Research on Secure Network Management Technology Based on SNMPv3
Abstract (translated from the Chinese)
With the development and spread of TCP/IP-based computer information networks, a huge demand for network management has arisen. Heterogeneous, complex network environments in particular pose new challenges for network management, among which security is especially important. How to carry out efficient and secure network management has become the foremost concern in building enterprise networks. In the current network management architecture SNMP plays an important role, and its versions have evolved from v1 to v3.
    Drawing on the requirements of modern network management, this thesis studies SNMPv3-based network management and security policies and gives a concrete implementation of a secure network management system based on SNMPv3.
    First, the thesis gives the necessary introduction to the fundamentals of SNMP, including the structure of management information, the management information base and the protocol operations. It then describes the SNMPv3 framework in detail, explaining the function of each module and the new message format. On this basis it discusses the security of SNMPv3, including the encryption and authentication mechanisms and timeliness checking, with emphasis on the user-based security model and view-based access control.
    After the theoretical background, the thesis presents the implementation of the secure network management system, including the SNMP protocol stack, the user management program and the topology discovery module. The protocol stack is developed with COM and is efficient and light on resources. The user management program extends the SNMPv3 security framework and adopts a new key scheme, which greatly improves security. The topology discovery module uses a hierarchical topology discovery method built on a routing-table algorithm and an ARP-based algorithm; it is efficient and practical, and because of the flexible structure the topology algorithm can easily be replaced.
    Design patterns are a distillation of object-oriented design experience; each describes a particular scenario and a solution to it. Many design patterns are used in the design of the secure network management system, making it more flexible, elegant and reusable.
    Finally, in light of the trends in network management, the thesis discusses the problems encountered in adopting new technologies and their possible solutions. The work in this thesis provides a useful reference for subsequent development.
Abstract (author's English version)
As TCP/IP-based networks reach into every part of society, managing them becomes an important and demanding challenge. In particular, the complexity of heterogeneous network environments brings many new problems to network management, the most important of which is security. How to carry out effective and secure network management is a central concern in enterprise network construction. Among network management architectures, SNMP plays a significant role, and it has evolved from v1 to v3.
    The thesis studies the security policies of SNMPv3-based network management in light of modern management needs, and proposes an implementation of a secure network management system (SNMS) based on SNMPv3.
    First, the thesis introduces the fundamentals of SNMP, including SMI (Structure of Management Information), MIB (Management Information Base) and the protocol operations. Second, the architecture of SNMPv3 is elaborated, and the function of each module and the new message format are described. After that, security in SNMPv3 is discussed, including the privacy and authentication mechanisms and time-window detection. The emphasis is put on USM (User-based Security Model) and VACM (View-based Access Control Model).
    Furthermore, the thesis discusses the implementation of the SNMS, including the SNMP protocol stack, the user management application and the topology discovery module. The protocol stack is developed using COM and is high-performance and economical. In the user management application the SNMPv3 architecture is extended and a new privacy key scheme is employed, which makes the application more secure. The topology discovery module introduces a layered approach to topology discovery. The algorithm, which combines a routing-table method and an ARP-based method, is effective and practical, and it can easily be replaced thanks to the flexible structure.
    Design patterns distil experience in object-oriented programming; each describes a scenario and a solution for it. Many design patterns are used in the design of the SNMS, providing flexible, elegant and reusable solutions.
    Finally, in light of trends in network management, the problems and possible solutions when adopting new technology are discussed. All of this can serve as a useful reference for further development.
