Chapter 13Network Management Applications
Network and Systems Management
Management Applications
• OSI Model • Configuration• Fault• Performance• Security• Accounting
• Reports• Service Level Management• Policy-based management
Configuration Management
• Network Provisioning• Inventory Management
• Equipment • Facilities
• Network Topology• Database Considerations
Network Provisioning
• Network Provisioning• Provisioning of network resources
• Design• Installation and maintenance
• Circuit-switched network• Packet-switched network, configuration for
• Protocol • Performance• QoS
• ATM networks
Network Topology
• Manual• Auto-discovery by NMS using
• Broadcast ping• ARP table in devices
• Mapping of network• Layout• Layering
• Views• Physical• Logical
Network Topology Discovery
163.25.147.0163.25.147.0
163.25.145.0163.25.145.0163.25.145.0163.25.145.0 163.25.146.0163.25.146.0
163.25.146.128163.25.146.128
192.168.12.0192.168.12.0192.168.13.0192.168.13.0
140.112.5.0140.112.5.0
140.112.8.0140.112.8.0140.112.8.0140.112.8.0 140.112.6.0140.112.6.0
Discovery In a Network
What to be discovered in a network ? Node Discovery
The network devices in each network segment Network Discovery
The topology of networks of interest Service Discovery
The network services provided
NetworkNetwork Topology DiscoveryTopology Discovery Network Discovery + Node DiscoveryNetwork Discovery + Node Discovery
Node Discovery
Node Discovery Given an IP Address, find the nodes in
the same network. Two Major Approaches:
Use Ping to query the possible IP addresses.
Use SNMP to retrieve the ARP Cache of a known node.
Use ICMP ECHO
Eg: IP address: 163.25.147.12 Subnet mask: 255.255.255.0 All possible addresses:
163.25.147.1 ~ 163.25.147.254 For each of the above addresses, use
ICMP ECHO to inquire the address If a node replies (ICMP ECHO Reply), then
it is found. Broadcast Ping
Use SNMP
Find a node which supports SNMP The given node, default gateway, or
router Or try a node arbitrarily
Query the iipNetToMediaTablepNetToMediaTable in MIB-II IP group (ARP Cache)
ipNetToMediaIfIndex ipNetToMediaNetAddress
1 00:80:43:5F:12:9A 163.25.147.10 dynamic(3)2 00:80:51:F3:11:DE 163.25.147.11 dynamic(3)
ipNetToMediaPhysAddress ipNetToMediaType
Network Discovery
Network Discovery Find the networks of interest with their
interconnections Key Issue:
Given a network, what are the networks directly connected with it ?
Major Approach Use SNMP to retrieve the routing table
of a router.
Default Router
Routing table
Mapping of network
Traditional LAN Configuration
Physical
Logical
Virtual LAN Configuration
Physical
Logical
Fault Management
• Fault is a failure of a network component• Results in loss of connectivity• Fault management involves:
• Fault detection• Polling• Traps: linkDown, egpNeighborLoss
• Fault location• Detect all components failed and trace
down the tree topology to the source• Fault isolation by network and SNMP tools• Use artificial intelligence /
correlation techniques• Restoration of service• Identification of root cause of the problem• Problem resolution
Performance Management
• Tools• Protocol analyzers• RMON• MRTG
• Performance Metrics• Data Monitoring• Problem Isolation• Performance Statistics
Performance Metrics• Macro-level
• Throughput• Response time• Availability• Reliability
• Micro-level• Bandwidth• Utilization• Error rate• Peak load• Average load
Traffic Flow MeasurementNetwork Characterization
Four levels defined by IETF (RFC 2063)Four levels defined by IETF (RFC 2063)
Network Flow Measurements
• Three measurement entities:• MetersMeters gather data and build tables• Meter readersMeter readers collect data from meters• ManagersManagers oversee the operation
• Meter MIB (RFC 2064)• NetraMet - an implementation(RFC 2123)
Data Monitoring and Problem Isolation
• Data monitoring• Normal behavior• Abnormal behavior (e.g., excessive collisions,
high packet loss, etc)• Set up traps (e.g., parameters in alarm group
in RMON on object identifier of interest)• Set up alarms for criticality• Manual and automatic clearing of alarms
• Problem isolation• Manual mode using network and SNMP tools• Problems in multiple components needs
tracking down the topology• Automated mode using correlation technology
Performance Statistics
• Traffic statistics• Error statistics• Used in
• QoS tracking• Performance tuning • Validation of SLA (Service Level Agreement)• Trend analysis• Facility planning• Functional accounting
Event Correlation Techniques
• Basic elements• Detection and filtering of events• Correlation of observed events using AI• Localize the source of the problem• Identify the cause of the problem
• Techniques• Rule-based reasoning• Model-based reasoning• Case-based reasoning• Codebook correlation model• State transition graph model• Finite state machine model
Rule-Based Reasoning
Rule-Based Reasoning
• Knowledge base contains expert knowledge onproblem symptoms and actions to be taken
if thencondition action
• Working memory contains topological and stateinformation of the network; recognizes system going into faulty state
• Inference engine in cooperation with knowledge base decides on the action to be taken
• Knowledge executes the action
Rule-Based Reasoning
• Rule-based paradigm is an iterative process• RBR is “brittle” if no precedence exists• An exponential growth in knowledge base poses
problem in scalability• Problem with instability
if packet loss < 10% alarm green if packet loss => 10% < 15% alarm yellow if packet loss => 15% alarm red
• Solution using fuzzy logic
Configuration for RBR Example
RBR Example
Model-Based Reasoning
Model-Based Reasoning
• Object-oriented model• Model is a representation of the component it
models• Model has attributes and relations to other
models• Relationship between objects reflected in a
similar relationship between models
MBR Event Correlator
Example:
Recognized by Hub 1 model
Hub 1 model queries router model
Hub 1 fails
Router modeldeclares failure
Hub 1 modeldeclares NO failure
Router modeldeclares nofailure
Hub 1 modeldeclares Failure
Case-Based Reasoning
Input Retrieve Adapt Process
CaseLibrary
Figure 13.12 General CBR Architecture
Case-Based Reasoning
• Unit of knowledge• RBR rule• CBR case
• CBR based on the case experienced before; extend to the current situation by adaptation
• Three adaptation schemes• Parameterized adaptation• Abstraction / re-specialization adaptation• Critic-based adaptation
CBR Parameterized Adaption
CBR: Abstraction / Re-specialization
CBR: Critic-Based Adaptation
• Human expertise introduces a new case
CBR-Based CRITTER
Codebook Correlation Model:Generic Architecture
Network Monitors
EventModel
ConfigurationModel
Correlator Problems
Codebook Correlation Model
• Yemini, et.al. proposed this model • Monitors capture alarm events• Configuration model contains the configuration
of the network• Event model represents events and their causal
relationships• Correlator correlates alarm events with event
model and determines the problem that caused the events
Codebook Approach
• Correlation algorithms based upon coding approach to event correlation
• Problem events viewed as messages generated by a system and encoded in sets of alarms
• Correlator decodes the problem messages to identify the problems
Two phases of Codebook Approaches
1. Codebook selection phase: Problems to be monitored identified and the symptoms theygenerate are associated with the problem.This generates codebook (problem-symptom
matrix)2. Correlator compares alarm events with
codebook and identifies the problem.
Causality Graph
Labeled Causality Graph
• Ps are problems and Ss are symptoms• P1 causes S1 and S2• Note directed edge from S1 to S2 removed; S2 is caused directly or indirectly (via S1) by P1• S2 could also be caused by either P2 or P3
Codebook
• Codebook is problem-symptom matrix
• It is derived from causality graph after removing directed edges of propagation of symptoms
• Number of symptoms >= number of problems
• 2 rows are adequate to identify uniquely 3 problems
Correlation Matrix
• Correlation matrix is a reduced codebook
Correlation Graph
State Transition Model
State Transition Model Example
BackboneNetwork
Router
Hub1 Hub2 Hub3
NMS / Correlator
Physical Network
State Transition Graph
Finite State Machine Model
Finite State Machine Model
• Finite state machine model is a passive system; state transition graph model is an active system
• An observer agent is present in each node and reports abnormalities, such as a Web agent
• A central system correlates events reported by the agents
• Failure is detected by a node entering an illegal state
Security Management
• Security threats• Policies and Procedures• Resources to prevent security breaches• Firewalls• Cryptography• Authentication and Authorization• Client/Server authentication system• Message transfer security• Network protection security
Security Threats
• Modification of informationModification of information: Contents modified by unauthorized user, does not include address change
• MasqueradeMasquerade: change of originating address byunauthorized user
• Message Stream ModificationMessage Stream Modification: Fragments of message altered by an unauthorized user to modify the meaning of the message
• DisclosureDisclosure• Eavesdropping• Disclosure does not require interception of message
• Denial of service and traffic analysis are not considered as threats.
Security Threats
Polices and Procedures
Secured Communication Network
• Firewall secures traffic in and out of Network A• Security breach could occur by intercepting the message going from B to A, even if B has permission to access Network A• Most systems implement authentication with user id and password• Authorization is by establishment of accounts
No Security Breaches ?
Firewalls
• Protects a network from external attacks• Controls traffic in and out of a secure network• Could be implemented in a router, gateway, or
a special host• Benefits
• Reduces risks of access to hosts• Controlled access• Eliminates annoyance to the users• Protects privacy• Hierarchical implementation of policy and
and technology
Packet Filtering Firewall
Packet Filtering• Uses protocol specific criteria at DLC, network,
and transport layers• Implemented in routers - called screening router
or packet filtering routers• Filtering parameters:
• Source and/or destination IP address• Source and/or destination TCP/UDP port
address, such as ftp port 21• Multistage screening - address and protocol• Works best when rules are simple
Application Level Gateway
DMZ(De-Militarized Zone)
Cryptography
• Secure communication requires• Integrity protection: ensuring that the message
is not tampered with• Authentication validation: ensures the originator
identification• Security threats
• Modification of information• Masquerade• Message stream modification• Disclosure
• Hardware and software solutions• Most secure communication is software based
資訊安全之重點 機密性 (Confidentiality) 真實性 (Authentication) 完整性 (Integrity) 不可否認性 (Non-repudiation) 存取控制 (Access control) 可用性 (Availability)
Dear John: I am happy to know...
Dear John: I am happy to know...
atek49ffdlffffeffdsfsfsff …
atek49ffdlffffeffdsfsfsff …
plaintext plaintext
ciphertext ciphertextencryptionencryption decryptiondecryption
Encryption
Network
Cryptography / Encryption
Encryption Encode, Scramble, or Encipher the plaintext
information to be sent. Encryption Algorithm
The method performed in encryption. Encryption Key
A stream of bits that control the encryption algorithm.
Plaintext The text which is to be encrypted.
Ciphertext the text after encryption is performed.
Encryption
Encryption Key
Dear John: I am happy to know...
Plaintext
Encryption Algorithm
atek49ffdlffffeffdsfsfsff …
Ciphertext
Decryption
Decryption Key
Dear John: I am happy to know...
Plaintext
Decryption Algorithm
atek49ffdlffffeffdsfsfsff …
Ciphertext
Encryption / Decryption
Encryption Techniques
Private Key Encryption Encryption Key == Decryption Key Also called Symmetric-Key EncryptionSymmetric-Key Encryption,
Secret-Key EncryptionSecret-Key Encryption, or Conventional Conventional Cryptography.Cryptography.
Public Key Encryption Encryption Key Decryption Key Also called Asymmetric EncryptionAsymmetric Encryption
Private Key Encryption:- DES (Data Encryption Standard)
Adopted by U.S. Federal Government. Both the sender and receiver must know
the same secret key code to encrypt and decrypt messages with DES
Operates on 64-bit blocks with a 56-bit key
DES is a fast encryption scheme and works well for bulk encryption.
Issues: How to deliver the key to the sender safely?
Symmetric Key in DES
Other Symmetric Key Encryption Other Symmetric Key Encryption Techniques Techniques
3DES Triple DES
RC2, RC4 IDEA
International Data Encryption Algorithm
Key Size Matters!
Centuries
Decades
Years
Hours 40-bits
56-bits
168-bits*Triple-DES(recommendedfor commercial& corporate information)
Info
rmat
ion
Lif
etim
e
100’s 10K 1M 10M 100MBudget ($)
Public Key Encryption: RSA
The public key is disseminated as widely as possible. The secrete key is only known by the receiver.
Named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman
RSA is well established as a de facto standard
RSA is fine for encrypting small messages
Asymmetric Key in RSA
Symmetric Cipher(Conventional)
Asymmetric (RSA/D-H)
40 Bits 274 Bits 56 Bits 384 Bits 64 Bits 512 Bits 80 Bits 1024 Bits 96 Bits 1536 Bits112 Bits 2048 Bits120 Bits 2560 Bits128 Bits 3072 Bits192 Bits 10240 Bits
Average Time for Exhaustive Key Search
32 Bits 2 = 4.3 X 10 32 9
56 Bits 2 = 7.2 X 10 56 16Number of
Possible Key128 Bits 2 = 3.4 X 10
128 38
Time required at1 Encryption/uSEC
32 Bits ==> 2 usec =36 min31
56 Bits ==> 2 usec =1142 Years55
128 Bits ==> 2 usec =5X10 Years127 24
32 Bits ==> 2 millsec
56 Bits ==> 10 Hours
128 Bits ==> 5X10 Years18
Time required at
10 Encryption/uSEC6Performance
30~200 1
Key Length
Hybrid Encryption Technology:
PGP (Pretty Good Privacy)
Hybrid Encryption Technique First compresses the plaintext. Then creates a session key, which is a one-time-
only secret key. Using the session key, apply a fast conventional
encryption algorithm to encrypt the plaintext. The session key is then encrypted to the
recipient’s public key. This public key-encrypted session key is
transmitted along with the ciphertext to the recipient.
PGP Encryption
PGP Decryption The recipient uses its private key to
recover the temporary session key Use the session key to decrypt the
conventionally-encrypted ciphertext.
PGP Decryption
Message Digest
• Message digest is a cryptographic hash algorithm added to a message
• One-way function• Analogy with CRC• If the message is tampered with the message
digest at the receiving end fails to validate• MD5 (used in SNMPv3) commonly used MD• MD5 takes a message of arbitrary length (32-Byte)
blocks and generates 128-bit message digest• SHS (Secured Hash Standard) message digest
proposed by NIST handles 264 bits and generates 160-bit output
Digital Signatures
Digital signatures enable the recipient of information to verify the authenticity of the information’s origin, and also verify that the information is intact.
Public key digital signatures provide authenticationauthentication data integritydata integrity non-repudiationnon-repudiation
Technique: public key cryptography Signature created using private key and
validated using public key
Simple Digital Signatures
Secure Digital Signatures
Authentication and Authorization
• Authentication verifies user identification• Client/server environment
• Host/User Authentication• Ticket-granting system• Authentication server system• Cryptographic authentication
• Messaging environment• e-mail• e-commerce
• Authorization grants access to information• Read, read-write, no-access• Indefinite period, finite period, one-time use
Host Authentication Allow access to a service based on a source
host identifier, e.g. network address.
Issues A host can change its network address. Different users in the same host have the same authority.
ServiceService Allow Allow
Remote Login Host-B, Host-C, 140.131.59.20File Transfer Host-A, Host-B, PC-bmw, Directory Host-C, 140.131.62.211, PC-benz… …
User Authentication Enable service to identify each user
before allowing that user access. Password Mechanism
Generally, passwords are transferred on the network without any encryption.
Use encrypted passwords. Users tend to make passwords easy to remember. If the passwords are not common words, users will write
them down.
Host Authentication ++ User Authentication
Ticket-granting system
Ticket-granting system
• Used in client/server authentication system• Kerberos developed by MIT• Steps:
• User logs on to client workstation• Login request sent to authentication server• Auth. Server checks ACL, grants encrypted ticket to
client• Client obtains from TGS service-granting ticket
and session key• Appl. Server validates ticket and session key,
and then provides service
Service
ClientWorkstation
ApplicationServer /Service
AuthenticationServer
AuthenticationUserInput
Authentication
Proxy Server
Figure 13.39 Authentication Server
Authentication Server
Authentication Server
• Architecture of Novell LAN • Authentication server does not issue ticket• Login and password not sent from client
workstation• User sends id to central authentication server• Authentication server acts as proxy agent to the
client and authenticates the user with the application server
• Process transparent to the user
Message Transfer Security
• Messaging one-way communication• Secure message needs to be authenticated
and secured• Three secure mail systems
• Privacy Enhanced Mail (PEM)• Pretty Good Privacy (PGP)• X-400: OSI specifications that define
framework; not implementation specific
Privacy Enhanced Mail• Developed by IETF (RFC 1421 - 1424)• End-to-end cryptography• Provides
• Confidentiality• Authentication• Message integrity assurance• Nonrepudiation of origin
• Data encryption key (DEK) could be secret or public key-based originator and receiver agreed upon method
• PEM processes based on cryptography and message encoding
• MIC-CLEAR (Message Integrity Code-CLEAR)• MIC-ONLY• ENCRYPTED
PEM Processes
DEK = Data Encryption DEK = Data Encryption KeyKeyIK = Interexchange KeyIK = Interexchange KeyMIC = Message Integrity MIC = Message Integrity CodeCode
Use of PGP in E-mail
SNMPv3 Security
PrivacyModule
USMauthKey
USM
AuthenticationModule
wholeMsg
Figure 13.42 SNMP Secure Communication
password
authoritativeSnmpEngineId
scopedPDU
Encryption Key
EncryptedscopedPDU
authenticatedwholeMsg
HMAC Gen.
SNMPv3 Security
• Authentication key equivalent to DEK in PEM or private key in PGP
• Authentication key generated using user password and SNMP engine id
• Authentication key may be used to encrypt message• USM prepares the whole message including
scoped PDU• HMAC, equivalent of signature in PEM and PGP,
generated using authentication key and the whole message
• Authentication module provided with authentication key and HMAC to process incoming message
Virus Attacks
• Executable programs that make copies and insert them into other programs
• Attacks hosts and routers• Attack infects boot track, compromises cpu,
floods network traffic, etc.• Prevention is by identifying the pattern of the
virus and implementing protection in virus checkers
Accounting Management
• Least developed • Usage of resources• Hidden cost of IT usage (libraries)• Functional accounting• Business application
Report Management
Policy-Based Management
Policy-Based Management
• Domain space consists of objects (alarms with attributes)
• Rule space consists of rules (if-then)• Policy Driver controls action to be taken• Distinction between policy and rule; policy
assigns responsibility and accountability• Action Space implements actions
Service Level Management
• SLA management of service equivalent to QoS of network
• SLA defines• Identification of services and characteristics• Negotiation of SLA• Deployment of agents to monitor and control• Generation of reports
• SLA characteristics• Service parameters• Service levels• Component parameters• Component-to-service mappings