Network Monitoring Using SNMP


A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Technology in Computer Technology

Department of Computer Science and Engineering, Jadavpur University, Kolkata

by NITA DAS
Examination Roll No: M6TCT
University Registration No: of

Under the guidance of Shri Mridul Sankar Barik, Assistant Professor, Department of Computer Science and Engineering, Faculty of Engineering and Technology, Jadavpur University, Kolkata

May, 2013

Certificate of Approval

This is to certify that the thesis entitled Network Monitoring Using SNMP is a bona-fide record of work carried out by Nita Das in partial fulfillment of the requirements for the award of the degree of Master of Technology in Computer Technology, in the Department of Computer Science and Engineering, Jadavpur University. It is understood that by this approval, the undersigned do not necessarily endorse or approve any statement made, opinion expressed or conclusion drawn therein, but approve the thesis only for the purpose for which it is submitted.

Examiners: (Signature of the Examiner) (Signature of the Supervisor)

To whom it may concern

This is to certify that the work in this thesis entitled Network Monitoring Using SNMP has been satisfactorily completed by Nita Das. It is a bona-fide piece of work carried out under my supervision and guidance for partial fulfillment of the requirements for the awarding of the Master of Technology in Computer Technology degree by the Department of Computer Science & Engineering, Faculty of Engineering & Technology, Jadavpur University, during the academic year

Shri Mridul Sankar Barik
Department of Computer Science and Engineering, Jadavpur University

Forwarded by: Prof. Sivaji Bandyopadhyay
Head of the Department of Computer Science & Engineering, Jadavpur University

Declaration of Originality and Compliance of Academic Ethics

I hereby declare that this thesis contains literature survey and original research work by the undersigned candidate, as part of her Master of Technology in Computer Technology studies. All information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work.

Name: Nita Das
Exam Roll Number: M6TCT
Thesis Title: Network Monitoring Using SNMP
Signature with date:

Acknowledgement

With my sincere respect and gratitude, I would like to thank my thesis guide Shri. Mridul Sankar Barik for his continuous support for this thesis work, for his patience, motivation and enthusiasm. His guidance helped me a lot throughout the duration of the work. His valuable suggestions inspired me a lot. I feel deeply honored that I got the opportunity to work under his guidance.

I would also wish to thank Prof. Sivaji Bandyopadhyay, Head of the Department of Computer Science & Engineering, Jadavpur University for providing me all the facilities and for his support to the activities of this project. I would like to thank Prof. Chandan Mazumdar for giving me such an opportunity to work on this project. I would like to thank Dr. Anirban Sengupta, Principal Research Engineer, CDCJU, for sharing his knowledge and experience with me and also their immense support and co-operation.

Last, but not the least, I would like to thank all my family members and my classmates of Master of Technology in Computer Technology batch of , for their co-operation and support. Their wealth of experience has been a source of strength for me throughout the duration of my work.

Name: Nita Das
Exam Roll No: M6TCT
Registration No: of
Master of Technology in Computer Technology

Table of Contents

I Introduction
  a. Purpose and Scope
  b. Document Structure
About SNMP
  SNMP History
  Technical Description of SNMP
    Supported Transport Protocols
    SNMP Agents and Managers
      Managers
      Agents
    SNMP Manager/Agent Communication
    SNMP Message Format
      SNMP V1 and SNMP V2 Message Format and PDU Formats
      SNMP V3 Message Format
    Abstract Syntax Notation Number One (ASN.1)
      Encoding Rules of ASN.1
    Structure of Management Information (SMI)
      MIB (Management Information Base)
    SNMP Operations
      Get Operations
        Description
        SNMP Get Commands and Output
      The getnext Operation
        Description
        SNMP GetNext Commands and Output
      The getbulk Operation
        Description
        SNMP Getbulk Commands and Output
      The set Operation
        Description
        SNMP set Operation Commands and Output
      The getresponse Operation
      Traps Operation
      SNMP Notification
      SNMP Inform
      SNMP Report
2 SNMP Vulnerability and Solution
  Description
  Type of Threats
    Masquerading
    Modification of Information
    Message Stream Modification
    Disclosure
    Denial of Service (DoS)
    Traffic Pattern Analysis
  Securities in SNMP
    Security of SNMP Version
    Security of SNMP Version
    Security of SNMP Version
    Other Securities
Applications of SNMP in Network Management
  Description
  Functional Areas Where SNMP Work
    Fault Management
    Configuration Management
    Accounting Management
    Performance Management
    Security Management
SNMP Monitoring of Wireless Network
  Introduction
  IEEE
  Carrier Sense Multiple Access with Collision Avoidance
  Request-To-Send (RTS) and Clear-To-Send (CTS)
  Role of SNMP in Wireless Monitoring
Experimental Setup
  Aim
  Prerequisites
  LAN configuration
  Methodology
  Descriptions
  Component of DSNMP API
  Program Modules and classes
  Descriptions
Conclusion
7 Bibliography

List of Figures

Figure 1 Evolution of SNMP versions
Figure 2 Transport mechanism between SNMP Agents and Managers
Figure 3 Manager requests status information from devices running SNMP Agent
Figure 4 SNMP message form
Figure 5 SNMPv1 and SNMP v2 message
Figure 6 PDU format for Get, GetNext, Set and ResponsePDUs of SNMP v1
Figure 7 SNMP v1 PDU format for Trap message
Figure 8 SNMPv2 PDU format for Get, GetNext, Set and ResponsePDU
Figure 9 SNMPv2 PDU format for GetBulk operation
Figure 10 SNMPv3 Message Format
Figure 11 A block diagram describing the ASN.1 value encoded with BER
Figure 12 MIB-II subtree
Figure 13 SNMP operations
Figure 14 Get request sequence
Figure 15 Get-bulk request sequence
Figure 16 Set request sequence
Figure 17 The trap-generation sequence
Figure 18 Man in the Middle attack
Figure 19 Network investigation using SNMP
Figure 20 Experimental setup
Figure 21 Architecture of DSNMP API

List of Tables

Table 1 RFC of SNMP
Table 2 Table briefly describes each management group defined in MIB-II [RFC 1213]
Table 3 SNMPv1 error messages
Table 4 Generic traps
Table 5 OID for Wireless Monitoring
Table 6 prerequisites for the experiment

I. Introduction

a. Purpose and Scope

Today's networks of switches, routers, servers and other network equipment are very complex. Managing all the devices in a large network efficiently is a daunting task. The general purpose of network management is to monitor the network effectively and efficiently using various network management tools. Its main purpose is to capture all incoming and outgoing traffic of a network, analyze it, and produce a report that reflects the total health of the network. SNMP is a protocol through which any network can be monitored. It is a very simple protocol and is easy to implement.

The purpose of this thesis is to understand the role of SNMP in managing an IP network. The main objective of this thesis work is to develop an SNMP-based network monitoring device which can map all the network equipment and its configuration. This thesis contains an analytical report on SNMP (Simple Network Management Protocol) that covers its general features, technical details, versions, security features, applications in wired and wireless networks, and other details regarding SNMP.

b. Document Structure

The first chapter of this document contains the basic details of the Simple Network Management Protocol (SNMP). This chapter contains the following sections:

i. History of SNMP: this section covers the evolution of SNMP, its versions and its standards.
ii. Technical description of SNMP: this section contains a detailed description of the SNMP protocol, including SNMP versions, standards etc. It describes the different elements of a network that runs SNMP, the basic operations of those SNMP devices and the communication techniques between them.
iii. Basic operations of SNMP: this section covers the basic operations by which SNMP devices communicate with each other.

The second chapter covers the vulnerabilities of a network and the role of SNMP in preventing them. This chapter contains the following sections:

i. The types of threats that can cause a severe shutdown of a network, that can tether a network, or that can give an intruder unauthorized access and so make the network insecure.
ii. The security features that are implemented in SNMP to defend a network against the different probable threats.

The third chapter describes the applications of SNMP in network management. The following sections are described in this chapter:

i. The application part of a network management tool, and how it helps to monitor the network.
ii. How SNMP can be helpful in network management.

The fourth chapter covers wireless standards and the applications of SNMP in wireless networking, and gives the details of the MIB that helps to detect or monitor any wireless SNMP device.

The fifth and final chapter contains the experimental setup that is used to detect the SNMP-enabled devices in a network. This chapter gives a basic understanding of the DSNMP (Dynamic SNMP) API, which is used to develop the SNMP application. It then describes the functionality of the various modules that are used in this thesis.

1 About SNMP

1.1 SNMP History

SNMP is a standard TCP/IP protocol [1] for network management. SNMP was first defined in 1988 in RFC-1067 [2]. Development continued with a re-release as RFC-1098 [2] in 1989, and in 1990 the document was re-released again as RFC-1157 [2], which is the current definition of SNMP Version 1. SNMP was approved as an Internet standard in 1990 by the Internet Architecture Board (IAB) and has been in wide use since that time. The Internet community developed SNMP for managing networks easily and uniformly. Since the initial version of SNMP, the standard has been revised and new versions have been released. No individual company is the creator or updater of the SNMP standard; when changes are made, a group of individuals works together to make them and the changes are reviewed by peers.

Networks have become larger, so it is necessary to keep the whole network reliable and error free. For this reason, a certain level of network monitoring and maintenance should be done to guarantee any level of service. When monitoring a network, information such as utilization, error rates, protocol distribution and latency should be gathered. SNMP helps to monitor such network statistics effectively, and it also monitors various parameters of the devices in a network, such as software versions, IP address, available hard disk space, session table, open files and ARP table. SNMP tools are installed in various IP network devices such as host machines, switches, bridges, routers and printers, as well as in services such as Dynamic Host Configuration Protocol (DHCP) [3] or Windows Internet Name Service (WINS) [4]. One SNMP tool can query another SNMP tool (known as polling) to gather data, which may help to discover traffic bottlenecks on the network or to spot unusual activity. SNMP devices can send a special message (a trap) as a notification when some adverse condition occurs. These conditions are defined in the MIB (Management Information Base) by the vendor of the device.

SNMP is defined by the Internet Engineering Task Force (IETF) and uses Request for Comments (RFC) specifications. Currently, there are three versions of SNMP in use, and each one is defined by one or more RFCs. The RFCs that define each version are listed in Table 1 [26]. The evolution of the SNMP versions is depicted in Figure 1 [12].

SNMP Version 1
This is the oldest version and is supported by most SNMP devices. Data is sent as simple text; no encryption is done while sending data. This version should therefore be used only within LANs, and its packets should not be sent outside, for security reasons. SNMP v1 cannot monitor high loads in the internet.

SNMP Version 2
This is more secure than SNMP v1. In SNMP v2 several data encryptions are done, and it can be used outside LAN networks. This version was not widely used. A detailed description is given in section 2.3.

SNMP Version 3
SNMP v3 evolved from SNMPv2. It adds encryption and authentication of users, and it provides the highest security in SNMP.

SNMP Version | Defining RFC(s)
SNMPv1 | RFC 1157 Simple Network Management Protocol
SNMPv2 | RFC 1905 Protocol Operations for SNMPv2
       | RFC 1906 Transport Mappings for SNMPv2
       | RFC 1907 MIB for SNMPv2
SNMPv3 | RFC 2571 Architecture for SNMP Frameworks
       | RFC 2572 Message Processing and Dispatching
       | RFC 2573 SNMP Applications
       | RFC 2574 User-based Security Model
       | RFC 2575 View-based Access Control Model
       | RFC 1905 Protocol Operations for SNMPv2
       | RFC 1906 Transport Mappings for SNMPv2
       | RFC 1907 MIB for SNMPv2

Table 1 RFC of SNMP

Figure 1 Evolution of SNMP versions

1.2 Technical Description of SNMP

Supported Transport Protocols

There are two transport layer protocols in the OSI model [5], TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is a connection-oriented protocol and UDP is a connectionless protocol. Connection-oriented services must first establish a connection between the two endpoints (sending and receiving) before passing any data traffic between them. An example of a connection-oriented service is Frame Relay [6], where a VC (virtual connection) is required between both endpoints before data traffic can be exchanged. Connectionless services can send data without requiring an established connection. Connection-oriented services provide some level of delivery guarantee, whereas connectionless services do not. An example of a connectionless service is any IP service, such as the Internet.

TCP is more reliable than UDP. TCP sends an acknowledgement to the sender after receiving a message, but UDP does not, so with UDP transmission it is not possible to know whether the receiver received the message or not. Although UDP has many disadvantages, SNMP uses the User Datagram Protocol (UDP, defined by RFC 768 [2]) for its very low overhead. This low-overhead protocol is simple to use and doesn't occupy all the bandwidth like TCP-based applications going across the WAN (Wide Area Network). SNMP uses UDP port 161 for sending and receiving requests, and port 162 for receiving traps from managed devices.

SNMP Agents and Managers

The SNMP model defines two entities, the SNMP agent and the SNMP manager. SNMP devices can be configured as manager and as agent. The SNMP manager communicates with other SNMP devices on which SNMP agents are running. SNMP agents are configured on various devices in the network and provide information to SNMP managers.

Managers: An SNMP manager is a device that can handle management tasks for a network. Managers are installed with some kind of software to handle the management tasks. Managers are often referred to as Network Management Stations (NMSs). An NMS is responsible for polling agents in the network and for receiving traps from them. A poll, in the context of network management, is the act of querying an agent (router, switch, UNIX server, etc.) for some information. The objects that can be queried by the manager are defined in the MIB. A trap is a way for the agent to tell the NMS that something wrong has happened. When some unusual phenomenon (like a link down, heavy traffic, a machine shutdown etc.) occurs in the network, the agent sends a trap message to the manager to inform it that something wrong has happened. Polls and traps can happen at the same time.

Agents: An agent is a piece of software that runs on the network devices to manage the network. It can be a separate program (a daemon, in UNIX language), or it can be incorporated into the operating system (for example, Cisco's IOS on a router, or the low-level operating system that controls a UPS). Nowadays most IP devices come with some kind of SNMP agent built in. The agent provides management information to the NMS by keeping track of various operational aspects of the device. For example, the agent on a router is able to keep track of the state of each of its interfaces: which ones are up, which ones are down, etc. The NMS can query the status of each interface and take appropriate action if any of them are down. When the agent notices that something bad has happened, it can send a trap to the NMS. This trap originates from the agent and is sent to the NMS, where it is handled appropriately. Some devices will send a corresponding "all clear" trap when there is a transition from a bad state to a good state. This can be useful in determining when a problem situation has been resolved. There are no restrictions on when the NMS can query the agent or when the agent can send a trap. Figure 2 [9] shows how SNMP agents and the manager communicate via UDP ports, and Figure 3 shows the basic architecture of an SNMP-managed network.

Figure 2 Transport mechanism between SNMP Agents and Managers

The managers and agents communicate via poll and trap messages.

SNMP Manager/Agent Communication

Figure 3 Manager requests status information from devices running SNMP Agent

In a client-server architecture, servers store all the data; clients make requests to the servers, and the server processes each request and provides the desired results to the client. Likewise, in SNMP-managed networks, SNMP agents can be considered as servers that serve the information defined in MIBs [7], and SNMP managers can be considered as clients that request from agents the information written in MIBs. The communication between the agent and the manager uses the SNMP protocol, which is an application of ASN.1 BER (Abstract Syntax Notation 1 with Basic Encoding Rules) [8]. This communication takes place over UDP (for IP networks).

SNMP Message Format

SNMP devices communicate with other SNMP-enabled devices through SNMP PDUs (Protocol Data Units) by encapsulating SNMP messages within [9]. Figure 4 shows the SNMP message form.

Figure 4 SNMP message form

SNMP V1 and SNMP V2 Message Format and PDU Formats

Figure 5 shows the SNMPv1 and SNMP V2 message format and Figure 6 shows the PDU format for Get, GetNext, Set and Response PDUs of SNMPv1. Figure 7 shows the format of Trap PDUs and Figure 8 shows the SNMPv2 PDU format for Get, GetNext, Set and Response PDUs. The SNMPv2 PDU format for the GetBulk operation is shown in Figure 9. The details of these formats are given below:

SNMP Version: specifies the version of SNMP used.
Community String: specifies a string used to add security to SNMP devices.
SNMP PDU (Protocol Data Unit): a PDU is information that is delivered as a unit among peer entities of a network and that may contain control information, such as address information, or user data. The SNMP PDU specifies communications between the SNMP entities.

SNMP VERSION | COMMUNITY STRING | SNMP PDU

Figure 5 SNMPv1 and SNMP v2 message

PDU Type | Request ID | Error Status | Error Index | Object 1, Value 1 | Object 2, Value 2 | ... | Object n, Value n

Figure 6 PDU format for Get, GetNext, Set and ResponsePDUs of SNMP v1

PDU Type: Specifies the type of PDU.
Request ID: Associates SNMP requests with responses.
Error status: Indicates one of a number of errors and error types. It is set only in the Response PDU; for the rest it is set as 0.
Error index: Associates an error with a particular object instance. It is set only in the Response PDU; for the rest it is set as 0.
Variable bindings: Each variable binding associates a particular object instance with its current value. For Get and GetNext requests, the value is ignored.

PDU Type | Enterprise | Agent Address | Generic Trap | Specific Trap | Time Stamp | Object 1, Value 1 | Object 1, Value 1

Figure 7 SNMP v1 PDU format for Trap message

PDU Type: Specifies the type of PDU as Trap.
Enterprise: Identifies the management enterprise under whose registration authority the trap was defined.
Agent address: IP address of the agent.
Generic trap type: Used to identify the generic trap. There are six types of generic traps.
Specific trap type: Used to identify a specific trap.
Time Stamp: Value of the sysuptime MIB object.

PDU Type | Request ID | Error Status | Error Index | Object 1, Value 1 | Object 2, Value 2 | Object n, Value n

Figure 8 SNMPv2 PDU format for Get, GetNext, Set and ResponsePDU

PDU Type: Specifies the type of PDU.
Request ID: Associates SNMP requests with responses.
Error Status: Indicates one of a number of errors and error types. It is set only in the Response PDU; for the rest it is set as 0.
Error Index: Associates an error with a particular object instance. It is set only in the Response PDU; for the rest it is set as 0.
Variable Bindings: Each variable binding associates a particular object instance with its current value. For Get and GetNext requests, the value is ignored.

PDU Type | Request ID | Non Repeaters | Max Repetition | Object 1, Value 1 | Object 2, Value 2 | Object n, Value n

Figure 9 SNMPv2 PDU format for GetBulk operation

PDU Type: Specifies the type of PDU as GetBulk.
Request ID: Associates SNMP requests with responses.
Non repeaters: Specifies the number of object instances in the variable bindings field that should be retrieved no more than once from the beginning of the request.
Max repetitions: Defines the maximum number of times that other variables beyond those specified by the Non repeaters field should be retrieved.
Variable Bindings: Each variable binding associates a particular object instance with its current value.

SNMP V3 Message Format

Figure 10 below shows the SNMP V3 message format.

VERSION | ID | MAX SIZE | FLAGS | SECURITY MODEL | ENGINE ID | ENGINE BOOTS | ENGINE TIME | USER NAME | SECURITY PARAMETERS | CONTEXT ENGINE ID | CONTEXT NAME | PDU

Figure 10 SNMPv3 Message Format

Version: An integer that identifies the version of SNMP. For SNMPv3 this value is 3.
ID: This field contains the SNMP message identifier, which is a unique ID associated with the message. The msgid field is different from the reqid field available in the PDU.
Max Size: This field represents the maximum size of message which the requesting SNMP entity can accept.
Flags: This field contains the message security level. 0: message is authenticated; 1: message uses privacy; 2: a report PDU is expected for the message.
Security Model: This field indicates the security model used to generate the message. When USM is used, it has a value of 3.
Engine ID: This field has the SNMPEngineID of the authoritative SNMP entity involved in the transaction. When a request PDU is generated from an SNMP engine, the remote peer (agent for a Get request and manager for a Trap request) is the authoritative SNMP entity.
Engine Boots: This field has the snmpengineboots value of the authoritative SNMP entity involved in the transaction.
Engine Time: This field has the snmpenginetime value of the authoritative SNMP entity involved in the transaction.
User Name: This field contains the principal who originated the request.
Security Parameters: This field contains the security parameters that are security model dependent. It contains the authentication parameters and the privacy parameters for the USM.
Context Engine ID: Within an administrative domain, the contextengineid uniquely identifies an SNMP entity that may realize an instance of a context with a particular contextname. [3]
Context Name: A contextname is used to name a context. Each contextname must be unique within an SNMP entity.
PDU: The SNMP PDU (Protocol Data Unit) is used for communication between the SNMP entities. The PDU types for SNMPv3 are the same as the SNMPv

Abstract Syntax Notation Number One (ASN.1)

ASN.1 [13] is a standard notation for describing data structures and encoding rules for communication between entities. The main purpose of using ASN.1 is that it does not depend on the platform on which the described data structures originate. Due to its support for many encoding rules, it can form very bandwidth-efficient transmissions between entities. The standard has some pre-defined simple types like integers, boolean values, strings etc. ASN.1 also has support for describing more complex constructed data types such as structures.

Encoding Rules of ASN.1

ASN.1 supports several different encoding rules. Two of these standard encoding rules are BER (Basic Encoding Rules) and PER (Packed Encoding Rules); both define how the values defined in ASN.1 shall be encoded. The BER encoding rules are used in SNMP. Each field in the SNMP message format is encoded as an array of three fields. All BER-encoded ASN.1 values are encoded in the Type, Length, Value (TLV) format. Figure 11 shows the TLV format. In a BER package, TYPE represents the ASN.1 type. The next field, LENGTH, states how long the value being transmitted is. VALUE is the actual value that shall be transmitted.

TYPE | LENGTH | VALUE

Figure 11 A block diagram describing the ASN.1 value encoded with BER (TLV format)

Structure of Management Information (SMI)

The Structure of Management Information (SMI) is given in RFC 1155 [1] and is based on the OSI SMI given in Draft proposal 2684. The current version, SMI V2, is described in RFC 2678 [2]. Management Information is a collection of managed objects and is termed the MIB (Management Information Base).

MIB (Management Information Base)

Management Information is a collection of managed objects and is termed the MIB. Objects in the MIB are defined using a subset of Abstract Syntax Notation One (ASN.1) called "Structure of Management Information Version 2 (SMIv2)", RFC 2578 [2]. The MIB can be considered as a tree-structured database in which each entry is addressed through an object identifier (OID). This structure is the basis for SNMP's naming scheme. An object ID is made up of a series of integers based on the nodes in the tree, separated by dots (.). The latest Internet MIB, given in RFC 1213 [2], is called MIB II [10]. The hierarchical order of MIB II is shown in Figure 12 [11].

The MIB, or Management Information Base, is an ASCII text file that describes SNMP network elements as a list of data objects. Every object referred to in an SNMP message must be listed in the MIB, because as far as SNMP managers and agents are concerned, if a component of a network device isn't described in the MIB, it doesn't exist. Each managed object has a numeric OID and an associated textual name. The dotted decimal notation represents how a managed object is represented internally within an agent and consists of the textual name. The MIB translates numerical strings into human-readable text. When an SNMP device sends a trap or other message, it identifies each data object in the message with a number string called an object identifier, or OID. The SNMP manager imports the MIB through a software function called compiling. Compiling converts the MIB from its raw ASCII format into a binary format the SNMP manager can use.

The definition of managed objects can be broken down into the three attributes listed below.

i. Name: The name, or object identifier (OID), uniquely defines a managed object. Names commonly appear in two forms: numeric and human readable.
ii. Type and Syntax: A managed object's datatype is defined using a subset of Abstract Syntax Notation One (ASN.1). ASN.1 is a way of specifying how data is represented and transmitted between managers and agents, within the context of SNMP.
iii. Encoding: A single instance of a managed object is encoded into a string of octets using the Basic Encoding Rules (BER). BER defines how the objects are encoded and decoded so that they can be transmitted over a transport medium such as Ethernet.
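The SNMPv1/v2 message layout (version, community string, PDU) and the BER Type-Length-Value encoding described above can be followed byte by byte with a small decoder. The block below is an added example, not code from the thesis: the packet is a constructed SNMPv1 GetRequest, and the function names and the WEAK_COMMUNITIES set are assumptions made for illustration. It also shows that the community string travels as readable text, which is why a monitoring tool can flag default values.

```python
"""Decode an SNMPv1/v2c message by walking its BER Type-Length-Value fields."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
# Assumption for this example: community strings treated as guessable defaults.
WEAK_COMMUNITIES = {"public", "private"}

# Constructed sample: SNMPv1 GetRequest, community "public", request ID 1,
# one variable binding for 1.3.6.1.2.1.1.6.0 with a NULL value.
SAMPLE = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes: the whole message
    "020100"                    # INTEGER 0     -> version field (SNMPv1)
    "04067075626c6963"          # OCTET STRING  -> community "public"
    "a019"                      # context tag 0xA0 -> GetRequest PDU
    "020101" "020100" "020100"  # request ID, error status, error index
    "300e" "300c"               # variable-bindings list holding one binding
    "06082b06010201010600"      # OBJECT IDENTIFIER 1.3.6.1.2.1.1.6.0
    "0500"                      # NULL (the value is ignored in a Get request)
)


def read_tlv(buf, pos):
    """Return (type, value, next_pos) for the TLV that starts at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n octets hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode base-128 sub-identifiers; the first one packs the first two arcs."""
    subids, acc = [], 0
    for octet in value:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:              # high bit clear ends a sub-identifier
            subids.append(acc)
            acc = 0
    if not subids:
        raise ValueError("empty OBJECT IDENTIFIER")
    first = min(subids[0] // 40, 2)
    return ".".join(str(a) for a in [first, subids[0] - 40 * first] + subids[1:])


def decode_value(tag, value):
    if tag == 0x02:                       # INTEGER (two's complement)
        return int.from_bytes(value, "big", signed=True)
    if tag == 0x04:                       # OCTET STRING
        return value.decode("latin-1")
    if tag == 0x05:                       # NULL
        return None
    if tag == 0x06:                       # OBJECT IDENTIFIER
        return decode_oid(value)
    if tag in (0x41, 0x42, 0x43):         # Counter32, Gauge32, TimeTicks
        return int.from_bytes(value, "big")
    return value.hex()                    # anything else: keep the raw bytes


def expect(buf, pos, wanted_tag):
    """Read one TLV and insist on its type; return (value, next_pos)."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != wanted_tag:
        raise ValueError(f"expected type 0x{wanted_tag:02x}, got 0x{tag:02x}")
    return value, pos


def decode_message(packet):
    """Return the header fields and variable bindings of one SNMP message."""
    body, _ = expect(packet, 0, 0x30)
    version, pos = expect(body, 0, 0x02)
    community, pos = expect(body, pos, 0x04)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:          # e.g. the v1 Trap PDU has another layout
        raise ValueError(f"PDU type 0x{pdu_tag:02x} not handled in this example")
    header, pos = [], 0
    for _ in range(3):                    # request ID, error status, error index
        field, pos = expect(pdu, pos, 0x02)   # (GetBulk: non-repeaters, max-repetitions)
        header.append(decode_value(0x02, field))
    bindings, _ = expect(pdu, pos, 0x30)
    varbinds, pos = [], 0
    while pos < len(bindings):
        pair, pos = expect(bindings, pos, 0x30)
        name, value_pos = expect(pair, 0, 0x06)
        value_tag, value, _ = read_tlv(pair, value_pos)
        varbinds.append((decode_oid(name), decode_value(value_tag, value)))
    community = community.decode("latin-1")
    return {"version_field": decode_value(0x02, version), "community": community,
            "weak_community": community in WEAK_COMMUNITIES,
            "pdu_type": PDU_TYPES[pdu_tag], "request_id": header[0],
            "error_status": header[1], "error_index": header[2],
            "varbinds": varbinds}


if __name__ == "__main__":
    for key, val in decode_message(SAMPLE).items():
        print(f"{key}: {val}")
```
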

Figure 12 MIB-II subtree

Subtree Name | OID | Description
system | | Defines a list of objects such as the system uptime, system contact, and system name.
interfaces | | Keeps track of the status of each interface on a managed entity. The interfaces group monitors which interfaces are up or down and tracks such things as octets sent and received, errors and discards, etc.
at | | The address translation group is deprecated and is provided only for backward compatibility.
ip | | Keeps track of many aspects, including IP routing.
icmp | | Tracks things such as ICMP errors, discards, etc.
tcp | | Tracks things like the state of the TCP connection (e.g., closed, listen, synsent, etc.).
udp | | Tracks UDP statistics, datagram in and out, etc.
egp | | Tracks various statistics about the Exterior Gateway Protocol (EGP) and keeps an EGP neighbor table.
transmission | | No objects are currently defined for this group, but other media-specific MIBs are defined using this subtree.
snmp | | Measures the performance of the underlying SNMP implementation on the managed entity and tracks things such as the number of SNMP packets sent and received.

Table 2 Table briefly describes each management group defined in MIB-II [RFC 1213]

1.2.6 SNMP Operations

In SNMP operations, the manager and agents communicate by exchanging messages. The manager uses messages to request operations to be performed on the SNMP agent. The Protocol Data Unit (PDU) is the message format that managers and agents use to send and receive information. There is a standard PDU format for each of the following SNMP operations. The operations of SNMP are shown in Figure 13 [12]. The SNMP operations and message PDU formats are described below.

i. get
ii. getnext
iii. getbulk (SNMPv2 and SNMPv3)
iv. set
v. getresponse
vi. trap
vii. notification (SNMPv2 and SNMPv3)
viii. inform (SNMPv2 and SNMPv3)
ix. report (SNMPv2 and SNMPv3)

Figure 13 SNMP operations

Get Operations

Description

The get request is initiated by the manager and sent to the agent. The agent receives the request and processes it. If the agent is successful in gathering the requested information, it sends a getresponse back to the NMS, where it is processed. Some devices that are under heavy load, such as routers, may not be able to respond to the request and will have to drop it. One of the items in the get request is a variable binding. A variable binding, or varbind, is a list of MIB objects that allows a request's recipient to see what the originator wants to know. Figure 14 [18] shows the basic get operation.

Figure 14 Get request sequence

SNMP Get Commands and Output

    $ snmpget -v 1 -c public cisco.ora.com
    system.syslocation.0 = ""

The command gives the name of the device to query (cisco.ora.com), the read-only community string (public) and the OID, which is the system group followed by .6 and .0. The .6 is actually the MIB variable to query; its human-readable name is syslocation. Here system location is set to on the Cisco router. But the response is system.syslocation.0 = "", which means the system location on this router is currently not set to anything.

The getnext Operation

Description

The getnext operation issues a sequence of commands to retrieve a group of values from a MIB. The getnext command traverses a subtree in lexicographic order. The agent starts at the root of its SMI object tree and works its way down until it finds the OID it is looking for. This searching method is called depth-first [13]. When the NMS receives a response from the agent for the getnext command, it issues another getnext command. It keeps doing this until the agent returns an error, signifying that the end of the MIB has been reached and there are no more objects left to get.

SNMP GetNext Commands and Output

    $ snmpwalk -v 1 -c public cisco.ora.com system
    system.sysdescr.0 = "Cisco IOS Software, C2600 Software (C2600-IPBASE-M), Version 12. 3(8)T3, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) by Cisco Systems, Inc. Compiled Tue 20-Jul-04 17:03 by eaarmas"
    system.sysobjectid.0 = OID: enterprises
    system.sysuptime.0 = Timeticks: ( ) 3 days, 3:35:07.23
    system.syscontact.0 = ""
    system.sysname.0 = "cisco.ora.com"
    system.syslocation.0 = ""
    system.sysservices.0 = 6

(OID ) represents system group

The getbulk Operation

Description

SNMPv2 defines the getbulk operation, which allows a management application to retrieve a large section of a table at once. The standard get operation can attempt to retrieve more than one MIB object at once, but message sizes are limited by the agent's capabilities. If the agent can't return all the requested responses, it returns an error message with no data. The getbulk operation tells the agent to send back as much of the response as it can. This means that incomplete responses are possible. Figure 15 [18] shows the getbulk operation.

Two fields must be set when issuing a getbulk command: nonrepeaters and maxrepetitions.

Nonrepeaters: tells the getbulk command that the first N objects can be retrieved with a simple getnext operation.

Maxrepetitions: tells the getbulk command to attempt up to M getnext operations to retrieve the remaining objects.

Figure 15 Get-bulk request sequence

SNMP Getbulk Commands and Output

    $ snmpbulkget -v2c -c public -Cn1 -Cr3 linux.ora.com sysdescr ifinoctets ifoutoctets
    system.sysdescr.0 = " Linux snort #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
    interfaces.iftable.ifentry.ifinoctets.1 =
    interfaces.iftable.ifentry.ifoutoctets.1 =
    interfaces.iftable.ifentry.ifinoctets.2 =
    interfaces.iftable.ifentry.ifoutoctets.2 =
    interfaces.iftable.ifentry.ifinoctets.3 = 0
    interfaces.iftable.ifentry.ifoutoctets.3 = 0

The command requests three bindings: sysdescr, ifinoctets, and ifoutoctets.

The total number of variable bindings that are requested is given by the formula N + (M * R), where N is the number of nonrepeaters (i.e., scalar objects in the request; in this case 1, because sysdescr is the only scalar object), M is max-repetitions (in this case, it is arbitrarily set to 3), and R is the number of nonscalar objects in the request (in this case 2, because ifinoctets and ifoutoctets are both nonscalar). Plugging in the numbers from this example gives 1 + (3 * 2) = 7, which is the total number of variable bindings that can be returned by this getbulk request.

Since getbulk is an SNMPv2 command, snmpbulkget is told to use an SNMPv2 PDU with the -v2c option. Nonrepeaters and max-repetitions are set with the -Cn1 and -Cr3 options. This sets nonrepeaters to 1 and max-repetitions to 3. This command returned seven variable bindings: one for sysdescr and three each for ifinoctets and ifoutoctets.

    $ snmpbulkget -v2c -Cn1 -Cr -c public sysdescr syscontact

    Frame 1 (97 bytes on wire, 97 bytes captured)
    Arrival Time: Sep 20, :24:
    Time delta from previous packet: seconds
    Time since reference or first frame: seconds
    Frame Number: 1
    Packet Length: 97 bytes
    Capture Length: 97 bytes
    Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
    Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)
    Source: 00:00:00:00:00:00 (00:00:00_00:00:00)
    Type: IP (0x0800)

The set Operation

Description

The set command is used to alter the objects defined in the MIB, either by changing the value of an object or by creating a new row in a table. Objects that are defined in the MIB as read-write or read-only. It is possible for an NMS to set more than one object at a time. The example in Figure 16 [18] queries the syslocation variable and sets it to a value [11].

Figure 16 Set request sequence

SNMP set Operation Commands and Output

    $ snmpget -v 1 -c public cisco.ora.com system.syslocation.0
    system.syslocation.0 = ""
    $ snmpset -v 1 -c private cisco.ora.com system.syslocation.0 s "Atlanta, GA"
    system.syslocation.0 = "Atlanta, GA"
    $ snmpget -v 1 -c public cisco.ora.com system.syslocation.0
    system.syslocation.0 = "Atlanta, GA"

The getresponse Operation

Error responses help to determine whether the get or set request was processed correctly by the agent. The get, getnext, getbulk, and set operations can return the error responses shown in Table 3 [11].

SNMPv1 error message    Meaning of the error message
noerror(0)              There was no problem performing the request.
toobig(1)               The response to the request was too big to fit into one response.
nosuchname(2)           An agent was asked to get or set an OID that it can't find; i.e., the OID doesn't exist.
badvalue(3)             A read-write or write-only object was set to an inconsistent value.
readonly(4)             This error is generally not used. The nosuchname error is equivalent to this one.
generr(5)               This is a catchall error. If an error occurs for which none of the previous messages is appropriate, a generr is issued.

Table 3 SNMPv1 error messages

Traps Operation

Description

A trap is a way for an agent to tell the NMS that something bad has happened. The trap originates from the agent and is sent to the trap destination. The trap destination is typically the IP address of the manager. In the trap operation no acknowledgment is sent from the manager to the agent, so the agent has no way of knowing whether the trap makes it to the NMS. Since SNMP uses UDP, and since traps are designed to report problems with the network, traps are especially prone to getting lost and not making it to their destinations. In a well-planned environment traps are an integral part of network management. Here are a few situations that a trap might report:

- A network interface on the device (where the agent is running) has gone down.
- A network interface on the device (where the agent is running) has come back up.
- An incoming call to a modem rack was unable to establish a connection to a modem.
- The fan on a switch or router has failed.

A trap is first identified by its generic trap number. There are seven generic trap numbers (0 to 6). Table 4 lists all generic traps and their definitions [11]. A trap is usually packed with information. This information is in the form of MIB objects and their values; these object-value pairs are known as variable bindings. For the generic traps 0 through 5, knowledge of what the trap contains is generally built into the NMS software or trap receiver. The variable bindings contained in an enterprise-specific trap are determined by whoever defined the trap. For example, if a modem in a modem rack fails, the rack's agent may send a trap to the NMS reporting the failure. The trap will most likely be an enterprise-specific trap defined by the rack's manufacturer; the trap's contents are up to the manufacturer, but it will probably contain enough information to determine exactly what failed (for example, the position of the modem card in the rack and the channel on the modem card). Trap operations are shown in Figure 17 [18].

Figure 17 The trap-generation sequence

Generic trap name and number    Definition
coldstart (0)                   The SNMP agent initialized its configuration tables.
warmstart (1)                   The SNMP agent re-initialized its configuration tables.
linkdown (2)                    The state of a network adapter on the SNMP agent changed from up to down.
linkup (3)                      The state of a network adapter on the SNMP agent changed from down to up.
authenticationfailure (4)       The SNMP agent received a message from an SNMP manager, but the message contained an invalid community name.
egpneighborloss (5)             The SNMP agent could not communicate with its Exterior Gateway Protocol (EGP) peer.
enterprisespecific (6)          Reserved for vendor-defined error conditions and error codes.

Table 4 Generic traps

SNMP Notification

Description

SNMPv2 defines a NOTIFICATION-TYPE. The PDU format for NOTIFICATION-TYPE is identical to that of get and set. RFC 2863 redefines the linkdown generic notification type [14].

    LinkDown NOTIFICATION-TYPE
        OBJECTS { ifindex, ifadminstatus, ifoperstatus }
        STATUS current
        DESCRIPTION
            "A linkdown trap signifies that the SNMPv2 entity, acting in an Agent's role, has detected that the ifoperstatus object for one of its communication links left the down state and transitioned into some other state (but not into the notpresent state). This other state is indicated by the included value of ifoperstatus."
        ::= { snmptraps 3 }

The list of bindings is called OBJECTS rather than VARIABLES. The first object is the specific interface (ifindex) that transitioned from the linkdown condition to some other condition. The OID for this trap is , or iso.org.dod.internet.snmpv2.snmpmodules.snmpmib.snmpmibobjects.snmptraps.linkdown.

Creating an SNMP Notification

    $ snmptrap -v2c -c public '' ifindex i 2 ifadminstatus i 1 ifoperstatus i

SNMP Inform

SNMPv2 provides an inform mechanism, which allows for acknowledgement after receiving traps. This operation can be useful when the need arises for more than one NMS in the network. When an inform message is sent, the receiver sends an acknowledgement message to the sender. An SNMP inform can be used to send SNMPv2 traps to a manager. If an inform mechanism is used for this purpose, the agent will be notified when the NMS receives the trap.

SNMP Report

The report operation was defined in the draft version of SNMPv2 but was never implemented. It is now part of the SNMPv3 standard and is intended to allow SNMP engines to communicate with each other (mainly to report problems with processing SNMP messages).

2 SNMP Vulnerability and Solution

2.1 Description

By enabling SNMP services, devices can monitor network statistics such as port utilization, device connectivity, errors, packet drops, packet discards, and other critical network health statistics. Enabling SNMP services makes it easy to monitor any network effectively and efficiently, but it also makes the network vulnerable to security attacks. It could enable an intruder to gain unauthorized access to the system on which the SNMP software is running, launch denial of service attacks that bring the system down, or cause unstable behavior.

2.2 Type of Threats

Several classical threats can harm a network: unauthorized persons may shut the network down, or gain access to the secret information and confidential data of the network. The threats through which unauthorized access to a network can happen are described below.

Masquerading

This is the threat that an SNMP message may be maliciously altered during transit. That is, the attacker gains the authority to act in someone else's role and perform some tasks on behalf of the victim. This is the most critical threat to a network. One way to masquerade is to use spoofing [14]. By spoofing, the attacker plays the role of a network manager, and can thus gain the manager's access to all confidential data and do every job in the network that a network manager is authorized to do.

Modification of Information

The threat of modification of information means that, while SNMP messages are being transmitted, an attacker or some third party can modify a message. The modified message is then passed to the original receiver. The receiver of the message thinks that the message was sent by the trusted source, while the contents of the message have been changed. In network management, an authorized network manager can generate a valid management PDU. If an attacker succeeds in intercepting the transmission, the whole PDU can be changed while keeping the authentication information unchanged. This can happen if the PDU is neither signed nor encrypted.

2.2.3 Message Stream Modification

This means that the stream of SNMP messages is modified. The messages could be recorded and replayed. Network management was originally designed around connectionless management protocols, and most of the management protocols were designed to operate on connectionless transport services, so message stream modification is a severe threat in network management. An attacker could, for example, record the valid management message that orders a router to shut down. Then, in the future, the attacker could use the captured message to perform the router shutdown whenever he wanted to do so.

Disclosure

The threat of disclosure means that confidential information is leaked to people who shouldn't see it. In network security in general, sniffing SNMP traffic that is not encrypted is one way to do it. Also, in network management, some management PDUs can carry crucial information about the network and the managed nodes themselves. So, if an attacker spies on the management traffic on a network segment, he could get some important information. That information could be used as the basis for other attacks, such as masquerading. A way to fight the threat of disclosure is to encrypt the messages.

Denial of Service (DoS)

This means that some network service becomes blocked somehow. An attacker could, for example, try to open TCP connections to a host continuously and in that way block all other connection requests. In network management this could mean that an attacker succeeds in blocking the flow of management protocol messages between the manager and the agent. In network management, DoS can also be a consequence of the other threats taking place. For example, if an attacker succeeds in masquerading and acting as the network manager, he can possibly give the shutdown command to a specific router. This is, in fact, a denial-of-service type of threat taking place.

Traffic Pattern Analysis

This is a threat where the information contents of the SNMP messages are ignored. Instead, the crucial information about the system is extracted from the usual patterns of the traffic flow. Both of these last two threats are hard to prevent.

2.3 Securities in SNMP

Security of SNMP Version 1

The basic SNMP has very primitive security functions. Managers can be authenticated by community name. The community name [15] is used in defining management groups with differing access rights. That is, the community name is used to define which managers are allowed to submit get or set requests. The same community name mapping is used to define access policies for different managers. The SNMP community is locally defined at a node, and the same name may be used at multiple nodes. When a manager wants to perform some kind of management task (get or set), it always has to present the community name that matches its need for access rights. In order to manage a selection of nodes, the manager has to maintain a list of all the relevant community names. Anybody who knows a community name can act as a manager. In addition, compromising a community name compromises the security of the management in the network.

The second problem with the security of SNMP is that there is no privacy. No encryption is done on an SNMPv1 message, which is a threat to the network because any third party can learn what is in the message. That in turn makes sniffing a greater threat. Anybody could listen to unencrypted UDP-based SNMP traffic and catch the community name at a router. This means that eavesdropping and masquerading are the most obvious threats to take place. The weak authentication of SNMP is bad enough by itself. The lack of privacy makes things even worse. Due to the total insecurity of SNMP, it is mostly used only for monitoring the agents. Actually, in most implementations, the SNMP "set" function is disabled just because it is ridiculously easy for an attacker to maliciously manage someone else's devices.

Security of SNMP Version 2

This version of the protocol added strong security to the protocol operations of SNMPv1. The SNMPv2 standardization wasn't successful. The specification and design of SNMPv2 was initiated to enhance SNMP functionality, and security was given some priority. A security scheme called "Party-Based Security" was introduced. Because the original SNMPv2 proposal was never really taken into any broader use, the Party-Based Security Model isn't introduced here. The following is a brief description of the versions of the SNMP protocol [12].

SNMPv1: This is the first version of the protocol. Security is based on community strings.

SNMPsec: This version of the protocol added strong security to the protocol operations of SNMPv1. A few vendors implemented this protocol.

SNMPv2p: For this version, much work was done to update the SNMPv1 protocol and the SMIv1. The result was updated protocol operations, new protocol operations and data types, and party-based security from SNMPsec.

SNMPv2c: This version of the protocol is called community string-based SNMPv2. It is an update of the protocol operations and data types of SNMPv2p, and uses community-based security from SNMPv1.

SNMPv2u: This version of the protocol uses the protocol operations and data types of SNMPv2c and security based on users.

SNMPv2*: This version combined the best features of SNMPv2p and SNMPv2u.

The standardization process of SNMPv2 was stuck with two competing proposals, SNMPv2u and SNMPv2*, which both had a user-based security model. Unfortunately, a compromise was made and a proposal named SNMPv2c was standardized.

Security of SNMP Version 3

This version of the protocol is a combination of user-based security, the protocol operations and data types from SNMPv2p, and support for proxies. Two vulnerabilities have been discovered in the implementation of SNMPv3 networks.

1. The one-way authentication used in SNMPv3 leads to the man-in-the-middle (MITM) attack, as in wireless networks. The MITM can play a dual role: an agent and a manager. In this case, the manager will start managing the agent through the MITM. Moreover, the MITM may take the role of the agent; as a consequence, the manager, which is the non-authoritative entity, will try to synchronize its clock (SNMP engine time, SNMP engine boots) to that of the agent, which is the authoritative entity. This will render all communication with the authentic device unauthentic.

2. An attacker can take his time to crack the admin password. Once the admin password is discovered, the attacker will be able to manage all the devices that belong to the manager. In this case, updating the admin password will make no sense, since the old password is already known by the attacker.

Figure 18 shows how a man-in-the-middle attack takes place [16]. Here, when packets are being transferred between two network elements, a third party can get access to the packets and can see what information is in them.

Figure 18 Man in the Middle attack

Using SNMPv3, users can securely collect management information from their SNMP agents. Confidential information, such as SNMP set packets that change a device's configuration, can be encrypted to prevent their contents from being exposed during transmission. Also, the group-based administrative model allows different users to access the same SNMP agent with varying access privileges. The effective PDU, which is either an SNMPv1 PDU or an SNMPv2 PDU, is encapsulated in an SNMPv3 packet. This encapsulation provides security-related functions at the level of message processing. The necessary decryption and authentication functions are performed in SNMPv3 before the PDU is passed to the SNMP applications.

SNMPv3 Mechanisms to Implement Security

i. User-Based Security Model (USM)

USM [17] is the security model that implements the actual security services for authentication and privacy. Two different secret keys are needed, one for privacy (encryption key or privacy key, privkey) and the other for authentication (authentication key, authkey). These keys are not stored in the MIB of the node. Therefore they are not directly accessible through SNMP get or set functions. Privacy is provided through the use of an encryption scheme.

ii. Authentication and Integrity

For authenticating the sender and checking the integrity of messages, the USM supports two different authentication protocols, both of which are based on the widely used HMAC. In HMAC-MD5-96 the secure hash function is MD5, and in HMAC-SHA-96 it is SHA-1 [18]. Inputs for both of the hash functions are the message to be sent and the secret authentication key of the user (authkey). Both hash functions produce an output, which is in both cases truncated to a message authentication code (MAC) of 12 octets. The calculated and truncated MAC is then appended to the message to be sent.

Upon reception the recipient does the following. The received message and the authkey are used as inputs for HMAC to calculate the MAC, as was done when the message was sent. If the calculated MAC is not the same as the MAC of the received message, the message is ignored. If, on the other hand, the MAC that was just calculated is the same as the MAC the received message contained, the recipient can be sure about two things:

Integrity: The message couldn't have been changed during the transmission. An attacker would have to know the secret authkey to change the message without being noticed.

Authenticity: To calculate the correct MAC the sender has to know the secret key. If the secret key is only known by the sender and the recipient, one can be sure that the message was sent by the authentic party.

iii. Timeliness Verification of Messages

Message delay or message replay attacks can happen in the network. To make SNMPv3 secure against this kind of flow-manipulating attack, the USM has a timing mechanism: SNMPv3 demands that messages be received within a reasonable time window. The timeliness mechanism is based on two counters associated with each single SNMP engine: snmpengineboots and snmpenginetime. When an SNMP engine is installed, both values are set to zero. After the SNMP engine has been started, snmpenginetime is incremented once per second. Using a complex synchronization mechanism, an SNMP engine maintains an estimate of the time values for each of the remote engines with which it communicates. These estimated values are placed in each outgoing message. The receiving management node's SNMP engine then determines whether or not the incoming message is within the acceptable time window of 150 seconds. If the message doesn't fit the time window, it is simply ignored.
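The following is an added example, not code from the thesis, showing the authentication and timeliness checks described above working together: a 12-octet HMAC-MD5-96 tag is verified first, then the 150-second window. The function names and the message framing (boots, time, payload, MAC) are assumptions made for illustration, not the SNMPv3 wire encoding; the key is derived with the USM password-to-key and key-localization procedure, using the sample password and engine ID from RFC 3414's appendix.

```python
import hashlib
import hmac
import struct

TIME_WINDOW = 150   # seconds; the acceptance window given in the text
MAC_LEN = 12        # HMAC output is truncated to 12 octets (96 bits)


def localized_md5_key(password: bytes, engine_id: bytes) -> bytes:
    """USM password-to-key with localization for one user/engine pair."""
    # Ku: MD5 over the password repeated until 1,048,576 octets are consumed.
    total = 1024 * 1024
    stream = (password * (total // len(password) + 1))[:total]
    ku = hashlib.md5(stream).digest()
    # Kul = MD5(Ku || snmpEngineID || Ku), so each engine gets its own key.
    return hashlib.md5(ku + engine_id + ku).digest()


def mac96(auth_key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 truncated to the first 12 octets."""
    return hmac.new(auth_key, data, hashlib.md5).digest()[:MAC_LEN]


def protect(auth_key: bytes, engine_boots: int, engine_time: int,
            payload: bytes) -> bytes:
    """Build a toy message: boots | time | payload | MAC.

    Constructed framing. The MAC is appended as the text describes; real
    USM carries it in the msgAuthenticationParameters field instead.
    """
    body = struct.pack("!II", engine_boots, engine_time) + payload
    return body + mac96(auth_key, body)


def receive(auth_key: bytes, local_boots: int, local_time: int, wire: bytes):
    """Return (status, payload); authentication is checked before timeliness."""
    if len(wire) < 8 + MAC_LEN:
        return ("malformed", None)
    body, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
    # Constant-time comparison avoids leaking how many MAC octets matched.
    if not hmac.compare_digest(mac96(auth_key, body), mac):
        return ("bad-mac", None)
    boots, etime = struct.unpack("!II", body[:8])
    # Outside the window if the boot counter differs or the engine time
    # is more than 150 seconds away from the receiver's notion of it.
    if boots != local_boots or abs(local_time - etime) > TIME_WINDOW:
        return ("not-in-time-window", None)
    return ("accepted", body[8:])


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")   # sample value
    key = localized_md5_key(b"maplesyrup", engine_id)        # sample password
    msg = protect(key, 7, 1000, b"set sysLocation.0")        # constructed message
    print("fresh   :", receive(key, 7, 1010, msg)[0])
    print("replayed:", receive(key, 7, 5000, msg)[0])
    tampered = msg[:8] + b"S" + msg[9:]
    print("tampered:", receive(key, 7, 1010, tampered)[0])
```

Because the boots and time fields are covered by the MAC, rewriting them to make a recorded message look fresh fails authentication before the window is even consulted.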

iv. Privacy through Encryption

For privacy, the USM uses the Data Encryption Standard (DES) for ciphering messages. The secret key needed for encryption is obtained by taking the first eight octets of the privacy key (privkey) associated with the user. The initial vector (IV) needed for the DES encryption algorithm is the same as the last eight octets of the privacy key. The encryption of messages is optional. Like the authentication key, the encryption key has to be set locally on the managed node.

Using secret-key (symmetric) cryptography presents the SNMPv3 system with additional challenges. The management of keys becomes a usability and security issue. If all the managed nodes have different secret keys, the manager has to possess as many secret keys as there are managed nodes. The setup and management of keys quickly become a burden. If the management station is hacked and the secret keys are compromised, all the nodes have to be reconfigured by hand. On the other hand, one might like to use just one and the same secret key at all the managed nodes. The problem with this is that compromising the only secret key compromises the security of the entire management system, that is, all the managed nodes. In USM, however, this problem is solved by a technique called Key Localization. The key creation, update and management are described in RFC-2274 [2]. The idea is to generate a unique key (called the localized key) for each user/SNMP-engine pair by using the user's password and the snmpengineid, which is the ID of the target SNMP engine.

v. View-Based Access Control

In general, there exist various ways to manage access control, that is, determining the access rights of a remote user to alter or view the local MIB. Access control is thus a security function that is performed at the PDU level. The access control mechanism intended to be used with SNMPv3 is called the View-Based Access Control Model (VACM), specified in RFC [2]. The VACM determines access rights on a per-group basis. This is different from the USM, which specifies the authentication of users individually. In VACM each user has to be included in some group, and the different groups can then be granted different security levels. This means that there might be, for example, a group of root managers who have the ultimate control to alter all the parameters in all the managed nodes. Additionally, there could be a group of minor, observing managers who would be granted only read permissions to certain parts of each local MIB. The access rights are stored in different tables at the node, and each of the tables is consulted to determine the access rights of the requesting manager. The procedure is based on the following concepts:

- "Who" is the subject of the operation and is defined by the security model and security name. This subject then belongs to one group at this SNMPv3 node.
- The contextname specifies "where" the desired management object can be found.
- "How" is the combination of securitymodel and securitylevel, and it defines how the incoming request was protected.
- The viewtype specifies the type of access request ("why"). The options are read, write, or notify access requests.
- The object of the SNMP operation ("what") is defined by the variablename.

The final access decision is made by comparing the variablename to the retrieved MIB view. If the variablename is found in the MIB view, access is granted.

Other Securities

The same precautions should be taken with community strings as would be taken with superuser or administrator passwords. Community strings should be chosen in such a way that nobody can guess them, and they should be changed periodically. Although someone with the read-only community string can't do as much damage as someone with the read-write string, it is necessary to take the same precautions for both. When an agent is configured, it's a good idea to limit the devices that can make SNMP requests (assuming that the agent allows this restriction). That way, even if someone gets the community strings, he'll have to spoof the IP address of one of the management stations to do any damage. Since some attackers know how to spoof, a better solution is to prevent the SNMP packets from being visible on the external network by configuring firewalls and access lists. A separate administrative network can be built for SNMP queries and other management operations. To use SNMP to monitor the network from home, it is necessary to install VPN software, or some form of tunneling, to keep SNMP traffic private.
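The View-Based Access Control decision described above (who, where, how, why, what) can be walked through in code. This is an added example, not code from the thesis: the users, groups, view names and table contents are constructed sample values, the returned status names follow VACM's access-check outcomes, and view matching is simplified to "longest matching subtree wins" without subtree masks.

```python
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# "Who": (securityModel, securityName) -> group. Constructed sample entries.
GROUPS = {
    ("usm", "rootadmin"): "root-managers",
    ("usm", "noc-viewer"): "observers",
}

# "Where": contexts known at this agent; "" is the default context.
CONTEXTS = {""}

# (group, contextName, securityModel) -> minimum level ("how") and the
# MIB view to use for each viewType ("why").
ACCESS = {
    ("root-managers", "", "usm"): {
        "level": "authPriv",
        "read": "everything", "write": "everything", "notify": "everything",
    },
    ("observers", "", "usm"): {
        "level": "authNoPriv",
        "read": "system-ro", "write": None, "notify": None,
    },
}

# View name -> list of (subtree OID, included?).
VIEWS = {
    "everything": [((1, 3, 6, 1), True)],
    "system-ro": [
        ((1, 3, 6, 1, 2, 1, 1), True),       # the system group
        ((1, 3, 6, 1, 2, 1, 1, 4), False),   # but hide sysContact
    ],
}


def parse_oid(text: str) -> tuple:
    """Turn '1.3.6.1.2.1.1.6.0' (optionally with a leading dot) into a tuple."""
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(view_name: str, oid: tuple) -> bool:
    """The longest subtree that prefixes the OID decides include/exclude."""
    best = None
    for subtree, included in VIEWS[view_name]:
        if oid[:len(subtree)] == subtree:
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
    return best is not None and best[1]


def is_access_allowed(security_model, security_name, security_level,
                      view_type, context_name, variable_name) -> str:
    """Consult each table in turn and report where the request stops."""
    if context_name not in CONTEXTS:
        return "noSuchContext"
    group = GROUPS.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    entry = ACCESS.get((group, context_name, security_model))
    if entry is None or LEVELS[security_level] < LEVELS[entry["level"]]:
        return "noAccessEntry"
    view = entry[view_type]
    if view is None or view not in VIEWS:
        return "noSuchView"
    if not in_view(view, parse_oid(variable_name)):
        return "notInView"
    return "accessAllowed"


if __name__ == "__main__":
    SYS_LOCATION = "1.3.6.1.2.1.1.6.0"
    IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7.2"
    requests = [
        ("rootadmin", "authPriv", "write", IF_ADMIN_STATUS),
        ("rootadmin", "authNoPriv", "write", IF_ADMIN_STATUS),
        ("noc-viewer", "authNoPriv", "read", SYS_LOCATION),
        ("noc-viewer", "authNoPriv", "write", SYS_LOCATION),
    ]
    for name, level, vtype, oid in requests:
        result = is_access_allowed("usm", name, level, vtype, "", oid)
        print(f"{name:11} {level:12} {vtype:6} {oid:22} -> {result}")
```

The second request shows the "how" check at work: a root manager who authenticates but does not encrypt is refused a write that the same user is granted at authPriv.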

3 Applications of SNMP in Network Management

3.1 Description

SNMP can ease the job of system administrators by performing many jobs automatically on their behalf through scripts, so that monitoring the system becomes relatively easy. SNMP can poll for disk-space utilization, and it can notify when mirrors are syncing or record who is logged in or out of the system. Most organizations therefore widely use Network Management Systems (NMS) to observe and manage their networks. Figure 19 shows network investigation using SNMP. One of the major functional areas of an NMS is Security Management. Therefore most organizations implement network management services for managing the network effectively. An NMS uses SNMP to carry out online monitoring of the network to detect threats. An NMS has five major functional areas: Fault Management, Accounting Management, Configuration and Name Management, Performance Management and Security Management [11].

SNMP is popular because it is flexible; vendors can easily add network management functions to their existing products. SNMP runs on a multitude of devices and operating systems that include, but are not limited to, core network devices (such as routers, switches, bridges, hubs, and wireless access points), networked office equipment (such as printers, copiers, and fax machines), and network and system management tools (such as network sniffers and network analyzers). SNMP is also used in managing medical equipment (imaging units and oscilloscopes) and manufacturing and processing equipment.

SNMP enables network and system administrators to remotely monitor and configure devices on their network such as servers, routers, workstations, hubs and switches. For example, if a network administrator wants to know the amount of traffic that is flowing through a network device, he or she can poll the device using SNMP request commands. Once the data is pulled from a router or a switch, it can be interpreted in many different ways. Network traffic throughput is not the only thing that can be determined using SNMP. It is also used to monitor CPU usage, device voltage and attributes, and environmental conditions. For example, a system administrator could monitor the temperature of a server chassis based on information obtained using SNMP. Monitoring the environmental conditions of routers and servers is important because if the temperature climbs too high, the devices could be damaged. In this way SNMP enables network and system administrators to manage network performance, find and solve network problems, and plan for network growth.

Figure 19 Network investigation using SNMP

Security management of a network involves:

- Scanning a network to determine what loopholes are in the network.
- On-line monitoring of the network for detecting any suspicious events.
- Data encryption and secure passwords.
- Firewall defense.

In response to this need, the Simple Network Management Protocol (SNMP) was developed to provide a tool for multi-vendor, interoperable network management. SNMP includes the following key capabilities:

- get: enables the management station to retrieve the value of objects at the agent.
- set: enables the management station to set the value of objects at the agent.
- trap: enables an agent to notify the management station of significant events.

Resources in the network are managed by representing them as objects, which are essentially data variables that represent different aspects of the managed agent. This collection of objects is referred to as a Management Information Base (MIB). The MIB is like a database. The MIB functions as a collection of access points at the agent for the management station. All of the values that are stored only in the MIB are dynamic. The information stored in the MIBs ranges from Object IDs (OIDs) to Protocol Data Units (PDUs). The MIBs must be located at both the agent and the manager to work effectively. SNMP is a clear choice, as the standard is designed for network monitoring; it is widely deployed, and was designed to be lightweight so as to be embedded in network equipment.

One of the most common uses of SNMP is for remote monitoring (RMON) of network devices. An RMON probe is a network device that can monitor traffic and set an alarm when a certain condition occurs. An RMON probe, which resides on a specific LAN, collects information for that LAN, performs more sophisticated processing than an SNMP agent, and reports more complex information such as link and individual Layer 2 throughput. Stand-alone RMON probe appliances are another solution that often delivers more complete RMON feature support than that found in most network equipment. RMON and SMON enable administrators to place probes in the network to perform remote polling, logging, and trap forwarding functions. Probes typically have the extra processing power to analyze and distill information before it is transferred to an NMS.

3.2 Functional Areas Where SNMP Work

Fault Management

The purpose of fault management is to inform the users or the monitoring systems of a system when a fault occurs. Fault management involves failure detection, resolving the fault that has been detected, keeping records of the faults, and logging the prevention mechanism. SNMP features can be used for a failure detection service. This includes the following functionalities:

i. Messaging Functions

When a fault occurs, SNMP manager informs the SNMP agent by sending a trap message. The trap message specifies what kind of fault has occurred. Fault types and objects are defined in the MIBs.

48 SNMP trap and inform message does the same function but trap messages are unacknowledged and inform messages are acknowledged. So it is not known whether trap messages are sent successfully or not. ii. Process Informing Function Host resource MIB [RFC 1907] [2] gives the information regarding process information. iii. Failure Detecting and Reporting Functions SNMP standard is designed for network monitoring. It is widely deployed, and was designed to be lightweight so as to be embedded in network equipment. SNMP can be used for the task of building a failure detection service. The Snmp failure detection service is known as SNMP FD. Available failure detection information is mentioned below : Process Failures When operation of a host crashes,the agent send a trap to the monitoring device to inform device crash has occurred. When a crash is detected by the operating system and the monitored agent is restarted. Upon restart, the agent will send a cold start trap (as specified by the SNMP standard). Link Crash Failures When a network list goes down,the agent of a device with the link inform SNMP manager that a link goes down. Host Failures When a host fails or reboot it can cause a network link down, and when the host restarts again, it may cause the network link up. This is often only signaled by the equipment by a link-up trap. Detection time for changes in the link state is quite long. The traps are only generated after roughly 1 second. The hardware does its own transient suppression and thus waits for the link state to stabilize. Depending on the equipment, the agent can be configured to send notifications instead of traps and do retries to ensure the notifications are reliably delivered. It is not possible to distinguish the crash of a single host from the failure of its entire links: both are signaled by link-down traps. Both cases indicate that further messages from the host should be expected. Link-down traps can be 48

49 correlated with ICMP Host unreachable packets which also signal that a host is unreachable. Network Failure If network equipment stop working, network failure may happen, and this is detected by the link connecting to them going down. It is also not possible to distinguish between the crash of some equipment and the failure of its entire links. Such failures should be handled by the networking infrastructure and does not concern directly the failure detection service; those failures could affect some failure detection parameters Configuration Management The purpose of configuration management is to monitor the network and system configurations. It monitors all the network devices and its configurations. If any hardware or software fault occurs it track, manage and notify the fault. Configuration management involves the following: 1. Operating system type 2. Installed firewall 3. Number of hard disk 4. Number of CPU s 5. Amount of RAM 6. All network devices and all of its interfaces Accounting Management The purpose of accounting management is to monitor whether networks and its resources are being used effectively or not. Proper Accounting Management can minimize network problems Performance Management The goal of performance management is to measure and report on various aspects of network or system performance. Steps involved in performance management: 1. Performance data are gathered. 2. Baseline levels are established based on analysis of the data gathered. 49

50 3. Performance thresholds are established. When these thresholds are exceeded, it is indicative of a problem that requires attention. One example of performance management is service monitoring. For example, an Internet service provider (ISP) may be interested in monitoring its service response time. This includes sending s via SMTP and getting via POP Security Management The purpose of security management involves securing the network and its hosts and resources from threats or unauthorized accesses. It includes network security systems as well as physical securities of network equipments by authorizing the users. 50
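The failure detection functions described earlier in this chapter can be sketched as a small correlator over cold-start traps, link traps and ICMP host-unreachable reports; this is an added example, not code from the thesis. The event record, the port inventory, the 120-second window and the verdict names are assumptions of the example, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Generic notification OIDs defined in SNMPv2-MIB (snmpTraps subtree).
COLD_START = "1.3.6.1.6.3.1.1.5.1"
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"
LINK_UP = "1.3.6.1.6.3.1.1.5.4"
# Label for reports from an ICMP probe; this is not an SNMP OID.
ICMP_UNREACHABLE = "icmp-host-unreachable"

# Assumed inventory: which host is attached to which (switch, ifIndex) port.
PORT_MAP = {("sw1", 3): "pc-a", ("sw1", 5): "printer-1", ("sw1", 7): "pc-b"}


@dataclass(frozen=True)
class Event:
    ts: float                       # receive time in seconds
    source: str                     # sender of the trap, or host named by ICMP
    kind: str                       # one of the constants above
    if_index: Optional[int] = None  # ifIndex carried by link traps


def subject(ev):
    """Host an event is about: the attached host for link traps, else the source."""
    if ev.kind in (LINK_DOWN, LINK_UP):
        return PORT_MAP.get((ev.source, ev.if_index))
    return ev.source


def diagnose(events, window=120.0):
    """Return sorted (timestamp, subject, verdict) tuples for the given events."""
    events = sorted(events, key=lambda e: e.ts)
    findings, explained = [], set()
    for i, ev in enumerate(events):
        if ev.kind != LINK_DOWN:
            continue
        host = subject(ev)
        if host is None:
            findings.append((ev.ts, f"{ev.source}/if{ev.if_index}", "unmapped-port-down"))
            continue
        # Events about the same host close to the link-down trap. ICMP reports may
        # arrive before the trap, because the trap is delayed by transient suppression.
        near = [(j, e) for j, e in enumerate(events)
                if j != i and subject(e) == host and abs(e.ts - ev.ts) <= window]
        after = [(j, e) for j, e in near if e.ts >= ev.ts]
        restart = next((j for j, e in after if e.kind == COLD_START), None)
        if restart is not None:
            explained.add(restart)          # cold start explains the link-down
            verdict = "host-restarted"
        elif any(e.kind == LINK_UP for _, e in after):
            # Traps are unacknowledged, so a missing cold start proves nothing.
            verdict = "link-restored"
        elif any(e.kind == ICMP_UNREACHABLE for _, e in near):
            verdict = "host-or-link-down-confirmed"
        else:
            verdict = "host-or-link-down-unconfirmed"
        findings.append((ev.ts, host, verdict))
    # A cold start with no preceding link-down points to an agent (process) restart.
    for j, ev in enumerate(events):
        if ev.kind == COLD_START and j not in explained:
            findings.append((ev.ts, ev.source, "agent-restarted"))
    return sorted(findings)


# Constructed sample events for illustration.
SAMPLE_EVENTS = [
    Event(10.0, "sw1", LINK_DOWN, 3),
    Event(55.0, "sw1", LINK_UP, 3),
    Event(70.0, "pc-a", COLD_START),
    Event(199.2, "printer-1", ICMP_UNREACHABLE),
    Event(200.0, "sw1", LINK_DOWN, 5),
    Event(400.0, "router-1", COLD_START),
    Event(500.0, "sw1", LINK_DOWN, 7),
    Event(503.0, "sw1", LINK_UP, 7),
    Event(700.0, "sw1", LINK_DOWN, 9),
]

if __name__ == "__main__":
    for ts, who, verdict in diagnose(SAMPLE_EVENTS):
        print(f"{ts:7.1f}  {who:<10}  {verdict}")
```

The two "host-or-link-down" verdicts stay deliberately ambiguous, because a link-down trap alone cannot separate a crashed host from a failed link.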

4 SNMP Monitoring of Wireless Network

4.1 Introduction

Stability and reliability are two main parameters of any network communication. In a wireless network there may be loss of data and synchronization problems. If the error rate in the transmission line increases, the transmission rate decreases, and vice versa. So it is very important to take care of administrative issues as well as physical layer communication issues, and there is a crucial need to understand the characteristics of the wireless traffic as well as of the wireless medium itself [19]. With proper monitoring tools it is possible to find the problems in the network. There are many tools, e.g. Wireshark, Ethereal and tcpdump, that can monitor wireless networks by capturing and analyzing the wireless traffic. SNMP tools can be used to monitor wireless networks (IEEE 802.11) [27] effectively. The conventional IP network solution for network monitoring and management is the Simple Network Management Protocol (SNMP). 6LoWPAN-SNMP [20] enables transmission of SNMP messages over IPv6-enabled low-power wireless personal area networks (6LoWPAN). 6LoWPAN-SNMP is an extended modification of the Simple Network Management Protocol (SNMP). Many experiments show that 6LoWPAN can be effectively supported with network management functionality based on SNMP.

4.2 IEEE 802.11

IEEE 802.11 is a set of physical layer standards for implementing wireless local area network (WLAN) [28] computer communication. This protocol uses an algorithm known as Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) [21] and RTS-CTS messaging [22] technology to reduce contention in the network.

Carrier Sense Multiple Access with Collision Avoidance

CSMA is the technology by which multiple nodes can transmit through a common channel. Before transmitting a signal, a node senses the channel. If the channel is sensed busy, the node defers the transmission for a specific amount of time, known as the Back off Interval, and then tries to sense the medium again. If the channel is sensed idle, the node sends the signal to the destination. On receiving the message, the receiver sends an acknowledgement to the sender. If the sender does not get any acknowledgement, it tries to send the message once again when it senses that the transmission channel is idle.

4.2.2 Request-To-Send (RTS) and Clear-To-Send (CTS)

The IEEE 802.11 protocol uses another method for communication: sending and receiving Request-To-Send (RTS) and Clear-To-Send (CTS) [22] messages between communicating hosts. The sender transmits RTS packets that contain all of the information regarding the size of the upcoming data frame and the amount of time that the channel will be occupied by the data frames. If the receiver is able to receive the packets, it sends CTS packets to the sender as well as to all the hosts, so that they record the estimated channel consumption time. The hosts that are not involved in the transmission then back off for the estimated amount of time, or until the channel becomes free again, before attempting to sense any traffic on the network medium.

Cisco has extended the base MIB with extensions that allow per-client events to be monitored. This extension is referred to as the AIRESPACE WIRELESS-MIB [23]. Using this MIB, we are not only able to obtain the statistics that are included in the standard MIB, but we are also able to acquire client-specific statistics such as the number of packets and bytes sent and received, and even the SNR and RSSI values as seen by the clients and Access Points respectively.

4.3 Role of SNMP in Wireless Monitoring

There is a standard IEEE SNMP MIB for monitoring wireless networks, IEEE802dot11-MIB. Table 5 [24] describes some of the OIDs used to monitor wireless networks.

| OID | OBJECT NAME | DESCRIPTION |
|---|---|---|
| | dot11TransmittedFragmentCount | This is an important parameter since different Internet backbone links have different MTUs. By tracking the fragmentation volume within the wireless network we can adjust the MTU in order to improve the payload of each transmitted frame. |
| | dot11MulticastTransmittedFrameCount | Some facilities implemented in protocols may become an issue if misused; one example is the DTIM (Delivery Traffic Indication Message). It is commonly referred to in some Access Points as DTIM Interval, with default value 100, and is used to inform stations in power-save mode to wake up to receive data. The lower this value, the more multicast traffic is generated. |
| | dot11FailedCount | This counter is incremented whenever an MSDU (MAC Service Data Unit) is not transmitted successfully due to the number of transmit attempts. This value should be as low as possible. |
| | dot11RetryCount | This counter is incremented whenever an MSDU (MAC Service Data Unit) is successfully transmitted after one or more retransmissions. It reflects the status of the radio link. |
| | dot11FrameDuplicateCount | This counter is incremented whenever a duplicated frame is received. The duplication condition is indicated by the sequence control field. Duplicated frames indicate a bad routing table scheme, which should be corrected. |
| | dot11RTSSuccessCount | This counter is incremented whenever a "Clear to Send" is received for each Request to Send sent. The RTS/CTS function is used to control station access to the medium and minimize collisions. The primary reason for implementing RTS/CTS is to minimize collisions among hidden stations. |
| | dot11RTSFailureCount | This counter is incremented whenever a Clear to Send is not received for each Request to Send sent. Higher values mean that the value set is too low or that the station on the other side is too busy. |
| | dot11ACKFailureCount | This counter is incremented whenever an expected ACK is not received. Bad link conditions cause this value to increase. |
| | dot11ReceivedFragmentCount | This counter shall be incremented for each successfully received MPDU (MAC Protocol Data Unit) of type Data or Management. |
| | dot11FCSErrorCount | This counter shall increment when an FCS error is detected in a received MPDU (MAC Protocol Data Unit). Noisy environments and bad or corroded connectors increase this count. |
| | dot11TransmittedFrameCount | This counter shall increment for each successfully transmitted MSDU. |
| | dot11CurrentTxPowerLevel | This counter shall be incremented for each successfully received MPDU (MAC Protocol Data Unit) of type Data or Management. |

Table 5 OID for Wireless Monitoring
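The performance management steps described earlier (gather data, establish a baseline, set thresholds) can be applied to the counters of Table 5 as follows; this is an added example, not code from the thesis. The choice of ratios and denominators, the four-interval baseline and the threshold rule (mean plus three standard deviations, with a minimum margin of 0.01) are assumptions of the example, and the sample polls are constructed.

```python
from statistics import mean, pstdev

COUNTER32_MOD = 2 ** 32  # the dot11 counters are 32-bit and wrap around
COUNTERS = ("dot11TransmittedFragmentCount", "dot11RetryCount", "dot11FailedCount",
            "dot11RTSSuccessCount", "dot11RTSFailureCount",
            "dot11ReceivedFragmentCount", "dot11FCSErrorCount")


def delta(prev, curr):
    """Increase between two Counter32 readings, tolerating one wrap-around.
    An agent restart resets the counters; a real poller should also watch
    sysUpTime or cold start traps and discard such an interval."""
    return (curr - prev) % COUNTER32_MOD


def _ratio(num, den):
    return num / den if den else 0.0


def interval_ratios(prev_poll, curr_poll):
    """Step 1: turn two consecutive polls into per-interval error ratios."""
    d = {n: delta(prev_poll[n], curr_poll[n]) for n in COUNTERS}
    tx = d["dot11TransmittedFragmentCount"]
    rts = d["dot11RTSSuccessCount"] + d["dot11RTSFailureCount"]
    rx_all = d["dot11ReceivedFragmentCount"] + d["dot11FCSErrorCount"]
    return {
        "retry": _ratio(d["dot11RetryCount"], tx),
        "failed": _ratio(d["dot11FailedCount"], tx),
        "rts_failure": _ratio(d["dot11RTSFailureCount"], rts),
        "fcs_error": _ratio(d["dot11FCSErrorCount"], rx_all),
    }


def thresholds(baseline, k=3.0, min_margin=0.01):
    """Steps 2 and 3: baseline mean per metric, plus a margin, gives the threshold."""
    limits = {}
    for metric in baseline[0]:
        values = [r[metric] for r in baseline]
        limits[metric] = mean(values) + max(k * pstdev(values), min_margin)
    return limits


def find_alerts(polls, baseline_intervals=4):
    """Return (interval_index, metric) for every ratio above its threshold."""
    ratios = [interval_ratios(a, b) for a, b in zip(polls, polls[1:])]
    limits = thresholds(ratios[:baseline_intervals])
    return [(i, metric)
            for i, r in enumerate(ratios) if i >= baseline_intervals
            for metric, value in r.items() if value > limits[metric]]


def build_polls(increments, start=COUNTER32_MOD - 15000):
    """Accumulate per-interval increments into cumulative readings that wrap."""
    polls = [dict.fromkeys(COUNTERS, start)]
    for row in increments:
        last = polls[-1]
        polls.append({n: (last[n] + inc) % COUNTER32_MOD
                      for n, inc in zip(COUNTERS, row)})
    return polls


# Constructed sample data: increments per polling interval, in COUNTERS order.
SAMPLE_INCREMENTS = [
    (10000, 500, 10, 900, 100, 9000, 90),    # intervals 0-3 form the baseline
    (12000, 720, 12, 950, 50, 10000, 100),
    (8000, 320, 8, 920, 80, 7000, 70),
    (10000, 500, 10, 930, 70, 9000, 90),
    (10000, 900, 10, 910, 90, 9000, 90),     # interval 4: more retransmissions
    (10000, 2500, 400, 600, 400, 9000, 900), # interval 5: degraded radio link
]
SAMPLE_POLLS = build_polls(SAMPLE_INCREMENTS)

if __name__ == "__main__":
    for interval, metric in find_alerts(SAMPLE_POLLS):
        print(f"interval {interval}: {metric} ratio above threshold")
```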

5 Experimental Setup

5.1 Aim

The aim of the experimental part of this thesis is to set up an SNMP monitoring system for network monitoring using the Simple Network Management Protocol (SNMP), through which it is possible to track the SNMP-enabled devices in a network and their configurations.

5.2 Prerequisites

| Elements | Description |
|---|---|
| JRE | It is a Java run time environment for running Java programs. |
| DynamicSNMP Manager | It is a Java language API that provides for the development of SNMP managers. |
| Eclipse editor (Version: 4.2.1) | It is a program editor in which Java programs can be run. |
| Java Package Used | Monfox, java.net, standard Java packages |
| Network devices | switch, LAN, modem, PCs, printers |
| MIB browser [14] | The MIB browser helps to detect the OIDs of all the objects of the PC where the program is running, for testing purposes. |
| Jar Files | Monfox precompiled JAR files are used: dsnmp-agent.jar, dsnmp-lic.jar, dsnmp-mgr.jar, dsnmp-mibs.jar, log4j.jar |
| Operating System | Windows XP, Windows 7 |

Table 6 Prerequisites for the experiment

5.3 LAN configuration

The experimental setup for the test bed consisted of a local area network as shown in Figure 20.

[Figure 20 Experimental setup. Labelled nodes: Monitoring Device (manager); PC (host with Unix, Windows) (agent); Switch, L2 device (agent); Router, L3 device (agent); Printer (agent); Router, L3 device (agent)]

5.4 Methodology

The devices were prepared by enabling SNMP services on them. First, one PC was selected to be the monitoring PC for all SNMP-enabled devices in the network. Then SNMP services were enabled on that PC. A Java program was written using the Monfox API; descriptions of the Java code modules are given in section 5.6. The Java program for the SNMP monitoring and discovery system was then tested. When this monitoring device was connected to a network, it was able to detect the other SNMP-enabled devices in that network, together with the installed software and its versions, the associated IP address and the device name.

5.5 Descriptions Component of DSNMP API

Figure 21 shows the hierarchy of the DSNMP API. The detailed descriptions are given below [25].

[Figure 21 Architecture of DSNMP API]


More information

SNMP Network Management Concepts

SNMP Network Management Concepts SNMP Network Management Concepts Chu-Sing Yang Department of Electrical Engineering National Cheng Kung University Outline Background Basic Concepts Summary The Origins of TCP/IP Starts at 1969, and founded

More information

Table of Contents. Cisco Fault Management of ONS 15454 Using Simple Network Management Protocol

Table of Contents. Cisco Fault Management of ONS 15454 Using Simple Network Management Protocol Table of Contents Fault Management of ONS 15454 Using Simple Network Management Protocol...1 Document ID: 5701...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...1 Conventions...1

More information

SNMP. Overview. LabTech

SNMP. Overview. LabTech SNMP SNMP 1 Overview... 1 SNMP Versions... 1 Understanding MIBs... 2 MIB Object Definitions... 3 SNMP Walking... 3 SNMP Traps... 4 Adding Trap Filters... 4 Sample Trap Creation... 7 SNMP Traps Received...

More information

Cisco CMTS Router MIB Overview

Cisco CMTS Router MIB Overview CHAPTER 1 This chapter provides an overview of the Cisco Cable Modem Termination System (CMTS) router. This chapter contains the following topics: MIB Description, page 1-1 Benefits of MIB Enhancements,

More information

(Refer Slide Time: 02:17)

(Refer Slide Time: 02:17) Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #06 IP Subnetting and Addressing (Not audible: (00:46)) Now,

More information

8 Tutorial: Using ASN.1

8 Tutorial: Using ASN.1 8 Tutorial: Using ASN.1 Data Types This tutorial describes how to use ASN.1 types and values in the SDL suite. You will learn how to import and use ASN.1 modules in your SDL diagrams, how to generate code

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Simple Network Management Protocol (SNMP) version 3.4

Simple Network Management Protocol (SNMP) version 3.4 Simple Network Management Protocol (SNMP) version 3.4 Typeset in L A TEX from SGML source using the DOCBUILDER 3.3.2 Document System. Contents 1 SNMP User's Guide 1 1.1 SNMP Introduction......................................

More information

Networking Test 4 Study Guide

Networking Test 4 Study Guide Networking Test 4 Study Guide True/False Indicate whether the statement is true or false. 1. IPX/SPX is considered the protocol suite of the Internet, and it is the most widely used protocol suite in LANs.

More information

Table Of Contents. Loading MIBs...34 Unloading MIBs...36 Parsing MIBs...37

Table Of Contents. Loading MIBs...34 Unloading MIBs...36 Parsing MIBs...37 Table Of Contents ADVENTNET SNMP API.NET EDITION 4.0 PRODUCT DOCUMENTATION... 4 QUICK TOUR... 5 About AdventNet SNMP API... 6 AdventNet SNMP API Experience... 7 Related Products... 10 Contact Customer

More information

How To Understand Network Performance Monitoring And Performance Monitoring Tools

How To Understand Network Performance Monitoring And Performance Monitoring Tools http://www.cse.wustl.edu/~jain/cse567-06/ftp/net_traffic_monitors2/ind... 1 of 11 SNMP and Beyond: A Survey of Network Performance Monitoring Tools Paul Moceri, paul.moceri@gmail.com Abstract The growing

More information

Table of Contents. Overview...2. System Requirements...3. Hardware...3. Software...3. Loading and Unloading MIB's...3. Settings...

Table of Contents. Overview...2. System Requirements...3. Hardware...3. Software...3. Loading and Unloading MIB's...3. Settings... Table of Contents Overview...2 System Requirements...3 Hardware...3 Software...3 Loading and Unloading MIB's...3 Settings...3 SNMP Operations...4 Multi-Varbind Request...5 Trap Browser...6 Trap Parser...6

More information

PANDORA FMS NETWORK DEVICE MONITORING

PANDORA FMS NETWORK DEVICE MONITORING NETWORK DEVICE MONITORING pag. 2 INTRODUCTION This document aims to explain how Pandora FMS is able to monitor all network devices available on the marke such as Routers, Switches, Modems, Access points,

More information

CSE 3461 / 5461: Computer Networking & Internet Technologies

CSE 3461 / 5461: Computer Networking & Internet Technologies Autumn Semester 2014 CSE 3461 / 5461: Computer Networking & Internet Technologies Instructor: Prof. Kannan Srinivasan 08/28/2014 Announcement Drop before Friday evening! k. srinivasan Presentation A 2

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) Slide Number 1 CONTENTS INTRODUCTION NETWORK MANAGEMENT MODEL SNMP ARCHITECTURE MANAGEMENT GOALS AND SNMP SNMP PRODUCTS CONCLUSION and RECOMMENDATIONS Slide Number

More information

Network Management - SNMP

Network Management - SNMP Network Management - SNMP Simple Network Management Protocol Networks are indispensable More complexity makes failure more likely Require automatic network management tools Standards required to allow

More information

Chapter 12: Network Management

Chapter 12: Network Management Chapter 12: Network Management Jian Ren and Tongtong Li, Michigan State University Introduction 2 OSI Network Management Model.. 3 Network Management Layers.... 4 ISO Network Management Functions 6 Configuration

More information

SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865

SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865 SNMP SECURITY A CLOSER LOOK JEFFERY E. HAMMONDS EAST CAROLINA UNIVERSITY ICTN 6865 NOVEMBER 25, 2013 SNMP SECURITY 2 ABSTRACT As a Network Monitoring System Administrator I have gained a substantial amount

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

PANDORA FMS NETWORK DEVICES MONITORING

PANDORA FMS NETWORK DEVICES MONITORING NETWORK DEVICES MONITORING pag. 2 INTRODUCTION This document aims to explain how Pandora FMS can monitor all the network devices available in the market, like Routers, Switches, Modems, Access points,

More information

PA160: Net-Centric Computing II. Network Management

PA160: Net-Centric Computing II. Network Management PA160: Net-Centric Computing II. Network Management Luděk Matyska Slides by: Tomáš Rebok Faculty of Informatics Masaryk University Spring 2015 Luděk Matyska (FI MU) 3. Network Management Spring 2015 1

More information

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative

Network Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative Network Monitoring By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative Overview of network Logical network view Goals of Network Monitoring Determine overall health

More information

SNMP. 13.1 SNMP Overview CHAPTER

SNMP. 13.1 SNMP Overview CHAPTER 13 CHAPTER SNMP This chapter explains Simple Network Management Protocol (SNMP) as implemented by the Cisco ONS 15600. For SNMP setup information, refer to the Cisco ONS 15600 Procedure Guide. Chapter

More information

BEA WebLogic Server. and BEA WebLogic Express. SNMP Management Guide

BEA WebLogic Server. and BEA WebLogic Express. SNMP Management Guide BEA WebLogic Server and BEA WebLogic Express SNMP Management Guide BEA WebLogic Server Version 6.1 Document Date: December 19, 2001 Copyright Copyright 2001 BEA Systems, Inc. All Rights Reserved. Restricted

More information

SNMPV3: A SECURITY ENHANCEMENT FOR SNMP

SNMPV3: A SECURITY ENHANCEMENT FOR SNMP www.comsoc.org/pubs/surveys IEEE COMMUNICATIONS SURVEYS SNMPV3: A SECURITY ENHANCEMENT FOR SNMP WILLIAM STALLINGS ABSTRACT Simple Network Management Protocol (SNMP) is the most widely-used network management

More information

SNMP Protocol for Easy Network Management

SNMP Protocol for Easy Network Management ACTi Knowledge Base Category: Educational Note Sub-category: Application Model: ACM Series TCM Series ACD-2100 TCD-2100 TCD-2500 Firmware: Software: N/A Author: Wells.Wei Published: 2010/10/22 Reviewed:

More information

SNMP COMMAND SNMP SNMP [HELP] [COMMUNITY SYSCONTACT SYSLOCATION SYSNAME SYSOBJECID/OID TRAPS LIST]

SNMP COMMAND SNMP SNMP [HELP] [COMMUNITY SYSCONTACT SYSLOCATION SYSNAME SYSOBJECID/OID TRAPS LIST] 1996 Lundy Ave, San Jose, CA 95131, USA Phone: 408.519.2062 Fax: 408.519.2063 www.anacominc.com SNMP (Rev 78) SNMP COMMAND This command serves to list all SNMP configuration parameters, but it can also

More information

SNMP Diagnostics. Albert Kagarmanov, Matthias Clausen (DESY)

SNMP Diagnostics. Albert Kagarmanov, Matthias Clausen (DESY) SNMP Diagnostics Albert Kagarmanov, Matthias Clausen (DESY) Content: What is SNMP? SNMP device support and soft IOC EPICS-SNMP for workstations EPICS-SNMP for switches/routers Conclusion Archamps-2005

More information