SNMP USEC Demonstration at ComNet '96

FOR IMMEDIATE RELEASE
Contact:

Marshall T. Rose
Dover Beach Consulting, Inc.
(415) 968-1052

David Preston
Epilogue Technology Corporation
(505) 271-9933

Tom Woolf
Woolf Media Relations, Inc.
(415) 508-1554

SNMP USEC Demonstration Shows that SNMPv2 Security Is Ready

Epilogue Technology, IBM, and Other Providers Show Secure Network Management in Technology that is Ready to Interoperate with SNMPv2


WASHINGTON, D.C. (January 22, 1996) -- At ComNet '96, to be held here January 30 - February 1, Epilogue Technology Corporation and other leading SNMP implementors will jointly demonstrate the proposed User-based Security Model (USEC) extension to SNMPv2c, the current release of the Simple Network Management Protocol, approved in December. The demonstration will be conducted across the ComNet show network and will include USEC network management agents in the Epilogue Technology booth providing secure SNMP data to independently developed USEC-compliant management applications implemented by IBM and others.

The demonstration will show how simple it is to deploy and maintain a secure network management infrastructure using the current proposed USEC extension to SNMP. IBM will provide USEC support they have added to a NetView network management station running in their booth, which will interoperate with USEC-compliant SNMP agents from both Epilogue Technology and Glenn Waters of Bell-Northern Research, the original author of USEC, running in the Epilogue booth. In addition, USEC-compliant management applications written using the openly available SNMPTcl package running in the Epilogue booth will also interoperate with agents in both the Epilogue and IBM booths. (SNMPTcl is written by Marshall T. Rose of Dover Beach Consulting and Keith McCloghrie of Cisco Systems, two of the original authors of SNMP and SNMPv2.) Using a dynamic password-to-key algorithm that derives cryptographic key information, the demonstration will show how USEC can extend the current SNMP standard to add security to network management safely and simply. "Transaction security in SNMPv2 has become a point of contention in recent months," notes Marshall T. Rose of Dover Beach Consulting, one of the co-authors of USEC. "This demonstration clearly shows that USEC is ready to implement today to add security to SNMPv2. It will also demonstrate that USEC is easy to deploy, simple to use, and provides agent-friendly network management in keeping with the philosophy of SNMP."

Rose and other members of the Internet Engineering Task Force (IETF) have been developing and refining USEC since last May. The most recent lab tests of USEC, conducted at the IETF meeting in December, were very successful, and according to Rose and other IETF members the USEC security scheme proved to be both easy to use and extremely portable. At ComNet, USEC will be demonstrated along with SNMPv2. SNMPv2 is the most recent IETF-approved community standard; it includes all the administration functionality of SNMPv1 and the new mechanisms of SNMPv2, but without security. USEC extends SNMPv2c through an upgraded administrative infrastructure which incorporates security. Three independently developed USEC implementations will be shown to interoperate, thus demonstrating the universal compatibility of the emerging USEC standard.

"We were delighted to discover how easy it was to implement USEC as part of our Envoy SNMP agent," said David Preston, President of Epilogue Technology. "This demonstration shows how easy it is for independent SNMP developers to create interoperable SNMPv2 applications that provide real security. Clearly, USEC is ready to deploy as part of SNMPv2 today." The USEC security model is designed to provide a simple yet robust authentication scheme centered on the SNMP agent for network management security. USEC supports three aspects of authentication: replay protection, message integrity, and origin identity.

Replay protection is designed to prevent an intruder from capturing an SNMP packet and re-sending it at a later time, such as a command to reboot a router. Message integrity ensures that the content of a packet cannot be changed without detection, e.g., changing a command to dump the routing tables into a command to modify the routing tables. Origin identity ensures that the originator of an SNMP operation is who it claims to be. To provision USEC, the system operator first creates a user identity that is associated with a password. From the password, a cryptographic key is automatically derived. The management station will then be able to enter into a low-level interaction with the agent to establish a secure network management environment: first using authentication to establish communication, then synchronizing the station and agent clocks to prevent replay attacks, and attaching cryptographic checksums using the Keyed-MD5 algorithm. The result is a secure SNMP communication channel.
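The following is an added illustration of the three properties described above (replay protection, message integrity, origin identity) and of the provisioning flow (password to key, then keyed checksums within a clock window). It is example code written for this page, not the USEC specification text nor Epilogue's, IBM's or SNMPTcl's implementation. The page does not give the exact algorithms, so the key-derivation steps, the use of HMAC-MD5 as the keyed-MD5 construction, the 150-second window and the message layout are all assumptions, marked as such in the code.

```python
"""Added illustration of a USEC-style password-to-key derivation and
keyed-MD5 message check. Not the USEC specification's text nor any
vendor's code. Labelled assumptions (the page does not specify them):
  - key derivation: MD5 over 1 MiB of the repeated password, then MD5 with
    the agent's identifier mixed in (modelled on later SNMP USM practice);
  - keyed MD5: HMAC-MD5 (RFC 2104) over the message body;
  - replay window: 150 seconds of tolerated station/agent clock skew;
  - wire layout: [16-byte digest | 4-byte agent time | user NUL | PDU].
"""
import hashlib
import hmac
import struct

AUTH_WINDOW_SECONDS = 150   # assumption: tolerated clock skew
KEY_LEN = 16                # MD5 digest length


def password_to_key(password: str, agent_id: bytes) -> bytes:
    """Turn a user's password into a 16-byte key bound to one agent.

    Hashing 1 MiB of repeated password raises the cost of guessing it;
    mixing in agent_id means a key held by one agent is useless on another.
    """
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * ((1 << 20) // len(pw) + 1))[: 1 << 20]
    base = hashlib.md5(stretched).digest()
    return hashlib.md5(base + agent_id + base).digest()


def sign_message(key: bytes, user: str, agent_time: int, pdu: bytes) -> bytes:
    """Build the message and prepend its HMAC-MD5 digest (assumed layout)."""
    body = struct.pack("!I", agent_time) + user.encode() + b"\x00" + pdu
    digest = hmac.new(key, body, hashlib.md5).digest()
    return digest + body


class Agent:
    """Receive-side checks an SNMP agent would apply to a USEC-style message."""

    def __init__(self, agent_id: bytes, users: dict):
        self.agent_id = agent_id
        # The agent stores only derived keys, never the passwords themselves.
        self.keys = {u: password_to_key(p, agent_id) for u, p in users.items()}
        self.seen = set()   # digests already accepted inside the window

    def verify(self, message: bytes, now: int):
        """Return (accepted, reason); checks origin, integrity, then freshness."""
        if len(message) < KEY_LEN + 5:
            return False, "truncated"
        digest, body = message[:KEY_LEN], message[KEY_LEN:]
        agent_time = struct.unpack("!I", body[:4])[0]
        user, sep, _pdu = body[4:].partition(b"\x00")
        if not sep:
            return False, "malformed"
        key = self.keys.get(user.decode(errors="replace"))
        if key is None:
            return False, "unknown user"          # origin identity
        expected = hmac.new(key, body, hashlib.md5).digest()
        if not hmac.compare_digest(digest, expected):
            return False, "bad digest"            # integrity, or wrong key
        if abs(now - agent_time) > AUTH_WINDOW_SECONDS:
            return False, "outside time window"   # replay protection
        if digest in self.seen:
            return False, "duplicate"             # replay inside the window
        self.seen.add(digest)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: one operator provisioned on one agent.
    agent = Agent(b"agent-01", {"oper": "correct horse battery"})
    key = password_to_key("correct horse battery", b"agent-01")
    msg = sign_message(key, "oper", 1000, b"get sysUpTime.0")
    print(agent.verify(msg, 1000))    # accepted
    print(agent.verify(msg, 1010))    # same packet again: duplicate
    print(agent.verify(msg, 2000))    # far outside the clock window
```

The order of checks matters: the digest is verified before the timestamp is trusted, so an attacker cannot influence the replay decision by editing the time field, and a message that fails the window is not recorded as seen, so it can still be accepted if re-sent with a fresh timestamp and digest.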

"The issues regarding security in SNMPv2 really aren't about security but about the administration framework in which security operates," Rose added. "The USEC approach is in keeping with the core competencies of the original SNMP -- it makes decisions to favor small, efficient implementations rather than providing numerous options for unspecified future requirements. Put another way, with USEC we are asking the SNMP community to accept a simple, easy-to-implement, and cryptographically robust approach to authentication rather than providing hundreds of incompatible authentication and encryption options. USEC provides a simple, easy-to-deploy approach that makes it easy to provide universally compatible solutions, as we have shown here with the interoperability of several independently developed USEC solutions. Alternative SNMP security proposals add a significant amount of infrastructure to the agent and would prove impractical to use in the field. What's more important, this demonstration shows that USEC is available today, while alternative SNMPv2 security approaches haven't been tested." Anyone interested in more information about SNMP USEC can get it from The USEC Resource Page on the Internet. In addition, a USEC White Paper is available on request.

Epilogue Technology Corporation specializes in developing and marketing standards-based network management and protocol software products and support services to computer OEMs and computer systems manufacturers. Epilogue has licensed its products to more than 200 companies to date, including 3Com, Chipcom Corporation, IBM, Network General Corporation, Northern Telecom, and Optical Data Systems, among others. Epilogue customers have shipped more than 1 million network devices containing Epilogue Technology products worldwide.

Epilogue Technology Corporation is located at 11116 Desert Classic Lane, N.E., Albuquerque, NM 87111-7512; telephone: 505/271-9933; FAX: 505/271-9798.


Tom Woolf, Woolf Media Relations, Inc.
Last modified: Sat Mar 30 13:20:04 PST 1996