Chapter 13 Network Management Applications

1
Chapter 13Network Management Applications
2
Network and Systems Management
3
Management Applications

• OSI Model
• Configuration
• Fault
• Performance
• Security
• Accounting
• Reports
• Service Level Management
• Policy-based management

4
Configuration Management

• Network Provisioning
• Inventory Management
• Equipment
• Facilities
• Network Topology
• Database Considerations

5
Network Provisioning

• Network Provisioning
• Provisioning of network resources
• Design
• Installation and maintenance
• Circuit-switched network
• Packet-switched network, configuration for
• Protocol
• Performance
• QoS
• ATM networks

6
Network Topology

• Manual
• Auto-discovery by NMS using
• Broadcast ping
• ARP table in devices
• Mapping of network
• Layout
• Layering
• Views
• Physical
• Logical

7
Network Topology Discovery
163.25.145.0
163.25.146.0
140.112.8.0
140.112.6.0
163.25.146.128
163.25.147.0
140.112.5.0
192.168.12.0
192.168.13.0
8
Discovery In a Network

• What to be discovered in a network ?
• Node Discovery
• The network devices in each network segment
• Network Discovery
• The topology of networks of interest
• Service Discovery
• The network services provided
• Network Topology Discovery
• Network Discovery Node Discovery

9
Node Discovery

• Node Discovery
• Given an IP Address, find the nodes in the same
  network.
• Two Major Approaches
• Use Ping to query the possible IP addresses.
• Use SNMP to retrieve the ARP Cache of a known
  node.

10
Use ICMP ECHO

• Eg IP address 163.25.147.12
• Subnet mask 255.255.255.0
• All possible addresses
• 163.25.147.1 163.25.147.254
• For each of the above addresses, use ICMP ECHO to
  inquire the address
• If a node replies (ICMP ECHO Reply), then it is
  found.
• Broadcast Ping

11
Use SNMP

• Find a node which supports SNMP
• The given node, default gateway, or router
• Or try a node arbitrarily
• Query the ipNetToMediaTable in MIB-II IP group
  (ARP Cache)

ipNetToMediaPhysAddress
ipNetToMediaType
ipNetToMediaIfIndex
ipNetToMediaNetAddress
1 0080435F129A 163.25.147.10
dynamic(3) 2 008051F311DE 163.25.147.11
dynamic(3)
12
Network Discovery

• Network Discovery
• Find the networks of interest with their
  interconnections
• Key Issue
• Given a network, what are the networks directly
  connected with it ?
• Major Approach
• Use SNMP to retrieve the routing table of a
  router.

13
(No Transcript)
14
(No Transcript)
15
Service Discovery

• Given a node, find out the network services
  provided by the node.
• Recall that each network service will use a
  dedicated TCP/UDP port.
• Standard TCP/UDP Ports 0 1023
• Two Approaches
• Use TCP Connection Polling (Port Scan)
• Use SNMP

16
Use SNMP

• If the node supports SNMP
• Use SNMP to query tcpConnTable
• Use SNMP to query udpTable

17
Use TCP Connection Polling

• First specify the TCP services (i.e., TCP port
  numbers) to be discovered.
• For each TCP service to be discovered, use a TCP
  connection to try to connect to the corresponding
  TCP port of the node.
• If the connection is successfully established,
  then the service is found.
• Note that it is difficult to discover the UDP
  services following the same way.

18
Mapping of network
19
Traditional LAN Configuration
Physical
Logical
20
Virtual LAN Configuration
Physical
Logical
21
Fault Management

• Fault is a failure of a network component
• Results in loss of connectivity
• Fault management involves
• Fault detection
• Polling
• Traps linkDown, egpNeighborLoss
• Fault location
• Detect all components failed and trace down
  the tree topology to the source
• Fault isolation by network and SNMP tools
• Use artificial intelligence / correlation
  techniques
• Restoration of service
• Identification of root cause of the problem
• Problem resolution

22
Performance Management

• Tools
• Protocol analyzers
• RMON
• MRTG
• Performance Metrics
• Data Monitoring
• Problem Isolation
• Performance Statistics

23
Performance Metrics

• Macro-level
• Throughput
• Response time
• Availability
• Reliability
• Micro-level
• Bandwidth
• Utilization
• Error rate
• Peak load
• Average load

24
Traffic Flow MeasurementNetwork Characterization
Four levels defined by IETF (RFC 2063)
25
Network Flow Measurements

• Three measurement entities
• Meters gather data and build tables
• Meter readers collect data from meters
• Managers oversee the operation
• Meter MIB (RFC 2064)
• NetraMet - an implementation(RFC 2123)

26
Data Monitoring and Problem Isolation

• Data monitoring
• Normal behavior
• Abnormal behavior (e.g., excessive collisions,
  high packet loss, etc)
• Set up traps (e.g., parameters in alarm group
  in RMON on object identifier of interest)
• Set up alarms for criticality
• Manual and automatic clearing of alarms
• Problem isolation
• Manual mode using network and SNMP tools
• Problems in multiple components needs
  tracking down the topology
• Automated mode using correlation technology

27
Performance Statistics

• Traffic statistics
• Error statistics
• Used in
• QoS tracking
• Performance tuning
• Validation of SLA (Service Level Agreement)
• Trend analysis
• Facility planning
• Functional accounting

28
Event Correlation Techniques

• Basic elements
• Detection and filtering of events
• Correlation of observed events using AI
• Localize the source of the problem
• Identify the cause of the problem
• Techniques
• Rule-based reasoning
• Model-based reasoning
• Case-based reasoning
• Codebook correlation model
• State transition graph model
• Finite state machine model

29
Rule-Based Reasoning
30
Rule-Based Reasoning

• Knowledge base contains expert knowledge
  onproblem symptoms and actions to be taken if
  ? then condition ? action
• Working memory contains topological and
  stateinformation of the network recognizes
  system going into faulty state
• Inference engine in cooperation with knowledge
  base decides on the action to be taken
• Knowledge executes the action

31
Rule-Based Reasoning

• Rule-based paradigm is an iterative process
• RBR is brittle if no precedence exists
• An exponential growth in knowledge base poses
  problem in scalability
• Problem with instability if packet loss lt
  10 alarm green if packet loss gt 10 lt
  15 alarm yellow if packet loss gt 15 alarm
  red
• Solution using fuzzy logic

32
Configuration for RBR Example
33
RBR Example
34
Model-Based Reasoning
35
Model-Based Reasoning

• Object-oriented model
• Model is a representation of the component it
  models
• Model has attributes and relations to other
  models
• Relationship between objects reflected in a
  similar relationship between models

36
MBR Event Correlator
Example
Hub 1 fails
Recognized by Hub 1 model
Hub 1 model queries router model
Router model declares no failure
Router model declares failure
Hub 1 model declares Failure
Hub 1 model declares NO failure
37
Case-Based Reasoning
38
Case-Based Reasoning

• Unit of knowledge
• RBR rule
• CBR case
• CBR based on the case experienced before
  extend to the current situation by adaptation
• Three adaptation schemes
• Parameterized adaptation
• Abstraction / re-specialization adaptation
• Critic-based adaptation

39
CBR Parameterized Adaption
40
CBR Abstraction / Re-specialization
41
CBR Critic-Based Adaptation

• Human expertise introduces a new case

42
CBR-Based CRITTER
43
Codebook Correlation ModelGeneric Architecture
44
Codebook Correlation Model

• Yemini, et.al. proposed this model
• Monitors capture alarm events
• Configuration model contains the configuration of
  the network
• Event model represents events and their
  causalrelationships
• Correlator correlates alarm events with event
  model and determines the problem that caused the
  events

45
Codebook Approach

• Correlation algorithms based upon coding
  approach to event correlation
• Problem events viewed as messages generated by
  a system and encoded in sets of alarms
• Correlator decodes the problem messages to
  identify the problems

46
Two phases of Codebook Approaches

• Codebook selection phase Problems to be
  monitored identified and the symptoms
  theygenerate are associated with the
  problem.This generates codebook (problem-symptom
• matrix)
• 2. Correlator compares alarm events with codebook
  and identifies the problem.

47
Causality Graph
48
Labeled Causality Graph

• Ps are problems and Ss are symptoms
• P1 causes S1 and S2
• Note directed edge from S1 to S2 removed S2
  is caused directly or indirectly (via S1) by P1
• S2 could also be caused by either P2 or P3

49
Codebook

• Codebook is problem-symptom matrix
• It is derived from causality graph after
  removing directed edges of propagation of
  symptoms
• Number of symptoms gt number of problems
• 2 rows are adequate to identify uniquely 3
  problems

50
Correlation Matrix

• Correlation matrix is a reduced codebook

51
Correlation Graph
52
State Transition Model
53
State Transition Model Example
54
State Transition Graph
55
Finite State Machine Model
56
Finite State Machine Model

• Finite state machine model is a passive system
  state transition graph model is an active system
• An observer agent is present in each node and
  reports abnormalities, such as a Web agent
• A central system correlates events reported by
  the agents
• Failure is detected by a node entering an
  illegal state

57
Security Management

• Security threats
• Policies and Procedures
• Resources to prevent security breaches
• Firewalls
• Cryptography
• Authentication and Authorization
• Client/Server authentication system
• Message transfer security
• Network protection security

58
Security Threats

• Modification of information Contents modified by
  unauthorized user, does not include address
  change
• Masquerade change of originating address
  byunauthorized user
• Message Stream Modification Fragments of message
  altered by an unauthorized user to modify the
  meaning of the message
• Disclosure
• Eavesdropping
• Disclosure does not require interception of
  message
• Denial of service and traffic analysis are not
  considered as threats.

59
Security Threats
60
Polices and Procedures
61
Secured Communication Network
No Security Breaches ?

• Firewall secures traffic in and out of Network A
• Security breach could occur by intercepting the
  message going from B to A, even if B has
  permission to access Network A
• Most systems implement authentication with user
  id and password
• Authorization is by establishment of accounts

62
Firewalls

• Protects a network from external attacks
• Controls traffic in and out of a secure network
• Could be implemented in a router, gateway, or a
  special host
• Benefits
• Reduces risks of access to hosts
• Controlled access
• Eliminates annoyance to the users
• Protects privacy
• Hierarchical implementation of policy and and
  technology

63
Packet Filtering Firewall
64
Packet Filtering

• Uses protocol specific criteria at DLC, network,
  and transport layers
• Implemented in routers - called screening router
  or packet filtering routers
• Filtering parameters
• Source and/or destination IP address
• Source and/or destination TCP/UDP port
  address, such as ftp port 21
• Multistage screening - address and protocol
• Works best when rules are simple

65
Application Level Gateway
DMZ (De-Militarized Zone)
66
Cryptography

• Secure communication requires
• Integrity protection ensuring that the message
  is not tampered with
• Authentication validation ensures the
  originator identification
• Security threats
• Modification of information
• Masquerade
• Message stream modification
• Disclosure
• Hardware and software solutions
• Most secure communication is software based

67
???????

• ??? (Confidentiality)
• ??? (Authentication)
• ??? (Integrity)
• ????? (Non-repudiation)
• ???? (Access control)
• ??? (Availability)

68
Encryption
Network
atek49ffdlffffe ffdsfsfsff
atek49ffdlffffe ffdsfsfsff
decryption
encryption
ciphertext
ciphertext
Dear John I am happy to know ...
Dear John I am happy to know ...
plaintext
plaintext
69
Cryptography / Encryption

• Encryption
• Encode, Scramble, or Encipher the plaintext
  information to be sent.
• Encryption Algorithm
• The method performed in encryption.
• Encryption Key
• A stream of bits that control the encryption
  algorithm.
• Plaintext
• The text which is to be encrypted.
• Ciphertext
• the text after encryption is performed.

70
Encryption
Encryption Algorithm
Encryption Key
?
Ciphertext
atek49ffdlffffe ffdsfsfsff
Plaintext
Dear John I am happy to know ...
71
Decryption
Decryption Algorithm
Decryption Key
?
Plaintext
Dear John I am happy to know ...
Ciphertext
atek49ffdlffffe ffdsfsfsff
72
Encryption / Decryption
73
Encryption Techniques

• Private Key Encryption
• Encryption Key Decryption Key
• Also called Symmetric-Key Encryption, Secret-Key
  Encryption, or Conventional Cryptography.
• Public Key Encryption
• Encryption Key ? Decryption Key
• Also called Asymmetric Encryption

74
Private Key Encryption - DES (Data Encryption
Standard)

• Adopted by U.S. Federal Government.
• Both the sender and receiver must know the same
  secret key code to encrypt and decrypt messages
  with DES
• Operates on 64-bit blocks with a 56-bit key
• DES is a fast encryption scheme and works well
  for bulk encryption.
• Issues
• How to deliver the key to the sender safely?

75
Symmetric Key in DES
76
Other Symmetric Key Encryption Techniques

• 3DES
• Triple DES
• RC2, RC4
• IDEA
• International Data Encryption Algorithm

77
Key Size Matters!
Centuries Decades Years Hours
168-bits
Triple-DES (recommended for commercial
corporate information)
Information Lifetime
56-bits
40-bits
100s 10K 1M 10M
100M Budget ()
78
Public Key Encryption RSA

• The public key is disseminated as widely as
  possible. The secrete key is only known by the
  receiver.
• Named after its inventors Ron Rivest, Adi Shamir,
  and Leonard Adleman
• RSA is well established as a de facto standard
• RSA is fine for encrypting small messages

79
Asymmetric Key in RSA
80
Key Length
Average Time for Exhaustive Key Search
9
32
32 Bits 2 4.3 X 10
56
16
Number of Possible Key
56 Bits 2 7.2 X 10
Symmetric Cipher (Conventional)
Asymmetric (RSA/D-H)
128
38
128 Bits 2 3.4 X 10
40 Bits 274 Bits
56 Bits 384 Bits 64
Bits 512 Bits 80
Bits 1024 Bits 96 Bits
1536 Bits 112 Bits
2048 Bits 120 Bits
2560 Bits 128 Bits
3072 Bits 192 Bits
10240 Bits
31
32 Bits gt 2 usec 36 min
Time required at 1 Encryption/uSEC
127
24
128 Bits gt 2 usec 5X10 Years
32 Bits gt 2 millsec
Time required at 10 Encryption/uSEC
56 Bits gt 10 Hours
Performance
6
18
128 Bits gt 5X10 Years
30200 1
81
Hybrid Encryption Technology PGP (Pretty Good
Privacy)

• Hybrid Encryption Technique
• First compresses the plaintext.
• Then creates a session key, which is a
  one-time-only secret key.
• Using the session key, apply a fast conventional
  encryption algorithm to encrypt the plaintext.
• The session key is then encrypted to the
  recipients public key.
• This public key-encrypted session key is
  transmitted along with the ciphertext to the
  recipient.

82
PGP Encryption
83
PGP Decryption

• The recipient uses its private key to recover the
  temporary session key
• Use the session key to decrypt the
  conventionally-encrypted ciphertext.

84
PGP Decryption
85
Message Digest

• Message digest is a cryptographic hash
  algorithm added to a message
• One-way function
• Analogy with CRC
• If the message is tampered with the message
  digest at the receiving end fails to validate
• MD5 (used in SNMPv3) commonly used MD
• MD5 takes a message of arbitrary length
  (32-Byte) blocks and generates 128-bit message
  digest
• SHS (Secured Hash Standard) message digest
  proposed by NIST handles 264 bits and generates
  160-bit output

86
Digital Signatures

• Digital signatures enable the recipient of
  information to verify the authenticity of the
  informations origin, and also verify that the
  information is intact.
• Public key digital signatures provide
• authentication
• data integrity
• non-repudiation
• Technique public key cryptography
• Signature created using private key and validated
  using public key

87
Simple Digital Signatures
88
Secure Digital Signatures
89
Authentication and Authorization

• Authentication verifies user identification
• Client/server environment
• Host/User Authentication
• Ticket-granting system
• Authentication server system
• Cryptographic authentication
• Messaging environment
• e-mail
• e-commerce
• Authorization grants access to information
• Read, read-write, no-access
• Indefinite period, finite period, one-time use

90
Host Authentication

• Allow access to a service based on a source host
  identifier, e.g. network address.
• Issues
• A host can change its network address.
• Different users in the same host have the same
  authority.

91
User Authentication

• Enable service to identify each user before
  allowing that user access.
• Password Mechanism
• Generally, passwords are transferred on the
  network without any encryption.
• Use encrypted passwords.
• Users tend to make passwords easy to remember.
• If the passwords are not common words, users will
  write them down.
• Host Authentication User Authentication

92
Ticket-granting system
93
Ticket-granting system

• Used in client/server authentication system
• Kerberos developed by MIT
• Steps
• User logs on to client workstation
• Login request sent to authentication server
• Auth. Server checks ACL, grants encrypted ticket
  to client
• Client obtains from TGS service-granting ticket
  and session key
• Appl. Server validates ticket and session key,
  and then provides service

94
Authentication Server
95
Authentication Server

• Architecture of Novell LAN
• Authentication server does not issue ticket
• Login and password not sent from client
  workstation
• User sends id to central authentication server
• Authentication server acts as proxy agent to the
  client and authenticates the user with the
  application server
• Process transparent to the user

96
Message Transfer Security

• Messaging one-way communication
• Secure message needs to be authenticated and
  secured
• Three secure mail systems
• Privacy Enhanced Mail (PEM)
• Pretty Good Privacy (PGP)
• X-400 OSI specifications that define
  framework not implementation specific

97
Privacy Enhanced Mail

• Developed by IETF (RFC 1421 - 1424)
• End-to-end cryptography
• Provides
• Confidentiality
• Authentication
• Message integrity assurance
• Nonrepudiation of origin
• Data encryption key (DEK) could be secret or
  public key-based originator and receiver agreed
  upon method
• PEM processes based on cryptography and message
  encoding
• MIC-CLEAR (Message Integrity Code-CLEAR)
• MIC-ONLY
• ENCRYPTED

98
PEM Processes
DEK Data Encryption Key IK Interexchange
Key MIC Message Integrity Code
99
Use of PGP in E-mail
100
SNMPv3 Security
101
SNMPv3 Security

• Authentication key equivalent to DEK in PEM or
  private key in PGP
• Authentication key generated using user password
  and SNMP engine id
• Authentication key may be used to encrypt
  message
• USM prepares the whole message including
  scoped PDU
• HMAC, equivalent of signature in PEM and PGP,
  generated using authentication key and the whole
  message
• Authentication module provided with
  authentication key and HMAC to process incoming
  message

102
Virus Attacks

• Executable programs that make copies and insert
  them into other programs
• Attacks hosts and routers
• Attack infects boot track, compromises cpu,
  floods network traffic, etc.
• Prevention is by identifying the pattern of the
  virus and implementing protection in virus
  checkers

103
Accounting Management

• Least developed
• Usage of resources
• Hidden cost of IT usage (libraries)
• Functional accounting
• Business application

104
Report Management
105
(No Transcript)
106
Policy-Based Management
107
Policy-Based Management

• Domain space consists of objects (alarms with
  attributes)
• Rule space consists of rules (if-then)
• Policy Driver controls action to be taken
• Distinction between policy and rule policy
  assigns responsibility and accountability
• Action Space implements actions

108
Service Level Management

• SLA management of service equivalent to QoS of
  network
• SLA defines
• Identification of services and characteristics
• Negotiation of SLA
• Deployment of agents to monitor and control
• Generation of reports
• SLA characteristics
• Service parameters
• Service levels
• Component parameters
• Component-to-service mappings