What is SNMP? It is a protocol.
Its full name is Simple Network Management Protocol.
The Simple Network Management Protocol (SNMP) was first proposed by a research group of the Internet Engineering Task Force (IETF) to solve the problem of managing routers on the Internet. It can be used over IP, IPX, AppleTalk, OSI, and other transport protocols.
SNMP actually refers to a collection of network management specifications, including the protocol itself, the definition of data structures, and some related concepts.
SNMP is one of the earliest network management protocols proposed. It has been widely used and supported since its launch, especially since it was quickly adopted by hundreds of vendors, including IBM, HP, Sun, and other large companies. SNMP has become an industry standard in the network management field and is widely supported and applied; most network management systems and platforms are based on SNMP.
I. SNMP Overview
The predecessor of SNMP is the Simple Gateway Monitoring Protocol (SGMP), which was used to manage communication lines. SGMP was subsequently modified substantially, in particular by adding an SMI and MIB that comply with the Internet definitions; the improved protocol is the well-known SNMP. The goal of SNMP is to manage software and hardware platforms produced by many manufacturers on the Internet, so SNMP is strongly shaped by the Internet standard network management framework. SNMP has now reached its third version, in which its functionality has been greatly enhanced and improved.
The SNMP architecture is designed around the following four concepts and objectives: keep the software cost of the agent as low as possible; maximize the remote management function and, in order to make full use of Internet network resources, leave room in the architecture for expansion; maintain the independence of SNMP from specific computers, gateways and network transport protocols. Recent improvements added the goal of ensuring the security of the SNMP system.
In addition, SNMP provides four management operations: Get operations are used to extract specific network management information; Get-Next operations are used to traverse management information and provide powerful extraction capabilities; Set operations are used to control (modify and set) management information; Trap operations are used to report important events.
II. SNMP management and control framework and implementation
1. SNMP management and control framework
SNMP defines the relationship between a management process (manager) and a management agent. This relationship is called a community. The semantics of a community are complex, but its syntax is very simple. The software on the network management workstation (running the management process) and the network elements that use SNMP to communicate with each other for network management are called SNMP application entities. Several application entities together with SNMP form a community. Different communities are distinguished by name. Community names must comply with the hierarchical naming rules of the Internet and consist of non-reserved strings. An SNMP application entity can also join multiple communities.
An SNMP application entity operates on the management objects in the Internet management information base (MIB). The subset of management objects that an SNMP application entity is allowed to operate on is called the SNMP MIB authorization scope. Within that scope the application entity is subject to further access control restrictions on individual objects, such as read-only or read/write. In the SNMP architecture, each community is required to define its authorization scope and the access mode for each object. The files that record these definitions are called "community definition files".
SNMP packets always originate from an application entity, and each message contains the name of the community the entity belongs to. In SNMP, such packets are called "packets with an identity mark". The community name is used whenever management processes and management agents exchange management information packets. A management information report consists of the following two parts:
(1) The community name, together with some identification information about the sender (additional information), used to verify that the sender is indeed a member of the community. The community is in effect the mechanism for identity authentication between management application entities;
(2) Data, which is the information that must be exchanged between the two management application entities.
In versions earlier than version 3, SNMP implements only simple identity authentication: the receiver determines whether the sending and receiving sides are in the same community based on the community name alone, and the additional information mentioned above is not used. After verifying the identity of the management agent or management process that sent the packet, the recipient must check its access permissions. The access permission check involves the following factors:
(1) Which objects can be read, written and managed by members of the community? These read/write objects are called the "authorized objects" of the community (its authorization scope);
(2) The access mode the community defines for each object within the authorization scope: read-only or read/write;
(3) The operations (Get, Get-Next, Set and Trap) that may be performed on each management object (class) within the authorization scope;
(4) The restrictions the management information base (MIB) places on the access mode of each object (for example, the MIB can specify that certain objects can only be read but not written).
Through these predefined access modes and permissions, the management agent determines whether an access (operation) on a management object requested by another member of the community is allowed. The community concept also applies to proxy agents, except that the objects a proxy holds mainly describe other devices.
2. SNMP implementation method
To provide a means of traversing the management information base, SNMP uses a tree naming method in its MIB to name each management object instance. The name of each object instance is composed of an object class name and a suffix. Object class names are unique, so there is little danger of duplicate names between object instances of different object classes.
In the definition of a community, it is generally necessary to specify the scope of management objects the community is authorized for, and correspondingly which object instances fall under the community's "jurisdiction". The definition of a community can therefore be pictured as a multi-way tree, which provides a way to traverse all management object instances in lexicographic order. With this method, SNMP can use the get-next operator to locate the next object from a given object in sequence. The result of a get-next(object-instance) operation is the identifier of the object instance that follows the specified object-instance in the tree above, together with its related information. The advantage of this method is that even if the specific name of a management object instance is not known, the management system can still find it one by one and extract its information. Traversing all management objects can start with the first object instance (which must be supplied), then repeat get-next one step at a time until an error is returned (indicating that there are no more management object instances), which completes the traversal.
Because the information is stored in the form of tables (a data structure), in the management model of SNMP all tables are treated as subtrees, where the table (and its name) is the root node of the corresponding subtree. Each column is a child node under the root, and each row in a column is a child node under the column node and a leaf node of the subtree, as shown in the figure. Following the subtree traversal idea above, traversing a table means first accessing all elements of the first column, then all elements of the second column, and so on, until the last element. Attempting to get the "next" element after the last element returns an error mark.
(Figure: SNMP tree table structure)
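As an added example (not code from the article), the following Python model shows the get-next traversal just described: an agent holding a constructed MIB as a lexicographically sorted set of object instances, a get-next that returns the next instance and fails with noSuchName after the last one, and a walk that traverses a table column by column. The Agent class, the NoSuchName exception name and the two-row ifTable sample are assumptions of this example; the ifTable and sysDescr OIDs are the standard MIB-II ones.

```python
import bisect

class NoSuchName(Exception):
    """An SNMPv1 agent answers get-next past its last instance with a noSuchName error."""

class Agent:
    """Hypothetical agent whose MIB is a dict {oid_tuple: value} (constructed data)."""
    def __init__(self, instances):
        # Sorting the OID tuples yields the multi-way tree in lexicographic,
        # depth-first order, which is exactly the order get-next walks.
        self.oids = sorted(instances)
        self.values = dict(instances)

    def get(self, oid):
        if oid not in self.values:
            raise NoSuchName(oid)
        return self.values[oid]

    def get_next(self, oid):
        """Return (next_oid, value) for the first instance strictly after `oid`.
        `oid` itself need not exist: a table or column OID is a legal start point."""
        i = bisect.bisect_right(self.oids, oid)
        if i == len(self.oids):
            raise NoSuchName(oid)          # nothing follows the last instance
        return self.oids[i], self.values[self.oids[i]]

def walk(agent, root):
    """Traverse every instance under `root` by repeated get-next, stopping on the
    noSuchName error or as soon as the answer lies outside the subtree."""
    found, cur = [], root
    while True:
        try:
            cur, val = agent.get_next(cur)
        except NoSuchName:
            break
        if cur[:len(root)] != root:
            break
        found.append((cur, val))
    return found

# Constructed MIB: sysDescr.0 plus a two-row ifTable with the ifIndex and ifDescr
# columns (1.3.6.1.2.1.2.2.1.1 and .2). Instance OID = column OID + row index.
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "constructed-router",        # sysDescr.0
    IF_ENTRY + (1, 1): 1,      IF_ENTRY + (1, 2): 2,          # ifIndex rows 1, 2
    IF_ENTRY + (2, 1): "eth0", IF_ENTRY + (2, 2): "eth1",     # ifDescr rows 1, 2
}

if __name__ == "__main__":
    agent = Agent(MIB)
    # Column-major order: all of ifIndex first, then all of ifDescr.
    for oid, value in walk(agent, IF_ENTRY):
        print(".".join(map(str, oid)), value)
```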
In SNMP, most management information is stored in tables. A table corresponds to an object class, and each element corresponds to an object instance of that class. Operations on a single element (object instance) in a management information table can therefore use the get-next method, or the get/set methods described later. The following describes operations on a whole row of a table.
(1) Adding a row: a row can be added to a table with a single set operation in SNMP. Each variable in the operation corresponds to one column element of the row being added, including the object instance identifier. If a table has eight columns, the set operation must supply eight operands, one for each column element.
(2) Deleting a row: a set operation is also used to delete a row, which is simpler than adding one. To delete a row, you only need a set operation that sets any element (object instance) of the row to "invalid". There is one exception: the address translation group has a special table (the address translation table) that does not define an "invalid" state for its elements. In SNMP the address in that table is therefore set to an empty string, and the empty string is treated as an illegal element.
When a row is deleted, whether the row's elements actually disappear from the table depends on the specific implementation of each device (management agent). In network management operations, the management process may therefore obtain "invalid" data from the management agent, that is, the contents of deleted elements that are no longer in use, so the management process must be able to judge the validity of data from the content of each data field.
III. Background Knowledge
In the early 1990s, SNMP was developed to simplify device management and data acquisition in large networks. Many network-related software packages, such as HP's OpenView and Nortel Networks' Optivity network management systems, as well as free software such as the Multi Router Traffic Grapher (MRTG), use SNMP to simplify network management and maintenance.
Because SNMP works very well, network hardware vendors began to add SNMP to every device they made. Today SNMP is enabled by default on all kinds of network devices, from switches to routers and from firewalls to network printers, without exception.
The problem is that the SNMP installed by many vendors uses default community strings (which act as passwords). These community strings are essential for obtaining device information and modifying configurations. The advantage of a default community string is that software on the network can access the device directly without complicated configuration.
The community string gives access to two main types of commands: the GET command and the SET command. The GET command reads data from a device, usually operating parameters such as connection status and interface names. The SET command sets certain parameters of a device. This type of function is generally restricted, because it can be used, for example, to shut down part of a device or to maliciously modify network parameters.
The most common default community strings are public (read-only) and private (read/write). In addition there are many vendor-specific default community strings. Some form of default community string can be found on almost all network devices running SNMP.
The security mechanisms of SNMP 2.0 and SNMP 1.0 are weak, and communication is not encrypted: all community strings and data are sent in plaintext. Once attackers capture network traffic, they can use any sniffer tool to read the community string directly, even if the user has changed it from the default value.
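As an added illustration (not code from the article), the following Python decoder reads the version and community string from the BER header of v1/v2c datagrams and flags the two default strings named above, the kind of check a network monitor can run on its own capture to find devices that still answer to public or private. The sample datagrams are constructed for this example, and the classification labels are this example's own.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # the two defaults named in the text

def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short and long definite lengths; SNMP never uses the indefinite form."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(datagram):
    """Return {'version': ..., 'community': ...} for one SNMP message.
    In v1 (version 0) and v2c (version 1) the community is a plaintext OCTET
    STRING right after the version INTEGER; a v3 message carries no community."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):
        return {"version": f"v{version}", "community": None}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {"version": "v1" if version == 0 else "v2c",
            "community": community.decode("latin-1")}

def audit(datagram):
    """Classify a captured datagram for alerting (labels are this example's own)."""
    hdr = parse_header(datagram)
    if hdr["community"] is None:
        return "no-cleartext-community"
    if hdr["community"] in DEFAULT_COMMUNITIES:
        return "default-community"
    return "cleartext-community"

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0),
# community "public", request-id 1, as it would appear on the wire.
GETREQ_V1_PUBLIC = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# The same request as v2c with a non-default community "n3tmgmt" (constructed).
GETREQ_V2C_CUSTOM = bytes.fromhex(
    "30 27 02 01 01 04 07 6e 33 74 6d 67 6d 74 a0 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# Constructed SNMPv3 message cut after its version field: enough to show that
# the decoder finds no cleartext community there.
V3_HEADER_ONLY = bytes.fromhex("30 03 02 01 03")

if __name__ == "__main__":
    for pkt in (GETREQ_V1_PUBLIC, GETREQ_V2C_CUSTOM, V3_HEADER_ONLY):
        print(parse_header(pkt), audit(pkt))
```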
SNMP 3.0 has solved some of these problems in recent years. To protect community strings, SNMP 3.0 uses the DES (Data Encryption Standard) algorithm; in addition, SNMP 3.0 can use MD5 and SHA (Secure Hash Algorithm) to verify node identities, preventing attackers from impersonating a management node to operate the network. For more information about SNMP 3.0, see http://www.ietf.org/rfc/rfc2570.txt.
Although SNMP 3.0 has been around for a while, it is not yet widely used. If a device is a product of two or three years ago, it very likely does not support SNMP 3.0 at all, and even some newer devices support only SNMP 2.0 or SNMP 1.0.
Even when a device supports SNMP 3.0, many vendors still ship standard community strings, which are no secret to hacker groups. So although SNMP 3.0 provides more security features than earlier versions, its actual effect is still limited if it is improperly configured.
IV. Disable SNMP
To avoid the security risks of the SNMP service, the most thorough method is to disable SNMP. If you do not use SNMP to manage the network, there is no need to run it. If you do not know whether SNMP needs to run, you probably do not need it. Even if you plan to use SNMP later, disable it as long as it is not in use, and enable it only when you actually need it.
The following describes how to disable the SNMP service on common platforms.
■ Windows XP and Windows 2000
In Windows XP and Windows 2000, right-click My Computer and choose "Manage". Expand "Services and Applications" and then "Services", select the SNMP service from the service list, and stop the service. Then open the "Properties" dialog box of the service and set the startup type to "Disabled". (By Microsoft's default settings, the SNMP service is not installed in Windows 2000/XP, but many software packages install it automatically.)
■ Windows NT 4.0
Select Start > Settings, open the Services control panel, select the SNMP service in the service list, stop the service, and set the startup type to Disabled.
■ Windows 9x
Open the Network control panel, select "Microsoft SNMP agent" from the list of installed components on the "Configuration" tab, and click "Remove". Check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry keys to confirm that snmp.exe is not listed.
■ Cisco Systems hardware
For Cisco network hardware, run the "no snmp-server" command to disable the SNMP service. To check whether SNMP is disabled, run the "show snmp" command. These commands apply only to platforms running Cisco IOS; for non-IOS Cisco devices, consult the documentation shipped with the device.
■ HP hardware
For all HP network devices that use a JetDirect card (most HP network printers do), use Telnet to connect to the IP address of the JetDirect card and then execute the following commands:
snmp-config: 0
quit
These commands disable the SNMP service of the device. Note, however, that disabling SNMP affects service discovery and the port monitoring mechanism that uses SNMP to obtain device status.
■ Red Hat Linux
On Red Hat Linux, you can use linuxconf to delete the SNMP entry from the list of automatically started services, or directly delete the lines that start SNMP from the /etc/services file. For other Linux systems the procedure should be similar.
V. Ensuring SNMP security
If some devices really must run SNMP, the security of those devices has to be ensured. The first thing to do is to determine which devices are running the SNMP service. Unless the entire network is port-scanned regularly so that the services running on every machine and device are fully known, one or two SNMP services are likely to be overlooked. Note that devices such as network switches and printers also run the SNMP service. Once the running SNMP services are known, take the following measures to secure them.
■ Load SNMP service patches
Install the patches for the SNMP service and upgrade it to version 2.0 or later. Contact the device manufacturer to learn about security vulnerabilities and patch updates.
■ Protect SNMP community strings
An important protective measure is to change all default community strings. Following the device documentation, check and change every standard and non-standard community string one by one, without omitting any. If necessary, contact the manufacturer for detailed instructions.
■ Filter SNMP
Another protective measure is to filter SNMP traffic and requests at the network border, that is, to block the ports used by SNMP requests on the firewall or router. Standard SNMP services use ports 161 and 162; vendor-proprietary implementations generally use ports 199, 391, 705 and 1993. Once these ports are blocked, the ability of the external network to reach internal SNMP services is limited. In addition, an ACL should be written on the routers of the internal network so that only specific, trusted SNMP management systems are allowed to perform SNMP operations. For example, the following ACL allows SNMP traffic only from (or to) the SNMP management system and blocks all other SNMP traffic on the network:
access-list 100 permit ip host w.x.y any
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
access-list 100 permit ip any any
The first line of this ACL defines the trusted management system (w.x.y stands for its address). Use the following commands to apply the ACL to every network interface, shown here for serial 0:
interface serial 0
ip access-group 100 in
In short, the invention of SNMP represents a major improvement in network management, and it remains a powerful tool for efficiently managing large networks. However, earlier versions of SNMP are inherently insecure, and even the latest version has problems. Like any other service running on the network, the security of the SNMP service cannot be ignored. Do not blindly assume that SNMP is not running on the network; it may be hiding on some device. The network services that are truly essential already have too many worrying security issues, so it is best to disable services that are not necessary, such as SNMP, or at least to secure them.