Network Management Protocols
Network management encompasses several different protocols that provide a wide variety of services used to manage a network. These services range from configuration management protocols, to monitoring and logging protocols, to time synchronization protocols.
Of primary concern when selecting which protocol type to use to achieve a particular management objective is the level of security that the proposed protocol provides. Inherently, some management protocols are much more secure than others that provide a similar function. Also, a newer version of the same protocol might provide an enhanced level of security compared to older versions.
Table 10-2 shows a list of network management protocols that are commonly used to manage a typical network and the particular functionality that each provides.
Table 10-2. For discussion purposes, protocols are grouped by network management usage type.
NOTE
The protocols discussed in the next sections are not the only protocols available for use in the management of a network. They are just the most common ones in use.
Remote-Access Protocols
The following remote-access protocols exist to assist a network administrator in the management of a network:
- Telnet
- SSH
- SSL
These protocols provide varying degrees of security, ranging from data being sent in clear text to the use of strong encryption and authentication.
Telnet
Telnet is a terminal-emulation protocol that is commonly used on TCP/IP-based networks. Telnet allows remote access to managed devices in clear text and, hence, provides the least secure remote-access method described here. The initiation of a Telnet session requires the user to log in to the device by entering valid authentication credentials, which normally consist of a username and password. This authentication can take place locally on the remote device or can be passed to an authentication server such as a RADIUS or TACACS+ server.
Telnet uses TCP port 23 to establish connections.
SSH
SSH is a secure shell program that you can use to log in to another remote networked device and execute commands. It was developed by SSH Communications Security, Inc., and provides strong authentication and secure communications over insecure data links.
SSH provides protection from Domain Name System (DNS) spoofing, IP spoofing, and IP source routing attacks. Should an intruder succeed in compromising a network, the most they can do is force an SSH session to be disconnected. An intruder is unable to play back or hijack the connection when encryption is enabled. Additionally, if an SSH session with encryption is used instead of a normal Telnet session, the login password and normal data are sent as cipher text, making it almost impossible for an intruder to collect passwords.
SSH uses TCP port 22 to establish connections, and its authentication methods include RSA, SecurID, and passwords.
SSL
SSL is a protocol that provides security and privacy over a connection. The protocol, developed by Netscape Communications Corporation, maintains the security and integrity of a communications link by using authentication and encryption.
SSL supports server and client authentication. When an SSL session is initiated, the server sends its public key to the client. The client then generates a random secret key, encrypts it with this public key, and sends it back to the server, thus completing a secret key exchange for the session.
SSL uses TCP port 443. During the initial exchange, or handshake process, the RSA public-key cryptosystem is used. After this key exchange is successful, several ciphers are available for use, including Rivest's Cipher 2 (RC2), RC4, International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES), and Triple-DES (3DES).
NOTE
Recently, SSL has been merged with other protocols and authentication methods by the IETF into a new protocol known as Transport Layer Security (TLS).
Reporting and Logging Protocol: Syslog
Syslog is a transport mechanism that is used to send event messages across a network. These events can be the result of the starting and stopping of a process, a threshold being reached, or the reporting of the current status of some condition or process.
All syslog data is sent in clear text between the managed device and the logging server or management console. The protocol has no mechanism for authentication, and no message integrity checking is performed to ensure that data has not been manipulated while in transit. Consequently, an intruder could alter the data contained in syslog messages in an attempt to confuse the network administrator or even to disguise their actions.
Syslog uses UDP port 514. To mitigate against syslog attacks, encrypt syslog traffic within an IPSec tunnel wherever possible.
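The following Python is an added example for this section, not code from the original text. It shows what a logging server actually receives on UDP port 514: a plain-text datagram whose only structure is the <PRI> header (facility and severity) followed by a timestamp, a hostname and the message. Because the protocol carries no authentication, the receiver can do no better than a consistency check between the hostname the message claims and the address the datagram came from; the inventory, the addresses and the sample datagrams below are all constructed for the example.

```python
"""RFC 3164-style syslog receiver logic (added example, not from the text).

Decodes the <PRI> header into facility and severity, falls back to the
RFC 3164 default (user.notice) when the PRI is missing or out of range,
and cross-checks the claimed hostname against a constructed inventory of
expected sender addresses.  The inventory is an assumption of this example."""

import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog(datagram: bytes) -> dict:
    """Split one UDP payload into facility, severity, timestamp, host, message."""
    text = datagram.decode("ascii", "replace")
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:          # valid PRI: 0..191
        pri, rest = int(m.group(1)), text[m.end():]
    else:
        pri, rest = 13, text                  # RFC 3164 default: user.notice
    facility, severity = divmod(pri, 8)
    h = _HEADER.match(rest)
    if h:
        ts, host, msg = h.group("ts"), h.group("host"), h.group("msg")
    else:
        ts, host, msg = None, None, rest      # no parsable header: keep raw text
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": ts, "host": host, "message": msg.rstrip("\r\n")}


def check_origin(src_ip: str, record: dict, inventory: dict):
    """Return an alert string when the claimed host does not match what the
    inventory expects for the sending address, or None when it does.
    Syslog authenticates nothing, so this is a consistency check only."""
    expected = inventory.get(src_ip)
    if expected is None:
        return f"datagram from unlisted source {src_ip}"
    if record["host"] is not None and record["host"] != expected:
        return (f"hostname '{record['host']}' claimed from {src_ip} "
                f"(inventory says '{expected}')")
    return None


# Constructed sample data: addresses, hostnames and messages are invented.
INVENTORY = {"192.0.2.10": "router1", "192.0.2.20": "switch2"}
SAMPLES = [
    ("192.0.2.10", b"<189>Oct 11 22:14:15 router1 %SYS-5-CONFIG_I: Configured from console by vty0"),
    ("192.0.2.20", b"Oct 11 22:14:17 switch2 link state changed"),          # PRI missing
    ("192.0.2.99", b"<189>Oct 11 22:14:18 router1 %SYS-5-CONFIG_I: Configured from console by vty1"),
    ("192.0.2.20", b"<189>Oct 11 22:14:19 router1 %SYS-5-CONFIG_I: Configured from console by vty2"),
]


def process(samples, inventory):
    """Parse every (source IP, datagram) pair and attach any origin alert."""
    out = []
    for src, data in samples:
        rec = parse_syslog(data)
        rec["alert"] = check_origin(src, rec, inventory)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in process(SAMPLES, INVENTORY):
        print(rec["facility"], rec["severity"], rec["host"], rec["alert"])
```

The second sample shows the edge case the RFC prescribes: a datagram with no <PRI> is still accepted and logged as user.notice rather than dropped. The last two samples show the limit of what a receiver can detect without the IPSec tunnel the section recommends: an unknown source, or a known source claiming another device's name.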
Monitoring and Control Protocol: Simple Network Management Protocol
SNMP is a widely used network control and monitoring protocol. Developed in the late 1980s, SNMP has become the de facto standard for internetwork management. SNMPv3 is the most recent version of SNMP and defines a secure version of this previously fairly insecure protocol. It supports message integrity, authentication, and encryption.
NOTE
The current version of Cisco IOS Release 12.2 supports SNMP versions 1, 2c, and 3.
SNMPv1 is the original version of SNMP and is defined in RFC 1157. Security is based on community strings.
SNMPv2c is an experimental Internet protocol defined in RFC 1901, RFC 1905, and RFC 1906. It uses the community string security model defined in SNMPv1. The c in SNMPv2c stands for "community."
SNMPv3 is the most recent version of SNMP and combines authentication with encryption of management data over the network. SNMPv3 is defined in RFCs 2273 through 2275. It supports username, MD5, or SHA authentication together with DES-56 encryption.
The SNMP system contains two primary elements:
- A manager: The manager is the interface that the network administrator uses to perform the network management functions. This interface is commonly referred to as the management console or management engine.
- Agents: Agents consist of hardware and software reporting activities in each network device being managed, which communicate with the manager. The data that is returned from these agents is structured in a hierarchical format called a Management Information Base (MIB). Each MIB defines what is obtainable from the managed device and what can be controlled in it. Agents can respond to specific requests from the SNMP manager or can be configured to report events as they occur by using a special message called an asynchronous trap.
Data that can only be read from a device but not written to the device via SNMP is referred to as read-only access, whereas information that can be read or written is referred to as read-write access. This read-write access is controlled by community strings, which provide the very simple form of security found in the earlier versions of SNMP. However, these earlier versions of SNMP transmit community strings in clear text, so they are liable to be captured by a packet sniffer. Once these community strings are compromised, an intruder could reconfigure a remote device via SNMP if read-write access is allowed.
An additional level of security can be incorporated into SNMP by the use of access control lists (ACLs). These lists can be configured to restrict SNMP access to only nominated devices.
SNMP uses UDP ports 161 and 162. Agents listen on UDP port 161, while asynchronous traps are received on UDP port 162 at the management console.
To mitigate against SNMP attacks, unless you are using SNMPv3, it is recommended that you use SNMP read-only community strings. Also, restrict device access to only the management consoles by using SNMP access control. Finally, for added security, you can use a tunneling protocol such as IPSec to secure the transport.
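As an added example for the SNMP section (not code from the original text or from any SNMP implementation), the following Python decodes just enough of an SNMP message, using its BER/ASN.1 encoding, to show why the community-string model is weak: in SNMPv1 and SNMPv2c the version number, the community string and the PDU type sit in the first few bytes of every UDP datagram to port 161, readable by anyone on the path. The second function applies the section's guidance as a check a monitoring console could run over captured traffic: flag any SetRequest (read-write use) over v1/v2c and any community string the console does not know as a read-only one. The packet bytes, the community names and the allowed list are constructed for the example; an SNMPv3 message is recognised by its version field only, since its security parameters are encoded differently.

```python
"""Minimal SNMPv1/v2c message inspector (added example, not from the text).

Walks the outer BER SEQUENCE of an SNMP message to recover the version,
the clear-text community string (v1/v2c only) and the PDU type, then
applies the section's advice: v1/v2c traffic should use known read-only
communities and never carry SetRequests."""

# PDU context tags from the SNMP SMI; 0xA3 (SetRequest) is the write operation.
PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the BER element at pos.
    Handles both short-form and long-form (0x8N) length octets."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(packet: bytes) -> dict:
    """Decode the outer message: version, community (v1/v2c), PDU type."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    info = {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": None, "pdu": None, "write": False}
    if version == 3:
        return info                         # v3: no clear-text community follows
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    info["community"] = community.decode("ascii", "replace")
    tag, _, _ = read_tlv(body, pos)
    info["pdu"] = PDU_TYPES.get(tag, f"unknown(0x{tag:02x})")
    info["write"] = tag == 0xA3
    return info


def alerts_for(packet: bytes, allowed_ro=("monitor-ro",)) -> list:
    """Findings for one datagram under the section's recommendations.
    allowed_ro is the console's list of read-only communities (constructed)."""
    info = inspect_snmp(packet)
    findings = []
    if info["version"] in ("SNMPv1", "SNMPv2c"):
        if info["write"]:
            findings.append("SetRequest over clear-text SNMP (read-write community in use)")
        if info["community"] not in allowed_ro:
            findings.append(f"unexpected community '{info['community']}'")
    return findings


# Constructed sample datagrams (hand-encoded BER, not captured traffic).
# SNMPv1 GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0)
V1_GET = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
# SNMPv2c SetRequest, community "private", sysContact.0 := "ops"
V2C_SET = bytes.fromhex(
    "302a 020101 0407 70726976617465 a31c 020102 020100 020100"
    "3011 300f 0608 2b06010201010400 0403 6f7073")
# SNMPv3 message truncated after the version field; enough for this decoder.
V3_MSG = bytes.fromhex("3003 020103")


if __name__ == "__main__":
    for name, pkt in (("v1 get", V1_GET), ("v2c set", V2C_SET), ("v3", V3_MSG)):
        print(name, inspect_snmp(pkt), alerts_for(pkt))
```

Run against the constructed packets, the v1 GetRequest is reported only because its community is not on the console's read-only list, the v2c SetRequest produces both findings, and the v3 message produces none because this check has nothing to say about a version that authenticates and encrypts.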
File Management Protocols: Trivial File Transfer Protocol
TFTP is a TCP/IP file transfer protocol that is commonly used by many network devices to transfer configuration or system files across a network. Unlike FTP, TFTP does not have any directory or password capabilities. Data is sent in clear text, which leaves the TFTP transfer susceptible to a packet-sniffing attack; this can lead to sensitive data or configuration information being obtained.
TFTP uses UDP port 69 for control and uses the higher UDP ports, greater than 1023, for the data stream between the remote device and the TFTP server.
To mitigate against TFTP attacks, encrypt TFTP traffic within an IPSec tunnel wherever possible.
Time Synchronization Protocols: Network Time Protocol
NTP is a TCP/IP protocol that provides the facility to synchronize the time of network devices to a common time source. Simple Network Time Protocol (SNTP) is a more simplified client-only version of NTP and, hence, can only receive time from an NTP server; it cannot be used to provide time services to other systems.
