1 Network Management Applications. By Behzad Akbari, Fall 2008. In the Name of the Most High.


2 Network and Systems Management

3 Management Applications. OSI Model: Configuration, Fault, Performance, Security, Accounting. Reports. Service Level Management. Policy-based management.

4 Configuration Management. Inventory management: equipment, facilities. Network topology.

5 Manual. Auto-discovery by NMS using: broadcast ping; ARP table in devices. Mapping of network: layout; layering; views (physical, logical).

6 Network Topology Discovery

7 Discovery in a Network. What is to be discovered in a network? Node Discovery: the network devices in each network segment. Network Discovery: the topology of the networks of interest. Service Discovery: the network services provided. Network Topology Discovery: Network Discovery + Node Discovery.

8 Node Discovery. Given an IP address, find the nodes in the same network. Two major approaches: use Ping to query the possible IP addresses; use SNMP to retrieve the ARP cache of a known node.

9 Use ICMP ECHO. Eg: IP address: Subnet mask: All possible addresses: ~ For each of the above addresses, use ICMP ECHO to query the address. If a node replies (ICMP ECHO Reply), then it is found. Broadcast Ping.

10 Use SNMP. Find a node which supports SNMP: the given node, default gateway, or router; or try a node arbitrarily. Query the ipNetToMediaTable in the MIB-II IP group (ARP cache). Table columns: ipNetToMediaIfIndex, ipNetToMediaNetAddress, ipNetToMediaPhysAddress, ipNetToMediaType. Example rows (ifIndex, physical address, type): 1, 00:80:43:5F:12:9A, dynamic(3); 2, 00:80:51:F3:11:DE, dynamic(3).
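An added example (not part of the original slides) of the SNMP approach to node discovery: it joins the ipNetToMediaTable columns from snmpwalk-style text, keeps the entries inside one subnet, lists the addresses still left for ICMP ECHO, and flags MAC addresses missing from an asset inventory. The walk text, the subnet 192.0.2.0/28, all IP addresses and the inventory are constructed assumptions; only the two dynamic(3) MAC addresses come from the slide.

```python
import ipaddress
import re

# Constructed sample in net-snmp snmpwalk output style (not from a real device).
# The two MACs marked dynamic(3) are the rows on the slide; every IP address is
# a documentation-range placeholder, since the slide's addresses are missing.
SAMPLE_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.1.192.0.2.1 = STRING: 0:80:43:5f:12:9a
IP-MIB::ipNetToMediaPhysAddress.2.192.0.2.5 = STRING: 0:80:51:f3:11:de
IP-MIB::ipNetToMediaPhysAddress.2.192.0.2.9 = STRING: 0:1b:21:aa:bb:cc
IP-MIB::ipNetToMediaPhysAddress.2.198.51.100.7 = STRING: 0:1b:21:0:0:1
IP-MIB::ipNetToMediaType.1.192.0.2.1 = INTEGER: dynamic(3)
IP-MIB::ipNetToMediaType.2.192.0.2.5 = INTEGER: dynamic(3)
IP-MIB::ipNetToMediaType.2.192.0.2.9 = INTEGER: static(4)
IP-MIB::ipNetToMediaType.2.198.51.100.7 = INTEGER: invalid(2)
"""

ROW = re.compile(r"ipNetToMedia(PhysAddress|Type)\.(\d+)\.(\d+(?:\.\d+){3}) = \w+: (\S+)")

def normalize_mac(mac):
    """net-snmp drops leading zeros ('0:80:...'); pad each octet to two hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_cache(walk):
    """Join the PhysAddress and Type columns on their (ifIndex, IP) index."""
    rows = {}
    for column, if_index, ip, value in ROW.findall(walk):
        rows.setdefault((int(if_index), ip), {})[column] = value
    return {ip: normalize_mac(r["PhysAddress"])
            for (_, ip), r in rows.items()
            if "PhysAddress" in r and r.get("Type") != "invalid(2)"}

def discover_nodes(walk, cidr, inventory):
    """Return (found, unseen, unknown) for one subnet.

    found:   IP -> MAC for cache entries inside the subnet
    unseen:  subnet addresses absent from the cache (left for ICMP ECHO)
    unknown: found IPs whose MAC is not in the asset inventory
    """
    net = ipaddress.ip_network(cidr)
    cache = parse_arp_cache(walk)
    found = {ip: mac for ip, mac in cache.items() if ipaddress.ip_address(ip) in net}
    unseen = [str(host) for host in net.hosts() if str(host) not in found]
    unknown = sorted(ip for ip, mac in found.items() if mac not in inventory)
    return found, unseen, unknown

if __name__ == "__main__":
    known = {"00:80:43:5f:12:9a", "00:80:51:f3:11:de"}  # constructed inventory
    print(discover_nodes(SAMPLE_WALK, "192.0.2.0/28", known))
```

An ARP cache only holds hosts the queried node has talked to recently, which is why the unseen list is handed to the ICMP ECHO approach rather than treated as empty addresses.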

11 Network Discovery. Find the networks of interest with their interconnections. Key issue: given a network, what are the networks directly connected with it? Major approach: use SNMP to retrieve the routing table of a router.

12 Default Router Routing table

13 Service Discovery. Given a node, find out the network services provided by the node. Recall that each network service will use a dedicated TCP/UDP port. Standard TCP/UDP ports: 0 ~ 1023. Two approaches: use TCP connection polling (port scan); use SNMP.

14 Use SNMP. If the node supports SNMP: use SNMP to query tcpConnTable (columns tcpConnState, tcpConnLocalAddress, tcpConnLocalPort, tcpConnRemAddress, tcpConnRemPort; states shown: listen(2), established(5)); use SNMP to query udpTable (columns udpLocalAddress, udpLocalPort).
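An added example (not part of the original slides) of service discovery from tcpConnTable: rows in state listen(2) are the services the node offers, and the result is compared with an approved-service baseline. The walk text, addresses and the baseline are constructed assumptions.

```python
import re

# Constructed sample in net-snmp snmpwalk output style (not from a real device).
# Index layout: tcpConnLocalAddress.tcpConnLocalPort.tcpConnRemAddress.tcpConnRemPort
SAMPLE_WALK = """\
TCP-MIB::tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.23.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.127.0.0.1.5432.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.0.2.10.22.192.0.2.77.51514 = INTEGER: established(5)
TCP-MIB::tcpConnState.192.0.2.10.80.198.51.100.4.40022 = INTEGER: timeWait(11)
"""

IPV4 = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"tcpConnState\.({IPV4})\.(\d+)\.({IPV4})\.(\d+) = INTEGER: (\w+)\(\d+\)")

def parse_tcp_conn_table(walk):
    """Split each row's index into the four address/port columns plus the state."""
    return [
        {"local": la, "lport": int(lp), "remote": ra, "rport": int(rp), "state": st}
        for la, lp, ra, rp, st in ROW.findall(walk)
    ]

def audit_services(walk, approved_ports):
    """Compare listening TCP ports with a set of approved service ports."""
    listeners = [r for r in parse_tcp_conn_table(walk) if r["state"] == "listen"]
    # Ports bound to a non-loopback address are reachable from the network.
    exposed = {r["lport"] for r in listeners if not r["local"].startswith("127.")}
    loopback = {r["lport"] for r in listeners if r["local"].startswith("127.")} - exposed
    approved = set(approved_ports)
    return {
        "services": sorted(exposed),
        "loopback_only": sorted(loopback),
        "unapproved": sorted(exposed - approved),
        "not_listening": sorted(approved - exposed),
    }

if __name__ == "__main__":
    print(audit_services(SAMPLE_WALK, {22, 80, 443}))  # constructed baseline
```

Unlike connection polling from outside, the table also shows services bound only to the loopback address, which a remote poll cannot see.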

15 Use TCP Connection Polling. First specify the TCP services (i.e., TCP port numbers) to be discovered. For each TCP service to be discovered, use a TCP connection to try to connect to the corresponding TCP port of the node. If the connection is successfully established, then the service is found. Note that it is difficult to discover UDP services in the same way.

16 Mapping of network

17 Traditional LAN Configuration Physical Logical

18 Virtual LAN Configuration Physical Logical

19 Fault Management. A fault is a failure of a network component; it results in loss of connectivity. Fault management involves: fault detection (polling; traps: linkDown, egpNeighborLoss); fault location (detect all failed components and trace down the tree topology to the source; fault isolation by network and SNMP tools; use artificial intelligence / correlation techniques); restoration of service; identification of the root cause of the problem; problem resolution.
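An added example (not part of the original slides) of the fault-location step: given a tree topology and the set of nodes that failed polling, it traces each path from the NMS and reports the first failed node on it as the source, with the nodes hidden behind it as symptoms. The topology and node names are constructed assumptions.

```python
# Constructed tree topology as seen from the NMS: child -> parent.
PARENT = {
    "core-rtr": "nms",
    "sw-a": "core-rtr", "sw-b": "core-rtr",
    "host-a1": "sw-a", "host-a2": "sw-a",
    "host-b1": "sw-b", "host-b2": "sw-b",
}

def path_from_root(parent, node):
    """Nodes from the NMS down to `node`, following the tree."""
    path = [node]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]

def locate_faults(parent, unreachable):
    """Group unreachable nodes under the topmost failed node on their path.

    A node that stops answering polls hides everything below it, so only the
    first unreachable node on each path from the NMS is a fault source; the
    rest are symptoms whose alarms can be suppressed.
    """
    unreachable = set(unreachable)
    faults = {}
    for node in sorted(unreachable):
        source = next(n for n in path_from_root(parent, node) if n in unreachable)
        symptoms = faults.setdefault(source, [])
        if node != source:
            symptoms.append(node)
    return faults

if __name__ == "__main__":
    failed_polls = {"sw-a", "host-a1", "host-a2", "host-b2"}  # constructed poll result
    for source, symptoms in locate_faults(PARENT, failed_polls).items():
        print(source, "<-", " / ".join(path_from_root(PARENT, source)), "hides", symptoms)
```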

20 Performance Management. Tools: protocol analyzers, RMON, MRTG. Performance metrics. Data monitoring. Problem isolation. Performance statistics.

21 Performance Metrics Macro-level Throughput Response time Availability Reliability Micro-level Bandwidth Utilization Error rate Peak load Average load

22 Performance Statistics. Traffic statistics; error statistics. Used in: QoS tracking; performance tuning; validation of SLA (Service Level Agreement); trend analysis; facility planning; functional accounting.

23 Event Correlation Techniques. Basic elements: detection and filtering of events; correlation of observed events using AI; localize the source of the problem; identify the cause of the problem. Techniques: rule-based reasoning; model-based reasoning; case-based reasoning; codebook correlation model; state transition graph model; finite state machine model.

24 Security Management. Security threats; policies and procedures; resources to prevent security breaches; firewalls; cryptography; authentication and authorization; client/server authentication system; message transfer security; network protection security.

25 Security Threats. Modification of information: contents modified by an unauthorized user; does not include address change. Masquerade: change of originating address by an unauthorized user. Message stream modification: fragments of a message altered by an unauthorized user to modify the meaning of the message. Disclosure: eavesdropping; disclosure does not require interception of the message. Denial of service and traffic analysis are not considered as threats.

26 Security Threats

27 Policies and Procedures

28 Secured Communication Network. Firewall secures traffic in and out of Network A. A security breach could occur by intercepting the message going from B to A, even if B has permission to access Network A. Most systems implement authentication with user id and password. Authorization is by establishment of accounts. No security breaches?

29 Firewalls. Protects a network from external attacks. Controls traffic in and out of a secure network. Could be implemented in a router, gateway, or a special host. Benefits: reduces risks of access to hosts; controlled access; eliminates annoyance to the users; protects privacy; hierarchical implementation of policy and technology.

30 Packet Filtering Firewall

31 Packet Filtering. Uses protocol-specific criteria at DLC, network, and transport layers. Implemented in routers, called screening routers or packet filtering routers. Filtering parameters: source and/or destination IP address; source and/or destination TCP/UDP port address, such as ftp port 21. Multistage screening: address and protocol. Works best when rules are simple.

32 Application Level Gateway DMZ (De-Militarized Zone)

33 Authentication Server

34 Authentication Server. Architecture of Novell LAN. Authentication server does not issue ticket. Login and password not sent from client workstation. User sends id to central authentication server. Authentication server acts as proxy agent to the client and authenticates the user with the application server. Process transparent to the user.

35 Accounting Management. Least developed. Usage of resources. Hidden cost of IT usage (libraries). Functional accounting. Business application.

36 Report Management

37

38 Policy-Based Management

39 Policy-Based Management. Domain space consists of objects (alarms with attributes). Rule space consists of rules (if-then). Policy driver controls the action to be taken. Distinction between policy and rule: policy assigns responsibility and accountability. Action space implements actions.

40 Service Level Management. SLA management of service equivalent to QoS of network. SLA defines: identification of services and characteristics; negotiation of SLA; deployment of agents to monitor and control; generation of reports. SLA characteristics: service parameters; service levels; component parameters; component-to-service mappings.