snmpv3? JMX!

An interesting tidbit from a visit to a customer specializing in monitoring/management of large-scale deployments - few companies in their experience are deploying SNMPv3-based management solutions.

SNMPv1 and SNMPv2c are widely used for deploying monitoring solutions, but they don't offer any security, so they aren't appropriate for management: if your SNMP MIB has any modifiable OIDs, it becomes wide open to attack.

SNMPv2usec provides a security model, but was never a standard (it never left "experimental" status), and didn't get very widely deployed. SNMPv3 does provide a strong security model, and thus is much more appropriate for management-style applications.

So why isn't SNMPv3 perceived as catching on for management? Probably two reasons - one is that it's really hard to configure the security aspects of SNMP, and the other is that SNMP is such a Simple Network Management Protocol that doing any state-changing operations is really painful when all you can do is set the values of elements in a MIB - doing anything that requires function parameters becomes a real pain!

SNMPv3 has its own security model, which requires considerable configuration before it is operational, and that model doesn't tie in with the platform security model. That is a shame, since it means you have to manage an SNMP-specific set-up rather than setting up accounts and permissions just once. Being able to integrate into the "platform security model" (see Wikipedia: Pluggable Authentication Modules) or the network identity model is a real boon.

It would appear that whilst SNMP will always be around for monitoring, people are using other protocols to deal with management. There are various specific protocols for niche areas of the management space such as IPMI, but in terms of general-purpose solutions the two that seem to stand out in terms of mind-share are JMX (available in all Java platforms) and the newly emerging WS-MAN standard.

JMX is a great technology for Java-based management. It's really easy to use, it doesn't impose any top-down modeling paradigm (e.g. you don't need to model a MIB, then compile the MIB to get code - you can just write Java), and it's built-in to the Java platform.
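To make the contrast with SNMP's set-only model concrete, here is an added example (not code from the original post) of a Standard MBean whose operation takes typed parameters and validates them in the agent. The class names, the `example.demo` object name and the 1..1000 range are assumptions made for illustration.

```java
import java.lang.management.ManagementFactory;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.RuntimeMBeanException;

public class JmxOperationDemo {
    // Management interface: JMX derives attributes and operations from it by reflection,
    // so there is no MIB to model or compile. (Hypothetical names.)
    public interface ConnectionPoolMBean {
        int getMaxConnections();                      // read-only attribute "MaxConnections"
        String resize(int newMax, boolean dropIdle);  // operation with typed parameters
    }

    public static class ConnectionPool implements ConnectionPoolMBean {
        private int maxConnections = 10;

        @Override
        public synchronized int getMaxConnections() { return maxConnections; }

        @Override
        public synchronized String resize(int newMax, boolean dropIdle) {
            // Validate in the agent: the arguments come from a management client.
            if (newMax < 1 || newMax > 1000) {        // assumed limits for the demo
                throw new IllegalArgumentException("newMax out of range: " + newMax);
            }
            int old = maxConnections;
            maxConnections = newMax;
            return "resized " + old + " -> " + newMax + (dropIdle ? " (idle dropped)" : "");
        }
    }

    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example.demo:type=ConnectionPool"); // constructed name
        mbs.registerMBean(new ConnectionPool(), name);

        // One call carries both parameters; with SNMP this would be several SETs on MIB elements.
        String[] signature = {"int", "boolean"};
        System.out.println(mbs.invoke(name, "resize", new Object[] {50, true}, signature));
        System.out.println("MaxConnections = " + mbs.getAttribute(name, "MaxConnections"));

        // A bad request is rejected by the range check instead of being applied.
        try {
            mbs.invoke(name, "resize", new Object[] {0, false}, signature);
        } catch (RuntimeMBeanException e) {
            System.out.println("rejected: " + e.getCause().getMessage());
        }
    }
}
```

The demo talks to the in-process MBeanServer only; it opens no remote connector.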

WS-MAN is emerging as one of the web 2.0 ws-\* web-services. It's more flexible than JMX in that it's a generic web-service that you can code up against in any language, but it's not going to be as performant as something like JMX for exactly those same reasons - web-services in XML are notoriously verbose and inefficient on the wire.

If you're a Java programmer, then you'll be interested to know that you can write manager (client-side) or agent (server-side) software for all of these protocols in Java:

Other interesting blogs and articles around these subjects include:
