ABSTRACT
With the growth of the computer networks used in organizations, there is a need for a way to manage and monitor them, and more and more companies develop applications to sustain their networks. The different types of traffic traversing a network need to be monitored. The SNMP management console is one of the Network Instruments applications that bring cross-platform SNMP standards to Observer. Network administrators and consultants will find SNMP management tools important in the monitoring, diagnosis and repair of networks, and network monitoring helps to sustain service delivery. Many tools are used for network analysis and monitoring. This paper evaluates four recently published papers and how their developments can be applied to the Simple Network Management Protocol (SNMP) in monitoring a network: multiple attack detection using SNMP, the security brought to SNMPv3, a WBEM-enabled solution for non-homogeneous networks, and the SNMP MIB browser.
It also gives an overview of how SNMP Observer is interfaced to monitor networks through the SNMP protocol.
INTRODUCTION
SNMP is built on three concepts: the management information base (MIB), managers and agents. At least one manager node in every configuration should run SNMP management software. In order to manage network devices such as bridges, servers, workstations and routers, agent software modules on each device are responsible for access to the MIB objects that reflect the activity and resources of that individual node. For instance, an object that keeps a count of the packets sent and received over a link into the node tells the manager the load at that point of the network. Likewise, an object can give the state of a link, and the manager can enable or disable the link by setting the corresponding value of the object. A managed network therefore consists of SNMP-capable devices and network-management stations; SNMP has managers and agents.
A manager is a server that runs software that can be used to manage a network. Managers are commonly referred to as network management stations (NMSs). The tasks that an NMS undertakes are polling agents and receiving traps from agents in the network. A poll is the procedure of querying an agent for some information; an agent can be a hub, router, UNIX server or switch. The information can later be used to determine whether an event has taken place. Traps are sent asynchronously by the agent, without any query from the NMS. The NMS is responsible for reacting to the information it gets from the agent. An example is when a T1 line to the internet goes down: the router can send a trap to the NMS.
An agent is software that runs on the network devices that are being managed. This software can be a separate program, like a daemon on UNIX, or it can be incorporated into the operating system, as in the low-level operating systems of Cisco routers. Most IP devices built today come with some SNMP capability integrated in the firmware, which makes the work of many system administrators simpler. The agent gives management information to the NMS by keeping track of the way the device operates and relaying this information to the NMS. For example, the agent on a router tracks the status of the router's interfaces and reports which interface is up, which is down, and which is receiving or sending data; the monitoring thus takes place on the router's interfaces. The NMS can query which interfaces are up and which are down, and take the needed action if one of them is down. If the agent notices that something bad has taken place, it sends a trap, targeted at the NMS, and appropriate action can be taken. When there is a transition from a bad state back to a good state, some devices send an "all clear" signal. This is useful for knowing whether the problem was resolved and avoids spending more time on a problem that has already cleared.
MULTIPLE ATTACK DETECTION USING SNMP
In this journal, the SNMP protocol gives the devices in a network the ability to relay internal information to a managing entity, which collects and analyzes it in order to reach informed decisions about network management. The role of the managing entity is to monitor the variables in use and make changes where necessary. This gives administrators the luxury of not having to manage and maintain the systems physically. The first version of SNMP used clear-text community strings for identification. The default community string "public" gave SNMPv1 read access to the information stored by devices, while "private" allowed both read and write access. The clear-text mechanism therefore exposed SNMP devices to dictionary attacks, for example with the tool onesixtyone, which guesses community strings against the SNMP hosts on a network. Other tools such as snmpwalk issue legitimate requests to an SNMP host, traversing the remote host's MIB tree with GetNext requests and retrieving every object the host exposes. Without analytical and monitoring tools such as Observer, such SNMP signals and traffic on the network would go unobserved.
For instance, SNMP-PAMP-1 is a signal of a possible intrusion such as a dictionary attack. (In this literature PAMP is borrowed from an immune-system analogy: a pathogen-associated molecular pattern is a signal that indicates clear danger to the organism, and the same idea is applied here to the managed system.) SNMP-PAMP-1 is based on the authentication failures received by the management entity. When an SNMP dictionary attack is run using a file of commonly used community strings, the number of authentication failures exhibited equals the number of incorrect community strings sent. A maximum of 15 authentication failures per second is set as the threshold.
Fig.1 Data on PAMP 1
SNMP-PAMP-2 is based on the ICMP destination unreachable (DU) errors that are generated at the beginning of an attack. Just as with a TCP SYN scan (a scan used by attackers to find the open TCP ports of a remote host before launching attacks), the scan that precedes an SNMP dictionary attack produces this signal. When a remote host running SNMP is attacked, a large number of destination unreachable errors is created, and this is the basis of the SNMP-PAMP-2 category. SNMP-DS-1 refers to the number of outgoing community strings per second and is more reliable than SNMP-PAMP-1 because it uses the outgoing traffic rather than the responses of the host. SNMP-SS-1 is based on the request-response exchange: a request packet is delivered to the remote SNMP device and should be followed by a RESPONSE message, and each response carries a request ID identical to that of the request it answers. The request ID makes it possible to track the request-response status. Where no response packet arrives, the request may have been lost in the network, the remote device may be non-functional, or the request may have been a probe or some other unintended packet.
Fig.2 PAMP2 Data displayed on SNMP.
SNMP-SS-2 presents a different scenario and is based on the number of times the same object is requested in a second. During an attack, the attacker repeatedly asks for an object that every SNMP agent must make available, such as the system description object (sysDescr), so each guessed community string produces another request for the same object. This signal is important for management entities and system administrators, since legitimate GET polling of a variable requests it at a regular interval rather than many times in one second.
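The five signals above, computed over a constructed event stream as an added example (this is not code from the paper under review or from Observer): an NMS polling one agent, followed by a sweep that draws ICMP port-unreachable replies and a dictionary attack that asks for sysDescr.0 with a different wrong community string on every request. Only the PAMP-1 ceiling of 15 failures per second comes from the text; the other thresholds, the addresses and the event layout are assumptions.

```python
"""Per-second SNMP attack signals (PAMP-1, PAMP-2, DS-1, SS-1, SS-2) over constructed events."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    t: float             # seconds since capture start
    kind: str            # "request" | "response" | "authfail" | "icmp_unreach"
    src: str             # sender address
    dst: str             # receiver address
    community: str = ""  # community string carried by a request
    request_id: int = 0  # SNMP request-id, echoed in the matching response
    oid: str = ""        # object requested


# Only the PAMP-1 ceiling (15 failures/s) is stated by the paper; the others are assumed here.
THRESHOLDS = {"PAMP-1": 15, "PAMP-2": 10, "DS-1": 5, "SS-1": 10, "SS-2": 10}


def _peak(counts):
    return max(counts.values(), default=0)


def snmp_signals(events):
    """Peak per-second value of each signal over the whole event stream."""
    authfail = defaultdict(int)   # second -> authentication failures (PAMP-1)
    unreach = defaultdict(int)    # second -> ICMP destination unreachable (PAMP-2)
    out_comm = defaultdict(set)   # (second, src) -> distinct community strings sent (DS-1)
    same_oid = defaultdict(int)   # (second, src, oid) -> requests for one object (SS-2)
    pending = {}                  # (src, dst, request_id) -> request still unanswered (SS-1)
    for e in sorted(events, key=lambda ev: ev.t):
        s = int(e.t)
        if e.kind == "authfail":
            authfail[s] += 1
        elif e.kind == "icmp_unreach":
            unreach[s] += 1
        elif e.kind == "request":
            out_comm[(s, e.src)].add(e.community)
            same_oid[(s, e.src, e.oid)] += 1
            pending[(e.src, e.dst, e.request_id)] = True
        elif e.kind == "response":
            # a response flows dst -> src relative to the request it answers
            pending.pop((e.dst, e.src, e.request_id), None)
    return {
        "PAMP-1": _peak(authfail),
        "PAMP-2": _peak(unreach),
        "DS-1": max((len(v) for v in out_comm.values()), default=0),
        "SS-1": len(pending),
        "SS-2": _peak(same_oid),
    }


def tripped(signals, thresholds=THRESHOLDS):
    """Names of the signals whose peak exceeds the configured threshold."""
    return sorted(name for name, value in signals.items() if value > thresholds[name])


# Constructed sample traffic (not a real capture).
NMS, AGENT, ATTACKER = "10.0.0.2", "10.0.0.5", "10.0.0.9"
SYS_DESCR, SYS_UPTIME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"


def normal_polling(seconds=5):
    """One GetRequest for sysUpTime.0 per second, each answered 10 ms later."""
    ev = []
    for i in range(seconds):
        ev.append(Event(i, "request", NMS, AGENT, "public", i, SYS_UPTIME))
        ev.append(Event(i + 0.01, "response", AGENT, NMS, "public", i, SYS_UPTIME))
    return ev


def dictionary_attack(t0=10.0, guesses=20):
    """A sweep of 12 hosts without an SNMP listener (ICMP port unreachable back to the
    attacker), then 20 guesses against the agent within one second; the agent drops each
    request with a bad community and logs an authentication failure, so nothing is answered."""
    ev = [Event(t0 - 0.5 + j * 0.01, "icmp_unreach", f"10.0.0.{20 + j}", ATTACKER)
          for j in range(12)]
    for i in range(guesses):
        ev.append(Event(t0 + i * 0.04, "request", ATTACKER, AGENT, f"guess{i}", 1000 + i, SYS_DESCR))
        ev.append(Event(t0 + i * 0.04 + 0.001, "authfail", AGENT, ATTACKER, f"guess{i}"))
    return ev


if __name__ == "__main__":
    for label, events in (("normal", normal_polling()),
                          ("attack", normal_polling() + dictionary_attack())):
        sig = snmp_signals(events)
        print(label, sig, "tripped:", tripped(sig))
```

Normal polling leaves every signal at 0 or 1; the attack second drives all five above threshold at once, which is the point of combining them: SS-1 (unanswered request IDs) and DS-1 (distinct outgoing community strings) fire on the attacker's own traffic even when the target never reports an authentication failure.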
SNMP Observer integrates the functionality of the Standard and Expert versions to bring SNMP device management, RMON compliance and web reporting. It is described as the sole network analyzer built on a unified code set, which allows seamless integration with the rest of the Observer family and with other devices. Leading features include multiple views of device data for both readable and writable SNMP objects, monitoring of notifications resulting from SNMP triggers, and alarm configuration for SNMP data. In addition to reporting SNMP data in real time, it collects data for baseline comparisons and outputs findings as charts, tables, lists and graphs.
In order to obtain sufficient information about the performance of a network, the exchange of information between the network devices and the network monitoring solution is crucial. Devices often lack the capacity to run management applications; therefore most of the processing and management options are left to analytical and monitoring applications such as Observer.
SNMP uses a small set of operations, the GetRequest, GetNextRequest, GetBulkRequest and SetRequest PDUs, to read a value from or store a value in an SNMP agent. Observer has a full-function SNMP management console that allows the polling, configuration and analysis of any device that speaks the SNMP protocol. For instance, to manage a device the Observer Suite requires the configuration of its IP address, SNMP community string, the version of SNMP in use, and the model and maker of the device. The web view of the readable and writable SNMP objects is shown below.
Fig. 3 Web based Network monitoring
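The four operations named above, together with the community-string check of SNMPv1/v2c and the GetNext loop that snmpwalk performs, as an added example over a toy agent (this is not Observer's code or any vendor's; the MIB contents are constructed and the "eth10" interface is there to show that OIDs order numerically per arc, so ifDescr.10 sorts after ifDescr.2):

```python
"""A toy SNMPv2c-style agent over a constructed MIB: Get, GetNext, GetBulk, Set and a walk."""
from bisect import bisect_right


def oid_key(oid):
    """OIDs compare numerically arc by arc, not as strings."""
    return tuple(int(arc) for arc in oid.split("."))


# Constructed MIB contents (not a real device): part of the system group and two ifTable columns.
MIB = {
    "1.3.6.1.2.1.1.1.0": "Example Router",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,            # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "edge-rtr1",       # sysName.0 (read-write)
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",        # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",        # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "eth10",      # ifDescr.10
    "1.3.6.1.2.1.2.2.1.8.1": 1,             # ifOperStatus.1 = up
    "1.3.6.1.2.1.2.2.1.8.2": 2,             # ifOperStatus.2 = down
    "1.3.6.1.2.1.2.2.1.8.10": 1,            # ifOperStatus.10 = up
}


class Agent:
    def __init__(self, mib, communities):
        self.mib = dict(mib)
        self.communities = communities   # community string -> "ro" or "rw"
        self.auth_failures = 0           # what an authenticationFailure trap would report
        self.order = sorted(self.mib, key=oid_key)
        self.keys = [oid_key(o) for o in self.order]

    def _authorized(self, community, write=False):
        level = self.communities.get(community)
        if level is None or (write and level != "rw"):
            self.auth_failures += 1
            return False
        return True

    def get(self, community, oid):
        """GetRequest. A v1/v2c agent silently drops a request with a bad community (None)."""
        if not self._authorized(community):
            return None
        return self.mib.get(oid, "noSuchInstance")   # v2c exception value for a missing instance

    def get_next(self, community, oid):
        """GetNextRequest: the first object after oid in lexicographic order, or endOfMibView."""
        if not self._authorized(community):
            return None
        i = bisect_right(self.keys, oid_key(oid))
        if i == len(self.order):
            return (None, "endOfMibView")
        return (self.order[i], self.mib[self.order[i]])

    def get_bulk(self, community, oid, max_repetitions):
        """GetBulkRequest with non-repeaters = 0: up to max_repetitions successors in one reply."""
        if not self._authorized(community):
            return None
        out = []
        for _ in range(max_repetitions):
            oid, value = self.get_next(community, oid)
            if oid is None:
                break
            out.append((oid, value))
        return out

    def set(self, community, oid, value):
        """SetRequest: needs a read-write community and an existing instance."""
        if not self._authorized(community, write=True) or oid not in self.mib:
            return False
        self.mib[oid] = value
        return True


def walk(agent, community, subtree):
    """What snmpwalk does: repeat GetNext until the reply leaves the requested subtree."""
    prefix = oid_key(subtree)
    found, cur = [], subtree
    while True:
        reply = agent.get_next(community, cur)
        if reply is None:
            raise TimeoutError("no response (wrong community string?)")
        oid, value = reply
        if oid is None or oid_key(oid)[:len(prefix)] != prefix:
            return found
        found.append((oid, value))
        cur = oid


if __name__ == "__main__":
    agent = Agent(MIB, {"public": "ro", "private": "rw"})
    print(walk(agent, "public", "1.3.6.1.2.1.2.2.1.2"))
    print(agent.set("public", "1.3.6.1.2.1.1.5.0", "x"), agent.auth_failures)
```

Note that a write with the read-only community fails exactly like an unknown community: the agent does not answer, and the only trace is the authentication-failure counter, which is what the PAMP-1 signal in the previous section counts.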
The journal under consideration covers both the diagnosis and repair of switches using the Observer suite's SNMP-supported statistics, presented in chart format, and long-term trending using the SNMP console, which tracks charted SNMP statistics over a long period. The network activity summary below can track an object for an extended time.
Fig.4 Extended network summary
SECURITY IS BROUGHT TO SNMPV3
These are the resources for implementing a network-management system. With SNMPv3, the security deficiencies of the earlier versions are addressed. According to the Internet Protocol Journal (2008), SNMPv3 was issued as a package of Proposed Standards to handle administration and security; the SNMPv3 specifications (RFC 3410 to RFC 3418) have since been adopted as full Internet Standard STD 62. SNMPv3 is a set of authentication, privacy and access control features meant to deliver these services in an efficient and flexible manner. It incorporates the concept of a principal, the entity on whose behalf services are provided or processing takes place. A principal in this scenario represents an individual, or a set of individuals acting in a particular role, who operates from a management station and issues SNMP commands to agent systems. Knowledge of the principal and of the target agent gives a basis for determining the security features tailored to individual principals, to the information exchanged and to the agent systems. It thus gives security managers the opportunity to define the authentication, access control and privacy requirements when assigning network authorizations to users.
The User-based Security Model (USM), defined in RFC 2574 (since superseded by RFC 3414), provides authentication and privacy for SNMP and identifies the threats the protocol must defend against. The two primary threats are modification of information, where an in-transit message from an authorized entity is altered so that the management operation, and with it the objective it was meant to achieve, is changed; and masquerade, where an unauthorized entity assumes the identity of an authorized one in order to perform management operations. Two secondary threats follow from SNMP being designed to run over a connectionless transport protocol (UDP). Messages can be reordered, delayed or replayed; this message stream modification threat is mitigated by timeliness checks on each message. Disclosure is the other: an entity could observe the exchanges between manager and agent, learn the values of the managed objects and the events that occurred, and so gain knowledge that should have stayed confidential; this is countered by encrypting the payload. Denial of service and traffic analysis are explicitly left out of scope.
SNMPv3 is superior to versions one and two because it is built in a modular fashion: each SNMP entity includes a single SNMP engine. The engine implements the sending and receiving of messages, authentication, encryption and decryption, and access control to managed objects. These functions are provided as services to the applications configured in the entity, and the engine together with its applications makes up an SNMP entity.
The modular architecture provides the following advantages. First, the role of an SNMP entity is dictated by the modules implemented in it; an agent and a manager require different sets of modules. Second, the modular structure allows different versions of each module to be defined, which eases coexistence and transition. This makes it possible to add alternative or more advanced capabilities without moving to a new version of the protocol.
SNMPv3 relays SNMP information over a transport protocol (normally UDP) through two processing layers: PDU processing and message processing. The PDU layer defines the management commands, while the message processing layer handles the message header and adds the security-related fields. With USM these security parameters carry the authoritative engine ID, engine boots and engine time (used for the timeliness check), the user name, the authentication parameters and the privacy parameters.
Fig. 5 SNMPv3 message format
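How the USM fields in that message format defend against the modification, masquerade and replay threats listed above, as an added example that is not part of the cited article: the RFC 3414 password-to-key and key-localization steps, the HMAC-96 authentication tag, and the 150-second timeliness window. The engine ID and password are the RFC 3414 Appendix A.3 test-vector values; the user name, PDU bodies and clock values are constructed, and the length-prefixed framing stands in for the real BER encoding of an SNMPv3 message (an assumption, so the tags here are not wire-compatible).

```python
"""RFC 3414 USM pieces: password-to-key, key localization, HMAC-96 and the timeliness window."""
import hashlib
import hmac

AUTH_LEN = 12        # HMAC-96: only the first 12 octets of the HMAC output go on the wire
TIME_WINDOW = 150    # seconds; beyond this a message is "not in time window" (RFC 3414 2.2.3)


def password_to_key(password, engine_id, hash_name="sha1"):
    """Ku = H(password repeated to 1,048,576 octets); Kul = H(Ku || snmpEngineID || Ku).
    Localization makes the same password give a different key on every engine, so a key
    recovered from one agent does not work against another (RFC 3414 A.2)."""
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    ku = hashlib.new(hash_name, stream).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def serialize(msg, auth_params):
    """Simplified length-prefixed framing (assumption) in place of the BER-encoded SNMPv3
    message; the fields mirror the USM security parameters plus the scoped PDU."""
    parts = [msg["engine_id"], msg["boots"].to_bytes(4, "big"), msg["time"].to_bytes(4, "big"),
             msg["user"], auth_params, msg["scoped_pdu"]]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def authenticate(msg, kul, hash_name="sha1"):
    """msgAuthenticationParameters: HMAC over the whole message with that field zeroed, truncated."""
    mac = hmac.new(kul, serialize(msg, bytes(AUTH_LEN)), hash_name).digest()
    return mac[:AUTH_LEN]


def verify(msg, auth_params, kul, engine_boots, engine_time, hash_name="sha1"):
    """Receiver-side checks in RFC 3414 order: digest first, then timeliness. Returns "ok"
    or the usmStats counter that would be incremented and sent back in a Report PDU."""
    if not hmac.compare_digest(authenticate(msg, kul, hash_name), auth_params):
        return "usmStatsWrongDigests"        # modification of information or masquerade
    if msg["boots"] != engine_boots or abs(msg["time"] - engine_time) > TIME_WINDOW:
        return "usmStatsNotInTimeWindows"    # delayed or replayed message
    return "ok"


# Engine ID and password from the RFC 3414 A.3 test vectors; everything else is constructed.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def example_exchange():
    """Four deliveries of one GetRequest to an engine whose clock reads boots=3, time=1010."""
    kul = password_to_key(b"maplesyrup", RFC_ENGINE_ID)
    msg = {"engine_id": RFC_ENGINE_ID, "boots": 3, "time": 1000, "user": b"ops",
           "scoped_pdu": b"GetRequest sysName.0"}
    tag = authenticate(msg, kul)
    tampered = dict(msg, scoped_pdu=b"SetRequest sysName.0 pwned")   # body changed, old tag kept
    old = dict(msg, time=400)                                         # genuine, captured 10 min ago
    return {
        "valid": verify(msg, tag, kul, 3, 1010),
        "tampered": verify(tampered, tag, kul, 3, 1010),
        "replayed": verify(old, authenticate(old, kul), kul, 3, 1010),
        "after_reboot": verify(msg, tag, kul, 4, 5),
    }


if __name__ == "__main__":
    print(password_to_key(b"maplesyrup", RFC_ENGINE_ID, "md5").hex())
    print(example_exchange())
```

The timeliness check is why an SNMPv3 manager first sends an unauthenticated discovery request to learn the agent's engine ID, boots and time before it can send anything the agent will accept. HMAC-MD5-96, HMAC-SHA-96 and CBC-DES are the original USM algorithms; in a new deployment the SHA-2 authentication protocols of RFC 7860 and AES privacy of RFC 3826 should be selected where the devices support them.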
Network trending can be configured to output only the relevant statistics, so that resources are spent on the necessary information only. To view web reports, the network trending options in Observer must be configured. Two types of information are needed: monitoring of specific servers and the network trending data. From the network trending options in the Observer menu, under the Settings button, change the sampling divider. The SNMP trending options select the version of SNMP in use; in our case SNMPv3 is selected. SNMPv3 provides security and encryption in addition to the features of versions one and two, so the following must be configured: the security user name, the context engine ID, the community string, and the SNMPv3 security (authentication and privacy) settings.
In order to report on server activity, for instance, Netlive trending is used. The Observer Reporting Server focuses on reports and delivers them at an interval specified by the user. By default it covers the past hour, and the reports appear on a scrolling display updated every 20 seconds. The trending window appears once the Trending tab settings have been configured: in the Settings tab choose the Network Trending options and specify the parameters to display. The window shown below displays the activity of the last hour with 20-second updates.
Fig. 6 Activity display in 20s interval
WEB BASED ENTERPRISE MANAGEMENT (WBEM) ENABLED SOLUTION FOR NON-HOMOGENEOUS NETWORK
The rapid growth of the internet has necessitated the development of the object-oriented Web-Based Enterprise Management initiative, geared towards the management of enterprise systems and distributed heterogeneous computing environments. Among management protocols, the Simple Network Management Protocol and the Common Management Information Protocol (CMIP) are the most commonly used. The latter provides a consistent, portable and uniform solution for heterogeneous networking environments. CMIP gives additional services on managed resources, sophisticated event notification, and filtering of a selected subset of the management information.
WBEM is a package of system management standards that brings together the management of distributed computing environments. In the WBEM environment the Extensible Markup Language (XML) is used; XML is a set of rules for encoding documents in a machine-readable form. XML documents are large, so the useful data carried per transmitted byte decreases and inefficiency arises: documents encoded in XML take more bandwidth on the transmitting network. To counter this inefficiency, a technology known as Binary XML is used to compress the transmitted data.
Binary XML is used in the WBEM prototype, where large, distributed systems need to be integrated under standardized management protocols. The inefficiency in non-homogeneous systems caused by lack of interoperability leads to an increased cost of ownership. Managing SNMP- and CMIP-based non-homogeneous networks from WBEM-compliant systems requires gateways that provide an interface between the management frameworks. The proposed network is technology- and platform-neutral and is consistent with each specific management standard. End-to-end message communication between manager and agent is therefore attained, achieving the ultimate goal of interoperability.
A mapping known as communication translation is developed to convert WBEM CIM operations into SNMP and CMIP operations. The combination of CIM and XML gives the CIM-XML encoding standard, a Document Type Definition that describes how CIM classes and instances are represented in XML. The CIM operations over HTTP specification defines the mapping that allows CIM to be implemented in an open, standardized manner.
Fig. 7 WBEM architecture
The integration approach is divided into two: the protocol-neutral approach and the specific gateway approach. The WBEM solution for non-homogeneous networks contains three components: the SNMP agent, the WBEM gateway and the CMIP manager. The gateway sits between the other two and acts as a protocol converter; for example, it translates CMIP M-GET requests into SNMP GetRequests.
The enhanced object-oriented WBEM technology is based on the Efficient XML Interchange (EXI) binary XML format. EXI's main objective is to improve the performance and efficiency of message communication between the WBEM client and the WBEM server.
Despite the fact that CIM is gaining momentum in the management of enterprises, systems and networks, SNMP remains the de facto standard for network management and instrumentation. CIM offers the capability to define associations between components, and its object-oriented approach thus makes it easier to track relationships between managed objects. Using monitoring tools such as tkined, the measured parameters are displayed on the CIM interface as shown below.
Fig.9 Measured parameters on the tkined interface.
SNMP MIB BROWSER
An SNMP MIB browser is an SNMP network management tool that analyzes the communication with the various agents on a computer network. The software uses the SNMPv1, SNMPv2c and SNMPv3 protocols to manage the devices in an SNMP network, including routers, printers and servers. Analysis of standard, network and proprietary MIB files is possible through this tool. The tool is instrumental when used with SNMP Observer to predict network traffic, browse MIBs and perform other management operations, and it can load SNMP mibwalk files from a number of vendors. Advanced capabilities such as a MIB tree representation, agent OID/value responses, searchable MIB grids, and MIB variable definition windows simplify network management, error detection and repair.
Fig. 10 MIB variables.
CONCLUSION
Today, the rapid increase in computing power has created the need for network management tools. The literature has focused on two management protocols: SNMP and CMIP. SNMP consists of three components: the manager, the agents and the management information base. Integrating Observer with SNMP has made it possible to obtain sufficient information about the performance of a network and the exchange of information between the network and its devices. SNMPv3 is the standard that corrects the security vulnerabilities evident in versions one and two; its main features are authentication, access control and privacy. SNMP is a valuable tool for monitoring the health of workstations, and when integrated with Observer it provides real-time statistics to the network management station. CMIP, on the other hand, uses an object-oriented approach to track how managed objects are interrelated and interdependent, and the Binary XML encoding used with WBEM has been reviewed in the literature. Managing SNMP- and CMIP-based non-homogeneous networks from WBEM-compliant systems requires gateways that provide an interface between the management frameworks; end-to-end message communication between manager and agent is thereby achieved, attaining the ultimate goal of interoperability. Finally, the SNMP MIB browser has been shown to provide communication with the agents on a computer network: it monitors the devices in the network, including routers, switches and servers, and feeds back up-to-date information on the state of the network.
References
Brenton, C., & Hunt, C. (2002). Mastering Network Security. New York: John Wiley & Sons.
Mauro, D., & Schmidt, K. (2009). Essential SNMP. O'Reilly Media.
Marchette, D. J. (2001). Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint. New York: Springer.
Mauro, D., & Schmidt, K. (2005). Essential SNMP (2nd ed.). O'Reilly Media.
Stair, R., & Reynolds, G. (2011). Principles of Information Systems. Cengage Learning.
Schneier, B. (2010). Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons.
Glenn, W. J., & Northrup, T. (2005). MCDST Self-Paced Training Kit. Microsoft Press.