In this lesson, we're going to discuss the Simple Network Management Protocol. SNMP is an internet protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change the device's behavior. When we talk about managed devices, we're referring to any device that can communicate with an SNMP manager, known as the management information base, or MIB. Now, this includes things like routers, switches, firewalls, printers, servers, and even your end-user client devices. SNMP can be used to send and receive data from these managed devices back to a centralized network management station. When you're configuring your SNMP architecture, you have to have a manager, and then you have agents. Now, the SNMP manager could be any machine on your network that's running the SNMP protocol to collect and process information from the devices on your LAN or WAN. Normally, though, you're going to set this up on a server, especially in a large enterprise environment.
Now, the agents are the different network devices that send information about themselves over the network back to that manager. Usually, an agent is just running a background service to collect the data and send it back to the manager at regular intervals, or when it's requested to do so by that manager. Now, the SNMP manager is essentially a master node, and it's going to be able to send and receive messages to and from those agents using three different message types. These are Set, Get, and Trap messages. Now, the Set and Get messages are pretty straightforward. The Set request is a manager-to-agent request, and it's going to change the value of a variable or a list of variables. When this request is received by the agent, it's going to update its variables to the latest status and then provide a response to the manager with a list of all the new values for those variables. A Get request is a manager-to-agent request to retrieve the value of a variable or a list of variables. Using a Get request, one or more variable values can be requested from the agent by the manager.
Now, a Trap message is a little bit different, though, because these are going to be sent asynchronously as notifications from the agent to the manager. In the case of Trap messages, the agent is going to send the information without first being requested to by the manager. This allows the agents to notify the management station of any significant events that are occurring in near real time. In general, traps are going to be used to provide event or alarm notifications to the manager from the agent. Since Trap messages are unsolicited information being sent from the managed devices back to your network manager, you might be wondering what kind of information is contained within an SNMP Trap message. Well, this can include lots of things: uptime, configuration changes, unexpected downtime of a particular network link, or other essential information on your network that's used in the monitoring and detection of unforeseen events and network outages. Now, there are two different methods used to encode the data inside your SNMP Trap messages. These can be sent as granular traps or verbose traps.
With a granular trap, each SNMP Trap message is sent with a unique object identifier, or OID. This number allows the SNMP manager to distinguish each message as a unique message being received. Now, an OID is a unique object identifier, which identifies a variable that can be read or set via SNMP. As these individual OIDs are received, they're going to be consolidated and stored inside a translation file known as the MIB, or management information base. The MIB is used to describe the structure of the management data of a device subsystem using a hierarchical namespace containing the object identifier, that OID, as well as other information. Since the MIB contains all the details about the OID, this now allows the SNMP Trap messages to send just the changes for a particular OID and not the entire list of data known about every variable or measure on a specific device or system. This saves bandwidth on the network for us because SNMP traps don't send redundant information over the network. Instead, they seek to conserve network resources for us.
Now, if we're using verbose traps, the SNMP traps may be configured to contain all the information about a given alert or event as a payload. Since more data is being sent to the manager from the device, it's going to take up more resources on that server for it to be able to analyze the data contained within each trap. This takes more resources, and it's going to use up more bandwidth as it goes over our network. Now, the data in these SNMP traps is going to be sent and stored in a key-value pair configuration; this is known as variable binding. For example, I might have a list of variable bindings for a particular router, with things like SiteName = PR-Branch, criticality = high, severity = low, alarm description = high temperature, and other pertinent information for a given alarm or event; basically, that's what's going to be reported through one of these Trap messages. Now, when you're implementing SNMP in your network, you need to keep in mind that there are three different versions of SNMP, and they're not all created equal.
SNMP Version One, Version Two, and Version Three have different and varying levels of security. Now, as you can probably guess, SNMP Version Three is the newest, and it was built as an improved version over Version One and Version Two, making it the most secure. When you're dealing with SNMP Version One and Version Two, these versions use a community string to give them access to the devices as their security mechanism. Now, these community strings act as a shared secret key, but in SNMP Version One and Version Two, it was set and stored in plain text, making it really insecure. Now, the default community strings are either "public" (read-only) or "private" (read-write), and the devices are considered a huge security risk when they're using these default community strings in SNMPv1 and v2, because they're vulnerable to attack. So, in SNMP Version Three, there was some added security to overcome this issue. To mitigate the vulnerability with the community strings, SNMP Version Three provides three security enhancements, which added integrity, authentication, and confidentiality to the SNMP protocol.
So, how does SNMP Version Three solve all these problems? Well, for integrity, they started hashing the messages before they were transmitted to make sure nobody could alter the data as it was being sent from the routers or switches to the management node. For authentication, they started validating the source of the messages; that way, you knew where they came from. For confidentiality, they added encryption, and they started using DES, or the Data Encryption Standard, with a 56-bit encryption key to provide confidentiality and privacy. Now, if you know anything about encryption, you know that DES is considered a weak algorithm, and so, over time, it's been replaced by 3DES and now AES, the Advanced Encryption Standard, in newer devices that rely on SNMPv3. But you can only use those newer algorithms if you have firmware on your device that supports them. If not, you're still going to have to rely on DES. Now, another benefit of SNMP Version Three is that it groups our SNMP components into different entities to increase security.
Each group can then be given different authorizations and access privileges, such as read, write, or read-write access. By allowing us to create groups of smaller and smaller sizes, we can better protect our networks and the SNMP traps that are being sent across them.
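As an added example that is not part of the lesson, the following Python audit applies the points above to a constructed device inventory: it flags SNMPv1/v2c settings (plaintext community strings, and the default "public"/"private" strings in particular) and rates SNMPv3 settings by whether authentication and encryption are on and which privacy cipher (DES, 3DES or AES) is in use. The SnmpSetting record, the risk labels and the sample inventory are assumptions made for this example; the level names noAuthNoPriv, authNoPriv and authPriv are the standard SNMPv3 security levels.

```python
# Audit constructed SNMP settings for the weaknesses discussed above (added example).
from dataclasses import dataclass
from typing import Optional

DEFAULT_COMMUNITIES = {"public", "private"}   # default read-only / read-write strings
WEAK_PRIV_CIPHERS = {"DES"}                    # 56-bit key, considered weak
ACCEPTABLE_PRIV_CIPHERS = {"3DES", "AES"}

@dataclass
class SnmpSetting:                 # hypothetical record for one device (assumption)
    device: str
    version: str                   # "1", "2c" or "3"
    community: Optional[str] = None  # v1/v2c shared secret, sent in plain text
    auth: bool = False             # v3: message authentication/integrity enabled
    priv: bool = False             # v3: payload encryption enabled
    priv_cipher: Optional[str] = None  # v3: "DES", "3DES" or "AES"

def assess(s: SnmpSetting) -> tuple:
    """Return (risk level, reason) for a single device setting."""
    if s.version in ("1", "2c"):
        if (s.community or "").lower() in DEFAULT_COMMUNITIES:
            return ("critical", f"v{s.version} uses default community '{s.community}'")
        return ("high", f"v{s.version} community string travels in plain text")
    if s.version == "3":
        if not s.auth:
            return ("high", "v3 noAuthNoPriv: no integrity or authentication")
        if not s.priv:
            return ("medium", "v3 authNoPriv: authenticated but not encrypted")
        if s.priv_cipher in WEAK_PRIV_CIPHERS:
            return ("medium", "v3 authPriv with DES: weak 56-bit cipher, prefer AES")
        if s.priv_cipher in ACCEPTABLE_PRIV_CIPHERS:
            return ("ok", f"v3 authPriv with {s.priv_cipher}")
        return ("medium", f"v3 authPriv with unrecognised cipher {s.priv_cipher!r}")
    return ("unknown", f"unrecognised SNMP version {s.version!r}")

def audit(inventory):
    # Map each device name to its (risk, reason) pair.
    return {s.device: assess(s) for s in inventory}

# Constructed sample inventory; none of these devices or strings are real.
SAMPLE_INVENTORY = [
    SnmpSetting("core-rtr-1", "2c", community="public"),
    SnmpSetting("fw-edge-1", "1", community="n3tM0n!"),
    SnmpSetting("print-01", "3", auth=True, priv=True, priv_cipher="DES"),
    SnmpSetting("srv-mon-1", "3", auth=True, priv=True, priv_cipher="AES"),
    SnmpSetting("sw-access-7", "3", auth=False),
]

if __name__ == "__main__":
    for dev, (risk, why) in audit(SAMPLE_INVENTORY).items():
        print(f"{dev:12s} {risk:9s} {why}")
```

Only the SNMPv3 device running authPriv with AES comes out as "ok"; every other entry maps to one of the weaknesses the lesson describes.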