Visit the Project Info on Sourceforge.
In this project I am trying to implement an application layer gateway
for SNMP v1. The proxy shall act transparently, just like the agents
configured to it, and do some basic filtering to address the security issues.
Filtering done:
On the agent side there is a single interface visible to the agents, which acts just like a management station would (like a standard NMS it receives traps on UDP port 162 and sends requests to, and receives responses from, the agents' UDP port 161).
On the management station's side there are multiple virtual interfaces, one for each agent, which can be contacted directly by one or more NMS on the standard port 161 for requests.
On the proxy host, basic network address translation (NAT) of IP addresses and UDP ports is already done; the SNMP payload itself is not rewritten (see the note on SNMP-NAT at the end).
Received traps (agent side) are sent out on the corresponding virtual interface, so the NMS sees each trap coming from the same address it uses to query that agent and can track the sender and react.
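As an added example (this is not the project's Java code, only a sketch written for this page), the following Python shows the decision an SNMP v1 application layer gateway makes for one datagram arriving on a virtual interface: decode the BER-encoded v1 message (RFC 1157 subset), check the sending NMS against the Source list, check the community string, check each OID against the ObjectID rules, and either forward the request to the real agent or drop it. The agent record is the JBond entry from the sample mysnmp.conf further down. The function names, and the exact semantics of r/w (r permits Get/GetNext, w permits Set), of CommunityString for reads and rwComString for writes, and of a trailing ".*" as a subtree match, are assumptions, since the page does not spell them out.

```python
# Added example, not the project's code: per-request filtering for an SNMP v1
# application-layer gateway. Assumed (the page does not say): mode 'r' on an
# ObjectID permits Get/GetNext, 'w' permits Set; the NMS must send CommunityString
# for reads and rwComString for writes; a trailing ".*" matches the whole subtree.
PDU_TYPES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA4: "trap"}

# Agent entry as in the JBond sample of mysnmp.conf on this page.
JBOND = {"interface": "10.1.1.101", "dest": "192.168.10.33",
         "sources": {"10.1.1.50", "10.1.1.60"},
         "community": "public", "rw_community": "public",
         "oids": [(".1.3.6.*", "r"), (".1.2.3.4.5", "w")]}

# Minimal BER helpers for the RFC 1157 subset the proxy has to understand.
def tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")        # long-form length
    return bytes([tag, 0x80 | len(size)]) + size + body

def enc_int(value):                                              # non-negative only
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                                         # base 128, MSB first
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))

def build_request(pdu_tag, community, oids, request_id=1):
    """Constructed NMS-side request (Get/GetNext/Set) with NULL values."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_request(msg):
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):                     # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(dec_oid(read_tlv(vb)[1]))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"),
            "type": PDU_TYPES.get(pdu_tag, "unknown"), "oids": oids}

def oid_allowed(oid, rules, access):
    """Exact match, or subtree match for a pattern ending in ".*" (".1.3.6.*" -> ".1.3.6.")."""
    return any(mode == access and (oid == pat or pat.endswith(".*") and oid.startswith(pat[:-1]))
               for pat, mode in rules)

def decide(agent, src_ip, dst_ip, msg):
    """One NMS-side datagram: ("forward", real agent IP) or ("drop", reason)."""
    if dst_ip != agent["interface"]:
        return ("drop", "not addressed to this agent's virtual IP")
    if src_ip not in agent["sources"]:
        return ("drop", "NMS %s not in Source list" % src_ip)
    req = parse_request(msg)
    if req["version"] != 0:
        return ("drop", "only SNMP v1 (version field 0) is proxied")
    if req["type"] in ("get", "getnext"):
        wanted, access = agent["community"], "r"
    elif req["type"] == "set":
        wanted, access = agent["rw_community"], "w"
    else:
        return ("drop", "PDU type %s not accepted from the NMS side" % req["type"])
    if req["community"] != wanted:
        return ("drop", "wrong community for %s access" % access)
    for oid in req["oids"]:
        if not oid_allowed(oid, agent["oids"], access):
            return ("drop", "OID %s not permitted for %s" % (oid, access))
    return ("forward", agent["dest"])
```

Rejections return a reason string so the debug mode (Bugtrackmode) has something to log. A real proxy would also have to re-issue the forwarded request towards DestinationIP, match the GetResponse back to the waiting NMS, and forward it on the virtual interface; this sketch only shows the filtering decision.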
First I thought about using C/C++ for performance reasons, but soon I
realized that J2SDK 1.4 is not that bad at all and, best of all, all the basic
features I need (besides SNMP functions) are already in the core API, so
no other libraries are necessary.
Java has the big advantage that the
time to market is really short (clear names in the exceptions, not only SEG FAULT!)
The project implementation started on Tuesday, 2 April 2002, as part of a bigger corporate security package, while some thoughts about this kind of thing reach back about 8 months before that day.
Unpack the tar.gz of your choice to wherever you want it to reside.
You will need a Java VM (I used Sun's J2SDK 1.4).
To use it you will have to configure some virtual interfaces (I don't think
you've got a box with sufficient NICs!). With RedHat this is done as follows (e.g.):
ifconfig eth0 10.1.1.100 netmask 255.255.255.0 broadcast 10.1.1.255
ifconfig eth0:0 10.1.1.101 netmask 255.255.255.0 broadcast 10.1.1.255
ifconfig eth0:1 10.1.1.102 netmask 255.255.255.0 broadcast 10.1.1.255
. . .
Here 10.1.1.100 is the ProxyAddress of mysnmp.conf (the address the agents talk to) and 10.1.1.101, 10.1.1.102, ... are the InterfaceIP addresses of the configured agents, so you need one alias per agent.
You will have to add your default route in this subnet, e.g.
route add default gw 10.1.1.254
At best write some startup scripts that do that stuff every time the system is started...
The configuration of the proxy is done in the file mysnmp.conf (or any other
file given on the command line).
The contents of this file are:
the debug mode (Bugtrackmode)
the main proxy address on the agents' side (ProxyAddress)
one or more agents in this format (every keyword has a long and a short form; both are shown in the samples below):
Agent NameOfTheAgent
  Source "IP-Address of the NMS"
  [Source "another NMS"]
  InterfaceIP "IP-Address on the proxy the NMS will access"
  DestinationIP "real IP-address of the agent"
  Version 1
  CommunityString public
  rwComString public
  ObjectID ".1.3.6.*" r
  [ObjectID] ".1.2.3" w
  [ObjectID] ".1.1.1.*" r
endAgent
The r or w after an ObjectID is the access mode (read or write) for that OID or subtree; the short keyword r in front of a community string stands for rwComString.
Sample mysnmp.conf:
#Sample mysnmp.conf
Bugtrackmode 0
ProxyAddress "10.1.1.100"
Agent JBond
  Source "10.1.1.50"
  Source "10.1.1.60"
  InterfaceIP "10.1.1.101"
  DestinationIP "192.168.10.33"
  Version 1
  CommunityString public
  rwComString public
  ObjectID ".1.3.6.*" r
  ObjectID ".1.2.3.4.5" w
endAgent
The same with the short commands:
#Sample mysnmp.conf, short commands
b 0
p "10.1.1.100"
a JBond
  s "10.1.1.50"
  s "10.1.1.60"
  i "10.1.1.101"
  d "192.168.10.33"
  v 1
  c public
  r public
  o ".1.3.6.*" r
  o ".1.2.3.4.5" w
endAgent
For more information please read the mysnmp.conf file
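An added example, not code from the project: a parser for the mysnmp.conf layout described above, written in Python rather than the project's Java. It accepts the long and the short keywords, the ObjectID keyword being left out on later rules, and # comments; it runs the sanity checks a proxy should refuse to start without (every agent has a Source, InterfaceIP, DestinationIP and both community strings, Version is 1, and no two agents and not the ProxyAddress share an InterfaceIP); and it emits the ifconfig alias lines from the installation section for the parsed agent table. The sample configs are constructed from the page's JBond example; case-insensitive keywords, the netmask/broadcast defaults and all function names are assumptions made here.

```python
# Added example, not the project's code: a parser for the mysnmp.conf layout
# described above (long or short keywords, the ObjectID keyword optional on later
# rules, "#" comments), some start-up checks, and the ifconfig alias lines the
# agent table implies. Assumed: keywords are case-insensitive; netmask and
# broadcast of the aliases are parameters, since they depend on your subnet.
import shlex

KEYWORDS = {"bugtrackmode": "debug", "b": "debug", "proxyaddress": "proxy", "p": "proxy",
            "agent": "agent", "a": "agent", "source": "sources", "s": "sources",
            "interfaceip": "interface", "i": "interface", "destinationip": "dest", "d": "dest",
            "version": "version", "v": "version", "communitystring": "community", "c": "community",
            "rwcomstring": "rw_community", "r": "rw_community", "objectid": "oid", "o": "oid",
            "endagent": "endagent"}

SAMPLE_LONG = """
# constructed sample in long form; the second ObjectID rule omits the keyword
Bugtrackmode 0
ProxyAddress "10.1.1.100"
Agent JBond
  Source "10.1.1.50"
  Source "10.1.1.60"
  InterfaceIP "10.1.1.101"
  DestinationIP "192.168.10.33"
  Version 1
  CommunityString public
  rwComString public
  ObjectID ".1.3.6.*" r
  ".1.2.3.4.5" w
endAgent
"""
SAMPLE_SHORT = ('b 0 p "10.1.1.100" a JBond s "10.1.1.50" s "10.1.1.60" i "10.1.1.101" '
                'd "192.168.10.33" v 1 c public r public o ".1.3.6.*" r o ".1.2.3.4.5" w endAgent')

def parse_config(text):
    toks = shlex.split(text, comments=True)          # drops quotes and "#" comments
    cfg = {"debug": None, "proxy": None, "agents": []}
    agent, i = None, 0
    while i < len(toks):
        tok = toks[i]
        if agent is not None and tok.startswith("."):  # ObjectID keyword left out
            kw, i = "oid", i - 1                         # treat as if it were there
        else:
            kw = KEYWORDS.get(tok.lower())
        if kw is None:
            raise ValueError("unknown keyword %r" % tok)
        if kw == "debug":
            cfg["debug"], i = int(toks[i + 1]), i + 2
        elif kw == "proxy":
            cfg["proxy"], i = toks[i + 1], i + 2
        elif kw == "agent":
            agent = {"name": toks[i + 1], "sources": [], "oids": [], "interface": None,
                     "dest": None, "version": None, "community": None, "rw_community": None}
            i += 2
        elif agent is None:
            raise ValueError("%r outside an Agent block" % tok)
        elif kw == "endagent":
            check_agent(agent, cfg)
            cfg["agents"].append(agent)
            agent, i = None, i + 1
        elif kw == "sources":
            agent["sources"].append(toks[i + 1])
            i += 2
        elif kw == "oid":
            oid, mode = toks[i + 1], toks[i + 2]
            if mode not in ("r", "w"):
                raise ValueError("ObjectID %s: mode must be r or w, not %r" % (oid, mode))
            agent["oids"].append((oid, mode))
            i += 3
        elif kw == "version":
            agent["version"], i = int(toks[i + 1]), i + 2
        else:                                            # interface, dest, community, rw_community
            agent[kw], i = toks[i + 1], i + 2
    if agent is not None:
        raise ValueError("Agent %s not closed with endAgent" % agent["name"])
    return cfg

def check_agent(agent, cfg):
    """Refuse an entry the proxy could not serve (checks added here, not on the page)."""
    missing = [k for k in ("interface", "dest", "community", "rw_community") if not agent[k]]
    if missing or not agent["sources"]:
        raise ValueError("Agent %s: missing %s" % (agent["name"], missing or ["Source"]))
    if agent["version"] != 1:
        raise ValueError("Agent %s: only Version 1 is proxied" % agent["name"])
    if agent["interface"] in {a["interface"] for a in cfg["agents"]} | {cfg["proxy"]}:
        raise ValueError("Agent %s: InterfaceIP %s is already in use" % (agent["name"], agent["interface"]))

def alias_commands(cfg, nic="eth0", netmask="255.255.255.0", broadcast="10.1.1.255"):
    """ifconfig lines as in the RedHat instructions: ProxyAddress on the NIC, one alias per agent."""
    args = "netmask %s broadcast %s" % (netmask, broadcast)
    lines = ["ifconfig %s %s %s" % (nic, cfg["proxy"], args)]
    for n, agent in enumerate(cfg["agents"]):
        lines.append("ifconfig %s:%d %s %s" % (nic, n, agent["interface"], args))
    return lines

def config_error(text):                # error message for a broken config, None if it parses
    try:
        parse_config(text)
        return None
    except ValueError as exc:
        return str(exc)
```

The short form is parsed into exactly the same table as the long form, which is a cheap way to make sure both spellings of the keywords are understood; the ObjectID rules keep their order, since the first rule that matches an OID is the one a filter would normally apply.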
Simple run:
java Starter [configfile]
or
java -jar snmpproxy [configfile]
You have to be root, since we are using privileged ports (below 1024): the proxy listens on UDP 161 on every virtual interface and on UDP 162 on the proxy address.
This is some kind of security proxy, so there should be no direct connection between
the NMS and the agents. All traffic should be routed over the proxy, and direct access to the
agents should be blocked by a firewall (allow UDP 161 to the agents only from the proxy address, and UDP 162 from the agents only to the proxy address). Keep in mind that the Source entries and the SNMP v1 community strings are unauthenticated cleartext fields of a UDP datagram, so the firewall rules are what actually enforce the separation; the proxy only narrows what each listed NMS may ask of each agent.
The agents' trap receiver should be configured to the proxy address. If only one specific management
station is allowed to connect to an agent, this should be the proxy address as well.
In the NMS the agents are not accessed by their real addresses but by the corresponding
virtual IP on the proxy, so put the virtual address on the proxy, not the real address, in the
address field. (HP OpenView allows you to access the agents via a proxy, so put the proxy address
in the proxy field; this will do all the SNMP-NAT for you, which is why SNMP-NAT is not in the proxy (yet).)