CHEP2006 Network Information and Management Infrastructure Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe Klemencic, Donna Lamore, Mark Leininger, Don Petravick, Vladimir Podstavkov, Randy Reitz Fermi National Accelerator Laboratory

CHEP2006 Challenges of FNAL LAN management Specifics of FNAL network Large Open, dynamic Exposed Successful network and network security management requires coordinated cooperation of key players: Data Communications Computer Security Users Desktop support

CHEP2006 What is NIMI ? NIMI stands for Network Information and Management Infrastructure Hardware – 2 Linux servers Database with quasi-real time network status data PostgreSQL Network Data Collector Data access and application building framework Python as programming language PostgreSQL as the database solution (Kerberized) SOAP as middleware communication mechanism Kerberos, X509 as authentication mechanisms Zope as Web interface development tool

CHEP2006 Big Picture

CHEP2006 NIMI Database PostgreSQL based Stores network state quasi-realtime data Uses PostgreSQL backup functionality to make backup in 3 locations Another disk on the same server Backup NIMI DB server FNAL CD Backup Server Data is kept since March 2004 < 5GB on disk

CHEP2006 NIMI Collector Collects network state information from network devices Stores data in NIMI Database and makes it available to applications Information collected: DHCP leases (quasi-realtime) ARP tables (periodic polls) VPN sessions (periodic polls) Switch forwarding tables (periodic polls)

CHEP2006 NIMI-Based Applications Network Inventory Up-to-date inventory of network devices and services Scanners Configuration problems Software version monitoring Vulnerabilities TIssue Computer Security Issue Tracking workflow system Fed by scanners

CHEP2006 Network Inventory Provides up-to-date information about network devices present on the LAN New node discovery Periodic subnet pings (every 2 minutes) ARP tables (delayed up to 15 minutes) Uses ping scans and ARP tables data for node discovery Collects information about OS version and services found on each computer Most of new nodes scanned within 5 minutes Helps optimize efficiency of other Scanners

CHEP2006 Scanners Run on Scanner Farm Use data from Inventory Scanner to scan new nodes within minutes of their arrival, and then re- scan them in lazy manner as they stay online Three areas: Vulnerabilities (Vulnerability Scanner) System misconfiguration Outdated software Vulnerability Scanner Uses nmap to detect vulnerabilities Scanners supply events for TIssue

CHEP2006 TIssue Workflow engine used to keep track of security vulnerabilities and network-related issues Provides flexible abstract interface to plug in Detectors (e.g. Scanners) Keeps track of events in detector-independent way Communicates with machine administrators via and web interface Requests blocks of network addresses as the enforcement tool Zope-based web GUI uses X509 certificates as the authentication mechanism

CHEP2006 Advantages of using NIMI Common data storage easily available to applications Simple modular design of the system Collector – deals with variety of vendor-specific network data Central database APIs Middleware Carefully chosen set of software tools covering all areas of application development PostgreSQL Python SOAP Zope Kerberos, X509

CHEP2006 NIMI: Success Story Recent computer security related events have demonstrated that applications such as TIssue and Inventory Scanner are very reliable, powerful and useful computer security and network management tools NIMI provides building blocks for rapid development of applications like these We continue new application development using NIMI as the framework