Chapter 9

INFO 331 Chapter 9 1

INFO 331Computer Networking

Technology II

Chapter 9

Network Management

Glenn Booker


Network Management History

Network management didn’t exist in its current form until the 1980’s From the ’40s to ’70s, networks were typically

very homogeneous (proprietary-only), so network management tools were specific to that insular environment, if used at all

The advent of the PC and Macintosh made networks get much more heterogeneous, and increased the complexity of network management


Network Management

A network typically consists of many unrelated types of equipment, which are all supposed to work together in perfect harmony, in spite of the myriad protocols, operating systems, interfaces, etc. involved Servers and workstations Routers, switches, and hubs Wireless access points and hosts Firewalls


Network Management

In order to manage this mess, there is often a Network Operations Center (NOC) to coordinate maintenance, upgrades, monitoring, optimization (if you have time), repairs, etc. Akin to a pilot’s cockpit, or the control room

for a power station, or the mixing board at a concert


Network Management

We need to know What to monitor

What is worth focusing your attention on? How to analyze what we see How to respond to changing conditions

(fix problems) How to proactively manage the system

(prevent problems)


Typical Problems

Even a simple network can have challenges which help motivate the need for network management

Detect interface card failure at a host or router The host or router might report the interface

failure to the NOC Better, network monitoring might reveal imminent

failure, so the card is replaced before failure


Typical Problems

Monitor traffic to guide resource deployment Traffic patterns or congestion monitoring can

show which parts of the network are most used This could lead to improved usage of servers,

simplifying physical layout or improving the speed

of high traffic LAN segments, or make good upgrade decisions


Typical Problems

Detect rapid routing changes Routing can become unstable, causing rapid

changes in routing tables (route flapping) The network admin would like to know this is

happening before something crashes as a result! Host is down

Network monitoring could detect a system down before the user notices it


Typical Problems

Monitor SLAs Service Level Agreements (SLAs) are contracts

to guarantee specific services, such as Internet service, in terms of availability, throughput, latency, and other agreed-upon measures Major ISPs (tier 1) can provide SLAs to major

business customers If you pay for this service, it’s nice to know if they

are really providing what you paid for!

Not this SLA!

Image from www.answers.com/topic/symbionese-liberation-army


Typical Problems

Intrusion detection The network admin can look for traffic from

odd sources, destined for unusual ports, lots of SYN packets, and other security threats we recently covered

This can lead to refinement of filters & firewalls


ISO Network Management

ISO has produced guidance on the types of network management activities ISO network management (ISO/IEC 10733:1998) ISO network security (ISO/IEC TR 13335,

ISO/IEC 18026:2007 and ISO/IEC 18028-1:2006) See Global IHS for buying ISO standards

Cisco overview white paper (free, unlike ISO standards, and summarized herein thru slide 32)



ISO identifies five areas of network management:

Fault Management Detect, isolate, notify, and correct faults

encountered in the network Configuration Management

Configuration aspects of network devices such as configuration file management, inventory management, and software management



Performance Management Monitor and measure various aspects of

performance so that overall performance can be maintained at an acceptable level

Security Management Provide access to network devices and

corporate resources to authorized individuals Accounting Management

Usage information of network resources


Fault Management

This is the main focus of network management for most organizations

Faults are errors or problems in the network Often a shorter term perspective than

performance management Hence fast detection of problems is critical,

often via color-coded graphical network maps


Fault Management

Typically want a network management platform to do: Network discovery and topology mapping Event handler Performance data collection and presentation Management data browsing

Network management platforms include HP OpenView, Aprisma Spectrum, and Sun Solstice


Fault Management

Devices can send SNMP traps (RFC 3410) of events which change their status

These events are logged, such as in a Management Information Base (MIB)

Platforms can be geographically located, and communicate with each other to centralize network monitoring Web interfaces on devices can allow remote

management and configuration


Fault Management

Equipment vendors often use different management systems They can communicate using CORBA or CIM

standards to exchange management data Troubleshooting a network often uses TFTP

and syslog servers The trivial FTP (TFTP) server stores configuration

files; routers and switches can send system log (syslog) messages to the syslog server


Fault Management

Faults can be detected with SNMP trap events, SNMP polling, remote monitoring (RMON, RFC 2819) and syslog messages Module changing to up or down state Chassis alarms for hardware failures (fans,

memory, voltage levels, temperature, etc.) Responses can be just notification and logging of

the event, or shutdown of that device, e.g. temps can be defined for warning, critical, or shutdown


Fault Management

Fault detection can also be done at the protocol or interface levels Such as a router interface failure

A management station polls the device to determine status or measure something (CPU usage, buffer failure, I/O drops, etc.), and flags it with an RMON alarm when the measure exceeds some threshold value


Configuration Management

Configuration management (CM) tracks what equipment and software is in the network

Can assess which elements are causing trouble, or which vendors are preferred What if a vendor recalls a certain device?

Do you have any of them? Where? Whose routers or switches are most reliable? Where do you send a service vendor to replace

a dead router?



CM data includes Make, model, version, serial number of equipment Software versions and licenses Physical location of hardware

Site, building, room, rack number, etc. Contact info for equipment owners and

service vendors Naming conventions are often used to keep

names meaningful, not just yoda.drexel.edu



CM also includes file management Changes to device configuration files should be

carefully controlled, so that older versions can be used if the new ones don’t work

A change audit log can help track changes, and who made them

Inventory management is based on the ability to discover what devices exist, and their configuration information



Software management can include the automation of software upgrades across devices Download new software images, verify

compatibility with hardware, back up existing software, then load new software

Large sites may script the process and run during low activity times


Performance Management

The same SNMP methods to capture fault data can be used for performance data, such as queue drops, ignored packets, etc. These can be used to assess SLA compliance

On a larger scale, WAN protocols (frame relay, ATM, ISDN) can also collect performance data



Performance management tools include Concord Network Health InfoVista VistaView SAS IT Service Vision Trinagy TREND

These all collect, store, and analyze data from around one’s enterprise, and typically use web-based interfaces to allow access to it from anywhere



Increased network traffic has led to more attention to user and application traffic RFC 4502 (replacing RFCs 2021 and 3273)

defines how RMON can be used to analyze applications and the network layer, not just lower layer (e.g. MAC) protocols

Many other performance monitoring tools exist, e.g. Cisco NetFlow


Security Management

Security management covers controlling access to the network and its resources Can include monitoring user login, refusing

access to failed login attempts, as well as either intentional or unintentional sabotage

Security management starts with good policies and procedures The minimum security settings for routers,

switches, and hosts is important to define


Security Management

Methods for control of security at the device level (router) include Access control lists (ACLs) and what they are

permitted to do User ID’s and passwords Terminal Access Controller Access Control

System (TACACS) TACACS (RFC 1492) is a security protocol

between devices and a TACACS server


Security Management

A refinement of TACACS is TACACS+, which gives more detailed control over who can access a given device It separates the Authentication (verify user),

Authorization (control remote access to device), and Accounting functions (collect security information for network management) (AAA)

In Cisco’s world, commands starting aaa, tacacs-

server, set authentication, set authorization, and set accounting manage these functions


Security Management

In SNMP, configuration changes can be made to routers and switches just like from a command line Hence strong SNMP passwords are critical! SNMP management hosts (managing entities in

Kurose) should have static IP, and sole SNMP rights with network devices (managed devices) according to a specific Access Control List (ACL)


Security Management

SNMP can set router security: Privilege Level = RO (read only) or = RW (read

and write); only RW can change router settings Access Control List (ACL) can be set to only allow

specific hosts to request router management info ACL control over interfaces can help prevent spoofing

View – controls what router data can be viewed SNMPv3 provides secure exchange of data

Switches can restrict Telnet and SNMP via an IP Permit List


Accounting Management

Accounting management measures utilization of the network so that specific groups or users can be billed correctly for snarfing up resources Yes, it’s about money Data can be collected using various tools, such

as NetFlow, IP Accounting, Evident Software This can also be used to measure how well

SLAs are being followed or not


Network Management Infrastructure

Network management is like the CEO of an organization getting status reports from middle managers, and they get status from first line managers The CEO has to make decisions about the entire

company based on this data Corrective action may be needed, based on good or

bad results obtained The CEO of General Motors may build new plants, or

shut others down



Network management establishes managers (called managing entities, often located in a NOC) who are allowed (via an ACL) to talk to network devices (managed devices, such as servers or routers) Each managed device has a network

management agent, who collects the desired data Each managed device has one or more managed

objects (such as network cards, memory chips, etc.)



NOC

Managing entity A

Managing entity B

Managed device O

Managed device M

Managed device N

Managed device L

Agent(Data)

Agent(Data)

Agent(Data)

Agent(Data)

Network management protocol



Descriptions of all managed objects, and the devices they belong to, are collected in the Management Information Base (MIB) The MIB is a database of managed object data

Managed devices communicate with managing entities using a network management protocol Devices don’t generally talk to each other,

but managing entities can



The network management protocol doesn’t manage the network per se – it just provides a means for the network admin to do so

Managed device (host, server, router, printer, etc.)

Network mgmt Agent

Managed object 1

Managed object 2

To managing

entity


Network Management Standards

The architecture just described applies to most any network management approach

Many specific standards have been developed The OSI CMISE/CMIP standards, used in

telecommunications In the Internet, SNMP (Simple Network

Management Protocol, RFC 3410) We’ll focus on the latter


SNMP isn’t Simple!

It was derived from SGMP (1987) Key goals of network management include

What is being monitored? How much control does the network admin have? What is the form of data reported and

exchanged? What is the communication protocol for

exchange of data?


SNMP

To address these goals, SNMP has four modular parts Network management objects, called MIB objects

The MIB tracks MIB objects A MIB object might be a kind of data (datagrams

discarded, description of a router, status of an object, routing path to a destination, etc.)

MIB objects can be grouped into MIB modules


SNMP

A data definition language, SMI (Structure of Management Information) SMI defines what an object is, what data types exist,

and rules for writing and changing management information

A protocol, SNMP, for the exchange of information and commands between manager-agent and manager-manager (between two managing entities)

Security and administrative capabilities


SMI

SMI is defined by RFCs 2578, 2579, and 2580 (1999)

SMI has three levels of structure Base data types Managed objects Managed modules

SMI Modules

SMI Objects

SMI Base Data Types

[SMI is part of MIB, so a SMI object is the same as a MIB managed object.]


SMI

SMI Base Data Types are an extension on the ASN.1 structure (Abstract Syntax Notation One, ISO X.680:1998)

There are eleven basic data types (p. 769) Signed and unsigned (>0) integers, IP addresses,

counters, time in 1/100 second counts, etc. Most important is the OBJECT IDENTIFIER type,

which allows definition of an SMI object as some ordered collection of other data types


SMI

The OBJECT IDENTIFIER is like a struct in C Here, it names an Object

To create a managed object, the OBJECT-TYPE construct is used Over 10,000 object-types have been defined –

these are the heart of data that can be collected for network management

[Analogy: OBJECT IDENTIFIER defines the class, OBJECT-TYPE instantiates the object]


SMI Objects

An object-type includes four fields Syntax – is the data type of the object Max-access – is whether the object can be read,

written, created, etc. Status – is whether the object is current, obsolete,

or deprecated Description – gives a definition of the object


SMI Modules

The MODULE-IDENTITY construct creates a module from related objects Fields include when it was last updated, the

organization who did so, contact info for them, a description of the module, a revision entry, and description of the revision

The end of the MODULE-IDENTITY gives the ASN.1 code for the type of information in the module (many are MIB-2)


SMI Modules

There are other kinds of modules NOTIFICATION-TYPE for making SNMP-Trap

and information request messages MODULE-COMPLIANCE for defining managed

objects that an agent must implement AGENT-CAPABILITIES defines what agents can

do with respect to object and event notification definitions


MIB

The Management Information Base (MIB) stores a current description of the network

Data is collected from agents in each device about the objects in that device

There are over 100 standard MIB modules, plus many more vendor-defined

To identify these modules, the IETF borrowed a convention from ISO – the ASN.1 structure


MIB

The ASN.1 object identifier tree structure gives a number (1.3.6.1.2.45) to every object within ISO, ITU-T, or joint ISO/ITU-T control

We care about stuff under 1.3.6.1.2.1 ISO (1)

ISO identified organization (3) US DoD (6)

Internet (1) Management (2) (ran out of indents!) MIB-2 (1)


MIB

Under the MIB-2 category, we have 16 choices, including System (1) Interface (2) Address translation (3) Lots of protocols (ip, icmp, tcp, udp, etc.) Transmission (10) SNMP (11) RMON (16)

Apologies to http://www.sptimes.com/2002/07/08/Xpress/Letdown_aside___MIB_I.shtml


MIB

The excerpts in the text are from MIB-2 / system (Table 9.2, p. 774) MIB-2 / udp (Table 9.3)

What was the point of all this? This gives the organization of all existing MIB

modules – e.g. so if you want to know what TCP information is readily available, you can find what has already been predefined

This keeps you from reinventing the wheel!


MIB

For a current list of known MIB modules, see the Internet Official Protocol Standards, RFC 5000 Put “-MIB” after a protocol, and search for it

RSVP-MIB or RMON-MIB or OSPF-MIB, etc. Or search for “using SMIv2”, the current version

of SMI, to find RFC names which define MIBs


SNMP Protocol Operations

The purpose of SNMP is to exchange MIB information between agents and managing entities, or between two managing entities

Much of SNMP works on request-response mode – the managing entity requests data, and the agent responds with that data

Problems or exceptions are reported with a trap message – they go just from agent to managing entity


SNMP Message Types

SNMP messages are called PDUs (protocol data units) (RFC 3416)

There are seven types of PDUs (p. 776) From manager (managing entity) to agent there

are three kinds of GetRequest (to read agent data), plus SetRequest (to set the value of agent data)

From agent to manager there is the SNMPv2-Trap PDU to report exceptions (RFC 3418)


SNMP Message Types

From manager to manager there is an InformRequest message to pass on MIB data

And finally, most messages are responded to using a … Response message

We’re not going to dwell on the format of a PDU message – it’s up to 484 octets long

PDU messages should be sent over UDP, per RFCs 3417 and 4789 Also possible to send over AppleTalk, IPX, etc.


SNMP Message Types

SNMP listens on port 161 normally; port 162 for trap messages

Hence the sender needs to determine if a Response was received or not RFCs are vague on retransmission policies

SNMP is described across many RFCs The best place to start looking is RFC 3416,

which summarizes the SNMP Management Framework


Security and Administration

This is a key area of improvement in SNMPv3 over SNMPv2

Managing entities run SNMP applications, which typically have A command generator (create Get messages) A notification receiver (to catch traps) A proxy forwarder (forwards requests,

notifications, and responses)


Security and Administration

Agents have A command responder (answers Get messages,

and applies Set requests) A notification originator (create traps)

Any kind of PDU is created by the SNMP application, then has a security/message header applied An SNMP message consists of (the

security/message header) plus (the PDU)


SNMP Message Header

The header consists of SNMP version number A message ID Message size info If the message is encrypted, then the type

of encryption is added, per RFC 3411 The SNMP message is passed to the

transport protocol (probably UDP)


SNMP Message Header

Quote from RFC 3411, “This architecture recognizes three levels of security: without authentication and without privacy

(noAuthNoPriv) with authentication but without privacy

(authNoPriv) with authentication and with privacy (authPriv)”


SNMP Security

Since SNMP can change settings (Set Request message), security is very important

RFC 3414 describes the user-based security approach User name, which has a password, key value,

and/or defined access privileges Encryption (privacy) is done with DES

symmetric encryption in Cipher Block Chaining mode


SNMP Security

Authentication uses HMAC (RFC 2104) Take the PDU message, m, and a shared secret

key, K (can be a different symmetric key than used for encryption)

Compute a Message Integrity Code (MIC) over the message AND the key K

Transmit m and MIC(m,K) Receiver also computes MIC(m,K) and compares

it to what was received


SNMP Security

SNMP provides protection against playback attacks by keeping a counter in the receiver

Acts like a nonce Actually tracks time since last reboot of receiver

and number of reboots since network management software was loaded – RFC 3414

If counter in a received message is close enough to the actual value, treat the message as a nonreplay (new) message


SNMP Security

Provides view-based access control (RFC 3415) by mapping which information can be viewed by which users, or set by them In contrast with RBAC (role-based) or OBAC

(organization-based) access control approaches Tracks this info in a Local Configuration

Datastore (LCD), parts of which are managed objects (which can be managed via SNMP)


ASN.1

We saw earlier that MIB variables are tied to the ISO standard ASN.1 It’s connected to XML and Bluetooth as well,

so it’s worth not ignoring It’s defined by ITU-T X.680 to X.683 and

ISO/IEC 8824 Purpose is to describe data exchanged

between two communicating applications So it’s kind of a middleware for data exchange


ASN.1

Without ASN.1, it would be easy to define dozens of logical approaches for describing the contents of a data file, and storing it ASN.1 gets everyone to agree on how to do so

Part of its need comes from the little-endian vs. big-endian problem Little-endian architecture stores the least

significant bit of integers first Intel and DEC/Compaq Alpha CPUs are little-endian


ASN.1

Big-endian stores the most significant bit first Sun and Motorola processors are big-endian

SMI and ASN.1 offer a presentation service to translate between different machine-specific formats This resolves the order in which bytes are sent,

so that something sent in ASN.1 format from an Intel chip can be read correctly by a Sun chip


ASN.1

ASN.1 provides its own defined data types, much like SMI (slide 43) Are used to create structured data types

ASN.1 also provides various types of encoding rules The Basic Encoding Rules (BER) tell how to send

data over the network (as in, byte by byte), using the Type of data, its Length, and Value (TLV) Data can be text, audio, video, etc.


ASN.1

Other type of encoding rules include Packed Encoding Rules (PER) – for efficient

binary encoding Distinguished Encoding Rules (DER) – canonical

encoding for digital signatures XML encoding rules (XER)


Summary

So in wrapping up, we’ve covered the ISO outline of network management Fault, Configuration, Performance, Security, and

Accounting Management Seen network management infrastructure

elements and how they work in SNMP SMI to define data types, objects, and modules MIB to collect object data across the network ASN.1 communicates across hardware platforms

Chapter 9

Documents

network monitoring

network admin

network management tools

simple network

iso network security

systemprevent problems

conditionsfix problems

iso standa