NETWORK MANAGEMENT
• All networks, whether large or small, benefit from some form of management. Network management involves configuring, monitoring, and possibly reconfiguring components in a network with the goal of providing optimal performance, minimal downtime, proper security, and flexibility.
• This type of management is generally accomplished by using a network management system, which contains a software bundle designed to improve the overall performance and reliability of a system.
• In a small network, network management systems might be used to identify users who present security hazards or to end misconfigured systems.
• The most common computer network management system currently implemented is the Simple Network Management Protocol (SNMP), which was originally intended to be a short-term solution to the network management issue.
• There is an OSI-based network management system called the Common Management Information Protocol (CMIP).
• A network management system should be based on standards so that interoperability is also ensured.

NETWORK MANAGEMENT OVERVIEW
Network management involves monitoring and controlling a networking system so that it operates as intended. It also provides a means to configure the system while still meeting or exceeding design specifications.
The functions performed by a network management system can be categorized into the following five areas:
1. Fault management refers to the detection, isolation, and resolution of network problems.
2. Configuration management refers to the process of initially configuring a network and then adjusting it in response to changing network requirements.
3. Accounting management involves tracking the usage of network resources.
4. Performance management involves monitoring network utilization, end-to-end response time, and other performance measures at various points in a network.
5. Security management refers to the process of making the network secure.
A network contains a number of managed devices such as routers, bridges, switches, and hosts. Network management essentially involves monitoring and/or altering the configuration of such devices. An agent is a part of a network management system that resides in a managed device.
A network management station provides a text or graphical view of the entire network (or one of its components). This view is provided by way of a management application or manager that resides on the station.
The following figure shows a portion of a departmental network to illustrate how the network management concepts might apply.
Each host contains an agent that collects management information pertaining to the host. Similarly, the router also contains its own agent. The manager in the management station can poll a particular agent to obtain specific management information, for example the number of packet losses in the router.
A network management system may operate in a centralized or distributed manner, or include both types of computing.

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
In the early days of the Internet, the Internet Activities Board recognized the need for a management framework by which to manage TCP/IP implementations. The framework consists of three components:
1. A conceptual framework that defines the rules for describing management information, known as the Structure of Management Information (SMI).
2. A virtual database containing information about the managed device, known as the Management Information Base (MIB).
3. A protocol for communication between a manager and an agent of a managed device, known as the Simple Network Management Protocol (SNMP).
• SNMP is an application layer protocol that is used to read and write variables in an agent's MIB.
• The most current version is SNMPv3.
• SNMP is based on an asynchronous request-response protocol enhanced with trap-directed polling.
• An SNMP manager sends messages to an agent via UDP destination port 161, while an agent sends trap messages to a manager via UDP destination port 162.
• The messages (PDUs) exchanged via SNMP consist of a header and a data part.
• The header contains a version field, a community name field, and a PDU type field.
SNMP provides three ways to access management information:
1. Request/response interaction in which a manager sends a request to an agent and the agent responds to the request.
2. Request/response interaction in which a manager sends a request to another manager and the latter responds to the request.
3. Unconfirmed interaction in which an agent sends an unsolicited Trap-PDU to a manager.
A typical interaction between a manager and an agent proceeds as follows. The manager issues some form of get request that contains a unique request-id (used to match the response with the request), a zero-valued error status/error index, and one or more variable bindings. The agent issues a response containing the same request-id, a zero-valued error status if there is no error, and the same variable bindings.
If an exception occurs for one or more of the variables, then the particular error status for each relevant variable is returned as well.
Version 3 of SNMP was formally documented in early 1998 [RFC 2271]. It presents a more complex framework for message exchange, the complexity being required both for extensibility and for security reasons. The security system contains a user-based security model, as well as other security models that may be implemented. The model uses the MD5 encryption scheme for verifying user keys, a SHA message digest algorithm (HMAC-SHA-96) to verify message integrity and to verify the user on whose behalf the message was generated, and a CBC-DES symmetric encryption protocol for privacy. See [RFC 2274] for further information on the user-based security model.

STRUCTURE OF MANAGEMENT INFORMATION
The Structure of Management Information (SMI) defines the rules for describing managed objects. In the SNMP framework managed objects reside in a virtual database called the Management Information Base (MIB). Several data types are allowed in SMI. The primitive data types consist of INTEGER, OCTET STRING, NULL, and OBJECT IDENTIFIER. Additional user-defined data types are application specific. Primitive data types are written in uppercase, while user-defined data types start with an uppercase letter but contain at least one character other than an uppercase letter. Table B.2 lists some of the data types permitted in SMI.
An OBJECT IDENTIFIER is represented as a sequence of nonnegative integers, where each integer corresponds to a particular node in the tree. This data type provides a means for identifying a managed object and relating its place in the object hierarchy. The internet (1) subtree itself has six subtrees:
• The directory (1) subtree is reserved for future use, describing how the OSI directory may be used in the Internet.
• The mgmt (2) subtree is used to identify "standard" objects that are registered by the Internet Assigned Numbers Authority (IANA).
• The experimental (3) subtree is for objects being used experimentally by working groups of the IETF. If the object becomes a standard, then it must move to the mgmt (2) subtree.
• The private (4) subtree is for objects defined by a single party, usually a vendor. It has a subtree enterprise (1), which allows companies to register their network objects.
• The security (5) subtree is for objects related to security.
• The snmpv2 (6) subtree is reserved for housekeeping purposes for SNMPv2. This subtree includes object information for transport domains, transport proxies, and module identities.
Object definitions are generally packaged into information modules. Three types of information modules are defined using the SMI:
• MIB modules, which serve to group definitions of interrelated objects.
• Compliance statements for MIB modules. These define a set of requirements that managed nodes must meet with respect to one or more MIB modules.
• Capability statements for agent implementations. These specify the degree to which a managed node is able to implement objects that are defined in a MIB module.

MANAGEMENT INFORMATION BASE
The Management Information Base (MIB) is a virtual database used to define the functional and operational aspects of network devices. The information provided by the MIB represents the common view and structure of management capabilities that are shared between the management station and the device's agent. Each definition of a particular object contains the following information about the object: its name, the data type, a human-readable description, the type of access (read/write), and an object identifier.
REMOTE NETWORK MONITORING
• An additional set of modules, known as Remote Network Monitoring (RMON), was developed in 1995.
• These are considered to be not only an extension of the mib-2 but also an improvement.
• RMON uses a technique called remote management to obtain monitoring data. In this approach a network monitor (often called a probe) collects the data from the device.
• The probe may stand alone or be embedded within the managed device. Management applications communicate with an RMON agent in the probe by using SNMP.
• RMON also provides for a higher level of standardization of the information collected.
• RMON is included as a subtree of mib-2 (rmon (16)).
• RMON focuses on network management at layer 2 (data link).

Security Protocols
To provide certain services, some communication protocols need to process the information they transmit and receive. For example, protocols that provide a reliable communication service encode the transmitted information to detect when transmission errors have occurred so that they can initiate corrective action.

SECURITY AND CRYPTOGRAPHIC ALGORITHMS
Public communication networks traditionally have not been secure in the sense of providing high levels of security for the information that is transmitted.
• Information transmitted over the network is not secure and can be observed and recorded by eavesdroppers. This information can be replayed in attempts to access the server.
• Imposters can attempt to gain unauthorized access to a server, for example, a bank account or a database of personal records.
• An attacker can also flood a server with requests, overloading the server resources and resulting in a denial of service to legitimate clients.
• An imposter can impersonate a legitimate server and gain sensitive information from a client, for example, a bank account number and the associated user password.
These threats give rise to one or more of the following security requirements for information that is transmitted over a network:
• Privacy or confidentiality: The information should be readable only by the intended recipient.
• Integrity: The recipient can confirm that a message has not been altered during transmission.
• Authentication: It is possible to verify that the sender or receiver is who he or she claims to be.
• Nonrepudiation: The sender cannot deny having sent a given message.
The need for security in communications is in fact not new. This need has existed in military communications for thousands of years. It should not be surprising, then, that the approaches developed by the military form the basis for providing security in modern networks.
One feature that is new in the threats faced in computer networks is the speed with which break-in attempts can be made from a distance by using a network. Because the threats are implemented on computers, very high attempt rates are possible.
Applications of Cryptography to Security
The science and art of manipulating messages to make them secure is called cryptography. An original message to be transformed is called the plaintext, and the resulting message after the transformation is called the ciphertext. The process of converting the plaintext into ciphertext is called encryption. The reverse process is called decryption. The algorithm used for encryption and decryption is often called a cipher. Typically, encryption and decryption require the use of a secret key. The objective is to design an encryption technique so that it would be very difficult, if not impossible, for an unauthorized party to understand the contents of the ciphertext. A user can recover the original message only by decrypting the ciphertext using the secret key.
Substitution ciphers are a common technique for altering messages in games and puzzles. Each letter of the alphabet is mapped into another letter. The ciphertext is obtained by applying the substitution defined by the mapping to the plaintext. Transposition ciphers are another type of encryption scheme. Here the order in which the letters of the message appear is altered. For example, the letters may be written into an array in one order and read out in a different order. If the receiver knows the appropriate manner in which the reading and writing is done, then it can decipher the message. Substitution and transposition techniques are easily broken.

SECRET KEY CRYPTOGRAPHY
Figure 11.2 depicts a secret key cryptographic system where a sender converts the plaintext P into ciphertext C = E_K(P) before transmitting the message over an insecure channel. The sender uses a secret key K for the encryption. When the receiver receives the ciphertext C, the receiver recovers the plaintext by performing the decryption D_K(C), using the same key K. It is the sharing of a secret, that is, the key, that enables the transmitter and receiver to communicate. Symbolically, we can write P = D_K(E_K(P)).
Secret key cryptography is also referred to as symmetric key cryptography. The selection of the cryptographic method must meet several requirements. First of all, the method should be easy to implement, and it should be deployable on a large scale.
Clearly, secret key cryptography addresses the privacy requirement. A message that needs to be kept confidential is encrypted prior to transmission, and any eavesdropper that manages to gain access to the ciphertext will be unable to access the contents of the plaintext message. The Data Encryption Standard (DES) is a well-known example of a secret key system.
A traditional method of authentication involves demonstrating possession of a secret. For example, in a military setting a messenger might be confirmed to be authentic if he or she can produce the correct answer to a specific question. A similar procedure can be used over a network, using secret key cryptography.

CRYPTOGRAPHIC CHECKSUMS AND HASHES
The usual approach to providing integrity is to transmit a cryptographic checksum or hash along with the unencrypted message. The transmitter and receiver share a secret key that allows them to calculate the checksum, which consists of a fixed number of bits. To ascertain integrity, the receiver calculates the checksum of the received message and compares it to the received checksum. If the checksums agree, the message is accepted.
A cryptographic checksum must be designed so that it is one way, in that it is extremely difficult to find a message that produced a given checksum. Furthermore, given a message, finding another message that would produce the same checksum should also be extremely difficult. In general the checksum is much shorter than the transmitted message. However, the cryptographic checksum cannot be too short.
The message digest 5 (MD5) algorithm is an example of a hash algorithm. The MD5 algorithm begins by taking a message of arbitrary length and padding it to a multiple of 512 bits. A buffer of 128 bits is then initialized to a given value. At each step the algorithm modifies the content of the buffer according to the next 512-bit block. When the process is completed, the buffer holds the 128-bit "hash code".
The MD5 algorithm itself does not require a key.
The keyed MD5, which combines a secret key with the MD5 algorithm, is widely used to produce a cryptographic checksum. First the message is padded to a multiple of 512 bits. The secret key is also padded to 512 bits and attached to the front and back of the padded message. The MD5 algorithm then computes the hash code.
A general method for improving the strength of a given hash function is to use the hashed message authentication code (HMAC) method. Using MD5 as an example, HMAC works as follows. First, the shared secret is padded with zeros to 512 bits. The result is XORed with ipad, which consists of 64 repetitions of 00110110. Second, the message is padded to a multiple of 512 bits. Third, the concatenation of the blocks in the first two steps is applied to the MD5 algorithm to obtain a 128-bit hash. The hash is padded to 512 bits. Fourth, the shared secret is padded with zeros to 512 bits, and the result is XORed with opad, which consists of 64 repetitions of 01011010. Fifth, the blocks in the previous two steps are applied to the MD5 algorithm to produce the final 128-bit hash. The general HMAC procedure involves adjusting the block size (512 bits for MD5) and the hash size (128 bits for MD5) to the particular hash function. For example, SHA-1 works with a block size of 512 bits and a hash size of 160 bits.

PUBLIC KEY CRYPTOGRAPHY
Unlike secret key cryptography, keys are not shared between senders and receivers in public key cryptography (sometimes also referred to as asymmetric cryptography). Public key cryptography was invented in 1975 by Diffie and Hellman. It relies on two different keys, a public key and a private key. A sender encrypts the plaintext by using a public key, and a receiver decrypts the ciphertext by using a private key, as illustrated in Figure 11.4. Symbolically, a public key cryptographic system can be expressed as P = D_K2(E_K1(P)), where K1 is the public key and K2 is the private key. In some systems the encryption and decryption process can be applied in the reverse order, such as P = E_K1(D_K2(P)). One important requirement for public key cryptography is that it must not be possible to determine K2 from K1.
In general the public key is small, and the private key is large. The best-known example of public key cryptography is the one developed by Rivest, Shamir, and Adleman, known as RSA.
Public key cryptography can also be used to produce a digital signature. To sign a message the transmitter first produces a noncryptographic checksum or hash of the message. The transmitter then encrypts the checksum or hash using its private key to produce the signature. No one else can create such a signature. The transmitter then sends the message and the signature to the receiver.
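Returning to the HMAC construction described under CRYPTOGRAPHIC CHECKSUMS AND HASHES, the following is an added example (not part of the original notes) that builds HMAC from a plain hash function with the ipad/opad constants as specified in RFC 2104 (0x36 and 0x5c), takes the block size and hash size from the underlying hash so the same code serves MD5 and SHA-1, and shows the receiver-side acceptance check. The key and messages are constructed sample values.

```python
import hashlib
import hmac  # standard library; used here only for a constant-time comparison

IPAD = 0x36  # 00110110, one copy per byte of the block
OPAD = 0x5C  # 01011100, as specified in RFC 2104

def hmac_generic(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M)).
    The block size (64 bytes = 512 bits for both MD5 and SHA-1) and the
    digest size (16 bytes for MD5, 20 bytes for SHA-1) come from the hash
    itself; that is the adjustment to the particular hash function."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:                  # a key longer than a block is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_padded = key.ljust(block_size, b"\x00")  # step 1: zero-pad the shared secret
    inner_input = bytes(b ^ IPAD for b in k_padded) + message        # steps 1-2
    inner_hash = hashlib.new(hash_name, inner_input).digest()        # step 3
    outer_input = bytes(b ^ OPAD for b in k_padded) + inner_hash     # step 4
    return hashlib.new(hash_name, outer_input).digest()              # step 5

def hmac_md5(key: bytes, message: bytes) -> bytes:
    return hmac_generic(key, message, "md5")   # 128-bit result

def hmac_sha1(key: bytes, message: bytes) -> bytes:
    return hmac_generic(key, message, "sha1")  # 160-bit result

def accept_message(key: bytes, message: bytes, received_tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the checksum over the received message and
    compare it with the received checksum; accept only if they agree.
    The comparison is constant-time so timing does not leak the result."""
    expected = hmac_generic(key, message, hash_name)
    return hmac.compare_digest(expected, received_tag)

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    msg = b"sysUpTime.0 = 123456"
    tag = hmac_md5(key, msg)
    print(accept_message(key, msg, tag))                       # True: intact
    print(accept_message(key, b"sysUpTime.0 = 999999", tag))   # False: altered in transit
```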