This research paper covers the Simple Network Management Protocol (SNMP), its three versions, and the advantages and drawbacks of each. I discuss the three versions of SNMP and their features, followed by a brief discussion of how SNMP is used to manage a network and of its precursors. The basic message types used by SNMP (Get, GetNext, GetResponse, Set, and Trap or Notify) are discussed in detail. SNMPv2 was developed to overcome the drawbacks of SNMPv1; its protocol is discussed, followed by SNMPv3. SNMPv3 is the latest version and improves upon both SNMPv1 and v2 by adding significantly to security.
The Simple Network Management Protocol (SNMP) is the standard operations and maintenance protocol for the Internet. SNMP-based management not only produces management solutions for systems, applications, complex devices, and environmental control systems, but also provides the Internet management solutions supporting Web services. SNMPv3, the most recent standard approved by the Internet Engineering Task Force (IETF), adds security capabilities (like encryption).
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
Need of SNMP
Because there is a wide variety of network elements that an NMS has to work with, a common protocol for managing these devices is essential. For example, a network may consist of a mix of Windows and Linux servers, routers from Cisco and other vendors, and so on. Network management protocols provide a standardized method for storing and accessing network management information.
Precursors of SNMP
Some of the precursors to the current network management protocols are
Simple Gateway Monitoring Protocol (SGMP),
High-Level Entity Management Systems (HEMS) and
Common Management Information Protocol (CMIP).
SNMP Basic Message Types
SNMP is based on the manager-agent model, where the manager and agent communicate with each other through five basic message types:
1) Get
2) GetNext
3) GetResponse
4) Set
5) Trap or Notify
Even though there may be slight variations in the names of the messages (for example, in some literature Trap is specified as Notify), the basic messages and their functionality remains essentially the same.
The Get message allows the manager to get information for a specific variable. The MIB table stores the information that the manager needs.
Once the information from the managed device is received, if the manager needs to read the next record, the GetNext message is used.
For either the Get or the GetNext, the agent responds with the GetResponse.
If the manager wants to request a change to be made for a specific variable, it uses a Set message. Once the change has been made, the agent responds with a GetResponse message if the change has been successfully made. If the change has not been successfully made, then an error indication is sent.
A Trap is used when the agent sends unsolicited information to the management station. This happens when an action is needed from the network manager. For example, if a network element is on the verge of going down, the agent on the network element may send a Trap message.
SNMP Basic Components
An SNMP managed network consists of three key components: managed devices, agents, and network management systems (NMSs).
Managed Devices
A managed device is a piece of network equipment (including its software) that resides on a managed network. A managed device might be a host, router, bridge, hub, printer or modem. A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches, bridges, hubs, computer hosts, or printers. Within a managed device there may be several so-called managed objects. These managed objects are the actual pieces of hardware within the managed device (for example, a network interface card) and the sets of configuration parameters for the pieces of hardware and software (for example, an intra-domain routing protocol such as RIP).
Agents
An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. The Network Management Agent (NMA) is a resident process in each managed device. The NMA is a process running in the managed device that communicates with the managing entity, taking local actions at the managed device under the command and control of the managing entity.
Network-Management Systems (NMSs)
A Network Management System (NMS) is a combination of hardware and software used to monitor and administer a network. NMS executes applications that monitor and control managed devices.
Drawbacks of SNMPv1
In spite of being widely used, SNMPv1 has some serious shortcomings in security and data handling, which are discussed below.
1) SNMP uses clear text (not encrypted) for sending the community string. The community string is the "password" for communication between the manager and the agent. Because the community string is in plaintext, it can be easily intercepted and security may be compromised.
2) SNMP works only on IP networks. With the emergence of IP as the dominant protocol on the Internet, this may not be a serious problem; however, there may be other types of networks (like Novell's IPX/SPX) that may need monitoring and SNMP will not work on those networks.
3) SNMP is inefficient when it has to retrieve a large dataset.
4) SNMP is based on UDP. Because UDP is connectionless, it does not acknowledge that messages have been received. In critical situations, this may be problematic for network administrators where they want to be absolutely sure that critical messages have in fact been delivered.
5) SNMP does not support manager-to-manager communications. Therefore, one manager does not know about the devices managed by another manager. This may become problematic where a distributed network management scheme is deployed.
SNMP Version 2 (SNMPv2) is an evolution of the initial version SNMPv1. Originally, SNMP v2 was published as a set of proposed Internet standards in 1993; currently, it is a Draft Standard. As with SNMPv1, SNMPv2 functions within the specifications of the Structure of Management Information (SMI). In theory, SNMP v2 offers a number of improvements to SNMPv1 including additional protocol operations.
SNMP v2 was developed to take care of these issues.
These enhancements include:
Improved Structure of Management Information (SMI)
Support for New MIB (Mgmt. Info. Base) objects
Support for multiprotocol networks
Enhancement of the SMI includes adding newer data types.
For example, the maximum size of the integers that SNMP can deal with is 2^32 - 1.
SNMP v2 still supports integers of this size but also raises the maximum size of the integers it can support to 2^64 - 1.
Increasing the size of the integers allows the devices to hold much larger values, even though a larger memory may be needed. It also differentiates between signed and unsigned integers.
SNMP v2 supports all five message types of SNMP (Get, GetNext, etc.), but also adds two new message types:
GetBulkRequest allows the retrieval of a large set of data in a single request, something that SNMP could not do. This reduces the time for data retrieval significantly. If the data set is too large to be sent in a single go, then the agent will send as much data as possible. The manager then needs to make another request for the remaining data.
InformRequest is used for manager-to-manager communication. One manager can send information to another manager. This allows hierarchical or distributed systems to communicate with each other.
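The GetNext walk and GetBulk pagination described in the message-type sections above, as an added example that is not code from the paper: a toy agent holding a constructed MIB (OIDs as tuples of integers) and two manager-side walkers that count how many round trips each approach needs.

```python
# Constructed toy agent and manager (added here; not code from the paper). OIDs are
# int tuples; the MIB below is a made-up sample, not data from a real device.
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 123456,        # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "eth0",  # ifDescr.1 .. ifDescr.3
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth1",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 3): "lo",
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 1): 1,       # ifOperStatus.1 .. 3 (1 = up, 2 = down)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 2): 2,
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 3): 1,
}
IF_TABLE = (1, 3, 6, 1, 2, 1, 2, 2)


class Agent:
    def __init__(self, mib):
        self.mib = dict(mib)

    def get_next(self, oid):
        """GetNext: smallest OID lexicographically greater than oid, or endOfMibView."""
        later = [o for o in sorted(self.mib) if o > oid]
        return (later[0], self.mib[later[0]]) if later else (None, "endOfMibView")

    def get_bulk(self, oid, max_repetitions):
        """SNMPv2 GetBulk (non-repeaters = 0): up to max_repetitions successors per reply.
        When the data runs out, the agent returns as much as it has."""
        rows = []
        for _ in range(max_repetitions):
            oid, value = self.get_next(oid)
            if oid is None:
                break
            rows.append((oid, value))
        return rows


def walk_getnext(agent, subtree):
    """SNMPv1-style table walk: one request per object instance, plus one to detect the end."""
    rows, oid, requests = [], subtree, 0
    while True:
        oid, value = agent.get_next(oid)
        requests += 1
        if oid is None or oid[:len(subtree)] != subtree:
            return rows, requests
        rows.append((oid, value))


def walk_getbulk(agent, subtree, max_repetitions=4):
    """Manager-side pagination: re-request from the last OID until the subtree ends."""
    rows, oid, requests = [], subtree, 0
    while True:
        chunk = agent.get_bulk(oid, max_repetitions)
        requests += 1
        for oid, value in chunk:
            if oid[:len(subtree)] != subtree:
                return rows, requests
            rows.append((oid, value))
        if len(chunk) < max_repetitions:  # short reply: the agent has no more data
            return rows, requests
```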
SNMP works only on the IP protocol stack, which makes it non-functional on other networks. SNMP v2 is designed to work on IP, AppleTalk, Novell IPX and the OSI Connectionless Network Service (CLNS), and it works in exactly the same way over all of these protocols. While the ability to work with multiple protocols is useful, particularly if legacy systems are present, its importance may be diminishing because of the pervasiveness of IP based networks. The security of SNMP v2 is based on Secure SNMP (S-SNMP).
SNMP v2 provides both authentication and encryption. Authentication, in the form of community strings, is provided in SNMP, but encryption is not. SNMP v2 uses a more secure method of authentication called the digest authentication protocol, which authenticates a message's origin and the integrity of the received message. To achieve this, the MD5 (message digest 5) algorithm is used.
SNMP v3 improves upon both SNMP v1 and v2 by adding significantly to security. For example, in SNMP v1 and v2 no security was available for Set messages. SNMP v3 is also compatible with SNMP v1 and SNMP v2. SNMP v3 has a modular design, which means it is not made up of a single structure but of various components that are integrated with one another. The primary advantage of this is that if network managers need to implement only part of SNMPv3, they can do so without having to implement the entire SNMPv3 architecture.
The building block of SNMPv3 architecture is the SNMP entity. Each entity, in turn is a collection of modules that provide services and interact with each other. Each entity can act as a manager or an agent or both. The SNMP entity has two components, the SNMP Engine and Application(s) and is identified by the SNMP Engine ID. The applications work with the functions of the SNMP engine. The modules that make up SNMP entities communicate with each other through the abstract services interface.
The abstract services interface has two components: primitives and parameters. A primitive specifies the particular function to be performed, while a parameter is used for passing data and control information. The command generator initiates the SNMP commands (Get, GetNext, etc.) and processes the responses that are received as a result of those commands. The command responder processes the get and set requests that come from a legitimate entity.
After processing the request, it prepares a get-response message and sends it to the remote entity that made the request. The notification receiver listens for notification messages and generates a response when a message containing an Inform PDU is received. It registers with the SNMP engine to receive these messages. The notification originator generates an inform message or a trap. It also needs to determine where to send the message, which version of SNMP to use and what security parameters will have to be used. The proxy forwarder has a role similar to that of a proxy server. The proxy forwarder handles messages generated by the command generator, command responder, notification generator and report indicator.
Within the components of the SNMP Engine, the dispatcher allows multiple versions of SNMP messages to be handled concurrently. It has three functions. It sends messages to and receives messages from the network. It determines the version of the message, finds the corresponding message processing model and interacts with it. Finally, it provides an abstract services interface to SNMP applications so that an incoming PDU is delivered to a local application and a PDU from a local application is delivered to a remote entity.
The SNMP message processing subsystem prepares messages for sending and extracts data from the messages received. It works with the dispatcher for handling version specific SNMP messages. The security subsystem is used for authentication and privacy protection. This may contain multiple security models. The access control subsystem provides authorization services so that applications can check access rights. This can be done for data retrieval, modification or for generating notifications.
While many new MIB specifications have been given for SNMPv3, only the nodes under the SNMP modules are discussed here. This group includes seven new MIB groups. The basic SNMP management architecture is given in the SNMP Framework MIB. The SNMP MIB is used for the message processing and dispatching subsystems. The snmpModules for applications has three groups: the target MIB, the notification MIB and the proxy MIB.
As mentioned previously, one reason why SNMPv3 was developed is security. SNMPv3 addresses four types of network security issues. These are modification of information, masquerade, modification of the message stream and disclosure. In modification of information, an unauthorized user might change the data contents themselves. The receiving end is unaware that the data has been altered. Modification does not alter the sender's or receiver's address. In masquerade, an unauthorized user sends information pretending to be an authorized user. The sender's address in this case can be changed. If someone combines masquerade and modification, then an altered message might be delivered and it would seem that the message has come from an authorized source. Since SNMP uses UDP, which is a connectionless service, the packets comprising a message could take different paths. These packets can arrive out of order and will have to be put back in order.
The intruder can reorder the message stream, thereby changing the order of the packets and the meaning of the message. Disclosure refers to the fact that the message may not be altered, but someone may eavesdrop and decipher the contents of the messages between the manager and an agent. SNMPv3 provides protection against these four types of security attacks. It does not protect against denial of service attacks or against traffic analysis performed by an unauthorized party.
To protect against the four types of attacks mentioned, SNMPv3 has adopted the User-based Security Model (USM). It serves two primary purposes: the first is to authenticate a message and the second is to encrypt it. The purpose of authentication is to make sure that the message source is genuine, and the purpose of encryption is to make sure that the contents of the data are protected. The authentication service has two primitives defined, one for the generation of authenticated outgoing messages and the other to validate an authenticated incoming message. Similarly, two primitives are defined for encryption, one to encrypt outgoing messages and the other to decrypt incoming messages.
Authentication is done with either the MD5 or the SHA-1 hash function. SNMPv3 provides timeliness checking, thereby protecting against message delay or replay. To protect against disclosure of the message it uses DES encryption in cipher block chaining (CBC) mode. A specific message format is also defined that supports authentication, timeliness and privacy, and procedures are laid out that one SNMP engine can use to obtain information from another SNMP engine. Procedures for the generation, update and use of keys are also laid out.
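The USM mechanisms just described (password-to-key derivation, key localization to an engine ID, the 96-bit HMAC authentication tag, and the timeliness window), as an added example that is not code from the paper. It follows the RFC 3414 procedures; the sample password and engine ID are the ones RFC 3414 uses in its worked examples, while the message bytes are an invented placeholder rather than real BER encoding.

```python
# Added example (not from the paper): RFC 3414 key derivation, HMAC-96 authentication
# and the timeliness check, with constructed sample inputs.
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 A.2 hashes exactly this many octets of the repeated password
TIME_WINDOW = 150        # seconds; RFC 3414 section 2.2.3
AUTH_TAG_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-96 truncate the HMAC to 96 bits


def password_to_key(password, hashfn=hashlib.md5):
    """Ku: digest of the password repeated cyclically to exactly 1,048,576 octets."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashfn(stream).digest()


def localize_key(ku, engine_id, hashfn=hashlib.md5):
    """Kul = H(Ku || snmpEngineID || Ku): a different key for every authoritative engine,
    so a key recovered from one agent does not authenticate to another."""
    return hashfn(ku + engine_id + ku).digest()


def auth_tag(message, kul, hashfn):
    """msgAuthenticationParameters: first 12 octets of the HMAC over the whole message,
    computed with the parameters field itself holding 12 zero octets."""
    return hmac.new(kul, message, hashfn).digest()[:AUTH_TAG_LEN]


def verify_incoming(message_with_zeroed_tag, received_tag, kul, hashfn=hashlib.sha1):
    """Receiver zeroes the parameters field, recomputes the HMAC and compares in constant time."""
    return hmac.compare_digest(auth_tag(message_with_zeroed_tag, kul, hashfn), received_tag)


def is_timely(msg_boots, msg_time, engine_boots, engine_time):
    """Authoritative-engine check (RFC 3414 section 3.2, step 7): same boot count and the
    message time within 150 s of the engine's own clock; otherwise treated as delayed or replayed."""
    if engine_boots == 2**31 - 1:        # boot counter exhausted: the engine refuses all traffic
        return False
    return msg_boots == engine_boots and abs(msg_time - engine_time) <= TIME_WINDOW


# Constructed demonstration values: password and engine ID as in RFC 3414 A.3;
# SAMPLE_MSG is an invented placeholder with the 12-octet zeroed tag field in the middle.
ENGINE_ID = bytes.fromhex("000000000000000000000002")
KUL_MD5 = localize_key(password_to_key("maplesyrup"), ENGINE_ID)
KUL_SHA = localize_key(password_to_key("maplesyrup", hashlib.sha1), ENGINE_ID, hashlib.sha1)
SAMPLE_MSG = b"v3-header|" + b"\x00" * AUTH_TAG_LEN + b"|get-request sysUpTime.0"
```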
SNMPv3 also provides access control which deals with who can access the network components and what they have access to. In SNMPv1 and v2 this was done by a community based access policy. SNMPv3 provides a more secure and flexible approach to access control known as View-based Access Control model (VACM).
VACM is made up of five elements: groups, security level, contexts, MIB views and access policy. These are described below.
A group is identified by a group name. A group is defined by the combination of a security model and a security name. The security name represents a principal; the principal is a person or application requesting a service. All the elements belonging to a certain group have the same access rights.
The security level provides the level of security for the message that contains the request. For example, read access might be allowed but not write access.
An SNMP context is a collection of management information that can be accessed by an SNMP entity. Each SNMP entity can have access to more than one context.
Sometimes the access of a particular group has to be restricted to only a subset of the objects managed by the agent. A MIB view of the group defines that subset. The MIB view can be defined as a collection of subtrees, and a particular subtree can be included in or excluded from the view. A subtree is defined as a node in the MIB together with all its subordinate elements.
The access policy determines the access rights to objects. The rights can be, for example, read-view, write-view and notify-view. The get-request, get-next-request and get-bulk-request operations use the read-view. Set-request uses the write-view. The notify-view is the group of object instances authorized for notification. The access rights given depend on many factors, like the principal making the request, the security level, the security model being used, the MIB context, the object instance and the type of access requested.
The VACM MIB is where the data that VACM needs is stored. The vacmContextTable gives the locally available contexts. The vacmSecurityToGroupTable has a groupName, securityModel and securityName; the groupName gives the list of principals that operate under a security model. The vacmAccessTable is configured for defining access rights to groups. Access rights can be defined for one or more contexts, security models or security levels. The vacmAccessTable works with the vacmContextTable to determine the locally available contexts. The vacmAccessTable has two components, the vacmViewSpinLock and the vacmViewTreeFamilyTable. The spin lock is used by the SNMP command generator application for coordinating the use of set operations in creating or modifying views. The use of the spin lock is optional. The vacmViewTreeFamilyTable describes the family of subtrees available in the MIB views in the local SNMP agent for each context.
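The access decision that the VACM elements and tables above describe (group lookup, access-table match by context, model and security level, then the view check with included and excluded subtrees), as an added example that is not code from the paper. The table rows, group and view names are constructed samples; view family masks are left out, so the longest matching subtree decides.

```python
# Added example (not from the paper): a minimal model of the VACM tables and the
# isAccessAllowed decision. All table rows are constructed samples.
CONTEXTS = {""}                                   # vacmContextTable: only the default context

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {("usm", "monitor"): "readers", ("usm", "netops"): "operators"}

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# vacmAccessTable: (groupName, contextPrefix, securityModel, securityLevel)
#   -> (readView, writeView, notifyView); "" means no view of that kind is granted
ACCESS = {
    ("readers", "", "usm", "authNoPriv"): ("sys_and_if", "", "sys_and_if"),
    ("operators", "", "usm", "authPriv"): ("all", "if_admin", "all"),
}

# vacmViewTreeFamilyTable: viewName -> [(subtree, included)]; the longest matching
# subtree decides, so an included subtree can have an excluded branch carved out of it
VIEWS = {
    "all": [((1, 3, 6, 1), True)],
    "sys_and_if": [((1, 3, 6, 1, 2, 1, 1), True), ((1, 3, 6, 1, 2, 1, 2), True),
                   ((1, 3, 6, 1, 2, 1, 2, 2, 1, 7), False)],   # hide ifAdminStatus
    "if_admin": [((1, 3, 6, 1, 2, 1, 2, 2, 1, 7), True)],
}
VIEW_INDEX = {"read": 0, "write": 1, "notify": 2}


def in_view(view_name, oid):
    """True if the longest view family matching oid is an 'included' one."""
    best = None
    for subtree, included in VIEWS.get(view_name, []):
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


def is_access_allowed(security_model, security_name, security_level, view_type, context, oid):
    """RFC 3415 isAccessAllowed: returns 'accessAllowed' or the reason for refusal."""
    if context not in CONTEXTS:
        return "noSuchContext"
    group = SECURITY_TO_GROUP.get((security_model, security_name))
    if group is None:
        return "noGroupName"
    # an access row applies if its group and model match, its context prefix matches,
    # and its security level is no higher than the level the request arrived with
    rows = [(key, views) for key, views in ACCESS.items()
            if key[0] == group and key[2] == security_model
            and context.startswith(key[1]) and LEVELS[key[3]] <= LEVELS[security_level]]
    if not rows:
        return "noAccessEntry"
    # among several candidates prefer the longest context prefix, then the highest level
    _, views = max(rows, key=lambda row: (len(row[0][1]), LEVELS[row[0][3]]))
    view_name = views[VIEW_INDEX[view_type]]
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(view_name, oid) else "notInView"
```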
Currently, three versions of SNMP are defined; an overview of the operations and features of SNMP v1, SNMP v2 and SNMP v3 is given below.
SNMP v1 covers the Basic Operations and Features
Get - The Get message is used by the NMS to retrieve the value of one or more object instances from an agent.
GetNext - The GetNext message is used by the NMS to retrieve the value of the next object instance in a table or a list within an agent.
Set - The Set message is used by the NMS to set the values of object instances within an agent.
Trap - The Trap message is used by agents to asynchronously inform the NMS of a significant event.
SNMP v2 covers Additional Operations and Features
GetBulk - GetBulk is used by the NMS to efficiently retrieve large blocks of data.
Inform - Inform allows one NMS to send trap information to another NMS and then receive a response.
SNMP v3 covers the Security Enhancement
User-based Security Model (USM) for SNMP message security.
View-based Access Control Model (VACM) for access control.
Dynamically configure the SNMP agents using SNMP SET commands.