
Saturday, 08 January 2011

SNMP: Simple Network Management Protocol

1. Brief
Simple Network Management Protocol (SNMP) is a component of the Internet Protocol Suite (IPS). The IPS is the set of communications protocols used for the Internet and similar networks; it is commonly known as TCP/IP, named after two of its most important protocols, TCP and IP.

The IPS consists of four abstraction layers: Link, Internet, Transport, and Application. SNMP operates in the Application Layer of the IPS (Layer 7 of the OSI model), alongside DNS, HTTP, IMAP, IRC, RPC, SMTP, SSH, Telnet and TLS/SSL.

SNMP is an "Internet-standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, UPSs and more." It is the most widely used protocol for managing networked devices and for exchanging management information between them. SNMP enables network and system administrators to remotely monitor, and in many cases configure, devices on the network.


2. How it works
Using SNMP, we can monitor networks and devices. Network elements carry management agents, which perform the network management functions requested by the network management stations. SNMP is used to communicate management information between the management stations and the agents in the network elements.

SNMP is built around the concept of "managers" and "agents". Manager software (commonly installed on a network management system) makes requests to agent software running on a host or device to gather data on the operational status, configuration, or performance statistics of that system (polling). Some agents allow configuration parameters to be changed by managers, while others provide read-only statistics and configuration information. Additionally, agents can send unsolicited messages to manager systems to inform them of unusual events (traps).

The typical port usage is as follows:
  • The SNMP agent receives requests on UDP port 161.
  • The manager may send requests from any available source port to port 161 in the agent.
  • The agent response will be sent back to the source port on the manager.
  • The manager receives notifications (Traps and InformRequests) on port 162.
  • The agent may generate notifications from any available port.


3. Protocols/ports
  • SNMP uses 161/udp for general-purpose request/response traffic and 162/udp for traps.
  • Additionally, the SNMP multiplexing protocol (SMUX) uses 199/tcp.
  • Another SNMP extension, the AgentX subagent protocol, uses 705/tcp.

4. Administrative Relationships
The SNMP architecture admits a variety of administrative relationships among entities that participate in the protocol. The terms below are the ones commonly found (they come from RFC 1157):
  • SNMP Application entities. The entities residing at management stations and network elements which communicate with one another using SNMP.
  • SNMP Protocol entities. The peer processes which implement the SNMP, and thus support the SNMP application entities.
  • SNMP community. A pairing of an SNMP agent with some arbitrary set of SNMP application entities. Each SNMP community is named by a string of octets, that is called the community name for said community.
  • Authentic SNMP message. An SNMP message originated by an SNMP application entity that belongs to the SNMP community named by the community component of said message.
  • Authentication scheme. The set of rules by which an SNMP message is identified as an authentic SNMP message for a particular SNMP community.
  • Authentication service. An implementation of a function that identifies authentic SNMP messages according to one or more authentication schemes.
  • SNMP MIB view. For any network element, a subset of objects in the MIB that pertain to that element.
  • SNMP access mode. An element of the set { READ-ONLY, READ-WRITE }.
  • SNMP community profile. A pairing of an SNMP access mode with an SNMP MIB view. An SNMP community profile represents specified access privileges to variables in a specified MIB view. For every variable in the MIB view in a given SNMP community profile, access to that variable is represented by the profile according to the following conventions:
  1. if said variable is defined in the MIB with "Access:" of "none," it is unavailable as an operand for any operator;
  2. if said variable is defined in the MIB with "Access:" of "read-write" or "write-only" and the access mode of the given profile is READ-WRITE, that variable is available as an operand for the get, set, and trap operations;
  3. otherwise, the variable is available as an operand for the get and trap operations.
  4. In those cases where a "write-only" variable is an operand used for the get or trap operations, the value given for the variable is implementation-specific.
  • SNMP access policy. A pairing of an SNMP community with an SNMP community profile. An access policy represents a specified community profile afforded by the SNMP agent of a specified SNMP community to other members of that community. All administrative relationships among SNMP application entities are defined in terms of SNMP access policies.
  • SNMP proxy access policy. For every SNMP access policy, if the network element on which the SNMP agent for the specified SNMP community resides is not the one to which the MIB view for the specified profile pertains, then that policy is called an SNMP proxy access policy.
  • SNMP proxy agent. The SNMP agent associated with a proxy access policy.

5. Structure of Management Information
Management information is viewed as a collection of managed objects, residing in a virtual information store termed the Management Information Base (MIB). Collections of related objects are defined in MIB modules. These modules are written in the SNMP MIB module language, which contains elements of OSI's Abstract Syntax Notation One (ASN.1). STD 58 (RFCs 2578, 2579 and 2580) defines the MIB module language, specifies the base data types for objects, specifies a core set of short-hand specifications for data types called textual conventions, and specifies a few administrative assignments of object identifier (OID) values.

6. SNMP Applications
RFC 2573, "SNMP Applications" (since superseded by RFC 3413), describes the five types of applications that can be associated with an SNMP engine:
  • Applications which initiate SNMP Read-Class, and/or Write-Class requests, called 'Command Generators.'
  • Applications which respond to SNMP Read-Class, and/or Write-Class requests, called 'Command Responders.'
  • Applications which generate SNMP Notification-Class PDUs, called 'Notification Originators.'
  • Applications which receive SNMP Notification-Class PDUs, called 'Notification Receivers.'
  • Applications which forward SNMP messages, called 'Proxy Forwarders.'


7. Security
SNMP versions 1 and 2c transmit the community string in clear text, so anyone who can sniff the traffic can read it; neither version implements encryption. All versions of SNMP, v3 included, are subject to brute-force and dictionary attacks against community strings, authentication passphrases and privacy passphrases, because the protocol has no challenge-response handshake: one captured message is enough to test guesses offline.

Entropy is an important consideration when choosing community strings, passphrases and keys. Although SNMP can run over TCP and other transports, it is most commonly used over UDP, which is connectionless and vulnerable to IP spoofing. All versions are therefore subject to bypassing of device access lists that restrict SNMP by source address, though SNMPv3's authentication should prevent a successful attack where only the source address is forged.

SNMP's configuration (write) capabilities are not fully utilized by many vendors, partly because of the lack of security in SNMP versions before SNMPv3 and partly because many devices simply cannot be configured through individual MIB object changes. Where write access is not needed, expose only read-only communities or users, and restrict the agent to the management network.


8. SNMP development
SNMP version 1 (SNMPv1)
SNMPv1 is the initial implementation of the SNMP protocol; it is widely used and was long the de facto network-management protocol in the Internet community (RFC 1155, 1156, 1157, 1213).
Version 1 has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

SNMP version 2 (SNMPv2)
SNMPv2 (RFC 1441–1452) revises version 1 and includes improvements in performance, security, confidentiality and manager-to-manager communications. However, its new party-based security system, viewed by many as overly complex, was not widely accepted.

Community-Based SNMP version 2 (SNMPv2c)
SNMPv2c is defined in RFC 1901–1908. It comprises SNMPv2 without the controversial new SNMPv2 security model, using instead the simple community-based security scheme of SNMPv1. While officially only a "Draft Standard", it is widely considered the de facto SNMPv2 standard.

User-Based SNMP version 2 (SNMPv2u)
SNMPv2u is defined in RFC 1909–1910. It is a compromise that attempts to offer greater security than SNMPv1 without incurring the high complexity of SNMPv2. A variant of this was commercialized as SNMPv2*, and the mechanism was eventually adopted as one of the two security frameworks in SNMPv3.

SNMP version 3 (SNMPv3)
SNMPv3 introduces new textual conventions, concepts and terminology; its main additions are security and remote configuration.

Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP versions 1 and 2c amounts to nothing more than a password (the community string) sent in clear text between manager and agent. Each SNMPv3 message instead carries security parameters, encoded as an octet string, whose meaning depends on the security model in use (in practice the User-based Security Model, USM).

SNMPv3 provides important security features:
  • Confidentiality - Encryption of packets to prevent snooping by an unauthorized source.
  • Integrity - Message integrity to ensure that a packet has not been tampered with in transit including an optional packet replay protection mechanism.
  • Authentication - to verify that the message is from a valid source.
SNMPv3, as defined by RFC 3411–RFC 3418, is the current standard version of SNMP; the IETF has designated it a full Internet Standard (STD 62), the highest maturity level for an RFC.

In practice, SNMP implementations often support several versions, typically SNMPv1, SNMPv2c and SNMPv3. Leaving v1/v2c enabled next to v3 gives away whatever v3 protects, since the agent still answers to any community string it accepts.
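The following added example (my code for this page, not from any SNMP implementation) shows the USM mechanics behind the three bullet points above, and why the earlier remark about dictionary attacks still applies to v3: password-to-key and key localization per RFC 3414 Appendix A.2, the truncated HMAC that becomes msgAuthenticationParameters, and an offline password guess against one captured message. The engine ID and the "maplesyrup" password are the RFC 3414 A.3 test vectors; the captured "message" is a constructed stand-in, not real BER-encoded SNMPv3.

```python
"""Added example for this page (not code from any SNMP implementation):
SNMPv3 USM key derivation (RFC 3414 A.2), the HMAC-96 authentication tag
(RFC 3414 6.3; RFC 7860 does the same with SHA-2), and an offline password
guess against a captured authenticated message.  ENGINE_ID and the
"maplesyrup" vectors are from RFC 3414 A.3; SAMPLE_MSG is a constructed
stand-in, not real BER-encoded SNMPv3."""
import hashlib
import hmac


def password_to_key(password, hashname):
    """Ku: hash of the password repeated out to exactly 1 MiB."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, stream).digest()


def localize_key(password, engine_id, hashname):
    """Kul = H(Ku || snmpEngineID || Ku): the same password yields a different
    key on every engine, so one compromised agent does not expose the rest."""
    ku = password_to_key(password, hashname)
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def auth_params(kul, zeroed_msg, hashname, truncate=12):
    """msgAuthenticationParameters: HMAC over the whole message computed with
    that field set to zeros, truncated (12 bytes for HMAC-MD5-96/HMAC-SHA-96)."""
    return hmac.new(kul, zeroed_msg, hashname).digest()[:truncate]


def offline_guess(engine_id, zeroed_msg, observed, hashname, wordlist):
    """Test candidate passwords against one sniffed message and its tag.  No
    packet is sent to the agent: this is what 'no challenge-response' costs."""
    for candidate in wordlist:
        kul = localize_key(candidate, engine_id, hashname)
        if hmac.compare_digest(auth_params(kul, zeroed_msg, hashname), observed):
            return candidate
    return None


ENGINE_ID = bytes.fromhex("000000000000000000000002")      # RFC 3414 A.3
SAMPLE_MSG = b"constructed stand-in for a v3 message, auth params zeroed"

if __name__ == "__main__":
    kul = localize_key("maplesyrup", ENGINE_ID, "sha1")
    tag = auth_params(kul, SAMPLE_MSG, "sha1")
    print(kul.hex(), tag.hex())
    print(offline_guess(ENGINE_ID, SAMPLE_MSG, tag, "sha1", ["public", "maplesyrup"]))
```

The engine ID needed for the guess is no obstacle: it travels in the clear in the security parameters of every v3 message. Localization limits what one stolen key is worth, but against a weak passphrase the only defences are entropy and a monitored, rate-limited management network.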

Wednesday, 05 January 2011

Relaying or redirecting access to another IP/Port

I have a machine with two cards: xl0 (192.168.168.168, with alias 10.10.10.10) and xl1 (222.xx.xx.xx). They serve an internal and an external connection respectively for a web server named test.fer.com. Every web access from the Internet arrives on xl1, intranet access on xl0, and the real web server, running on another machine (10.10.10.11), serves every request.

For this configuration to work, something must be listening on the www port. I had used Apache with a virtual host, and that works fine.

I tried another way, using relayd on OpenBSD 4.7.
relayd is a daemon that relays and dynamically redirects incoming connections to a target host. Its main purposes are to run as a load balancer, application-layer gateway or transparent proxy.

The daemon is able to monitor groups of hosts for availability, which is determined by checking for a specific service common to a host group. When availability is confirmed, layer 3 and/or layer 7 forwarding services are set up by relayd.

Layer 3 redirection happens at the packet level; to configure it, relayd communicates with pf.
To allow relayd to set up its pf rules, the following line is required in the filter section of pf.conf:

anchor "relayd/*"

Layer 7 relaying happens at the application level and is handled by relayd itself.
Various application level filtering and protocol-specific-balancing options are available for relays.

Here is an example relayd.conf (the relay daemon configuration file):
#
# Macros
relayd_lokal="10.10.10.10"
relayd_lokal_int="xl0"
relayd_ip="222.xx.xx.xx"
relayd_port="80"
relayd_int="xl1"
mywebserver="10.10.10.11"
serverku_port="80"

# Host group holding the real web server(s); relayd checks its availability
table <webhosts> { $mywebserver }

# Global Options
interval 10
timeout 1000
prefork 5

log updates

# Layer 3: redirect Internet traffic on xl1 to the web server through pf
redirect www_redirect {
    listen on $relayd_ip port $relayd_port interface $relayd_int
    # tag every packet that goes through the rdr rule with RELAYD
    tag RELAYD
    sticky-address
    forward to <webhosts> port $serverku_port mode roundrobin check tcp
}

# Layer 7: HTTP relay for the intranet side, adding forwarding headers
http protocol "www_service" {
    tcp { nodelay, socket buffer 65536 }
    header append "$REMOTE_ADDR" to "X-Forwarded-For"
    header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
}

relay "www_forwarder" {
    listen on $relayd_lokal port $relayd_port
    protocol "www_service"
    forward to <webhosts> port $serverku_port check tcp
}


Remember to add a rule like this to pf.conf, with $ext_if and $mywebserver defined as macros there as well. "tagged RELAYD" matches only packets that went through relayd's redirect rule, and synproxy makes pf complete the TCP handshake before the backend sees the connection. Check both files before reloading: relayd -n -f /etc/relayd.conf and pfctl -nf /etc/pf.conf.
pass in log on $ext_if inet proto tcp from any to $mywebserver port 80 flags S/SA synproxy state tagged RELAYD

Adding a file set later on OpenBSD

I had to install the gd library, which requires the X components, and ran into this error:
=================================
#cd /usr/ports/graphics/gd
#make install
===> Checking files for gd-2.0.35p0
>> Fetch http://www.libgd.org//releases/gd-2.0.35.tar.gz
..
installation failed (I forgot the error messages)
After installing xbase47.tgz and repeating the gd installation, the following errors appeared:

===> Verifying specs: jpeg.>=62 png.>=2 iconv.>=2 jpeg.>=62 png.>=2 iconv.>=2 c expat fontconfig freetype m z
Missing library for fontconfig
Missing library for freetype
=================================

Previously, I had chosen the file sets without the X components. Later I had to install a package that requires one or more file sets that were not selected at install time.
As you may recall, when installing OpenBSD we select from the following file sets:

bsd - This is the Kernel. REQUIRED.
bsd.mp - Multi-processor (SMP) kernel
bsd.rd - RAM disk kernel
base47.tgz - Contains the base OpenBSD system. REQUIRED.
etc47.tgz - Contains all the files in /etc. REQUIRED.
comp47.tgz - Contains the compiler and its tools, headers and libraries.
man47.tgz - Contains man pages
misc47.tgz - Contains misc info, setup documentation
game47.tgz - Contains the games for OpenBSD
xbase47.tgz - Contains the base libraries and utilities for X11
xetc47.tgz - Contains the /etc/X11 and /etc/fonts configuration files
xfont47.tgz - Contains X11's font server and fonts
xserv47.tgz - Contains X11's X servers
xshare47.tgz - Contains manpages, locale settings, includes, etc. for X

For the case above, there are two ways to do it:
First, use the installation media (such as a CD-ROM) and choose Upgrade rather than Install.
Second, use the tar command to extract the file set onto the root of the filesystem.

I chose the second way and did this:
1. Download the file sets and save them into the directory /home/binsar.
# wget -nd -P /home/binsar http://ftp.jaist.ac.jp/pub/OpenBSD/4.7/i386/xbase47.tgz
# wget -nd -P /home/binsar http://ftp.jaist.ac.jp/pub/OpenBSD/4.7/i386/xshare47.tgz
--2011-01-05 05:38:15-- http://ftp.jaist.ac.jp/pub/OpenBSD/4.7/i386/xshare47.tgz
Connecting to ftp.jaist.ac.jp (ftp.jaist.ac.jp)|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2946170 (2.8M) [application/x-gzip]
Saving to: `/home/binsar/xshare47.tgz'
100%[======================================>] 2,946,170 135K/s in 22s
2011-01-05 05:38:37 (131 KB/s) - `/home/binsar/xshare47.tgz' saved [2946170/2946170]

2. Extract the file sets into the root directory (the 'p' option makes tar restore ownership and permissions properly!!!). Before doing this as root, fetch the SHA256 file from the same mirror directory and verify the sets against it (sha256 -C SHA256 xbase47.tgz xshare47.tgz): the archives are extracted over system directories exactly as they were downloaded.

#tar xzvphf /home/binsar/xbase47.tgz -C /
#tar xzvphf /home/binsar/xshare47.tgz -C /

3. Update the shared library cache (without rebooting) by running ldconfig to add the X libraries to the cache:
# ldconfig -m /usr/X11R6/lib


or simply reboot; the rc startup script does this automatically.

4. Install the gd library again:
#cd /usr/ports/graphics/gd
#make install clean
# pkg_info
...
autoconf-2.61p3 automatically configure source code on many Un*x platforms
bzip2-1.0.5 block-sorting file compressor, unencumbered
cvsup-16.1hp2-no_x11 network file distribution system
db-4.6.21p0 Berkeley DB package, revision 4
gd-2.0.35p0 library for dynamic creation of images
gdbm-1.8.3p0 GNU dbm
...
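The procedure above fetches an archive over plain HTTP and extracts it as root straight into /, so the step a practitioner would add is verifying each set against the SHA256 file published in the same mirror directory before untarring it. The following added example (my code, not from the original post or from OpenBSD) does that in Python and also refuses archives whose members would land outside the destination; it runs offline against a constructed stand-in for xbase47.tgz, and the set name, member path and destination are illustrative.

```python
"""Added example (not from the original post or OpenBSD): install a file set
only after it verifies against the mirror's SHA256 file, and refuse archives
with members that would land outside the destination.  Nothing is
downloaded; a constructed stand-in for xbase47.tgz is built in a temporary
directory so the code runs offline.  Paths and names are illustrative."""
import hashlib
import io
import os
import tarfile
import tempfile


def parse_sha256_file(text):
    """Lines in the mirror's SHA256 file look like:  SHA256 (xbase47.tgz) = <hex>"""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "SHA256" and parts[2] == "=":
            sums[parts[1].strip("()")] = parts[3].lower()
    return sums


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_member(member, root):
    """Reject path traversal and links pointing outside the destination before
    anything is written (absolute link targets are rejected as well)."""
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"member escapes destination: {member.name}")
    if member.issym() or member.islnk():
        base = root if member.islnk() else os.path.dirname(target)
        link = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([root, link]) != root:
            raise ValueError(f"link escapes destination: {member.name} -> {member.linkname}")


def install_set(set_path, sha256_path, dest):
    """Verify the set against the SHA256 file, then extract it under DEST
    (for a real install: "/" as root).  Returns the names of extracted files."""
    name = os.path.basename(set_path)
    with open(sha256_path) as f:
        sums = parse_sha256_file(f.read())
    if name not in sums:
        raise ValueError(f"no SHA256 entry for {name}")
    if sha256_of(set_path) != sums[name]:
        raise ValueError(f"checksum mismatch for {name}: refusing to extract")
    root = os.path.realpath(dest)
    with tarfile.open(set_path, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            check_member(m, root)
        # newer Pythons add their own checks; "tar" keeps mode bits like tar -p
        extra = {"filter": "tar"} if hasattr(tarfile, "tar_filter") else {}
        tar.extractall(root, members=members, **extra)
    return [m.name for m in members if m.isfile()]


def build_stand_in_set(workdir):
    """Constructed stand-in for xbase47.tgz plus its SHA256 line (test data)."""
    set_path = os.path.join(workdir, "xbase47.tgz")
    with tarfile.open(set_path, "w:gz") as tar:
        data = b"stand-in for a shared library\n"
        info = tarfile.TarInfo("./usr/X11R6/lib/libdemo.so.1")
        info.size, info.mode = len(data), 0o444
        tar.addfile(info, io.BytesIO(data))
    sha_path = os.path.join(workdir, "SHA256")
    with open(sha_path, "w") as f:
        f.write(f"SHA256 (xbase47.tgz) = {sha256_of(set_path)}\n")
    return set_path, sha_path


def demo():
    """Three cases: a good set, a tampered set, and a set with a traversal member."""
    work = tempfile.mkdtemp()
    set_path, sha_path = build_stand_in_set(work)
    dest = os.path.join(work, "root")
    os.makedirs(dest)
    installed = install_set(set_path, sha_path, dest)
    present = os.path.isfile(os.path.join(dest, "usr/X11R6/lib/libdemo.so.1"))
    with open(set_path, "ab") as f:            # one extra byte breaks the digest
        f.write(b"\0")
    try:
        install_set(set_path, sha_path, dest)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    evil = os.path.join(work, "evil.tgz")      # checksum fine, contents hostile
    with tarfile.open(evil, "w:gz") as tar:
        tar.addfile(tarfile.TarInfo("../escape"), io.BytesIO(b""))
    with open(sha_path, "a") as f:
        f.write(f"SHA256 (evil.tgz) = {sha256_of(evil)}\n")
    try:
        install_set(evil, sha_path, dest)
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {"installed": installed, "present": present,
            "tampered_rejected": tampered_rejected, "traversal_rejected": traversal_rejected}


if __name__ == "__main__":
    print(demo())
```

The checksum only proves the file matches what the mirror published, not that the mirror is honest; for that, OpenBSD's signify-signed SHA256.sig files (introduced in later releases) or fetching the SHA256 file from a second source are the stronger checks.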

Saturday, 23 October 2010

Programs close very frequently because of Data Execution Prevention

Data Execution Prevention (DEP) is a security feature that helps prevent damage from viruses and other security threats by monitoring your programs to make sure they use system memory safely. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.

This happened to me very frequently. For example, when using IE, FF and Opera, the browser would suddenly terminate and close. The same happened while working with Adobe, MS Office and OpenOffice.

I opened Task Manager and found a program that looked strange to me, DOIMEK.EXE.
The file resided in the user's home directory. I noticed another file, ALG.EXE, of the same size, with SHR attributes and dated 2010-10-21.

I ran msconfig and, in the Startup tab, unchecked Doimek.exe and one other entry whose name I forget, so that they would not load at startup.
After rebooting, CPU usage was still too high for a long time, especially for doimek.exe.


Googling doimek.exe and alg.exe gave no relevant results at the time of writing this post; I may be wrong about those files, but I removed them from my machine and CPU usage went down.

Pinging General Failure after uninstalling Norton

My machine has Vista installed, with Norton as anti-virus and Internet security.
I removed Norton using Uninstall in Vista's Control Panel and could not find
any uninstallation program that came with it.
The anti-virus is gone, but two LiveUpdate services and one service named something like Symantec Application ... (I forget the complete name) still remained. They could not be uninstalled. I left them as they were, then tried to work with my local web, with these results:

- My local web could not be reached.
- I tried three different database software packages to test the local connection, without success.
- A ping to a domain name, even localhost or 127.0.0.1, returned General Failure.
- As administrator, I tried to reset Winsock and IPv4/IPv6:
C:\Windows\System32>netsh winsock reset catalog
C:\Windows\System32>netsh int ipv4 reset reset.log
C:\Windows\System32>netsh int ipv6 reset reset.log
then restarted the machine; still General Failure.

Then I arrived here and used it to completely remove the Norton software.
It works again.

Sunday, 17 October 2010

SQL math

What is the result of these SQL statements?

SELECT 1/2, 2 - (2 * (1/2));

SELECT 1 * 1.52, 1.0 * 1.52, 1.0 * 1.520, 1.00 * 1.520;

Please try with any kind of database software!

Saturday, 09 October 2010

Using PHP Radius Extension


The FreeRADIUS server package includes several tools to assist in testing and using the server, among them radclient and radtest. For an application such as a web inventory system to work with RADIUS, the system has to talk to the RADIUS server through a RADIUS client. Today I use the PHP Radius extension as the RADIUS client.

PHP Radius client library
This package is a PECL extension for RADIUS (Remote Authentication Dial In User Service). It is based on the libradius of FreeBSD and allows clients to perform authentication and accounting by means of network requests to remote servers.


Auth_RADIUS
This package is a PHP wrapper around the PHP radius extension. There are different classes for the different authentication methods available through RADIUS. If we use CHAP-MD5 or MS-CHAP authentication, we also need the Crypt_CHAP package. In addition, for MS-CHAP authentication we need to enable the mhash and mcrypt extensions in php.ini. Documentation of the radius extension is available in the PHP manual at http://www.php.net/radius
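To show what such a client library does under the hood, here is an added example (my code for this page, not the PHP extension's, libradius's or FreeRADIUS's): one RFC 2865 Access-Request/Access-Accept exchange in Python with both sides in-process, covering PAP User-Password hiding, the CHAP-MD5 CHAP-Password attribute mentioned above, and the client-side check of the server's Response Authenticator. The user, password, shared secret and NAS address are constructed test values.

```python
"""Added example for this page (not code from pecl-radius, libradius or
FreeRADIUS): one RFC 2865 Access-Request / Access-Accept exchange with
both sides in-process.  Covers PAP User-Password hiding, the CHAP-MD5
CHAP-Password attribute, and the client's check of the server's Response
Authenticator.  User, password, shared secret and NAS address are
constructed test values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def attr(code, value):
    return struct.pack("BB", code, 2 + len(value)) + value


def parse_attrs(data):
    attrs, pos = {}, 0
    while pos < len(data):
        code, length = data[pos], data[pos + 1]
        attrs[code] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block 1 is XORed with
    MD5(secret + Request Authenticator), block i with MD5(secret + block i-1)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of 5.2; trailing NULs are padding (a password cannot end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def chap_response(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(user, password, secret, ident, nas_ip, chap=False):
    req_auth = os.urandom(16)                         # Request Authenticator
    attrs = [attr(USER_NAME, user),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    if chap:
        challenge = os.urandom(16)
        attrs += [attr(CHAP_PASSWORD, chap_response(ident, password, challenge)),
                  attr(CHAP_CHALLENGE, challenge)]
    else:
        attrs.append(attr(USER_PASSWORD, hide_password(password, secret, req_auth)))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(request, secret, users):
    """Toy server: check the credential, answer with a signed Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    expected, ok = users.get(attrs.get(USER_NAME)), False
    if code == ACCESS_REQUEST and expected is not None:
        if CHAP_PASSWORD in attrs:
            challenge = attrs.get(CHAP_CHALLENGE, req_auth)   # RA is the fallback challenge
            ok = attrs[CHAP_PASSWORD] == chap_response(attrs[CHAP_PASSWORD][0], expected, challenge)
        elif USER_PASSWORD in attrs:
            ok = reveal_password(attrs[USER_PASSWORD], secret, req_auth) == expected
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", reply, ident, 20) + req_auth + secret).digest()
    return build_packet(reply, ident, resp_auth, [])


def verify_response(request, response, secret):
    """Client side: trust the reply only if it was signed with the shared secret."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    calc = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(calc, response[4:20])


def authenticate(user, password, secret, users, chap=False):
    """Full round trip; True only for an Access-Accept that verifies."""
    req = access_request(user, password, secret, ident=7, nas_ip="10.10.10.10", chap=chap)
    resp = server_handle(req, secret, users)
    return verify_response(req, resp, secret) and resp[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    users = {b"alice": b"correct horse battery"}       # constructed test account
    print(authenticate(b"alice", b"correct horse battery", b"testing123", users))
    print(authenticate(b"alice", b"wrong", b"testing123", users, chap=True))
```

Two things the example makes visible that the wrapper hides: PAP only obscures the password with an MD5 keystream derived from the shared secret, so the secret's strength and a non-reused Request Authenticator are all that stand between a sniffer and the password; and a reply whose Response Authenticator does not verify must be dropped, otherwise anyone who can spoof the server's address can inject an Access-Accept.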

From the previous install, my system has these modules installed:
# php -m
[PHP Modules]
Core
date
ereg
gd
libxml
mysql
mysqlnd
pcre
Reflection
session
SPL
standard

I started the installation with the following sequence:

1. Install Auth_RADIUS, the PEAR wrapper classes for the RADIUS PECL extension.
# cd /usr/ports/net/pear-Auth_RADIUS
#make
===> Registering installation for pear-1.9.1
===> Returning to build of pear-Auth_RADIUS-1.0.6
===> Configuring for pear-Auth_RADIUS-1.0.6
===> Registering installation for pecl-radius-1.2.5
#make install
----------------------------------------------------------------------
Libraries have been installed in:
/usr/ports/net/pecl-radius/work/radius-1.2.5/modules
****************************************************************************
The following line has been added to your /usr/local/etc/php/extensions.ini
configuration file to automatically load the installed extension:
extension=radius.so
****************************************************************************
===> Returning to build of pear-Auth_RADIUS-1.0.6
===> Generating packing list
===> Generating temporary packing list
===> Checking if net/pear-Auth_RADIUS already installed
===> Installing examples in /usr/local/share/examples/pear/Auth_RADIUS.
install ok: channel://pear.php.net/Auth_RADIUS-1.0.6
===> Registering installation for pear-Auth_RADIUS-1.0.6

# make clean
===> Cleaning for pear-1.9.1 ###PEAR framework for PHP
===> Cleaning for php5-5.3.3_2
===> Cleaning for pecl-radius-1.2.5 ###Radius client library for PHP
===> Cleaning for php5-xml-5.3.3_2
===> Cleaning for pear-Auth_RADIUS-1.0.6 ###PEAR wrapper classes for the RADIUS PECL


2. Install the additional package, which adds the following lines to extensions.ini:
# cd /usr/ports/security/pear-Crypt_CHAP
extension=mcrypt.so
extension=hash.so

3. List the installed modules
# php -m
[PHP Modules]
Core
date
ereg
gd
hash
libxml
mcrypt
mhash
mysql
mysqlnd
pcre
radius
Reflection
session
SPL
standard
xml

# pear list
Installed packages, channel pear.php.net:
=========================================
Package Version State
Archive_Tar 1.3.7 stable
Auth_RADIUS 1.0.6 stable
Console_Getopt 1.2.3 stable
Crypt_CHAP 1.0.2 stable ### here version 1.0.2
PEAR 1.9.1 stable
Structures_Graph 1.0.3 stable


4. I had to upgrade Crypt_CHAP (replacing the mhash functions with hash functions, because I'm on PHP 5.3):
# pear upgrade
downloading Crypt_CHAP-1.5.0.tar ...
Starting to download Crypt_CHAP-1.5.0.tar (Unknown size)
........done: 22,528 bytes
upgrade ok: channel://pear.php.net/Crypt_CHAP-1.5.0
Installed packages, channel pear.php.net:
=========================================
Package Version State
Archive_Tar 1.3.7 stable
Auth_RADIUS 1.0.6 stable
Console_Getopt 1.2.3 stable
Crypt_CHAP 1.5.0 stable
PEAR 1.9.1 stable
Structures_Graph 1.0.3 stable

5. Restart Apache service
#apachectl graceful

6. Start RADIUS in debug mode



7. Test authentication



8. Use sample number 2 from here, modify the arguments as needed, and test it. It works.