INFO 331 Computer Networking Technology II

1
INFO 331Computer Networking Technology II

• Chapter 9
• Network Management
• Glenn Booker

2
Network Management History

• Network management didnt exist in its current
  form until the 1980s
• From the 40s to 70s, networks were typically
  very homogeneous (proprietary-only), so network
  management tools were specific to that insular
  environment, if used at all
• The advent of the PC and Macintosh made networks
  get much more heterogeneous, and increased the
  complexity of network management

3
Network Management

• A network typically consists of many unrelated
  types of equipment, which are all supposed to
  work together in perfect harmony, in spite of the
  myriad protocols, operating systems, interfaces,
  etc. involved
• Servers and workstations
• Routers, switches, and hubs
• Wireless access points and hosts
• Firewalls

4
Network Management

• In order to manage this mess, there is often a
  Network Operations Center (NOC) to coordinate
  maintenance, upgrades, monitoring, optimization
  (if you have time), repairs, etc.
• Akin to a pilots cockpit, or the control room
  for a power station, or the mixing board at a
  concert

5
Network Management

• We need to know
• What to monitor
• What is worth focusing your attention on?
• How to analyze what we see
• How to respond to changing conditions (fix
  problems)
• How to proactively manage the system (prevent
  problems)

6
Typical Problems

• Even a simple network can have challenges which
  help motivate the need for network management
• Detect interface card failure at a host or
  router
• The host or router might report the interface
  failure to the NOC
• Better, network monitoring might reveal imminent
  failure, so the card is replaced before failure

7
Typical Problems

• Monitor traffic to guide resource deployment
• Traffic patterns or congestion monitoring can
  show which parts of the network are most used
• This could lead to improved usage of servers,
  simplifying physical layout or improving the
  speed of high traffic LAN segments, or make good
  upgrade decisions

8
Typical Problems

• Detect rapid routing changes
• Routing can become unstable, causing rapid
  changes in routing tables (route flapping)
• The network admin would like to know this is
  happening before something crashes as a result!
• Host is down
• Network monitoring could detect a system down
  before the user notices it

9
Typical Problems

• Monitor SLAs
• Service Level Agreements (SLAs) are contracts to
  guarantee specific services, such as Internet
  service, in terms of availability, throughput,
  latency, and other agreed-upon measures
• Major ISPs (tier 1) can provide SLAs to major
  business customers
• If you pay for this service, its nice to know if
  they are really providing what you paid for!

Image from www.answers.com/topic/symbionese-libera
tion-army
10
Typical Problems

• Intrusion detection
• The network admin can look for traffic from odd
  sources, destined for unusual ports, lots of SYN
  packets, and other security threats we recently
  covered
• This can lead to refinement of filters firewalls

11
ISO Network Management

• ISO has produced guidance on the types of network
  management activities
• ISO network management (ISO/IEC 107331998)
• ISO network security (ISO/IEC TR 133352004,
  ISO/IEC 180262009 and ISO/IEC 18028-12006)
• See Global IHS for buying ISO standards

12
ISO Network Management

• Cisco overview white paper (free, unlike ISO
  standards, and summarized herein thru slide 35)
• ISO identifies five areas of network management
• Fault, configuration, performance, security, and
  accounting management

13
ISO Network Management

• Fault Management
• Detect, isolate, notify, and correct faults
  encountered in the network
• Configuration Management
• Configuration aspects of network devices such as
  configuration file management, inventory
  management, and software management

14
ISO Network Management

• Performance Management
• Monitor and measure various aspects of
  performance so that overall performance can be
  maintained at an acceptable level
• Security Management
• Provide access to network devices and corporate
  resources to authorized individuals
• Accounting Management
• Usage information of network resources

15
Fault Management

• This is the main focus of network management for
  most organizations
• Faults are errors or problems in the network
• Often a shorter term perspective than performance
  management
• Hence fast detection of problems is critical,
  often via color-coded graphical network maps

16
Fault Management

• Typically want a network management platform to
  do
• Network discovery and topology mapping
• Event handler
• Performance data collection and presentation
• Management data browsing
• Network management platforms include HP
  OpenView, Aprisma Spectrum, and Sun Solstice

17
Fault Management

• Devices can send SNMP traps (RFC 3410) of events
  which change their status
• These events are logged, such as in a Management
  Information Base (MIB)
• Platforms can be geographically located, and
  communicate with each other to centralize network
  monitoring
• Web interfaces on devices can allow remote
  management and configuration

18
Fault Management

• Equipment vendors often use different management
  systems
• They can communicate using CORBA or CIM standards
  to exchange management data
• Troubleshooting a network often uses TFTP and
  syslog servers
• The trivial FTP (TFTP) server stores
  configuration files routers and switches can
  send system log (syslog) messages to the syslog
  server

19
Fault Management

• Faults can be detected with SNMP trap events,
  SNMP polling, remote monitoring (RMON, RFC 2819)
  and syslog messages
• Module changing to up or down state
• Chassis alarms for hardware failures (fans,
  memory, voltage levels, temperature, etc.)
• Responses can be just notification and logging of
  the event, or shutdown of that device, e.g. temps
  can be defined for warning, critical, or shutdown

20
Fault Management

• Fault detection can also be done at the protocol
  or interface levels
• Such as a router interface failure
• A management station polls the device to
  determine status or measure something (CPU usage,
  buffer failure, I/O drops, etc.), and flags it
  with an RMON alarm when the measure exceeds some
  threshold value

21
Configuration Management

• Configuration management (CM) tracks equipment
  and software in the network
• Can assess which elements are causing trouble, or
  which vendors are preferred
• What if a vendor recalls a certain device? Do
  you have any of them? Where?
• Whose routers or switches are most reliable?
• Where do you send a service vendor to replace a
  dead router?

22
Configuration Management

• CM data includes
• Make, model, version, serial number of equipment
• Software versions and licenses
• Physical location of hardware
• Site, building, room, rack number, etc.
• Contact info for equipment owners and service
  vendors
• Naming conventions are often used to keep names
  meaningful, not just yoda.drexel.edu

23
Configuration Management

• CM also includes file management
• Changes to device configuration files should be
  carefully controlled, so that older versions can
  be used if the new ones dont work
• A change audit log can help track changes, and
  who made them
• Inventory management is based on the ability to
  discover what devices exist, and their
  configuration information

24
Configuration Management

• Software management can include the automation of
  software upgrades across devices
• Download new software images, verify
  compatibility with hardware, back up existing
  software, then load new software
• Large sites may script the process and run
  during low activity times

25
Performance Management

• The same SNMP methods to capture fault data can
  be used for performance data, such as queue
  drops, ignored packets, etc.
• These can be used to assess SLA compliance
• On a larger scale, WAN protocols (frame relay,
  ATM, ISDN) can also collect performance data

26
Performance Management

• Performance management tools include
• Concord Network Health
• InfoVista VistaView
• SAS IT Service Vision
• Trinagy TREND
• These all collect, store, and analyze data from
  around ones enterprise, and typically use
  web-based interfaces to allow access to it
  from anywhere

27
Performance Management

• Increased network traffic has led to more
  attention to user and application traffic
• RFC 4502 (replacing RFCs 2021 and 3273) defines
  how RMON can be used to analyze applications and
  the network layer, not just lower layer (e.g.
  MAC) protocols
• Many other performance monitoring tools exist,
  e.g. Cisco NetFlow

28
Security Management

• Security management covers controlling access to
  the network and its resources
• Can include monitoring user login, refusing
  access to failed login attempts, as well as
  either intentional or unintentional sabotage
• Security management starts with good policies and
  procedures
• The minimum security settings for routers,
  switches, and hosts is important to define

29
Security Management

• Methods for control of security at the device
  level (router) include
• Access control lists (ACLs) and what they are
  permitted to do
• User IDs and passwords
• Terminal Access Controller Access Control System
  (TACACS)
• TACACS (RFC 1492) is a security protocol between
  devices and a TACACS server

30
Security Management

• A refinement of TACACS is TACACS, which gives
  more detailed control over who can access a given
  device
• It separates the Authentication (verify user),
  Authorization (control remote access to device),
  and Accounting functions (collect security
  information for network management) (AAA)

31
Security Management

• In Ciscos world, AAA functions are managed with
  commands such as
• aaa
• tacacs-server
• set authentication
• set authorization
• set accounting

32
Security Management

• In SNMP, configuration changes can be made to
  routers and switches just like from a command
  line
• Hence strong SNMP passwords are critical!
• SNMP management hosts (managing entities in
  Kurose) should have static IP, and sole SNMP
  rights with network devices (managed devices)
  according to a specific Access Control List (ACL)

33
Security Management

• SNMP can set router security
• Privilege Level RO (read only) or RW (read
  and write) only RW can change router settings
• Access Control List (ACL) can be set to only
  allow specific hosts to request router management
  info ACL control over interfaces can help
  prevent spoofing

34
Security Management

• View controls what router data can be viewed
• SNMPv3 provides secure exchange of data
• Switches can restrict Telnet and SNMP via an IP
  Permit List

35
Accounting Management

• Accounting management measures utilization of the
  network so that specific groups or users can be
  billed correctly for snarfing up resources
• Yes, its all about money
• Data can be collected using various tools, such
  as NetFlow, IP Accounting, Evident Software
• This can also be used to measure how well
  SLAs are being followed or not

36
Other aspects of net mgmt

• So network management is a huge field
• Well focus on basic infrastructure issues
• Omit service management, network administration,
  provisioning, and sizing networks (see TINA and
  TMN standards)

37
Network Management Infrastructure

• Network management is like the CEO of an
  organization getting status reports from middle
  managers, and they get status from first line
  managers
• The CEO has to make decisions about the entire
  company based on this data
• Corrective action may be needed, based on good or
  bad results obtained
• The CEO of General Motors may build new plants,
  or shut others down

38
Network Management Infrastructure

• Network management establishes managers (called
  managing entities, often located in a NOC) who
  are allowed (via an ACL) to talk to network
  devices (managed devices, such as servers or
  routers)
• Each managed device has a network management
  agent, who collects the desired data
• Each managed device has one or more managed
  objects (such as network cards, memory chips,
  etc.)

39
Network Management Infrastructure
40
Network Management Infrastructure

• Descriptions of all managed objects, and the
  devices they belong to, are collected in the
  Management Information Base (MIB)
• A MIB is a database of managed object data
• Managed devices communicate with managing
  entities using a network management protocol
• Devices dont generally talk to each other, but
  managing entities can

41
Network Management Infrastructure

• The network management protocol doesnt manage
  the network per se it just provides a means
  for the network admin to do so

42
Network Management Standards

• The architecture just described applies to most
  any network management approach
• Many specific standards have been developed
• The OSI CMISE/CMIP standards, used in
  telecommunications
• In the Internet, SNMP (Simple Network Management
  Protocol, RFCs 3411-3418)
• Well focus on SNMP

43
SNMP isnt Simple!

• Derived from SGMP (RFC 1028, 1987)
• Key goals of network management include
• What is being monitored?
• What form of control does the network
  administrator have?
• What is the form of data reported and exchanged?
• What is the communication protocol for
  theexchange of data?

44
SNMP

• To address these goals, SNMP has four modular
  parts
• Network management objects, called MIB objects
• The MIB tracks MIB objects
• A MIB object might be a kind of data (datagrams
  discarded, description of a router, status of an
  object, routing path to a destination, etc.)
• MIB objects can be grouped into MIB modules

45
SNMP

• A data definition language, SMI (Structure of
  Management Information)
• SMI defines what an object is, what data types
  exist, and rules for writing and changing
  management information
• A protocol, SNMP, for the exchange of information
  and commands between manager-agent and
  manager-manager (between two managing entities)
• Security and administrative capabilities

46
SMI

• SMI is defined by RFCs 2578-2580 (1999)
• SMI has three levels of structure
• Base data types
• Managed objects
• Managed modules

47
SMI

• SMI Base Data Types are an extension on the ASN.1
  structure (Abstract Syntax Notation One, ISO/IEC
  88242008)
• There are eleven basic data types (p. 783)
• Signed and unsigned (gt0) integers, IP addresses,
  counters, time in 1/100 second counts, etc.
• Most important is the OBJECT IDENTIFIER type,
  which allows definition of an SMI object as some
  ordered collection of other data types

48
SMI

• The OBJECT IDENTIFIER is like a struct in C
• Here, it names an Object
• To create a managed object, the OBJECT-TYPE
  construct is used
• Over 10,000 object-types have been defined
  these are the heart of data that can be collected
  for network management
• Analogy OBJECT IDENTIFIER defines the class,
  OBJECT-TYPE instantiates the object

49
SMI Objects

• An object-type includes four fields
• SYNTAX is the data type of the object, e.g.
  Counter32
• MAX-ACCESS is whether the object can be read,
  written, created, e.g. read-only
• STATUS is whether the object is current,
  obsolete, or deprecated, e.g. current
• DESCRIPTION gives a definition of the object,
  which is a long text narrative

50
SMI Modules

• The MODULE-IDENTITY construct creates a module
  from related objects
• Fields include when it was last updated, the
  organization who did so, contact info for them, a
  description of the module, a revision entry, and
  description of the revision
• The end of the MODULE-IDENTITY gives the ASN.1
  code for the type of information in the
  module (often MIB-2)

51
SMI Modules

• For examples, these MIB modules (MODULE-IDENTITY)
  are defined
• For IP and ICMP in RFC 4293
• For TCP in RFC 4022
• For UDP in RFC 4133
• For RMON (remote monitoring) in RFC 4502

52
SMI Modules

• There are other kinds of modules
• NOTIFICATION-TYPE for making SNMP-Trap and
  information request messages
• MODULE-COMPLIANCE for defining managed objects
  that an agent must implement
• AGENT-CAPABILITIES defines what agents can do
  with respect to object and event notification
  definitions

53
MIB

• The Management Information Base (MIB) stores a
  current description of the network
• Data is collected from agents in each device
  about the objects in that device
• There are over 200 standard MIB modules, plus
  many more vendor-defined
• To identify these modules, the IETF borrowed a
  convention from ISO the ASN.1 structure

54
MIB

• The ASN.1 object identifier tree structure gives
  a number (e.g. 1.3.6.1.2.45) to every object
  within ISO, ITU-T, or joint ISO/ITU-T control
• We care about stuff under 1.3.6.1.2.1
• ISO (1)
• ISO identified organization (3)
• US DoD (6)
• Internet (1)
• Management (2) (ran out of indents!)
• MIB-2 (1)

55
MIB

• Under the MIB-2 category, we have 16 choices,
  including
• System (1)
• Interface (2)
• Address translation (3)
• Lots of protocols (ip, icmp, tcp, udp, etc.)
• Transmission (10)
• SNMP (11)
• RMON (16)

Apologies to http//www.sptimes.com/2002/07/08/Xpr
ess/Letdown_aside___MIB_I.shtml
56
MIB

• The excerpts in the text are from
• MIB-2 / system (Table 9.2, p. 788)
• MIB-2 / UDP (Table 9.3)
• What was the point of all this?
• This gives the organization of all existing MIB
  modules e.g. so if you want to know what TCP
  information is readily available, you can find
  what has already been predefined
• This keeps you from redefining the wheel!

57
MIB

• For a current list of known MIB modules, see the
  Internet Official Protocol Standards, RFC 5000
• Put -MIB after a protocol, and search for it
• RSVP-MIB or RMON-MIB or OSPF-MIB, etc.
• Or search for using SMIv2, the current version
  of SMI, to find RFC names which define MIBs

58
SNMP Protocol Operations

• The purpose of SNMP is to exchange MIB
  information between agents and managing entities,
  or between two managing entities
• Much of SNMP works on request-response mode the
  managing entity requests data, and the agent
  responds with that data
• Problems or exceptions are reported with a trap
  message they go just from agent to managing
  entity

59
SNMP Message Types

• SNMP messages are called PDUs (protocol data
  units) (RFC 3416)
• There are seven types of PDUs (p. 790)
• From manager (managing entity) to agent there are
  three kinds of GetRequest (to read agent data),
  plus SetRequest (to set the value of agent data)
• From agent to manager there is the SNMPv2-Trap
  PDU to report exceptions (RFC 3418)

60
SNMP Message Types

• From manager to manager there is an InformRequest
  message to pass on MIB data
• And finally, most messages are responded to
  using a Response message
• Were not going to dwell on the format of a PDU
  message its up to 484 octets long
• PDU messages should be sent over UDP, per RFCs
  3417 and 4789
• Also possible to send over AppleTalk, IPX,

61
SNMP Message Types

• SNMP listens on port 161 normally port 162 for
  trap messages
• Hence the sender needs to determine if a
  Response was received or not
• RFCs are vague on retransmission policies
• SNMP is described across many RFCs
• The best place to start looking is RFC 3416,
  which summarizes the SNMP Management Framework

62
Security and Administration

• This is a key area of improvement in SNMPv3 over
  SNMPv2
• Managing entities run SNMP applications, which
  typically have
• A command generator (create Get messages)
• A notification receiver (to catch traps)
• A proxy forwarder (forwards requests,
  notifications, and responses)

63
Security and Administration

• Agents have
• A command responder (answers Get messages, and
  applies Set requests)
• A notification originator (create traps)
• Any kind of PDU is created by the SNMP
  application, then has a security/message header
  applied
• An SNMP message consists of (the security/message
  header) plus (the PDU)

64
SNMP Message Header

• The header consists of
• SNMP version number
• A message ID
• Message size info
• If the message is encrypted, then the type of
  encryption is added, per RFC 3411
• The SNMP message is passed to the transport
  protocol (probably UDP)

65
SNMP Message Header

• From RFC 3411, This architecture recognizes
  three levels of security
• without authentication and without privacy
  (noAuthNoPriv)
• with authentication but without privacy
  (authNoPriv)
• with authentication and with privacy (authPriv)

66
SNMP Security

• Since SNMP can change settings (Set Request
  message), security is very important
• RFC 3414 describes the user-based security
  approach
• User name, which has a password, key value,
  and/or defined access privileges
• Encryption (privacy) is done with DES symmetric
  encryption in Cipher Block Chaining mode

67
SNMP Security

• Authentication uses HMAC (RFC 2104)
• Take the PDU message, m, and a shared secret key,
  K (can be a different symmetric key than used for
  encryption)
• Compute a Message Integrity Code (MIC) over the
  message AND the key K
• Transmit m and MIC(m,K)
• Receiver also computes MIC(m,K) and compares it
  to what was received

68
SNMP Security

• SNMP provides protection against playback attacks
  by keeping a counter in the receiver

69
SNMP Security

• The counter acts like a nonce
• Actually tracks time since last reboot of
  receiver and number of reboots since network
  management software was loaded (RFC 3414)
• If counter in a received message is close enough
  to the actual value, treat the message as a
  nonreplay (new) message

70
SNMP Security

• Provides view-based access control (RFC 3415) by
  mapping which information can be viewed by which
  users, or set by them
• In contrast with RBAC (role-based) or OBAC
  (organization-based) access control approaches
• Tracks this info in a Local Configuration
  Datastore (LCD), parts of which are managed
  objects (which can be managed via SNMP)

71
ASN.1

• We saw earlier that MIB variables are tied to
  the ISO standard ASN.1
• Its connected to XML and Bluetooth as well, so
  its worth not ignoring
• Its defined by ITU-T X.680 to X.683 and ISO/IEC
  8824
• Purpose is to describe data exchanged between two
  communicating applications
• So its kind of a middleware for data exchange

72
ASN.1

• Without ASN.1, it would be easy to define dozens
  of logical approaches for describing the contents
  of a data file, and storing it
• ASN.1 gets everyone to agree how to do so
• ASN.1 tries to identify every possible
  standardized object no small goal!

73
ASN.1

• Part of its need comes from the little-endian vs.
  big-endian problem
• Little-endian architecture stores the least
  significant bit of integers first
• Intel and DEC/Compaq Alpha CPUs are
  little-endian
• Big-endian stores the most significant bit first
• Sun and Motorola processors are big-endian

74
ASN.1

• SMI and ASN.1 offer a presentation service to
  translate between different machine-specific
  formats
• This resolves the order in which bytes are sent,
  so that something sent in ASN.1 format from an
  Intel chip can be read correctly by a Sun chip

75
ASN.1

• ASN.1 provides its own defined data types (p.
  798), much like SMI (slide 47)
• Are used to create structured data types
• ASN.1 also provides various types of encoding
  rules
• The Basic Encoding Rules (BER) tell how to send
  data over the network (as in, byte by byte),
  using the Type of data, its Length, and Value
  (TLV)
• Data can be text, audio, video, etc.

76
ASN.1

• Other type of encoding rules include
• Packed Encoding Rules (PER) for efficient
  binary encoding
• Distinguished Encoding Rules (DER) canonical
  encoding for digital signatures
• XML encoding rules (XER)

77
Summary

• So in wrapping up, weve covered the ISO outline
  of network management
• Fault, Configuration, Performance, Security, and
  Accounting Management
• Seen network management infrastructure elements
  and how they work in SNMP
• SMI to define data types, objects, and modules
• MIB to collect object data across the network
• ASN.1 communicates across hardware platforms

78
References

• The text (5th edition) is consistently off in
  describing ASN.1 its based on ITU X.6802007,
  not ISO X.680
• The main source for ISO and ITU standards is
  global.ihs.com
• RFCs can be looked up here http//www.rfc-editor.o
  rg/rfcsearch.html