
Network Security Part I: Introduction Network Security Management




SECURITY INNOVATION ©2003

Outline

• The subject is divided into the following:
  – Introduction
  – SNMP overview
  – SNMP security


I Introduction

• Network management protocols enable on-line management of computers & networks.

• They support:
  – configuration management,
  – accounting,
  – event logging,
  – help with problem diagnosis.

• They are application layer protocols.


Management security

• Two aspects of network management security (as defined in ISO 7498-2):
  – management of security - support provided by network management protocols for provision of security services, and
  – security of management - means for protecting network management communications.


Internet SNMP Overview

• The Simple Network Management Protocol (SNMP) is part of the Internet network management system.
  – Version 1 (1990/91) is specified in RFCs 1155-1157, and 1212/1213.
  – Version 2 (1993), with some security features, is specified in RFCs 1441-1448.
  – Version 3 (1999), with more complete security features, in RFCs 2570-2576.


SNMP V1 Architecture

[Figure: SNMP V1 architecture. Manager side: Manager, Central MIB, SNMP, UDP, IP, Network. Agent side: Agent, Agent MIB, SNMP, UDP, IP, Network. The two protocol stacks are joined by the Physical Network.]


Architectural Model

• Model based on
  – a network management station (a host system running SNMP, with management s/ware)
  – many network elements (hosts, routers, gateways, servers).

• Management agent at a network device implements SNMP
  – provides access to the Management Information Base (MIB).


SNMP Management

[Figure: a Management Station managing a set of Network Elements.]


Connectionless Protocol

• Because V1 uses UDP, SNMP is a connectionless protocol
  – No guarantee that the management traffic is received at the other entity
  – Advantages:
    • reduced overhead
    • protocol simplicity
  – Drawbacks:
    • connection-oriented operations must be built into upper-layer applications, if reliability and accountability are needed

• V2 & V3 can use TCP.


SNMP Operations

• SNMP provides three simple operations:
  – GET: Enables the management station to retrieve object values from a managed station
  – SET: Enables the management station to set object values in a managed station
  – TRAP: Enables a managed station to notify the management station of significant events

• SNMP allows multiple accesses with a single operation


SNMP Protocol Data Units

• Get Request: Used to obtain object values from an agent

• Get-Next Request: Similar to the Get Request, except it permits retrieving the next object instance (in lexicographical order) in the MIB tree

• Set Request: Used to change object values at an agent

• Response: Responds to the Get Request, Get-Next Request and Set Request PDUs

• Trap: Enables an agent to report an event to the management station (no response from the manager entity)


SNMP Port Numbers

• The UDP port numbers used for SNMP are: 161 (Requests) and 162 (Traps)

• Manager behavior:
  – listens for agent traps on local port 162
  – sends requests to port 161 of remote agent

• Agent behavior:
  – listens for manager requests on local port 161
  – sends traps to port 162 of remote manager


SNMP Messages

[Figure: encapsulation of a GET-REQUEST and its reply between manager 192.168.0.20 and agent 192.168.0.254.
Request: SNMP message GET-REQUEST, carried in a UDP datagram (Src Port: 3042, Dest Port: 161), carried in an IP datagram (Src: 192.168.0.20, Dest: 192.168.0.254).
Reply: SNMP message GET-REQUEST reply, carried in a UDP datagram (Src Port: 161, Dest Port: 3042), carried in an IP datagram (Src: 192.168.0.254, Dest: 192.168.0.20).
Hosts shown on the network: 192.168.0.40, 192.168.0.254, 192.168.1.254, 192.168.2.254, 192.168.254.254.]


SNMP Message Format

• All V1 SNMP PDUs are built in the same way:

  Version | Community | SNMP PDU

• Community - local concept, defined at each device

• SNMP community = set of SNMP managers allowed to access this device

• Each community is defined using a unique (within the device) name

• Each manager must indicate the name of the community it belongs to in all get and set operations.


Trap Examples

• Cisco router traps
  – authentication
    • device is the addressee of an SNMP protocol message that is not properly authenticated (SNMPv1 - incorrect community string)
  – linkup
    • device recognizes that one of the communication links represented in the agent's configuration has come up.
  – linkdown
    • device recognizes a failure in one of the communication links represented in the agent's configuration.
  – coldstart
    • device is reinitializing itself so that the configuration may be altered.
  – warmstart
    • device is reinitializing itself, but the configuration will not be altered.


SNMP

• Simple Network Management Protocol
  – The most popular network management protocol
  – Hosts, firewalls, routers, switches… UPS, power strips, ATM cards -- ubiquitous

• “One of the single biggest security nightmares on networks today”


SNMPv1 Security Flaws

• Transport Mechanism
  – Data manipulation
  – Denial of Service
  – Replay

• Authentication
  – Host Based
  – Community Based

• Information Disclosure


SNMP Transport Mechanism Flaws

• UDP Based
  – Unreliable - packets may or may not be received
  – Easily forged - trivial to forge source of packets


SNMP Authentication Flaws

• Host Based
  – Fails due to UDP transport
  – DNS cache poisoning

• Community Based
  – Cleartext community
  – Community name prediction/brute forcing
  – Default communities


SNMP Popular Defaults

• Popular defaults
  – public
  – private
  – write
  – “all private”
  – monitor
  – manager
  – security
  – admin
  – lan
  – default
  – password
  – tivoli
  – openview
  – community
  – snmp
  – snmpd
  – system
  – and on and on...
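To make the message-format slide and the cleartext-community weakness concrete, here is an added example in Python (not from the original slides). It decodes the BER layers of a constructed SNMPv1 GetRequest so that the Version, Community and SNMP PDU fields can be read straight off the raw bytes, and then checks the recovered community against the list of popular defaults above, the check a monitoring tool would run on captured port 161 traffic. The sample packet is constructed for this example; the code uses only the Python standard library.

```python
"""Decode the outer layers of an SNMPv1 message (Version | Community | PDU)
and flag cleartext communities that match well-known defaults.
Added example; the sample packet below is constructed, not captured."""

# Default community strings, taken from the slide's list
DEFAULT_COMMUNITIES = {
    "public", "private", "write", "all private", "monitor", "manager",
    "security", "admin", "lan", "default", "password", "tivoli",
    "openview", "community", "snmp", "snmpd", "system",
}

# Context-specific tags used for SNMPv1 PDUs (RFC 1157)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public", request-id 1
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020100"                    # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"          # OCTET STRING "public": sent in the clear
    "a019"                      # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"  # request-id, error-status, error-index
    "300e" "300c"               # VarBindList, VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value (to be filled in by the agent)
)


def read_tlv(data: bytes, pos: int):
    """Read one BER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:               # base-128 arcs with a continuation bit
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_snmpv1(packet: bytes) -> dict:
    """Return version, community, PDU type and (for non-trap PDUs) request-id and OIDs."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    result = {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("latin-1"),
        "pdu": PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
        "request_id": None,
        "oids": [],
    }
    if pdu_tag in (0xA0, 0xA1, 0xA2, 0xA3):   # Trap-PDU has a different layout, not parsed here
        _, req_id, p = read_tlv(pdu, 0)
        _, _err_status, p = read_tlv(pdu, p)
        _, _err_index, p = read_tlv(pdu, p)
        _, varbinds, _ = read_tlv(pdu, p)
        result["request_id"] = int.from_bytes(req_id, "big", signed=True)
        p = 0
        while p < len(varbinds):
            _, vb, p = read_tlv(varbinds, p)
            _, oid, _ = read_tlv(vb, 0)
            result["oids"].append(decode_oid(oid))
    return result


def is_default_community(name: str) -> bool:
    """True when the community is one of the well-known defaults listed above."""
    return name.lower() in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    msg = parse_snmpv1(SAMPLE_GET_REQUEST)
    print(msg)
    if is_default_community(msg["community"]):
        print(f"WARNING: default community {msg['community']!r} in use")
```

Because the community travels as a plain OCTET STRING directly after the version integer, anything that can see the datagram can recover it with the handful of lines above; the same parser, pointed at an agent's own traffic, is enough to alert on default names.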


SNMPv1 Information Disclosure

• Routing tables
• Network topology
• Network traffic patterns
• Filter rules


RMON and RMON2 Security

• SNMPv1’s flaws
• additional hazards by introducing “action invocation” objects
• collects extensive info on subnet
• packet captures


SNMP Fixes

• Disable it
• ACL it
• Read-Only


Base SNMP Security Mechanisms

• The basic SNMP Version 1 standard provides only trivial security mechanisms, based on:
  – Authentication Mechanism
  – Access mode Mechanism


Authentication Mechanism

• Authentication Service: assure the destination that the SNMP message comes from the source from which it claims to be

• Based on community name, included in every SNMP message from a management station to a device

• This name functions as a password: the message is assumed to be authentic if the sender knows the password

• No encryption of the community name


SNMP V1 Key Vulnerability

• If an attacker can view the community string
  – They can masquerade as a member of the community by including the community string in SNMP messages.
  – The attacker may be able to manage any agent that shares that community string.


Access Mode Mechanism

• Based on community profiles

• A community profile consists of the combination of:
  – a defined subset of MIB objects (MIB view)
  – an access mode for those objects (READ-ONLY or READ-WRITE)

• A community profile is associated with each community defined by an agent
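The following Python is an added illustration (not part of the original slides) of the access-mode mechanism just described, combined with the "ACL it" and "Read-Only" fixes from the SNMP Fixes slide: each community maps to a profile made of the source networks allowed to present it, a MIB view (a set of OID subtrees) and an access mode, and every request is checked against all three before the agent touches an object. The community names, networks and views are constructed for the example; a real agent expresses the same profile in its own configuration format.

```python
"""Community-profile access check: source ACL + MIB view + access mode.
Added example; the communities, networks and views are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CommunityProfile:
    sources: tuple   # networks allowed to present this community ("ACL it")
    view: tuple      # OID prefixes that make up the MIB view
    mode: str        # "READ-ONLY" or "READ-WRITE"


# Constructed profiles: a read-only community for the management LAN limited to
# the system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2) groups, and a
# read-write community accepted from the single manager 192.168.0.20 only.
PROFILES = {
    "ro-7f3a-example": CommunityProfile(
        sources=(ipaddress.ip_network("192.168.0.0/24"),),
        view=("1.3.6.1.2.1.1", "1.3.6.1.2.1.2"),
        mode="READ-ONLY"),
    "rw-c91e-example": CommunityProfile(
        sources=(ipaddress.ip_network("192.168.0.20/32"),),
        view=("1.3.6.1.2.1",),
        mode="READ-WRITE"),
}

WRITE_PDUS = {"SetRequest"}


def in_view(oid: str, view) -> bool:
    """True if oid equals or lies under one of the view's subtree prefixes.
    The dotted-prefix test keeps 1.3.6.1.2.1.10 out of a view for 1.3.6.1.2.1.1."""
    return any(oid == prefix or oid.startswith(prefix + ".") for prefix in view)


def authorize(profiles, src_ip: str, community: str, pdu: str, oid: str):
    """Decide whether one request may act on oid; returns (allowed, reason)."""
    profile = profiles.get(community)
    if profile is None:
        # an RFC 1157 agent would also emit an authenticationFailure trap here
        return False, "unknown community"
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in profile.sources):
        return False, "source address not permitted for this community"
    if pdu in WRITE_PDUS and profile.mode != "READ-WRITE":
        return False, "community is READ-ONLY"
    if not in_view(oid, profile.view):
        return False, "object outside this community's MIB view"
    return True, "allowed"


if __name__ == "__main__":
    checks = [
        # (source, community, PDU, OID)
        ("192.168.0.40", "ro-7f3a-example", "GetRequest", "1.3.6.1.2.1.1.1.0"),   # sysDescr.0
        ("10.9.9.9", "ro-7f3a-example", "GetRequest", "1.3.6.1.2.1.1.1.0"),       # off the management LAN
        ("192.168.0.40", "ro-7f3a-example", "SetRequest", "1.3.6.1.2.1.1.5.0"),   # write with RO community
        ("192.168.0.40", "ro-7f3a-example", "GetRequest", "1.3.6.1.2.1.4.21.1.1"),  # ipRouteTable, outside view
        ("192.168.0.20", "rw-c91e-example", "SetRequest", "1.3.6.1.2.1.1.5.0"),   # sysName.0 from the manager
        ("192.168.0.20", "public", "GetRequest", "1.3.6.1.2.1.1.1.0"),            # default community
    ]
    for c in checks:
        print(c, "->", authorize(PROFILES, *c))
```

The ordering matters for what an observer learns: an unknown community and a source outside the ACL are rejected before the PDU type or OID is examined, so probing from an unlisted address reveals nothing about the views or modes the agent has configured.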


Security Threats

• Two primary threats:
  – data modification - to an SNMP message,
  – masquerade - impersonator might send false SNMP messages.

• Two secondary threats:
  – message stream modification - reordering, replay and/or delay of SNMP messages,
  – eavesdropping - on SNMP messages.


Security Services

• Identified security services to meet threats:
  – data origin authentication,
  – data integrity,
  – message sequence integrity,
  – data confidentiality,
  – message timeliness & limited replay protection


User-based Security Model

• A User, identified by UserName, holds:
  – Secret keys
  – Other security information such as cryptographic algorithms to be used.

• SNMP V3 entities are identified by snmpEngineID.
  – Each managed device or management station has an snmpEngineID


Authoritative SNMP Entities

• Whenever a message is sent, one entity is authoritative.
  – For get or set, receiver is authoritative.
  – For trap, response or report, sender is authoritative.

• Authoritative entity has:
  – Localised keys
  – Timeliness indicators


Timeliness Indicators

• Prevent replay of messages.
• Each authoritative entity maintains a clock.
• A non-authoritative entity has to retrieve the time from the authoritative entity, confirm the received value, then maintain a synchronised clock.
• Messages can arrive within 150 seconds of their generated time.
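As an added example (not from the original slides), the Python below writes out the timeliness check on both sides of an SNMPv3 exchange, following the USM rules of RFC 3414: the authoritative entity compares the boots counter and time carried in an authenticated message with its own clock and the 150 second window from the slide, while the non-authoritative entity keeps a cached copy of the remote clock, updates it only from authenticated messages that carry newer values, and rejects responses older than its window. The clock values are constructed.

```python
"""SNMPv3 USM timeliness check (RFC 3414 rules): engine boots/time window.
Added example; the clock values used below are constructed."""
from dataclasses import dataclass

TIME_WINDOW = 150          # seconds, as stated on the slide
MAX_BOOTS = 2**31 - 1      # once reached, an engine must refuse all traffic until rekeyed


@dataclass
class EngineClock:
    boots: int   # snmpEngineBoots: number of times the engine has restarted
    time: int    # snmpEngineTime: seconds since the last restart


def authoritative_check(local: EngineClock, msg_boots: int, msg_time: int):
    """Run by the authoritative entity (the agent for get/set) after the MAC has verified."""
    if local.boots == MAX_BOOTS:
        return False, "boots counter exhausted; keys must be changed"
    if msg_boots != local.boots:
        return False, "snmpEngineBoots mismatch"
    if abs(local.time - msg_time) > TIME_WINDOW:
        return False, f"outside the {TIME_WINDOW}s window"
    return True, "timely"


@dataclass
class RemoteClockCache:
    """What a non-authoritative entity (the manager) remembers about the agent's clock."""
    boots: int = 0
    time: int = 0            # last estimate of the agent's snmpEngineTime
    latest_time: int = 0     # highest snmpEngineTime seen from the agent at this boots value

    def synchronize(self, msg_boots: int, msg_time: int) -> bool:
        """Adopt newer values from an authenticated message; returns True if updated.
        Only forward movement is accepted, so a replayed old message cannot wind the cache back."""
        if msg_boots > self.boots or (msg_boots == self.boots and msg_time > self.latest_time):
            self.boots, self.time, self.latest_time = msg_boots, msg_time, msg_time
            return True
        return False

    def check(self, msg_boots: int, msg_time: int):
        """Run by the non-authoritative entity on an authenticated response from the agent."""
        if self.boots == MAX_BOOTS:
            return False, "boots counter exhausted"
        if msg_boots < self.boots:
            return False, "stale snmpEngineBoots"
        if msg_boots == self.boots and msg_time < self.latest_time - TIME_WINDOW:
            return False, "older than the replay window"
        return True, "timely"


if __name__ == "__main__":
    agent = EngineClock(boots=3, time=1000)
    print(authoritative_check(agent, 3, 970))    # generated 30 s ago: accepted
    print(authoritative_check(agent, 3, 800))    # replayed 200 s later: rejected
    print(authoritative_check(agent, 2, 1000))   # captured before the agent rebooted: rejected
    manager = RemoteClockCache()
    manager.synchronize(3, 1000)
    print(manager.check(3, 860), manager.check(3, 840))
```

This is why the services slide says "limited" replay protection: a message captured and resent inside the window still passes both checks, so the window bounds how long a replay stays useful rather than preventing it outright.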


Keys

• Keys generated from user password.
• User provides password to all entities.
• Each entity generates a key from the password and generates two further keys using the entity's snmpEngineID.
  – One for authentication
  – One for confidentiality


Data Integrity and Authenticity

• Generate a cryptographic “fingerprint” of any message to be protected.

• Send the “fingerprint” with the message.
  – Derive two temporary keys K2, K3 from localized user key K1.
  – Compute T = Hash(K3 | SNMP Msg)
  – Compute M = Hash(K2 | T)
  – First 96 bits of M are the MAC (Message Authentication Code)

• Must support HMAC-MD5-96, may support HMAC-SHA-96
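The Keys slide and the fingerprint recipe above are carried through in the added Python example below (not from the original slides). It derives the user key Ku from the password, localizes it to one snmpEngineID to obtain K1, then computes the 96-bit MAC exactly as the slide describes (K3 and K2 derived from K1, T = Hash(K3 | msg), M = Hash(K2 | T)) and shows that this is standard HMAC by comparing with the library implementation. The password-to-key step uses the RFC 3414 Appendix A procedure (the password is repeated until 1 MB has been hashed), and the password and engine ID are the RFC 3414 test values; the message bytes are constructed.

```python
"""USM key generation and HMAC-96, written out as on the slides (RFC 3414 procedure).
Added example; password and engine ID are the RFC 3414 Appendix A test values,
the message is constructed."""
import hashlib
import hmac

ONE_MEGABYTE = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: hash the password repeated until 1 MB has been fed to the digest."""
    repeated = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = Hash(Ku | snmpEngineID | Ku): the key tied to one authoritative engine,
    so a key recovered from one agent does not open the others."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def hmac96_as_on_slide(k1: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The slide's recipe: K2, K3 from K1; T = Hash(K3 | msg); M = Hash(K2 | T); keep 96 bits."""
    block = 64                                    # MD5 and SHA-1 block size
    k1 = k1.ljust(block, b"\x00")                 # extend the localized key to a full block
    k3 = bytes(b ^ 0x36 for b in k1)              # inner key (HMAC ipad)
    k2 = bytes(b ^ 0x5C for b in k1)              # outer key (HMAC opad)
    t = hashlib.new(hash_name, k3 + message).digest()
    m = hashlib.new(hash_name, k2 + t).digest()
    return m[:12]                                 # first 96 bits = 12 bytes


def hmac96_stdlib(k1: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """Same value via the library HMAC, showing the slide describes standard HMAC truncated to 96 bits."""
    return hmac.new(k1, message, hash_name).digest()[:12]


def verify_mac(k1: bytes, message_with_zeroed_mac: bytes, received_mac: bytes,
               hash_name: str = "md5") -> bool:
    """Receiver side: recompute over the message (MAC field zeroed) and compare in constant time."""
    return hmac.compare_digest(hmac96_stdlib(k1, message_with_zeroed_mac, hash_name), received_mac)


if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup")
    kul = localize_key(ku, bytes.fromhex("000000000000000000000002"))
    msg = b"\x30\x00constructed-snmpv3-message"
    mac = hmac96_as_on_slide(kul, msg)
    print("Ku ", ku.hex())
    print("Kul", kul.hex())
    print("MAC", mac.hex(), "matches stdlib:", mac == hmac96_stdlib(kul, msg))
```

The second localized key mentioned on the confidentiality slide is produced the same way from the privacy password, and the two keys differ per engine even when the user chose the same password everywhere.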


Data Confidentiality

• DES in Cipher Block Chaining mode.
• Second localised key.
• Has to be used together with Data Integrity and Authenticity.


Management of SNMP security

• Following data needs to be managed:
  – secret (authentication and privacy) keys,
  – clock synchronization (for replay detection),
  – SNMP party information.

• SNMP can be used to provide key management and clock synchronization.

• After manually setting up some SNMP parties, the rest can be managed using SNMP.