SNMP-Proxy / ALG

Visit the Project Info on Sourceforge.


© 2002 by Markus Griedl

Intro

In this project I am trying to implement an application layer gateway for SNMP v1. The proxy shall act transparently, just like the agents configured for it, and do some basic filtering to address the security issues.
Filtering done:

(* not fully implemented yet, see source code)
All agents should be accessed only via the security proxy!

Technology

On the agent side, a single interface is visible to the agents. It acts just as a manager station would (a standard NMS acts as trap receiver on port 162 and forwards/receives requests/responses on port 161).

On the management station's side, multiple virtual interfaces are configured, one for each agent. One or more NMS can contact each of them directly on the standard port 161 for requests.

On the proxy host, basic network address translation (NAT) on OSI layer 4 is already done.

Traps received on the agent side are sent out on the corresponding virtual interface, which makes it easy for the NMS to track the sender and react.

Why Java

First I thought about using C/C++ for performance reasons, but soon I realized that J2SDK 1.4 is not that bad at all and, best of all, all the basic features I need (besides SNMP functions) are already in the core API, so no other libraries are necessary.
Java has the big advantage that the time to market is really short (clear names in the exceptions, not only SEG FAULT!).

Project

The project implementation started on Tue, 2. April 2002 as part of a bigger corporate security package, while some thoughts about this kind of thing reach back about 8 months from that day.

Installation

Unpack the tar.gz of your choice to wherever you want it to reside.
You will need a Java VM (I used SUN's J2-SDK 1.4).
To use it you will have to configure some virtual interfaces (I don't think you've got a box with sufficient NICs!). With RedHat this is done as follows, for example:

ifconfig eth0 10.1.1.100 netmask 255.255.255.0 broadcast 10.1.1.255
ifconfig eth0:0 10.1.1.101 netmask 255.255.255.0 broadcast 10.1.1.255
ifconfig eth0:1 10.1.1.102 netmask 255.255.255.0 broadcast 10.1.1.255
.
.
.
You will have to add your default route in this subnet, e.g.
route add default gw 10.1.1.254
Ideally, write a startup script that does this every time the system is started.

Configuration

The proxy is configured in the file mysnmp.conf (or any other file given on the command line).
The contents of this file are:
the debugmode
the main proxy address (on the agents' side)
one or more agents in this format:

Agent NameOfTheAgent
Source		"IP-Address of the NMS"
[Source 	"another NMS"]
InterfaceIP 	"IP-Address on the proxy the NMS will access"
DestinationIP	"real IP-address of the agent"
Version		1
CommunityString	public
rwComString	public
ObjectID	".1.3.6.*" 	r
[ObjectID]	".1.2.3"   	w
[ObjectID]	".1.1.1.*"	r
endAgent

Example:
An NMS station (10.1.1.50), another NMS station (10.1.1.60), the proxy address (10.1.1.100), an agent named "JBond" with the virtual agent address (10.1.1.101) and the real agent address (192.168.10.33), no debug messages, all Internet ObjectIDs readable (.1.3.6.*), and the fantasy ObjectID .1.2.3.4.5 with read/write access
will lead to a config file as follows:
#Sample mysnmp.conf

Bugtrackmode 0
ProxyAddress "10.1.1.100"

Agent 		JBond
Source 		"10.1.1.50"
Source 		"10.1.1.60"
InterfaceIP	"10.1.1.101"
DestinationIP	"192.168.10.33"
Version		1
CommunityString	public
rwComString	public
ObjectID	".1.3.6.*" 	r
ObjectID 	".1.2.3.4.5" 	w
endAgent


There is also a possibility to make the configs shorter by using:
#Sample mysnmp.conf, short commands

b 		0
p		"10.1.1.100"

a		 JBond
s		"10.1.1.50"
s		"10.1.1.60"
i		"10.1.1.101"
d		"192.168.10.33"
v		1
c		public
r		public
o		".1.3.6.*" 	r
o	 	".1.2.3.4.5" 	w
endAgent

The endAgent keyword is the only command that has NO short form!
Don't forget the " " where necessary and the r / w after the ObjectIDs.

For more information please read the mysnmp.conf file
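
As an added illustration (Python, not the project's Java code), the following example parses the format above, long and short keywords alike, and applies the filtering the entries imply: source NMS, community string, and ObjectID with its r/w flag. It assumes that a trailing .* covers the whole subtree, that reads must present CommunityString and writes rwComString, and that anything not listed is refused; the function names and the community strings mon-ro / mon-rw are made up for the example.

```python
import shlex
# Short keyword -> long keyword, as listed on the page (endAgent has no short form).
SHORT = {"b": "Bugtrackmode", "p": "ProxyAddress", "a": "Agent", "s": "Source",
         "i": "InterfaceIP", "d": "DestinationIP", "v": "Version",
         "c": "CommunityString", "r": "rwComString", "o": "ObjectID"}
SAMPLE = '''
Agent JBond
Source "10.1.1.50"
s "10.1.1.60"
InterfaceIP "10.1.1.101"
DestinationIP "192.168.10.33"
CommunityString mon-ro
rwComString mon-rw
ObjectID ".1.3.6.*" r
o ".1.2.3.4.5" w
endAgent
'''  # constructed sample: the page's example addresses, distinct community strings

def parse_conf(text):
    agents, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        key = SHORT.get(tok[0], tok[0]) if tok else None
        if key == "Agent":
            cur = {"Agent": tok[1], "Source": set(), "ObjectID": []}
        elif key == "endAgent":
            agents[cur["InterfaceIP"]] = cur    # keyed by the virtual IP the NMS uses
            cur = None
        elif cur is not None and key == "Source":
            cur["Source"].add(tok[1])
        elif cur is not None and key == "ObjectID":
            cur["ObjectID"].append((tok[1], tok[2]))
        elif cur is not None and key:
            cur[key] = tok[1]
    return agents

def oid_matches(pattern, oid):
    # Assumption: a trailing ".*" covers the whole subtree; otherwise exact match.
    if pattern.endswith(".*"):
        return oid == pattern[:-2] or oid.startswith(pattern[:-1])
    return oid == pattern

def allowed(agents, src, iface, community, oid, write=False):
    # Assumption: reads must present CommunityString, writes rwComString.
    a = agents.get(iface)
    need = "rwComString" if write else "CommunityString"
    if a is None or src not in a["Source"] or community != a[need]:
        return False                            # default deny
    return any(oid_matches(p, oid) and (mode == "w" or not write)
               for p, mode in a["ObjectID"])    # "w" means read/write, as in the example
```

Matching on the dotted boundary matters: with a plain string prefix, .1.3.60.1 would slip through the .1.3.6.* entry.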

Starting up

Simply run

java Starter [configfile]
or
java -jar snmpproxy [configfile]
You have to be root, since we are using privileged ports (below 1024)!
If it does not print "Up and running" and start drawing dots, but spits out an exception instead, check your Java classpath and whether the (virtual) interfaces are configured correctly.
You might want to place this command in a startup script as well (perhaps even the same one that configures the interfaces).
Since there is no way to generate log files, simply redirect stdout to a file if you want to see what has been happening.

Configuring the network, agents & the NMS

This is a kind of security proxy, so there should be no direct connection between the NMS and the agents. All traffic should be routed over the proxy, and direct access to the agents should be blocked by a firewall.
The agents' trap receiver should be set to the proxy address. If only a specific management station is allowed to connect to the agent, this would be the proxy address as well.
In the NMS, the agents are not to be accessed by their real addresses but by the corresponding virtual IP on the proxy. So don't put the real address in the address field, but the virtual address on the proxy. (HP OpenView allows you to access the agents via a proxy, so put the proxy address in the proxy field; this will do all the SNMP-NAT for you, so SNMP-NAT is not in the proxy (yet).)

Tested with

Version History

Future

