Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
(MIB) information. Although the IETF has defined a great many standard MIB definitions, vendors often implement these MIBs in idiosyncratic and nonstandard ways. The net result is that the greater the diversity of deployed devices within a deployment, the harder it is to identify common MIB subsets that can be used to manage devices in a consistent way—and the less useful the total management system becomes. To correct this, vendors have built management systems¹⁰ that operate at a higher level of abstraction. Such approaches overcome these limitations for the products that they support by creating localized clients that address the administrative differences between vendor products and present these differences in a regularized (abstracted) manner. Unfortunately, due to the cost of creating the clients, these systems generally support only the more commonly deployed products. Consequently, there is no single management system today that universally supports all IP products.

IP networks are historically managed using the IETF’s SNMP. The first two versions of SNMP (SNMPv1, SNMPv2) do not have security provisions. While SNMPv3 does have well-defined security capabilities, helpful functions for enabling SNMP key management within multivendor environments are optional and, therefore, irregularly supported by the various vendors. The net result is that SNMPv3 key management is questionable when deployed in large, multivendor environments, debatably making SNMPv3 among the least secure of the major IETF-defined protocols for those environments. It is also possible that SNMPv3 in large, multivendor environments may be among the more vulnerable elements to attack within those deployments—a distinctly undesirable situation for a protocol that is used to remotely configure and manage network devices.

The following sections (4.6.1 to 4.6.5) identify historic weaknesses in SNMPv3 security. These sections are listed in order of increasing importance. The IETF is currently in the process of enhancing SNMPv3 security within the Integrated Security Model for SNMP (ISMS) working group to correct many of these problems.¹¹

4.6.1 The SNMP has no Provisions for Two-Factor Authentication.

Many deployments require their system and network administrators to undergo two-factor authentication to increase the difficulty of hostile attackers successfully impersonating these important functions. SNMPv3 has no provisions to authenticate based on PKI, password, biometrics, or almost anything else. SNMPv3 authentication is solely based on the user’s symmetric authentication key. Therefore, the protocol has no provisions for supporting two-factor authentication.

4.6.2 The SNMP Symmetric Keys may be Assembled From Passwords.

The symmetric keys that are used to authenticate and provide privacy for SNMP communications may be independently established for each user or they may be algorithmically constructed from the user’s password. Although the former technique results in significantly better security, the latter is frequently used because it is the only commonly deployed
¹⁰ e.g., HP OpenView; see http://www.managementsoftware.hp.com/
¹¹ See http://www.ietf.org/html.charters/isms-charter.html
44
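As an added worked example (not part of the FAA report), the password-to-key construction that section 4.6.2 refers to is the one standardized in RFC 3414 for the SNMPv3 User-based Security Model: the password is stretched to 1 MiB, hashed to an intermediate key Ku, then localized to one agent's snmpEngineID. The password and engine ID used here are the published test vector from RFC 3414 Appendix A.3; the second engine ID is a constructed value, and `independent_key` illustrates the alternative the report calls significantly better: a per-user key that is not a function of any password.

```python
"""RFC 3414 (SNMPv3 USM) password-to-key derivation, as an added illustration.

Two ways a user's symmetric key can come into being:
  * derived from a password (RFC 3414 Appendix A.2) and localized to an agent, or
  * generated independently as random key material (the stronger option).
The password and engine ID below are the RFC 3414 Appendix A.3 test vector;
nothing here comes from a live deployment.
"""
import hashlib
import os

ONE_MEBIBYTE = 1_048_576  # RFC 3414 A.2: hash exactly 1,048,576 password bytes


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to fill 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps = ONE_MEBIBYTE // len(password) + 1
    stream = (password * reps)[:ONE_MEBIBYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to a single agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full RFC 3414 path from a user's password to the agent-localized key."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def independent_key(hash_name: str = "md5") -> bytes:
    """Per-user key established independently of any password.
    Its strength is the full digest length, not the guessability of a password."""
    return os.urandom(hashlib.new(hash_name).digest_size)


# RFC 3414 Appendix A.3 test vector (constructed demonstration values).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    kul = password_to_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "md5")
    print("MD5 localized key:", kul.hex())
    # Same password on a second (constructed) engine ID yields a different Kul,
    # yet every such key still rests on the one guessable password.
    other = password_to_key(RFC3414_PASSWORD, bytes.fromhex("800000020109840301"), "md5")
    print("Different engine, different Kul:", other != kul)
    print("Independent 20-byte key:", independent_key("sha1").hex())
```

Localization means an agent's leaked Kul does not expose the keys of other agents, but because Ku is a deterministic function of the password, every localized key is only as strong as that password.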