The Simple Network Management Protocol (SNMP) is a widely used protocol that allows both reading and updating the configuration of devices on a network. The protocol is UDP-based and is commonly supported by network devices such as switches, routers, firewalls, printers, and servers.
An SNMP network usually consists of a manager, which can update data or request data from an agent, which stores data and can send events (also known as traps) back to the manager.
The SNMP Data Model
SNMP is, in general, a hierarchical key-value database. The keys in SNMP are known as object identifiers (OIDs) and are simply a list of numbers separated by dots.
For example: 1.3.6.1.2.1.1.1
Each number in the OID sequence represents a category of values. The above example, for instance, refers to the following SNMP value:
1.3.6.1.2.1.1.1 = iso.org.dod.internet.mgmt.mib-2.system.sysDescr
which contains a description of the device.
Each key has a single value of a primitive type such as an integer or a string, or a defined type such as an OID or IP Address.
The key-value pairs are described in a Management Information Base (MIB) file, which gives information on each OID and the type of data that can be found there. There are many MIB files available, some of which are defined by the different SNMP RFCs (such as SNMPv2-SMI) and some that are proprietary vendor-defined MIB files that describe specific data available in their devices.
Using the key-value pair data model, it is also possible to describe more complex data structures such as tables in the SNMP data model. This is done using the following method:
- Each table is given an OID value. For instance, the OID 1.3.6.1.2.1.2.2 is for the ifTable, which describes all the network interfaces of a device.
- Then, under the table OID, there is another OID that describes a single row in the table. In this case, ifEntry with the OID ifTable.1 (1.3.6.1.2.1.2.2.1).
- Now, for each column in the table, there is another OID defined under the OID for the row. For example, the ifIndex column has the OID ifEntry.1 and the ifDescr column has the OID ifEntry.2.
- For the values themselves, each row in the table has an index that is appended to the OID of the column. For example, the ifIndex of the first row in the table would be ifIndex.1 and for the second row it would be ifIndex.2.
In this manner, an entire table can be stored using this key-value format and not just single values.
The SNMP Protocol
SNMP uses UDP to send and receive protocol data units (PDUs). Some common PDU types are:
- Get – Retrieves the value of a single OID.
- Set – Sets the value for a single OID.
- GetNext – Gets the next value available after a specific OID. This can be used to discover the next available value in the database. The GetNext PDU can be used repeatedly to “Walk” through all the available values in a database starting from a specific value (or from the first value if 0 is used as the first OID).
- GetBulk – Returns multiple consecutive values following a specific OID. This is more efficient than issuing GetNext repeatedly when several values are required.
- Response – A PDU containing the data requested by one of the above operations or an acknowledgement in case of a Set operation.
In addition to the above commands, a device can also send SNMP traps. An SNMP trap is a message that is sent from an agent back to the manager to notify it of some event such as a switch sending an event that a network interface has gone up or down.
Many SNMP browsers and libraries will also have an implementation of some helper functions to ease the reading of some common data types such as tables or will allow easily walking a subtree under a specific OID.
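The table layout described in the data-model section and the GetNext-based walk described above, as an added example that is not code from the original post: an in-memory agent that answers GetNext in numeric, component-wise OID order, a walk built on top of it, and a helper that regroups ifTable's column.index pairs back into rows. The interface values are constructed sample data.

```python
# Added example, not code from the original post: an in-memory agent that answers
# GetNext the way a real agent does (next OID in numeric, component-wise order), a
# Walk built on it, and a helper that regroups ifTable's column.index pairs into rows.
IF_TABLE = "1.3.6.1.2.1.2.2"                 # ifTable (IF-MIB), as on the page
IF_ENTRY = IF_TABLE + ".1"                    # ifEntry: one conceptual row
COLUMNS = {1: "ifIndex", 2: "ifDescr", 8: "ifOperStatus"}   # subset of ifEntry columns

def oid_key(oid):
    """OIDs order per numeric component, not as strings ('.10' sorts after '.9')."""
    return tuple(int(x) for x in oid.split("."))

# Constructed agent database (not from a real device): column OID + row index -> value
AGENT_DB = {
    "1.3.6.1.2.1.1.1.0": "Example switch OS 1.0",                     # sysDescr.0
    IF_ENTRY + ".1.1": 1,   IF_ENTRY + ".2.1": "eth0", IF_ENTRY + ".8.1": 1,
    IF_ENTRY + ".1.2": 2,   IF_ENTRY + ".2.2": "eth1", IF_ENTRY + ".8.2": 2,
    IF_ENTRY + ".1.10": 10, IF_ENTRY + ".2.10": "lo",  IF_ENTRY + ".8.10": 1,
}
SORTED_OIDS = sorted(AGENT_DB, key=oid_key)

def get_next(oid):
    """GetNext semantics: first OID strictly greater than `oid`, or (None, None) at end of MIB."""
    key = oid_key(oid)
    for candidate in SORTED_OIDS:
        if oid_key(candidate) > key:
            return candidate, AGENT_DB[candidate]
    return None, None

def walk(subtree):
    """Repeated GetNext until the returned OID leaves the subtree (a MIB walk)."""
    prefix, results, current = oid_key(subtree), [], subtree
    while True:
        current, value = get_next(current)
        if current is None or oid_key(current)[:len(prefix)] != prefix:
            return results
        results.append((current, value))

def table_rows(pairs, entry_oid=IF_ENTRY, columns=COLUMNS):
    """Regroup column.index pairs from a walk into {row_index: {column_name: value}}."""
    rows, entry_len = {}, len(oid_key(entry_oid))
    for oid, value in pairs:
        arcs = oid_key(oid)
        column, index = arcs[entry_len], ".".join(map(str, arcs[entry_len + 1:]))
        rows.setdefault(index, {})[columns.get(column, str(column))] = value
    return rows
```

Note that the walk returns the table column by column (all ifIndex values, then all ifDescr values), which is why the regrouping step is needed to see one interface per row.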
Since the SNMP database can contain sensitive data and can even allow changes to a device’s configuration, the protocol requires some sort of authentication. There are two main methods of authentication used, depending on the version of SNMP being used.
In versions 1 and 2c of the SNMP protocol, authentication is done using a community string. A community string is essentially just a password that the manager sends to the agent. The agent checks the string against its list of defined community strings, and if there is a match, it checks the permissions granted to that string. In most cases, a specific community string can be permitted to send Get requests, Set requests, or both, and can also be restricted to specific sub-trees of the SNMP database.
Some devices also have an IP whitelist specifying which addresses are allowed to access the device over SNMP.
If the SNMP request does not match a valid community string or if the device is not allowed access for any other reason, the SNMP server will simply not respond. In this way, a client cannot know if a device even exists or if it supports SNMP if it does not know a valid community string.
The main disadvantage of SNMP community strings is security. First, there is only a single secret (the community string) rather than a username and password, and many devices come pre-configured with the community string “public” already defined, allowing read access to the device configuration. Second, the community string is not encrypted over the network, so anyone capturing packets can see it in clear text.
SNMP v3 was introduced to solve some of the security issues that come with SNMP v2c. While it shares the same data model as previous versions, it addresses them by allowing user/password authentication with an SNMP server using password hashes. It also allows encryption of the data over the network. In addition, SNMP v3 checks the integrity of received data to make sure it was not tampered with in transit.
SNMP can be a very powerful tool for the system administrator, giving access to data and configuration from a wide range of devices. It can be used for discovery, management, monitoring, and more.
While there are some security risks involved in using older versions of the protocol, SNMP v2c is still the most widely used in most data centers today.
In this blog post, we gave a brief overview of the SNMP protocol, and this will be the first of a multi-part series in which we will go over some more details of how to use SNMP and, specifically, how it can be used to map your network topology.