Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Wireless security wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Computer security wikipedia , lookup
Computer network wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Distributed firewall wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
INFO 331 Computer Networking Technology II Chapter 9 Network Management Dr. Jennifer Booker INFO 331 chapter 9 1 www.ischool.drexel.edu Network Management History • Network management didn’t exist in its current form until the 1980’s – From the ’40s to ’70s, networks were typically very homogeneous (proprietary-only), so network management tools were specific to that insular environment, if used at all – The advent of the PC and Macintosh made networks get much more heterogeneous, and increased the complexity of network management INFO 331 chapter 9 2 www.ischool.drexel.edu Network Management • A network typically consists of many unrelated types of equipment, which are all supposed to work together in perfect harmony, in spite of the myriad protocols, operating systems, interfaces, etc. involved – – – – Servers and workstations Routers, switches, and hubs Wireless access points and hosts Firewalls INFO 331 chapter 9 3 www.ischool.drexel.edu Network Management • In order to manage this mess, there is often a Network Operations Center (NOC) to coordinate maintenance, upgrades, monitoring, optimization (if you have time), repairs, etc. – Akin to a pilot’s cockpit, or the control room for a power station, or the mixing board at a concert INFO 331 chapter 9 4 www.ischool.drexel.edu Network Management • We need to know – What to monitor • What is worth focusing your attention on? – How to analyze what we see – How to respond to changing conditions (fix problems) – How to proactively manage the system (prevent problems) INFO 331 chapter 9 5 www.ischool.drexel.edu Typical Problems • Even a simple network can have challenges which help motivate the need for network management • Detect interface card failure at a host or router – The host or router might report the interface failure to the NOC – Better, network monitoring might reveal imminent failure, so the card is replaced before failure INFO 331 chapter 9 6 www.ischool.drexel.edu Typical Problems • Monitor traffic to guide resource deployment – Traffic patterns or congestion monitoring can show which parts of the network are most used – This could lead to improved usage of servers, simplifying physical layout or improving the speed of high traffic LAN segments, or make good upgrade decisions INFO 331 chapter 9 7 www.ischool.drexel.edu Typical Problems • Detect rapid routing changes – Routing can become unstable, causing rapid changes in routing tables (route flapping) – The network admin would like to know this is happening before something crashes as a result! • Host is down – Network monitoring could detect a system down before the user notices it INFO 331 chapter 9 8 www.ischool.drexel.edu Typical Problems • Monitor SLAs Not this SLA! – Service Level Agreements (SLAs) are contracts to guarantee specific services, such as Internet service, in terms of availability, throughput, latency, and other agreed-upon measures • Major ISPs (tier 1) can provide SLAs to major business customers – If you pay for this service, it’s nice to know if they are really providing what you paid for! Image from www.answers.com/topic/symbionese-liberation-army INFO 331 chapter 9 9 www.ischool.drexel.edu Typical Problems • Intrusion detection – The network admin can look for traffic from odd sources, destined for unusual ports, lots of SYN packets, and other security threats we recently covered – This can lead to refinement of filters & firewalls INFO 331 chapter 9 10 www.ischool.drexel.edu ISO Network Management • ISO has produced guidance on the types of network management activities – ISO network management (ISO/IEC 10733:1998) – ISO security management (ISO/IEC TR 13335:2004, ISO/IEC 18026:2009 and ISO/IEC 18028-1:2006) • See Global IHS for buying ISO standards INFO 331 chapter 9 11 www.ischool.drexel.edu ISO Network Management • Cisco overview white paper (free, unlike ISO standards, and summarized herein thru slide 35) • ISO identifies five areas of network management – Fault, configuration, performance, security, and accounting management INFO 331 chapter 9 12 www.ischool.drexel.edu ISO Network Management • Fault Management – Detect, isolate, notify, and correct faults encountered in the network • Configuration Management – Configuration aspects of network devices such as configuration file management, inventory management, and software management INFO 331 chapter 9 13 www.ischool.drexel.edu ISO Network Management • Performance Management – Monitor and measure various aspects of performance so that overall performance can be maintained at an acceptable level • Security Management – Provide access to network devices and corporate resources to authorized individuals • Accounting Management – Usage information of network resources INFO 331 chapter 9 14 www.ischool.drexel.edu Fault Management • This is the main focus of network management for most organizations • Faults are errors or problems in the network – Often a shorter term perspective than performance management • Hence fast detection of problems is critical, often via color-coded graphical network maps INFO 331 chapter 9 15 www.ischool.drexel.edu Fault Management • Typically want a network management platform to do: – Network discovery and topology mapping – Event handler – Performance data collection and presentation – Management data browsing • Network management platforms include HP OpenView, Aprisma Spectrum, and Sun Solstice INFO 331 chapter 9 16 www.ischool.drexel.edu Fault Management • Devices can send SNMP traps (RFC 3410) of events which change their status • These events are logged, such as in a Management Information Base (MIB) • Platforms can be geographically located, and communicate with each other to centralize network monitoring – Web interfaces on devices can allow remote management and configuration INFO 331 chapter 9 17 www.ischool.drexel.edu Fault Management • Equipment vendors often use different management systems – They can communicate using CORBA or CIM standards to exchange management data • Troubleshooting a network often uses TFTP and syslog servers – The trivial FTP (TFTP) server stores configuration files; routers and switches can send system log (syslog) messages to the syslog server INFO 331 chapter 9 18 www.ischool.drexel.edu Fault Management • Faults can be detected with SNMP trap events, SNMP polling, remote monitoring (RMON, RFC 2819) and syslog messages – Module changing to up or down state – Chassis alarms for hardware failures (fans, memory, voltage levels, temperature, etc.) – Responses can be just notification and logging of the event, or shutdown of that device, e.g. temps can be defined for warning, critical, or shutdown INFO 331 chapter 9 19 www.ischool.drexel.edu Fault Management • Fault detection can also be done at the protocol or interface levels – Such as a router interface failure • A management station polls the device to determine status or measure something (CPU usage, buffer failure, I/O drops, etc.), and flags it with an RMON alarm when the measure exceeds some threshold value INFO 331 chapter 9 20 www.ischool.drexel.edu Configuration Management • Configuration management (CM) tracks equipment and software in the network • Can assess which elements are causing trouble, or which vendors are preferred – What if a vendor recalls a certain device? Do you have any of them? Where? – Whose routers or switches are most reliable? – Where do you send a service vendor to replace a dead router? INFO 331 chapter 9 21 www.ischool.drexel.edu Configuration Management • CM data includes – Make, model, version, serial number of equipment – Software versions and licenses – Physical location of hardware • Site, building, room, rack number, etc. – Contact info for equipment owners and service vendors • Naming conventions are often used to keep names meaningful, not just yoda.drexel.edu INFO 331 chapter 9 22 www.ischool.drexel.edu Configuration Management • CM also includes file management – Changes to device configuration files should be carefully controlled, so that older versions can be used if the new ones don’t work – A change audit log can help track changes, and who made them • Inventory management is based on the ability to discover what devices exist, and their configuration information INFO 331 chapter 9 23 www.ischool.drexel.edu Configuration Management • Software management can include the automation of software upgrades across devices – Download new software images, verify compatibility with hardware, back up existing software, then load new software – Large sites may script the process and run during low activity times INFO 331 chapter 9 24 www.ischool.drexel.edu Performance Management • The same SNMP methods to capture fault data can be used for performance data, such as queue drops, ignored packets, etc. – These can be used to assess SLA compliance • On a larger scale, WAN protocols (frame relay, ATM, ISDN) can also collect performance data INFO 331 chapter 9 25 www.ischool.drexel.edu Performance Management • Performance management tools include – Concord Network Health – InfoVista VistaView – SAS IT Service Vision – Trinagy TREND • These all collect, store, and analyze data from around one’s enterprise, and typically use web-based interfaces to allow access to it from anywhere INFO 331 chapter 9 26 www.ischool.drexel.edu Performance Management • Increased network traffic has led to more attention to user and application traffic – RFC 4502 (replacing RFCs 2021 and 3273) defines how RMON can be used to analyze applications and the network layer, not just lower layer (e.g. MAC) protocols – Many other performance monitoring tools exist, e.g. Cisco NetFlow INFO 331 chapter 9 27 www.ischool.drexel.edu Security Management • Security management covers controlling access to the network and its resources – Can include monitoring user login, refusing access to failed login attempts, as well as either intentional or unintentional sabotage • Security management starts with good policies and procedures – The minimum security settings for routers, switches, and hosts is important to define INFO 331 chapter 9 28 www.ischool.drexel.edu Security Management • Methods for control of security at the device level (router) include – Access control lists (ACLs) and what they are permitted to do – User ID’s and passwords – Terminal Access Controller Access Control System (TACACS) • TACACS (RFC 1492) is a security protocol between devices and a TACACS server INFO 331 chapter 9 29 www.ischool.drexel.edu Security Management • A refinement of TACACS is TACACS+, which gives more detailed control over who can access a given device – It separates the Authentication (verify user), Authorization (control remote access to device), and Accounting functions (collect security information for network management) (AAA) INFO 331 chapter 9 30 www.ischool.drexel.edu Security Management • In Cisco’s world, AAA functions are managed with commands such as – – – – – aaa tacacs-server set authentication set authorization set accounting INFO 331 chapter 9 31 www.ischool.drexel.edu Security Management • In SNMP, configuration changes can be made to routers and switches just like from a command line – Hence strong SNMP passwords are critical! – SNMP management hosts (‘managing entities’ in Kurose) should have static IP, and sole SNMP rights with network devices (managed devices) according to a specific Access Control List (ACL) INFO 331 chapter 9 32 www.ischool.drexel.edu Security Management • SNMP can set router security: – Privilege Level = RO (read only) or = RW (read and write); only RW can change router settings – Access Control List (ACL) can be set to only allow specific hosts to request router management info; ACL control over interfaces can help prevent spoofing INFO 331 chapter 9 33 www.ischool.drexel.edu Security Management – View – controls what router data can be viewed – SNMPv3 provides secure exchange of data • Switches can restrict Telnet and SNMP via an IP Permit List INFO 331 chapter 9 34 www.ischool.drexel.edu Accounting Management • Accounting management measures utilization of the network so that specific groups or users can be billed correctly for snarfing up resources – Yes, it’s all about money – Data can be collected using various tools, such as NetFlow, IP Accounting, Evident Software • This can also be used to measure how well SLAs are being followed or not INFO 331 chapter 9 35 www.ischool.drexel.edu Other aspects of net mgmt • So network management is a huge field • We’ll focus on basic infrastructure issues – Omit service management, network administration, provisioning, and sizing networks (see TINA and TMN standards) INFO 331 chapter 9 36 www.ischool.drexel.edu Network Management Infrastructure • Network management is like the CEO of an organization getting status reports from middle managers, and they get status from first line managers – The CEO has to make decisions about the entire company based on this data • Corrective action may be needed, based on good or bad results obtained • The CEO of General Motors may build new plants, or shut others down INFO 331 chapter 9 37 www.ischool.drexel.edu Network Management Infrastructure • Network management establishes managers (called managing entities, often located in a NOC) who are allowed (via an ACL) to talk to network devices (managed devices, such as servers or routers) – Each managed device has a network management agent, who collects the desired data – Each managed device has one or more managed objects (such as network cards, memory chips, etc.) INFO 331 chapter 9 38 www.ischool.drexel.edu Network Management Infrastructure INFO 331 chapter 9 39 www.ischool.drexel.edu Network Management Infrastructure • Descriptions of all managed objects, and the devices they belong to, are collected in the Management Information Base (MIB) – A MIB is a database of managed object data • Managed devices communicate with managing entities using a network management protocol – Devices don’t generally talk to each other, but managing entities can INFO 331 chapter 9 40 www.ischool.drexel.edu Network Management Infrastructure • The network management protocol doesn’t To managing manage the entity network per se – it just provides a means for the network admin to do so INFO 331 chapter 9 Managed device (host, server, router, printer, etc.) Network mgmt Agent Managed object 1 Managed object 2 41 www.ischool.drexel.edu Network Management Standards • The architecture just described applies to most any network management approach • Many specific standards have been developed – The OSI CMISE/CMIP standards, used in telecommunications – In the Internet, SNMP (Simple Network Management Protocol, RFCs 3411-3418) • We’ll focus on SNMP INFO 331 chapter 9 42 www.ischool.drexel.edu SNMP isn’t Simple! • Derived from SGMP (RFC 1028, 1987) • Key goals of network management include – What is being monitored? – What form of control does the network administrator have? – What is the form of data reported and exchanged? – What is the communication protocol for the exchange of data? INFO 331 chapter 9 43 www.ischool.drexel.edu SNMP • To address these goals, SNMP has four modular parts – Network management objects, called MIB objects • The MIB tracks MIB objects • A MIB object might be a kind of data (datagrams discarded, description of a router, status of an object, routing path to a destination, etc.) • MIB objects can be grouped into MIB modules INFO 331 chapter 9 44 www.ischool.drexel.edu SNMP – A data definition language, SMI (Structure of Management Information) • SMI defines what an object is, what data types exist, and rules for writing and changing management information – A protocol, SNMP, for the exchange of information and commands between manager-agent and manager-manager (between two managing entities) – Security and administrative capabilities INFO 331 chapter 9 45 www.ischool.drexel.edu SMI • SMI is defined by RFCs 2578-2580 (1999) • SMI has three levels of structure – Base data types – Managed objects – Managed modules SMI Modules SMI Objects SMI Base Data Types [SMI is part of MIB, so a SMI object is the same as a MIB managed object.] INFO 331 chapter 9 46 www.ischool.drexel.edu SMI • SMI Base Data Types are an extension on the ASN.1 structure (Abstract Syntax Notation One, ISO/IEC 8824:2008) • There are eleven basic data types (p. 767) – Signed and unsigned (>0) integers, IP addresses, counters, time in 1/100 second counts, etc. – Most important is the OBJECT IDENTIFIER type, which allows definition of an SMI object as some ordered collection of other data types INFO 331 chapter 9 47 www.ischool.drexel.edu SMI – The OBJECT IDENTIFIER is like a struct in C – Here, it names an Object • To create a managed object, the OBJECTTYPE construct is used – Over 10,000 object-types have been defined – these are the heart of data that can be collected for network management – Analogy: OBJECT IDENTIFIER defines the class, OBJECT-TYPE instantiates the object INFO 331 chapter 9 48 www.ischool.drexel.edu SMI Objects • An object-type includes four fields – SYNTAX – is the data type of the object, e.g. ‘Counter32’ – MAX-ACCESS – is whether the object can be read, written, created, e.g. ‘read-only’ – STATUS – is whether the object is current, obsolete, or deprecated, e.g. ‘current’ – DESCRIPTION – gives a definition of the object, which is a long text narrative INFO 331 chapter 9 49 www.ischool.drexel.edu SMI Modules • The MODULE-IDENTITY construct creates a module from related objects – Fields include when it was last updated, the organization who did so, contact info for them, a description of the module, a revision entry, and description of the revision • The end of the MODULE-IDENTITY gives the ASN.1 code for the type of information in the module (often MIB-2) INFO 331 chapter 9 50 www.ischool.drexel.edu SMI Modules • For examples, these MIB modules (MODULE-IDENTITY) are defined – For IP and ICMP in RFC 4293 – For TCP in RFC 4022 – For UDP in RFC 4133 – For RMON (remote monitoring) in RFC 4502 INFO 331 chapter 9 51 www.ischool.drexel.edu SMI Modules • There are other kinds of modules – NOTIFICATION-TYPE for making SNMP-Trap and information request messages – MODULE-COMPLIANCE for defining managed objects that an agent must implement – AGENT-CAPABILITIES defines what agents can do with respect to object and event notification definitions INFO 331 chapter 9 52 www.ischool.drexel.edu MIB • The Management Information Base (MIB) stores a current description of the network • Data is collected from agents in each device about the objects in that device • There are over 200 standard MIB modules, plus many more vendor-defined • To identify these modules, the IETF borrowed a convention from ISO – the ASN.1 structure INFO 331 chapter 9 53 www.ischool.drexel.edu MIB • The ASN.1 object identifier tree structure gives a number (e.g. 1.3.6.1.2.45) to every object within ISO, ITU-T, or joint ISO/ITU-T control • We care about stuff under 1.3.6.1.2.1 – ISO (1) • ISO identified organization (3) – US DoD (6) » Internet (1) » Management (2) » MIB-2 (1) (ran out of indents!) INFO 331 chapter 9 54 www.ischool.drexel.edu MIB • Under the MIB-2 category, we have 16 choices, including – System (1) – Interface (2) – Address translation (3) – Lots of protocols (ip, icmp, tcp, udp, etc.) – Transmission (10) – SNMP (11) – RMON (16) Apologies to http://www.sptimes.com/2002/07/08/Xpress/Letdown_aside___MIB_I.shtml INFO 331 chapter 9 55 www.ischool.drexel.edu MIB • The excerpts in the text are from – MIB-2 / system (Table 9.2, p. 772) – MIB-2 / UDP (Table 9.3, p. 773) • What was the point of all this? – This gives the organization of all existing MIB modules – e.g. so if you want to know what TCP information is readily available, you can find what has already been predefined – This keeps you from reinventing the wheel! INFO 331 chapter 9 56 www.ischool.drexel.edu SNMP Protocol Operations • The purpose of SNMP is to exchange MIB information between agents and managing entities, or between two managing entities • Much of SNMP works on request-response mode – the managing entity requests data, and the agent responds with that data • Problems or exceptions are reported with a trap message – they go just from agent to managing entity INFO 331 chapter 9 57 www.ischool.drexel.edu SNMP Message Types • SNMP messages are called PDUs (protocol data units) (RFC 3416) • There are seven types of PDUs (p. 790) – From manager (managing entity) to agent there are three kinds of GetRequest (to read agent data), plus SetRequest (to set the value of agent data) – From agent to manager there is the SNMPv2Trap PDU to report exceptions (RFC 3418) INFO 331 chapter 9 58 www.ischool.drexel.edu SNMP Message Types – From manager to manager there is an InformRequest message to pass on MIB data – And finally, most messages are responded to using a … Response message • We’re not going to dwell on the format of a PDU message – it’s up to 484 octets long • PDU messages should be sent over UDP, per RFCs 3417 and 4789 – Also possible to send over AppleTalk, IPX, … INFO 331 chapter 9 59 www.ischool.drexel.edu SNMP Message Types – SNMP listens on port 161 normally; port 162 for trap messages • Hence the sender needs to determine if a Response was received or not – RFCs are vague on retransmission policies • SNMP is described across many RFCs – The best place to start looking is RFC 3416, which summarizes the SNMP Management Framework INFO 331 chapter 9 60 www.ischool.drexel.edu Security and Administration • This is a key area of improvement in SNMPv3 over SNMPv2 • Managing entities run SNMP applications, which typically have – A command generator (create Get messages) – A notification receiver (to catch traps) – A proxy forwarder (forwards requests, notifications, and responses) INFO 331 chapter 9 61 www.ischool.drexel.edu Security and Administration • Agents have – A command responder (answers Get messages, and applies Set requests) – A notification originator (create traps) • Any kind of PDU is created by the SNMP application, then has a security/message header applied – An SNMP message consists of (the security/message header) plus (the PDU) INFO 331 chapter 9 62 www.ischool.drexel.edu SNMP Message Header • The header consists of – SNMP version number – A message ID – Message size info – If the message is encrypted, then the type of encryption is added, per RFC 3411 • The SNMP message is passed to the transport protocol (probably UDP) INFO 331 chapter 9 63 www.ischool.drexel.edu SNMP Message Header • From RFC 3411, “This architecture recognizes three levels of security: – without authentication and without privacy (noAuthNoPriv) – with authentication but without privacy (authNoPriv) – with authentication and with privacy (authPriv)” INFO 331 chapter 9 64 www.ischool.drexel.edu SNMP Security • Since SNMP can change settings (Set Request message), security is very important • RFC 3414 describes the user-based security approach – User name, which has a password, key value, and/or defined access privileges • Encryption (privacy) is done with DES symmetric encryption in Cipher Block Chaining mode INFO 331 chapter 9 65 www.ischool.drexel.edu SNMP Security • Authentication uses HMAC (RFC 2104) – Take the PDU message, m, and a shared secret key, K (can be a different symmetric key than used for encryption) – Compute a Message Integrity Code (MIC) over the message AND the key K – Transmit m and MIC(m,K) – Receiver also computes MIC(m,K) and compares it to what was received INFO 331 chapter 9 66 www.ischool.drexel.edu SNMP Security • SNMP provides protection against playback attacks by keeping a counter in the receiver INFO 331 chapter 9 67 www.ischool.drexel.edu SNMP Security • The counter acts like a nonce – Actually tracks time since last reboot of receiver and number of reboots since network management software was loaded (RFC 3414) • If counter in a received message is close enough to the actual value, treat the message as a nonreplay (new) message INFO 331 chapter 9 68 www.ischool.drexel.edu SNMP Security • Provides view-based access control (RFC 3415) by mapping which information can be viewed by which users, or set by them – In contrast with RBAC (role-based) or OBAC (organization-based) access control approaches • Tracks this info in a Local Configuration Datastore (LCD), parts of which are managed objects (which can be managed via SNMP) INFO 331 chapter 9 69 www.ischool.drexel.edu ASN.1 • We saw earlier that MIB variables are tied to the ISO standard ASN.1 – It’s connected to XML and Bluetooth as well, so it’s worth not ignoring • It’s defined by ITU-T X.680 to X.683 and ISO/IEC 8824 • Purpose is to describe data exchanged between two communicating applications – So it’s kind of a middleware for data exchange INFO 331 chapter 9 70 www.ischool.drexel.edu ASN.1 • Without ASN.1, it would be easy to define dozens of logical approaches for describing the contents of a data file, and storing it – ASN.1 gets everyone to agree how to do so • ASN.1 tries to identify every possible standardized object – no small goal! INFO 331 chapter 9 71 www.ischool.drexel.edu ASN.1 • Part of its need comes from the littleendian vs. big-endian problem – Little-endian architecture stores the least significant bit of integers first • Intel and DEC/Compaq Alpha CPUs are little-endian – Big-endian stores the most significant bit first • Sun and Motorola processors are big-endian INFO 331 chapter 9 72 www.ischool.drexel.edu ASN.1 • SMI and ASN.1 offer a presentation service to translate between different machine-specific formats – This resolves the order in which bytes are sent, so that something sent in ASN.1 format from an Intel chip can be read correctly by a Sun chip INFO 331 chapter 9 73 www.ischool.drexel.edu ASN.1 • ASN.1 provides its own defined data types (p. 798), much like SMI (slide 47) – Are used to create structured data types • ASN.1 also provides various types of encoding rules – The Basic Encoding Rules (BER) tell how to send data over the network (as in, byte by byte), using the Type of data, its Length, and Value (TLV) • Data can be text, audio, video, etc. INFO 331 chapter 9 74 www.ischool.drexel.edu ASN.1 • Other type of encoding rules include – Packed Encoding Rules (PER) – for efficient binary encoding – Distinguished Encoding Rules (DER) – canonical encoding for digital signatures – XML encoding rules (XER) INFO 331 chapter 9 75 www.ischool.drexel.edu Summary • So in wrapping up, we’ve covered the ISO outline of network management – Fault, Configuration, Performance, Security, and Accounting Management • Seen network management infrastructure elements and how they work in SNMP – SMI to define data types, objects, and modules – MIB to collect object data across the network – ASN.1 communicates across hardware platforms INFO 331 chapter 9 76 www.ischool.drexel.edu