NETWORK CONTROL
The Fourth Meeting

Table of Contents
Introduction
Configuration Control
Security Control
Introduction
Network control is concerned with modifying parameters in, and causing actions to be taken by, the end systems, intermediate systems, and subnetworks that make up the network to be managed.
All five functional areas of network management involve monitoring and control, but configuration and security are more concerned with control.
Issues in network control:
- What to control? Define what is to be controlled.
- How to control? How to cause actions to be performed.
Configuration Management
1. Define configuration information
2. Configuration monitoring
   - Examine values and relationships
   - Report on configuration status
3. Configuration control (may be required as a result of monitoring or event reports)
   - Initialize and terminate network operations
   - Set and modify attribute values
   - Define and modify relationships
Define Configuration Information
Includes the nature and status of managed resources: the specification and attributes of resources.
Network resources:
- Physical resources: end systems, routers, bridges, switches, modems, etc.
- Logical resources: TCP connections, timers, counters, virtual circuits, etc.
- Attributes: name, address, ID number, states, operational characteristics, number of connections, etc.
The control function should be able to:
- define new classes and attributes (mostly done off-line)
- define the type and range of attribute values
Set and Modify Attribute Values
When requesting agents to perform set and modify operations, the manager must be authorized.
Some attributes cannot be modified (e.g., the number of physical ports).
Modification categories:
- MIB update only: does not require the agent to perform any other action (e.g., update of static configuration information)
- MIB update plus resource modification: requires the agent to modify the resource itself (e.g., changing the state of a physical port to "disabled")
- MIB update plus action: actions are performed as a side effect of the set operation (SNMP takes this approach)
Define and Modify Relationships
A relationship describes an association, connection, or condition that exists between network resources:
- topology
- hierarchy
- containment
- physical or logical connections
- management domain
Configuration control should allow on-line modification of resources without taking all or part of the network down.
Security Management
What should be secured in networks?
- information security
- computer security
- network security
Security requirements:
- Secrecy: making information accessible only to authorized users; includes hiding the existence of information
- Integrity: making information modifiable only by authorized users
- Availability: making resources available only to authorized users
Security Threats
- Interruption: an asset is destroyed or becomes unavailable or unusable; a threat to "availability"
- Interception: an unauthorized party gains access; a threat to "secrecy"
- Modification: an unauthorized party makes modifications; a threat to "integrity"
- Fabrication: an unauthorized party inserts false information
- Masquerade: an entity pretends to be a different entity
Types of Security Threats
[Figure: flows between an information source and an information destination: (a) normal flow, (b) interruption, (c) interception, (d) modification, (e) fabrication]
Security Threats and Network Assets

Asset                 Threats
Data                  Interruption (loss); Interception (capture, analysis); Modification; Masquerade
Communication lines   Interruption (loss); Interception (capture, analysis); Modification; Masquerade
Software              Interruption (deletion); Interception; Modification
Hardware              Interruption (theft, denial of service)
Security Management Functions
Maintain security information:
- event logging
- monitoring usage of security-related resources
- receiving notification of, and reporting, security violations
- maintaining and examining security logs
- maintaining backup copies of security-related files
Control resource access:
- service use access control (authentication and authorization)
- security codes (e.g., passwords)
- routing tables, accounting tables, etc.
Control the encryption process:
- must be able to encrypt messages between managers and agents
- specify encryption algorithms
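As an added example (not part of the lecture slides), the following Python code walks through the "maintain security information" functions over a constructed security log of manager-agent operations: it examines the log, reports security violations (refused set requests and repeated authentication failures from one source), and summarizes usage per manager identity. The log format, field names, manager names and addresses are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed security log of manager-agent operations (not output of any real device).
SECURITY_LOG = """\
2024-03-01T10:00:01 agent=rtr1 src=10.0.0.5 mgr=noc-a op=get obj=ifInOctets.1 result=noError
2024-03-01T10:00:04 agent=rtr1 src=10.0.0.9 mgr=unknown op=set obj=ifAdminStatus.1 result=authFailure
2024-03-01T10:00:05 agent=rtr1 src=10.0.0.9 mgr=unknown op=set obj=ifAdminStatus.1 result=authFailure
2024-03-01T10:00:07 agent=rtr1 src=10.0.0.9 mgr=unknown op=set obj=ifAdminStatus.1 result=authFailure
2024-03-01T10:00:30 agent=rtr1 src=10.0.0.5 mgr=noc-a op=set obj=sysContact result=noError
2024-03-01T10:01:10 agent=rtr1 src=10.0.0.7 mgr=noc-b op=set obj=ifAdminStatus.2 result=noAccess
"""

def parse_event(line):
    """Parse one 'timestamp key=value ...' log line into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_violations(log_text, window=timedelta(seconds=30), threshold=3):
    """Examine the security log and report violations: every refused set request,
    and any source reaching `threshold` authentication failures within `window`."""
    violations = []
    failures = defaultdict(list)   # src -> timestamps of recent authentication failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        if e["op"] == "set" and e["result"] == "noAccess":
            violations.append(("unauthorized-set", e["src"], e["obj"]))
        if e["result"] == "authFailure":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[e["src"]] = recent
            if len(recent) == threshold:   # report once, when the threshold is first reached
                violations.append(("repeated-auth-failure", e["src"], e["obj"]))
    return violations

def usage_by_manager(log_text):
    """Monitor usage of the management interface: operations per manager identity."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            counts[parse_event(line)["mgr"]] += 1
    return dict(counts)
```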
Summary
Network control is concerned with setting and changing parameters of various parts of network resources as a consequence of network monitoring and analysis.
Configuration control and security control are two essential aspects of network control.
THE BASIC INGREDIENTS OF NETWORK MANAGEMENT
Basic Components of Network Management
The Network Device
The first main component in network management consists of the device that must be managed. In network management parlance, we also call the managed devices network elements (NEs). To be properly managed, they must participate in the management process.
Management Agent
To be managed, a network element must offer a management interface through which a managing system can communicate with the network element for management purposes. For example, the management interface allows the managing system to send a request to the network element. This could be, for example, a request to configure a subinterface, to retrieve statistical data about the utilization of a port, or to obtain information about the status of a connection.
Manager-Agent Communication
Manager and agent are important terms in network management parlance. They refer to the systems that manage (manager) and the systems that are managed (agent). Client/server is another well-known asymmetric communication relationship that the reader might already be familiar with; therefore, a few words on the relationship between manager/agent and client/server are in order.
Manager/Agent Versus Client/Server
Network elements must provide a piece of software that implements the management interface. This software effectively provides the intermediary between the external manager and the managed device. We refer to this software generally as the management agent. In fact, this means that we are slightly overloading the term agent. Agent is used to refer both to the agent role that a network element plays in network management and to the software component, called the management agent, that allows the network element to play that role, that provides the management interface, and that represents the managed device to the manager.
Manager/Agent Versus Client/Server
The management agent conceptually consists of three main parts: a management interface, a Management Information Base, and the core agent logic. The management interface handles management communication. The Management Information Base (MIB) is a conceptual data store that contains a management view of the device being managed. The conceptual data contained in this data store constitutes the management information. The core agent logic translates between the operation of the management interface, the MIB, and the actual device. For example, it translates the request to "retrieve a counter" into an internal operation that reads out a device hardware register that contains the desired information.
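To connect the "Set and Modify Attribute Values" slide with the agent anatomy described here, the following Python model is an added example, not code from the lecture or from any real SNMP agent: a conceptual MIB, a management interface that checks manager authorization before a set, and core agent logic that maps a counter retrieval to a register read and applies the three modification categories. The Device class, object names and status strings are assumptions for the example (the status names echo SNMP's, but the model is not SNMP).

```python
from dataclasses import dataclass

@dataclass
class MibObject:
    """One managed object in the conceptual MIB (constructed, not a real SNMP object)."""
    value: object
    writable: bool = True
    category: str = "mib"  # "mib": MIB update only; "resource": plus resource change; "action": plus action

# Constructed stand-in for the real device (counter register, port states, side-effect actions).
class Device:
    def __init__(self):
        self.registers = {"ifInOctets.1": 48213}
        self.ports = {1: "enabled", 2: "enabled"}
        self.actions = []

class ManagementAgent:
    def __init__(self, device, authorized_managers):
        self.device = device
        self.authorized = set(authorized_managers)
        # Conceptual MIB: the management view of the device (object names are constructed).
        self.mib = {
            "sysContact": MibObject("noc@example.invalid"),
            "ifNumber": MibObject(len(device.ports), writable=False),  # physical port count
            "ifAdminStatus.1": MibObject("enabled", category="resource"),
            "ifInOctets.1": MibObject(None, writable=False),  # served from a hardware register
            "sysReset": MibObject(0, category="action"),
        }

    def handle_get(self, name):
        """Core agent logic: a counter retrieval becomes a hardware register read."""
        obj = self.mib[name]
        if name in self.device.registers:
            obj.value = self.device.registers[name]
        return obj.value

    def handle_set(self, manager, name, value):
        """Management interface for set requests: authorize, then apply by category."""
        if manager not in self.authorized:
            return "noAccess"      # SNMP-style status: the manager is not authorized
        obj = self.mib[name]
        if not obj.writable:
            return "notWritable"   # e.g. the number of physical ports cannot be modified
        obj.value = value          # every category updates the MIB
        if obj.category == "resource":
            self.device.ports[int(name.split(".")[1])] = value  # modify the resource itself
        elif obj.category == "action":
            self.device.actions.append(name)  # action performed as a side effect of the set
        return "noError"
```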
Anatomy of a Management Agent
Management Information, MOs, MIBs, and Real Resources
Management information that is provided by a management agent provides an abstraction of these real-world aspects for management purposes. We refer to a chunk of management information that exposes one of these real-world aspects as a managed object (MO). An MO could represent a device fan along with its operational state, a port on a line card along with a set of statistical data, or a firewall rule. As you shall see later, many management protocols, including the Simple Network Management Protocol (SNMP), use their own flavor of MO, but for now, we refer to an MO in its more general. An "MO" could thus be a MIB object in SNMP, a parameter in a command-line interface (CLI) command, or an element of an XML document in a web-based management interface.
Different Abstractions of the Same Real Resource
Basic Parts of Network Management
The Management System
Management systems provide network providers with the tools to manage the network. These tools include applications to monitor the network, service provisioning systems, craft terminals, and so forth.
A Management Hierarchy
The MIB Always Resides with the Agent
Connecting a Craft Terminal to a Managed Device
Dedicated Versus Shared Management and Production Networks
The advantages of using a dedicated management network are numerous:
- Reliability: With a dedicated management network, management traffic is carried independently of traffic over the production network, making management significantly more reliable.
- Interference avoidance: When carried over the production network, management traffic competes with other networking traffic.
- Ease of network planning: Avoiding interference as described in the previous bullet requires careful network planning that takes into account the effects of unpredictable network management traffic.
- Security: A dedicated management network is harder to attack and easier to secure. End users and subscribers will never come into contact with it; its devices are on a completely separate network.
There are a variety of reasons not to use a dedicated management network and instead to carry management communication exchanges over a shared network:
- Cost and overhead: Despite its advantages, a dedicated management network requires a separate network to be built.
- No reasonable alternative: In quite a few cases, a shared network might realistically be the only option.
Beyond a good organizational structure and clear network management responsibilities, many other things need to be considered to be able to run the network smoothly:
- Establishment of process and operational policies, and documentation of operational procedures: This helps make management of the network consistent and efficient, and facilitates meeting a consistently high standard of operations.
- Collection of audit trails: Automatically logging the activities of operations support staff: who initiated what action, at what time.
- Network documentation: Make sure that not just your procedures and policies, but also your network itself, is well documented.
- Reliable backup and restore procedures: This provides your network operations with an invaluable lifeline that lets you bring the network back up in case of disasters and emergencies.
- Security emphasis: Security threats in networking have received a lot of attention in recent years. The most significant threat to your network might not be hackers from the outside, but disgruntled employees on the inside.