8/8/2019 DE CUONG SMNP
SNMP v3
Chapter I: The SNMP network management protocol
1. Concepts:
Since it was first published in 1988, the Simple Network Management Protocol (SNMP) has quickly become a widely used network management protocol for TCP/IP-based computer networks. SNMP defines a protocol for exchanging management information, but it is more than that. It also defines a format for representing management information and a framework for organizing distributed systems into managing systems and managed agents. In addition, a number of specific database structures, called management information bases (MIBs), are defined as part of the SNMP suite; these MIBs specify managed objects for the most common network management subjects, including bridges, routers and LANs.
SNMP is a simple set of operations that lets a network administrator manage the network and change its state. SNMP can be used to manage Unix and Windows systems, printers, power supplies and so on. In general, any device that can run software exposing SNMP information can be managed. Not only physical devices can be managed but also software such as web servers and databases. SNMP works on a manager/agent model. An agent application is identified by its IP address and a UDP port.
SNMP uses connectionless communication to exchange information between network elements and the network management system (UDP in this case). UDP carries packets as separate datagrams. Other protocols may nevertheless be used to carry SNMP packets. After crossing the network, the packets keep the SNMP format at the network elements and at the management system. SNMP uses UDP (User Datagram Protocol) as the transport protocol between managers and agents. UDP is used instead of TCP because with UDP the two endpoints do not need to set up a connection before data is exchanged (connectionless), a property that suits conditions where the network is faulty or degraded.
- For the get/set/response operations the SNMP agent listens on UDP port 161, while for the trap operation the SNMP trap receiver listens on UDP port 162.
- SNMP uses the following 3 basic commands:
+ Read: used by SNMP to read information from a device. This information is provided through SNMP variables that are stored on the device and updated by the device.
+ Write: used by SNMP to write control information to a device by changing the values of SNMP variables.
+ Trap: used to receive events sent from a device to SNMP. Whenever an event occurs on the device, a Trap is sent to the NMS.
In addition, SNMP uses a number of custom commands to manage the network.
- In SNMP there are 3 things to consider: Manager, Agent and MIB (Management Information Base).
Figure 1: The SNMP model
MIB: the database that serves the Manager and the Agent.
Manager: a server running programs that perform network management functions. A Manager can be regarded as an NMS (Network Manager Station). An NMS can poll the Agents in the network and collect alerts from them.
Agent: a piece of software running on the network devices to be managed. It can be a stand-alone program such as a daemon on Unix. Today most devices that operate up to the IP layer ship with an SNMP agent installed.
SMI is the set of rules that defines the structure and format of the information in the MIB database.
Object ID and MIB
+ Object: a device that supports SNMP can provide many different pieces of information; each piece of information is called an object, for example whether a port is up or down.
+ Each object has a name and a numeric code that identifies it; the code is called the object ID (OID). The object ID is the identifier of an object that can be monitored, and every get/set operation on an object's information goes through its identifier.
The device name is called sysName.
The total number of interface ports is called ifNumber.
The MAC address of a port is called ifPhysAddress.
The number of bytes received on a port is called ifInOctets.
- A MIB (management information base) is a data structure made up of managed objects and is used to manage devices running on TCP/IP. The MIB is the common architecture that management protocols on TCP/IP, SNMP among them, should follow. A MIB is expressed as a file and can be represented as a tree. A MIB can be standardized or self-defined (when you define an object or a community string of your own, you have to create a new MIB for it so that the agents can communicate with each other and understand the object you defined).
2. MIB
2.1. MIB
A MIB is a collection of managed objects. A MIB stores information collected by the local management agent on a managed device, for later retrieval by a network management protocol.
Each object in a MIB has a unique identifier that management applications use to identify the object and retrieve its value. The MIB has a tree-like structure in which similar objects are grouped under the same branch of the MIB tree. For example, the various interface counters are grouped under the interfaces branch of the MIB tree.
The MIB structure is represented logically by a hierarchical tree. The root of the tree is unnamed and splits into three main branches: the Consultative Committee for International Telegraph and Telephone (CCITT), ISO, and joint ISO/CCITT.
These branches, and the categories that fall under each of them, are identified by short text strings and by integers. The text strings describe the object names, whereas the integers form object identifiers that let software produce compact, encoded representations of the names. An object identifier in the Internet MIB hierarchy is the sequence of numeric labels on the nodes along the path from the root to the object. The Internet standard MIB is represented by the object identifier 1.3.6.1.2.1, which can also be written as iso.org.dod.internet.mgmt.mib.
Figure 2: The Internet MIB hierarchy
The standard MIBs are defined in various RFCs. For example, RFC 1213, the management information base for network management of TCP/IP-based networks (MIB-II), defines the TCP/IP MIB.
In addition to the standard MIBs, vendors can reserve a branch of the MIB subtree and create managed objects under that branch. A Cisco router MIB uses both standard and private managed objects.
The MIB tree of a Cisco router contains a number of standard managed object definitions, including objects from the following groups:
- Interface group (including the interface description, type, physical address, and counts of incoming and outgoing packets).
- IP group (including whether the device is acting as an IP gateway, the number of input packets, and the number of packets discarded because of errors).
- ICMP group (including the number of ICMP packets received and the number of error messages).
The Cisco private part of the MIB tree contains private managed objects introduced by Cisco, such as the following objects for routers:
- Small, medium, large and other buffer sizes.
- Primary and secondary memory.
- Resource protocols.
Private definitions of managed objects must be compiled into the NMS before they can be used; the result is more descriptive output, with variables and events that can be referred to by name.
2.2 MIB-II
MIB-II supports a number of new protocols and provides more detailed information structures. It remains compatible with the previous version: MIB-II keeps the same object identifier as MIB-I (1.3.6.1.2.1).
MIB-II has 10 subtrees defined in RFC 1213, inherited from MIB-I in RFC 1066. Each subtree has its own function:
- system (1.3.6.1.2.1.1): defines a list of objects related to the operation of the system, such as the time since the system started, the system contact information and the system name.
- interfaces (1.3.6.1.2.1.2): keeps the status of the interfaces on a managed entity. It tracks whether an interface is up or down and records octets sent and received, and octets in error or discarded.
- at (1.3.6.1.2.1.3): the at (address translation) group is deprecated; it is provided only for backward compatibility. This group is dropped from MIB-III onwards.
- ip (1.3.6.1.2.1.4): keeps a large amount of information about the IP protocol, including IP routing.
- icmp (1.3.6.1.2.1.5): records information such as ICMP packets in error or discarded.
- tcp (1.3.6.1.2.1.6): records, among other things, information specific to the state of TCP connections, such as closed, listening, sent and so on.
- udp (1.3.6.1.2.1.7): collects statistics for UDP, such as datagrams in and out.
- egp (1.3.6.1.2.1.8): records EGP parameters and the EGP neighbour table.
- transmission (1.3.6.1.2.1.10): there are no objects in this group, but it defines media-specific MIBs.
- snmp (1.3.6.1.2.1.11): measures the operation of SNMP on managed entities and records information such as the number of SNMP packets received and sent.
Although the MIB-II definition is an improvement over MIB-I, some issues remain unresolved:
- MIB-II is still device-centric, meaning that it focuses on individual devices, not on the network as a whole or on data flows.
- MIB-II is poll-based, meaning that the data is stored in the managed devices and a management system has to request (poll) it through the management protocol; data is not sent automatically.
Chapter II: SNMPv3
1. SNMPv3 architecture
1.1 Components of SNMPv3
An important change in SNMPv3 is that all agents and managers are now collectively called SNMP entities. An SNMP entity consists of two parts: an SNMP engine and applications.
Figure 3: SNMP entity
1.1.1 SNMP engine
An engine consists of four components: the dispatcher, the message processing subsystem, the security subsystem and the access control subsystem. The dispatcher's job is to send and receive messages. It tries to determine the version of each received message and, if the version is supported, hands the message to the message processing subsystem. The dispatcher also sends SNMP messages to other entities.
The message processing subsystem prepares messages for sending and extracts the data from received messages. A message processing subsystem can contain several message processing modules. For example, the subsystem may have modules for handling version 1, version 2 and version 3 requests. It may also contain modules for other kinds of processing.
The security subsystem provides authentication and privacy services. Authentication uses either community strings or SNMPv3 user-based authentication. User-based authentication uses the MD5 or SHA algorithm to authenticate users without sending the password in clear text. The privacy service uses the DES algorithm to encrypt and decrypt SNMP messages. Currently DES is the only algorithm used, but other algorithms may be used in the future.
The access control subsystem is responsible for controlling access to MIB objects. You can control which objects a user may access as well as which operations the user is allowed to perform on those objects. For example, you might want to limit a user's read-write access to certain parts of the mib-2 tree while allowing read access to the whole tree.
1.1.2 SNMPv3 applications
Version 3 divides SNMP into the following applications:
- Command generator: generates get, getnext, getbulk and set requests and processes the responses. These applications are run by a network management station (NMS), so it can query and issue set requests to entities on routers, switches, Unix hosts and so on.
- Command responder: responds to get, get-next, get-bulk and set requests. These applications are run by an entity on a router or Unix host.
- Notification originator: generates trap and notification messages. This application is run by an entity on a router or Unix host. In version 1 and version 2 the notification originator is part of the SNMP agent.
- Notification receiver: receives trap and notification messages. These applications are run by the NMS.
- Proxy forwarder: automatically forwards messages between entities.
1.2. Architecture of the SNMPv3 manager and agent
1.2.1 SNMP manager architecture
Figure 4: SNMP manager architecture
[Figure 4 components: one or more applications (notification originator, notification receiver, command generator); message processing subsystem (v1MP, v2cMP, v3MP, other MP); security subsystem (user-based security model, other security models); PDU dispatcher; message dispatcher; transports (UDP, IPX, other); network]
An SNMP manager interacts with SNMP agents by issuing commands (get, getnext, getbulk, set) and by receiving notification messages (trap, inform). A manager can also interact with other managers by sending inform request PDUs and receiving inform response PDUs. In SNMPv3 terminology, an SNMP manager consists of the following applications:
- Command generator applications: monitor and manipulate management data at remote agents. They use SNMPv1 and/or SNMPv2 PDUs, including get, getnext, getbulk and set.
- Notification originator application: initiates asynchronous messages; in the case of a manager, the InformRequest PDU is used for this application.
- Notification receiver application: processes incoming asynchronous messages. These messages include InformRequest, SNMPv2-Trap and SNMPv1 Trap PDUs. When an InformRequest PDU arrives, the notification receiver application responds with a Response PDU.
1.2.2 SNMP agent architecture
Figure 5: SNMP agent architecture model
[Figure 5 components: command responder application, access control, notification originator application, proxy forwarder application, MIB; message processing subsystem (v1MP, v2cMP, v3MP, other MP); security subsystem (user-based security model, other security models); PDU dispatcher; message dispatcher; transports (UDP, IPX, other); network]
An agent can contain 3 kinds of application:
- Command responder application: provides access to management data. These applications respond to incoming requests by retrieving and/or setting managed objects and then issuing a Response PDU.
- Notification originator application: initiates asynchronous messages; in the case of an agent, the SNMPv2-Trap or SNMPv1 Trap PDU is used for this application.
- Proxy forwarder application: forwards messages between entities.
The SNMP engine of an agent has all the components found in the SNMP engine of a manager; the difference is the access control subsystem. This subsystem provides authorization services for access to the MIB in order to read and set managed objects. These services are performed on the basis of the contents of the PDUs. An implementation of the security subsystem may support one or more distinct access control models. So far the only security model defined for SNMPv3 is VACM, which is specified in RFC 3415.
1.3 Commands in SNMPv3
SNMPv3 exchanges management information using the following commands:
GetRequest: the manager sends a GetRequest to the agent to ask it for some piece of information identified by an object ID (the GetRequest contains the OID). For example, to get the name of device 1, the manager sends a GetRequest with OID=1.3.6.1.2.1.1.5 to device 1; the SNMP agent process on device 1 receives the message and builds a reply. A single GetRequest can contain several OIDs, which means that one GetRequest can retrieve several pieces of information at once.
GetNextRequest: the manager sends a GetNextRequest containing an object ID to the agent to ask for the information that comes immediately after that object ID in the MIB. Because a MIB contains many OIDs ordered in a non-contiguous sequence, knowing one OID does not tell you the next one. We therefore need GetNextRequest to fetch the value and OID of the next object. By issuing GetNextRequest repeatedly we can retrieve all the information the agent holds.
SetRequest: the manager sends a SetRequest to the agent to set the value of one of the agent's objects, identified by its object ID. A computer or router can be renamed from SNMP manager software by sending a SetRequest whose OID is 1.3.6.1.2.1.1.5.0 (sysName.0) and whose value is the new name. A port on a switch can be shut down from SNMP manager software by sending a message whose OID is 1.3.6.1.2.1.2.2.1.7 (ifAdminStatus) and whose value is 2 (ifAdminStatus has 3 values: 1 UP, 2 DOWN, 3 TESTING). Only objects with READ_WRITE access can have their values changed.
GetResponse: the agent sends a GetResponse to the manager in reply to a GetRequest or GetNextRequest. The GetResponse contains the OID of the requested object and the value of the object.
Trap: the agent sends a trap to the manager on its own initiative when an event occurs on some object in the agent. These events are not the agent's routine activity but incidents, for example when a port goes down, when a user fails to log in, or when the device restarts; the agent then sends a trap message to the manager. However, not every incident causes the agent to send a trap, and not every agent sends a trap for the same incident. Whether an agent sends a trap for a given incident is decided by the manufacturer of the device/agent. The trap mechanism is independent of the request/response mechanism: SNMP request/response is used for management, while SNMP trap is used for alerting. The source of a trap is called the trap sender and the destination is called the trap receiver. A trap sender can be configured to send traps to several trap receivers at once. There are two kinds of trap: generic traps and specific traps. Generic traps are defined in the SNMP standards, while specific traps are user-defined (defined by the device manufacturer). The trap type is an integer carried in the trap message, from which the trap receiver knows what the trap means. The usual trap types are:
- ColdStart: signals that the sending device is restarting and that its configuration may be changed after the restart.
- WarmStart: signals that the sending device is restarting and that its previous configuration is kept.
- LinkDown: signals that the sending device has detected a failure on one of its communication links. The trap carries a parameter giving the ifIndex of the failed link.
- LinkUp: signals that the sending device has detected that one of its communication links has come back up. The trap carries a parameter giving the ifIndex of the restored link.
- AuthenticationFailure: signals that the sending device has received a message that failed authentication (the message that failed authentication may belong to various protocols such as telnet, ssh, snmp and so on). This trap usually occurs because a user failed to log in to the device.
- EgpNeighborLoss: signals that one of the exterior gateway protocol (EGP) neighbours of the sending device is considered down and that the peer relationship between the two sides is no longer maintained.
- EnterpriseSpecific: signals that this trap does not belong to the generic types above but is a user-defined type.
Users can define additional trap types to extend the alerting capability of a device, such as boardFailed, configChanged, PowerLoss and so on. Only a trap sender and trap receiver that support the same MIB can understand the meaning of specific traps.
get-bulk: allows management information to be retrieved from many parts of a table. This can be done with get, but the size of the request may be limited by the agent. In that case, if the agent cannot answer the whole request, it returns an error message with no data. With getbulk the agent sends back as much of the response as it can, so a partial answer to the request is possible. Two fields must be set in getbulk: nonrepeaters (tells the agent that the first N objects can be answered as with a simple get) and max-repetition (tells the agent to attempt up to M get-next requests for the remaining objects).
notification: standardizes the PDU format, in line with the get and set commands.
inform: provides a mechanism for communication between NMSs. When one NMS sends an SNMP inform to another NMS, the receiving NMS sends back an ACK confirming the event. This works like the get and set mechanism.
report: introduced in the SNMPv2 draft and later included in SNMPv3. It is used for communication between SNMPv3 systems.
2. Security in SNMPv3
2.1 Threats:
- Masquerading: an attacker impersonates someone in order to perform actions in that person's name. In network security today this is perhaps the most dangerous threat. One way of masquerading is spoofing (deceiving the user). If an attacker successfully masquerades as a management station, the attacker can reach the network management functions with credentials that appear valid: the attacker can do anything that the impersonated identity is allowed to do.
- Modification of information: the threat of modification of information means that a third party can intrude on the transmission of a message and alter it. The altered message is then delivered to the party entitled to receive the real message. The receiver now believes that the message was sent by a genuinely trusted source, while its contents have been changed. In a management network, an authenticated manager may generate a meaningful management PDU. If an attacker successfully attacks the transmission, PDUs can be altered while the authentication information remains unchanged. However, this is only possible if the PDU is neither signed nor encrypted.
- Message stream modification: the message stream is altered in some way, meaning that messages can be reordered or replayed. Management networks were originally designed around connectionless protocols, so most management protocols are designed to run over a connectionless transport service. Message stream modification is a potential threat in a management network. An attacker can record the management messages that turn off a router. From that point on the attacker can use those packets to turn off the router at any time.
- Disclosure: the threat of disclosure means that the confidentiality of information is lost (leaked) to people who should not see it. In ordinary network security, traffic is often not encrypted. Likewise, in a management network some management PDUs may carry essential information about the network and the nodes managed in it. So if an attacker can monitor traffic on network segments, the attacker can obtain important information. This information can be used as the basis for other kinds of intrusion such as masquerading. One way to counter the threat of disclosure is to encrypt messages.
- Denial of service (DoS): some network service is blocked in some way. An attacker may try to open TCP connections to a host continuously, which is a way of blocking all other connection requests. In a management network this also means an attacker blocking the flow of management protocol data between manager and agent. In a management network, DoS can be the final link in a chain when several different threats occur. For example, if an attacker succeeds in masquerading and acts as a manager, the attacker can issue a shutdown command to a particular router. At that point a denial-of-service threat has actually materialised.
- Traffic pattern analysis: a threat in which the information content of the messages is disregarded. Essential information about the system is instead derived from the ordinary traffic flow patterns. These last two threats are very hard to prevent.
2.2 Security in version 3
Security has been the weakest point of SNMP since its creation. Authentication in SNMP relies mainly on a clear-text password shared between a manager and an agent. A password sent in clear text is obviously insecure: it can be stolen, traced back and used to bring down the network.
In SNMPv3 security receives attention and is better assured than in version 1 and version 2. The main concern of SNMPv3 is addressing security; there is no change to the protocol and no new operations. SNMPv3 incorporates all the operations of SNMPv1 and SNMPv2. (access authorization)
SNMPv3 uses MD5 and SHA to produce a hash value for each SNMP message. This allows endpoint authentication and prevents data modification and related attacks. In addition, SNMPv3 management software and agents can use DES to encrypt packets for better protection. (integrity, encryption and authentication)
2.2.1 SNMPv3 message structure
Fields of the SNMPv3 message
The first five fields (the message header) are generated by the message processing subsystem on the sending side and processed by the message processing subsystem on the receiving side. The message processing header consists of:
msgVersion: set to version 3.
msgID: a unique identifier used between SNMP entities to match request and response messages, and by message processing to coordinate the handling of the message by the different subsystems in the architecture. The ID value lies in the range [0; 2^31-1].
msgMaxSize: conveys the maximum message size, in octets, supported by the sender of the message, in the range 484 to 2^31-1. This is the largest segment size the sender can accept from another SNMP engine (whether a response or some other message type).
msgFlags: an octet string containing 3 flags: reportableFlag, privFlag and authFlag. If reportableFlag=1, a Report PDU must be returned to the sender; when the flag is 0, a Report PDU may not be sent back. reportableFlag is set to 1 by the sender in all messages containing a request (get, set) or an inform, and set to 0 in messages containing a response, a trap or a Report PDU. privFlag and authFlag, on the other hand, are set by the sender to indicate the security level applied to the message. The combinations are as follows:
privFlag  authFlag  Security level
0         0         No authentication, no encryption
0         1         Message authenticated
1         1         Message encrypted and authenticated

msgSecurityModel: an identifier in the range [0; 2^31-1] indicating which security model the sender used to prepare the message, and therefore which security model the receiver must use to process it. The values are assigned as follows:

Value  Security model
1      SNMPv1
2      SNMPv2c
3      USM
The next six fields carry the security parameters used by USM. When an outgoing message is passed to the User-based Security Model (USM) by the message processing subsystem (message processor), USM fills in the security-related parameters in the message header. The values processed by the User-based Security Model are contained in those fields. The security-related parameters are the following:
- msgAuthoritativeEngineID: the snmpEngineID of the authoritative SNMP engine involved in the exchange. This value therefore refers to the source for trap, response and report messages, and to the destination for get, getnext, getbulk, set and inform messages.
- msgAuthoritativeEngineBoots: the snmpEngineBoots value of the authoritative SNMP engine involved in the exchange. snmpEngineBoots is an integer in the range 0 to (2^31)-1; it counts the times this SNMP engine has been initialized or re-initialized since it was first configured.
- msgAuthoritativeEngineTime: the snmpEngineTime value of the authoritative SNMP engine involved in the exchange. snmpEngineTime is an integer in the range 0 to (2^31)-1; it represents the number of seconds since this authoritative SNMP engine last incremented snmpEngineBoots. Each authoritative SNMP engine is responsible for incrementing its own snmpEngineTime once per second. A non-authoritative engine is responsible for incrementing its notion of snmpEngineTime for each remote authoritative engine with which it communicates.
- msgUserName: identifies the user (principal) on whose behalf the message is being exchanged. The main purpose of the user is to hold the secret keys and some security-related information, such as the encryption algorithm in use. The userName identifies the principal within USM and is mapped to a security-model-independent securityName by a defined transformation. The userName is therefore a human-readable string.
- msgAuthenticationParameters: null (no value, left empty) if authentication is not used for this exchange. Otherwise it is an authentication parameter. As USM is currently defined, the authentication parameter is an HMAC message authentication code.
- msgPrivacyParameters: null if privacy is not used for this exchange. Otherwise it is a privacy parameter. As defined by USM, the privacy parameter is a value used to form the initial value of the DES cipher block chaining algorithm.
Finally, the PDU together with the contextEngineID and contextName forms the scoped PDU, which is used for PDU processing.
2.2.2 Sending and receiving messages at each security level
SNMPv3 provides both security models and security levels:
- A security model is an authentication strategy set up for a user and the group in which the user resides.
- A security level is the level of security permitted within a security model.
The combination of security model and security level determines which security mechanism is used when handling an SNMP packet. Three security models are available: SNMPv1, v2c and v3. The table shows what the combinations of model and level mean.

Model  Level         Authentication    Encryption  Meaning
v1     noAuthNoPriv  Community string  No          Uses a community string match for authentication
v2c    noAuthNoPriv  Community string  No          Uses a community string match for authentication
v3     noAuthNoPriv  Username          No          Uses a username match for authentication
v3     authNoPriv    MD5 or SHA        No          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms
v3     authPriv      MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides 56-bit DES encryption in addition to authentication, based on the CBC-DES (DES-56) standard
2.2.2.2 authNoPriv message exchange
If we assume that the communication between manager and agent is to be authenticated (the agent wants to be sure that a message really comes from the manager making the request and, conversely, the manager wants to be sure that the response really comes from the target agent), the sender must compute a digest of the message using some algorithm (MD5 or SHA) and insert it in the msgAuthenticationParameters field of msgSecurityParameters.
The receiver removes the digest from the message, stores it in a temporary location, fills the vacated space with zero octets and computes the message digest. If the computed message digest equals the received digest, the message is authenticated. Otherwise an impostor may be carrying out unauthorized operations.
Note that message authentication does not prevent the content of the message from being inspected. The following figure shows the exchange of authenticated messages between manager and agent.
In fact the figure above leaves out an important part of authentication. To prevent replay attacks, USM uses a timeliness mechanism. The basic idea is that the authoritative engine maintains two objects, snmpEngineBoots and snmpEngineTime, which refer to its local time. A non-authoritative engine has to stay loosely synchronized with each authoritative SNMP engine it communicates with. For this purpose the non-authoritative engine keeps a local copy of 3 variables for each remote engine ID:
+ snmpEngineBoots of the remote engine.
+ snmpEngineTime: this engine's notion of snmpEngineTime for the remote authoritative engine.
+ latestReceivedEngineTime: the highest value of msgAuthoritativeEngineTime that this engine has received from the remote authoritative engine.
Every message that requires authentication includes the sending engine's notion of the remote engine's boots and time. The boots value must match and the time must fall within a 150-second time window. If a received message does not meet these conditions, a not-in-time-window Report PDU is sent back. The authoritative engine includes its boots and time values in reports and response messages, so the non-authoritative engine can update its local copy of these values. This is illustrated by the following figure:
2.2.2.3 authPriv message exchange
If we assume that the communication between manager and agent is to be protected against disclosure, an encryption method is applied; not the whole message is encrypted, only the scoped PDU. The algorithm chosen in SNMPv3 is the Data Encryption Standard (DES) in cipher block chaining (CBC) mode. Customers are free to choose a different algorithm.
Note that when encryption is applied, the message must also be successfully authenticated.
3. Security models
The RFCs that cover SNMPv3 all describe the overall architecture, the specific message structures and the security features, but do not describe a new SNMP PDU format. This means that the existing SNMPv1 and SNMPv2 PDU formats have to be used within the new architecture. According to RFCs 2271 to 2275, SNMPv3 can be understood as SNMPv2 plus security and administration. The following sections present the security and authentication capabilities provided by the SNMPv3 USM (User Security Model), which is the user-based security model, and by view-based access control.
3.1 The user-based security model (USM)
RFC 3414 defines the user-based security model, USM. USM provides privacy and authentication services for SNMP and is designed to protect against the following threats: modification of information, masquerading, message stream modification (SNMP is designed to run over a connectionless transport protocol, so there is a risk that messages are reordered, delayed or replayed to cause unauthorized management operations), and disclosure of information.
USM does not protect against threats such as denial of service (an attacker prevents the exchange of information between manager and agent) or traffic analysis (an attacker can observe the general pattern of traffic between manager and agent).
SNMPv3 defines USM as one choice of security model, but customers are free to implement a model of their own.
3.1.1 Security functions
Two security functions are defined in USM: authentication and encryption. To support these functions, an SNMP engine requires two values: a privacy key and an authentication key. Separate values of these two keys are maintained for the following users:
+ Local users: any principal at this SNMP engine for which management operations are authorized.
+ Remote users: any principal at a remote SNMP engine with which communication is desired.
The values of the privacy key and the authentication key are not accessible through SNMP. USM allows one of two alternative authentication protocols to be used: HMAC-MD5-96 and HMAC-SHA-96. For encryption USM uses the cipher block chaining mode of the Data Encryption Standard (DES).
3.1.2 Keys
Both authentication and encryption in an SNMP entity require an appropriate key. Because all the cryptographic algorithms used are symmetric, both sides must use the same key.
To reduce the key-management burden on principals, each principal is only required to maintain a single authentication key and a single encryption key. These keys are not stored in a MIB and are not accessible through SNMP.
To make key deployment simple, SNMPv3 proposes a password-to-key algorithm. The SNMP entity computes the key from the password using a specified hash function, so the same password always yields the same key. This is simple, but it is not the best security that can be achieved, so the computed key is localized: the key is wrapped around the authoritative engine ID and the hash function is applied to the resulting octet string. This guarantees that the same password produces different keys for different engine IDs. If the key of one entity is disclosed, the security of the other entities is still not broken.
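The password-to-key step and the localization step described above can be reproduced with the Python standard library. This is an added example, not code from the original document; it follows the derivation in RFC 3414 (the password repeated to 2^20 octets and hashed, then the hash taken over key, engine ID, key), and the two engine IDs in `keys_per_engine` are constructed sample values.

```python
import hashlib

STRETCH_LEN = 1024 * 1024  # RFC 3414: the password is stretched to 2^20 octets


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Derive the user key Ku from a password with MD5 ("md5") or SHA ("sha1")."""
    if not password:
        raise ValueError("password must not be empty")
    # Repeat the password end to end and hash exactly 2^20 octets of it.
    repeats = STRETCH_LEN // len(password) + 1
    stream = (password * repeats)[:STRETCH_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Localize Ku to one authoritative engine: H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def keys_per_engine(password: bytes, hash_name: str = "sha1") -> dict:
    """Show that one password yields a different key on every engine."""
    ku = password_to_key(password, hash_name)
    # Constructed engine IDs for two hypothetical agents.
    engines = {
        "router-a": bytes.fromhex("80001f8880aabbccdd00000001"),
        "router-b": bytes.fromhex("80001f8880aabbccdd00000002"),
    }
    return {name: localize_key(ku, eid, hash_name).hex()
            for name, eid in engines.items()}


if __name__ == "__main__":
    for name, key in keys_per_engine(b"maplesyrup").items():
        print(name, key)
```

Because each agent stores only its localized key, reading the key out of one device does not give the key that any other device expects for the same user.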
3.1.4 Timeliness mechanisms
Authenticating data on the basis of time limits
USM includes a set of timeliness mechanisms to guard against delayed and replayed messages. Every SNMP engine that can ever act as an authoritative engine must maintain the values of snmpEngineBoots and snmpEngineTime, which refer to its local time. When an SNMP engine is first installed, both values are set to 0. After that, snmpEngineTime is incremented by 1 every second. If snmpEngineTime ever reaches its maximum value, (2^31)-1, snmpEngineBoots is incremented, as if the system had been restarted, and snmpEngineTime is reset to 0 and starts counting again. Using a synchronization mechanism, a non-authoritative engine maintains an estimate of the time value of each authoritative engine it communicates with. This estimate is placed in each outgoing message and allows the receiving authoritative engine to determine whether or not the incoming message is timely.
The synchronization mechanism works as follows. A non-authoritative engine keeps a local copy of three variables for each authoritative SNMP engine known to this engine:
SnmpEngineBoots: the most recent value of snmpEngineBoots for the remote authoritative engine.
SnmpEngineTime: this engine's notion of the value of snmpEngineTime for the remote authoritative engine. This value is synchronized with the remote authoritative engine by the synchronization process described below. Between synchronization events the value is logically incremented once per second in order to maintain a loose synchronization with the remote authoritative engine.
LatestReceivedEngineTime: the highest value of msgAuthoritativeEngineTime that this engine has received from the remote authoritative engine. This value is updated whenever a larger value of msgAuthoritativeEngineTime is received. The purpose of this variable is to protect against replayed messages that would prevent the non-authoritative SNMP engine's notion of snmpEngineTime from advancing.
One set of these 3 variables is maintained for each remote authoritative engine known to this engine.
Time synchronization occurs as part of the procedure for receiving an SNMP message. No explicit time synchronization procedure is therefore required of a non-authoritative SNMP engine. Note that whenever the local value of snmpEngineID is changed (for example through discovery), or when secure communication is first established with an authoritative SNMP engine, the local values of snmpEngineBoots and latestReceivedEngineTime should be set to 0. This causes time synchronization to occur when the next authenticated message is received.
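The authNoPriv digest check and the timeliness rules described above fit together as follows. This is an added example, not code from the original document: the message framing (an 8-octet boots/time header plus user name, a 12-octet digest field, then the PDU) is a simplification invented for the example rather than real BER encoding, and the key and messages are constructed sample values.

```python
import hmac
import struct

TIME_WINDOW = 150          # seconds, the window stated in the text
MAX_BOOTS = 2**31 - 1      # largest snmpEngineBoots value
MAC_LEN = 12               # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits
ZEROS = bytes(MAC_LEN)


def _mac(key, data, hash_name):
    return hmac.new(key, data, hash_name).digest()[:MAC_LEN]


def sign(key, header, scoped_pdu, hash_name="sha1"):
    """Sender: digest the message with the digest field zeroed, then fill it."""
    return header + _mac(key, header + ZEROS + scoped_pdu, hash_name) + scoped_pdu


def verify(key, message, header_len, hash_name="sha1"):
    """Receiver: save the digest, zero its field, recompute and compare."""
    received = message[header_len:header_len + MAC_LEN]
    zeroed = message[:header_len] + ZEROS + message[header_len + MAC_LEN:]
    return hmac.compare_digest(received, _mac(key, zeroed, hash_name))


def timely_at_authoritative(local_boots, local_time, msg_boots, msg_time):
    """Authoritative receiver: boots must match, time within +/- 150 s."""
    if local_boots == MAX_BOOTS or msg_boots != local_boots:
        return False
    return abs(msg_time - local_time) <= TIME_WINDOW


class RemoteEngineClock:
    """Non-authoritative side: the three variables kept per remote engine."""

    def __init__(self):
        self.boots = 0
        self.time = 0
        self.latest_received = 0

    def tick(self, seconds=1):
        self.time += seconds      # advanced locally between synchronizations

    def accept(self, msg_boots, msg_time):
        """Call only for messages that passed verify(); sync, then check."""
        if msg_boots > self.boots or (
                msg_boots == self.boots and msg_time > self.latest_received):
            self.boots = msg_boots
            self.time = self.latest_received = msg_time
        if self.boots == MAX_BOOTS or msg_boots < self.boots:
            return False
        return not (msg_boots == self.boots
                    and msg_time < self.time - TIME_WINDOW)


def demo():
    key = bytes(range(20))                        # constructed localized key
    header = struct.pack(">II", 5, 1000) + b"bob"  # boots=5, time=1000, user
    msg = sign(key, header, b"set ifAdminStatus.3=2")
    tampered = msg[:-1] + b"1"                    # one PDU octet changed
    boots, etime = struct.unpack(">II", msg[:8])
    return {
        "fresh": verify(key, msg, len(header))
                 and timely_at_authoritative(5, 1003, boots, etime),
        "tampered_mac_ok": verify(key, tampered, len(header)),
        "replay_mac_ok": verify(key, msg, len(header)),
        "replay_timely": timely_at_authoritative(5, 1600, boots, etime),
        "after_reboot_timely": timely_at_authoritative(6, 10, boots, etime),
    }


if __name__ == "__main__":
    print(demo())
```

The replayed message still carries a valid digest; it is rejected only because its boots and time values, which are covered by the digest and so cannot be rewritten, no longer fall inside the window.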
3.2 The view-based access control model
If only the SNMPv3 security described above were considered, a problem would arise when we have users to whom we want to give different levels of privilege (for example, we want to allow an administrator to reset/reboot a device remotely while preventing ordinary users from doing so, or at the same time allow many people to read the status of remote agents). Distinguishing users by authentication and by each user's own keys/passwords is not enough for this.
VACM uses a MIB to define which users can access which parts of an agent's MIB under specified conditions. These conditions include the security level (for example, essential parts of the MIB may be accessed only with authenticated requests, while other parts may be accessed only when requests are both encrypted and authenticated), the security model (for example, we may not want to allow SNMPv1 or SNMPv2 management access to the v3 configuration), the userName (for example, bob can access all objects in the MIB, while liz can access only 2 parts of the MIB tree), the viewType (for example, a user may be allowed to read objects but not to write or modify them), and the context in which the object exists.
VACM does not define access rights for each individual object (instance) in the agent's MIB. Instead it defines them per branch of the tree (subtree). A subtree is the set of all objects and object instances that share a common object identifier prefix in their names.
Furthermore, we have assumed that the users (known to the agent) can access all objects in the MIB. In the case of a multilingual agent (one using several MIBs) it is not protected at all, so we can use an SNMPv1 or SNMPv2 manager to retrieve and modify all objects. If you look at the NVAgentCfg1.text file you can see that vacmViewTreeFamilyTable contains a single row with viewName = every thing and subtree = 1.3.6.1. In other words, as in the example above, bob can access all MIB instances in the agent.
Access control is a security function performed at the PDU level. Access control defines the mechanism that restricts any access to a managed object in a local MIB by an authorized remote principal. The SNMPv3 documents define the view-based access control model.
VACM uses the SNMP-VIEW-BASED-ACM-MIB to define the access policies for this agent and to make them remotely configurable. RFC 3415 shows how the tables in the VACM MIB work together in making the access control decision.
Who: the combination of securityModel and securityName defines the who of this operation. It identifies a given principal whose communication is protected by the given securityModel. This combination belongs to at most one group at this SNMP engine. vacmSecurityToGroupTable provides the groupName, given the securityModel and securityName.
Where: contextName specifies where the desired management object is to be found. vacmContextTable contains a list of the recognized contextNames.
How: the combination of securityModel and securityLevel defines how the incoming request or inform PDU was protected. The combination of who, where and how identifies zero or one entries in vacmAccessTable.
Why: viewType specifies why access is requested: for a read, write or notify operation. The selected entry in vacmAccessTable contains one MIB viewName for each of these three types of operation, and viewType is used to select a specific viewName. This viewName selects the appropriate MIB view from vacmViewTreeFamilyTable.
What: variableName is an object identifier whose prefix identifies a specific object type and whose suffix identifies a specific object instance. The object type indicates what type of management information is requested.
Which: the object instance indicates which specific item of information is requested.
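The who/where/how/why/what/which decision described above can be followed step by step in a small model of the three tables. This is an added example, not code from the original document: the groups, views and rows are constructed for illustration (bob and liz follow the text), the returned status names follow RFC 3415, and view masks and context-prefix matching are left out.

```python
LEVEL_RANK = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
USM = 3  # msgSecurityModel value for USM

# Constructed sample policy: bob sees everything, liz sees two subtrees.
SECURITY_TO_GROUP = {(USM, "bob"): "admins", (USM, "liz"): "operators"}
CONTEXTS = {""}  # only the default context exists on this agent
# (group, context, model, minimum level) -> viewName for each viewType
ACCESS = {
    ("admins", "", USM, "authPriv"):
        {"read": "everything", "write": "everything", "notify": "everything"},
    ("operators", "", USM, "authNoPriv"):
        {"read": "sysAndIf", "write": "", "notify": "sysAndIf"},
}
# viewName -> list of (subtree, included?)
VIEW_TREE_FAMILY = {
    "everything": [("1.3.6.1", True)],
    "sysAndIf": [
        ("1.3.6.1.2.1.1", True),         # system
        ("1.3.6.1.2.1.2", True),         # interfaces
        ("1.3.6.1.2.1.2.2.1.7", False),  # but not ifAdminStatus
    ],
}


def _oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(view_name, oid_text):
    """The longest matching subtree decides; compare whole sub-identifiers."""
    oid = _oid(oid_text)
    best = None
    for subtree_text, included in VIEW_TREE_FAMILY[view_name]:
        subtree = _oid(subtree_text)
        if oid[:len(subtree)] == subtree:
            if best is None or len(subtree) > best[0]:
                best = (len(subtree), included)
    return best is not None and best[1]


def is_access_allowed(model, name, level, view_type, context, oid_text):
    if context not in CONTEXTS:                       # where
        return "noSuchContext"
    group = SECURITY_TO_GROUP.get((model, name))      # who
    if group is None:
        return "noGroupName"
    rows = [(LEVEL_RANK[min_level], views)            # how
            for (g, c, m, min_level), views in ACCESS.items()
            if (g, c, m) == (group, context, model)
            and LEVEL_RANK[min_level] <= LEVEL_RANK[level]]
    if not rows:
        return "noAccessEntry"
    view_name = max(rows, key=lambda row: row[0])[1][view_type]  # why
    if not view_name or view_name not in VIEW_TREE_FAMILY:
        return "noSuchView"
    if in_view(view_name, oid_text):                  # what and which
        return "accessAllowed"
    return "notInView"


if __name__ == "__main__":
    checks = [
        ("bob", "authPriv", "write", "1.3.6.1.2.1.1.5.0"),
        ("bob", "authNoPriv", "read", "1.3.6.1.2.1.1.5.0"),
        ("liz", "authNoPriv", "read", "1.3.6.1.2.1.2.2.1.10.1"),
        ("liz", "authNoPriv", "read", "1.3.6.1.2.1.11.1.0"),
        ("liz", "authNoPriv", "write", "1.3.6.1.2.1.2.2.1.7.3"),
    ]
    for user, level, view_type, oid in checks:
        print(user, level, view_type, oid,
              is_access_allowed(USM, user, level, view_type, "", oid))
```

The fourth check is the one to look at when auditing a view: 1.3.6.1.2.1.11 (the snmp group) is not inside 1.3.6.1.2.1.1 (system) even though the strings share a prefix, which is why the comparison is done on sub-identifiers rather than on text.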
5, Summary of security in version 3
III, Simulating SNMPv3 security with software
1, Describing how to install SNMP
2, Example of monitoring a computer setup and the results obtained (using Wireshark to capture packets on the network card)