Changes

From Free Knowledge Base- The DUCK Project: information for everyone

Simple Network Management Protocol

6,955 bytes added, 17:50, 24 November 2010
Reverted edits by [[Special:Contributions/Atekysepiko|Atekysepiko]] ([[User_talk:Atekysepiko|Talk]]); changed back to last version by [[User:Admin|Admin]]
The following lines were added (+) and removed (-):
SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters. SNMP uses five basic messages (GET, GET-NEXT, GET-RESPONSE, SET, and TRAP) to communicate between the SNMP manager and the SNMP agent. There are variations to account for additional message types (see the six listed below) based on the version of SNMP being used. Many network elements support only SNMPv1 and SNMPv2c. Support for SNMPv3 is minimal.

[[Image:snmpipnetwork.png]]

=== Versions ===

{| class="wikitable"
! Name !! Base version !! Security model
|-
| SNMPv1 || SNMPv1 || community-based security
|-
| SNMPv2c || SNMPv2 || community-based security
|-
| SNMPv2u || SNMPv2 || user-based security
|-
| SNMPv2 || SNMPv2 || party-based security
|-
| SNMPv3 || SNMPv3 || user-based security
|}

=== Communication Architecture ===

To get information from an SNMP device, a "manager" (SNMP terminology for a client) sends a "GetRequest" or "GetNextRequest" to an "agent" (the SNMP term for a server), and the requested information or an error message is sent back in a "Response." If a manager wants to modify information on an agent, a "SetRequest" is sent, with a corresponding Response to confirm the change or report an error.

The unsolicited message form is called a "trap."
This kind of message is usually sent by agents on start-up, on status change and in response to error conditions. Traps are not only unsolicited but also unreliable. Like syslog messages they are sent via User Datagram Protocol, and whether they are received depends on whether they make it to the destination (remember, UDP is an unreliable, best-effort service) and whether the manager is listening.

The information on the agent is stored in what is called a Management Information Base (MIB). This is a hierarchical data structure (not, as it is often mistakenly called, a database) that describes all the "objects" that a device can report the status of and, in some cases, set the value of.

=== Direct Router and Server monitoring with SNMP ===

SNMP provides a method of managing network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally located computer running network management software. SNMP performs management services by using a distributed architecture of management systems and agents.

[[Image:snmpipnetwork2.png]]

The monitored device(s) must be equipped with SNMP, SNMP must be enabled on the device, and the machine running PRTG must be allowed access to the SNMP interface. The most common usage is monitoring the bandwidth usage of leased lines, routers and firewalls, but you can also monitor the usage of servers, managed switches or printers.

=== Monitoring Microsoft Windows ===

In order to monitor Windows servers/workstations the SNMP Service has to be running; if it is not installed, you have to install it.

# Open the Windows Components wizard.
# In Components, click Management and Monitoring Tools (but do not select or clear its check box), and then click Details.
# Select the Simple Network Management Protocol check box, and click OK.
# Click Next.
To open the Windows Components wizard, click Start, point to Settings, click Control Panel, double-click Add/Remove Programs, and then click Add/Remove Windows Components. Certain Windows components require configuration before they can be used. If you installed one or more of these components but did not configure them, a list of components that need to be configured is displayed when you click Add/Remove Windows Components; to start the Windows Components wizard from that list, click Components.

You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.

SNMP starts automatically after installation. In your monitoring software, set the sample rate to at least 10 seconds.

=== Security of SNMP and Exploitation ===

SNMP is vulnerable because it is often automatically installed on many network devices with "public" as the read string and "private" as the write string. This means that systems might be installed on a network without any knowledge that SNMP is running and using these default keys.

This default installation of SNMP provides an attacker with the means to perform reconnaissance on a system and an exploit that can be used to create a denial of service. SNMP MIBs provide information such as the system name, location, contacts, and sometimes even phone numbers. This soft intelligence can be very useful in social engineering. An attacker could call an organization and use the system contact and system name to gain a password from an unsuspecting user. The telephone number for the system contact could be used to provide a dialing prefix that the attacker could use for war dialing.

SNMP information also provides a great deal of hard intelligence about the system. One MIB provides the system description that reveals the operating system that the host is using.
This can be matched against known exploits that would allow the attacker to gain further access into the SNMP host. SNMP data also provides interface descriptions, types, and other interface configuration information. This interface information can be gathered from more than one system to allow an attacker to piece together a network map of an organization showing how systems are interconnected. Some MIBs are writeable, allowing the attacker to change the system configuration and creating a denial of service opportunity. One such MIB is "ifAdminStatus". "ifAdminStatus" is set to "1" when the interface is operational and to "2" when it is down. An attacker could set "ifAdminStatus" to "2" using the SNMP set PDU, which could disconnect the host from the network, creating a denial of service.

"Public" and "private" are not the only default or easily guessable community strings in use. Some Solaris systems use "all private" by default. HP SNMP agents have been known to use "snmpd" as their default community string. A Compaq customer advisory notice stated that "Insight Manager Console using Compaq Insight Manager Version 3.00" will only use the first three characters of any community string that is used, making this agent very susceptible to a brute force SNMP attack.

To harden your security, exercise conservative use of SNMP. SNMP should not be enabled on devices that do not require it. It is better to push the information from the managed devices using SNMP traps than to poll the devices using SNMP agents. SNMP community write strings can be disabled if the network management platform only polls devices and does not change the remote devices' configuration. If SNMP is needed, the community strings should be set at their maximum length and include a combination of letters, numbers, and special characters to avoid a brute force attack.
All network devices should be scanned using an SNMP vulnerability scanner to ensure that they do not use the default community strings. SNMP access should also be limited to only the devices that require SNMP for monitoring. This can be accomplished by allowing only authorized clients to access UDP port 161. All access to UDP port 161 should be denied from external networks.
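As an added example (not code from the wiki page), the following ties the GetRequest/Response exchange of the Communication Architecture section to the default-community problem above: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 (the "system description" object) in BER, then parses the header of any raw SNMPv1/v2c datagram so a monitor watching UDP/161 traffic can flag the "public"/"private" communities and any SetRequest. The OIDs and BER tags are the standard ones; the audit rules follow the page's advice and are not taken from any product.

```python
# Added example, not from the wiki: SNMPv1 GetRequest encoder plus a header parser that flags default communities.
import struct

SYS_DESCR = "1.3.6.1.2.1.1.1.0"              # sysDescr.0, the "system description" object named above
DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults the page warns about
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest", 0xA4: "Trap"}

def tlv(tag, payload):  # BER tag-length-value; short or two-byte long-form length
    ln = bytes([len(payload)]) if len(payload) < 128 else b"\x82" + struct.pack(">H", len(payload))
    return bytes([tag]) + ln + payload

def encode_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid):  # first two arcs share one byte; the rest are base-128 with continuation bits
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def get_request(community, oid, request_id=1):  # SNMPv1 is version 0; a GET carries a NULL value
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + b"\x05\x00"))
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):  # -> (tag, value bytes, position after the value)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length: low 7 bits = number of length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_header(datagram):  # -> (version, community, pdu tag) of a raw SNMPv1/v2c datagram
    tag, body, _ = read_tlv(datagram, 0)
    vtag, vbody, p = read_tlv(body, 0)
    ctag, cbody, p = read_tlv(body, p)
    if tag != 0x30 or vtag != 0x02 or ctag != 0x04:
        raise ValueError("not an SNMP v1/v2c message")
    return int.from_bytes(vbody, "big", signed=True), cbody.decode("latin-1"), body[p]

def audit(datagram):  # what a monitor on UDP/161 traffic (e.g. datagrams lifted from a pcap) should alert on
    version, community, ptag = parse_header(datagram)
    findings = []
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{community}'")
    if ptag == 0xA3:
        findings.append("SetRequest seen: a write community is in use")
    return PDU_NAMES.get(ptag, hex(ptag)), findings
```

Feeding `audit()` the UDP payloads from a capture of your management network gives a quick inventory of which agents still answer to "public" or "private" and whether anything is still issuing writes, which is the check the hardening advice above asks for.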