
SYSLOG, NetConf, NetFlow (W. Lilakiatsakun)

syslog (1)
- The purpose of syslog is to write system messages to a log
- Syslog messages can include everything from critical alarm conditions to ordinary debugging statements
- It provides a general trail of activities
- It provides the capability for the device to emit event messages without solicitation

syslog (2)
- A syslog message has 2 parts
  - A message header and the message body
- The message body contains the content of the message itself (English text, unstructured)
- The message header contains minimal but essential information in a structured manner

General syslog message (fields of the example shown on the slide)
- IP address
- sequence number
- Apr 12 18:01:55:643 – local time
- ENV_MON – facility emitting the alarm
- 1 – severity
- SHUTDOWN – event

syslog protocol
- IETF is in the process of passing a particular version of syslog as a standard
  - RFC 3164 BSD syslog protocol
  - RFC 3195 reliable delivery for syslog
- Refer to RFC 3164 (RFC 5424)
  - UDP is used as the transport service
  - Port 514

definition
- A machine that can generate a message will be called a "device".
- A machine that can receive the message and forward it to another machine will be called a "relay".
- A machine that receives the message and does not relay it to any other machines will be called a "collector". This has been commonly known as a "syslog server".

syslog message
- Consists of 3 parts: PRI / HEADER / MSG
- Length: 2048 bytes or less

PRI (Priority) part
- Priority – combination of a facility and a severity
  - Facility – category of a message (e.g. kernel message), given as a numeric code
  - Severity – numeric code 0–7, where 0 is the most severe
  - Priority is formed by multiplying the numeric code of the facility by 8 and adding the severity
  - Facility 7 and severity 3, so priority = 7 × 8 + 3 = 59

Example of Facility code

Example of Severity

HEADER part (1)
- The HEADER part contains a timestamp and an indication of the hostname or IP address of the device
- The HEADER part of the syslog packet MUST contain visible (printing) characters (7-bit ASCII)
- The HOSTNAME field will contain the hostname or IP address
- The TIMESTAMP field will contain the local time and is in the format "Mmm dd hh:mm:ss"

HEADER part (2)
- Mmm – month of the year, with the first character in uppercase and the other two characters in lowercase
  - "Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec"
- dd – the day of the month
  - If the day of the month is less than 10, then it MUST be represented as a space and then the number.
  - For example, the 7th day of August would be represented as "Aug  7", with two spaces between the "g" and the "7"

HEADER part (3)
- hh:mm:ss is the local time.
- The hour (hh) is represented in a 24-hour format.
  - Valid entries are between 00 and 23
- The minute (mm) and second (ss) entries are between

MSG part (1)
- It contains some additional information about the process that generated the message, and then the text of the message
- It has 2 fields: TAG and CONTENT
- The TAG field will be the name of the program or process that generated the message (not exceeding 32 characters)
- The CONTENT field contains the details of the message.
  - This has traditionally been a freeform message that gives some detailed information about the event

Example of syslog message
Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
- PRI – priority (the value in angle brackets was not preserved in the transcript)
- Oct 11 22:14:15 – timestamp
- mymachine – hostname
- su – TAG
- : 'su root' failed for lonvick on /dev/pts/8 – CONTENT
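As an added worked example (not part of the slides), here is a small Python parser for the RFC 3164 format described on the preceding slides: it computes and decodes PRI as facility × 8 + severity, splits the HEADER (space-padded day, hostname or IP) from the MSG part (TAG and CONTENT), and rejects an out-of-range PRI. The first sample is the example message from RFC 3164 with its PRI of 34; the second sample is constructed.

```python
import re
from dataclasses import dataclass

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; facilities run 0..23, severities 0..7 (0 is most severe)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity

def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: the facility is the quotient, the severity the remainder."""
    if not 0 <= pri <= 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str    # "Mmm dd hh:mm:ss", day space-padded when below 10
    hostname: str     # hostname or IP address of the device
    tag: str          # program/process name, alphanumeric, at most 32 characters
    content: str      # free-form text, starting at the first non-alphanumeric byte after TAG

# "<PRI>" then HEADER (timestamp, one space, hostname, one space) then the MSG part.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)$")

def parse_bsd_syslog(raw: str) -> SyslogMessage:
    """Split an RFC 3164 message into PRI / HEADER / MSG and decode the PRI."""
    m = _HEADER.match(raw)
    if not m:
        raise ValueError("not a well-formed PRI + HEADER")
    facility, severity = decode_pri(int(m.group("pri")))
    t = _TAG.match(m.group("msg"))
    if not t:
        raise ValueError("MSG part must start with an alphanumeric TAG")
    return SyslogMessage(facility, severity, m.group("ts"), m.group("host"),
                         t.group("tag"), t.group("content"))

# The example message from RFC 3164; its PRI of 34 is facility 4 (auth), severity 2 (Critical).
RFC_EXAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
# Constructed message: facility 7 / severity 3 gives PRI 59, the day is space-padded, the host is an IP.
PADDED_EXAMPLE = "<59>Aug  7 09:05:00 10.0.0.1 envmon: temperature threshold exceeded"

if __name__ == "__main__":
    for raw in (RFC_EXAMPLE, PADDED_EXAMPLE):
        msg = parse_bsd_syslog(raw)
        print(f"facility={msg.facility} severity={SEVERITY_NAMES[msg.severity]} "
              f"host={msg.hostname} tag={msg.tag} content={msg.content!r}")
```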

Security consideration (1)
- Authentication
  - The syslog delivery mechanism does not strongly associate the message with the message sender
  - A misconfigured machine may send syslog messages to a collector representing itself as another machine
  - An attacker may transmit syslog messages to a collector.

Security consideration (2)
- Sequenced delivery
  - The syslog process and protocol do not ensure ordered delivery.
- Reliable delivery
  - There is no mechanism within either the syslog process or the protocol to ensure delivery
  - Messages may be maliciously intercepted or discarded
- Message integrity
  - Syslog messages may be damaged in transit, or an attacker may maliciously modify them.

Security consideration (3)
- Message observation
  - No mechanism provides confidentiality of the messages in transit (clear-text messages)
- Message prioritization & differentiation
  - No mechanism relating to message priority
  - Critical and non-critical messages can be treated as equal in terms of reception

Security consideration (4)
- Misconfiguration
  - The syslog message may go to an unintended receiver
- Load considerations
  - An attacker may perform a Denial of Service attack by filling the disk of the collector with false messages.
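An added example, not from the slides, of the collector-side mitigations these considerations point to: since UDP syslog does not authenticate the sender, the collector compares the HEADER's HOSTNAME against an inventory of which source address may claim which name (the addresses, hostnames and traffic below are constructed), quarantines mismatches and unknown senders instead of logging them as genuine, and applies a per-sender token bucket so one flooding source cannot fill the disk.

```python
import re
from collections import defaultdict

# Constructed inventory: the HOSTNAME each sender address is allowed to put in the HEADER.
# In practice this comes from the asset database; the addresses and names here are assumptions.
EXPECTED_HOST = {"10.0.0.5": "fw1", "10.0.0.6": "core-sw"}

_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) (\S+) ")

class TokenBucket:
    """Per-sender rate limit: one flooding source cannot fill the collector's disk with
    false messages while the other senders keep getting through."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, src, now):
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False

def triage(src_ip, raw, now, bucket):
    """Return (verdict, reason) with verdict "accept", "quarantine" or "drop". Quarantined
    messages are kept apart so they are neither lost nor mistaken for an event from the
    host they claim, and the mismatch itself becomes something to investigate."""
    if not bucket.allow(src_ip, now):
        return "drop", f"rate limit exceeded for {src_ip}"
    m = _HEADER.match(raw)
    if not m:
        return "quarantine", "malformed PRI/HEADER"
    pri, host = int(m.group(1)), m.group(3)
    if pri > 191:
        return "quarantine", f"PRI {pri} out of range"
    expected = EXPECTED_HOST.get(src_ip)
    if expected is None:
        return "quarantine", f"unknown sender {src_ip}"
    # UDP syslog carries no authentication: the only tie between a message and its origin is
    # the source address, so a HEADER that names a different machine is suspect.
    if host not in (expected, src_ip):
        return "quarantine", f"HOSTNAME {host!r} from {src_ip}, inventory says {expected!r}"
    return "accept", "ok"

def run(events, bucket=None):
    """events: iterable of (src_ip, raw_message, arrival_time); returns the verdicts in order."""
    bucket = bucket or TokenBucket(rate_per_sec=5, burst=20)
    return [triage(src, raw, ts, bucket)[0] for src, raw, ts in events]

# Constructed traffic: a normal message, a sender claiming another device's name, a message
# from an address not in the inventory, then 50 messages from one sender in the same instant.
SAMPLE_EVENTS = [
    ("10.0.0.5", "<13>Oct 11 22:14:15 fw1 kernel: link up on eth1", 0.0),
    ("10.0.0.5", "<13>Oct 11 22:14:16 core-sw sshd: accepted key for admin", 1.0),
    ("192.0.2.9", "<13>Oct 11 22:14:17 fw1 kernel: link down on eth1", 2.0),
] + [("10.0.0.6", f"<13>Oct 11 22:14:20 core-sw app: event {i}", 5.0) for i in range(50)]

if __name__ == "__main__":
    from collections import Counter
    print(Counter(run(SAMPLE_EVENTS)))   # accept 21, quarantine 2, drop 30
```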

syslog deployment (1)
- Two roles are distinguished
  - syslog sender (management agent)
  - syslog receiver (management manager)
- Syslog receiver (1)
  - The device itself writes the messages to a local log file
    - Uses a circular log file to limit the size
    - Log files are created with a certain capacity

syslog deployment (2) Circular log file

syslog deployment (3)
- syslog receiver (cont'd)
  - Centralized logging host
    - Receives messages from several devices and logs those messages
    - Applications access this logging host instead of individual devices
    - It often functions as a syslog relay, forwarding syslog messages to various applications.

syslog deployment (4) Logging host syslog relay

Netconf (1)
- Netconf is a network management protocol developed in the IETF by the Netconf working group.
- It was published as an RFC.
- The NETCONF protocol provides mechanisms to install, manipulate, and delete the configuration of network devices.
- It also can perform some monitoring functions.

Netconf (2)
- It uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages.
- The NETCONF protocol operations are realized on top of a simple Remote Procedure Call (RPC) layer.

Netconf Datastore (1)
- The configuration information of devices can be thought of and handled as being contained in a datastore (like a file)
- The datastore resembles a MIB.
- Netconf provides the operations to manage those datastores.
  - SNMP targets the individual managed objects inside the MIB
  - Netconf targets the MIB as a whole or a portion of it

Netconf Datastore (2) A hierarchical datastore in Netconf

Netconf Datastore (3)
- Management operations can be applied to individual subtrees
- This capability is called subtree filtering

Netconf and XML (1)
- Netconf uses XML as the encoding for its management operations
- XML documents contain so-called tags to delimit different pieces of information
- Tags are defined by users, such as (the slide's example tags were not preserved in the transcript)

Netconf Architecture (1)

Netconf Architecture (2)
- Transport layer (Netconf over)
  - Secure Shell (SSH) – RFC 4742
  - Block Extensible Exchange Protocol (BEEP) – RFC 4744
  - Simple Object Access Protocol (SOAP) – RFC 4743
- Remote Procedure Call layer
  - Allows the manager to invoke a function on the agent
  - rpc request / rpc reply

Netconf Architecture (3)
- The operations layer
  - To manipulate configuration files
  - get-config / edit-config
- The content layer
  - Configuration data
- The management information will be transported and exchanged as XML documents

Netconf Message Structure – Fig 8-14

A netconf request (1) – Ex 8-4

A netconf request (2)
- RPC tag … – frames the overall message
- Netconf operation – get-config
- … specifies the config being requested (running config)
- … specifies the subtree within the config (everything belonging to bgp)

A netconf reply – Ex 8-5

Management operations
- get-config – retrieve a configuration file (default is the running config)
- get – retrieve state information
- edit-config – modify or change a configuration
- copy-config – copy a new configuration
- delete-config – remove a configuration
- lock and unlock – protect a configuration file
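An added example (not from the slides, and not the XML of Ex 8-4/8-5, which did not survive the transcript): a Python sketch of the get-config exchange described above, using the NETCONF base namespace from the RFCs. It builds the rpc / get-config / source / subtree-filter request, runs a simplified version of subtree filtering against a constructed running datastore, and wraps the result in an rpc-reply. The datastore contents, AS numbers and neighbor addresses are constructed.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace
ET.register_namespace("nc", NC)

def build_get_config(message_id, source="running", filter_xml=None):
    """<rpc> frames the message, <get-config> is the operation, <source> names the
    datastore and an optional subtree <filter> restricts the reply to part of it."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    op = ET.SubElement(rpc, f"{{{NC}}}get-config")
    ET.SubElement(ET.SubElement(op, f"{{{NC}}}source"), f"{{{NC}}}{source}")
    if filter_xml is not None:
        flt = ET.SubElement(op, f"{{{NC}}}filter", {"type": "subtree"})
        flt.append(ET.fromstring(filter_xml))
    return ET.tostring(rpc, encoding="unicode")

def apply_subtree_filter(data, flt):
    """Simplified subtree filtering: an empty filter element selects the whole matching
    subtree, one with children is descended into, one with text must equal the data text.
    Returns the pruned copy of `data`, or None when nothing under it matched."""
    out = ET.Element(data.tag, data.attrib)
    matched = False
    for f in flt:
        for d in data.findall(f.tag):
            if f.text and f.text.strip():
                if (d.text or "").strip() == f.text.strip():
                    out.append(d)
                    matched = True
            elif len(f) == 0:
                out.append(d)
                matched = True
            else:
                sub = apply_subtree_filter(d, f)
                if sub is not None:
                    out.append(sub)
                    matched = True
    return out if matched else None

def handle_get_config(request_xml, datastore_xml):
    """Agent side: evaluate the request against a datastore and build the <rpc-reply>."""
    rpc = ET.fromstring(request_xml)
    op = rpc.find(f"{{{NC}}}get-config")
    flt = op.find(f"{{{NC}}}filter")
    store = ET.fromstring(datastore_xml)
    result = store if flt is None else apply_subtree_filter(store, flt)
    reply = ET.Element(f"{{{NC}}}rpc-reply", {"message-id": rpc.get("message-id")})
    data = ET.SubElement(reply, f"{{{NC}}}data")
    if result is not None:
        data.extend(list(result))
    return ET.tostring(reply, encoding="unicode")

def reply_matches(reply_xml, path):
    """Number of elements under <data> matching an ElementTree path such as "bgp/neighbor"."""
    return len(ET.fromstring(reply_xml).find(f"{{{NC}}}data").findall(path))

# Constructed running datastore of a hypothetical router (device namespace omitted for brevity).
RUNNING = """<config>
  <interfaces><interface><name>eth0</name><mtu>1500</mtu></interface></interfaces>
  <bgp><as>65001</as>
    <neighbor><address>192.0.2.1</address><remote-as>65002</remote-as></neighbor>
    <neighbor><address>192.0.2.2</address><remote-as>65003</remote-as></neighbor>
  </bgp>
</config>"""

if __name__ == "__main__":
    request = build_get_config(101, filter_xml="<bgp/>")   # everything that belongs to bgp
    print(request)
    print(handle_get_config(request, RUNNING))
```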

Netflow protocol / IPFIX (1)
- RFC 3954 (Netflow v9)
- RFC 5101 (IPFIX, aka Netflow v10)
- Netflow was introduced by Cisco to collect data about network traffic from a device.
  - Who are the top "talkers" in the network?
  - How much traffic is being exchanged between two destinations?
  - How are links in the network being used?
  - Where are the traffic bottlenecks in the network?

Netflow protocol / IPFIX (2)
- Netflow communicates statistical information about IP-based data traffic that flows over a router
- The statistics are provided on a per-flow basis
- A flow consists of all traffic that belongs to the same communication context
  - For a file-transfer application, all packets belong to the same transfer

Fig 8-15

Flow
- Identified by the following information:
  - Source address / source port
  - Destination address / destination port
  - Protocol type (TCP or UDP)
  - Type of service (TOS)
  - Input logical interface (same index as in the SNMP MIB)
- A flow record includes the keys that identify the flow as well as the time when the flow started / stopped and how many packets were transported

Benefit
- Allows network managers to account for detailed network use by individual users
  - Charge based on actual traffic consumption
- Provides a wealth of data for traffic analysis, bottleneck detection and network planning
- Provides a tool to spot and defend against attacks on a network

Netflow Protocol
- Netflow version 5 is commonly used
- The newest version is RFC 3954 (version 9)
- Flow information is exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a netflow collector.
- Juniper Networks provides a similar feature for its routers called Jflow.
- Huawei Technology routers also support the same technology, but call it NetStream

Netflow packet structure

Packet structure
- Header
  - Sequence number of the packet
  - The number of flow records contained in the Netflow packet
  - The version number of the netflow protocol itself
- Flow record
  - Keys to identify the flow
  - Start / finish time
  - Statistical data

Finishing the flow
- No traffic has been detected on a flow for a certain time
- A packet is detected at the app-protocol level indicating that the data transfer supported by the flow has completed
- If a flow has been going on for a long time (30 minutes), the router simply declares the flow ended and starts a new one
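An added example, not from the slides: a minimal flow cache in Python that keys flows by the fields listed above, accumulates packet and byte counts with start/stop times, finishes a flow on TCP FIN/RST, on inactivity, or at the 30-minute active limit, and emits an export batch carrying the header fields from the packet-structure slide (version, record count, sequence number). The traffic, the 15-second inactive timeout, the addresses and the interface indexes are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

ACTIVE_TIMEOUT = 30 * 60   # slide: a flow running this long is declared ended and a new one started
INACTIVE_TIMEOUT = 15      # constructed value: seconds without traffic before a flow is finished
TCP, UDP, FIN, RST = 6, 17, 0x01, 0x04   # protocol numbers and the TCP flag bits that end a transfer

# The fields from the slide that identify a flow; in_ifindex is the input logical interface
# (same index as in the SNMP interfaces MIB).
FlowKey = namedtuple("FlowKey", "src_addr src_port dst_addr dst_port proto tos in_ifindex")

@dataclass
class FlowRecord:
    key: FlowKey
    first: float           # flow start time
    last: float            # last packet seen
    packets: int = 0
    octets: int = 0
    end_reason: str = ""

class FlowCache:
    """Router-side flow cache: aggregates packets into records and batches finished ones for export."""
    def __init__(self):
        self.active, self.finished = {}, []
        self.flow_sequence = 0   # running count of exported flows, carried in the export header

    def observe(self, key, ts, length, tcp_flags=0):
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, first=ts, last=ts)
        rec.last, rec.packets, rec.octets = ts, rec.packets + 1, rec.octets + length
        if key.proto == TCP and tcp_flags & (FIN | RST):
            self._finish(key, "tcp-fin-rst")        # the transfer the flow carried is over
        elif ts - rec.first >= ACTIVE_TIMEOUT:
            self._finish(key, "active-timeout")     # cut the long flow; the next packet opens a new one

    def expire(self, now):
        """Finish every flow that has been silent for INACTIVE_TIMEOUT seconds."""
        for key, rec in list(self.active.items()):
            if now - rec.last >= INACTIVE_TIMEOUT:
                self._finish(key, "inactive-timeout")

    def _finish(self, key, reason):
        rec = self.active.pop(key)
        rec.end_reason = reason
        self.finished.append(rec)

    def export_packet(self, max_records=30):
        """One export datagram: header (version, record count, sequence number) plus records."""
        batch, self.finished = self.finished[:max_records], self.finished[max_records:]
        header = {"version": 5, "count": len(batch), "flow_sequence": self.flow_sequence}
        self.flow_sequence += len(batch)
        return header, batch

def demo():
    """Constructed traffic: a short TCP session, a UDP exchange that goes quiet, a long TCP session."""
    cache = FlowCache()
    web = FlowKey("10.0.0.1", 40000, "192.0.2.10", 80, TCP, 0, 1)
    dns = FlowKey("10.0.0.1", 53000, "192.0.2.53", 53, UDP, 0, 1)
    bulk = FlowKey("10.0.0.2", 41000, "192.0.2.20", 443, TCP, 0, 2)
    for ts, length, flags in ((0.0, 60, 0x02), (1.0, 1500, 0), (2.0, 60, FIN)):
        cache.observe(web, ts, length, tcp_flags=flags)
    cache.observe(dns, 0.0, 80)
    cache.observe(dns, 5.0, 200)
    for ts in (0.0, 600.0, 1200.0, 1800.0, 1801.0):   # the packet at 1800 s trips the active timeout
        cache.observe(bulk, ts, 1500)
    cache.expire(now=1810.0)                          # dns silent since t=5; the new bulk flow is not
    return cache
```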

Management protocol positioning