SNMP systems provide relatively easy management of computer network systems. Their advantages have been known for some time, and thus SNMP systems are fairly ubiquitous in the network industry.
Another ubiquitous component in computer networks is the firewall. Firewalls, as those of ordinary skill can attest, are very important in protecting the integrity and safety of both the physical components and the data contained therein. Notwithstanding their significance, however, firewalls can add a level of complexity to communications between those outside the firewall and those inside the firewall.
For example, it is well known to those of ordinary skill that certain firewalls will have different policies in regard to Internet Protocol (IP) communications. Some firewalls will have no drop policies, and in some cases, the firewalls will have a drop policy such that IP packet fragmentation is not allowed, as Denial of Service attacks commonly use fragmented packets. In the former, with no fragmentation drop policy, there should be no missed communications, or lost messages. Thus, for example, if an SNMP GetRequest is sent to a managed node across a firewall, and if the SNMP response to the GetRequest is greater than the allowed maximum transmission unit (MTU) that intermediate routers are allowing, then the packet will become fragmented before being forwarded to the next hop. If there are no drop policies, then the fragmented parts of the original SNMP response will be forwarded through the firewall to the SNMP manager.
However, if the firewall does have a drop policy, such that fragmented packets are not allowed (i.e., the fragmented packets will not be forwarded), then the packet is silently dropped by the intermediate firewall without notifying the end recipient (i.e., the SNMP manager) of the dropped packets. It is as if there were no response at all; in this case, the SNMP manager is left to wonder whether the original transmission made it to the destination, whether the communication was interrupted in transit, or whether the recipient is not working properly, among other problems.
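The following model of the two cases just described is an added example and is not part of the patent text. It assumes an IPv4 header of 20 octets without options, an 8-octet UDP header, and a constructed filler PDU in place of a real BER-encoded SNMP response; it fragments the response datagram for a given MTU, applies either firewall policy, and reports whether the SNMP manager can reassemble anything, together with the largest PDU that crosses a link of that MTU unfragmented.

```python
from typing import List, Optional, Tuple

IP_HEADER_LEN = 20   # IPv4 header without options (assumption)
UDP_HEADER_LEN = 8   # SNMP rides on UDP

def max_unfragmented_pdu(mtu: int) -> int:
    """Largest SNMP PDU that fits one unfragmented datagram at this MTU."""
    return mtu - IP_HEADER_LEN - UDP_HEADER_LEN

def fragment_datagram(payload: bytes, mtu: int) -> List[Tuple[int, bool, bytes]]:
    """Split an IP payload (UDP header + PDU) into (offset in 8-octet units, MF flag, data).
    Each fragment carries its own IP header; all but the last hold a multiple of 8 octets."""
    room = mtu - IP_HEADER_LEN
    if len(payload) <= room:
        return [(0, False, payload)]
    step = room // 8 * 8
    return [(pos // 8, pos + step < len(payload), payload[pos:pos + step])
            for pos in range(0, len(payload), step)]

def firewall_forward(frags, drop_fragments: bool):
    """Either forward everything, or silently drop any packet that belongs to a
    fragmented datagram (non-zero offset or MF set), as the text describes."""
    if not drop_fragments:
        return list(frags)
    return [f for f in frags if f[0] == 0 and not f[1]]

def manager_reassemble(frags) -> Optional[bytes]:
    """SNMP manager side. None means no complete datagram arrived, which the manager
    cannot distinguish from an unreachable or unresponsive agent."""
    if not frags:
        return None
    out, expected, last_more = b"", 0, True
    for offset, more, data in sorted(frags, key=lambda f: f[0]):
        if offset * 8 != expected:
            return None          # hole in the sequence: reassembly never completes
        out += data
        expected += len(data)
        last_more = more
    return None if last_more else out

def simulate_get_response(pdu_len: int, mtu: int, drop_fragments: bool) -> Tuple[int, bool]:
    """Send a GetResponse of pdu_len octets across a path with this MTU and policy.
    Returns (fragments on the wire, delivered intact to the manager)."""
    pdu = b"\x30" * pdu_len            # constructed filler, not a real BER-encoded PDU
    payload = bytes(UDP_HEADER_LEN) + pdu
    frags = fragment_datagram(payload, mtu)
    delivered = manager_reassemble(firewall_forward(frags, drop_fragments))
    return len(frags), delivered == payload
```

With a 1500-octet MTU, a 300-octet response arrives under both policies, while a 3000-octet response becomes three fragments that only the no-drop firewall lets through; `max_unfragmented_pdu(1500)` gives 1472 octets as the response size a manager can rely on across a fragment-dropping firewall.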
As discussed above, firewalls are designed to provide protection to the external networks to which they are connected. One example of protection is warding off denial of service (DoS) or distributed denial of service (DDoS) attacks. As its name implies, a DoS attack is an attempt to make a computer resource or network unavailable to its intended users. There are many different methods for carrying out DoS attacks, but the overall goal is to prevent the computer resource or intended network from functioning properly. The attacks can cause temporary outages, or, in extreme cases, can put systems out of service for extended periods of time. There are, as those of ordinary skill in the art can appreciate, other reasons why a firewall will prevent successful communications between the SNMP manager and the managed nodes/agents. For example, it is possible that the firewall will prevent communications if JumboFrames (greater than about 1500 octets) are involved, among other reasons.
A common method of attack involves saturating the computer resource or intended network with numerous external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. The consequence of these attacks generally forces the computer resource or intended network to reset, which means that it goes “off-line” for a period of time, or it uses so many resources that it cannot respond to legitimate uses, and thus is effectively off-line for the legitimate users. Therefore, providers of firewalls have included in their arsenal of countermeasures DoS defenses that attempt to prevent the takedown of the intended computer resource or network.
However, as those of ordinary skill can attest, legitimate (i.e., non-malicious) users can prompt a DoS defense that thwarts their request for data or communications. For example, if a legitimate user requests data or communicates with firewall protected nodes and exceeds the size limitation, then a DoS defense can be generated, thereby negating a legitimate use of the protected computer resource or network. One example of when this can occur is with the SNMP generated GetRequest; if the response to the legitimate GetRequest exceeds the size limitations for a firewall, then the communication can be effectively lost, although the SNMP manager has no knowledge or understanding of how or why the communication failure occurred.
Therefore, there is a need for a solution that enables proper exchange of SNMP messages when a drop policy is in place on a firewall.