Is Unit V PDF

UNIT-V

Basic Concept of SNMP:
Simple Network Management Protocol (SNMP):
SNMP is used to check, one by one every day, whether all the network devices are working properly or not. If an organization has thousands of devices then this is a hectic task. To ease this, Simple Network Management Protocol (SNMP) is used.
Simple Network Management Protocol (SNMP) – SNMP is an application layer protocol which uses UDP port numbers 161/162. SNMP is used to monitor the network, detect network faults and sometimes even to configure remote devices.

What is SNMP?
Simple Network Management Protocol (SNMP) is an application-layer protocol defined by the Internet Architecture Board (IAB) in RFC 1157 for exchanging management information between network devices. It is a part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite.
SNMP is one of the widely accepted protocols to manage and monitor network elements. Most professional-grade network elements come with a bundled SNMP agent. These agents have to be enabled and configured to communicate with the network management system (NMS).

SNMP components –
There are 3 components of SNMP:
SNMP Manager: It is a centralized system used to monitor the network. It is also known as the Network Management Station (NMS).
SNMP agent: It is a software management module installed on a managed device. Managed devices can be network devices like PCs, routers, switches, servers etc.
Managed Devices: A managed device or network element is a part of the network that requires some form of monitoring and management, e.g. routers, switches, servers, workstations, printers, UPSs, etc.

Management Information Base (MIB) consists of information on the resources that are to be managed. This information is organized hierarchically. It consists of object instances which are essentially variables.
Every SNMP agent maintains an information database describing the managed device parameters. The SNMP manager uses this database to request the agent for specific information and further translates the information as needed for the Network Management System (NMS). This commonly shared database between the Agent and the Manager is called the Management Information Base (MIB). Typically these MIBs contain a standard set of statistical and control values defined for hardware nodes on a network. In short, MIB files are the set of questions that an SNMP Manager can ask the agent. The agent collects this data locally and stores it, as defined in the MIB. So, the SNMP Manager should be aware of these standard and private questions for every type of agent.

Fig 5.1 Architecture of SNMP

SNMP messages –
The different message types are:
Get: The SNMP manager sends this message to request data from the SNMP agent. It is simply used to retrieve data from the SNMP agent. In response to this, the SNMP agent responds with the requested value through a Response message.
GetNext: This message can be sent to discover what data is available on an SNMP agent. The SNMP manager can request data continuously until no more data is left. In this way, the SNMP manager can learn all the data available on the SNMP agent.
GetBulk: This message is used by the SNMP manager to retrieve a large amount of data at once from the SNMP agent. It was introduced in SNMPv2c.
Set: It is used by the SNMP manager to set the value of an object instance on the SNMP agent.
Response: It is a message sent from the agent upon a request from the manager. When sent in response to Get messages, it will contain the data requested. When sent in response to a Set message, it will contain the newly set value as confirmation that the value has been set.
Trap: These are messages sent by the agent without being requested by the manager. A trap is sent when a fault has occurred.
Inform: It was introduced in SNMPv2c and is used to identify whether the trap message has been received by the manager or not. The agents can be configured to send the trap continuously until an Inform message is received. It is the same as a trap but adds an acknowledgement that a trap does not provide.
The SNMPv3 protocol also facilitates remote configuration of the SNMP entities. It is defined by RFC 1905, RFC 1906, RFC 3411, RFC 3412, RFC 3414, RFC 3415.

This study source was downloaded by 100000861573692 from CourseHero.com on 12-09-2024 23:50:14 GMT -06:00
https://www.coursehero.com/file/144231838/IS-UNIT-Vpdf/
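The Get, GetNext, GetBulk, Set and Response exchange described above, as an added example (not code from the notes): a toy agent over an in-memory MIB, plus a manager-side walk built from repeated GetNext. The OIDs and values are constructed sample instances; comparing OIDs numerically rather than as dotted strings is what makes GetNext return the true lexicographic successor.

```python
"""Toy model of the SNMP manager/agent exchange over an in-memory MIB: Get,
GetNext, GetBulk, Set and the Response each produces. Added illustration, not
code from the notes; the OIDs/values are constructed sample instances from the
MIB-II system and interfaces groups (RFC 1213)."""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(text: str) -> OID:
    # "1.3.6.1.2.1.1.5.0" -> (1, 3, 6, 1, 2, 1, 1, 5, 0). Tuples compare
    # element by element numerically, which is the MIB's lexicographic order;
    # comparing the dotted strings would wrongly put ...2.10 before ...2.2.
    return tuple(int(part) for part in text.strip(".").split("."))

class Agent:
    """Holds the MIB (object instances) and answers manager requests."""

    def __init__(self, mib: Dict[str, object]) -> None:
        self.mib: Dict[OID, object] = {parse_oid(k): v for k, v in mib.items()}
        self.order: List[OID] = sorted(self.mib)

    def get(self, oid: str) -> Optional[object]:
        # Response to Get: the requested value, or None (noSuchInstance).
        return self.mib.get(parse_oid(oid))

    def get_next(self, oid: str) -> Optional[Tuple[str, object]]:
        # Response to GetNext: the first instance lexicographically after
        # oid, or None once the MIB is exhausted (endOfMibView).
        key = parse_oid(oid)
        for candidate in self.order:
            if candidate > key:
                return ".".join(map(str, candidate)), self.mib[candidate]
        return None

    def get_bulk(self, oid: str, max_repetitions: int) -> List[Tuple[str, object]]:
        # GetBulk (SNMPv2c): up to max_repetitions successive GetNext results
        # in a single Response instead of one round trip per instance.
        rows, current = [], oid
        while len(rows) < max_repetitions:
            nxt = self.get_next(current)
            if nxt is None:
                break
            rows.append(nxt)
            current = nxt[0]
        return rows

    def set(self, oid: str, value: object) -> Optional[object]:
        # Set: only an existing instance is changed; the Response echoes the
        # newly set value as confirmation, or None if the instance is unknown.
        key = parse_oid(oid)
        if key not in self.mib:
            return None
        self.mib[key] = value
        return self.mib[key]

def walk(agent: Agent, subtree: str) -> List[Tuple[str, object]]:
    """Manager-side discovery: repeat GetNext until the reply leaves subtree."""
    prefix = parse_oid(subtree)
    rows, current = [], subtree
    while True:
        nxt = agent.get_next(current)
        if nxt is None or parse_oid(nxt[0])[:len(prefix)] != prefix:
            return rows
        rows.append(nxt)
        current = nxt[0]

# Constructed sample MIB: sysDescr, sysUpTime, sysName, ifNumber, ifDescr.{1,2,10}
SAMPLE_MIB: Dict[str, object] = {
    "1.3.6.1.2.1.1.1.0": "edge-router",
    "1.3.6.1.2.1.1.3.0": 123456,
    "1.3.6.1.2.1.1.5.0": "rtr01",
    "1.3.6.1.2.1.2.1.0": 3,
    "1.3.6.1.2.1.2.2.1.2.1": "eth0",
    "1.3.6.1.2.1.2.2.1.2.2": "eth1",
    "1.3.6.1.2.1.2.2.1.2.10": "tun10",
}
```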

The interaction between these systems to provide the necessary data requested is depicted in the following figure:

Fig 5.2 Protocol context of SNMP

SNMP security levels –
This defines the type of security algorithm performed on SNMP packets. These are used only in SNMPv3. There are 3 security levels, namely:
1. noAuthNoPriv – This (no authentication, no privacy) security level uses a community string for authentication and no encryption for privacy.
2. authNoPriv – This security level (authentication, no privacy) uses HMAC with MD5 for authentication and no encryption is used for privacy.
3. authPriv – This security level (authentication, privacy) uses HMAC with MD5 or SHA for authentication, and encryption uses the DES-56 algorithm.

SNMP versions –
There are 3 versions of SNMP:
1. SNMPv1 – It uses community strings for authentication and uses UDP only.
2. SNMPv2c – It uses community strings for authentication. It uses UDP but can be configured to use TCP.
3. SNMPv3 – It uses Hash-based MAC with MD5 or SHA for authentication and DES-56 for privacy. This version uses TCP. Therefore the conclusion is: the higher the version of SNMP, the more secure it will be.

SNMPv1 Community facility and SNMPv3
SNMPv3 is the newest version of SNMP. Its primary feature is enhanced security. SNMPv3 defines the secure version of SNMP.
There are four main parts to the SNMPv3 architecture.

Figure 1. The primary parts of the SNMPv3 architecture

This illustration shows an example of the SNMPv3 architecture. The DPI2 subagent, SMUX peer, SNMP manager, and SNMP agent are shown. In addition, how they communicate with each other is shown.
• SNMP agent: The SNMP agent receives requests from, and makes responses to, the SNMP manager.
• DPI2 subagents: A DPI2 subagent, such as hostmibd, communicates with the DPI2 agent, which, in SNMPv3, is part of the SNMP agent.
• SMUX peers: An SNMP Multiplexing (SMUX) peer, such as gated, when started, will establish the connection to TCP 199 and will initialize the SMUX association.
• SNMP manager: The SNMP manager runs clsnmp, which is compatible with SNMPv1, SNMPv2c, and SNMPv3.
• MIB variables: Information on MIB variables can be found in the following locations.

Intruders:
The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system. The intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With
knowledge of some other user's password, an intruder can log in to a system and access all the information available on that system.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.
There are three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. The masquerader is likely to be an outsider.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. The misfeasor generally is an insider.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection. The clandestine user can be either an outsider or an insider.
Following are some examples of intrusion:
Performing a remote root compromise of an e-mail server
Defacing a Web server
Guessing and cracking passwords
Copying a database containing credit card numbers
Viewing sensitive data, including payroll records and medical information, without authorization

1) Logic Bombs
• Logic bombs are programmed threats that lie dormant in commonly used software for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained.
• Logic bombs usually are embedded in programs by software developers who have legitimate access to the system.
• Conditions required to trigger a logic bomb include the presence or absence of certain files, a particular day of the week, or a particular user running the application.
2) Trojan Horses
• Trojan horses resemble a program that the user wishes to run - a game, a spreadsheet, or an editor. While the program appears to be doing what the user wants, it actually is doing something else unrelated to its advertised purpose, and without the user's knowledge.
• For example, the user may think that the program is a game. While it is printing messages about initializing databases and asking questions like "What do you want to name your player?" and "What level of difficulty do you want to play?" the program may actually be deleting files, reformatting a disk, or otherwise altering information.

Viruses and related threats:
A virus is a piece of software that can "infect" other programs by modifying them. The modification includes a copy of the virus program, which then can go on to infect other programs.
A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run.
Once a virus is executing, it can perform any function, such as erasing files and programs.
Most viruses carry out their work in a manner that is specific to a particular operating system and in some cases specific to a particular hardware platform. Thus they are designed to take advantage of the details and weaknesses of particular systems.
A virus can be prepended or appended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program.
During its lifetime a typical virus goes through the following 4 phases:
Dormant Phase: The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit.
Propagation Phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk.
Triggering Phase: The virus is activated to perform the function for which it was intended.
Execution Phase: The function is performed. The function may be harmless or damaging.

Types of viruses:
Parasitic Virus: The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates when the infected program is executed.
Memory-resident Virus: Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.
Boot-Sector Virus: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
Stealth Virus: A form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic Virus: A virus that mutates with every infection, making detection by the "signature" of the virus impossible.
Metamorphic Virus: A metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.
Macro Virus
Macro viruses infect files that are created using certain applications or programs that contain macros. These mini-programs make it possible to automate a series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.
Examples of macro viruses: Relax, Melissa.A, Bablas, O97M/Y2K.
E-Mail viruses:
A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then,
• The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package.
• The virus does local damage.
Worms:
• A worm is a program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again.
• In addition to propagation, the worm usually performs some unwanted function. An e-mail virus has some of the characteristics of a worm, because it propagates itself from system to system. A worm actively seeks out more machines, and each infected machine becomes a launching pad for attacks on other machines.
• Network worm programs use network connections to spread from system to system. Once active within a system, a network worm can behave as a computer virus or bacteria, or it could implant Trojan horse programs or perform any number of disruptive or destructive actions.

Firewall:
A firewall is a security barrier between two networks that screens traffic coming in and out of the gate of one network to accept or reject connections and services according to a set of rules.
A firewall is like a secretary for a network which examines requests for access to the network. It decides whether they pass a reasonableness test. If they pass it they are allowed through and if not they are refused.
1. There are essentially three types of firewalls. Each type of firewall filters packets by examining the data up to a particular layer of the network protocol stack. The firewalls are:
i. A packet filter is a firewall that operates at the network layer.
ii. A stateful packet filter is a firewall that lives at the transport layer.
iii. An application proxy is a firewall that operates at the application layer, where it functions as a proxy.

Circuit-level gateway:
A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) connection security, and works between an Open Systems Interconnection
(OSI) network model's transport and application layers, such as the session layer. Unlike application gateways, circuit-level gateways monitor TCP data packet handshaking and session fulfillment of firewall rules and policies.

Firewall Design Principles:
i. All traffic from inside to outside and vice versa must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. The configurations used for this are the Screened Host Firewall (Single and Dual) and the Screened Subnet Firewall.
ii. Only authorized traffic as defined by the local security policy will be allowed to pass. Various types of firewalls that can be used are Packet Filters, Stateful Filters and Application Proxy Filters.
iii. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.

Techniques for Control:
Four general techniques that firewalls use to control access and enforce security policy are as follows:
i. Service Control: This determines the types of internet services that can be accessed inbound or outbound.
ii. Direction Control: This determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
iii. User Control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter.
iv. Behavior Control: Controls how particular services are used.

Limitations of Firewalls:
i. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
ii. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
iii. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and impossible for the firewall to scan all incoming files for viruses.

Trusted system: (trusted computer system or trusted operating system)
A trusted system is a system that is relied upon to a specified extent to enforce a specified security policy.
(Or)
The extent to which someone who relies on a system can have confidence that the system meets its specifications (degree of assurance).

Initially the trusted system was based on the reference monitor concept, depicted in the figure below. The reference monitor is a controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters of the subject and object.

Fig 5.5 The reference monitor concept
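The reference monitor's regulation of subjects' access to objects, as an added example that is not from the notes: every read or write goes through one check that compares the security parameters of subject and object and appends a record to an audit file. The rules applied (no read up, no write down), the levels and all names are assumptions.

```python
"""Toy reference monitor: one function mediates every access of a subject to
an object, decides from the security parameters of both (a level plus a set of
compartments) and writes an audit record. Added illustration, not from the
notes; the rules used (no read up, no write down) and all names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A's compartments
        # include all of B's: the partial order both rules are stated in.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

AuditRecord = Tuple[str, str, str, bool]

@dataclass
class ReferenceMonitor:
    subjects: Dict[str, Label]               # subject -> clearance
    objects: Dict[str, Label]                # object -> classification
    audit: List[AuditRecord] = field(default_factory=list)  # audit file

    def check(self, subject: str, obj: str, mode: str) -> bool:
        """Complete mediation: the only decision point for read/write."""
        if subject not in self.subjects or obj not in self.objects:
            decision = False     # unknown principal or object: fail closed
        elif mode == "read":     # simple security property: no read up
            decision = self.subjects[subject].dominates(self.objects[obj])
        elif mode == "write":    # *-property: no write down
            decision = self.objects[obj].dominates(self.subjects[subject])
        else:
            decision = False
        self.audit.append((subject, obj, mode, decision))
        return decision

    def denied(self) -> List[AuditRecord]:
        return [rec for rec in self.audit if not rec[3]]

# Constructed sample policy database.
SUBJECTS = {"alice": Label("secret", frozenset({"crypto"})),
            "bob": Label("confidential")}
OBJECTS = {"payroll.db": Label("confidential"),
           "key-schedule.txt": Label("secret", frozenset({"crypto"})),
           "public-notice.txt": Label("unclassified")}

def demo() -> List[bool]:
    rm = ReferenceMonitor(SUBJECTS, OBJECTS)
    return [
        rm.check("alice", "payroll.db", "read"),          # read down: allowed
        rm.check("bob", "key-schedule.txt", "read"),      # read up: denied
        rm.check("alice", "public-notice.txt", "write"),  # write down: denied
        rm.check("bob", "key-schedule.txt", "write"),     # write up: allowed
        rm.check("mallory", "payroll.db", "read"),        # unknown: denied
    ]
```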
Intrusion detection systems (IDS):
An Intrusion Detection System (IDS) is defined as a device or software application which monitors the network or system activities and finds whether any malicious activity occurs. The outstanding growth and usage of the internet raises concerns about how to communicate and protect digital information safely.
In a number of cases, absolute protection is not feasible, but it is practical to detect security attacks. For example, there are intrusion detection systems designed to detect the presence of unauthorized individuals logged onto a system. An IDS is a set of automated tools designed to detect unauthorized access to a host system, and abnormal traffic will be notified if detected.

Types of Intrusion-Detection systems
Network Intrusion Detection System: identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.
Weaknesses: A network-based IDS, on the other hand, only examines network traffic on the segment to which it is directly connected; it cannot detect an attack that travels through a different network segment.
Host-based Intrusion Detection System: consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.
Weaknesses: Host-based systems require installation on the particular device that you wish to protect.
Hybrid Intrusion Detection System: combines one or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

INTRUDERS
One of the most publicized attacks on security is the intruder, generally referred to as a hacker or cracker. Three classes of intruders are as follows:
Masquerader – an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user – an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

The following techniques are used for learning passwords.
• Try default passwords used with standard accounts. Many administrators do not bother to change these defaults.
• Exhaustively try all short passwords.
• Try words in the system's online dictionary or a list of likely passwords.
• Collect information about users such as their full names, the names of their spouse and children, pictures in their office and books in their office that are related to hobbies.
• Try users' phone numbers, social security numbers, and all legitimate license plate numbers.

Principal countermeasures:
Detection – concerned with learning of an attack, either before or after its success.
Prevention – a challenging security goal and an uphill battle at all times.
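An added example (not from the notes) of the detection side of a host-based IDS: the analysis of application logs described above, run over constructed sshd-style login lines to flag probing of default accounts, password guessing within a time window, and a successful login that follows such a burst. The addresses, thresholds and account list are assumptions.

```python
"""Threshold-and-signature checks over host authentication logs, the kind of
analysis a host-based IDS applies to application logs. Added illustration, not
from the notes; the log lines are constructed in OpenSSH sshd style, the
addresses are from the 203.0.113.0/24 documentation range, and the account
list, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "test"}  # standard accounts
FAIL_THRESHOLD = 5    # failures from one source inside WINDOW_S -> alert
WINDOW_S = 60

def parse(line: str, year: int = 2024) -> Dict[str, object]:
    """Return ts/ok/user/src for a login line, or {} for anything else."""
    m = LINE.match(line)
    if not m:
        return {}
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}

def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (alert_type, source) pairs, at most one per type per source."""
    alerts: List[Tuple[str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    bursting = set()   # sources that crossed the guessing threshold

    def alert(kind: str, src: str) -> None:
        if (kind, src) not in alerts:
            alerts.append((kind, src))

    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["ok"]:
            if src in bursting:   # a guess finally worked: likely compromise
                alert("success-after-guessing", src)
            continue
        if ev["user"] in DEFAULT_ACCOUNTS:
            alert("default-account-probe", src)
        # sliding window of recent failures from this source
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= WINDOW_S]
        recent.append(ts)
        failures[src] = recent
        if len(recent) >= FAIL_THRESHOLD:
            bursting.add(src)
            alert("password-guessing", src)
    return alerts

# Constructed sample log (sshd style).
SAMPLE_LOG = [
    "Dec  9 23:50:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50110 ssh2",
    "Dec  9 23:50:03 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 50111 ssh2",
    "Dec  9 23:50:05 host1 sshd[2203]: Failed password for alice from 203.0.113.7 port 50112 ssh2",
    "Dec  9 23:50:07 host1 sshd[2204]: Failed password for alice from 203.0.113.7 port 50113 ssh2",
    "Dec  9 23:50:09 host1 sshd[2205]: Failed password for alice from 203.0.113.7 port 50114 ssh2",
    "Dec  9 23:50:12 host1 sshd[2206]: Accepted password for alice from 203.0.113.7 port 50115 ssh2",
    "Dec  9 23:51:40 host1 sshd[2207]: Failed password for bob from 203.0.113.9 port 40022 ssh2",
]
```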
Firewall Design Principles
• A firewall is a security barrier between two networks that screens traffic coming in and out of the gate of one network to accept or reject connections and services according to a set of rules.
• For a firewall to be effective the design of the firewall should be efficient. The various principles that should be adopted while designing a firewall are as follows:

Firewall Characteristics:
i. All traffic from inside to outside and vice versa must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall.
ii. Only authorized traffic as defined by the local security policy will be allowed to pass. Various types of firewalls that can be used are Packet Filters, Stateful Filters and Application Proxy Filters.
iii. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.

Techniques for Control:
Four general techniques that firewalls use to control access and enforce security policy are as follows:
i. Service Control: This determines the types of internet services that can be accessed inbound or outbound.
ii. Direction Control: This determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
iii. User Control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter.
iv. Behaviour Control: Controls how particular services are used.

Capabilities of Firewalls: The expectations from a firewall are as follows:
i. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits vulnerable services and provides protection from spoofing and routing attacks.
ii. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.
iii. A firewall is a convenient platform for several internet functions that are not security related, which include a network address translator and a network management function.
iv. A firewall can serve as the platform for IPsec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.

Limitations of Firewalls:
i. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.
ii. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
iii. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and impossible for the firewall to scan all incoming files for viruses.
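Service control, direction control and the packet filter versus stateful packet filter distinction from the notes, as an added example that is not the notes' own: both filters are run over the same constructed packet sequence, and only the stateless one admits an ACK-only packet that matches no connection. The rule set, addresses and packets are all assumptions.

```python
"""Toy packet filter beside a stateful packet filter, applying the service and
direction controls from the notes and showing why connection state matters.
Added illustration, not from the notes; the rule set, the addresses (RFC 5737
documentation ranges and 10.0.0.0/8) and the packet sequence are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from outside) or "out" (leaving)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK

@dataclass(frozen=True)
class Rule:
    direction: str   # direction control: which side may initiate
    proto: str
    dport: int       # service control: which service
    action: str      # "allow" or "deny"

RULES = [
    Rule("out", "tcp", 443, "allow"),   # inside hosts may open HTTPS
    Rule("out", "udp", 53, "allow"),    # and query external DNS
    Rule("in", "tcp", 25, "allow"),     # outside may deliver mail to the MTA
]

def rule_match(p: Packet) -> str:
    for r in RULES:
        if (r.direction, r.proto, r.dport) == (p.direction, p.proto, p.dport):
            return r.action
    return "deny"   # default deny

def stateless_filter(p: Packet) -> str:
    # A network-layer packet filter has no memory of connections, so to let
    # replies back in it has to trust the packet's own ACK bit.
    if p.direction == "in" and p.proto == "tcp" and "A" in p.flags:
        return "allow"
    return rule_match(p)

class StatefulFilter:
    """Transport-layer filter: remembers connections it allowed to start."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        # Reply to a connection we recorded: allowed whatever its flags say.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow"
        # Otherwise it must be a permitted initiation (a bare SYN for TCP);
        # an ACK-only packet with no matching state is stray or forged.
        if p.proto == "tcp" and p.flags != "S":
            return "deny"
        action = rule_match(p)
        if action == "allow":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

def run(packets: List[Packet]) -> List[Tuple[str, str]]:
    """(stateless decision, stateful decision) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]

# Constructed packet sequence.
SAMPLE = [
    Packet("out", "tcp", "10.0.0.5", 51000, "198.51.100.5", 443, "S"),  # browse
    Packet("in", "tcp", "198.51.100.5", 443, "10.0.0.5", 51000, "SA"),  # reply
    Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 3389, "A"),     # ACK, no state
    Packet("in", "tcp", "203.0.113.7", 40000, "10.0.0.5", 445, "S"),    # SMB probe
    Packet("in", "tcp", "203.0.113.8", 40001, "10.0.0.10", 25, "S"),    # mail
]
```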