Network Information and Management Infrastructure

About This Presentation
Title:

Network Information and Management Infrastructure

Description:

Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe ... Uses nmap to detect vulnerabilities. Scanners supply events for TIssue. CHEP2006. TIssue ...

Slides: 13
Provided by: cddocd

Transcript and Presenter's Notes

Title: Network Information and Management Infrastructure


1
Network Information and Management Infrastructure
  • Igor Mandrichenko, Eileen Berman, Phil DeMar,
    Maxim Grigoriev, Joe Klemencic, Donna Lamore,
    Mark Leininger, Don Petravick, Vladimir
    Podstavkov, Randy Reitz
  • Fermi National Accelerator Laboratory

2
Challenges of FNAL LAN management
  • Specifics of FNAL network
      • Large
      • Open, dynamic
      • Exposed
  • Successful network and network security
    management requires coordinated cooperation of
    key players
      • Data Communications
      • Computer Security
      • Users
      • Desktop support

3
What is NIMI ?
  • NIMI stands for Network Information and
    Management Infrastructure
  • Hardware: 2 Linux servers
  • Database with quasi-real time network status data
      • PostgreSQL
  • Network Data Collector
  • Data access and application building framework
      • Python as programming language
      • PostgreSQL as the database solution
      • (Kerberized) SOAP as middleware communication
        mechanism
      • Kerberos, X509 as authentication mechanisms
      • Zope as Web interface development tool

4
Big Picture

5
NIMI Database
  • PostgreSQL based
  • Stores network state quasi-realtime data
  • Uses PostgreSQL backup functionality to make
    backup in 3 locations
      • Another disk on the same server
      • Backup NIMI DB server
      • FNAL CD Backup Server
  • Data is kept since March 2004
  • < 5GB on disk

6
NIMI Collector
  • Collects network state information from network
    devices
  • Stores data in NIMI Database and makes it
    available to applications
  • Information collected
      • DHCP leases (quasi-realtime)
      • ARP tables (periodic polls)
      • VPN sessions (periodic polls)
      • Switch forwarding tables (periodic polls)

7
NIMI-Based Applications
  • Network Inventory
      • Up-to-date inventory of network devices and
        services
  • Scanners
      • Configuration problems
      • Software version monitoring
      • Vulnerabilities
  • TIssue
      • Computer Security Issue Tracking workflow system
      • Fed by scanners

8
Network Inventory
  • Provides up-to-date information about network
    devices present on the LAN
  • New node discovery
      • Periodic subnet pings (every 2 minutes)
      • ARP tables (delayed up to 15 minutes)
  • Uses ping scans and ARP tables data for node
    discovery
  • Collects information about OS version and
    services found on each computer
  • Most of new nodes scanned within 5 minutes
  • Helps optimize efficiency of other Scanners

9
Scanners
  • Run on Scanner Farm
  • Use data from Inventory Scanner to scan new nodes
    within 10-20 minutes of their arrival, and then
    re-scan them in lazy manner as they stay online
  • Three areas
      • Vulnerabilities (Vulnerability Scanner)
      • System misconfiguration
      • Outdated software
  • Vulnerability Scanner
      • Uses nmap to detect vulnerabilities
  • Scanners supply events for TIssue
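
The discovery and scheduling behaviour described on slides 8 and 9 (ping sweeps and ARP polls feed the inventory, new nodes are scanned first, online nodes are re-scanned lazily), sketched as an added example that is not NIMI's own code. The `Inventory` class, the 24-hour re-scan interval, the 15-minute offline threshold and the rule that a changed MAC voids earlier scan results are assumptions made for illustration.

```python
RESCAN_AFTER = 24 * 3600  # assumed lazy re-scan interval in seconds (not from the slides)
OFFLINE_AFTER = 15 * 60   # assumed: a node unseen for this long counts as offline

class Inventory:  # hypothetical name, not a NIMI class
    def __init__(self):
        self.nodes = {}  # ip -> {"mac", "first_seen", "last_seen", "last_scan"}

    def observe(self, now, ping_hits=(), arp_entries=()):
        """Merge one ping sweep (IPs) and one ARP poll ((ip, mac) pairs).

        Returns IPs needing a first scan: unseen IPs, plus known IPs whose
        MAC changed (assumed to mean different hardware took the address).
        """
        fresh = []
        for ip, mac in [(ip, None) for ip in ping_hits] + list(arp_entries):
            node = self.nodes.get(ip)
            if node is None:
                node = self.nodes[ip] = {"mac": mac, "first_seen": now, "last_scan": None}
                fresh.append(ip)
            elif mac and node["mac"] and mac != node["mac"]:
                # Different device behind a known IP: old scan results are void.
                node.update(mac=mac, first_seen=now, last_scan=None)
                fresh.append(ip)
            elif mac:
                node["mac"] = mac  # ping saw it first, ARP now supplies the MAC
            node["last_seen"] = now
        return fresh

    def scan_queue(self, now):
        """Work order for the scanners: never-scanned nodes first (oldest
        arrival first), then online nodes with the stalest previous scan."""
        work = []
        for ip, n in self.nodes.items():
            if now - n["last_seen"] > OFFLINE_AFTER:
                continue  # only nodes that are still online get scanned
            if n["last_scan"] is None:
                work.append((0, n["first_seen"], ip))
            elif now - n["last_scan"] >= RESCAN_AFTER:
                work.append((1, n["last_scan"], ip))
        return [ip for _, _, ip in sorted(work)]

    def mark_scanned(self, ip, now):
        self.nodes[ip]["last_scan"] = now

# Constructed sample data (documentation address range, made-up MACs).
inv = Inventory()
inv.observe(0, ping_hits=["192.0.2.5"], arp_entries=[("192.0.2.5", "aa:aa"), ("192.0.2.9", "bb:bb")])
```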

10
TIssue
  • Workflow engine used to keep track of security
    vulnerabilities and network-related issues
  • Provides flexible abstract interface to plug in
    Detectors (e.g. Scanners)
  • Keeps track of events in detector-independent way
  • Communicates with machine administrators via
    e-mail and web interface
  • Requests blocks of network addresses as the
    enforcement tool
  • Zope-based web GUI uses X509 certificates as the
    authentication mechanism

11
Advantages of using NIMI
  • Common data storage easily available to
    applications
  • Simple modular design of the system
      • Collector deals with variety of vendor-specific
        network data
      • Central database
      • APIs
      • Middleware
  • Carefully chosen set of software tools covering
    all areas of application development
      • PostgreSQL
      • Python
      • SOAP
      • Zope
      • Kerberos, X509

12
NIMI Success Story
  • Recent computer security related events have
    demonstrated that applications such as TIssue and
    Inventory Scanner are very reliable, powerful and
    useful computer security and network management
    tools
  • NIMI provides building blocks for rapid
    development of applications like these
  • We continue new application development using
    NIMI as the framework