative SNMP Entities
• Whenever a message is sent, one entity is authoritative.
– For get or set, receiver is authoritative.
– For trap, response or report, sender is authoritative.
• Authoritative entity has:
– Localised keys
– Timeliness indicators
Timeliness Indicators
• Prevent replay of messages.
• Each authoritative entity maintains a clock.
• A non-authoritative entity has to retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.
• Messages can arrive within 150 seconds of their generated time.
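The timeliness rule above, as an added example that is not from the slides: the authoritative engine keeps a boot counter and a clock (RFC 3414 calls them snmpEngineBoots and snmpEngineTime), the non-authoritative manager learns them and keeps a synchronised copy, and a constructed timeline shows a fresh message accepted while the same message replayed 300 seconds later, or after the agent restarts, is rejected. Class names and timestamps are the example's own.

```python
# Added example (not from the slides): the clock bookkeeping behind the
# 150-second timeliness rule. The authoritative engine owns snmpEngineBoots
# and snmpEngineTime (RFC 3414 names); the manager keeps a synchronised copy.
# All timestamps below are constructed seconds, not wall-clock time.
REPLAY_WINDOW = 150          # seconds either side of the engine's own time
MAX_BOOTS = 2147483647       # once the boot counter reaches this, accept nothing

class AuthoritativeEngine:
    """Clock of the authoritative entity (agent for get/set, manager for traps)."""

    def __init__(self, boots, started_at):
        self.boots = boots              # increments on every restart, never resets
        self.started_at = started_at    # reference point for snmpEngineTime

    def engine_time(self, now):
        return int(now - self.started_at)

    def is_timely(self, msg_boots, msg_time, now):
        """Accept only messages from the current boot epoch within +/-150 s."""
        if self.boots == MAX_BOOTS:
            return False
        return (msg_boots == self.boots and
                abs(msg_time - self.engine_time(now)) <= REPLAY_WINDOW)

class NonAuthoritativeClock:
    """The manager's synchronised view of one agent's (boots, time) pair."""

    def __init__(self):
        self.boots, self.offset = 0, None

    def synchronise(self, boots, engine_time, now):
        """Adopt a received (boots, time) only if it moves the clock forward."""
        if self.offset is None or boots > self.boots or (
                boots == self.boots and engine_time > self.estimate(now)):
            self.boots, self.offset = boots, engine_time - now

    def estimate(self, now):
        """Current guess of the agent's snmpEngineTime from the stored offset."""
        return None if self.offset is None else int(now + self.offset)

def replay_demo():
    """Constructed timeline: a datagram captured at t=1000 is replayed at t=1300."""
    agent = AuthoritativeEngine(boots=3, started_at=0)
    manager = NonAuthoritativeClock()
    t0 = 1000
    manager.synchronise(agent.boots, agent.engine_time(t0), t0)   # discovery step
    stamped = (manager.boots, manager.estimate(t0))               # fields in the message
    fresh = agent.is_timely(*stamped, now=t0 + 5)                 # 5 s later: accepted
    replayed = agent.is_timely(*stamped, now=t0 + 300)            # 300 s later: rejected
    restarted = AuthoritativeEngine(boots=4, started_at=t0 + 10)  # agent rebooted
    old_epoch = restarted.is_timely(*stamped, now=t0 + 20)        # stale boots: rejected
    return fresh, replayed, old_epoch
```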
Keys
• Keys generated from user password.
• User provides password to all entities.
• Each entity generates a key from the password and generates two further keys using the entity's snmpEngineID.
– One for authentication
– One for confidentiality
Data Integrity and Authenticity
• Generate a cryptographic “fingerprint” of any message to be protected.
• Send the “fingerprint” with the message.
– Derive two temporary keys K2, K3 from localized user key K1.
– Compute T = Hash(K3 | SNMP Msg)
– Compute M = Hash(K2 | T)
– First 96 bits of M are the MAC (Message Authentication Code)
• Must support HMAC-MD5-96, may support HMAC-SHA-96
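The key derivation on the previous slide and the MAC construction above, as an added example that is not from the slides: the password-to-key stretch and the snmpEngineID localisation follow RFC 3414 Appendix A, and the MAC is written in the slide's own K1/K2/K3 form, which the example checks against Python's HMAC. The second engine ID and the message bytes are constructed for the demo.

```python
# Added example (not from the slides): RFC 3414 key derivation and the
# slide's two-step MAC written with its symbols (K1, K2, K3, T, M).
# ENGINE_A and the password are the RFC 3414 Appendix A sample inputs;
# ENGINE_B and the message bytes are constructed for this demo.
import hashlib
import hmac

def password_to_key(password, hash_name="md5"):
    """Hash 1 MiB of the repeated password: one user key, shared by all entities."""
    reps = 1048576 // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:1048576]).digest()

def localize_key(user_key, engine_id, hash_name="md5"):
    """K1 = Hash(Ku | snmpEngineID | Ku): a different key for every engine."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()

def usm_mac(k1, message, hash_name="md5"):
    """K2, K3 from K1; T = Hash(K3 | msg); M = Hash(K2 | T); first 96 bits."""
    padded = k1.ljust(64, b"\x00")                   # hash block size is 64 bytes
    k3 = bytes(b ^ 0x36 for b in padded)             # inner key (HMAC ipad)
    k2 = bytes(b ^ 0x5C for b in padded)             # outer key (HMAC opad)
    t = hashlib.new(hash_name, k3 + message).digest()
    m = hashlib.new(hash_name, k2 + t).digest()
    return m[:12]                                    # 96 bits travel with the message

def matches_stdlib_hmac(k1, message, hash_name="md5"):
    """The slide's construction is exactly HMAC truncated to 96 bits."""
    return usm_mac(k1, message, hash_name) == hmac.new(k1, message, hash_name).digest()[:12]

def verify(k1, message, tag, hash_name="md5"):
    """Receiver recomputes the MAC and compares in constant time. In the real
    protocol the MAC field inside the message is zeroed before hashing; here
    the tag is carried separately from the message bytes."""
    return hmac.compare_digest(usm_mac(k1, message, hash_name), tag)

ENGINE_A = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 sample engine ID
ENGINE_B = bytes.fromhex("000000000000000000000003")   # constructed second engine

def demo(password=b"maplesyrup"):
    """Same password, two engines: a tag bound to one engine fails on the other."""
    ku = password_to_key(password)
    k1_a, k1_b = localize_key(ku, ENGINE_A), localize_key(ku, ENGINE_B)
    message = b"\x30\x00"                      # constructed stand-in for the wire bytes
    tag = usm_mac(k1_a, message)
    return {"user_key": ku.hex(), "k1_a": k1_a.hex(), "k1_b": k1_b.hex(),
            "accepted": verify(k1_a, message, tag),
            "other_engine": verify(k1_b, message, tag),
            "tampered": verify(k1_a, message + b"\x01", tag)}
```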
Data Confidentiality
• DES in Cipher Block Chaining mode.
• Second localised key.
• Has to be used together with Data Integrity and Authenticity.
Management of SNMP security
• Following data needs to be managed:
– secret (authentication and privacy) keys,
– clock synchronization (for replay detection),
– SNMP party information.
• SNMP can be used to provide key management and clock synchronization.
• After manually setting up some SNMP parties, rest can be managed using SNMP.