Network Management: a high level view - PowerPoint PPT Presentation

Slides: 17
Provided by: albe54

Transcript and Presenter's Notes

Title: Network Management: a high level view


1
Network Management: a high level view
  • Network management
  • manage network resources: usage, access,
    add/delete/repair/configure ...
  • Network management tasks
  • identify and repair fault conditions
  • monitor performance and usage
  • track component inventories
  • span geographic length of internetwork
  • support multiple technologies and protocols
  • The need for network management systems
  • in early single-host computing environments,
    network management was relatively
    straightforward
  • current internetworks are much more complicated:
    location of sites, protocols, security, uses of
    data, ...

2
Standards Models for NM
  • Two network management standards evolved in the
    mid 1980s
  • Common Management Information Service/Protocol
    (CMIS/CMIP)
  • Simple Gateway/Network Management Protocol
    (SGMP/SNMP)
  • CMIS/CMIP was defined by the ISO to support the
    five areas of network management defined by the
    CCITT.
  • In 1988, the Internet Activities Board (IAB)
    committee proposed SNMP as the short-term
    solution for network management.
  • Since then, the simple structure and good
    performance of SNMP have made it popular around
    the world. It is likely that SNMP will be a
    long-term solution.

3
ISO Network Management Model
  • ISO has defined 5 areas of network management
    issues in the ISO Network Management Model.
  • The model helps define the activities, concerns
    and targets related to network management.
  • The model does not define the actual
    implementation of a network management system.
  • Commercial systems may provide network management
    services included in one or more areas of this
    ISO model, but not necessarily all 5 areas.

[Figure: the five areas of the ISO model: Security, Accounting, Fault, Performance, Configuration]
4
Configuration and Fault Management
  • Configuration Management
  • The process of obtaining information from the
    network and setting up devices accordingly.
    Allows centralized control over the configuration
    of devices.
  • From a single management station, network
    engineers can determine and set a variety of
    hardware and software components (routers, hubs,
    etc.).
  • Fault Management
  • The process of detecting, isolating and
    correcting network failures. Goal: quick
    recovery from failure.
  • Includes the hardware, software and procedures
    that network engineers use to diagnose, test and
    repair network failures.
  • Most fault handling systems also alert engineers
    to the fault occurrence.

5
Security Management
  • Concerned with protecting network resources and
    sensitive information and data.
  • Mainly involves controlling/limiting access to:
  • hosts and network devices,
  • particular applications on a given device,
  • particular protocols traversing the network.
  • Also includes:
  • identify security risks and their consequences
  • implement secure network design and equipment
  • administer user groups and passwords
  • usage log, report of violations and alarms

6
Performance and Accounting
  • Performance Management
  • The process of collecting and analyzing
    performance indicators, e.g. throughput, delay.
  • Identifying bottlenecks, evaluating trends and
    making predictions of future performance.
  • Accounting Management
  • The process of measuring resource utilization on
    the network. Quite similar to performance
    management.
  • Data can be used to determine costs, bill the
    users and check quotas.
  • Allows management people to properly allocate
    resources, and optionally, bill users for their
    consumption of those resources.

7
Network Management Systems
  • A typical model of network management systems
    consists of
  • a network management station -- the central
    controller
  • the managed nodes -- network devices like routers
    and gateways which interconnect sub-networks
  • a protocol for communications, such as SNMP,
    between network devices and the controller, and
  • a set of parameters to be monitored and controlled

[Figure: Management Station and Network Devices exchanging SNMP messages; labels: read/write request, replies, trap, MIB]
8
Network Management Station
  • a powerful PC or workstation, normally dedicated
    for continuous use of network management
  • should be installed with a network management
    platform (protocol) such as HP OpenView, Sun
    SunNet Manager, IBM NetView.
  • normally, network management application tools
    are also required, such as CiscoWorks

[Figure: Network Management Platform and Applications]
9
NM Platform and Applications
  • Network management platform
  • it is the platform for network management,
    provides a user interface for mapping network
    applications and devices
  • services include: detect network devices and
    generate the network layout automatically;
    alarms - do polling and trapping; SNMP manager -
    obtain and change device settings.
  • Network management application tools
  • uses services of the underlying protocol and
    provides more user friendly tools, such as a
    virtual image of the front panel of a router.
  • Very often, a commercial NM application, such as
    CiscoWorks, is integrated with a NM platform.

10
CiscoWorks for Windows (for ref.)
  • Configuration Builder -- spreadsheet model,
    reduces the complexity of building configuration
    files
  • Health Monitor -- utilization, real-time and
    historical statistics graphs
  • CiscoView -- device physical view (virtual),
    status of interface ports indicated with
    different colours, point and click to select the
    desired interface.
  • Show Commands -- simplifies the procedure to check
    device configuration, status and traffic
    information.

11
Network Management Interactions
  • Polling
  • the network management station (NMS) queries each
    network device (ND) periodically, so it consumes
    more bandwidth.
  • NMS sends request message to NDs to get status
    information or set operation parameters (MIB
    variables)
  • network devices return reply message carrying
    status information (MIB variables)
  • Logging
  • Traps -- network devices generate warning
    messages when a critical threshold is reached
  • NMS logs/records alarm messages and alerts the
    network engineers
  • event-triggered, so, consumes little bandwidth

[Figure: request, replies and trap messages between the NMS and network devices]
12
Management Information Base (MIB)
  • MIB is a hierarchical database of information on
    the managed nodes (network devices).
  • MIB defines the structure and a set of variables
    that will exist on each managed node.
  • Variables in the database are defined by ISO,
    CCITT (ITU), and individual vendors. MIB 1
    specifications are defined in RFC 1066. MIB 2 in
    RFC 1213.
  • Each variable is assigned an object identifier.
    For example, sysUpTime is referenced as
    1.3.6.1.2.1.1.3.0.
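
How the sysUpTime object identifier above appears inside an SNMP message, as an added example that is not part of the original slides. It uses the standard ASN.1 BER encoding of an OBJECT IDENTIFIER, which the slides do not describe; the function names and the short-form length limit are choices made for this example.

```python
def encode_oid(dotted):
    """BER-encode a dotted OID as tag 0x06, length, base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError("not a valid OID: " + dotted)
    # The first two arcs are packed into one sub-identifier: 40*X + Y.
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for n in subids:
        chunk = [n & 0x7F]                   # last byte: high bit clear
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)  # earlier bytes: high bit set
            n >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for a short-form length byte")
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(data):
    """Inverse of encode_oid; rejects a wrong tag, length or truncated arc."""
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    if data[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    subids, n = [], 0
    for b in data[2:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends the arc
            subids.append(n)
            n = 0
    first = min(subids[0] // 40, 2)
    arcs = [first, subids[0] - 40 * first] + subids[1:]
    return ".".join(str(a) for a in arcs)

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"  # the OID given on the slide

if __name__ == "__main__":
    print(encode_oid(SYS_UPTIME).hex(" "))
    print(decode_oid(encode_oid(SYS_UPTIME)))
```

Recognising the leading bytes `06 08 2b 06 01 02 01` helps when reading SNMP traffic in a packet capture, since every MIB 2 variable shares that prefix.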

13
Security Access Control
  • Standard Access Lists - permit/deny access
    to/from
  • a network,
  • a specific sub-network, or
  • a specific host terminal
  • Extended Access Lists - filter packets according
    to the IP address as well as the
    protocol/applications.
  • e.g. permit e-mail, but deny FTP and Telnet
    applications.

14
Security access control
  • Terminal A can receive data from B and D.
  • Terminal A cannot receive data from C and the
    Internet

[Figure: network diagram with labels 36.48.0.3, 36.51.0.0, 36.48.0.0, E0 and 36.0.0.0]

! entries are tested in order and the first match wins,
! so the most specific entry comes first
access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.0.0.0 0.255.255.255
! (implicit deny all others)
interface ethernet 0
ip access-group 2
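
Why entry order matters in a standard access list, as an added example that is not part of the original slides: a small evaluator for the wildcard-mask, first-match logic, run over the three entries of access list 2 in two different orders. The function names and the test addresses are constructed for this example, and only the standard `access-list N permit|deny ADDR [WILDCARD]` form is parsed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_acl(text):
    """Parse standard 'access-list N permit|deny ADDR [WILDCARD]' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip comments, blanks and interface commands
        addr = int(ipaddress.IPv4Address(parts[3]))
        # No wildcard given means a single host (wildcard 0.0.0.0).
        wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((parts[2], addr, wild))
    return rules

def evaluate(rules, source):
    """Action of the first entry that matches; implicit deny if none does."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in rules:
        care = ~wild & MASK32  # wildcard bit 1 = ignore, 0 = must match
        if (src & care) == (addr & care):
            return action
    return "deny"

def shadowed(rules):
    """Indexes of entries an earlier entry fully covers (never reached)."""
    dead = []
    for i, (_, addr, wild) in enumerate(rules):
        for _, e_addr, e_wild in rules[:i]:
            e_care = ~e_wild & MASK32
            # Covered if the earlier entry checks no bit this one ignores
            # and both agree on every bit the earlier entry checks.
            if (wild & e_care) == 0 and ((addr ^ e_addr) & e_care) == 0:
                dead.append(i)
                break
    return dead

# Constructed inputs: the three entries of access list 2 in two orders.
BROAD_FIRST = """access-list 2 permit 36.0.0.0 0.255.255.255
access-list 2 deny 36.48.0.0 0.0.255.255
access-list 2 permit 36.48.0.3"""
SPECIFIC_FIRST = "\n".join(reversed(BROAD_FIRST.splitlines()))

if __name__ == "__main__":
    for name, text in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        rules = parse_acl(text)
        print(name, evaluate(rules, "36.48.7.9"), "shadowed:", shadowed(rules))
```

Running `shadowed` over a list before deploying it is a quick audit for entries that can never take effect.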
15
Security access control
  • For example, to deny FTP and Telnet but permit
    e-mail applications:
  • 23, 21 and 25 are the TCP port numbers for
    Telnet, FTP and e-mail applications.
  • the first address following tcp is the source
    address
  • the second IP address is the destination address

! extended IP access lists are numbered 100-199
access-list 101 deny tcp 138.100.4.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 23
access-list 101 deny tcp 138.100.4.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 21
access-list 101 permit tcp 138.100.4.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 25
interface ethernet 0
ip access-group 101
16
Security firewalls
  • Packet filters -- routers implemented with access
    lists.
  • a single router can be used to filter both
    incoming and outgoing packets, but this may not
    be safe enough to protect the network from viruses,
    hackers, junk mail, ...
  • Encryption can help protect data in transit,
    but can't keep away hackers.
  • Firewalls -- same concept as the protection of
    castles in the old days
  • a typical implementation has two routers and an
    application gateway in between
  • the routers act as incoming and outgoing filters
  • the gateway may further check the data content
    of the packets