Briefly explain two modes to convey information in the SNMP protocol.
The heart of SNMP consists of just two components, a Management Station and an Agent. These communicate with each other using either UDP or TCP packets on ports 161 (for queries) and 162 (for trap alerts).
Management Station
The Management Station is a simple, centralized piece of software that operates as the back-end. Often running on a dedicated workstation, it polls network-connected devices with SNMP enabled, requesting system information to collect and store. This data can then be displayed as charts, graphs and other visual aids that represent a network’s performance.
To ensure both the Management Station and the device speak the same SNMP language, a Management Information Base (MIB) is used. This is essentially a book of what questions can be asked of each device, allowing the device to keep the necessary answers readily available.
Since the Management Station wouldn’t otherwise be able to natively understand every device it polls, the MIB is loaded from the manufacturer as a translator of sorts. We will look at this aspect of SNMP more in the next section, but it’s an integral part of what makes the Management Station such a powerful component.
Agents
The Agent represents an individual node on the network, often built directly into the hardware or software that will need to be monitored. Handling most of the work, it collects local system information that can be queried by the Management Station in the form of a GET request. Furthermore, it translates that data into answers that can be understood before sending back the response.
The System is Overheating!
The CPU has exceeded 90% Usage!
Disk 1 has 4% Disk Space Left!
While the Agent mostly responds to incoming commands, it is also capable of sending out alerts known as Trap messages. Rather than waiting for the Management Station to ask for an update, it can provide immediate notice when a problematic event occurs. We will touch on these again in more depth below, but they are an essential form of communication sent from a remote Agent.
Management Information Base (MIB)
Although it remains the most complex aspect of SNMP, the Management Information Base (MIB) acts as nothing more than a translation tool between Management Station and Agent. Supplied by the device’s manufacturer, it tells the collector how to interpret the incoming messages into usable data.
Within the MIB database is a hierarchical structure, also known as a Tree or Table, composed of objects (OIDs) that represent all important aspects of the device. An object could be defined as the Memory Status, Network Status, etc. Each object represents one part of the hardware (or software) that can be observed and reported on as per the manufacturer’s specifications.
Most monitoring solutions will handle the grunt work for you, since it is impossible to keep track of potentially hundreds or thousands of MIBs and OIDs. In cases where a System Administrator wishes to perform a custom poll on a specific OID, it is necessary to use an MIB Browser to locate it.
Object Identifiers (OID)
Much like a name, an Object Identifier is a unique string of numbers separated by decimal points, assigned to each component of an individual device. In contrast to an IP or MAC address, however, the digits used in OIDs can contain extensive information about the equipment, such as the manufacturer, organization and device type.
In fact, Wireshark, a network protocol analyzer, offers an OUI lookup tool via its website that can identify this data based on its own Manufacturer database. Each vendor has their own specification, and this can take an input list and return the relevant information.
SNMP Traps
As mentioned before, Traps are messages sent from a remote SNMP agent to the Management Station. They act as alerts, providing immediate notification to the collector that a certain event is taking place, such as overheating or resource utilization surpassing a threshold.
Since polling uses a round robin approach, iterating through a list of agents and requesting updates one by one, new information can be significantly delayed in reaching the back-end. If we were to rely on this exclusively, waiting for the next poll to take place before reporting urgent matters could be detrimental to a system’s health. Instead, agents are configured with the ability to initiate contact as well when certain events occur, ensuring that critical matters are available as quickly as possible.
The SNMP Protocol has managed to stay relevant for over 30 years, thanks in part to several revisions that helped it adapt to changes. As with many protocols, the significant lack of security was the most pressing concern for modern networks and was the primary focal point in each update.
Version 1: As the initial specification released in 1988, SNMPv1 still remains widely used even today. Despite the continued support, it has severe security flaws that make it vulnerable to malicious parties. Most notable is the fact that authentication data is transmitted in plain text across the network, making it easy for malicious third parties to steal.
Version 2: In an effort to address this issue, progress on SNMPv2 was launched in 1993 with a Party Based security scheme. Despite vast improvements over the original release, it was considered too complex and resulted in several community-based forks. The most popular of these became known as SNMPv2c, replacing the new security model with the original Community Based Authentication (that inherently flawed model from V1), while preserving the rest of the added features.
Ultimately considered the de facto standard for V2, it also remains operable even now by most management systems. With the advent of V3, however, it too was made obsolete, and ongoing support is regarded as backwards compatibility for older devices.
Version 3: In 1998, the current standard we use today was made available. Seeking to further enhance security practices, a user based system was adopted instead, providing the choice between 3 different options in authentication and encryption.
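As an added example (not part of the original answer): a minimal Python parser that reads the version, community string and PDU type from an SNMP message, showing both the poll/trap distinction and why v1/v2c community strings are exposed to anyone who can see the traffic. The sample packets, the community value `n0c-ro-2291` and the default-string watchlist are constructed for illustration.

```python
# Added example: parses constructed SNMP messages, not captured traffic.
POLL = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}
PUSH = {0xA4: "Trap (v1)", 0xA6: "InformRequest", 0xA7: "Trap (v2)"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}        # value of the version INTEGER on the wire
DEFAULTS = {b"public", b"private"}             # assumption: watchlist of common default communities

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER element starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                          # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[off:off + length], off + length

def inspect_snmp(payload):
    """Classify one payload seen on port 161/162 and list what it exposes."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, off = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    out = {"version": version, "community": None, "pdu": None, "mode": None, "findings": []}
    if version not in ("v1", "v2c"):
        return out                             # v3 messages carry no community string
    tag, community, off = read_tlv(msg, off)   # OCTET STRING, sent unencrypted
    pdu_tag, _, _ = read_tlv(msg, off)
    out["community"] = community.decode("latin-1")
    out["pdu"] = POLL.get(pdu_tag) or PUSH.get(pdu_tag) or hex(pdu_tag)
    out["mode"] = "poll" if pdu_tag in POLL else "trap" if pdu_tag in PUSH else "other"
    out["findings"].append("community string readable in cleartext")
    if community in DEFAULTS:
        out["findings"].append("default community string")
    return out

def tlv(tag, body):                            # encoder for the constructed samples (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

OID = tlv(0x06, bytes.fromhex("2b06010201010100"))   # 1.3.6.1.2.1.1.1.0 (sysDescr.0)
PDU_BODY = tlv(2, b"\x01") + tlv(2, b"\x00") * 2 + tlv(0x30, tlv(0x30, OID + tlv(5, b"")))
V1_GET = tlv(0x30, tlv(2, b"\x00") + tlv(4, b"public") + tlv(0xA0, PDU_BODY))
V2_TRAP = tlv(0x30, tlv(2, b"\x01") + tlv(4, b"n0c-ro-2291") + tlv(0xA7, PDU_BODY))
```

Calling `inspect_snmp(V1_GET)` reports a poll with the community `public` recovered directly from the bytes; the same function run over a monitoring tap gives an inventory of devices still speaking v1/v2c.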