• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Chapter 9
 

Chapter 9

on

  • 986 views

 

Statistics

Views

Total Views
986
Views on SlideShare
986
Embed Views
0

Actions

Likes
0
Downloads
35
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Chapter 9 Chapter 9 Presentation Transcript

    • INFO 331 Computer Networking Technology II Chapter 9 Network Management Glenn Booker
    • Network Management History
      • Network management didn’t exist in its current form until the 1980’s
        • From the ’40s to ’70s, networks were typically very homogeneous (proprietary-only), so network management tools were specific to that insular environment, if used at all
        • The advent of the PC and Macintosh made networks get much more heterogeneous, and increased the complexity of network management
    • Network Management
      • A network typically consists of many unrelated types of equipment, which are all supposed to work together in perfect harmony, in spite of the myriad protocols, operating systems, interfaces, etc. involved
        • Servers and workstations
        • Routers, switches, and hubs
        • Wireless access points and hosts
        • Firewalls
    • Network Management
      • In order to manage this mess, there is often a Network Operations Center (NOC) to coordinate maintenance, upgrades, monitoring, optimization (if you have time), repairs, etc.
        • Akin to a pilot’s cockpit, or the control room for a power station, or the mixing board at a concert
    • Network Management
      • We need to know
        • What to monitor
          • What is worth focusing your attention on?
        • How to analyze what we see
        • How to respond to changing conditions (fix problems)
        • How to proactively manage the system (prevent problems)
    • Typical Problems
      • Even a simple network can have challenges which help motivate the need for network management
      • Detect interface card failure at a host or router
        • The host or router might report the interface failure to the NOC
        • Better, network monitoring might reveal imminent failure, so the card is replaced before failure
    • Typical Problems
      • Monitor traffic to guide resource deployment
        • Traffic patterns or congestion monitoring can show which parts of the network are most used
        • This could lead to improved usage of servers, simplifying physical layout or improving the speed of high traffic LAN segments, or make good upgrade decisions
    • Typical Problems
      • Detect rapid routing changes
        • Routing can become unstable, causing rapid changes in routing tables ( route flapping )
        • The network admin would like to know this is happening before something crashes as a result!
      • Host is down
        • Network monitoring could detect a system down before the user notices it
    • Typical Problems
      • Monitor SLAs
        • Service Level Agreements (SLAs) are contracts to guarantee specific services, such as Internet service, in terms of availability, throughput, latency, and other agreed-upon measures
          • Major ISPs (tier 1) can provide SLAs to major business customers
        • If you pay for this service, it’s nice to know if they are really providing what you paid for!
      Image from www.answers.com/topic/symbionese-liberation-army Not this SLA!
    • Typical Problems
      • Intrusion detection
        • The network admin can look for traffic from odd sources, destined for unusual ports, lots of SYN packets, and other security threats we recently covered
        • This can lead to refinement of filters & firewalls
    • ISO Network Management
      • ISO has produced guidance on the types of network management activities
        • ISO network management ( ISO/IEC 10733:1998 )
        • ISO network security ( ISO/IEC TR 13335 , ISO/IEC 18026:2007 and ISO/IEC 18028-1:2006 )
          • See Global IHS for buying ISO standards
      • Cisco overview white paper (free, unlike ISO standards, and summarized herein thru slide 32 )
    • ISO Network Management
      • ISO identifies five areas of network management:
      • Fault Management
        • Detect, isolate, notify, and correct faults encountered in the network
      • Configuration Management
        • Configuration aspects of network devices such as configuration file management, inventory management, and software management
    • ISO Network Management
      • Performance Management
        • Monitor and measure various aspects of performance so that overall performance can be maintained at an acceptable level
      • Security Management
        • Provide access to network devices and corporate resources to authorized individuals
      • Accounting Management
        • Usage information of network resources
    • Fault Management
      • This is the main focus of network management for most organizations
      • Faults are errors or problems in the network
        • Often a shorter term perspective than performance management
      • Hence fast detection of problems is critical, often via color-coded graphical network maps
    • Fault Management
      • Typically want a network management platform to do:
        • Network discovery and topology mapping
        • Event handler
        • Performance data collection and presentation
        • Management data browsing
      • Network management platforms include HP OpenView, Aprisma Spectrum, and Sun Solstice
    • Fault Management
      • Devices can send SNMP traps ( RFC 3410 ) of events which change their status
      • These events are logged, such as in a Management Information Base (MIB)
      • Platforms can be geographically located, and communicate with each other to centralize network monitoring
        • Web interfaces on devices can allow remote management and configuration
    • Fault Management
      • Equipment vendors often use different management systems
        • They can communicate using CORBA or CIM standards to exchange management data
      • Troubleshooting a network often uses TFTP and syslog servers
        • The trivial FTP (TFTP) server stores configuration files; routers and switches can send system log (syslog) messages to the syslog server
    • Fault Management
      • Faults can be detected with SNMP trap events, SNMP polling, remote monitoring ( RMON , RFC 2819) and syslog messages
        • Module changing to up or down state
        • Chassis alarms for hardware failures (fans, memory, voltage levels, temperature, etc.)
        • Responses can be just notification and logging of the event, or shutdown of that device, e.g. temps can be defined for warning, critical, or shutdown
    • Fault Management
      • Fault detection can also be done at the protocol or interface levels
        • Such as a router interface failure
      • A management station polls the device to determine status or measure something (CPU usage, buffer failure, I/O drops, etc.), and flags it with an RMON alarm when the measure exceeds some threshold value
    • Configuration Management
      • Configuration management (CM) tracks what equipment and software is in the network
      • Can assess which elements are causing trouble, or which vendors are preferred
        • What if a vendor recalls a certain device? Do you have any of them? Where?
        • Whose routers or switches are most reliable?
        • Where do you send a service vendor to replace a dead router?
    • Configuration Management
      • CM data includes
        • Make, model, version, serial number of equipment
        • Software versions and licenses
        • Physical location of hardware
          • Site, building, room, rack number, etc.
        • Contact info for equipment owners and service vendors
      • Naming conventions are often used to keep names meaningful, not just yoda.drexel.edu
    • Configuration Management
      • CM also includes file management
        • Changes to device configuration files should be carefully controlled, so that older versions can be used if the new ones don’t work
        • A change audit log can help track changes, and who made them
      • Inventory management is based on the ability to discover what devices exist, and their configuration information
    • Configuration Management
      • Software management can include the automation of software upgrades across devices
        • Download new software images, verify compatibility with hardware, back up existing software, then load new software
        • Large sites may script the process and run during low activity times
    • Performance Management
      • The same SNMP methods to capture fault data can be used for performance data, such as queue drops, ignored packets, etc.
        • These can be used to assess SLA compliance
      • On a larger scale, WAN protocols (frame relay, ATM, ISDN) can also collect performance data
    • Performance Management
      • Performance management tools include
        • Concord Network Health
        • InfoVista VistaView
        • SAS IT Service Vision
        • Trinagy TREND
      • These all collect, store, and analyze data from around one’s enterprise, and typically use web-based interfaces to allow access to it from anywhere
    • Performance Management
      • Increased network traffic has led to more attention to user and application traffic
        • RFC 4502 (replacing RFCs 2021 and 3273) defines how RMON can be used to analyze applications and the network layer, not just lower layer (e.g. MAC) protocols
        • Many other performance monitoring tools exist, e.g. Cisco NetFlow
    • Security Management
      • Security management covers controlling access to the network and its resources
        • Can include monitoring user login, refusing access to failed login attempts, as well as either intentional or unintentional sabotage
      • Security management starts with good policies and procedures
        • The minimum security settings for routers, switches, and hosts is important to define
    • Security Management
      • Methods for control of security at the device level (router) include
        • Access control lists (ACLs) and what they are permitted to do
        • User ID’s and passwords
        • Terminal Access Controller Access Control System (TACACS)
      • TACACS (RFC 1492) is a security protocol between devices and a TACACS server
    • Security Management
      • A refinement of TACACS is TACACS+, which gives more detailed control over who can access a given device
        • It separates the Authentication (verify user), Authorization (control remote access to device), and Accounting functions (collect security information for network management) (AAA)
        • In Cisco’s world, commands starting aaa , tacacs-server , set authentication , set authorization , and set accounting manage these functions
    • Security Management
      • In SNMP, configuration changes can be made to routers and switches just like from a command line
        • Hence strong SNMP passwords are critical!
        • SNMP management hosts (managing entities in Kurose) should have static IP, and sole SNMP rights with network devices (managed devices) according to a specific Access Control List (ACL)
    • Security Management
      • SNMP can set router security:
        • Privilege Level = RO (read only) or = RW (read and write); only RW can change router settings
        • Access Control List (ACL) can be set to only allow specific hosts to request router management info
          • ACL control over interfaces can help prevent spoofing
        • View – controls what router data can be viewed
        • SNMPv3 provides secure exchange of data
      • Switches can restrict Telnet and SNMP via an IP Permit List
    • Accounting Management
      • Accounting management measures utilization of the network so that specific groups or users can be billed correctly for snarfing up resources
        • Yes, it’s about money
        • Data can be collected using various tools, such as NetFlow, IP Accounting, Evident Software
      • This can also be used to measure how well SLAs are being followed or not
    • Network Management Infrastructure
      • Network management is like the CEO of an organization getting status reports from middle managers, and they get status from first line managers
        • The CEO has to make decisions about the entire company based on this data
          • Corrective action may be needed, based on good or bad results obtained
          • The CEO of General Motors may build new plants, or shut others down
    • Network Management Infrastructure
      • Network management establishes managers (called managing entities , often located in a NOC) who are allowed (via an ACL) to talk to network devices ( managed devices , such as servers or routers)
        • Each managed device has a network management agent , who collects the desired data
        • Each managed device has one or more managed objects (such as network cards, memory chips, etc.)
    • Network Management Infrastructure
    • Network Management Infrastructure
      • Descriptions of all managed objects, and the devices they belong to, are collected in the Management Information Base (MIB)
        • The MIB is a database of managed object data
      • Managed devices communicate with managing entities using a network management protocol
        • Devices don’t generally talk to each other, but managing entities can
    • Network Management Infrastructure
      • The network management protocol doesn’t manage the network per se – it just provides a means for the network admin to do so
    • Network Management Standards
      • The architecture just described applies to most any network management approach
      • Many specific standards have been developed
        • The OSI CMISE/CMIP standards, used in telecommunications
        • In the Internet, SNMP (Simple Network Management Protocol, RFC 3410)
          • We’ll focus on the latter
    • SNMP isn’t Simple!
      • It was derived from SGMP (1987)
      • Key goals of network management include
        • What is being monitored?
        • How much control does the network admin have?
        • What is the form of data reported and exchanged?
        • What is the communication protocol for exchange of data?
    • SNMP
      • To address these goals, SNMP has four modular parts
        • Network management objects, called MIB objects
          • The MIB tracks MIB objects
          • A MIB object might be a kind of data (datagrams discarded, description of a router, status of an object, routing path to a destination, etc.)
          • MIB objects can be grouped into MIB modules
    • SNMP
        • A data definition language, SMI (Structure of Management Information)
          • SMI defines what an object is, what data types exist, and rules for writing and changing management information
        • A protocol, SNMP, for the exchange of information and commands between manager-agent and manager-manager (between two managing entities)
        • Security and administrative capabilities
    • SMI
      • SMI is defined by RFCs 2578, 2579, and 2580 (1999)
      • SMI has three levels of structure
        • Base data types
        • Managed objects
        • Managed modules
      [SMI is part of MIB, so a SMI object is the same as a MIB managed object.]
    • SMI
      • SMI Base Data Types are an extension on the ASN.1 structure (Abstract Syntax Notation One, ISO X.680:1998)
      • There are eleven basic data types (p. 769)
        • Signed and unsigned (>0) integers, IP addresses, counters, time in 1/100 second counts, etc.
        • Most important is the OBJECT IDENTIFIER type, which allows definition of an SMI object as some ordered collection of other data types
    • SMI
        • The OBJECT IDENTIFIER is like a struct in C
        • Here, it names an Object
      • To create a managed object, the OBJECT-TYPE construct is used
        • Over 10,000 object-types have been defined – these are the heart of data that can be collected for network management
      • [Analogy: OBJECT IDENTIFIER defines the class, OBJECT-TYPE instantiates the object]
    • SMI Objects
      • An object-type includes four fields
        • Syntax – is the data type of the object
        • Max-access – is whether the object can be read, written, created, etc.
        • Status – is whether the object is current, obsolete, or deprecated
        • Description – gives a definition of the object
    • SMI Modules
      • The MODULE-IDENTITY construct creates a module from related objects
        • Fields include when it was last updated, the organization who did so, contact info for them, a description of the module, a revision entry, and description of the revision
      • The end of the MODULE-IDENTITY gives the ASN.1 code for the type of information in the module (many are MIB-2)
    • SMI Modules
      • There are other kinds of modules
        • NOTIFICATION-TYPE for making SNMP-Trap and information request messages
        • MODULE-COMPLIANCE for defining managed objects that an agent must implement
        • AGENT-CAPABILITIES defines what agents can do with respect to object and event notification definitions
    • MIB
      • The Management Information Base (MIB) stores a current description of the network
      • Data is collected from agents in each device about the objects in that device
      • There are over 100 standard MIB modules, plus many more vendor-defined
      • To identify these modules, the IETF borrowed a convention from ISO – the ASN.1 structure
    • MIB
      • The ASN.1 object identifier tree structure gives a number (1.3.6.1.2.45) to every object within ISO, ITU-T, or joint ISO/ITU-T control
      • We care about stuff under 1.3.6.1.2.1
        • ISO (1)
          • ISO identified organization (3)
            • US DoD (6)
              • Internet (1)
              • Management (2) (ran out of indents!)
              • MIB-2 (1)
    • MIB
      • Under the MIB-2 category, we have 16 choices, including
        • System (1)
        • Interface (2)
        • Address translation (3)
        • Lots of protocols (ip, icmp, tcp, udp, etc.)
        • Transmission (10)
        • SNMP (11)
        • RMON (16)
      Apologies to http://www.sptimes.com/2002/07/08/Xpress/Letdown_aside___MIB_I.shtml
    • MIB
      • The excerpts in the text are from
        • MIB-2 / system (Table 9.2, p. 774)
        • MIB-2 / udp (Table 9.3)
      • What was the point of all this?
        • This gives the organization of all existing MIB modules – e.g. so if you want to know what TCP information is readily available, you can find what has already been predefined
        • This keeps you from reinventing the wheel!
    • MIB
      • For a current list of known MIB modules, see the Internet Official Protocol Standards, RFC 5000
        • Put “-MIB” after a protocol, and search for it
          • RSVP-MIB or RMON-MIB or OSPF-MIB, etc.
        • Or search for “using SMIv2”, the current version of SMI, to find RFC names which define MIBs
    • SNMP Protocol Operations
      • The purpose of SNMP is to exchange MIB information between agents and managing entities, or between two managing entities
      • Much of SNMP works on request-response mode – the managing entity requests data, and the agent responds with that data
      • Problems or exceptions are reported with a trap message – they go just from agent to managing entity
    • SNMP Message Types
      • SNMP messages are called PDUs (protocol data units) (RFC 3416)
      • There are seven types of PDUs (p. 776)
        • From manager (managing entity) to agent there are three kinds of GetRequest (to read agent data), plus SetRequest (to set the value of agent data)
        • From agent to manager there is the SNMPv2-Trap PDU to report exceptions (RFC 3418)
    • SNMP Message Types
        • From manager to manager there is an InformRequest message to pass on MIB data
        • And finally, most messages are responded to using a … Response message
      • We’re not going to dwell on the format of a PDU message – it’s up to 484 octets long
      • PDU messages should be sent over UDP, per RFCs 3417 and 4789
        • Also possible to send over AppleTalk, IPX, etc.
    • SNMP Message Types
        • SNMP listens on port 161 normally; port 162 for trap messages
      • Hence the sender needs to determine if a Response was received or not
        • RFCs are vague on retransmission policies
      • SNMP is described across many RFCs
        • The best place to start looking is RFC 3416, which summarizes the SNMP Management Framework
    • Security and Administration
      • This is a key area of improvement in SNMPv3 over SNMPv2
      • Managing entities run SNMP applications , which typically have
        • A command generator (create Get messages)
        • A notification receiver (to catch traps)
        • A proxy forwarder (forwards requests, notifications, and responses)
    • Security and Administration
      • Agents have
        • A command responder (answers Get messages, and applies Set requests)
        • A notification originator (create traps)
      • Any kind of PDU is created by the SNMP application, then has a security/message header applied
        • An SNMP message consists of (the security/message header) plus (the PDU)
    • SNMP Message Header
      • The header consists of
        • SNMP version number
        • A message ID
        • Message size info
        • If the message is encrypted, then the type of encryption is added, per RFC 3411
      • The SNMP message is passed to the transport protocol (probably UDP)
    • SNMP Message Header
      • Quote from RFC 3411, “This architecture recognizes three levels of security:
        • without authentication and without privacy (noAuthNoPriv)
        • with authentication but without privacy (authNoPriv)
        • with authentication and with privacy (authPriv)”
    • SNMP Security
      • Since SNMP can change settings (Set Request message), security is very important
      • RFC 3414 describes the user-based security approach
        • User name, which has a password, key value, and/or defined access privileges
      • Encryption (privacy) is done with DES symmetric encryption in Cipher Block Chaining mode
    • SNMP Security
      • Authentication uses HMAC (RFC 2104)
        • Take the PDU message, m, and a shared secret key, K (can be a different symmetric key than used for encryption)
        • Compute a Message Integrity Code (MIC) over the message AND the key K
        • Transmit m and MIC(m,K)
        • Receiver also computes MIC(m,K) and compares it to what was received
    • SNMP Security
      • SNMP provides protection against playback attacks by keeping a counter in the receiver
      • Acts like a nonce
        • Actually tracks time since last reboot of receiver and number of reboots since network management software was loaded – RFC 3414
      • If counter in a received message is close enough to the actual value, treat the message as a nonreplay (new) message
    • SNMP Security
      • Provides view-based access control (RFC 3415) by mapping which information can be viewed by which users, or set by them
        • In contrast with RBAC (role-based) or OBAC (organization-based) access control approaches
      • Tracks this info in a Local Configuration Datastore (LCD), parts of which are managed objects (which can be managed via SNMP)
    • ASN.1
      • We saw earlier that MIB variables are tied to the ISO standard ASN.1
        • It’s connected to XML and Bluetooth as well, so it’s worth not ignoring
      • It’s defined by ITU-T X.680 to X.683 and ISO/IEC 8824
      • Purpose is to describe data exchanged between two communicating applications
        • So it’s kind of a middleware for data exchange
    • ASN.1
      • Without ASN.1, it would be easy to define dozens of logical approaches for describing the contents of a data file, and storing it
        • ASN.1 gets everyone to agree on how to do so
      • Part of its need comes from the little-endian vs. big-endian problem
        • Little-endian architecture stores the least significant bit of integers first
          • Intel and DEC/Compaq Alpha CPUs are little-endian
    • ASN.1
      • Big-endian stores the most significant bit first
        • Sun and Motorola processors are big-endian
      • SMI and ASN.1 offer a presentation service to translate between different machine-specific formats
        • This resolves the order in which bytes are sent, so that something sent in ASN.1 format from an Intel chip can be read correctly by a Sun chip
    • ASN.1
      • ASN.1 provides its own defined data types, much like SMI (slide 43)
        • Are used to create structured data types
      • ASN.1 also provides various types of encoding rules
        • The Basic Encoding Rules (BER) tell how to send data over the network (as in, byte by byte), using the Type of data, its Length, and Value (TLV)
          • Data can be text, audio, video, etc.
    • ASN.1
      • Other type of encoding rules include
        • Packed Encoding Rules (PER) – for efficient binary encoding
        • Distinguished Encoding Rules (DER) – canonical encoding for digital signatures
        • XML encoding rules (XER)
    • Summary
      • So in wrapping up, we’ve covered the ISO outline of network management
        • Fault, Configuration, Performance, Security, and Accounting Management
      • Seen network management infrastructure elements and how they work in SNMP
        • SMI to define data types, objects, and modules
        • MIB to collect object data across the network
        • ASN.1 communicates across hardware platforms