
Simple Network Management Protocol (SNMP)

Chapter 2. Network management

2.2 Simple Network Management Protocol (SNMP)

For the management and control of complex, heterogeneous IT infrastructures and networks built from multi-vendor devices, standardized protocols and communication methods are needed. The Simple Network Management Protocol (SNMP) became generally accepted for the management of heterogeneous IP-based network structures. The primary objectives of SNMP-based network management are to reduce the complexity of the management functions and to have a standard network management protocol with which all vendors can comply.

The increased popularity and implementation of IP-based communications networks contributed to SNMP being established as the de facto standard for network management solutions. SNMP is supported by all network hardware providers and has proved very effective for the management of complex networks.

The Simple Network Management Protocol was developed by the International Standardization Organization (ISO) in 1988 as the universal network management solution. The SNMP standard is described in RFC 1157.

You can find the RFC (Request For Comment) documents on the following Web sites:

• www.rfc-editor.org

• www.rfc.net

Note: The SNMP architecture model is very simple and uses an open structure. The interfaces are open to all hardware and software providers.

The concept of SNMP and its extension SNMPv2 is essentially based on a distributed model. The first component is the network management program, a dedicated SNMP manager implemented on a network management station (NMS). The second component is the SNMP agents administered on the different network components and systems (routers, hubs, switches, servers, and so on). Figure 5 shows the basic concept.

Figure 5. Network management concept

SNMP network management operates according to a client/server principle. In this model, the SNMP agents represent the servers, which provide information about their structure and status to the management station. The NMS (the client in this model) polls the agents at regular intervals for status, topology, and other information needed for the administration and monitoring of the components.

The operating systems of today’s network components have such an agent for SNMP network management. The agent provides the local network and system parameters as well as status information of its components in a database structure, the management information base (MIB).

The following information is an example of data available in the MIB:

• ARP information


• Interface status

• Configuration data for hardware and software

• Performance data and error information

• Information on topology, connections, and protocols

This data available from the agent is the target of the network management station’s requests. The station selects the MIB fields of the SNMP agents through explicit requests, retrieves the required MIB information from the managed agents at configurable intervals, and processes it for visualization. Querying all network components in turn allows the network management station to build a complete topology and configuration database. On the basis of this information, the management station builds the topology view and shows the current status of the network infrastructure.

Querying performance and utilization data allows comprehensive performance analysis and reporting, which is the basis for performance management. Setting special MIB entries on the agents from the management station makes central control and remote configuration of the agents possible.

The SNMP protocol defines the option for agents to send “traps” carrying special status information. The agents send traps to the management station on status changes, errors, or other events. The network management station can react proactively with special actions and solve problems in the IT infrastructure. Modern network management systems, such as Tivoli’s NetView, provide very flexible event and error management functions for event processing and automated actions appropriate to the defined enterprise workflow.

2.2.1 IP network communication

For configuring and administering firewalls and other security functions (such as the access control lists (ACLs) of network routers), it is necessary to know which IP resources are needed for the communication between the network management station and the SNMP agents in both directions. See Table 2 for details.

Table 2. SNMP protocol

Function       Source       Destination   Protocol   Source Port   Dest. Port
SNMP Request   NM station   SNMP agent    UDP        >1023         161

SNMP is a UDP-based service. The SNMP agents of the network devices listen on UDP port 161. The network management station queries the required information from UDP port 161, using a source port greater than 1023.

Trap sending is also a UDP service. The agents send their traps to the management server, which listens for traps on port 162. NetView accepts traps sent over both UDP and TCP.

SNMP authentication between server and client is based on a “community” string. A read community string allows the NMS to read MIB data structures from the network device. A write community string allows the setting of MIB data at the SNMP agent and therefore the configuration of the network device. In today’s versions, SNMPv1 and SNMPv2, the communication is not encrypted, so you have to make sure that only authorized persons have access to the SNMP communication. In general, you do not want anyone unauthorized on the internal or external network to obtain SNMP information.

You need to ensure that only the authorized network management servers can manage your devices. There are different ways to do this:

• Secure the network devices from unauthorized SNMP access by choosing SNMP community strings different from the common community strings “public” and “write” for read and write access, respectively. Register the authorized management servers at the SNMP agents with their hostname and IP address. Registering these servers ensures that only the authorized stations have access to the provided management and configuration functions.

• Design a secure firewall architecture to prevent access to the management information of network components from the outside. Modern firewall applications provide effective functions against spoofing and hijacking attacks on the described client/server communication. (See Chapter 1, “Introduction to firewalls” on page 3 for details.) In general, do not allow just anyone to send SNMP queries to your network devices.
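The two points above (community strings travel in cleartext in SNMPv1/v2c, and only registered management stations should be querying agents) can be checked directly on traffic captured on UDP port 161. The following is an added example, not code from the book or from NetView: it decodes an SNMPv1/v2c datagram (ASN.1 BER) and reports the findings a defender would want. The registered station address 10.0.0.5 and the sample datagram are constructed.

```python
# Added example (not the book's code): decode SNMPv1/v2c datagrams (ASN.1 BER) and audit them
# against the policy described above. AUTHORIZED_NMS and the sample datagram are constructed.
AUTHORIZED_NMS = {"10.0.0.5"}                           # the one registered management station
DEFAULT_COMMUNITIES = {"public", "write", "private"}   # well-known defaults that must be replaced
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def _tlv(buf, pos):                      # one BER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(b):                             # BER OBJECT IDENTIFIER value -> dotted string
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                   # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def decode_snmp(datagram):               # -> version, community, PDU type, request-id, OIDs
    tag, msg, _ = _tlv(datagram, 0)
    if tag != 0x30: raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _tlv(msg, 0)           # INTEGER: 0 = SNMPv1, 1 = SNMPv2c
    _, community, pos = _tlv(msg, pos)   # OCTET STRING: the community, in cleartext
    pdu_tag, pdu, _ = _tlv(msg, pos)
    if pdu_tag not in PDU_NAMES: raise ValueError(f"unsupported PDU type 0x{pdu_tag:02x}")
    _, req_id, pos = _tlv(pdu, 0)
    pos = _tlv(pdu, _tlv(pdu, pos)[2])[2]          # skip error-status and error-index
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):           # each var-bind is SEQUENCE { OID, value }
        _, vb, pos = _tlv(varbinds, pos)
        oids.append(_oid(_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES[pdu_tag], "request_id": int.from_bytes(req_id, "big", signed=True), "oids": oids}

def audit(src_ip, datagram):             # findings for one request captured on UDP/161
    m, findings = decode_snmp(datagram), []
    if src_ip not in AUTHORIZED_NMS:
        findings.append(f"{m['pdu']} from unregistered station {src_ip}")
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {m['community']!r} sent in cleartext")
    if m["pdu"] == "SetRequest":
        findings.append("write access (SetRequest) attempted")
    return findings

# Constructed sample: SNMPv2c GetRequest, community "public", request-id 42, for sysDescr.0.
SAMPLE_GET = bytes.fromhex("30 26 02 01 01 04 06 70 75 62 6c 69 63 a0 19 02 01 2a 02 01 00"
                           "02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
```

Running `audit("192.168.7.9", SAMPLE_GET)` yields two findings (unregistered station, default community); the same bytes with the PDU tag changed to 0xA3 additionally report a write attempt.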


The new SNMP version, SNMPv3, which will become common in the future, extends the client/server authentication and encrypts the SNMP communication between server and clients.

Chapter 3, “Management across a single firewall” on page 41 describes the firewall and security aspects of the SNMP communication in detail and shows different communication scenarios and their configurations.