Secure management using HP Network Node Manager SPI for SNMPv3

Similar documents
HP Instant Support Enterprise Edition (ISEE) Security overview

QuickSpecs HP ProCurve Manager Plus 3.1

HP E-PCM Plus Network Management Software Series Overview

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Chapter 3 Managing System Settings

Configure SNMP. Understand SNMP. This chapter explains Simple Network Management Protocol (SNMP) as implemented by Cisco NCS 4000 series.

SNMP. Simple Network Management Protocol

SilverCreek Compare Versions

HP ProCurve Manager Plus 3.0

Configuring the Cisco APIC-EM Settings

SNMP Simple Network Management Protocol

CSC 4900 Computer Networks: Security Protocols (2)

CISCO EXAM QUESTIONS & ANSWERS

System Requirements. Things to Consider Before You Install Foglight NMS. Host Server Hardware and Software System Requirements

CISCO EXAM QUESTIONS & ANSWERS

Network Security. Thierry Sans

SNMP. Simple Network Management Protocol Philippines Network Operators Group, March Jonathan Brewer Telco2 Limited New Zealand

Configure Site Network Settings

Cisco Wide Area Application Services: Secure, Scalable, and Simple Central Management

DELL EMC OPENMANAGE ESSENTIALS (OME) SNMPV3 SUPPORT

SilverCreek SNMP Test Suite

IBM C IBM Security Network Protection (XGS) V5.3.2 System Administration.

Configuring SNMP. Information about SNMP CHAPTER

Security, Internet Access, and Communication Ports

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

HP Identity Driven Manager Software Series

Cryptography and Network Security

RSA NetWitness Logs. Trend Micro InterScan Messaging Security Suite. Event Source Log Configuration Guide. Last Modified: Tuesday, April 25, 2017

SNMP and Network Management

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Cryptography and Network Security. Sixth Edition by William Stallings

The Security feature available on the ME 1200 Web GUI allows you to set the security configurations for

Internet Engineering Task Force (IETF) Obsoletes: 5953 July 2011 Category: Standards Track ISSN:

Configuring SNMP. Understanding SNMP CHAPTER

Security Considerations for Cloud Readiness

Restrictions for SNMP use on Cisco IOS XR Software

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

CSCE 715: Network Systems Security

Configuring Simple Network Management Protocol

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

SilverCreek The World s Best-Selling SNMP Test Suite

Table of Contents. 2 MIB Style Configuration 2-1 Setting the MIB Style 2-1 Displaying and Maintaining MIB 2-1

External Alerting for Intrusion Events

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

Cisco RV180 VPN Router

Platform Settings for Firepower Threat Defense

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

ProCurve Manager Plus 2.3

Virtual Private Networks (VPN)

SNMP Agent Setup. Simple Network Management Protocol Support. SNMP Basics

CTS2134 Introduction to Networking. Module 08: Network Security

VPN Overview. VPN Types

Security, Internet Access, and Communication Ports

Configuring SNMP. About SNMP. SNMP Functional Overview

RSA NetWitness Logs. Event Source Log Configuration Guide

Infinite Device Management

Integration Guide. Auvik

Security, Internet Access, and Communication Ports

Xerox Device Agent Security and Evaluation Guide. November 2014 Version 5.1

IPSec. Overview. Overview. Levente Buttyán

HP OpenView Operations for UNIX: Advanced tools and techniques

Table of Contents. 2 MIB Style Configuration 2-1 Overview 2-1 Setting the MIB Style 2-1 Displaying and Maintaining MIB 2-1

HP JetAdvantage Security Manager. User Guide

N E T W O R K M A N A G E M E N T P R I N C I P L E S R E V I E W

The IPsec protocols. Overview

Access Security Guide for YA/YB.16.01

Configuring SNMP CHAPTER. This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point.

HP Load Balancing Module

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Sample excerpt. Virtual Private Networks. Contents

Software Update C.09.xx Release Notes for the HP Procurve Switches 1600M, 2400M, 2424M, 4000M, and 8000M

CSC 6575: Internet Security Fall 2017

RSA NetWitness Logs. MySQL Enterprise. Event Source Log Configuration Guide. Last Modified: Wednesday, November 15, 2017

Brocade Virtual Traffic Manager and Parallels Remote Application Server

ArubaOS-Switch Access Security Guide for YA/YB.16.04

Windows 2000 minimum SP3, Windows Server 2003, Windows XP minimum SP2, Windows 7 d. TCP/IP Communication at the ATM with connectivity to Internet

This chapter describes how to configure Simple Network Management Protocol (SNMP) to monitor the Cisco ASA.

Facilities Manager Technical Overview

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker NMRG Meeting October 19, 2003

MIB Browser Version 10 User Guide

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Radius, LDAP, Radius, Kerberos used in Authenticating Users

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

HP 6125G & 6125G/XG Blade Switches

Security Enhancements

HP 6125 Blade Switch Series

Russian Cyber Attack Warning and Impact on AccessEnforcer UTM Firewall

IDM Technical Overview

Configuring SNMP. Understanding SNMP CHAPTER

AplombTech Smart Router Manual

Configuring SNMP. Understanding SNMP CHAPTER

Develop Unified SNMP, XML, CLI, and Web-based Management for Embedded Real-Time Systems with MIBGuide

Defining IPsec Networks and Customers

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

SNMP and Network Management

For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference

Read the following information carefully, before you begin an upgrade.

Transcription:

IT Operations Network Management Secure management using HP Network Node Manager SPI for SNMPv3 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP Software Universe June 18-22, 2007 The Venetian Las Vegas, Nevada

HP OpenView Network Node Manager SPI for SNMPv3 David Reid, SNMP Research Jeff Case, SNMP Research 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Topics The new HP OpenView Network Node Manager SPI for SNMPv3 supports secure SNMP and SNMP management through firewalls. This session provides an overview and discussion of secure network management, including: The current Internet-Standard Management Framework; The security and administration features of SNMPv3; The technical architecture and configuration of the NNM SPI for SNMPv3; How to securely extend SNMP management through firewalls; 3 Elements of a complete solution

The current internet-standard management framework The security and administration features of SNMPv3 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

SNMP in one slide Manager Requests Get Set Responses Common organization structure for management information (SMI) One naming space for all management objects (MIB) Communications Protocol (SNMP) Notifications Agents Networking Equipment Servers PCs Software Applications 5

Features of SNMPv3: security and administration Security Authentication: who is doing the communicating Privacy: protection from disclosure Authorization: what operations are allowed (e.g., read, write, notify) Access control: what information objects can be read or written Administrative framework to support the above 6

SNMPv1/SNMPv2c NOT secure Attacker Managed device(s) Administrative workstation Firewall SNMPv1/v2 traffic HPOV NNM Managed system(s) 7

Secure SNMPv3 Attacker Managed device(s) Administrative workstation Firewall SNMPv3 traffic HP OV NNM with NNM SPI for SNMPv3 Managed system(s) 8

SNMPv3 includes everything in versions 1 and 2c plus Authentication User-based authentication of messages Privacy The ability to encrypt management messages Authorization The concept of users View-based access control Restriction on what data may be read/written Administrative framework to support the above 9

Authentication The process of reliably determining the identity of the sender of a message Verify that the message received is the one sent Protects against following threats: Masquerade (spoof sender) Modification of information (change content) Modification of message stream (timing, limited replay) Standard specifies MD5 and SHA1 for strong authentication Private key model with localized keys More than good enough for virtually all applications today 10

Privacy Protection from the unauthorized disclosure of data Encrypt SNMP payload for privacy Private key model with localized keys Standard specifies DES (56-bit) Standard is extensible for stronger cryptography Triple-DES (168-bit keys) AES (128, 192, and 256 bit keys) Others possible 11

Authorization Each request is associated with a SNMPv3 user (system, person, or role) A user is a member of a group Mechanism to specify what each network manager (user) can do (read, write, notify) The management application determines how its users (operators) map to SNMPv3 users 12

Access control Like authorization, access control is performed by group Every SNMPv3 group (and therefore every user) has three associated lists of what objects can be accessed on each device (read, write, notify) This is very fine grained, down to individual instances, if desired Simple or complex combinations Examples: Read access to all network statistics Read/write access to configure notifications (e.g., traps) 13

SNMPv3 Administrative Framework All of this configuration information is stored in Management Information Base (MIB) tables Administrative subsystems defined by standards 14 User-based Security Model (USM) View-based Access Control Model (VACM) Standard supports remote configuration of: Users Groups Views Keys (generated from pass-phrases) Older versions including community strings, if any

SNMPv3 typical deployment scenarios A few user names are associated with management stations (e.g., ow1, nnmbldg4) Authentication used for all communications Both authentication and privacy used for sets Authentication and privacy used for retrieval of sensitive information (e.g., routing tables) SNMP security configuration management is done by 15 Hand: editing or copying over local configuration files Security configuration distribution application(s) via SNMPv3 set requests

HP OpenView NNM and SNMPv3 Desired solution Manage using familiar tools and procedures (e.g., NNM) Manage using existing complementary applications Manage using appropriate SNMP level SNMPv1 and SNMPv2c for monitoring older devices in trusted environments SNMPv3 for managing critical systems in less trusted regions SNMPv3 for managing remote sites through less trusted regions SNMPv3 for all configuration operations Common repository for security configuration data 16

Security solution HP OpenView NNM = HP OpenView NNM SPI for SNMPv3 Secure Management 17

HP OpenView NNM SPI for SNMPv3 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

HP OpenView NNM SPI for SNMPv3 Integration was jointly developed by HP and SNMP Research Maps outbound SNMP requests to SNMPv3 requests sent to target agent Converts SNMPv3 responses from agent and sends back to NNM Receives notifications (traps and informs) Includes security configuration datastore Includes SNMPv3 Configuration Wizard application 19

HP OpenView NNM SPI for SNMPv3 HP OpenView NNM SPI for SNMPv3 20

Secure SNMP management through firewalls 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Management challenges presented by firewalls Many sites continue to depend on legacy (i. e., SNMPv1 and SNMPv2c) SNMP versions which provide no security Network administrators are reluctant to allow SNMP-based management through firewalls In many sites, nearly all UDP traffic is disallowed across firewalls Many SNMP agents in managed devices are not adequately configured or configurable to restrict the management information they divulge Many sites disable ICMP across firewalls 22

HP OpenView NNM secure polling agent Manage securely to multiple isolated sites over insecure Internet infrastructure Manage SNMPv1/SNMPv2c devices behind a firewall Preserve vast investment in SNMP-based management Do not have to upgrade all devices inside the firewall May want to upgrade to defend against threats from within Manage SNMPv3 devices behind a firewall that does not allow any SNMP traffic through the firewall 23

HP OpenView NNM Secure Polling Agent HP OpenView NNM SPI for SNMPv3 HP OpenView Secure Polling Agent 24

SNMPv3 over UDP through firewalls OV NNM plus the NNM SPI for SNMPv3 SNMPv3 / UDP through firewalls Sun HP Internet Device with SNMP Agent Linu x XP Internet Device with SNMP Agent 25

Management traffic in XML tunnel through firewalls OV NNM plus the NNM SPI for SNMPv3 HP OpenView NNM Secure Polling Agent SNMPv1/v2/v3 over UDP locally Management Information in XML over SSL over TCP through firewalls HP OpenView NNM Secure Polling Agent Sun HP Internet Device with SNMP Agent Linu x XP Internet Device with SNMP Agent 26

Key elements of a complete solution Secure agents Secure management applications Administrative policies Configuration management of users, keys, etc Coexist with legacy systems 27

Secure agents SNMPv3 agents available on most networking devices SNMPv3 agents available on most open operating systems and embedded real-time operating systems For integrated network and system management, smart agents based on SNMPv3 are available Support common SNMPV3 administrative framework Network monitoring Host resource monitoring File system monitoring Critical application monitoring Log file monitoring Service monitoring 28

Secure management applications HP OpenView Network Node Manager with HP OpenView NNM SPI for SNMPv3 After initial configuration, NNM functions work transparently MIB browser Node polling Data collection Partner applications which use NNM SNMP stack will also work transparently 29

Administrative policies Parts of an enterprise security policy include: Who can see what? Who can change what? How are users defined? What level of authentication? What level of encryption? How often are keys changed? Who can change security configurations? How are configurations changed/audited? 30

Configuration management issues Users, keys, notifications, etc. must be configured on both managers and agents Keys are generated from pass-phrases, passphrases not stored on managed devices Keys need to be changed periodically Configuration must be updated in a timely manner (e.g., deny rights to a terminated employee) Configuration needs to be done remotely from a security management station, using a secure and private method 31

Configuration management issues Need to configure manager platforms and agents in accordance with enterprise policies Can do it with vi or edit but really need something more friendly and powerful Security dependent on correct configurations Wizard and/or policy-based tools Configurable agents Configurable managers 32

Configuration management issues Configuration management applications are very helpful to reduce complexity and human error One agent at a time wizard application Policy-based, multiple-target distribution application 33

SNMPv3 configuration wizard 34

Policy-based SNMP configuration management 35

Coexist with legacy systems Some managed systems will not have SNMPv3 agents Cannot upgrade all agents at once NNM SPI for SNMPv3 is multi-lingual, so fully supports a heterogeneous SNMPv1/ SNMPv2c/SNMPv3 agent environment Old agent, old packet, old rules, old response New agent, new packet, new rules, new response Properly handle SNMPv1 traps Properly handle SNMPv2c traps and informs 36

Summary SNMPv3 provides secure management capabilities Secure SNMPv3 is available in today using the HP OpenView NNM SPI for SNMPv3 and SNMPv3 enabled agents HP OpenView Network Node Manager, the HP OpenView NNM SPI for SNMPv3, and the HP OpenView NNM Secure Polling Agent allows secure management through firewalls, even when managing SNMPv1/SNMPv2c devices After security credentials have been configured, operation using the NNM SPI for SNMPv3 is transparent to NNM functions Available today from HP or SNMP research. 37

Thank you! 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

HP OpenView NNM SPI for SNMPv3 NNM SPI for SNMPv3 SNMPv3 SPI supporting SNMPv3 standards: User-based Security Model View-based Access Control Model Monitor network devices using appropriate SNMP security level: SNMPv3, SNMPv2c, or SNMPv1 NNM Management Traffic in XML tunnel through Firewalls SNMPv1/v2/v3 over UDP locally SNMPv1/v2/v3 over UDP locally secure polling agent NNM Secure Polling Agent Securely manage DMZ Manage SNMPv1/SNMPv2c/SNMPv3 devices behind a firewall Securely manage multiple isolated sites over insecure Internet infrastructure 39

HP OpenView NNM Secure Polling Agent NNM SPI for SNMPv3 SNMPv3 SPI supporting SNMPv3 standards: User-based Security Model View-based Access Control Model Monitor network devices using appropriate SNMP security level: SNMPv3, SNMPv2c, or SNMPv1 NNM Management Traffic in XML tunnel through Firewalls SNMPv1/v2/v3 over UDP locally SNMPv1/v2/v3 over UDP locally secure polling agent NNM Secure Polling Agent Securely manage DMZ Manage SNMPv1/SNMPv2c/SNMPv3 devices behind a firewall Securely manage multiple isolated sites over insecure Internet infrastructure 40

41 HP Software Universe June 18-22, 2007 The Venetian Las Vegas, Nevada

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback