Chapter 13 Network Management Applications. Network and Systems Management.


Chapter 13 Network Management Applications

Network and Systems Management

Management Applications OSI Model Configuration Fault Performance Security Accounting Reports Service Level Management Policy-based management

Configuration Management Network Provisioning Inventory Management Equipment Facilities Network Topology Database Considerations

Network Provisioning Provisioning of network resources Design Installation and maintenance Circuit-switched network Packet-switched network, configuration for Protocol Performance QoS ATM networks

Network Topology Manual Auto-discovery by NMS using Broadcast ping ARP table in devices Mapping of network Layout Layering Views Physical Logical

Network Topology Discovery

Discovery in a Network. What is to be discovered in a network? Node Discovery: the network devices in each network segment. Network Discovery: the topology of the networks of interest. Service Discovery: the network services provided. Network Topology Discovery = Network Discovery + Node Discovery.

Node Discovery Given an IP Address, find the nodes in the same network. Two Major Approaches: Use Ping to query the possible IP addresses. Use SNMP to retrieve the ARP Cache of a known node.

Use ICMP ECHO. Eg: IP address: Subnet mask: All possible addresses: ~ For each of the above addresses, send an ICMP ECHO request to the address; if a node replies (ICMP ECHO Reply), then it is found. Broadcast Ping.

Use SNMP. Find a node which supports SNMP: the given node, default gateway, or router, or try a node arbitrarily. Query the ipNetToMediaTable in the MIB-II IP group (ARP Cache):

ipNetToMediaIfIndex   ipNetToMediaNetAddress   ipNetToMediaPhysAddress   ipNetToMediaType
1                                              00:80:43:5F:12:9A         dynamic(3)
2                                              00:80:51:F3:11:DE         dynamic(3)

Network Discovery Find the networks of interest with their interconnections Key Issue: Given a network, what are the networks directly connected with it ? Major Approach Use SNMP to retrieve the routing table of a router.

Default Router Routing table

Service Discovery Given a node, find out the network services provided by the node. Recall that each network service will use a dedicated TCP/UDP port. Standard TCP/UDP Ports: 0 ~ 1023 Two Approaches Use TCP Connection Polling (Port Scan) Use SNMP

If the node supports SNMP: use SNMP to query tcpConnTable (columns tcpConnState, tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort; tcpConnState values of interest: listen(2), established(5)) and udpTable (columns udpLocalAddress, udpLocalPort).
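The SNMP-based node discovery (ipNetToMediaTable) and service discovery (tcpConnTable, udpTable) slides above both come down to decoding MIB-II table rows, where the row's identity is carried in the OID index rather than in a column value. The following is an added example, not code from the slides: the entry OIDs are the real RFC 1213 ones, while the varbind lines are constructed to look like the text output of an SNMP table walk (the MAC addresses are the slide's, the IP addresses are made up).

```python
"""Decode MIB-II table rows for node and service discovery from SNMP varbinds."""

# Real MIB-II entry OIDs (RFC 1213) and their column numbers
IP_NET_TO_MEDIA_ENTRY = "1.3.6.1.2.1.4.22.1"  # 1 ifIndex, 2 physAddr, 3 netAddr, 4 type; index = ifIndex.ip
TCP_CONN_ENTRY = "1.3.6.1.2.1.6.13.1"         # 1 state, 2-5 addr/ports; index = lAddr.lPort.rAddr.rPort
UDP_ENTRY = "1.3.6.1.2.1.7.5.1"               # 1 localAddr, 2 localPort; index = lAddr.lPort

ARP_TYPES = {1: "other", 2: "invalid", 3: "dynamic", 4: "static"}
TCP_STATES = {1: "closed", 2: "listen", 3: "synSent", 4: "synReceived", 5: "established",
              6: "finWait1", 7: "finWait2", 8: "closeWait", 9: "lastAck", 10: "closing",
              11: "timeWait", 12: "deleteTCB"}

# Constructed walk output: two ARP cache rows (MACs from the slide, IPs made up),
# two listening TCP sockets, one established connection, one UDP listener.
SAMPLE_VARBINDS = [
    "1.3.6.1.2.1.4.22.1.1.1.192.0.2.10 = 1",
    "1.3.6.1.2.1.4.22.1.2.1.192.0.2.10 = 00:80:43:5F:12:9A",
    "1.3.6.1.2.1.4.22.1.3.1.192.0.2.10 = 192.0.2.10",
    "1.3.6.1.2.1.4.22.1.4.1.192.0.2.10 = 3",
    "1.3.6.1.2.1.4.22.1.1.2.192.0.2.20 = 2",
    "1.3.6.1.2.1.4.22.1.2.2.192.0.2.20 = 00:80:51:F3:11:DE",
    "1.3.6.1.2.1.4.22.1.3.2.192.0.2.20 = 192.0.2.20",
    "1.3.6.1.2.1.4.22.1.4.2.192.0.2.20 = 3",
    "1.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = 2",
    "1.3.6.1.2.1.6.13.1.1.0.0.0.0.80.0.0.0.0.0 = 2",
    "1.3.6.1.2.1.6.13.1.1.192.0.2.10.80.192.0.2.77.51514 = 5",
    "1.3.6.1.2.1.7.5.1.1.0.0.0.0.161 = 0.0.0.0",
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0.161 = 161",
]


def _oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def _ip(subids):
    return ".".join(str(x) for x in subids)


def parse_varbinds(lines):
    """Map 'oid = value' lines to {(entry_oid, column, index_tuple): value}."""
    table = {}
    for line in lines:
        oid, _, value = line.partition(" = ")
        parts = _oid(oid)
        for entry in (IP_NET_TO_MEDIA_ENTRY, TCP_CONN_ENTRY, UDP_ENTRY):
            prefix = _oid(entry)
            if parts[:len(prefix)] == prefix:
                table[(entry, parts[len(prefix)], parts[len(prefix) + 1:])] = value.strip()
    return table


def arp_table(varbinds):
    """Node discovery: one dict per ipNetToMediaTable row, sorted by index."""
    rows = []
    for (entry, column, index), value in sorted(varbinds.items()):
        if entry == IP_NET_TO_MEDIA_ENTRY and column == 2:  # physAddr column anchors the row
            rows.append({"if_index": index[0], "net_addr": _ip(index[1:5]),
                         "phys_addr": value,
                         "type": ARP_TYPES.get(int(varbinds.get((entry, 4, index), 1)), "other")})
    return rows


def tcp_connections(varbinds):
    """Every tcpConnTable row: the index itself carries both socket endpoints."""
    conns = []
    for (entry, column, index), value in sorted(varbinds.items()):
        if entry == TCP_CONN_ENTRY and column == 1:
            conns.append({"local": (_ip(index[0:4]), index[4]),
                          "remote": (_ip(index[5:9]), index[9]),
                          "state": TCP_STATES.get(int(value), "unknown")})
    return conns


def listening_services(varbinds):
    """Service discovery without connecting: TCP rows in listen(2) plus udpTable rows."""
    services = {("tcp", c["local"][1]) for c in tcp_connections(varbinds) if c["state"] == "listen"}
    services |= {("udp", index[4]) for (entry, column, index) in varbinds
                 if entry == UDP_ENTRY and column == 2}
    return sorted(services)


if __name__ == "__main__":
    vb = parse_varbinds(SAMPLE_VARBINDS)
    print(arp_table(vb))
    print(listening_services(vb))
```

Reading the tables this way answers the UDP problem raised on the next slide: a UDP listener that never answers a probe is still visible as a udpTable row on an agent you are allowed to query.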

Use TCP Connection Polling. First specify the TCP services (i.e., TCP port numbers) to be discovered. For each TCP service to be discovered, use a TCP connection to try to connect to the corresponding TCP port of the node. If the connection is successfully established, then the service is found. Note that it is difficult to discover UDP services in the same way.

Mapping of network

Traditional LAN Configuration Physical Logical

Virtual LAN Configuration Physical Logical

Fault Management Fault is a failure of a network component Results in loss of connectivity Fault management involves: Fault detection Polling Traps: linkDown, egpNeighborLoss Fault location Detect all components failed and trace down the tree topology to the source Fault isolation by network and SNMP tools Use artificial intelligence / correlation techniques Restoration of service Identification of root cause of the problem Problem resolution

Performance Management Tools Protocol analyzers RMON MRTG Performance Metrics Data Monitoring Problem Isolation Performance Statistics

Performance Metrics Macro-level Throughput Response time Availability Reliability Micro-level Bandwidth Utilization Error rate Peak load Average load

Traffic Flow Measurement Network Characterization Four levels defined by IETF (RFC 2063)

Network Flow Measurements Three measurement entities: Meters Meters gather data and build tables Meter readers Meter readers collect data from meters Managers Managers oversee the operation Meter MIB (RFC 2064) NetraMet - an implementation(RFC 2123)

Data Monitoring and Problem Isolation. Data monitoring: normal behavior; abnormal behavior (e.g., excessive collisions, high packet loss, etc.); set up traps (e.g., parameters in the alarm group in RMON on the object identifier of interest); set up alarms for criticality; manual and automatic clearing of alarms. Problem isolation: manual mode using network and SNMP tools; problems in multiple components need tracking down the topology; automated mode using correlation technology.

Performance Statistics Traffic statistics Error statistics Used in QoS tracking Performance tuning Validation of SLA (Service Level Agreement) Trend analysis Facility planning Functional accounting

Event Correlation Techniques Basic elements Detection and filtering of events Correlation of observed events using AI Localize the source of the problem Identify the cause of the problem Techniques Rule-based reasoning Model-based reasoning Case-based reasoning Codebook correlation model State transition graph model Finite state machine model

Rule-Based Reasoning

Knowledge base contains expert knowledge on problem symptoms and actions to be taken: if condition then action. Working memory contains topological and state information of the network; recognizes the system going into a faulty state. Inference engine, in cooperation with the knowledge base, decides on the action to be taken. Knowledge executes the action.

Rule-Based Reasoning. The rule-based paradigm is an iterative process. RBR is “brittle” if no precedence exists. An exponential growth in the knowledge base poses a problem in scalability. Problem with instability (e.g., a packet-loss threshold rule: 10%, 15%, alarm red); solution using fuzzy logic.

Configuration for RBR Example

RBR Example

Model-Based Reasoning

Object-oriented model Model is a representation of the component it models Model has attributes and relations to other models Relationship between objects reflected in a similar relationship between models

MBR Event Correlator Example: Hub 1 fails; recognized by the Hub 1 model. Hub 1 model queries the router model. Router model declares failure: Hub 1 model declares NO failure. Router model declares no failure: Hub 1 model declares failure.

Case-Based Reasoning

Unit of knowledge: RBR - rule; CBR - case. CBR is based on a case experienced before, extended to the current situation by adaptation. Three adaptation schemes: Parameterized adaptation; Abstraction / re-specialization adaptation; Critic-based adaptation.

CBR Parameterized Adaptation

CBR: Abstraction / Re-specialization

CBR: Critic-Based Adaptation Human expertise introduces a new case

CBR-Based CRITTER

Codebook Correlation Model: Generic Architecture

Codebook Correlation Model. Yemini et al. proposed this model. Monitors capture alarm events. Configuration model contains the configuration of the network. Event model represents events and their causal relationships. Correlator correlates alarm events with the event model and determines the problem that caused the events.

Codebook Approach Correlation algorithms based upon coding approach to event correlation Problem events viewed as messages generated by a system and encoded in sets of alarms Correlator decodes the problem messages to identify the problems

Two phases of the Codebook Approach: 1. Codebook selection phase: problems to be monitored are identified and the symptoms they generate are associated with the problem. This generates the codebook (problem-symptom matrix). 2. Correlator compares alarm events with the codebook and identifies the problem.

Causality Graph

Labeled Causality Graph Ps are problems and Ss are symptoms P1 causes S1 and S2 Note directed edge from S1 to S2 removed; S2 is caused directly or indirectly (via S1) by P1 S2 could also be caused by either P2 or P3

Codebook Codebook is problem-symptom matrix It is derived from causality graph after removing directed edges of propagation of symptoms Number of symptoms >= number of problems 2 rows are adequate to identify uniquely 3 problems

Correlation Matrix Correlation matrix is a reduced codebook
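The codebook slides (causality graph, problem-symptom matrix, reduced correlation matrix, decoding of alarms) describe an algorithm that is short enough to run end to end. The following is an added example, not code from the slides or from Yemini et al.'s implementation: it uses a constructed causality graph (three problems, three symptoms, with S1 propagating to S2) rather than the slide's figure, builds the codebook by taking the transitive closure so that propagation edges disappear, finds the smallest set of symptom rows that still keeps every problem's code distinct, and decodes an observed alarm set by minimum Hamming distance, which is what lets the correlator tolerate a lost or spurious alarm.

```python
"""Codebook event correlation on a constructed causality graph."""
from itertools import combinations

# Constructed causality graph: directed edges "cause -> effects".
# P* are problems, S* are symptoms; S1 -> S2 is symptom propagation.
CAUSALITY = {
    "P1": ["S1"],
    "S1": ["S2"],
    "P2": ["S2"],
    "P3": ["S2", "S3"],
}
PROBLEMS = ["P1", "P2", "P3"]
SYMPTOMS = ["S1", "S2", "S3"]


def reachable(graph, start):
    """All symptoms reachable from `start`, directly or via propagation."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen


def build_codebook(graph, problems, symptoms):
    """Problem-symptom matrix: codebook[p] is the 0/1 symptom vector (code) of p.
    Using the closure removes the directed propagation edges, as the slide says."""
    return {p: tuple(int(s in reachable(graph, p)) for s in symptoms) for p in problems}


def reduce_codebook(codebook, symptoms):
    """Correlation matrix: the smallest subset of symptom rows whose restricted
    codes are still distinct for every problem (brute force; fine for small books)."""
    for k in range(1, len(symptoms) + 1):
        for rows in combinations(range(len(symptoms)), k):
            codes = {tuple(code[i] for i in rows) for code in codebook.values()}
            if len(codes) == len(codebook):
                return [symptoms[i] for i in rows]
    return list(symptoms)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def correlate(codebook, symptoms, observed):
    """Decode an observed alarm set: the problem whose code is nearest in Hamming
    distance. Returns (problem, distance); distance > 0 means some alarm was
    lost or spurious, which is worth reporting alongside the diagnosis."""
    vec = tuple(int(s in observed) for s in symptoms)
    best = min(codebook, key=lambda p: hamming(codebook[p], vec))
    return best, hamming(codebook[best], vec)


if __name__ == "__main__":
    book = build_codebook(CAUSALITY, PROBLEMS, SYMPTOMS)
    print("codebook:", book)
    print("rows needed:", reduce_codebook(book, SYMPTOMS))
    print("alarms {S2, S3} ->", correlate(book, SYMPTOMS, {"S2", "S3"}))
    print("alarms {S1} (S2 lost) ->", correlate(book, SYMPTOMS, {"S1"}))
```

With this graph the full codebook has three rows, but two rows (S1 and S3) already give the three problems distinct codes, which is the point of the slide's "2 rows are adequate to identify uniquely 3 problems".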

Correlation Graph

State Transition Model

State Transition Model Example

State Transition Graph

Finite State Machine Model

Finite state machine model is a passive system; state transition graph model is an active system An observer agent is present in each node and reports abnormalities, such as a Web agent A central system correlates events reported by the agents Failure is detected by a node entering an illegal state

Security Management Security threats Policies and Procedures Resources to prevent security breaches Firewalls Cryptography Authentication and Authorization Client/Server authentication system Message transfer security Network protection security

Security Threats. Modification of information: contents modified by an unauthorized user; does not include address change. Masquerade: change of originating address by an unauthorized user. Message Stream Modification: fragments of a message altered by an unauthorized user to modify the meaning of the message. Disclosure: eavesdropping; disclosure does not require interception of the message. Denial of service and traffic analysis are not considered as threats.

Security Threats

Policies and Procedures

Secured Communication Network Firewall secures traffic in and out of Network A Security breach could occur by intercepting the message going from B to A, even if B has permission to access Network A Most systems implement authentication with user id and password Authorization is by establishment of accounts No Security Breaches ?

Firewalls. Protects a network from external attacks. Controls traffic in and out of a secure network. Could be implemented in a router, gateway, or a special host. Benefits: reduces risks of access to hosts; controlled access; eliminates annoyance to the users; protects privacy; hierarchical implementation of policy and technology.

Packet Filtering Firewall

Packet Filtering Uses protocol specific criteria at DLC, network, and transport layers Implemented in routers - called screening router or packet filtering routers Filtering parameters: Source and/or destination IP address Source and/or destination TCP/UDP port address, such as ftp port 21 Multistage screening - address and protocol Works best when rules are simple
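The packet filtering slide lists the parameters a screening router matches on and warns that filtering "works best when rules are simple". The following is an added example, not configuration from the slides or from any router vendor: a first-match evaluator over the slide's parameters (source/destination address, protocol, destination port, with the slide's FTP port 21), plus a check for the classic mistake that simple-looking rule sets hide, a broad permit placed before the specific deny it shadows. Addresses are from the documentation ranges and the policy is constructed.

```python
"""First-match packet-filter evaluation with a shadowed-rule check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Screening-router semantics: the first matching rule decides, else default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matching `inner` would already match `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Constructed policy: a blocked network is refused first; only the partner network
# may reach FTP control (port 21) inside; anyone may reach the web server; deny the rest.
PARTNER, INTERNAL, WEB = "203.0.113.0/24", "192.0.2.0/24", "192.0.2.80/32"
CORRECT_RULES = [
    Rule("deny", src="198.51.100.0/24", dst=INTERNAL),
    Rule("permit", src=PARTNER, dst=INTERNAL, proto="tcp", dport=21),
    Rule("permit", dst=WEB, proto="tcp", dport=80),
    Rule("deny"),
]
# Same intent with a broad permit placed first: the specific deny is shadowed
# and the blocked network gets through to port 21.
SHADOWED_RULES = [
    Rule("permit", dst=INTERNAL, proto="tcp", dport=21),
    Rule("deny", src="198.51.100.0/24", dst=INTERNAL, proto="tcp", dport=21),
    Rule("deny"),
]

if __name__ == "__main__":
    probe = Packet("198.51.100.9", "192.0.2.10", "tcp", 21)
    print("correct:", evaluate(CORRECT_RULES, probe), "shadowed:", evaluate(SHADOWED_RULES, probe))
    print("unreachable rules in SHADOWED_RULES:", shadowed_rules(SHADOWED_RULES))
```

`shadowed_rules` is a cheap review step for a rule set: any index it returns is a rule whose intent is silently not enforced.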

Application Level Gateway DMZ (De-Militarized Zone)

Cryptography Secure communication requires Integrity protection: ensuring that the message is not tampered with Authentication validation: ensures the originator identification Security threats Modification of information Masquerade Message stream modification Disclosure Hardware and software solutions Most secure communication is software based

Key points of information security: Confidentiality, Authentication, Integrity, Non-repudiation, Access control, Availability

[Figure: encryption over a network. Plaintext “Dear John: I am happy to know...” -> encryption -> ciphertext “atek49ffdlffffe ffdsfsfsff …” -> network -> decryption -> plaintext “Dear John: I am happy to know...”]

Cryptography / Encryption Encryption Encode, Scramble, or Encipher the plaintext information to be sent. Encryption Algorithm The method performed in encryption. Encryption Key A stream of bits that control the encryption algorithm. Plaintext The text which is to be encrypted. Ciphertext the text after encryption is performed.

Encryption: Encryption Key -> Encryption Algorithm. Plaintext “Dear John: I am happy to know...” -> Ciphertext “atek49ffdlffffe ffdsfsfsff …”

Decryption: Decryption Key -> Decryption Algorithm. Ciphertext “atek49ffdlffffe ffdsfsfsff …” -> Plaintext “Dear John: I am happy to know...”

Encryption / Decryption

Encryption Techniques. Private Key Encryption: Encryption Key = Decryption Key. Also called Symmetric-Key Encryption, Secret-Key Encryption, or Conventional Cryptography. Public Key Encryption: Encryption Key ≠ Decryption Key. Also called Asymmetric Encryption.

Private Key Encryption: - DES (Data Encryption Standard) Adopted by U.S. Federal Government. Both the sender and receiver must know the same secret key code to encrypt and decrypt messages with DES Operates on 64-bit blocks with a 56-bit key DES is a fast encryption scheme and works well for bulk encryption. Issues: How to deliver the key to the sender safely?

Symmetric Key in DES

Other Symmetric Key Encryption Techniques 3DES Triple DES RC2, RC4 IDEA International Data Encryption Algorithm

Key Size Matters! [Chart: information lifetime (Hours, Years, Decades, Centuries) against attacker budget ($100's, $10K, $1M, $10M, $100M) for 40-bit, 56-bit and 168-bit* keys.] * Triple-DES (recommended for commercial & corporate information)

Public Key Encryption: RSA. The public key is disseminated as widely as possible. The secret key is known only to the receiver. Named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is well established as a de facto standard. RSA is fine for encrypting small messages.

Asymmetric Key in RSA

Key Length (equivalent strength):

Symmetric Cipher (Conventional)   Asymmetric (RSA/D-H)
40 Bits                           274 Bits
56 Bits                           384 Bits
64 Bits                           512 Bits
80 Bits                           1024 Bits
96 Bits                           1536 Bits
112 Bits                          2048 Bits
120 Bits                          2560 Bits
128 Bits                          3072 Bits
192 Bits
Performance (relative cost)       1 : 30~200

Average Time for Exhaustive Key Search:

Key Size   Number of Possible Keys   Time required at 1 Encryption/usec   Time required at 10^6 Encryptions/usec
32 Bits    2^32 = 4.3 x 10^9         2^31 usec = 36 min                   2 millisec
56 Bits    2^56 = 7.2 x 10^16        2^55 usec = 1142 Years               10 Hours
128 Bits   2^128 = 3.4 x 10^38       2^127 usec = 5 x 10^24 Years         5 x 10^18 Years

Hybrid Encryption Technology: PGP (Pretty Good Privacy). Hybrid Encryption Technique: First compresses the plaintext. Then creates a session key, which is a one-time-only secret key. Using the session key, apply a fast conventional encryption algorithm to encrypt the plaintext. The session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

PGP Encryption

PGP Decryption The recipient uses its private key to recover the temporary session key Use the session key to decrypt the conventionally-encrypted ciphertext.

PGP Decryption

Message Digest. A message digest is a cryptographic hash value computed over a message and appended to it; one-way function; analogy with CRC. If the message is tampered with, the message digest at the receiving end fails to validate. MD5 (used in SNMPv3) is a commonly used MD: MD5 takes a message of arbitrary length, processed in (32-Byte) blocks, and generates a 128-bit message digest. SHS (Secure Hash Standard) message digest, proposed by NIST, handles messages up to 2^64 bits and generates 160-bit output.

Digital Signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Public key digital signatures provide authentication, data integrity, and non-repudiation. Technique: public key cryptography; signature created using the private key and validated using the public key.

Simple Digital Signatures

Secure Digital Signatures

Authentication and Authorization Authentication verifies user identification Client/server environment Host/User Authentication Ticket-granting system Authentication server system Cryptographic authentication Messaging environment e-commerce Authorization grants access to information Read, read-write, no-access Indefinite period, finite period, one-time use

Host Authentication. Allow access to a service based on a source host identifier, e.g. network address. Issues: A host can change its network address. Different users in the same host have the same authority.

Service         Allow
Remote Login    Host-B, Host-C, …
File Transfer   Host-A, Host-B, PC-bmw, …
Directory       Host-C, …, PC-benz, …

User Authentication. Enable the service to identify each user before allowing that user access. Password Mechanism: Generally, passwords are transferred on the network without any encryption; use encrypted passwords. Users tend to make passwords easy to remember; if the passwords are not common words, users will write them down. Combination: Host Authentication + User Authentication.

Ticket-granting system

Used in client/server authentication system Kerberos developed by MIT Steps: User logs on to client workstation Login request sent to authentication server Auth. Server checks ACL, grants encrypted ticket to client Client obtains from TGS service-granting ticket and session key Appl. Server validates ticket and session key, and then provides service

Authentication Server

Architecture of Novell LAN Authentication server does not issue ticket Login and password not sent from client workstation User sends id to central authentication server Authentication server acts as proxy agent to the client and authenticates the user with the application server Process transparent to the user

Message Transfer Security Messaging one-way communication Secure message needs to be authenticated and secured Three secure mail systems Privacy Enhanced Mail (PEM) Pretty Good Privacy (PGP) X-400: OSI specifications that define framework; not implementation specific

Privacy Enhanced Mail. Developed by IETF (RFC ). End-to-end cryptography. Provides: confidentiality; authentication; message integrity assurance; nonrepudiation of origin. The data encryption key (DEK) could be secret or public key-based; originator and receiver agree upon the method. PEM processes based on cryptography and message encoding: MIC-CLEAR (Message Integrity Code-CLEAR), MIC-ONLY, ENCRYPTED.

PEM Processes DEK = Data Encryption Key IK = Interexchange Key MIC = Message Integrity Code

Use of PGP in

SNMPv3 Security

Authentication key equivalent to DEK in PEM or private key in PGP Authentication key generated using user password and SNMP engine id Authentication key may be used to encrypt message USM prepares the whole message including scoped PDU HMAC, equivalent of signature in PEM and PGP, generated using authentication key and the whole message Authentication module provided with authentication key and HMAC to process incoming message
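The SNMPv3 USM slide above lists the steps in words: the authentication key is derived from the user password and the SNMP engine ID, and the HMAC is computed over the whole message (including the scoped PDU) and checked by the authentication module on receipt. The following is an added example, not code from the slides or from any SNMP implementation. The hashing steps are the ones RFC 3414 Appendix A.2 specifies (password repeated to 1,048,576 bytes, then Kul = H(Ku || snmpEngineID || Ku)), and the password/engine-ID pair is the RFC's own test vector; the header and scoped PDU bytes are constructed placeholders, since a real SNMPv3 message is BER-encoded.

```python
"""SNMPv3 USM: password-to-key, key localization and HMAC-96 over the whole message."""
import hashlib
import hmac

AUTH_LEN = 12   # msgAuthenticationParameters is 12 bytes for HMAC-MD5-96 / HMAC-SHA-96


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated to fill 1,048,576 bytes (slow on purpose)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key is bound to one engine, so a key
    recovered from one device does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def authenticate(kul: bytes, header: bytes, scoped_pdu: bytes, hash_name: str) -> bytes:
    """Sender: HMAC over the whole message with the auth field zeroed, then
    splice the 96-bit result into that field."""
    whole = header + bytes(AUTH_LEN) + scoped_pdu
    mac = hmac.new(kul, whole, hash_name).digest()[:AUTH_LEN]
    return header + mac + scoped_pdu


def verify(kul: bytes, message: bytes, header_len: int, hash_name: str) -> bool:
    """Receiver (authentication module): take the field out, zero it, recompute,
    compare in constant time."""
    received = message[header_len:header_len + AUTH_LEN]
    zeroed = message[:header_len] + bytes(AUTH_LEN) + message[header_len + AUTH_LEN:]
    expected = hmac.new(kul, zeroed, hash_name).digest()[:AUTH_LEN]
    return hmac.compare_digest(received, expected)


# RFC 3414 Appendix A.3 test-vector inputs
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed stand-ins for the BER-encoded header (up to the auth parameters)
# and for the scoped PDU.
HEADER = b"<msgVersion=3, msgGlobalData, msgAuthoritativeEngineID, userName=admin>"
SCOPED_PDU = b"<contextEngineID, contextName, GetRequest sysUpTime.0>"


def demo(hash_name: str = "sha1"):
    """Derive the localized key, authenticate one message, and verify it."""
    kul = localize_key(password_to_key(PASSWORD, hash_name), ENGINE_ID, hash_name)
    message = authenticate(kul, HEADER, SCOPED_PDU, hash_name)
    return message, verify(kul, message, len(HEADER), hash_name)


if __name__ == "__main__":
    message, ok = demo("sha1")
    print("HMAC-SHA-96:", message[len(HEADER):len(HEADER) + AUTH_LEN].hex(), "verified:", ok)
```

Two properties worth noticing when running it: flipping any byte of the scoped PDU makes verification fail, because the HMAC covers the whole message, and the same password localized against a different engine ID produces a key that does not verify the message at all.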

Virus Attacks. Executable programs that make copies of themselves and insert them into other programs. Attacks hosts and routers. An attack infects the boot track, compromises the CPU, floods network traffic, etc. Prevention is by identifying the pattern of the virus and implementing protection in virus checkers.

Accounting Management Least developed Usage of resources Hidden cost of IT usage (libraries) Functional accounting Business application

Report Management

Policy-Based Management

Domain space consists of objects (alarms with attributes) Rule space consists of rules (if-then) Policy Driver controls action to be taken Distinction between policy and rule; policy assigns responsibility and accountability Action Space implements actions

Service Level Management SLA management of service equivalent to QoS of network SLA defines Identification of services and characteristics Negotiation of SLA Deployment of agents to monitor and control Generation of reports SLA characteristics Service parameters Service levels Component parameters Component-to-service mappings