Traditional network service programs, such as File Transfer Protocol (FTP) and Telnet, adopt only simple security authentication and take no security measures in their transfer architecture or implementation. As a result, data transferred between users and servers is easily attacked by network hackers. To ensure the security of data transfer, SSH has gradually replaced traditional network service programs because of its secure features.
When SSH is used, the SSH protocol is established between the application layer and the transport layer. The SSH protocol mainly includes a transport layer protocol, a user authentication protocol and a connection protocol. The transport layer protocol, which runs over the Transmission Control Protocol (TCP), provides not only security measures, such as authentication, confidentiality and integrity validation, but also a data compression function. The user authentication protocol, implemented over the transport layer protocol, performs identity authentication between servers and clients. The connection protocol, implemented over the user authentication protocol, multiplexes multiple logical channels over the single encrypted connection. Users can encrypt and compress all transferred data by using SSH, thereby ensuring the security of the data and accelerating the data transfer.
Simple Network Management Protocol (SNMP) is an application layer protocol and a standard protocol for managing network devices, such as servers, workstations, routers, switches and hubs. It is implemented between network management agent software running on the managed device and a network management station.
In consideration of the security of SNMP, the Internet Engineering Task Force (IETF) has proposed the SNMPv3 standard, which adds a user-based security model (USM) and a view-based access control model (VACM). The USM requires that security parameters, such as a shared key, be configured for each pair of SNMP engines that communicate with each other. In general networks, one managed device may be managed by multiple network management stations, while at the same time one network management station may need to manage a large number of devices. Therefore, the workload of configuring security parameters is generally very heavy.
To solve this problem, the IETF proposed that SSH be used to transport the SNMPv3 protocol. In order to reduce the cost of the device detection procedure, a method that combines SSH transport with User Datagram Protocol (UDP) transport has been proposed: the network management station uses SNMP in UDP transport mode to detect the managed device and uses SNMP in SSH transport mode to manage it. Specifically, when the UDP transport mode is used, since there may be no shared key between the network management station and the device to be detected, the security level of the SNMPv3 communication is configured to noAuthNoPriv, which means that neither packet validation nor secrecy measures are required. In this way, the USM of SNMP need not validate and encrypt packets, thereby reducing the cost of device detection. Since the detected device performs no access control on the SNMP system information, the user can obtain the system information even without validation. When a connection is established by using SSH to transport SNMP, the managed device is first handled by out-of-band management, that is, the host key is obtained by manual configuration, and identity authentication to the network management station server is then implemented based on the obtained host key. When the validation passes, a communication link is established between the managed device and the server.
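The two transport modes described above, modelled as an added Python example (this is not code from the original text, nor from any SNMP or SSH implementation): a managed device answers UDP requests at the noAuthNoPriv level only for the system group, requires a per-station shared USM key for anything else, and exposes the full MIB only inside an SSH session whose host key the station has configured out of band. The device, station and OID names, the keys, the fingerprint comparison and the HMAC-SHA-256 stand-in for the USM authentication parameter are constructed assumptions for illustration.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional


class SecurityLevel(Enum):
    NO_AUTH_NO_PRIV = "noAuthNoPriv"
    AUTH_NO_PRIV = "authNoPriv"


def usm_mac(shared_key: bytes, payload: bytes) -> bytes:
    """HMAC over a request; an assumed stand-in for the USM authentication parameter."""
    return hmac.new(shared_key, payload, hashlib.sha256).digest()


class ManagedDevice:
    """Constructed model of a managed device serving SNMP over UDP and over SSH."""

    def __init__(self, name: str, host_key: bytes, mib: dict, usm_keys: Optional[dict] = None):
        self.name = name
        self.host_key = host_key          # public host key the device's SSH server presents
        self.mib = mib                    # OID name -> value
        self.usm_keys = usm_keys or {}    # station name -> shared USM authentication key

    def udp_get(self, station: str, level: SecurityLevel, oid: str, mac: bytes = b"") -> str:
        if level is SecurityLevel.NO_AUTH_NO_PRIV:
            # USM performs no validation; only the system group is readable without a key.
            if oid.startswith("system."):
                return self.mib[oid]
            raise PermissionError(f"{oid} requires an authenticated request")
        key = self.usm_keys.get(station)
        if key is None:
            raise PermissionError(f"no shared key configured for station {station}")
        if not hmac.compare_digest(usm_mac(key, oid.encode()), mac):
            raise PermissionError("USM authentication failed")
        return self.mib[oid]

    def ssh_get(self, oid: str) -> str:
        # Inside an established SSH session the peer is already authenticated by SSH,
        # so the full MIB is reachable without a per-pair USM key.
        return self.mib[oid]


class ManagementStation:
    def __init__(self, name: str):
        self.name = name
        self.known_hosts: dict = {}   # device name -> SHA-256 fingerprint of its host key

    def configure_host_key_out_of_band(self, device_name: str, host_key: bytes) -> None:
        """Manual (out-of-band) host key configuration, as the passage describes."""
        self.known_hosts[device_name] = hashlib.sha256(host_key).hexdigest()

    def discover(self, device: ManagedDevice) -> str:
        """Detection step: UDP transport, noAuthNoPriv, system information only."""
        return device.udp_get(self.name, SecurityLevel.NO_AUTH_NO_PRIV, "system.sysDescr")

    def manage_over_ssh(self, device: ManagedDevice, presented_host_key: bytes, oid: str) -> str:
        """Management step: refuse the link unless the presented host key matches the configured one."""
        expected = self.known_hosts.get(device.name)
        if expected is None:
            raise ConnectionRefusedError(f"no out-of-band host key for {device.name}")
        presented = hashlib.sha256(presented_host_key).hexdigest()
        if not hmac.compare_digest(expected, presented):
            raise ConnectionRefusedError(f"host key mismatch for {device.name}")
        return device.ssh_get(oid)


def demo() -> dict:
    """Walk through detection, the two refusals, and a successful SSH-transported query."""
    device = ManagedDevice(
        "router-1",
        host_key=b"constructed-host-key-router-1",
        mib={"system.sysDescr": "Toy router", "interfaces.ifAdminStatus.1": "up"},
    )
    station = ManagementStation("nms-a")
    results = {"discovered": station.discover(device)}
    try:
        device.udp_get(station.name, SecurityLevel.NO_AUTH_NO_PRIV, "interfaces.ifAdminStatus.1")
        results["udp_noauth_full_mib"] = "allowed"
    except PermissionError:
        results["udp_noauth_full_mib"] = "refused"
    try:
        station.manage_over_ssh(device, device.host_key, "interfaces.ifAdminStatus.1")
        results["ssh_without_known_key"] = "allowed"
    except ConnectionRefusedError:
        results["ssh_without_known_key"] = "refused"
    station.configure_host_key_out_of_band(device.name, device.host_key)
    results["ssh_with_known_key"] = station.manage_over_ssh(device, device.host_key, "interfaces.ifAdminStatus.1")
    try:
        station.manage_over_ssh(device, b"constructed-key-of-another-host", "interfaces.ifAdminStatus.1")
        results["ssh_key_mismatch"] = "allowed"
    except ConnectionRefusedError:
        results["ssh_key_mismatch"] = "refused"
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point of the model is the asymmetry the passage relies on: the cheap UDP path skips USM work but yields only the system group, while the SSH path gives full access without pairwise USM keys only because the station refuses both an unconfigured and a mismatching host key, so the out-of-band configuration step is what the management link's authentication rests on.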