Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.
Simple Network Management Protocol (SNMP) is a network protocol that is native to IP networks and compatible with most network devices. SNMP monitoring provides a standardized way for network engineers and admins to gather information about networking equipment, and helps ensure that a company’s network is running smoothly. Many network monitoring tools rely on SNMP to gain visibility into network infrastructure, such as routers, switches, and firewalls. SNMP was developed in 1988 as a utility to be standardized across all networking equipment. Major network appliance vendors built SNMP support into their devices so network engineers had a uniform way to gather information from their devices, independent of the vendor they purchased their equipment from. Today, few additional protocols have been as widely adopted as SNMP. In this article, we’ll discuss how SNMP monitoring works, the key types of information you can collect with it, and how to get started with using SNMP to monitor your networking equipment. How SNMP Monitoring WorksSNMP monitoring can be used to collect information from your entire fleet of network devices. SNMP relies on a client-server application model, where a software server component (the SNMP Manager) collects information by querying a software client component (the SNMP Agent), which runs on a network device. You can also configure the SNMP Agent to send information to the manager without being queried. The SNMP Agent comes pre-installed on most network devices. To start collecting device information, you would enable SNMP on the device, and configure an SNMP Manager to begin communicating with the device. Components of SNMP MonitoringSNMP provides a flexible framework, with several components working together to enable network engineers to monitor the health and performance of devices:
These pieces work together to allow network engineers to extract useful information from network devices, regardless of the vendor, the device type, or the software running on the device. SNMP Monitoring CommandsThe SNMP Manager uses a set of commands to get information about managed devices from SNMP Agents. Agents also use commands to send device information to managers. These are some basic SNMP commands that managers and agents use for monitoring network devices:
Note that in most cases, network engineers and admins don’t explicitly run these commands. Rather, they rely on monitoring applications to run SNMP commands behind the scenes and gather data from devices. As the SNMP protocol has matured, additional features have been added to improve its security and efficiency. Under v1, the initial version of the protocol, SNMP managers would authenticate to SNMP agents through the use of a password (called a community string). However, this community string was sent in plain text, making it easy for unauthorized parties to gain access to device information. In addition, SNMP v1 supported only 32-bit counters when it counted the bytes transferred through network interfaces. After reaching the 32-bit limit (approximately 4.3 billion bytes), the counter would reset, and you would lose the device data you had collected to that point. This limitation made it challenging to measure throughput in large, modern networks. The release of SNMP v2, which is still widely used today, helped resolve some of the weaknesses of SNMP v1. First, SNMP v2 added 64-bit counters to accommodate higher network throughputs. This version also introduced new commands to expand the functionality and improve the efficiency of the protocol. For example, the GetBulk command introduced the ability for SNMP managers to fetch multiple pieces of information about a device by using a single message. The Trap command gave SNMP agents the ability to asynchronously send data to an SNMP Manager without being polled. SNMP v3 is the most secure of the three versions. In this most recent version, a username and password are required to retrieve device information, and device data is encrypted. Because of these enhanced security measures, v3 is the version of SNMP that is recommended for devices that are reachable from the public internet. SNMP MetricsSNMP allows you to collect a wide variety of metrics from network devices, such as uptime, throughput, temperature, interface errors, CPU utilization, and memory usage. An advanced SNMP-compatible monitoring tool enables teams to analyze changes in such metrics over time, to visualize their metrics in dashboards, and to alert on metrics that exceed a specified threshold. To add more context to metrics, some network monitoring tools offer tagging. Tags add dimensions to your device metrics so that the performance of different subsets of devices can be aggregated, analyzed, and compared. For example, you can tag each device by datacenter location to understand if devices within a specific datacenter are exhibiting an outsized number of errors. Network engineers and admins are responsible for ensuring that their organization’s network is continuously available and performing as expected. In order to help ensure network health and performance, you need visibility into the performance of all your network devices. Datadog Network Device Monitoring (NDM) leverages SNMP to automatically discover and monitor network devices at any scale and across multiple vendors. You can aggregate metrics across all devices or use tags to filter down to a specific subset when you are investigating a network outage or incident. With machine-learning based alerts, you can get notified automatically when bandwidth utilization or another metric approaches a critical threshold. Most importantly, a single pane of glass unifies network device metrics with infrastructure, application, and security metrics. Thanks to this unified view, engineers and administrators across an organization can work together to monitor and improve the delivery of the company’s services over the network. Get started with Network Device Monitoring today to get complete visibility into your network. Datadog provides visibility into your entire inventory of SNMP-managed devices. |