0
7.3kviews
Explain Policy based security management in SNMPv3.

Subject: Telecom Network Management

Topic: Internet Management(SNMP)

Difficulty: Medium

1 Answer
2
117views

i. Both versions of SNMPv1 and SNMPv2 lack security features, notably authentication and privacy. The SNMPv3 solves these deficiencies but it has some inefficiency to deal with the access, service refusal, or unstable action.

ii. On the other hand, XML is being used to describe components and applications in a vendor and language neutral.

iii. A policy-based SNMP security management architecture using XML is a secure network management protocol that adopts the policy-based network management and the XML security features to the existing SNMPv3.

iv. SNMPv3 basic structure is embodied by discrete SNMP entities’ interaction. Each entity is embodied as the module that has single SNMP engine, exchanges message through these engines, or processes encryption, decryption and authentication to access target entities.

v. In SNMP basic structure, the roles of SNMP entities are as follows:

  • Dispatcher allows for concurrent support of multiple versions of SNMP messages in the SNMP engine.
  • Message Processing Subsystem is responsible for preparing messages to be transmitted and for extracting data from received messages.
  • Security Subsystem provides security services such as the authentication and privacy of messages.
  • Access Control Subsystem provides a set of authorization services that an application can be used for checking access rights.
  • Command Generator initiates SNMP Get, GetNext, GetBulk, and/or SetPDUs and processes the response to a request that it has generated.
  • Command Responder performs the appropriate protocol operation using access control and will generate a response message to be sent to the originator.
  • Notification Originator monitors the particular events or conditions, and generates Trap and/or Inform messages based on these events or conditions.
  • Notification Receiver listens for notification messages and generates response messages when it receives the message containing Inform PDU.
  • Proxy Forwarder forwards SNMP messages.SNMPv3 protocol achieves monitoring function about event or situation, message send-receive through ditto SNMP entities.

Architecture and Operation:

Policy-based SNMP security management architecture composed of several entities as follows:-

XML policy repository: Policy Database server maintaining XML security connection information. PEP determines the appropriate security policy referring to XML policy repository’s information. On the other hand, XML policy enforcer in agent side takes appropriate enforcement action for enforcing the designated security policy.

XML policy decision: It selects the most appropriate security policy among the policies maintained in XML policy repository, composes the PDU embedding the selected security policy and transmits the composed PDU to agent.

XML encryption: It encrypts the PDU converted to XML at manager.

XML decryption: It deciphers the PDU encrypted in XML at agent.

XML parser: It converts SNMP PDU to XML. It is not necessary to convert the SNMP PDU that is generated from XMP policy repository to XML. The XML parser is used to convert the application specific PDU to XML.

XML interpreter: It converts the XML PDU to SNMP PDU and gives the converted PDU to applications.

XML Policy enforcer: As an entity at agent application area, it enforces security policy.

Figure 10 shows the SNMP’s architecture in Manager with XML security function.

SNMP’s architecture in Manager with XML security function

SNMP’s architecture in Manager with XML security function

The security achievement processes at agent shown in Fig11 are as follows:

[SA1] Access control subsystem authenticates the request of manager.

[SA2] After having finished the approval process, Security Subsystem decrypts the message received from manager and applies an appropriate SNMP security model such as UBS model.

[SA3] XML decryption at Security Subsystem decrypts the PDU encrypted with XML.

[SA4] XML interpreter at Security Subsystem converts the decrypted PDU to SNMP PDU according to the rules maintained in XML policy repository and transmits the interpreted SNMP PDU Message processing Subsystem.

[SA5] Message processing Subsystem extracts data from PDU and send the extracted data to XML Policy enforcer at SNMP application.

[SA6] XML Policy enforcer applies the security policy to appropriate device and finishes security achievement process at Agent.

Security Achievement Processes at Agent

Security Achievement Processes at Agent

Please log in to add an answer.