network management


Upload: sangusajjan

Post on 14-May-2015


TRANSCRIPT

Page 1: Network management

Network Management

• All networks, whether large or small, benefit from some form of management. Network management involves configuring, monitoring, and possibly reconfiguring components in a network with the goal of providing optimal performance, minimal downtime, proper security, and flexibility.

• This type of management is generally accomplished by using a network management system, which contains a software bundle designed to improve the overall performance and reliability of a system.

• In a small network, network management systems might be used to identify users who present security hazards or to end misconfigured systems.

• The most common computer network management system currently implemented is the Simple Network Management Protocol (SNMP), which was originally intended to be a short-term solution to the network management issue.

• There is an OSI-based network management system called Common Management Information Protocol (CMIP).

• A network management system should be based on standards so that interoperability is also ensured.

NETWORK MANAGEMENT OVERVIEW

Network management involves monitoring and controlling a networking system so that it operates as intended. It also provides a means to configure the system while still meeting or exceeding design specifications.

The functions performed by a network management system can be categorized into the following five areas:

1. Fault management refers to the detection, isolation, and resolution of network problems.
2. Configuration management refers to the process of initially configuring a network and then adjusting it in response to changing network requirements.
3. Accounting management involves tracking the usage of network resources.
4. Performance management involves monitoring network utilization, end-to-end response time, and other performance measures at various points in a network.
5. Security management refers to the process of making the network secure.

A network contains a number of managed devices such as routers, bridges, switches, and hosts. Network management essentially involves monitoring and/or altering the configuration of such devices. An agent is a part of a network management system that resides in a managed device.

A network management station provides a text or graphical view of the entire network (or one of its components). This view is provided by way of a management application or manager that resides on the station.

The following figure shows a portion of a departmental network to illustrate how the network management concepts might apply.

Page 2: Network management

Each host contains an agent that collects management information pertaining to the host. Similarly, the router also contains its own agent. The manager in the management station can poll a particular agent to obtain specific management information, which can be, for example, the number of packet losses in the router.

A network management system may operate in a centralized or distributed manner, or include both types of computing.

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

In the early days of the Internet, the Internet Activities Board recognized the need for a management framework by which to manage TCP/IP implementations. The framework consists of three components:

1. A conceptual framework that defines the rules for describing management information, known as the Structure of Management Information (SMI).
2. A virtual database containing information about the managed device, known as the Management Information Base (MIB).
3. A protocol for communication between a manager and an agent of a managed device, known as Simple Network Management Protocol (SNMP).

• SNMP is an application layer protocol that is used to read and write variables in an agent's MIB.

• The most current version is SNMPv3.

• SNMP is based on an asynchronous request-response protocol enhanced with trap-directed polling.

• An SNMP manager sends messages to an agent via UDP destination port 161, while an agent sends trap messages to a manager via UDP destination port 162.

• The messages (PDUs) exchanged via SNMP consist of a header and a data part.

• The header contains a version field, a community name field, and a PDU type field.

SNMP provides three ways to access management information.

1. Request/response interaction in which a manager sends a request to an agent and the agent responds to the request.
2. Request/response interaction in which a manager sends a request to another manager and the latter responds to the request.
3. Unconfirmed interaction in which an agent sends an unsolicited Trap-PDU to a manager.

A typical interaction between a manager and agent would proceed as follows. The manager issues some form of get request that contains a unique request-id to match the response with the request, a zero-valued error status/error index, and one or more variable bindings. The agent issues a response containing the same request-id, a zero-valued error status if there is no error, and the same variable bindings.
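The manager/agent exchange just described, as an added example that is not part of the original slides: a GetRequest and the matching GetResponse hand-encoded in BER (SNMPv1 message layout, short-form lengths only), with the manager checking the PDU type, request-id and error status before accepting any returned value. The community string, OID and request-id are constructed sample values.

```python
"""SNMPv1 GetRequest/GetResponse hand-encoded in BER (constructed example, not from the
slides): header = version, community, PDU type; PDU = request-id, error-status, error-index, varbinds."""
INT, OCTETS, NULL, OID, SEQ = 0x02, 0x04, 0x05, 0x06, 0x30   # universal BER tags
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2                        # SNMP PDU type tags

def tlv(tag: int, value: bytes) -> bytes:
    """Tag | length | value, short-form length only (enough for PDUs under 128 bytes)."""
    assert len(value) < 0x80, "long-form BER length not implemented in this example"
    return bytes([tag, len(value)]) + value

def encode_int(v: int) -> bytes:
    return tlv(INT, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs in base 128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def varbind(oid: str, value: str = None) -> bytes:
    """A request carries NULL placeholders; the response fills in values (strings here)."""
    return tlv(SEQ, encode_oid(oid) + (tlv(NULL, b"") if value is None else tlv(OCTETS, value.encode())))

def message(community: str, pdu_tag: int, request_id: int, varbinds: list) -> bytes:
    """version 0 (SNMPv1) | community | PDU{request-id, error-status 0, error-index 0, varbinds}."""
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQ, b"".join(varbinds))
    return tlv(SEQ, encode_int(0) + tlv(OCTETS, community.encode()) + tlv(pdu_tag, pdu))

def parse_tlv(buf: bytes, pos: int = 0):
    tag, n = buf[pos], buf[pos + 1]                   # (tag, value, next_pos); short-form length only
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                               # high bit clear: last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_response(msg: bytes, expected_id: int) -> dict:
    """Manager side: check PDU type, request-id and error-status before trusting any value."""
    _, body, _ = parse_tlv(msg)
    pos = parse_tlv(body, parse_tlv(body)[2])[2]       # skip version and community fields
    tag, pdu, _ = parse_tlv(body, pos)
    _, rid, pos = parse_tlv(pdu)
    _, status, pos = parse_tlv(pdu, pos)
    _, index, pos = parse_tlv(pdu, pos)
    if tag != GET_RESPONSE or int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("not the GetResponse for this request-id: discard (stale, spoofed or replayed)")
    if status != b"\x00":
        raise ValueError(f"agent error-status {status[0]} at error-index {index[0]}")
    _, varbinds, _ = parse_tlv(pdu, pos)
    result, pos = {}, 0
    while pos < len(varbinds):
        _, vb, pos = parse_tlv(varbinds, pos)
        _, oid, vpos = parse_tlv(vb)
        vtag, val, _ = parse_tlv(vb, vpos)
        result[decode_oid(oid)] = val.decode() if vtag == OCTETS else val
    return result
```

`message("public", GET_REQUEST, 1234, [varbind("1.3.6.1.2.1.1.5.0")])` yields the 41-byte datagram a manager would send to UDP port 161; feeding the agent's reply to `parse_response` with the same request-id returns the bound values.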

Page 3: Network management

If an exception occurs for one or more of the variables, then the particular error status for each relevant variable is returned as well.

Version 3 of SNMP was formally documented in early 1998 [RFC 2271]. It presents a more complex framework for message exchange, the complexity being required both for extensibility and for security reasons. The security system contains a user-based security model, as well as other security models that may be implemented.

The model uses the MD5 encryption scheme for verifying user keys, a SHA message digest algorithm (HMAC-SHA-96) to verify message integrity and to verify the user on whose behalf the message was generated, and a CBC-DES symmetric encryption protocol for privacy. See [RFC 2274] for further information on the user-based security model.

STRUCTURE OF MANAGEMENT INFORMATION

The Structure of Management Information (SMI) defines the rules for describing managed objects. In the SNMP framework managed objects reside in a virtual database called the Management Information Base (MIB). Several data types are allowed in SMI. The primitive data types consist of INTEGER, OCTET STRING, NULL, and OBJECT IDENTIFIER. Additional user-defined data types are application specific. Primitive data types are written in uppercase, while user-defined data types start with an uppercase letter but contain at least one character other than an uppercase letter. Table B.2 lists some of the data types permitted in SMI. An OBJECT IDENTIFIER is represented as a sequence of nonnegative integers where each integer corresponds to a particular node in the tree. This data type provides a means for identifying a managed object and relating its place in the object hierarchy.

The internet (1) subtree itself has six subtrees:

Page 4: Network management

• The directory (1) subtree is reserved for future use describing how the OSI directory may be used in the Internet.

• The mgmt (2) subtree is used to identify "standard" objects that are registered by the Internet Assigned Numbers Authority (IANA).

• The experimental (3) subtree is for objects being used experimentally by working groups of the IETF. If the object becomes a standard, then it must move to the mgmt (2) subtree.

• The private (4) subtree is for objects defined by a single party, usually a vendor. It has a subtree enterprise (1), which allows companies to register their network objects.

• The security (5) subtree is for objects related to security.

• The snmpv2 (6) subtree is reserved for housekeeping purposes for SNMPv2. This subtree includes object information for transport domains, transport proxies, and module identities.

Object definitions are generally packaged into information modules. Three types of information modules are defined using the SMI:

• MIB modules, which serve to group definitions of interrelated objects.

• Compliance statements for MIB modules. These define a set of requirements that managed nodes must meet with respect to one or more MIB modules.

• Capability statements for agent implementations. These specify the degree to which a managed node is able to implement objects that are defined in a MIB module.

MANAGEMENT INFORMATION BASE

The Management Information Base (MIB) is a virtual database used to define the functional and operational aspects of network devices. The information provided by the MIB represents the common view and structure of management capabilities that are shared between the management station and the device's agent.

Each definition of a particular object contains the following information about the object: its name, the data type, a human-readable description, the type of access (read/write), and an object identifier.

Page 5: Network management

REMOTE NETWORK MONITORING

• An additional set of modules, known as Remote Network Monitoring (RMON), was developed in 1995.

• These are considered to be not only an extension of the mib-2 but also an improvement.

• RMON uses a technique called remote management to obtain monitoring data. In this approach a network monitor (often called a probe) collects the data from the device.

• The probe may stand alone or be embedded within the managed device. Management applications communicate with an RMON agent in the probe by using SNMP.

• RMON also provides for a higher level of standardization of the information collected.

• RMON is included as a subtree of mib-2 (rmon (16)).

• RMON focuses on network management at layer 2 (data link).

Security Protocols

To provide certain services, some communication protocols need to process the information they transmit and receive. For example, protocols that provide reliable communication service encode the transmitted information to detect when transmission errors have occurred so that they can initiate corrective action.

SECURITY AND CRYPTOGRAPHIC ALGORITHMS

Public communication networks traditionally have not been secure in the sense of providing high levels of security for the information that is transmitted.

Information transmitted over the network is not secure and can be observed and recorded by eavesdroppers. This information can be replayed in attempts to access the server. Imposters can attempt to gain unauthorized access to a server, for example, a bank account or a database of personal records. An attacker can also flood a server with requests, overloading the server resources and resulting in a denial of service to legitimate clients. An imposter can impersonate a legitimate server and gain sensitive information from a client, for example, a bank account number and associated user password.

Page 6: Network management

These threats give rise to one or more of the following security requirements for information that is transmitted over a network:

• Privacy or confidentiality: The information should be readable only by the intended recipient.

• Integrity: The recipient can confirm that a message has not been altered during transmission.

• Authentication: It is possible to verify that the sender or receiver is who he or she claims to be.

• Nonrepudiation: The sender cannot deny having sent a given message.

The need for security in communications is not new: it has existed in military communications for thousands of years. It should not be surprising, then, that the approaches developed by the military form the basis for providing security in modern networks.

One feature that is new in the threats faced in computer networks is the speed with which break-in attempts can be made from a distance by using a network. Because the threats are implemented on computers, very high attempt rates are possible.

Page 7: Network management

Applications of Cryptography to Security

The science and art of manipulating messages to make them secure is called cryptography. An original message to be transformed is called the plaintext, and the resulting message after the transformation is called the ciphertext. The process of converting the plaintext into ciphertext is called encryption. The reverse process is called decryption. The algorithm used for encryption and decryption is often called a cipher. Typically, encryption and decryption require the use of a secret key. The objective is to design an encryption technique so that it would be very difficult if not impossible for an unauthorized party to understand the contents of the ciphertext. A user can recover the original message only by decrypting the ciphertext using the secret key.

Substitution ciphers are a common technique for altering messages in games and puzzles. Each letter of the alphabet is mapped into another letter. The ciphertext is obtained by applying the substitution defined by the mapping to the plaintext. Transposition ciphers are another type of encryption scheme. Here the order in which the letters of the message appear is altered. For example, the letters may be written into an array in one order and read out in a different order. If the receiver knows the appropriate manner in which the reading and writing is done, then it can decipher the message. Substitution and transposition techniques are easily broken.

SECRET KEY CRYPTOGRAPHY

Figure 11.2 depicts a secret key cryptographic system where a sender converts the plaintext P into ciphertext $C = E_K(P)$ before transmitting the original message over an insecure channel. The sender uses a secret key K for the encryption. When the receiver receives the ciphertext C, the receiver recovers the plaintext by performing decryption $D_K(C)$, using the same key K. It is the sharing of a secret, that is, the key, that enables the transmitter and receiver to communicate. Symbolically, we can write $P = D_K(E_K(P))$. Secret key cryptography is also referred to as symmetric key cryptography.

The selection of the cryptographic method must meet several requirements. First of all, the method should be easy to implement, and it should be deployable on a large scale.

Page 8: Network management

Clearly, secret key cryptography addresses the privacy requirement. A message that needs to be kept confidential is encrypted prior to transmission, and any eavesdropper that manages to gain access to the ciphertext will be unable to access the contents of the plaintext message. The Data Encryption Standard (DES) is a well-known example of a secret key system.

A traditional method of authentication involves demonstrating possession of a secret. For example, in a military setting a messenger might be confirmed to be authentic if he or she can produce the correct answer to the specific question. A similar procedure can be used over a network, using secret key cryptography.

CRYPTOGRAPHIC CHECKSUMS AND HASHES

The usual approach to providing integrity is to transmit a cryptographic checksum or hash along with the unencrypted message. The transmitter and receiver share a secret key that allows them to calculate the checksum, which consists of a fixed number of bits. To ascertain integrity, the receiver calculates the checksum of the received message and compares it to the received checksum. If the checksums agree, the message is accepted.

A cryptographic checksum must be designed so that it is one way, in that it is extremely difficult to find a message that produced a given checksum. Furthermore, given a message, finding another message that would produce the same checksum should also be extremely difficult. In general the checksum is much shorter than the transmitted message. However, the cryptographic checksum cannot be too short.

The message digest 5 (MD5) algorithm is an example of a hash algorithm. The MD5 algorithm begins by taking a message of arbitrary length and padding it into a multiple of 512 bits. A buffer of 128 bits is then initialized to a given value. At each step the algorithm modifies the content of the buffer according to the next 512-bit block. When the process is completed, the buffer holds the 128-bit "hash" code. The MD5 algorithm itself does not require a key.

The keyed MD5, which combines a secret key with the MD5 algorithm, is widely used to produce a cryptographic checksum. First the message is padded to a multiple of 512 bits. The secret key is also padded to 512 bits and attached to the front and back of the padded message. The MD5 algorithm then computes the hash code.

Page 9: Network management

A general method for improving the strength of a given hash function is to use the hashed message authentication code (HMAC) method. Using MD5 as an example, HMAC works as follows. First, the shared secret is padded with zeros to 512 bits. The result is XORed with ipad, which consists of 64 repetitions of 00110110. Second, the message is padded to a multiple of 512 bits. Third, the concatenation of the blocks in the first two steps is applied to the MD5 algorithm to obtain a 128-bit hash. The hash is padded to 512 bits. Fourth, the shared secret is padded with zeros to 512 bits, and the result is XORed with opad, which consists of 64 repetitions of 01011010. Fifth, the blocks in the previous two steps are applied to the MD5 algorithm to produce the final 128-bit hash. The general HMAC procedure involves adjusting the block size (512 bits for MD5) and the hash size (128 bits for MD5) to the particular hash function. For example, SHA-1 works with a block size of 512 and a hash size of 160 bits.
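The HMAC construction walked through above, as an added example that is not from the original slides: the five steps are written out with the constants RFC 2104 specifies (ipad = 0x36, i.e. 00110110; opad = 0x5C, i.e. 01011100), the inner hash is appended to the opad block directly and the hash function's own padding fills the final block, and the result is cross-checked against Python's `hmac` module for MD5 and, by swapping the hash function, SHA-1. The key and message are constructed test inputs.

```python
"""HMAC assembled from the five steps above and cross-checked against Python's hmac module
(constructed example, not from the slides). Constants follow RFC 2104: ipad = 0x36 (00110110),
opad = 0x5C (01011100); the inner hash is appended to the opad block as-is and the hash
function's own padding completes the final block."""
import hashlib
import hmac

def hmac_by_steps(key: bytes, message: bytes, digestmod=hashlib.md5) -> bytes:
    block = digestmod().block_size                     # 64 bytes = 512 bits for MD5 and SHA-1
    if len(key) > block:                               # RFC 2104: oversized keys are hashed first
        key = digestmod(key).digest()
    key = key.ljust(block, b"\x00")                    # steps 1 and 4: zero-pad the shared secret
    k_ipad = bytes(b ^ 0x36 for b in key)              # step 1: K xor ipad
    k_opad = bytes(b ^ 0x5C for b in key)              # step 4: K xor opad
    inner = digestmod(k_ipad + message).digest()       # steps 2-3: H(K xor ipad || message)
    return digestmod(k_opad + inner).digest()          # step 5: H(K xor opad || inner hash)

def hmac_hex(key: bytes, message: bytes, algorithm: str = "md5") -> str:
    """Same construction for any hashlib algorithm, e.g. 'sha1' (512-bit block, 160-bit hash)."""
    return hmac_by_steps(key, message, getattr(hashlib, algorithm)).hex()

def verify_mac(key: bytes, message: bytes, received: bytes, digestmod=hashlib.md5) -> bool:
    """Receiver recomputes the checksum; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(hmac_by_steps(key, message, digestmod), received)

def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the step-by-step construction against hmac.new for MD5 and SHA-1."""
    return all(hmac_by_steps(key, message, h) == hmac.new(key, message, h).digest()
               for h in (hashlib.md5, hashlib.sha1))
```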

PUBLIC KEY CRYPTOGRAPHY

Unlike secret key cryptography, keys are not shared between senders and receivers in public key cryptography (sometimes also referred to as asymmetric cryptography). Public key cryptography was invented in 1975 by Diffie and Hellman. It relies on two different keys, a public key and a private key. A sender encrypts the plaintext by using a public key, and a receiver decrypts the ciphertext by using a private key, as illustrated in Figure 11.4. Symbolically, a public key cryptographic system can be expressed as $P = D_{K_2}(E_{K_1}(P))$, where $K_1$ is the public key and $K_2$ is the private key. In some systems the encryption and decryption process can be applied in the reverse order, such as $P = E_{K_1}(D_{K_2}(P))$. One important requirement for public key cryptography is that it must not be possible to determine $K_2$ from $K_1$. In general the public key is small, and the private key is large. The best-known example of public key cryptography is the one developed by Rivest, Shamir, and Adleman, known as RSA.

Public key cryptography can also be used to produce a digital signature. To sign a message the transmitter first produces a cryptographic checksum or hash of the message. The transmitter then encrypts the checksum or hash using its private key to produce the signature. No one else can create such a signature. The transmitter then sends the message and the signature to the receiver.
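The hash-then-sign procedure above, as an added example that is not from the original slides: the signer applies the private key $K_2$ to the hash, and the verifier applies the public key $K_1$ to the signature and compares with a fresh hash of the received message, which is the reverse-order identity $P = E_{K_1}(D_{K_2}(P))$. The key pair is textbook RSA built from the Mersenne primes $2^{31}-1$ and $2^{61}-1$ (constructed toy parameters so the numbers stay inspectable; no padding scheme is applied); `pow(E, -1, PHI)` needs Python 3.8 or later.

```python
"""Hash-then-sign with the private key, verify with the public key (constructed example,
not from the slides). Textbook RSA over the Mersenne primes 2**31-1 and 2**61-1 keeps the
arithmetic inspectable; real deployments use 2048-bit or larger keys and a padding scheme."""
import hashlib

P, Q = 2**31 - 1, 2**61 - 1                     # toy primes (constructed, both Mersenne primes)
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537                                       # public exponent: K1 = (E, N)
D = pow(E, -1, PHI)                             # private exponent: K2 = (D, N); Python 3.8+

def digest_int(message: bytes) -> int:
    """The cryptographic hash of the message, reduced to an integer below N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Signature = D_K2(hash): only the holder of the private exponent can produce it."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding K1 checks E_K1(signature) == hash(message); any edit breaks the match."""
    return pow(signature, e, n) == digest_int(message)
```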
