Understanding and Optimizing SNMP Management with CA eHealth PM & CA Spectrum IM. Dave Soares and Mike Taldo


Terms of This Presentation
This presentation was based on current information and resource allocations as of October 2009 and is subject to change or withdrawal by CA at any time without notice. Notwithstanding anything in this presentation to the contrary, this presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA's sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA will make such release available (i) for sale to new licensees of such product; and (ii) to existing licensees of such product on a when and if-available basis as part of CA maintenance and support, and in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis. In the event of a conflict between the terms of this paragraph and any other information contained in this presentation, the terms of this paragraph shall govern.
August 12, 2009. Copyright 2009 CA

For Informational Purposes Only
Certain information in this presentation may outline CA's general product direction. All information in this presentation is for your informational purposes only and may not be incorporated into any contract. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Abstract
> Review the numerous updates that have been made to CA eHealth PM in polling, discovery, SNMP and SDM.
> This session will discuss their added value and the changes in configuration and administration. The focus will be on CA eHealth, but we will also cover using CA eHealth PM and CA Spectrum IM together.
> Examples will include sharing an SDC, passing SNMP credentials from CA Spectrum IM to CA eHealth PM through Synchronized Discovery, and understanding differences in SNMP community string character support.

Agenda
> SNMP History
> SNMP Challenges
  - Security
  - Scalability
  - Unreliable message delivery
  - Configuration of trap destinations
  - Firewalls
  - Private/overlapping IP ranges
> SDM

SNMP
> SNMP has been the de facto standard network management protocol for 20+ years: 3 versions, many RFCs
> SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration
> Variables can be queried or set by managing applications such as CA Spectrum and CA eHealth. Examples: free memory, system name, number of running processes, etc.
> SNMP uses UDP as its transport layer
> SNMP is the primary data acquisition protocol for eHealth and Spectrum

SNMP v2 and v3
> SNMPv2 was introduced in 1993 in RFC 1441 and 1452
  - Includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications
  - It introduced GETBULK, an alternative to iterative GETNEXTs for retrieving large amounts of management data in a single request
  - However, the new party-based security system in SNMPv2, viewed by many as overly complex, was not widely accepted
> SNMPv2c, the Community Edition, in RFC 1901 and 1908 (1996): included everything but the security model
> SNMPv2u, the User-Based Edition, in RFC 1909 and 1910: formed the basis for SNMPv3
> SNMPv3, defined in RFC 3411 and 3418 and a standard in 2003: authentication, privacy and access control

MIBs
> SNMP uses MIBs (Management Information Base) as its primary data objects
> Managed objects are made up of one or more object instances (identified by their OIDs), which are essentially variables
> Example of a MIB object:

    sysDescr OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (0..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A textual description of the entity. This value should include
             the full name and version identification of the system's
             hardware type, software operating-system, and networking
             software."
        ::= { system 1 }

> iso.org.dod.internet.mgmt.mib-2.system.sysDescr
> 1.3.6.1.2.1.1.1 DisplayString: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(37)SE, RELEASE SOFTWARE (fc2) Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 10-May-07 16:43 by antonino

SNMP Questions
> SNMP, while not the only protocol, underpins the core of Spectrum and eHealth
> Is anyone not using SNMP, or does anyone have plans to move away from SNMP?
> Is anyone still using SNMPv1?
> Has anyone adopted SNMPv2c? SNMPv3?
> We are seeing a large adoption of SNMPv2c and SNMPv3
> Does anyone use SNMP to manage agents over IPv6? What versions of SNMP?

What are the largest challenges with SNMP?
> Security
  - Credentials
  - Fuzzing
  - Service interruptions
  - Denial of service attacks
  - Unauthorized access
> Scalability
> Unreliable message delivery
> Configuration of trap destinations
> Firewalls
> Private/overlapping IP ranges

Security Challenge
> Pushing and managing security credentials
  - How do you distribute, update and coordinate them? This is the biggest inhibitor to adoption
  - Secret key cryptography is used by SNMPv3: user, proxy password, and proxy priv password
  - If each agent has unique credentials, the manager has to store as many credentials as there are nodes. Setup and changing of keys for all agents needs to be done manually.
  - If you use shared credentials, it lowers the security: one key is used for all agents, so compromising the key compromises the entire managed network.
> Coordinate security management with the folks managing the network

Security Challenge
> Fuzzing
  - Since the shared secret is not hidden, an attacker can monitor the SNMP traffic to determine network topology and harvest those shared secrets
  - Among hackers this is called fuzzing; among security professionals, this is packet sniffing
  - Armed with topology data and shared secrets, like configuration information, the hacker is well informed to plan an attack and choose targets
  - Internal vs. external threat
> To prevent fuzzing, Spectrum and eHealth support SNMPv3

Security Challenge
> Service interruptions
  - Vulnerabilities in decoding and processing SNMP messages (whether a trap or a request) in various software products are exploited by the Badly Formed SNMP Trap Attack.
  - The impact of this attack is to blind the NMS (prevent it from receiving more traps by causing it to crash) or blind the agent (making it unable to be queried by causing it to crash). The ability of the NMS to continue to manage is degraded at best or disabled at worst.
  - From within a DMZ, an attacker can reach the NMS in the secure network when holes in the firewall are open to allow SNMP traffic or SNMP traps through directly.
> With a unified SNMP processing core, Spectrum and eHealth drop malformed SNMP packets

Security Challenge
> Denial of service
  - The denial-of-service attack disables NMS/agents by sending them more SNMP traffic than the NMS/agent can process, or by sending malformed SNMP packets to crash the manager/agent.
  - Better still, use an IPS
> Unauthorized privileged access
  - Typically exposed via buffer overflow
  - This can enable malware to execute immediately in a privileged state, or it may enable another process running on the host to switch to an elevated privileged state
  - To mitigate this threat, use a management protocol proxy firewall which verifies SNMP traffic to ensure it is authentic and valid, and mitigates SNMP-based attacks
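The "drop malformed SNMP packets" behaviour these two slides attribute to the unified SNMP processing core, shown as an added example that is not CA's code: a strict BER decoder for the community-based (v1/v2c) SNMP message header that bounds-checks every length field and returns None (drop) for truncated or forged datagrams. The sample trap is constructed here (not captured traffic) and carries the sysDescr object from the MIB slide; `read_tlv`, `parse_snmp_header` and `tlv` are names chosen for this example.

```python
# Added example, not CA product code: a strict BER decoder for the header of a
# community-based SNMP (v1/v2c) message. Every length field is bounds-checked,
# so a truncated or forged datagram is dropped instead of crashing the receiver.
from typing import Optional

PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
            0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
            0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c"}  # SNMPv3 has a different header and is rejected here

class Malformed(ValueError): pass  # any encoding the decoder refuses to process

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos -> (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise Malformed("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                           # short-form length
        length = first
    else:                                      # long form: low 7 bits = octet count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise Malformed("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):                # the check a naive decoder omits
        raise Malformed("length runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram: bytes) -> Optional[dict]:
    """Return version, community and PDU type, or None for a malformed message."""
    try:
        tag, body, end = read_tlv(datagram, 0)
        if tag != 0x30 or end != len(datagram):
            raise Malformed("outer SEQUENCE missing or trailing bytes")
        tag, ver, pos = read_tlv(body, 0)
        if tag != 0x02 or not 1 <= len(ver) <= 4:
            raise Malformed("version INTEGER")
        version = int.from_bytes(ver, "big", signed=True)
        if version not in VERSIONS:
            raise Malformed("unsupported version")
        tag, community, pos = read_tlv(body, pos)
        if tag != 0x04:
            raise Malformed("community OCTET STRING")
        tag, _, pos = read_tlv(body, pos)
        if tag not in PDU_TAGS or pos != len(body):
            raise Malformed("PDU")
        return {"version": VERSIONS[version], "pdu": PDU_TAGS[tag],
                "community": community.decode("ascii", "replace")}
    except Malformed:
        return None  # the drop decision; a real NMS would also count and log it

def tlv(tag: int, content: bytes) -> bytes:
    """Minimal BER encoder (short-form lengths only) used to build the samples."""
    return bytes([tag, len(content)]) + content

# Constructed SNMPv2-Trap carrying sysDescr.0 (1.3.6.1.2.1.1.1.0); not real traffic.
SYSDESCR_OID = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])  # 1.3 packs into the single octet 0x2B
_varbind = tlv(0x30, tlv(0x06, SYSDESCR_OID) + tlv(0x04, b"C2960 Software"))
_pdu = tlv(0xA7, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, _varbind))
VALID_TRAP = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + _pdu)
TRUNCATED_TRAP = VALID_TRAP[:20]                        # datagram cut off mid-PDU
BAD_LENGTH_TRAP = bytes([0x30, 0x7F]) + VALID_TRAP[2:]  # outer length forged to 127
```

The same bounds check applies to every nested TLV, so a forged length inside the varbind list is caught the same way as the forged outer length shown.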

Scalability Challenge
> Scalability refers to the number of agents that can be managed by a single management system. Networks have grown exponentially since the early days of SNMP
> Efficiency: how quickly and effectively a system performs operations such as the delivery and processing of data
  - SNMP is not considered efficient when querying bulky data
  - Security comes at the price of efficiency: authentication of the community string or user credentials and data encryption occurs for every SNMP packet
> Spectrum and eHealth have an efficient multi-threaded core and specialize in processing SNMP packets. eHealth and Spectrum retrieve information through the GET, GETNEXT and GETBULK protocol operations, or the agent sends data without being asked using the TRAP or INFORM protocol operations.

Unreliable Message Delivery Challenges
> Nature of UDP as a transport layer: unreliable, connectionless protocol; out-of-order packet delivery; no acknowledgment
> Impact: traps are not guaranteed to be received by the NMS; request retries and increased latency; duplicate traps sent by the agent
> How do eHealth and SPECTRUM address this? The applications implement reliability mechanisms such as trap buffering, and intelligence to detect duplicate traps.

Other Challenges
> Trap destinations
> Firewalls present their own challenge to the management of networks: we use them to keep intruders out, but have to make holes in them to manage remote or secure networks
> Private/overlapping IP ranges: managing overlapping IP addresses, especially important for MSPs, is a growing concern among customers

To work around some of the challenges
> Proxy: used in several forms, but primarily for the following reasons
  - To forward the SNMP request from the management application to the device, sometimes over a different protocol
  - Support for aggregated managed objects, where the value of one managed object instance depends upon the values of multiple other (remote) items of management information
> Trap Exploder: to multiplex SNMP traps to multiple applications
  - No longer required for eHealth
  - A shim for network admins that offers flexibility and control, altering the path of specific network management traffic

More workarounds
> Use of NAT allows MSPs to manage domains with overlapping IP addresses
  - If all managed devices have a unique NAT IP address, then SPECTRUM can manage them directly without SDM
  - If some or all of the managed devices have duplicate NAT IP addresses in different NAT zones, then eHealth and SPECTRUM can manage them with SDM
> Source-based routing
  - Does anyone use or plan to use source-based routing?
  - Shows some promise, but requires the admin to set routing behavior
  - We are looking to provide support for this in the future

Why are we still using SNMP?
> Simple
> Interoperable
> Widely supported by both manager and agent communities
> Standard, non-proprietary protocol to simultaneously manage devices from different vendors with a single management system
> The type of data acquired can be anything from the physical layer up to the application layer; protocol analyzers cannot gather all of these

Spectrum and eHealth Objectives
> Native SNMP v1/v2c/v3 support: native stack, remove proxy
> Integration: SNMP config flow
> Secure tunneling
> Better and more integrated overlapping IP management: SDM
> Unified solution for managing remote domains: eHealth and SPECTRUM can use a common SDC for managing a remote domain
> Lower admin burden

Secure Domain Manager for CA Spectrum and CA eHealth
April 2009, eHealth Scale Architecture Overview. Copyright 2009 CA

Secure Domain Manager
> Who might want to use SDM
  - Managed service providers (MSPs)
  - Hotspot (Wi-Fi) access providers
  - Enterprise managers
> When do you use SDM/SDC
  - Managing network elements in overlapping (or private) IP domains (NAT environments)
  - Managing network elements behind firewalls configured to block SNMP and ICMP traffic
  - Managing network elements across insecure network domains

Basic Structure (diagram): Secure Network, SDM, Firewall, SDC

Secure Domain Connector
> The SDC is a lightweight application that installs on designated machines within the secure domain.
> The SDC is installed as a service or daemon in the secure domain, which reduces the maintenance time if the SDC platform should experience downtime. The service can be managed by the OS: auto-started, restarted, etc.
> The SDC will collect requests should the SDM go down and forward them to a designated backup when it comes online
> Failover from primary to backup SpectroServer or eHealth server

Integrated Deployment (diagram)

How do you make the decision on using Remote Poller or SDM?
> Test and use SDM/SDC as the first choice; pay particular attention to bandwidth
> Use Remote Poller for:
  - Large distributed managed networks approaching the high end of eHealth managed network elements
  - When you want eHealth to process v1 and v2c traps
> Use SDM/SDC for:
  - Lightweight administration
  - Lower cost
  - End-to-end polling
  - Scales with Spectrum; small to medium networks for eHealth

Benefits of SDM/SDC
> To help with performance
  - No lag in polling Live Health
  - SDM/SDC scales with the SpectroServer; eHealth performance in terms of elements is TBD
> To help with administration
  - Lower administrative overhead
  - eHealth and Spectrum can share an SDC
  - Optionally deployed with the Remote Poller
> To help manage diverse geographical networks
  - Supports overlapping IPs
> To help manage more securely
  - Directional communication initialization
  - FIPS 140-2 compliance

Issues
> Integration issues: working on consistency between the products
  - Example: community strings and credential passing
  - Faster support with common code

Questions?