
Chapter 5

Network Management Security
Basic Concepts of SNMP
• SNMP is an Application Layer (Layer 7) protocol that carries management
  information between network devices over UDP: agents listen on port 161,
  and managers receive traps and informs on port 162.
• An SNMP-managed network consists of a management system (NMS), agents,
  and managed devices.

• The management system (NMS)
  – executes monitoring applications and controls managed devices
  – executes most of the management processes and provides the bulk of the
    memory resources used for network management
  – A network might be managed by one or more management systems.
• SNMP agent
  – resides on each managed device and translates local management
    information (performance data, event and error information caught in
    software traps) stored in the device's management database into a form
    the management system, also referred to as the Network Management
    Station (NMS), can read
  – answers the get-requests of the NMS, which transport the data to the
    network management software
  – captures data from Management Information Bases (MIBs), which are
    repositories of device parameters and network data, or from error or
    change traps
• A managed element, such as a router, a switch, a computer, or a firewall
  – is accessed via its SNMP agent
  – collects and stores management information, making it available through
    SNMP to any management system speaking a compatible version of the
    protocol
Protocol context of SNMP
(figure only; not reproduced)

Proxy Configuration
(figure only; not reproduced)
• When using SNMP, managed devices are monitored and controlled using three
  common SNMP operations: read, write, and trap.
  – The read command is used by an NMS to monitor managed devices.
  – The write command is used by an NMS to control managed devices. Using
    this command, the NMS can change the values of variables stored within
    managed devices.
  – The trap command is used by managed devices to report events to the
    NMS. SNMP traps are simply messages that alert the SNMP manager of a
    condition on the network, e.g. an interface transitioning from the up
    state to the down state.
  – The primary issue with SNMP traps is that they are unacknowledged: the
    sending device cannot determine whether the trap was received by the
    NMS.
• SNMP informs are SNMP notifications that include a confirmation of
  receipt from the SNMP manager.
  – These messages can be used to indicate failed authentication attempts
    or the loss of a connection to a neighbor router.
  – If the manager does not receive an inform request, it does not send a
    response. If the sender never receives a response, it can resend the
    inform request (after a timeout, up to a configured number of retries).
• Devices can be configured to send SNMP traps or informs to an NMS:

R2#config t
! community strings for polling (SNMPv1/v2c): read-only and read-write
R2(config)#snmp-server community unsafe RO
R2(config)#snmp-server community safe RW
! send rtr and syslog traps to the NMS at 1.1.1.1, tagged with the
! community string readonlypassword
R2(config)#snmp-server host 1.1.1.1 traps readonlypassword rtr syslog

• The snmp-server host [hostname | address] command specifies the hostname
  or IP address of the NMS; the keyword traps or informs selects the
  notification type, followed by the community string and the notification
  categories to send.
• To allow the NMS to poll the local device, SNMPv1 and SNMPv2c require
  that a community string be specified for either read-only or read-write
  access using snmp-server community <name> [ro | rw].
• The community string is the only credential in SNMPv1/v2c and travels in
  cleartext in every message, so a read-write string such as "safe" gives
  anyone who can sniff or guess it full write access to the device. Restrict
  each community to the NMS addresses with a standard access list
  (snmp-server community <name> rw <acl-number>) and prefer SNMPv3 where
  the devices support it.
SNMP v1 and v2
• SNMPv1
  – Trap: an unsolicited message (reporting an alarm condition)
  – operates over protocols such as the User Datagram Protocol (UDP),
    Internet Protocol (IP), and the OSI Connectionless Network Service
    (CLNS)
• SNMPv2
  – improvements in the areas of performance, security, confidentiality,
    and manager-to-manager communications
  – allows the use of TCP
  – defines two new operations: GetBulk and Inform (the GetBulk operation
    is used to retrieve large blocks of data efficiently)
Comparison of SNMPv1 and SNMPv2

SNMPv1 PDU      SNMPv2 PDU      Direction                        Description
GetRequest      GetRequest      Manager to agent                 Request value for each listed object
GetNextRequest  GetNextRequest  Manager to agent                 Request next value for each listed object
------          GetBulkRequest  Manager to agent                 Request multiple values
SetRequest      SetRequest      Manager to agent                 Set value for each listed object
------          InformRequest   Manager to manager               Transmit unsolicited information
GetResponse     Response        Agent to manager, or manager     Respond to manager request
                                to manager (SNMPv2)
Trap            SNMPv2-Trap     Agent to manager                 Transmit unsolicited information

Henric Johnson
SNMPv1 Community Facility
• SNMP community: a relationship between an SNMP agent and a set of SNMP
  managers, named by the community string.
• Three aspects of agent control:
  – Authentication service (the community string is the only credential,
    and it is sent in cleartext)
  – Access policy (which MIB objects the community may read or write)
  – Proxy service (an agent acting on behalf of devices that do not speak
    SNMP)
SNMPv1 Administrative Concepts
(figure only; not reproduced)
SNMPv3
• SNMPv3 defines a security capability to be used in conjunction with
  SNMPv1 or SNMPv2: it keeps their protocol operations and adds a security
  and administration framework (USM and VACM) around them.
• Introduces three additional security services: message integrity,
  authentication, and encryption (confidentiality).
SNMPv3 Message Format with USM
(figure only; not reproduced)
User Security Model (USM)
• Designed to secure against:
  – Modification of information (message integrity: an HMAC over the whole
    message)
  – Masquerade (authentication: the same HMAC, keyed with a key derived from
    the user's password and localized to the agent's engine ID)
  – Message stream modification (replay, delay, reordering: limited by the
    engine boots/time timeliness check)
  – Disclosure (encryption of the scoped PDU)
• Not intended to secure against:
  – Denial of Service (DoS attack)
  – Traffic analysis
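The USM mechanisms behind the four protections above, as an added example that is not from the slides: RFC 3414's password-to-key stretching, key localization to the agent's snmpEngineID, HMAC-96 authentication computed with the authentication-parameters field zeroed, and the boots/time timeliness window. The key-derivation functions reproduce the RFC 3414 Appendix A algorithm (and its "maplesyrup" test vectors); the message layout in demo() is a constructed placeholder with a 12-byte authentication field at a fixed offset, not a real BER-encoded SNMPv3 header, and the function names are this example's own.

```python
"""SNMPv3 USM authentication building blocks (example code, not from the slides):
RFC 3414 password-to-key, key localization, HMAC-96 and the timeliness check."""
import hashlib
import hmac

ONE_MIB = 1_048_576        # RFC 3414 A.2: the password is stretched over 1 MiB of input
TIME_WINDOW = 150          # RFC 3414 3.2 step 7: tolerated engine-time difference, seconds
MAX_BOOTS = 2_147_483_647  # an engine whose boot counter has hit this value is unusable


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Ku: digest of the password repeated until exactly 1 MiB has been hashed.
    The work factor slows offline guessing; it does not rescue a short password."""
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). Every agent gets a different key, so a
    key dumped from one agent does not let an attacker impersonate the user elsewhere."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, msg: bytes, offset: int, algo: str = "sha1") -> bytes:
    """HMAC-96: MAC over the whole message with the 12-byte msgAuthenticationParameters
    field (at `offset`) set to zero, truncated to its first 12 bytes."""
    zeroed = msg[:offset] + b"\x00" * 12 + msg[offset + 12:]
    return hmac.new(kul, zeroed, algo).digest()[:12]


def sign(kul: bytes, msg: bytes, offset: int, algo: str = "sha1") -> bytes:
    """Return the message with its authentication parameters filled in."""
    return msg[:offset] + auth_parameter(kul, msg, offset, algo) + msg[offset + 12:]


def verify(kul: bytes, msg: bytes, offset: int, algo: str = "sha1") -> bool:
    """Constant-time check; any modified bit or wrong key (masquerade) fails here."""
    return hmac.compare_digest(msg[offset:offset + 12], auth_parameter(kul, msg, offset, algo))


def is_timely(local_boots: int, local_time: int, msg_boots: int, msg_time: int) -> bool:
    """Authoritative engine's timeliness check: same boot count and within +/-150 s.
    This is what bounds replay and delay (message stream modification); it is not
    a defence against DoS, which USM explicitly does not address."""
    return (local_boots != MAX_BOOTS and msg_boots == local_boots
            and abs(local_time - msg_time) <= TIME_WINDOW)


# Constructed message layout: placeholder header, 12 zero bytes where the
# msgAuthenticationParameters OCTET STRING would sit, then the scoped PDU.
HEADER = b"\x30\x2a\x02\x01\x03placeholder-header"  # not a real BER-encoded SNMPv3 header
AUTH_OFFSET = len(HEADER)
PAYLOAD = b"scopedPDU:GetRequest sysDescr.0"       # constructed stand-in for the scoped PDU
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # engine ID used in RFC 3414 A.3


def demo(engine_id: bytes = RFC_ENGINE_ID) -> dict:
    """Sign one message for the RFC 3414 test engine and show tampering is detected."""
    kul = localize_key(password_to_key(b"maplesyrup"), engine_id)
    signed = sign(kul, HEADER + b"\x00" * 12 + PAYLOAD, AUTH_OFFSET)
    tampered = signed.replace(b"GetRequest", b"SetRequest")  # same length, one field changed
    return {"kul": kul.hex(), "verifies": verify(kul, signed, AUTH_OFFSET),
            "tampered_verifies": verify(kul, tampered, AUTH_OFFSET)}
```

demo() returns the SHA-1 localized key 6695febc9288e36282235fc7151f128497b38f3f for the RFC's maplesyrup/engine-02 vector, verifies=True for the signed message and tampered_verifies=False once the PDU type is flipped. Note what localization buys: the same password gives a different Kul on every engine, so a key recovered from one agent's configuration is useless against the others, while a weak password is still weak everywhere.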
View-Based Access Control Model (VACM)
• VACM has two characteristics:
  – It determines whether access to a managed object in the local MIB by a
    remote principal should be allowed.
  – It makes use of a MIB that:
    • defines the access control policy for this agent, and
    • makes it possible for remote configuration to be used.
Access control decision
(figure only; not reproduced)
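A simplified version of the VACM isAccessAllowed decision, as an added example that is not the slides' code: the security name maps to a group, the group and security level select an access entry, the entry names a view per operation, and the most specific view family containing the OID decides. The three tables are constructed for the example (users ops and admin, groups readers and admins, the view names), masks are written as "0"/"1" strings instead of the bit-string OCTET STRING of vacmViewTreeFamilyMask, and the status strings follow RFC 3415.

```python
"""Simplified VACM (RFC 3415) access control decision, as example code (not from the slides).
The three tables are constructed for the example; a real agent fills them from
vacmSecurityToGroupTable, vacmAccessTable and vacmViewTreeFamilyTable."""
USM = 3  # securityModel value for the User-based Security Model
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {(USM, "ops"): "readers", (USM, "admin"): "admins"}

# vacmAccessTable: (groupName, securityModel, minimum securityLevel) -> view per operation
ACCESS = {
    ("readers", USM, "authNoPriv"): {"read": "sysonly", "write": "", "notify": "sysonly"},
    ("admins", USM, "authPriv"):    {"read": "all", "write": "all_but_usm", "notify": "all"},
}

# vacmViewTreeFamilyTable: viewName -> (subtree, mask, included?) families.
# A "0" in the mask makes that arc a wildcard (used for per-row views on tables).
VIEWS = {
    "sysonly":     [("1.3.6.1.2.1.1", "", True)],
    "all":         [("1", "", True)],
    "all_but_usm": [("1", "", True), ("1.3.6.1.6.3.15", "", False)],  # usmMIB not writable
}


def _arcs(oid: str):
    return [int(a) for a in oid.strip(".").split(".")]


def _subtree_matches(subtree: str, mask: str, oid: str) -> bool:
    """OID is under the family subtree; arcs whose mask bit is 0 match anything."""
    sub, target = _arcs(subtree), _arcs(oid)
    if len(target) < len(sub):
        return False
    for i, arc in enumerate(sub):
        wildcard = i < len(mask) and mask[i] == "0"
        if not wildcard and target[i] != arc:
            return False
    return True


def in_view(view_name: str, oid: str) -> bool:
    """RFC 3415 4.2.5: the most specific matching family (longest subtree) decides."""
    best = None
    for subtree, mask, included in VIEWS.get(view_name, []):
        if _subtree_matches(subtree, mask, oid):
            if best is None or len(_arcs(subtree)) > len(_arcs(best[0])):
                best = (subtree, included)
    return best is not None and best[1]


def is_access_allowed(security_model: int, security_name: str, security_level: str,
                      view_type: str, oid: str) -> str:
    """Reference-monitor style check run by the agent; returns an RFC 3415 status."""
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    # Entries for this group whose minimum level the message meets; take the strictest.
    candidates = [(LEVELS[lvl], views) for (g, model, lvl), views in ACCESS.items()
                  if g == group and model == security_model
                  and LEVELS[lvl] <= LEVELS[security_level]]
    if not candidates:
        return "noAccessEntry"
    _, views = max(candidates, key=lambda c: c[0])
    view_name = views[view_type]
    if view_name == "":
        return "noSuchView"
    return "accessAllowed" if in_view(view_name, oid) else "notInView"
```

With these tables, ops can read sysDescr.0 at authNoPriv but gets noSuchView on any write and notInView on ifTable, an ops request at noAuthNoPriv gets noAccessEntry because the group requires authentication, and admin can write sysName.0 only at authPriv and never inside the usmMIB subtree even though it may read it. The exclusion family winning over the broad include is the longest-subtree rule at work.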
Operating System Security
• refers to providing a protection system for computer system resources
  such as the CPU, memory, disks, software programs and, most importantly,
  the data/information stored in the computer system
• A computer system must be protected against unauthorized access,
  malicious access to system memory, viruses, worms, etc.
• Protection vs. Security
  – Protection refers to a mechanism for controlling the access of
    programs, processes or users to resources
    • prevents the mischievous, intentional violation of an access
      restriction
    • ensures that each program component uses system resources only in
      ways consistent with system policies
    • protection is strictly an internal problem
    • distinguishes between authorized and unauthorized use
  – Security is a measure of confidence that the integrity of a system and
    its data will be preserved
    • also requires consideration of the external environment within which
      the system operates
• Layers of a computer system (figure only; not reproduced)
• Where should the security of the system be placed?
• The security of a layer can normally be compromised by attacks from
  lower layers!
Security Problems
• Security violations can be categorized as intentional or accidental
• It is easier to protect against accidental security violations
• Protection methods mostly consider accidental security violations
• A threat is the potential for a security violation
• An attack is the attempt to break security
• Breach of confidentiality: unauthorized reading of data. Goal of the
  intruder: capture secret data
• Breach of integrity: unauthorized modification of data, e.g. modification
  of source code
• Breach of availability: unauthorized destruction of data
• Theft of service: unauthorized use of resources, e.g. an intruder may
  install a daemon that acts as a file server
• Denial of service: preventing legitimate use of the system
Methods to break security
• Masquerading: one participant in a communication pretends to be someone
  else (another host or another user)
• Replay attack: a captured, valid message is retransmitted later to repeat
  its effect, often combined with modification of the message
• Man-in-the-middle attack: the attacker sits in the data flow of a
  communication, masquerading as the sender to the receiver and vice versa
To protect a system, we must take security measures at four levels, each a
separate line of defense:
• Physical
• Human
• Operating system
• Network

Physical
• The site containing the computer system must be physically secured
  against armed or surreptitious entry by intruders
Human
• Authorization must be done carefully to assure that only appropriate
  users have access to the system. Users may also be tricked into giving
  away access rights (e.g. phishing, social engineering)
Operating system
• The system must protect itself from accidental or intentional security
  breaches
Network
• Interception of data on network lines could reveal private data;
  interruption of communications could constitute a remote
  denial-of-service attack

The security of a system is only as strong as its weakest point.
Therefore, all four levels must be addressed for security to be
maintained.
Program Threats
• Processes, along with the kernel, are the only means of accomplishing
  work on a computer
• Therefore, a security threat is most often posed by a program
  – Trojan horse: a code segment that misuses its environment
  – Trap door: the designer of a program may leave a hole in the software
    that only he is capable of using
  – Logic bomb: a program that initiates a security incident only under
    certain circumstances; hard to detect
  – Stack and buffer overflow: caused by poor programming. The attacker
    sends more data than the program expects, overwriting adjacent memory
    (e.g. the return address on the stack)
  – Viruses: a virus is a fragment of code embedded in a legitimate program
    that "infects" other programs. Very specific to architectures,
    operating systems and applications
System and Network Threats
• System and network threats involve the abuse of services and network
  connections
• The more services are available over a network, the more likely it is
  that a bug is available to exploit
• Increasingly, operating systems are secure by default
• This means that many services (e.g. FTP, telnet, ssh) are disabled by
  default
• They have to be specifically enabled by the system administrator
• The threats include
  – Worms: a worm produces copies of itself, using up system resources
  – Port scanning: a means for an intruder to detect a system's
    vulnerabilities to attack. If a vulnerability in a specific service
    that typically runs on a specific port is known, the attacker can try
    to connect to that port and test whether the program in question is
    actually available there
  – Denial of service: aims at disrupting legitimate use of a system or
    facility. Since such attacks use the same mechanisms as normal
    operation, they are generally impossible to prevent outright; they can
    only be detected and mitigated
Security tools
• Cryptography
  – Encryption
  – Key distribution
  – Authentication
• User authentication: typically based on
  – the possession of something (key or card)
  – knowledge of something (identifier and password)
  – an attribute of the user (fingerprint, retina pattern, signature)
• Implementing security defense
  – Several layers of security are better than one layer
  – Penetration tests to test security
  – Intrusion detection
  – Firewalls to protect systems and networks
Trusted Operating System
• There are a few basic concepts that are fundamental when dealing with a
  trusted OS:
  – the kernel is the part of the OS that performs the lowest-level
    functions
  – the security kernel is responsible for enforcing the security
    mechanisms of the entire OS
  – the reference monitor (RM) is the part of the security kernel that
    controls access to objects
  – the trusted computing base (TCB) is everything in the trusted OS
    necessary to enforce the security policy
Security Policy and Security Model
• A security policy is a statement of the security we expect the system to
  enforce. The security can be expressed as a number of well-defined,
  consistent and implementable rules.
• A security model is a representation of the security policy for the OS.
• A formal security model is a mathematical description (formalization) of
  the rules of the security policy. It can be used for formal proofs of
  security.
Developing a secure OS
• The development of a secure OS can be made in eight steps:
  – analyze the system
  – choose/define a security policy
  – choose/create a security model (based on the policy)
  – choose an implementation method
  – make a (conceptual) design
  – verify the correctness of the design
  – make an implementation
  – verify the implementation (?)
• There are feedback loops between all of the above steps. Errors may occur
  in all of the above steps
