Network Management and Initialization - PowerPoint PPT Presentation

1 / 55
About This Presentation
Title:

Network Management and Initialization

Description:

Network Management and Initialization Based on Computer Networks and Internets, Comer – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 56
Provided by: blum7
Category:

less

Transcript and Presenter's Notes

Title: Network Management and Initialization


1
Network Management and Initialization
  • Based on Computer Networks and Internets, Comer

2
Network management What is it?
  • A network manager is responsible for monitoring
    and controlling the hardware and software that
    make up a network.
  • The network manager works to repair the network
    when it goes down.
  • The network manager also attempts to tune and
    tweak the network so that it operates more
    efficiently.
  • There is a variety of software and hardware to
    help network managers in their work.

3
Network management
  • Network management can include
  • Security Making sure that the network is
    protected from hackers, viruses, denial of
    service (DoS) attacks, etc.
  • Performance Making sure the bandwidth is used to
    the fullest, eliminating bottlenecks, etc.
  • Reliability Making sure the network is up and
    running as much as possible.
  • Anticipate to Avoid

4
Difficulty of Network Management
  • Some failures, like a cut cable, while
    catastrophic are easy to detect.
  • Intermittent or partial failures can be more
    difficult to find because TCP (with its
    retransmission procedure) is designed to hide
    (work in spite of) these problems.
  • However, retransmission uses bandwidth that could
    be used for other traffic if the error did not
    occur.
  • A good network manager will root out such
    problems before they become more severe.

5
SNMP
PDU UDP
  • Simple Network Management Protocol is a set of
    rules for exchanging messages that allow a
    network manager to monitor and control network
    hosts/nodes.
  • The messages are called Protocol Data Units
    (PDUs) and are sent using User Datagram Protocol
    (UDP).
  • SNMP is part of TCP/IP and as with many other
    application layers services it is a separate
    install.
  • The term manager refers not only to the person
    overseeing the network but also to special
    software used.

6
Uses UDP
7
Vocabulary change
  • SNMP follows the standard client-server paradigm
    a client requests and a server
    responds/replies.
  • But the situation is somewhat unusual in that
    there are more servers than clients in this case
    and the clients machine is probably the better
    machine.
  • The SNMP client runs on the managers computer
    and is called the manager.
  • The SNMP server runs on various hosts and
    is called the agent.

8
Vocabulary change II
  • Client is to server as manager is to agent, i.e.
    the manager requests information from the agent,
    the manager initiates.

Client
Server
Manager
Agent
9
A community
  • The manager (a person) organizes the computers
    into groups for management purposes, these are
    called communities.
  • A computer can belong to more than one community.
  • The manager (software) requests information
    (network statistics, such as how many packets
    required retransmission) from the agents in its
    community.
  • The manager can set parameters on the agents and
    thus change delivery routes, configure network
    interfaces, etc.

10
Fetch and Store
  • The S in SNMP is simple because it has a small
    set of commands.
  • The manager can request a value from an agent a
    fetch.
  • the agent receives the request, retrieves
    information from an MIB (management information
    base) and sends it to the manager.
  • The manager can request an agent to set a
    parameter to a particular value a store.
  • Certain parameter values are interpreted by the
    agents as a command and cause them to initiate a
    sequence of events, such as a reboot.

11
MIB
  • The information (and procedures) accessed by SNMP
    are stored in the Management Information Base
    (MIB).
  • The SNMP specifies a few simple messages. The
    complexity and flexibility (how to handle new
    software or hardware) is in MIB.
  • A separate standard defines MIB variables and the
    meaning of the operations on each variable.

12
SNMP Messages
  • Get The simplest SNMP request message. A manager
    sends a get message requesting a single MIB entry
    (e.g., the amount of free drive space) the agent
    responds with the entry provided the manager
    belongs to the same community as the agent.

13
SNMP Messages
  • Get-next A type of request message that can be
    used to browse the entire collection of
    management objects. When a manager sends a
    get-next request for a particular object, the
    agent replies with the identity and value of the
    object which follows the object in the request
    message.
  • Get-next is useful for accessing tables, such as
    internal IP route tables.

14
SNMP Messages
  • Getbulk Requests that the data packets sent by
    the agent be as large as possible. This minimizes
    the number of protocol exchanges required.
  • The maximum message size should not be larger
    than the path MTU.
  • Set If the manager has write privileges, this
    message is used to update an agents MIB value.

15
SNMP Messages
  • Trap Typically the manager (client) requests and
    the agent (server) responds. However, some
    situations require the agent to initiate an
    interaction. A trap is an unsolicited message
    sent by an agent to a manager when certain
    predefined conditions occur in the agent.
  • The manager that receives a trap message is known
    as a trap destination. There may be more than one
    manager.
  • E.g., a trap might be sent if a host is about to
    go down.
  • E.g. a trap might be sent if a manager without
    permission contacts an agent.

16
SNMP Help
17
SNMP Help
18
SNMP Help
19
SNMP Help
20
Scenario from Help
  • The management system (Host A), sends an SNMP
    datagram to the agent (Host B), using the agent's
    host name, IP address or IPX address.
  • The SNMP agent receives the datagram and verifies
    the community name to which the management system
    belongs.
  • If it is a valid community name, the agent
    retrieves the data requested from the appropriate
    SNMP subagent. The SNMP agent returns the
    datagram to the management system with the
    requested information.
  • If the community name is incorrect, the agent
    sends an "authentication failure" trap to its
    trap destinations (Hosts C and D).

21
And now for something completely different
22
DHCP
  • Dynamic Host Configuration Protocol does not
    require an administrator to add an entry for a
    computer into the database.
  • Instead DHCP is plug-and-play networking. The
    computer runs a client to
  • obtain configuration info from DHCP
  • obtain a permanent address if the computer is
    nonmobile.

23
DHCP
  • DHCP uses permanent address that are assigned to
    server computers and a pool of addresses that are
    allocated on demand.
  • Based on the computers entry in the servers
    database, the DHCP decides the type of address to
    assign.
  • For dynamic addresses, the computers IP may
    change with each boot.
  • This challenges internet connections. (Recall
    dynamic DNS.)

24
DHCP Considerations
  • When a system reboots, there is a flood of DHCP
    requests. This is handled by using a random wait
    time before transmitting an address request.
  • Caching allows the computer to save the DHCP
    servers address in a cache on a permanent
    storage, and use the cache information on reboot
    once it has been validated.

25
Lease
  • DHCP uses the concept of a "lease" or amount of
    time that a given IP address will be valid for a
    computer.
  • The lease time can vary depending on how long a
    user is likely to require the Internet connection
    at a particular location.
  • It's especially useful in education and other
    environments where users change frequently. Using
    very short leases, DHCP can dynamically
    reconfigure networks in which there are more
    computers than there are available IP addresses

26
APIPA
  • Automatic Private IP Addressing, a feature of the
    Windows 98 and Windows 2000
  • If a DHCP client finds no DHCP server when it
    boots, it uses APIPA to automatically configure
    itself with an IP address from a range that has
    been reserved especially for Microsoft.
  • The IP address range is 169.254.0.1 through
    169.254.255.254. The client also configures
    itself with a default class B subnet mask of
    255.255.0.0. A client uses the self-configured IP
    address until a DHCP server becomes available.

27
Network Security
  • Based on Computer Networks and Internets, Comer

28
Security Policy
  • Information must be seen as part of a companys
    assets and thus worth securing.
  • On the other hand, if the information is not
    accessible to an appropriate set of people, it is
    worthless.
  • Thus security and accessibility must be balanced.
    There is no ideal blend that is right for all
    companies.
  • An important step toward securing a network is to
    develop a security policy.

29
Security policy
  • A security policy is a written document stating
    how a company intends to protect its information.
  • While written, it must be flexible so it can
    adapt to changes in technology and so forth.
  • A security policy might include
  • A description of who has access to what
    information and for what use.
  • A description of security measurements and
    penalties for the violation thereof.
  • An evaluation procedure.
  • A policy for educating users.

30
Security Aspects
  • Some aspects of data security to address are
  • Integrity the data should be protected from
    corruption (accidental or intentional).
  • Availability the data should be readily
    accessible by designated users.
  • Confidentiality the data should not be
    accessible by undesignated users.
  • Privacy in some situations it is the users
    data that requires protecting.

31
Protecting Data from Accidental Corruption
  • Checksum, CRC and parity are used to ensure
    integrity during transmission, similar approaches
    can be used on information in storage.
  • A backup scheme can be seen as protecting data
    integrity.
  • A RAID (Redundant Array of Independent/
    Inexpensive Disks) scheme protects integrity
    while maintaining availability.
  • Protect hardware from power surges, water damage,
    etc.

32
Protecting Data from Intentional Corruption
  • Authenticate users before giving them access to
    information.
  • Restrict access to hardware, computers, servers,
    hubs, etc.
  • Protect the network against viruses and hacker
    attacks.
  • Have a recovery plan.

33
Data Availability/User Privacy
  • The whole reason for a network is sharing
    information and resources.
  • Data and resources must be accessible to
    authenticated users.
  • Protecting system data and resources should not
    violate the users privacy rights or at least the
    users level of privacy should be acknowledged.

34
Audit trail
  • One mechanism for tracking security is an audit
    trail. The term comes from accounting where it
    means the set of paperwork used to validate or
    invalidate an accounting procedure.
  • Any logging of activity (paper or electronic) is
    known as an audit trail. One can track
  • The information a user accesses or attempts to
    access
  • Businesses maintain an audit trail for customer
    transactions.
  • Some ISPs and chat rooms maintain logs of users.
  • Etc.

35
Authorization and Authentication
  • Authorization is the setting of users
    permissions
  • Can a user read a file? Edit a file? Delete a
    file? Etc.
  • Space and/or time limits on access, e.g. a user
    has so much space on a drive
  • Location limits, certain information can only be
    accessed from certain locations
  • Authentication is the attempt to ensure that the
    user is who he or she claims to be
  • Username and password
  • Biometric devices
  • Possessed object

36
Sniffing Passwords
  • The problem with the username/password approach
    to authentication in networks is that the
    password information must be sent over the
    network where it can be read by a sniffer
    (computer with MAC card in promiscuous mode).
  • The best defense here is to encrypt the
    communication. The password packet can still be
    sniffed but it is unintelligible to the hacker.

37
Cryptography
  • One way to secure data, be it in storage or in
    transit, is encryption.
  • Encryption coverts information in its usual
    readable form (called plaintext) to information
    in an encoded, unreadable form (called
    cyphertext).
  • PGP (Pretty Good Privacy) program a good
    encrypter that works with most email systems.

38
Encryption
  • The data is stored or transmitted in binary
    (numerical) form.
  • To encrypt data one applies some mathematical
    operation to it.
  • The mathematical operation should have an inverse
    so that one can recover the original data
    (decrypt the message).
  • The mathematical operation often has a parameter
    (known as a key in encryption) which specifies
    the precise operation within a family of
    operations.

39
Caesar Shift Example
  • The Caesar shift is an early form of encryption.
  • The mathematical operation is addition.
  • The key (parameter) is the amount added, e.g. 3
  • CAT ? FDW (ASCII for C 3 is ASCII for F)
  • The inverse operation is subtraction which uses
    the same key.
  • FDW ? CAT (ASCII for F - 3 is ASCII for C)

40
Public Key Encryption
  • In some cases, the parameters for the
    mathematical operation and its inverse are not
    the same. Then one is said to have two keys.
  • For purposes of encryption, it is ideal if
    knowledge of one of the parameters does not
    (easily) lead to knowledge of the other.
  • Such a mathematical operation is the basis for
    public key encryption.

41
Public Key/Private Key
  • A user is assigned two keys (a private key and a
    public key).
  • The private key should be known only to the user.
  • The public key is published along with the users
    name.
  • Someone can send the user a private message by
    using the users public key to encrypt, then the
    user is the only person (presumably) who can
    decrypt the message.

42
Digital signature
  • Use this process in reverse.
  • The user encrypts the message with his or her
    private key.
  • Anyone with the users public key can decrypt it.
  • BUT since the users public key decoded the
    message, the message must have come from the user
  • This does not give privacy but authentication.

43
Double Key Encryption
  • To have a private and authenticated transaction
    use two keys.
  • Mary encrypts a message with Johns public key
    and then does a second encryption using her
    private key.
  • The message must be decrypted using Marys public
    key (authenticated we know its from Mary) and
    further decrypted using Johns private key
    (private only John can do this).

44
Firewalls
  • A firewall guards the perimeter of a network, all
    traffic flows through and is examined by the
    firewall.
  • The earliest firewalls performed a packet
    filtering service.
  • If sending packets is analogous to sending mail
    then a having a firewall is analogous to having
    the mail censored.
  • Certain packets are not allowed in based on their
    content or source certain packets are not
    allowed in based on their content or destination.

45
Firewall
  • A firewall can help centralize part of a
    networks security effort.
  • A firewall can prevent
  • outsiders from probing all computers in an
    organization
  • flooding the network with unwanted traffic
  • attacking a computer by causing it to crash.

46
Firewall Fig. 40.1
47
Packet filter
48
Firewall
  • The firewall working closely with the router, it
    examines each packet to determine whether or not
    to forward it.
  • The filtering may be based on any number of
    criteria
  • Source or destination IP address
  • Allow only certain addresses or rule out certain
    addresses
  • Direction
  • Service type (FTP, SMTP, telnet, etc., identified
    by port number)
  • Time

49
Firewall
  • A firewall can also maintain an audit trail (log
    file).
  • A firewall can be trained to look for virus
    signatures.
  • The firewall can scan for tokens or tickets which
    authenticate users.
  • A pair of firewalls can agree on an encryption
    scheme, for instance if two private networks are
    connected by a public line (a virtual private
    network).

50
Tunneling
  • If one encrypted an entire packet it could not be
    delivered.
  • But if one encrypts only the data then there are
    all those fields supplying information about the
    source, destination, etc.
  • One can encrypt an entire packet and then place
    it in another packet (encapsulate it).
  • The destination of this outer packet must then
    decrypt the original packet and forward it, but
    by then it has presumably reached a private,
    secure network.

51
Tunneling
52
Proxy server
  • A proxy is somebody who is authorized to stand in
    for somebody else.
  • A proxy server stands in for the client on a
    private network in that when the client makes a
    request of a server outside the network, the
    request is made of the proxy server, the proxy
    server then makes the request of the destination
    that is it stands in for the client.
  • The reply is then passed from the proxy to
    original client.
  • This way the destination does not learn the
    address of the true client, only that of the
    proxy.

53
Caching too
  • The proxy server hides the private networks
    addresses.
  • Another benefit of a proxy is that it can cache
    results for the entire network. Like any host
    client, it checks its cache before requesting
    something. But the proxy had made the requests
    for all of the computers on the network.

54
Proxy server
55
Other References
  • http//www.webopedia.com
  • http//www.whatis.com
  • Computer Dictionary, Shnier
  • Microsoft 2000 help
Write a Comment
User Comments (0)
About PowerShow.com