S 2.144 Selection of a suitable network management protocol

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Currently, the standard protocols for network management are:

• SNMP (Simple Network Management Protocol); SNMP is described in RFC 1157. Request for Comment (RFC) is the term of a standard established in the internet society.
• CMIP (Common Management Information Protocol); CMIP is described in the ITU-T standard X.711 and/or in ISO/IEC 9596-1.

In the following, the essential advantages and disadvantages of the two protocols are outlined as an aid to decision-making when selecting a network management protocol.

SNMP

Two components are defined for SNMP: manager and agent. One or possibly several managers and one agent per IT system to be monitored and/or configured with the help of SNMP are installed in a local network. The agents use these systems to collect information and store this information to an MIB (Management Information Base). They use a connectionless protocol to exchange messages with the manager so that SNMP is not bound to any specific transport protocol. However, implementation on UDO/IP usually takes place nowadays. Other implementations are also possible and present, though (e.g. using OSI, AppleTalk, SPX/IPX). SNMP is available in different versions. There are different SNMP versions and SNMPv1, SMPv2, and SNMPv3 are commonly used at the moment. Both the original version SNMPv1 and SNMPv2 (RFC 1901-1908) are still sometimes used. From a security point of view, SNMPv1 and SMPv2 should not be used.

The first two SNMP versions, SNMPv1 and SMPv2, only support simple authentication, based on community strings transmitted in clear text. SNMPv3 contains improved security mechanisms and should therefore be used.

If an older version of SNMP than SNMPv3 must be used, this must be justified and documented; first and foremost the risks should be disclosed and accepted. By default, the community strings "public" and "private" are preset for SNMP, typically with the access rights "read" or "read and write". Community strings are like passwords. Therefore, it is absolutely necessary to replace the preset community strings with other strings that are difficult to guess and changed regularly (see S 4.82 Secure configuration of active network components). The individual network elements should have different community strings. The access authorisations related to the community strings must be set to the minimum absolutely required. Access to the network element via SNMP should be restricted to the network management stations with the help of access control lists (see S 4.80 Secure access mechanisms for remote administration).

If SNMPv3 is possible from a technical point of view, it should be used. If SNMP is not required, SNMP should be disabled.

SNMP is a very simple protocol, which knows five types of messages. Managers and agents use these messages to exchange the so-called management information, predominantly consisting of values of status variables, stored in the management agent and describing the respective status of the related managed object. The status variables (name and type) existing in the individual agents are described in the management database (MIB). Here, the information is organised hierarchically and an unambiguous identification number is assigned to each value, which thus defines an unambiguous sequence for the variables. The types of messages include in detail:

• GetRequest: is sent from the manager to the agents in order to retrieve the value of one or several status variables.
• GetNextRequest: is sent from the manager to the agents in order to retrieve the value or the next values according to the sequence of the variables in the MIB.
• SetRequest: is sent from the manager to the agents in order to set the value of a variable there.
• GetResponse: is sent from the agent to the manager in order to send the requested values or to confirm the setting of a variable value.
• Trap: is used by the agent in order to inform the manager about exceptional events. As opposed to a GetResponse message, a Trap message is sent without any prior request of the manager.

The main advantages and disadvantages include:

• Advantages:
• • SNMP has a simple design and is thus easy to implement. This reduces its susceptibility to errors and improves the stability of the protocol.
  • SNMP is used on a widespread basis and is regarded as a de-facto standard. As a result, it is supported by nearly all products in network and system technology environment.
  • The protocol can be adapted very easily to future requirements. For this
  • reason as well as the above-mentioned widespread use of SNMP, this protocol can be considered extremely future-oriented, thus providing a high degree of investment protection.
  • SNMP is a simple, connectionless protocol on the transport level. Consequently, the transmission of SNMP packets in a network is more efficient than the connection-oriented CMIP.
  
  
  
• Disadvantages:
• • The use of SNMP (SNMPv1 and SNMPv2) harbours security risks which could allow intruders to obtain detailed information on the system and network environment. Except for community names (which, in the case of SNMP, allow the formation of groups and in the case of SNMPv1 and SNMPv2 provide basic password protection), no real password protection is available for access to network components.
  • Due to its simple nature and the features it possesses, the SNMP protocol exhibits shortcomings when operated in very large or rapidly expanding networks.
  • The performance of version 1 proves inadequate in the case of complex MIB queries, as the complete MIB tree always needs to be specified.
  
  
  

One of the huge disadvantages of version 1 of the SNMP is the lack of support for an authentication when accessing the monitored components. Version 2 of the SNMP partially compensates for these disadvantages; additionally, the performance for MIB retrievals was increased.

However, there also are different variants in the SNMPv2 regarding the supported security. Only the versions SNMPv2* and SNMPv2u provide the option of symmetrical, user-based authentication, while SNMPv2c is continues to be based on communities. In SNMP, communities are used in order to consolidate the individual network components in areas, on the one hand, and as password substitute when accessing these on the other hand. Additionally, SNMPv2* provides the option of data encryption according to the Data Encryption Standard in Cipher Block Chaining mode (DES-CBC). Due to the different variants within SNMPv2, manufacturers of network components and network management systems experience high levels of uncertainty, and so implementations according to SNMPv2 are not yet extensive and are interoperable to a limited extent only.

The different manifestations of SNMPv2 were consolidated in the next SNMP version (SNMPv3).

CMIP

As opposed to SNMP, CMIP is based on an implemented OSI protocol batch (the OSI layers 1 to 3 are implemented as protocol batch) and therefore also works in a connection-oriented manner. This restricts the use of the CMIP to components offering the required hardware and software requirements for implementing an entire OSI batch. Due to the high requirements entailed by this implementation, a "CMIP Over TCP/IP" (CMOT) was also defined (RFC 1189). This also allows for also operation of CMIP in pure TCP/IP networks.

One of the objectives of developing CMIP was to develop object-oriented management. Accordingly, CMIP is consistently designed in an object-oriented manner. Within the CMIP, a CMIP machine (CMIPM) assumes the tasks performed by the manager in SNMP. The agents of the objects to be managed provide this CMIPM, which are implemented as software just like the SNMP manager, with service requests for initiating certain actions and, vice versa, the CMIPM provides the agents of the objects to be managed with CMIP messages. The objects to be managed are managed in several trees characterised by different relations and access types in accordance with the basic principles of the object-oriented approach.

Due to the described object structure, the CMIP is very powerful and complex. The protocol itself, however, consists of relatively few operations, which make the entire management on the basis of the object structure mentioned above possible.

The main advantages and disadvantages include:

• Advantages:
• • Due to its object-oriented design, CMIP offers many more possibilities than SNMP, including the execution of actions and the management of instances of management objects.
  • CMIP offers more security than SNMP, particularly due to the availability of mechanisms for access control, user authentication and auditing.
  • The CMIP protocol is defined by OSI, thus constituting an official, international standard, whereas SNMP is only regarded as a de-facto standard based on an RFC.
  • CMIP does not have the above-mentioned shortcomings of SNMP.
  
  
  
• Disadvantages:
• • CMIP is a very complex protocol, whose diverse features are rarely required or capable of being used in their entirety. Due to the large number of possible settings, configuration of this protocol is very difficult, and requires a great deal of know-how on the part of the administrator.
  • CMIP requires roughly ten times more system resources than SNMP. For this reason, it has to be operated on powerful hardware which is only provided by a small number of active network components. The OSI protocol stack, which consumes additional resources, also generally has to be implemented. CMOT constitutes an exception here.
  • Due to the complexity of this protocol and the corresponding implementations, CMIP is potentially more susceptible to errors than SNMP implementations.
  • Very few implementations of CMIP are presently available; except in the area of telecommunications, this protocol is encountered very infrequently in practice.
  
  
  

It must be checked on a case-by-case basis which network management protocol is suitable for the respective purpose. For this, the security requirements for network management must be formulated and coordinated. If the TCP/IP protocol batch is already used in the local network and if the security requirements are low, SNMPv1 lends itself as a solution. Nevertheless, higher security requirements may also be an argument for the use SNMPv2 or CMIP. When using CMIP, the protocol batch CMIP is to be implemented on must then be considered. Either on the OSI batch (CMIP) or on the TCP/IP batch (CMOT).

It must also be considered that CMIP and/or CMOT are not currently supported by all active network components and network management systems. Before using CMIP, it must be checked carefully whether the components and clients used are CMIP-compatible.

Review questions:

• Is the use of obsolete network management protocols such as SNMPv1 and SNMPv2 avoided?
• If obsolete network management protocols absolutely must be used: Have the risks entailed been documented and justified?
• When using SNMP: Are the community strings changed, assigned individually on a network level, and changed regularly?
• When using SNMP: Have minimum access authorisations of the community strings been set?
• When using SNMP: Is access to the network element using SNMP restricted to the network management stations with the help of access control lists?
• Is it checked which network management protocol is suitable for the intended purpose?
• Do all network components and network management systems support the selected version of CMIP/CMOT and/or SNMP?