UNIT - VII
Basic concepts of SNMP, SNMPv1 Community facility and SNMPv3. Intruders, Viruses and related threats.

7.1 BASIC CONCEPTS OF SNMP

Network Management Architecture

A network management system is a collection of tools for network monitoring and control that is integrated in the following senses:
+ A single operator interface with a powerful but user-friendly set of commands for performing most or all network management tasks.
+ A minimal amount of separate equipment. That is, most of the hardware and software required for network management is incorporated into the existing user equipment.

A network management system consists of incremental hardware and software additions implemented among existing network components. The software used in accomplishing the network management tasks resides in the host computers and communications processors. A network management system is designed to view the entire network as a unified architecture, with addresses and labels assigned to each point and the specific attributes of each element and link known to the system.

The model of network management that is used for SNMP includes the following key elements:
+ Management station
+ Management agent
+ Management information base
+ Network management protocol

The management station is typically a stand-alone device that serves as the interface for the human network manager into the network management system. The management agent responds to requests for information from a management station, responds to requests for actions from the management station, and may asynchronously provide the management station with important but unsolicited information. To manage resources in the network, each resource is represented as an object. An object is essentially a data variable that represents one aspect of the managed agent. The collection of objects is referred to as a management information base (MIB). The management station and agents are linked by a network management protocol.
The protocol used for the management of TCP/IP networks is the Simple Network Management Protocol (SNMP). This protocol includes the following key capabilities:
+ Get: Enables the management station to retrieve the value of objects at the agent.
+ Set: Enables the management station to set the value of objects at the agent.
+ Notify: Enables an agent to notify the management station of significant events.

P. Madhuravani

Network Management Protocol Architecture

SNMP is a simple tool for network management. It defines a limited, easily implemented management information base (MIB) of scalar variables and two-dimensional tables, and it defines a streamlined protocol to enable a manager to get and set MIB variables and to enable an agent to issue unsolicited notifications, called traps. SNMP was designed to be an application-level protocol that is part of the TCP/IP protocol suite. It is intended to operate over the User Datagram Protocol (UDP), defined in RFC 768. Because UDP is connectionless, there is no session state for the agent to rely on: each request datagram must itself carry everything the agent needs to decide whether to honour it.

7.2 SNMPv1 COMMUNITY FACILITY

SNMP network management has several characteristics not typical of all distributed applications. The application involves a one-to-many relationship between a manager and a set of agents: the manager is able to get and set objects in the agents and is able to receive traps from the agents. Thus, from an operational or control point of view, the manager "manages" a number of agents. There may be a number of managers, each of which manages all or a subset of the agents in the configuration. These subsets may overlap. Each agent controls its own local MIB and must be able to control the use of that MIB by a number of managers. There are three aspects of this control:
+ Authentication service: The agent may wish to limit access to the MIB to authorized managers.
+ Access policy: The agent may wish to give different access privileges to different managers.
+ Proxy service: An agent may act as proxy for other agents.
This may involve implementing the authentication service and/or access policy for the other agents on the proxy system.

An SNMP community is a relationship between an SNMP agent and a set of SNMP managers that defines authentication, access control, and proxy characteristics. The community concept is a local one, defined at the agent. The agent establishes one community for each desired combination of authentication, access control, and proxy characteristics. Each community is given a unique (within this agent) community name, and the managers within that community are provided with and must employ the community name in all get and set operations. The agent may establish a number of communities, with overlapping manager membership.

Authentication Service

The purpose of the SNMPv1 authentication service is to assure the recipient that an SNMPv1 message is from the source that it claims to be from. SNMPv1 only provides for a trivial scheme for authentication. Every message (get or set request) from a manager to an agent includes a community name. This name functions as a password, and the message is assumed to be authentic if the sender knows the password. The community name is carried in cleartext in every datagram, so anyone who can observe the traffic learns it and can then issue requests of their own; this is the weakness that the SNMPv3 security capability (Section 7.3) is designed to remove.

Access Policy

By defining a community, an agent limits access to its MIB to a selected set of managers. By the use of more than one community the agent can provide different categories of MIB access to different managers. There are two aspects to this access control:
+ SNMP MIB view: A subset of the objects within a MIB. Different MIB views may be defined for each community. The set of objects in a view need not belong to a single sub-tree of the MIB.
+ SNMP access mode: An element of the set {READ-ONLY, READ-WRITE}. An access mode is defined for each community.

Figure: SNMPv1 administrative concepts (SNMP community, community name, SNMP access policy).
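The cleartext community name can be read straight off the wire. The block below is an added example, not part of the lecture notes: a minimal BER encoder and decoder for an SNMPv1 GetRequest (the RFC 1157 message layout) in Python, using a constructed request for sysDescr.0 with community "public" as sample input. It shows that whoever captures the datagram recovers the community name simply by parsing it, and that the name is even visible as a plain substring of the raw bytes. Only non-negative INTEGERs are encoded, which is all a GetRequest needs.

```python
# Added example (not from the lecture notes): minimal BER encoding/decoding of an
# SNMPv1 GetRequest, showing that the community name travels in cleartext.

SNMP_V1 = 0
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0          # context-specific, constructed, tag [0]


def _ber_length(n):
    """BER length octets: short form below 128, long form (0x80 | count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def enc_int(value):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    assert value >= 0, "only non-negative integers are encoded here"
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def build_get_request(community, oid, request_id):
    """SNMPv1 Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(TAG_SEQUENCE, enc_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GET_REQUEST,
              enc_int(request_id) + enc_int(0) + enc_int(0)   # request-id, error-status, error-index
              + tlv(TAG_SEQUENCE, varbind))
    return tlv(TAG_SEQUENCE,
               enc_int(SNMP_V1) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(buf):
    """What a passive observer sees: the whole message, community name included."""
    tag, msg, _ = _read_tlv(buf, 0)
    assert tag == TAG_SEQUENCE, "not an SNMP message"
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)         # error-status (always 0 in a request)
    _, _, pos = _read_tlv(pdu, pos)         # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(dec_oid(oid_body))
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode(),
        "pdu_type": pdu_tag,
        "request_id": int.from_bytes(request_id, "big"),
        "oids": oids,
    }


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 1)   # constructed sample: sysDescr.0
    print(pkt.hex())
    print(parse_message(pkt))
    print("community visible in raw bytes:", b"public" in pkt)
```

The decoder does nothing clever: the community name is an ordinary OCTET STRING two fields into the message, which is why a sniffer on the management segment, or anyone able to spoof a source address, can reuse it in a Set request against a READ-WRITE community.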
7.3 SNMPv3

SNMPv3 defines a security capability to be used in conjunction with SNMPv2 (preferred) or SNMPv1. The figure indicates the relationship among the different versions of SNMP by means of the message formats involved.

Figure: SNMP message formats by version (V3-MH = SNMPv3 message header; PDU = protocol data unit).

SNMP Architecture

The SNMP architecture defined in RFC 2571 consists of SNMP entities. These entities interact and are organized as an abstract set of functions and parameters that are used for passing control and data information. An entity acts as an agent node, a manager node, or both. An SNMP entity comprises a collection of individual units that communicate with each other in order to provide its functions. The RFC 2571 architecture reflects a key design requirement for SNMPv3: a modular architecture that
1. allows minimal, inexpensive services to be implemented across a broad spectrum of operating environments;
2. makes it possible to move parts of the architecture forward in the standard way even when general agreement has not been reached on all of its parts;
3. makes it possible to adopt other security models.

SNMP Entity

Each SNMP entity includes a single SNMP engine. An SNMP engine implements functions for sending and receiving messages, authenticating and encrypting/decrypting messages, and controlling access to managed objects. These functions are provided as services to one or more applications that are configured with the SNMP engine to form an SNMP entity.

Traditional SNMP manager

A traditional SNMP manager interacts with SNMP agents by issuing commands (get, set) and by receiving trap messages; the manager may also interact with other managers by issuing InformRequest PDUs, which provide alerts, and by receiving Inform Response PDUs, which acknowledge InformRequests. In SNMPv3 terminology, a traditional SNMP manager includes three categories of applications:
1. Command Generator Application
2. Notification Originator Application
3. Notification Receiver Application
Figure: Traditional SNMP manager (command generator, notification originator and notification receiver applications; dispatcher; message processing subsystem; user-based security model and other security models; transport mapping, e.g. RFC 1906; UDP; network).

Command Generator Application: This application examines and modifies the management data of remote agents. It uses the SNMPv1 and/or SNMPv2 message processing modules, which handle the Get, GetBulk, GetNext and Set messages.

Notification Originator Application: In a traditional SNMP manager, this application is responsible for initiating the transmission of asynchronous messages, namely InformRequest PDUs.

Notification Receiver Application: This application is responsible for processing incoming asynchronous messages, which may be InformRequest PDUs, SNMPv1 Trap PDUs or SNMPv2 Trap PDUs.

Traditional SNMP Agent

An SNMP agent consists of three kinds of applications:
1. Command Responder Application
2. Notification Originator Application
3. Proxy Forwarder Application

Figure: Traditional SNMP agent (proxy forwarder, command responder and notification originator applications; MIB instrumentation; dispatcher; message processing subsystem; transport mapping, e.g. RFC 1906; UDP; other SNMP entity).

Command Responder Application: This application provides access to management data. It is responsible for responding to every incoming request PDU, which it does by retrieving and/or modifying the managed data.

Notification Originator Application: In a traditional SNMP agent, this application initiates the transmission of asynchronous messages, namely Trap PDUs of both SNMPv1 and SNMPv2.

Proxy Forwarder Application: This application is responsible for forwarding messages between entities.

7.4 INTRUDERS

One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. Three classes of intruders can be distinguished:
+ Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
+ Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
+ Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

INTRUSION TECHNIQUES

The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruder to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user. Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it and learn passwords. The password file can be protected in one of two ways:
+ One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced.
+ Access control: Access to the password file is limited to one or a very few accounts.

A one-way function on its own does not stop guessing: an intruder who obtains the file can transform candidate passwords and compare the results offline, so the transformation should be deliberately slow and should include a per-user salt, and the two protections are normally used together.
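As an added example, not from the lecture notes, the block below stores passwords behind a salted, iterated one-way function (PBKDF2-HMAC-SHA-256 from the Python standard library) and then runs the guessing order reported in the cracker survey that follows (vendor defaults, short brute force, a likely-word list, personal information about the user) against stolen records. The word lists and the "user information" are constructed for the demo; the names make_record, check, candidates and crack are the example's own.

```python
# Added example (not from the lecture notes): a one-way-function password store and
# an offline guessing attack in the order the cracker survey lists. Lists are constructed.
import hashlib
import hmac
import itertools
import os
import string

DEFAULT_PASSWORDS = ["admin", "password", "root", "public", "private"]   # standard-account defaults
LIKELY_WORDS = ["letmein", "welcome", "qwerty", "123456"]                 # stand-in "likely passwords" list
SHORT_ALPHABET = string.ascii_lowercase + string.digits


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Password file entry: salt, cost and the one-way digest are stored, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check(record: dict, candidate: str) -> bool:
    """Login path: transform the presented password the same way and compare the outputs."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def candidates(user_info, max_short: int = 2):
    """Guesses in the survey's order: defaults, short brute force, word lists, personal data."""
    yield from DEFAULT_PASSWORDS
    for n in range(1, max_short + 1):                # exhaustive short passwords
        for tup in itertools.product(SHORT_ALPHABET, repeat=n):
            yield "".join(tup)
    yield from LIKELY_WORDS
    for item in user_info:                           # pet names, plates, room numbers, ...
        yield item
        yield item.capitalize()
        for year in range(1990, 2005):               # a common "name + year" pattern
            yield f"{item}{year}"
            yield f"{item.capitalize()}{year}"


def crack(record: dict, user_info, max_guesses: int = 10_000):
    """Offline attack on a stolen record; returns (recovered password or None, guesses tried)."""
    tried = 0
    for guess in candidates(user_info):
        if tried >= max_guesses:
            break
        tried += 1
        if check(record, guess):
            return guess, tried
    return None, tried


if __name__ == "__main__":
    info = ["sparky", "kl7", "madhu"]                # constructed facts about one user
    for pw in ["admin", "q7", "Sparky1999", "7fG!k2Lp#zR9wQ"]:
        print(pw, "->", crack(make_record(pw, iterations=1_000), info))
```

The weak passwords fall within a couple of thousand guesses whatever the hash; what the iteration count buys is cost per guess, and the per-user salt means one precomputed table cannot serve every record in the file.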
On the basis of a survey of the literature and interviews with a number of password crackers, the following techniques for learning passwords are reported:
+ Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
+ Exhaustively try all short passwords (those of one to three characters).
+ Try words in the system's online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards.
+ Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies.
+ Try users' phone numbers, Social Security numbers, and room numbers.
+ Try all legitimate license plate numbers for this state.
+ Use a Trojan horse to bypass restrictions on access.
+ Tap the line between a remote user and the host system.

7.5 VIRUSES AND RELATED THREATS

Malicious Programs (name: description)

Virus: Attaches itself to a program and propagates copies of itself to other programs.
Worm: Program that propagates copies of itself to other computers.
Logic bomb: Triggers action when condition occurs.
Trojan horse: Program that contains unexpected additional functionality.
Backdoor (trapdoor): Program modification that allows unauthorized access to functionality.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.
Auto-rooter: Malicious hacker tools used to break into new machines remotely.
Kit (virus generator): Set of tools for generating new viruses automatically.
Spammer programs: Used to send large volumes of unwanted e-mail.
Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial of service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Rootkit: Set of hacker tools used after the attacker has broken into a computer system and gained root-level access.
Zombie: Program activated on an infected machine that is activated to launch attacks on other machines.

Backdoor

A backdoor, also known as a trapdoor, is a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures.

Logic Bomb

One of the oldest types of program threat, predating viruses and worms, is the logic bomb. The logic bomb is code embedded in some legitimate program that is set to "explode" when certain conditions are met. Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.

Trojan Horses

A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function.

Zombie

A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial-of-service attacks, typically against targeted Web sites.
The Nature of Viruses

A virus is a piece of software that can "infect" other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. During its lifetime, a typical virus goes through the following four phases:
+ Dormant phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
+ Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
+ Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
+ Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.

Types of Viruses

The most significant types of viruses:
+ Parasitic virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.
+ Memory-resident virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
+ Boot sector virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
+ Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
+ Polymorphic virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
+ Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

Macro Viruses

In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are particularly threatening for a number of reasons:
1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
3. Macro viruses are easily spread. A very common method is by electronic mail.

E-mail Viruses

A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then:
1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
2. The virus does local damage.

Worms

A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function. To replicate itself, a network worm uses some sort of network vehicle. Examples include the following:
+ Electronic mail facility: A worm mails a copy of itself to other systems.
+ Remote execution capability: A worm executes a copy of itself on another system.
+ Remote login capability: A worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other.
