SNMP: Simple Network Management Protocol

1. Briefs
Simple Network Management Protocol (SNMP) is a component of the Internet Protocol Suite (IPS). The IPS is the set of communications protocols used for the Internet and other similar networks; it is commonly also known as TCP/IP, named from two of the most important protocols in it: TCP and IP.

The IPS consists of 4 abstraction layers: Link, Internet, Transport, and Application Layer. SNMP operate in the Application Layer of the IPS (Layer 7 of the OSI model). DNS, HTTP, IMAP, IRC, RPC, SMTP, SSH, Telnet, TSL/SSL also work in this layer.

SNMP is an "Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, ups, and more.”. It is the most popular protocol in use to manage networked devices to facilitate the exchange of management information between networked devices. The SNMP protocol enables network and system administrators to remotely monitor and configure devices on the network.


2. Works
By using SNMP, we able to monitor networks and devices. Those network elements which have management agents, responsible for performing the network management functions requested by the network management stations. The SNMP is used to communicate management information between the network management stations and the agents in the network elements.

SNMP is built around the concept of "managers" and "agents." Manager software (commonly installed on a network management system) makes requests to agent software running on a host or device to gather data on the operational status, configuration, or performance statistics of that system (polling). Some agents allow configuration parameters to be changed by managers, while others provide read-only statistics and configuration information. Additionally, agents can generate ad hoc messages to manager systems to inform them of unusual events (traps).

The following is a typical what SNMP do:

• The SNMP agent receives requests on UDP port 161.
• The manager may send requests from any available source port to port 161 in the agent.
• The agent response will be sent back to the source port on the manager.
• The manager receives notifications (Traps and InformRequests) on port 162.
• The agent may generate notifications from any available port.

3. Protocols/ports

• SNMP uses 161/udp for general purpose (request/response) communications, and 162/udp for traps.
• Additionally, the SNMP multiplexing protocol uses 199/tcp.
• Another SNMP extension, the AgentX protocol uses 705/tcp.

4. Administrative Relationships
The SNMP architecture admits a variety of administrative relationships among entities that participate in the protocol. Below are the terms that are commonly found:

• SNMP Application entities. The entities residing at management stations and network elements which communicate with one another using SNMP.
• SNMP Protocol entities. The peer processes which implement the SNMP, and thus support the SNMP application entities.
• SNMP community. A pairing of an SNMP agent with some arbitrary set of SNMP application entities. Each SNMP community is named by a string of octets, that is called the community name for said community.
• Authentic SNMP message. An SNMP message originated by an SNMP application entity that is belongs to the SNMP community named by the community component ofsaid message.
• Authentication scheme. The set of rules by which an SNMP messageis identified as an authentic SNMP message for a particular SNMP community.
• Authentication service. An implementation of a function that identifies authentic SNMP messages according to one or more authentication schemes.
• SNMP MIB view. For any network element, a subset of objects in the MIB that pertain to that element.
• SNMP access mode. An element of the set { READ-ONLY, READ-WRITE }.
• SNMP community profile. A pairing of a SNMP access mode with a SNMP MIB view. A SNMP community profile represents specified access privileges to variables in a specified MIB view. For every variable in the MIB view in a given SNMP community profile, access to that variable is represented by the profile according to the following conventions:
  

1. if said variable is defined in the MIB with "Access:" of "none," it is unavailable as an operand for any operator;
2. if said variable is defined in the MIB with "Access:" of "read-write" or "write-only" and the access mode of the given profile is READ-WRITE, that variable is available as an operand for the get, set, and trap operations;
3. otherwise, the variable is available as an operand for the get and trap operations.
4. In those cases where a "write-only" variable is an operand used for the get or trap operations, the value given for the variable is implementation-specific.

• SNMP access policy. A pairing of a SNMP community with a SNMP community profile. An access policy represents a specified community profile afforded by the SNMP agent of a specified SNMP community to other members of that community. All administrative relationships among SNMP application entities are defined in terms of SNMP access policies.
• SNMP proxy access policy. For every SNMP access policy, if the network element on which the SNMP agent for the specified SNMP community resides is not that to which the MIB view for the specified profile pertains.
• SNMP proxy agent. The SNMP agent associated with a proxy access policy.
  

5. Structure of Management Information
Management information is viewed as a collection of managed objects, residing in a virtual information store, termed the Management Information Base (MIB). Collections of related objects are defined in MIB modules. These modules are written in the SNMP MIB module language, which contains elements of OSI's Abstract Syntax Notation One (ASN.1) language. STD 58, RFCs 2578, 2579, 2580, together define the MIB module language, specify the base data types for objects, specify a core set of short-hand specifications for data types called textual conventions, and specify a few administrative assignments of object identifier (OID) values.

6 SNMP Applications
It is the purpose of RFC 2573, "SNMP Applications" to describe the five types of applications which can be associated with an SNMP engine. They are:

• Applications which initiate SNMP Read-Class, and/or Write-Class requests, called 'Command Generators.'
• Applications which respond to SNMP Read-Class, and/or Write-Class requests, called 'Command Responders.'
• Applications which generate SNMP Notification-Class PDUs, called 'Notification Originators.'
• Applications which receive SNMP Notification-Class PDUs, called 'Notification Receivers.'
• Applications which forward SNMP messages, called 'Proxy Forwarders.'
  

7.Securities
SNMP versions 1 and 2c are subject to packet sniffing of the clear text community string from the network traffic, because they do not implement encryption. All versions of SNMP are subject to brute force and dictionary attacks for guessing the community strings, authentication strings, authentication keys, encryption strings, or encryption keys, because they do not implement a challenge-response handshake.

Entropy is an important consideration when selecting keys, passwords and/or algorithms. Although SNMP works over TCP and other protocols, it is most commonly used over UDP that is connectionless and vulnerable to IP spoofing attacks. Thus, all versions are subject to bypassing device access lists that might have been implemented to restrict SNMP access, though SNMPv3's other security mechanisms should prevent a successful attack.

SNMP's powerful configuration (write) capabilities are not being fully utilized by many vendors, partly due to lack of security in SNMP versions before SNMPv3 and partly due to the fact that many devices simply are not capable of being configured via individual MIB object changes.


8. SNMP development
SNMP version 1 (SNMPv1)
SNMPv1 is the initial implementation of the SNMP protocol, it is widely used and is the de facto network-management protocol in the Internet community. (RFC 1155, 1156, 1157, 1213).
Version 1 has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

SNMP version 2 (SNMPv2)
SNMPv2 (RFC 1441–1452), revises version 1 and includes improvements in the areas of performance, security, confidentiality, and manager-to-manager communications. However, the new party-based security system in SNMPv2, viewed by many as overly complex, was not widely accepted.

Community-Based SNMP version 2, or SNMPv2c, is defined in RFC 1901–1908. SNMPv2c comprises SNMPv2 without the controversial new SNMP v2 security model, using instead the simple community-based security scheme of SNMPv1. While officially only a "Draft Standard", this is widely considered the de facto SNMPv2 standard.

User-Based SNMP version 2, or SNMPv2u, is defined in RFC 1909–1910. This is a compromise that attempts to offer greater security than SNMPv1, but without incurring the high complexity of SNMPv2. A variant of this was commercialized as SNMP v2*, and the mechanism was eventually adopted as one of two security frameworks in SNMP v3.

SNMP version 3 (SNMPv3)
SNMPv3 makes things look much different by introducing new textual conventions, concepts, and terminology. SNMPv3 primarily added security and remote configuration enhancements to SNMP.

Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text between a manager and agent. Each SNMPv3 message contains security parameters which are encoded as an octet string. The meaning of these security parameters depends on the security model being used.

SNMPv3 provides important security features:

• Confidentiality - Encryption of packets to prevent snooping by an unauthorized source.
• Integrity - Message integrity to ensure that a packet has not been tampered with in transit including an optional packet replay protection mechanism.
• Authentication - to verify that the message is from a valid source.

SNMPv 3 as defined by RFC 3411–RFC 3418 is the current standard version of SNMP.
The IETF has designated SNMPv3 a full Internet standard, the highest maturity level for an RFC.

In practice, SNMP implementations often support multiple versions: typically SNMPv1, SNMPv2c, and SNMPv3.