NETWORK MANAGEMENT COD 06103 With RICHARD RAJABU MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

Upload: carlie-brandon

Post on 30-Mar-2015


TRANSCRIPT

Page 1: NETWORK MANAGEMENT COD 06103 With RICHARD RAJABU MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

NETWORK MANAGEMENT COD 06103

With RICHARD RAJABU

MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

Page 2:

WELCOME BACK

• Any idea of what we are going to learn?
• What do you expect to gain from this course?
• What do you expect from me?

Page 3:

Our course outline

1. Overview of the issues of network management
2. Use of passwords and access control mechanisms
3. Domain names and name services
4. Issues for Internet service providers
5. Security issues and firewalls
6. Quality of service issues: performance, failure recovery

Page 4:

Our goals

• Explain the issues for network management arising from a range of security threats, including viruses, worms, Trojan horses, and denial-of-service attacks.

• Develop a strategy for ensuring appropriate levels of security in a system designed for a particular purpose.

• Implement a network firewall.

Page 5:

MANAGEMENT

• Refers to the ability to configure, control, operate and diagnose equipment.

Page 6:

Check it out

• Find out about the MIST network:
  – Is it a LAN, WAN or MAN?
  – Who designed it?
  – How is it accessing the Internet?
  – How are files and other resources shared?
  – How is it secured?
  – What equipment does it use?
  – How are faults identified?
  – How are they repaired?

Page 7:

NETWORK MANAGEMENT

• The FCAPS:
  – Fault management
  – Configuration management
  – Accounting management
  – Performance management
  – Security management

Page 8:

Configuration management

• A configuration can be a description of a distributed system based on the physical and geographical location of resources, including how these resources are actually interconnected and information about their logical relationship.

Page 9:

• The process of configuration, as an activity or as a manipulation of the structure of distributed systems, is therefore the setting and changing of the parameters that control the normal operation of a system and the establishing of the system environment required for this normal operation.

Page 10:

• The result of a configuration process is therefore the generated system, in the sense of a set of certain parameter values that are characteristic for the normal operation of a resource.

Page 11:

Distributed system?

• A distributed system consists of a collection of autonomous computers, connected through a network and distribution middleware, which enables computers to coordinate their activities and to share the resources of the system, so that users perceive the system as a single, integrated computing facility.

Page 12:

Generally

• Configuration is an adaptation of systems to operating environments and it includes
  • installing new software
  • expanding old software
  • attaching devices
  • making changes to network topology or to traffic load

Page 13:

• Although configuration also encompasses aspects of physical installation, it is usually carried out through a software-controlled generation and setting of parameters:
  – function selection parameters;
  – authorization parameters;
  – protocol parameters (message lengths, windows, timers, priorities);
  – attachment parameters (type and class of device, procedure, bit rate, parity);
  – entries in routing tables, name servers, directories;
  – filter parameters for bridges (addresses, types of protocols, integration);
  – spanning tree parameters for a bridge (priority of bridge or port);
  – parameters for the connecting paths of routers (interfaces, speed, flow-control procedures), maximum file size, computing times, and services allowed.

Page 14:

Evaluation criteria for configuration tools

• Location of configuration: a configuration can take place
  – on a component for the component itself,
  – on each component for any other component,
  – at a selected station for a specific component (element management system), or
  – at a selected station (network management system) for all components.

Page 15:

• Storage of configuration: NVRAM or the hard disk, EPROMs, boot server.

• Validity of configuration: a static configuration interrupts operations, a dynamic configuration does not. Thus, the events that signal the validity of new operating parameters can be
  – the reloading of a component,
  – the restart of a component, or
  – the restart of one of the affected component ports.

Page 16:

• User interface of the configurator: the quality of a user interface depends, on the one hand, on to what extent individual parameters can quickly be changed and, on the other hand, on to what extent the network administrator can be relieved of dealing with the individual parameters of a large number of devices.

Page 17:

Tools for config management

• Configuration management therefore encompasses
  – setting parameters,
  – defining threshold values,
  – setting filters,
  – allocating names to managed objects (loading configuration data, if necessary),
  – providing documentation of configuration changes, and
  – actively changing configurations.

Page 18:

Thus the tools are
• Auto-topology and auto-discovery, that is, the ability to extrapolate a description of a configuration from the concrete actual system environment.
• Systems for documenting descriptions of configurations, master databases.
• Tools for generating network maps for the visualization of configuration data.
• Tools for activating backup systems to detach missing components and so forth.
• Tools for setting and invoking configuration parameters and system status.
• Tools for software distribution and licensing control.
• Tools for supervising and controlling authorization.

Page 19:

Fault management

• A fault can be defined as a deviation from the set operating goals, system functions, or services.

• Faults are target/performance deviations in the behavior of resources.

• Fault management comprises reactive and proactive measures.

• Fault management deals with the detection, isolation, and elimination of abnormal system behavior.

Page 20:

• Fault management in computer networks and distributed systems is more difficult for a variety of reasons:
  – the large number of components involved,
  – the wide physical distribution of the resources,
  – the heterogeneity of the hardware and software components, and
  – the different domains components fall under (e.g., personnel of different organizational units).

Page 21:

• Messages about faults are usually conveyed by the components themselves or by the users of the system.

• Some of the sources of faults are
  – data transmission paths (e.g., transceiver cable, twisted-pair cable, optical fiber, leased lines, virtual channels),
  – network components (e.g., transceivers, repeaters, bridges, star couplers, server computers, data terminals),
  – end systems,
  – software for components,
  – inadequate interface descriptions (indirectly),
  – or even incorrect operation.

Page 22:

Fault management tasks

• The function of fault management is to detect and correct faults quickly to ensure that a high level of availability of a distributed system and the services it provides is maintained.

Page 23:

• The tasks include
  • Monitoring network and system state.
  • Responding and reacting to alarms.
  • Diagnosing fault causes (i.e. fault isolation and root-cause analysis).
  • Establishing error propagation.
  • Introducing and checking error recovery measures (i.e. testing and verification).
  • Operating trouble ticket systems.
  • Providing assistance to users (user help desk).

Page 24:

Aids for fault analysis

• Self-identification of system components.
• Separate testability of components.
• Trace facility (i.e. keeping records of switched message traffic or labeling messages for the purpose of traceability or special compatibility reports).
• Error logs.
• Message echoes at all protocol layers (i.e. at transmission links and on an end-to-end basis), such as “heartbeat” or “keep alive” messages that detect failure.
• Retrieval possibilities for memory dumps.
• Measures for purposely generating errors in defined system environments.

Page 25:

• Start possibilities (which can also be initiated and monitored centrally) for self-test routines and the transmission of test texts to specific ports (loop test, remote test, problem file), as well as reachability tests such as ICMP packets for ping and traceroute analysis of network reachability.
• Setting options for threshold values.
• Triggering of planned resets and restarts (directed to specific ports, port groups, and components).

Page 26:

• Availability of special test systems (e.g. oscilloscopes, time-domain reflectometers, interface checkers, protocol analyzers, hardware monitors for line supervision).

• Support of filter mechanisms for fault messages or alarms and event correlation for reducing the number of relevant events and for root-cause analysis.

• Interfaces of fault management tools to trouble ticket systems and help desks (e.g. for automated propagation of fault notifications and corrections).
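The filter mechanisms and event correlation listed above, as an added example that is not part of the lecture material: it first collapses repeated alarms and then uses a constructed uplink topology to charge every "unreachable" symptom to the failed device furthest upstream, so that one root-cause alarm is reported instead of the whole cascade. The device names, the uplink table, the alarm stream and the two time windows are all constructed assumptions made for this example.

```python
"""Alarm filtering and topology-based root-cause correlation.

Added example (not from the lecture slides): device names, uplink table
and the alarm stream below are constructed for the demonstration.
"""

# Constructed topology: each device and the upstream device it is reached
# through (None = the network core). A failure upstream makes every device
# below it unreachable from the management station.
UPLINK = {
    "core-rtr": None,
    "dist-sw1": "core-rtr",
    "acc-sw1": "dist-sw1",
    "acc-sw2": "dist-sw1",
    "srv-db1": "acc-sw1",
}

# Constructed alarm stream as (time_s, device, event): one distribution
# switch loses its link and every device behind it reports unreachable,
# one alarm is repeated, and later an unrelated access switch fails.
ALARMS = [
    (100, "dist-sw1", "linkDown"),
    (101, "acc-sw1", "unreachable"),
    (101, "acc-sw2", "unreachable"),
    (102, "srv-db1", "unreachable"),
    (105, "acc-sw1", "unreachable"),   # repeat of the alarm at t=101
    (130, "core-rtr", "cpuHigh"),
    (200, "acc-sw2", "unreachable"),   # no upstream failure: a real root
]

FAILURE_EVENTS = {"linkDown", "unreachable"}


def deduplicate(alarms, window):
    """Drop repeats of the same (device, event) arriving within `window` s."""
    last_seen, kept = {}, []
    for t, dev, ev in sorted(alarms):
        if (dev, ev) in last_seen and t - last_seen[(dev, ev)] <= window:
            continue
        last_seen[(dev, ev)] = t
        kept.append((t, dev, ev))
    return kept


def upstream_path(device, uplink):
    """Devices between `device` and the core, nearest first."""
    path, node = [], uplink.get(device)
    while node is not None:
        path.append(node)
        node = uplink.get(node)
    return path


def correlate(alarms, uplink, window):
    """Topology-based root-cause analysis.

    An 'unreachable' alarm is a symptom when a device on its path to the
    core raised a failure alarm at most `window` s earlier; the symptom is
    charged to the failed device furthest upstream, the most likely root.
    Returns (root_alarms, suppressed), where suppressed maps a root-cause
    device to the symptom alarms it explains.
    """
    failures = [(t, dev) for t, dev, ev in alarms if ev in FAILURE_EVENTS]
    roots, suppressed = [], {}
    for t, dev, ev in alarms:
        cause = None
        if ev == "unreachable":
            for up in upstream_path(dev, uplink):
                if any(d == up and 0 <= t - ft <= window for ft, d in failures):
                    cause = up      # keep looking: prefer the furthest upstream
        if cause is None:
            roots.append((t, dev, ev))
        else:
            suppressed.setdefault(cause, []).append((dev, ev))
    return roots, suppressed


def triage(alarms, dedup_window=60, cause_window=30):
    """Full pipeline: deduplicate, then correlate against UPLINK."""
    return correlate(deduplicate(alarms, dedup_window), UPLINK, cause_window)


if __name__ == "__main__":
    roots, suppressed = triage(ALARMS)
    for t, dev, ev in roots:
        n = len(suppressed.get(dev, []))
        print(f"t={t:4d} {dev:9s} {ev:12s} explains {n} symptom alarm(s)")
```

The choice of the furthest upstream failure is deliberate: the access switch that also raised "unreachable" at t=101 is itself a symptom of the distribution switch, so charging the server's alarm to the access switch would only move the noise one level. Three alarms collapse into one ticket, while the access switch that fails later with nothing wrong upstream is correctly left as its own root cause.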

Page 27:

Performance management

• Its objective is that the system performs well.
• The first problem that has to be resolved by performance management is the definition of quality of service (QoS).
• The starting point for performance management is the guarantee of quality of service.

Page 28:

QoS

• Is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.

• Its importance increases as more customer–provider relationships are involved in the implementation of corporate networks or distributed systems.

Page 29:

• Performance management therefore encompasses all the measures required for ensuring that the quality of service conforms to the service level agreement.

Page 30:

• Establishing QoS parameters and metrics.
• Monitoring all resources for performance bottlenecks and threshold crossings.
• Carrying out measurements and trend analysis to predict failure before it occurs.
• Evaluating history logs (i.e., records on system activity, error files).

Page 31:

• Processing measurement data and compiling performance reports.
• Carrying out performance and capacity planning. This entails
  • providing analytical or simulative prediction models that are used to check the results of new applications,
  • tuning measures,
  • configuration changes.

Page 32:

• Monitors, protocol analyzers, statistics packages, report generators and modeling tools are some of the typical tool functionalities in this area.

Page 33:

Accounting management

• User administration
• Name and address administration, including the related directory services
• Authorization granting the right to use resources
• The accounting services

Page 34:

• Accounting management includes
  • compiling usage data (resource usage or service usage accounting based on monitoring and metering),
  • defining accountable units,
  • keeping settlement accounts and accounting logs,
  • allocating costs to these accounts,

Page 35:

  • assigning and monitoring quotas,
  • maintaining statistics on usage,
  • and lastly, defining accounting policies and tariffs, which leads to billing and charging.

Page 36:

Security management

• Management of security in a distributed system
• It requires threat analysis
• Which resources are worth protecting?
• Typical threats are created by:

Page 37:

• Passive attacks: eavesdropping on information; producing a user profile or an undesirable traffic flow analysis or theft of information (passwords, etc.).

Page 38:

• Active attacks:
  • masquerades (i.e., users pretending to be someone else, or spoofing);
  • manipulating message sequences by changing the sequence, inadmissible repeating, giving priority to or delaying messages;
  • modifying messages;
  • manipulating resources through overloading, reconfiguration, reprogramming;
  • unauthorized access, viruses, Trojan horses, denial-of-service attacks.

Page 39:

• Malfunctioning of resources.
• Faulty or inappropriate behavior and incorrect response operation.

Page 40:

Tasks

• Conducting threat analyses.
• Defining and enforcing security policies.
• Checking identity (authentication based on signatures, notarization, or certification).
• Carrying out and enforcing access controls.

Page 41:

• Guaranteeing confidentiality (encryption).
• Ensuring data integrity (message authentication).
• Monitoring systems to prevent threats to security.
• Reporting on security status and violations or attempted violations.

Page 42:

IP NETWORK MANAGEMENT

Page 43:

CONTENTS

What is an IP network
Benefits of network management
Techniques for the collection of operational statistics and the motivation to do so
Compare benefits of proprietary configuration methods with standardized approaches
Introduction to some of the standardized management models

Page 44:

IP network?

Page 45:

Benefits of network management

Page 46:

Ability to provision new services

Page 47:

Choosing a configuration method

There are many ways to configure devices, from automatic configuration protocols such as BOOTP and DHCP, through command line interface and configuration files, to graphical user interfaces.

Page 48:

Command line interface

The easiest management tool for a manufacturer of network equipment to write, sometimes known as a craft interface (CI).

The commands have specific syntaxes and are very specific to the hardware being managed.

The CLI requires that the operator be present at a terminal directly attached to the device being managed.

Telnet can ease this.

Page 49:

Command-based configuration files have the advantages that

They can be inspected and understood by an operator,

They can be edited so that new configuration is automatically picked up on reboot, and

They are more easily proofed against software version upgrades.

Page 50:

And also

It can easily give a very fine level of control over a device and allows a user to examine every last detail of the device’s operation.

Debug commands are rarely available in any other form.

Page 51:

Graphical User Interfaces

Graphical user interfaces (GUIs) are a more user-friendly configuration tool

The biggest benefit to a GUI is the way in which data retrieved from devices can be displayed.

The GUI can provide graphical representations of information, tracking data against time or mapping resources in physical space.

Remote GUI access can be achieved in a variety of ways, including through the X/Open remote console protocols

Page 52:

The GUI can be implemented “over the top of” the CLI so that all commands issued at the GUI are mapped to CLI commands that are sent to the managed device using telnet.

How d’ you store it?

Page 53:

It is worth noting that despite the user-friendly aspects of a GUI,

• An experienced network operator or field engineer will often prefer to use the CLI.
  – The CLI gives access to a finer level of control and a greater amount of information than the GUI, even if that information is not always formatted in the most readable way.
  – Further, many engineers claim that they can operate with the CLI much faster than they can handle a GUI.

Page 54:

Standardized Data Representations and Access

Network managers dream of having a single application that they can use to manage their entire network.

One approach to building the global network management tool is to incorporate modules designed to talk to each of the individual components and map these to a common display and control component.

The Writer has to pay the price

Page 55:

One easier way to produce a global management tool is to make the individual vendors responsible for the modules that manage all of their devices, and to make those modules distinct (usually running on separate computers) with a northbound interface to the global application.

Page 56:

Page 57:

Use of an OSS (operation support system) allows the operator to utilize sophisticated provisioning and accounting services, and the OSS uses a scripting language such as TL1 (Transaction Language 1) to pass CLI-like commands on to the NMS.

The NMS is the global management application that communicates to many element management systems (EMSs), each of which is responsible for managing a collection of devices of the same type.

Page 58:

Example of OSSs

TIRKS (Trunks Integrated Record Keeping System) by Telcordia Technologies

Page 59:

EMSs are supplied by vendors. As shown in the figure, the operator may have access to the EMSs, where he or she uses proprietary CLIs and GUIs to control the devices.

There must be a channel for communication between the NMS or OSS and the EMS, popularly referred to as a northbound interface to the EMS.

Page 60:

Communication between NMS or OSS and EMS

There are two requirements for this communication:

(1) the messages must be understood universally (there must be a common communications protocol);

(2) the data must be comprehensible (there must be a common data format).

The popular standard for NMS to EMS communications is the Common Object Request Broker Architecture (CORBA).

Page 61:

How do you choose?

Protocols and techniques may dictate: which protocols and techniques are supported by the device?

The benefits of a consolidated management system dictate the use of a standardized technique.

» There are many advantages of using a standardized management protocol.

» But more detail and flexibility will often be present through proprietary configuration interfaces than are available through standards.

Page 62:

Management information base

One problem in the management of networks is deciding how the statistics and configuration data should be represented.

Each device (switch, router, host, etc.) will have different configuration requirements and internal data structures according to its implementation.

Each network management tool will have different commands and management screens displaying and requiring subtly different pieces of information.

Page 63:

Nevertheless

Any two devices that perform the same function in the network (e.g., two OSPF routers) require substantially the same configuration to enable them to operate their IP-based protocols.

Page 64:

For each protocol that it develops, the IETF (Internet Engineering Task Force) produces a standard set of operational configuration and statistics information necessary for successful configuration and management of a device that runs the protocol.

The MIB is an ordered, structured view of all of the information in all networks, all at the same time.
• A virtual database used for managing the entities in a communication network.

The secret to meeting this aim lies in the way that data values (or objects) are given unique object identifiers (OIDs) in a hierarchical and somewhat long-winded way.

Page 65:

SNMP

Simple Network Management Protocol
Provides a mechanism for the management stations to create, write, read and delete management data (MIB objects), after management stations and managed devices have a common view of management data.

Application-level protocol that can use any transport mechanism.

Most often used with UDP on port 161. TCP is occasionally chosen when a management application does not handle lost messages.

Page 66:

How it operates

SNMP is a client-server protocol. Management agents connect to the managed devices and issue requests; managed devices return responses.
Basic requests are GET and SET, to read and write an individual MIB object identified by its OID.

Page 67:

Page 68:

Manager: one or more administrative computers that have the task of monitoring or managing a group of hosts or devices on a computer network.

Each managed system executes, at all times, a software component called an agent which reports information via SNMP to the manager.

Page 69:

An SNMP-managed network consists of three key components:
Managed device
Agent — software which runs on managed devices
Network management system (NMS) — software which runs on the manager

Page 70:

An agent is a network-management software module that resides on a managed device.

An agent has local knowledge of management information and translates that information to or from an SNMP specific form.

A network management system (NMS) executes applications that monitor and control managed devices.

Page 71:

SNMP allows multiple objects within a single MIB row to be read or written in a single request.

– A single GET or SET command can operate on multiple objects within a single row.

– The GET-BULK command allows a management station to read multiple rows from a table.

Row creation and deletion are also handled.
An SNMP message called a TRAP (sometimes known as a notification) may be issued by the managed device to report a specific event (e.g., the crossing of a threshold).

Page 72:

Versions and security

MIB data are encoded for transmission using the Basic Encoding Rules (BER) from the ASN.1 specification in the international standard ISO 8825.

BER is also used for encoding SNMP messages, with the added advantage that the messages can be specified using the ASN.1 text notation.

Page 73:

SNMP messages are built from an SNMP header and an SNMP protocol data unit (PDU).

The header is quite short and contains a protocol version number.

The PDU contains the request and any data.

SNMPv1: too simple in many respects.

SNMPv2: started as an experimental protocol. Like v1, has considerable security concerns, i.e. no control over who can perform SNMP operations.
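The message layout just described (a short header carrying the version and community, then the PDU with request-id, error-status, error-index and the variable bindings) and the BER encoding of the previous slide, as an added example that is not code from the lecture: a minimal BER encoder and decoder written for this page that builds an SNMPv1 GetRequest for sysDescr.0 (the standard MIB-II object 1.3.6.1.2.1.1.1.0) and parses it back. The community string "public" and the request-id are constructed sample values.

```python
"""Minimal ASN.1 BER codec for an SNMPv1/v2c GetRequest.

Added example, not code from the lecture slides: community string and
request-id are constructed sample values.
"""

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0   # context-specific [0], constructed

def encode_length(n):
    """Definite length: one octet below 128, else 0x80|count followed by the octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value

def encode_integer(v):
    """INTEGER: two's complement in the fewest octets that hold the value."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(TAG_INTEGER, v.to_bytes(n, "big", signed=True))

def encode_oid(oid):
    """OBJECT IDENTIFIER: the first two arcs fold into 40*a+b, then every arc
    is written base 128, high bit set on all but its last octet."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + oid)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(octets))
    return tlv(TAG_OID, bytes(out))

def encode_get_request(community, oids, request_id, version=0):
    """Whole message; version 0 = SNMPv1, 1 = SNMPv2c. A GetRequest binds
    each OID to a NULL placeholder that the response will fill in."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, encode_oid(o) + tlv(TAG_NULL, b""))
                        for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, encode_integer(version)
               + tlv(TAG_OCTET_STRING, community.encode())
               + tlv(TAG_GET_REQUEST, pdu))

def read_tlv(buf, pos):
    """Return (tag, value, position after the value) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Inverse of encode_oid; a first sub-identifier of 80 or more means root arc 2."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def to_int(value):
    return int.from_bytes(value, "big", signed=True)

def decode_message(buf):
    """Parse header and PDU; each varbind comes back as (oid, value tag, raw value)."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, status, p = read_tlv(pdu, p)
    _, index, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid_bytes, r = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(oid_bytes), vtag, value))
    return {"version": to_int(version), "community": community.decode("ascii", "replace"),
            "pdu_tag": pdu_tag, "request_id": to_int(rid), "error_status": to_int(status),
            "error_index": to_int(index), "varbinds": varbinds}

if __name__ == "__main__":
    msg = encode_get_request("public", ["1.3.6.1.2.1.1.1.0"], request_id=1)
    print(msg.hex())           # the community string is visible in the clear
    print(decode_message(msg))
```

Decoding the datagram hands back the community string in the clear, which is the security concern the slide raises for v1 and v2: whoever can read the packet on its way to UDP port 161 learns the only credential those versions carry, and nothing in the message proves who sent it. That is why sites limit which stations may reach port 161 and move to SNMPv3 where the device allows it; the same decoder, run over a packet capture, is also a cheap way to find v1/v2c traffic that is still present on a network that was supposed to have migrated.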

Page 74:

SNMPv3: includes application-level cryptographic authentication to enable individual users to be authenticated.

SNMPv3 differs from SNMPv2 in the message header only.
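SNMPv3's user-based authentication, as an added example that is not from the slides: the password-to-key and key-localization steps of RFC 3414 (the user-based security model) and the truncated HMAC that authenticates each message, which is also the "message authentication" named under the security-management tasks earlier. The password "maplesyrup" and engine ID 000000000000000000000002 are the sample inputs from the RFC 3414 appendix; the second engine ID and the message bytes are constructed for this example.

```python
"""SNMPv3 user-based security: password-to-key, key localization, HMAC-96.

Added example, not code from the lecture slides. Follows the RFC 3414
procedures; ENGINE_B and the message bytes are constructed sample values.
"""
import hashlib
import hmac

ONE_MIB = 1_048_576


def password_to_key(password, hash_name="md5"):
    """Ku: hash of the password repeated to exactly 1 MiB (RFC 3414 A.2).
    The long input makes each password guess expensive to try offline."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    repeated = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): a per-device key derived from the
    shared password, so a key read out of one agent is useless on another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password, engine_id, hash_name="md5"):
    """Convenience: password straight to the key used with one engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_tag(kul, message, hash_name="md5"):
    """HMAC-96: the first 12 octets of HMAC(Kul, message). In a real message
    the msgAuthenticationParameters field is zero-filled while hashing."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth(kul, message, tag):
    """Constant-time comparison, so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(auth_tag(kul, message), tag)


ENGINE_A = bytes.fromhex("000000000000000000000002")  # RFC 3414 appendix engine ID
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed second agent


if __name__ == "__main__":
    kul_a = localized_key("maplesyrup", ENGINE_A)
    kul_b = localized_key("maplesyrup", ENGINE_B)
    print("Kul for engine A:", kul_a.hex())
    print("engine B gets a different key:", kul_a != kul_b)
    msg = b"constructed SNMPv3 message bytes"
    tag = auth_tag(kul_a, msg)
    print("original verifies:", verify_auth(kul_a, msg, tag))
    print("tampered message verifies:", verify_auth(kul_a, msg + b"!", tag))
```

Two things the code makes concrete: localization is what turns one operator password into a different key per agent, so compromise of one device does not hand out the key for the rest; and the HMAC tag is what lets the receiver reject a message that was modified in transit or replayed under a different engine, which the community string of v1/v2c can never do.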

Page 75:

Choosing the version depends on the device. Many older devices support SNMPv1 or SNMPv2.

Page 76:

EXTENSIBLE MARKUP LANGUAGE (XML)

Subset of the Standard Generalized Markup Language (SGML) specified in ISO 8879.

XML documents look similar to HTML, but XML document specifications include strict definitions of the data type in each field of an object.

Hence suitable for databases.

XML provides encoding rules for commands that are used to transfer and update data objects.

Page 77:

The collection of tags in an XML document is referred to as the markup data. They
– give instructions on the interpretation of individual data elements,
– define how the elements are associated,
– describe the purpose of the entire document and its applicability.

Page 78:

Didn’t tell you this

XML is neither a communications protocol, nor tied to use within the Internet, but its applicability and increasing popularity as a configuration and management tool for Internet devices makes it worthy of further examination.

Page 79:

Extensibility and Domains of Applicability

XML elements can be defined as they are needed to fulfill the needs of specific document uses.

Network management is one of the domains; subdomains might be defined for the management of a type of network element (e.g., a router).

Page 80:

XML Remote Procedure Calls

XML is a data encoding technique that can be used to represent data and data requests that are transmitted between components on a single node or across a network.

Page 81:

It does not define what data should be transferred, nor does it define how the XML documents should be exchanged.

Page 82:

XML documents may be transferred using any data or file transfer process:
– FTP
– HTTP
– SOAP: lightweight protocol for exchange of XML documents over an underlying transport protocol.
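The strictly typed fields described earlier in this section and the SOAP transfer listed above, as an added example (not from the slides) written with Python's standard library: a constructed <interface> configuration document, a table that declares the type and the allowed values of each field, a checker that reports every violation before the document is applied, and SOAP 1.1 Envelope wrapping and unwrapping. The element names, field rules and sample values are assumptions made for this example.

```python
"""Type-checked parsing of an XML device configuration, plus SOAP wrapping.

Added example, not code from the lecture slides: element names, field
rules and the <interface> document itself are constructed for the demo.
"""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed configuration document for one router interface
CONFIG_XML = """<?xml version="1.0"?>
<interface name="ge-0/0/1">
  <description>uplink to dist-sw1</description>
  <mtu>1500</mtu>
  <admin-state>up</admin-state>
  <ipv4-address>192.0.2.1/24</ipv4-address>
</interface>"""

# Same document, still well-formed XML, but two fields carry the wrong type/value
BAD_CONFIG_XML = CONFIG_XML.replace("1500", "jumbo").replace(">up<", ">enabled<")


def is_ipv4_prefix(text):
    """An IPv4 address with a prefix length, e.g. 192.0.2.1/24."""
    try:
        ipaddress.IPv4Interface(text)
    except ValueError:
        return False
    return "/" in text


# Strict definition of each field: (Python type, validity check on the typed value)
FIELDS = {
    "description": (str, lambda s: 0 < len(s) <= 64),
    "mtu": (int, lambda n: 68 <= n <= 9216),
    "admin-state": (str, lambda s: s in ("up", "down")),
    "ipv4-address": (str, is_ipv4_prefix),
}


def check_interface(root):
    """Convert every child element to its declared type and validate it.
    Returns (values, problems); all problems are collected, not just the first."""
    if root.tag != "interface" or "name" not in root.attrib:
        return {}, ["root element must be <interface name=...>"]
    values, problems, seen = {"name": root.attrib["name"]}, [], set()
    for child in root:
        if child.tag not in FIELDS:
            problems.append(f"unknown element <{child.tag}>")
            continue
        seen.add(child.tag)
        pytype, valid = FIELDS[child.tag]
        text = (child.text or "").strip()
        try:
            value = pytype(text)
        except ValueError:
            problems.append(f"<{child.tag}>: {text!r} is not of type {pytype.__name__}")
            continue
        if not valid(value):
            problems.append(f"<{child.tag}>: {value!r} fails validation")
            continue
        values[child.tag] = value
    problems += [f"missing element <{m}>" for m in sorted(set(FIELDS) - seen)]
    return values, problems


def parse_interface(xml_text):
    """Parse and validate a document; refuse it unless every field checks out."""
    values, problems = check_interface(ET.fromstring(xml_text))
    if problems:
        raise ValueError("; ".join(problems))
    return values


def problems_in(xml_text):
    """Just the list of violations, for reporting back to the operator."""
    return check_interface(ET.fromstring(xml_text))[1]


def soap_wrap(xml_text):
    """Place the document in a SOAP 1.1 Envelope/Body for transfer over HTTP."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Body").append(ET.fromstring(xml_text))
    return ET.tostring(envelope)


def soap_unwrap(data):
    """Return the single Body child as an XML string, rejecting anything else."""
    envelope = ET.fromstring(data)
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if envelope.tag != f"{{{SOAP_NS}}}Envelope" or body is None or len(body) != 1:
        raise ValueError("expected a SOAP Envelope with exactly one Body element")
    return ET.tostring(body[0], encoding="unicode")


if __name__ == "__main__":
    print(parse_interface(CONFIG_XML))
    print(problems_in(BAD_CONFIG_XML))
    print(parse_interface(soap_unwrap(soap_wrap(CONFIG_XML))))
```

The type table is the safety net the slide's "strict definitions of the data type in each field" buys you in practice: a document that is perfectly well-formed XML but carries "jumbo" as an MTU and "enabled" as an administrative state is refused with both problems listed, instead of being half-applied to a device that is then neither in its old nor its intended configuration.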

Page 83:

XML Applicability to Network Management

Easy development of Web-based management applications that can read and write network configuration information from and to remote devices.

Simple to use

Page 84:

Its encoding method introduces too much overhead, but this is overcome by compression algorithms.

Page 85:

CORBA (COMMON OBJECT REQUEST BROKER ARCHITECTURE)

Distributed management architecture.
Takes an object-oriented approach to management.
Developed by the Object Management Group (OMG).

Page 86:

Each managed object (e.g., a device, a line card, or a connection) is represented in CORBA by a CORBA object.

The object is defined by an object interface. The object interface
– indicates the accessible fields within an object,
– the operations that can be performed on the object, and
– the relationship between the object and other objects.

Page 87: NETWORK MANAGEMENT COD 06103 With RICHARD RAJABU MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

It’s a client server architectureClient = management agent that performs

operations on objects that are controlled by the server

Client and server are connected by ORB

Page 88: NETWORK MANAGEMENT COD 06103 With RICHARD RAJABU MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

This architectureProtects the client from knowledge of the

location of the server for each objectAllows local and remote objects to be managed

in a uniform way.

Page 89: NETWORK MANAGEMENT COD 06103 With RICHARD RAJABU MBEYA UNIVERSITY OF SCIENCE AND TECHNOLOGY

Choosing a config protocolNot a simple taskXML:Easy to extend, readable by human, easy for a

program to parse but has overhead.CORBA:Favorite of the larger service providers, popular

with object oriented programmersSNMP:Well established

Page 90

Choosing to collect stats

Stats provide constant monitoring of the status of links and nodes.

SNMP: Provides notifications on key events; gives access to counters that provide basic statistical information about the traffic flows through a specific interface or device.

Page 91

Collecting stats creates additional traffic.

It should be done in a very structured way.

And SNMP is request-response based.

Page 92

Solution

Create multiple collection points and a central collection point.

Page 93

Solution

Stats are for: billing, fault detection, long-term planning, service maintenance.

So they can be filtered.

Page 94

Thermometer

Provide a clear definition of network management

What is the relationship between fault and quality of service?

What is the main purpose of SNMP, CORBA and XML?

Discuss the use of XML in network management

Discuss the four main uses of statistics in network management

Page 95

NETWORK SECURITY MANAGEMENT

Paul Peter, Computer Eng., Mbeya University of Science & Technology

Page 96

RISK ANALYSIS

Page 97

Before spending time and money on network security, you should examine your network’s security risks.

Consider the effect that a loss or breach of data, programs, or access would have on your network.

Network security risks differ from organization to organization.

Page 98

Fundamental questions

What is at risk? What will I lose if it’s stolen, damaged or eradicated (erased)?

Page 99

Security audit

Conducted to assess security risk

Thorough examination of each aspect of the network to determine how it might be compromised.

Performed at least annually

Rate the severity of the potential effect

Rate its likelihood

May hire a third party

Page 100

Security risks

Need to know how to recognize threats that your network could suffer.

A breach may result from a number of sources, most notably:

People

Transmission and hardware

Protocol and software

Internet access

Page 101

Risks associated with people

By some estimates, human errors, ignorance, and omissions cause more than half of all security breaches sustained by networks.

Page 102

Social engineering

An intruder asks a user for his/her password

Might pose as a technical support analyst

Phishing: a person attempts to collect access or authentication information by posing as someone who needs that information

Page 103

Other risks

Intruders or attackers using social engineering or snooping to obtain user passwords

An administrator incorrectly creating or configuring user IDs, groups, and their associated rights on a file server, resulting in file and logon access vulnerabilities

Network administrators overlooking security flaws in topology or hardware configuration

Network administrators overlooking security flaws in the operating system or application configuration

Page 104

Lack of proper documentation and communication of security policies, leading to deliberate or inadvertent misuse of files or network access

Dishonest or disgruntled employees abusing their file and access rights

An unused computer or terminal being left logged on to the network, thereby providing an entry point for an intruder

Page 105

Users or administrators choosing easy-to-guess passwords

Authorized staff leaving computer room doors open or unlocked, allowing unauthorized individuals to enter

Page 106

Staff discarding disks or backup tapes in public waste containers

Administrators neglecting to remove access and file rights for employees who have left the organization

Users writing their passwords on paper, then placing the paper in an easily accessible place (for example, taping it to their monitor or keyboard)

Page 107

Risks associated with transmission hardware

Risks inherent in the Physical, Data Link, and Network layers of the OSI model.

At these levels, security breaches require more technical sophistication than those that take advantage of human errors. To eavesdrop on transmissions passing through a switch, an intruder must use a device such as a protocol analyzer, connected to one of the switch’s ports.

Page 108

Transmissions can be intercepted.

Man-in-the-middle attack: a person redirects or captures secure transmissions as they occur.

Page 109

A hacker gains control of an access point at a café that offers free Wi-Fi Internet access.

She could intercept transmissions between café visitors and the access point, and, for instance, learn users’ passwords or even supply users with a phony (fake) Web site that looks valid but presents clickable options capable of harming their systems.

Page 110

Risks Associated with Internet Access

Although the Internet has brought computer crime, such as hacking, to the public’s attention, network security is more often compromised “from the inside” than from external sources.

Page 111

Even the most popular Web browsers sometimes contain bugs that permit scripts to access their systems while they’re connected to the Internet, potentially for the purpose of causing damage.

http://www.positioniseverything.net/explorer/ienondisappearcontentbugPIE/index.htm

Page 112

By keeping software current, staying abreast of emerging security threats, and designing your Internet access wisely, users can prevent most of these threats.

Page 113

Common Internet-related security issues include the following:

A firewall may not provide adequate protection if it is configured improperly.

It may allow outsiders to obtain internal IP addresses.

IP spoofing

When a user Telnets or FTPs to your site over the Internet, her user ID and password are transmitted in plain text—that is, unencrypted.

Page 114

Hackers may obtain information about your user ID from newsgroups, mailing lists, or forms you have filled out on the Web.

Page 115

While users remain logged on to Internet chat sessions, they may be vulnerable to other Internet users who might send commands to their machines that cause the screen to fill with garbage characters and require them to terminate their chat sessions. This type of attack is called flashing.

Page 116

After gaining access to your system through the Internet, a hacker may launch denial-of-service attacks.

DoS attack: an attempt to make a computer or network resource unavailable to its intended users.

A hacker could create a looping program that sends thousands of e-mail messages to your system per minute.

Smurf attack: occurs when a hacker issues a flood of broadcast ping messages.

Page 117

Security policy

Minimize the risk of break-ins by communicating with and managing the users in your organization via a thoroughly planned security policy.

Page 118

A security policy identifies your security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee.

A security policy comes after identifying the goals of security for your organization.

Page 119

Typical goals

Ensure that authorized users have appropriate access to the resources they need.

Prevent unauthorized users from gaining access to the network, systems, programs, or data.

Protect sensitive data from unauthorized access, both from within and from outside the organization.

Page 120

Prevent accidental damage to hardware or software.

Prevent intentional damage to hardware or software.

Create an environment in which the network and systems can withstand and, if necessary, quickly respond to and recover from any type of threat.

Page 121

Communicate each employee’s responsibilities with respect to maintaining data integrity and system security.

Page 122

After defining the goals of your security policy, you can devise a strategy to attain them.

Page 123

You might form a committee composed of managers and interested parties from a variety of departments, in addition to your network administrators.

Remember that you need to gather as much support as you can.

Page 124

This committee can assign a security coordinator, who will then drive the creation of a security policy.

Do not let it sound as if it is your thing alone.

Page 125

A security policy must address an organization’s specific risks.

These come from a proper audit.

Page 126

Security Policy Content

Subheadings for the policy outline might include the following:

Password policy; Software installation policy; Confidential and sensitive data policy; Network access policy; E-mail use policy; Internet use policy; Modem use policy; Remote access policy; Policies for connecting to remote locations, the Internet, and customers’ and vendors’ networks; Policies for use of laptops and loaner machines; and Computer room access policy.

Page 127

The security policy should explain to users what they can and cannot do and how these measures protect the network’s security.

Page 128

A security policy should also define what confidential means to the organization.

Page 129

NEXT: Physical security and firewalls

Page 130

NETWORK SECURITY 2

Page 131

Physical security

An important element in network security is restricting physical access to its components.

Think of all the points at which your systems or data could be compromised: switches in a wiring closet, an unattended workstation at someone’s desk, an equipment room or entrance facility where your leased line to the Internet terminates, a storage room for archived data and backup tapes.

Page 132

Locks may be either physical or electronic. Electronic access badges, bio-recognition access, closed-circuit TV systems.

Page 133

Security in Network Design

Breaches may still occur due to poor LAN or WAN design.

The optimal way to prevent external security breaches from affecting your LAN is not to connect your LAN to the outside world at all!!!!

Page 134

Router Access Lists

A router’s main function is to examine packets and determine where to direct them based on their Network layer addressing information.

An ACL instructs the router to permit or deny traffic according to one or more of the following variables:

Page 135

Network layer protocol (for example, IP or ICMP)

Transport layer protocol (for example, TCP or UDP)

Source IP address

Source netmask

Destination IP address

Destination netmask

TCP or UDP port number

Page 136

If a packet’s characteristics match a variable that’s flagged as “deny” in the ACL, the router drops the packet. Otherwise, it forwards the packet.

If a router contains several interfaces, each interface can be assigned a separate ACL.

Page 137

Router interface

Page 138

Intrusion Detection and Prevention

A network administrator might use techniques to monitor and flag any unauthorized attempt to access an organization’s secured network resources using an IDS (intrusion detection system).

An IDS exists as software running on a dedicated IDS device or on another device, such as a server or switch, that also performs other functions.

Page 139

Major vendors of networking hardware, such as Cisco, HP, Juniper Networks, and Lucent, sell IDS devices.

Examples of popular open-source IDS software, which can run on virtually any network-connected machine, include Tripwire and Snort.

Page 140

IDS monitors traffic.

IDS software can be configured to detect many types of suspicious traffic patterns, including those typical of denial-of-service or smurf attacks.

Its sensors are installed at the edges of the network.

Page 141

It has drawbacks

Logging of false positives, e.g. multiple logon attempts by a legitimate user

To continue to guard against new threats, IDS software must be updated and rules of detection re-evaluated regularly.

Page 142

Together with IDS

An IPS (intrusion-prevention system) can react when alerted to suspicious activity logged by the IDS.

If a hacker’s attempt to flood the network with traffic is detected, the IPS can detect the threat and prevent that traffic, based on its originating IP address, from flowing to the network.

Page 143

Many vendors sell devices that integrate both IDS and IPS functions.

As with an IDS, an IPS must be carefully configured to avoid an abundance of false alarms.

Page 144

FIREWALLS

Page 145

A firewall is a specialized device, or a computer installed with specialized software, that selectively filters or blocks traffic between networks.

It typically involves a combination of hardware and software.

It may reside between two interconnected private networks or between a private network and a public network (the Internet).

Page 146

Firewalls exist in two categories:

Network based: protects an entire network

Host based: protects the single host on which it is installed

Page 147

A firewall

Page 148

Different forms of firewalls

Packet-filtering firewall: A router that examines the header of every packet of data it receives, aka a screening firewall.

Nearly all routers can be configured to act as a packet-filtering firewall.

Can block traffic attempting to exit a LAN, to stop worms from spreading.

Page 149

Some common criteria a packet-filtering firewall might use to accept or deny traffic include the following:

Page 150

Source and destination IP addresses

Source and destination ports (for example, ports that supply TCP/UDP connections, FTP, Telnet, ARP, ICMP, and so on)

Flags set in the IP header (for example, SYN or ACK)

Transmissions that use the UDP or ICMP protocols

Page 151

A packet’s status as the first packet in a new data stream or a subsequent packet

A packet’s status as inbound to or outbound from your private network

Page 152

Different forms of firewalls (contd)

Content-filtering firewalls: Can block designated types of traffic based on application data contained within packets.

Page 153

Stateful firewall: Monitors a data stream from end to end, i.e. views the whole stream. Performs slowly.

Stateless firewall: Simply examines each packet individually. Performs faster. Not sophisticated.
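The ACL variables from the Router Access Lists slides and the packet-filtering criteria above (addresses, netmasks, ports, flags, first-packet-versus-subsequent-packet, inbound/outbound) can be combined into one small filter that runs in both the stateless and the stateful mode just described. This is an added example, not code from the course or from any router or firewall product; the rule set, the 192.0.2.0/24 private network and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a router ACL or packet filter looks at."""
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    direction: str = "inbound"       # relative to the private network


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: str = "0.0.0.0/0"           # address and netmask in prefix notation
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any port
    direction: Optional[str] = None  # None matches both directions

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction))


def stateless_filter(rules, pkt):
    """Stateless mode: each packet is judged on its own. The first matching
    rule decides; a packet matching no rule is dropped (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful mode: only the first packet of a TCP stream (SYN without ACK)
    is checked against the rules. Later packets of an accepted stream pass in
    either direction, and packets belonging to no known stream are dropped
    even when a rule would have permitted them on their own."""

    def __init__(self, rules):
        self.rules = rules
        self.streams = set()   # accepted connections, keyed independent of direction

    @staticmethod
    def _key(pkt):
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def filter(self, pkt):
        if pkt.proto != "tcp":
            return stateless_filter(self.rules, pkt)
        key = self._key(pkt)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # first packet of a stream
            action = stateless_filter(self.rules, pkt)
            if action == "permit":
                self.streams.add(key)
            return action
        return "permit" if key in self.streams else "deny"


# Constructed ACL for a private network 192.0.2.0/24 (documentation address range):
# only HTTPS to one server may come in, anything from inside may go out.
ACL = [
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=443, direction="inbound"),
    Rule("deny", direction="inbound"),
    Rule("permit", src="192.0.2.0/24", direction="outbound"),
]


def demo():
    """Runs three constructed packets through both modes; returns the decisions."""
    out_syn = Packet("tcp", "192.0.2.20", "203.0.113.5", 51000, 80, frozenset({"SYN"}), "outbound")
    reply = Packet("tcp", "203.0.113.5", "192.0.2.20", 80, 51000, frozenset({"SYN", "ACK"}), "inbound")
    stray = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 443, frozenset({"ACK"}), "inbound")
    stateful = StatefulFilter(ACL)
    return {
        # statelessly, the reply to an outbound connection is blocked and a
        # stray mid-stream packet to the web server is let through
        "stateless": [stateless_filter(ACL, p) for p in (out_syn, reply, stray)],
        # the stateful filter gets both cases right, at the cost of keeping state
        "stateful": [stateful.filter(p) for p in (out_syn, reply, stray)],
    }


if __name__ == "__main__":
    print(demo())
```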

Page 154

A firewall can help in setting up a VPN.

A firewall has to be tailored according to needs.

Page 155

Weakness

They cannot distinguish between a user who is trying to breach the firewall and a user who is authorized to do so.

They operate at the Network layer of the OSI model.

Page 156

Proxy Servers

PFF + PROXY SERVICE = ENHANCED SECURITY (Transport and Network layers)

A proxy service is a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic.

Page 157

The network host that runs the proxy service is known as a proxy server.

Also called an Application layer gateway, an application gateway, or simply a proxy.

Page 158

Where does a proxy reside in a network?

Page 159

Questions ?

Page 160

NETWORK SECURITY

ENCRYPTION

Page 161

ENCRYPTION

The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm—that is, by decrypting the data.

The purpose of encryption is to keep information private.

Exists in many forms

The last line of defense

Page 162

ASSURANCES OF ENCRYPTION

Data was not modified after the sender transmitted it and before the receiver picked it up.

Data can only be viewed by its intended recipient (or at its intended destination).

All of the data received at the intended destination was truly issued by the stated sender and not forged by an intruder.

Page 163

AREAS OF APPLICATION

Encryption can protect: data stored on a medium, such as a hard disk, or data in transit over a communications channel.

Page 164

TYPES OF ENCRYPTION

Key Encryption: DATA + KEY = CIPHERTEXT

KEY: Random sequence of characters weaved into the original data bits

Hello! + 0FD3E97A = ?

The more bits in the key, the harder it is to crack

Susceptible to brute-force attack
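The slide’s DATA + KEY = CIPHERTEXT with Hello! and the key 0FD3E97A can be worked through in code. This is an added example, not from the course; it assumes "weaved into the data bits" means a bitwise XOR with the key repeated over the data (the slide does not say how the weaving is done), and the trial rate of one billion keys per second used to compare key lengths is an assumed figure.

```python
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Weave the key into the data bit by bit with XOR, repeating the key as
    needed. Applying the same function again undoes it (XOR is its own inverse),
    which is what 'reversing the algorithm' means for this cipher."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt(text: str, key_hex: str) -> str:
    """DATA + KEY = CIPHERTEXT; the key is given as hex digits, as on the slide."""
    return xor_with_key(text.encode("utf-8"), bytes.fromhex(key_hex)).hex()


def decrypt(cipher_hex: str, key_hex: str) -> str:
    """Reverse the algorithm with the same key (symmetric encryption)."""
    return xor_with_key(bytes.fromhex(cipher_hex), bytes.fromhex(key_hex)).decode("utf-8")


def keyspace(key_bits: int) -> int:
    """Number of keys a brute-force attacker must try in the worst case: every
    extra bit doubles it, which is why longer keys are harder to crack."""
    return 2 ** key_bits


def worst_case_seconds(key_bits: int, keys_per_second: float) -> float:
    """Time to exhaust the keyspace at an assumed trial rate."""
    return keyspace(key_bits) / keys_per_second


if __name__ == "__main__":
    key = "0FD3E97A"                         # the slide's 32-bit key
    c = encrypt("Hello!", key)
    print("Hello! +", key, "=", c, "-> decrypts to", decrypt(c, key))
    for bits in (32, 64, 128):
        years = worst_case_seconds(bits, 1e9) / (3600 * 24 * 365)
        print(f"{bits}-bit key: {keyspace(bits)} candidates, {years:.3g} years at 1e9 keys/s")
```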

Page 165

Categories of key encryption:

Public key encryption: Data is encrypted using two keys: one key known only to the user (private), and one key that is public and associated with the user.

aka asymmetric encryption

Page 166

Private key encryption: Data is encrypted using a single key that only the sender and the receiver know.

aka symmetric encryption

Page 167

PGP (Pretty Good Privacy)

Public key encryption system

Verifies the authenticity of an e-mail sender and encrypts e-mail data in transmission

Can also be used to encrypt data on storage devices

Page 168

SSL (Secure Sockets Layer)

A method of encrypting TCP/IP transmissions

The most recent versions of Web browsers, such as Firefox and Internet Explorer, include SSL client support in their software.

HTTPS (which stands for HTTP over Secure Sockets Layer or HTTP Secure)

HTTP: TCP/IP port 80; HTTPS: TCP/IP port 443

Page 169

SSH (Secure Shell)

Secure telnet

Provides security for establishing a connection (authenticating) and transmitting data

Guards against IP spoofing and DNS spoofing

Page 170

DNS spoofing: A security attack in which an outsider forges name server records to falsify his host’s identity.

IP spoofing: A security attack in which an outsider obtains internal IP addresses, then uses those addresses to pretend that he has authority to access a private network from the Internet.

Page 171

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)

An extension to OpenSSH

Allows you to copy files from one host to another securely.

SCP replaces insecure file copy protocols such as FTP

Page 172

IPSec (Internet Protocol Security)

Defines encryption, authentication, and key management for TCP/IP transmissions

It is an enhancement to IPv4 and is native to the newer IPv6 standard

Encrypts data by adding security information to the header of all IP packets.

Operates at the Network layer (Layer 3) of the OSI model.

Page 173

In addition there are authentication protocols such as:

RADIUS (Remote Authentication Dial-In User Service)

PAP (Password Authentication Protocol)

CHAP (Challenge Handshake Authentication Protocol)

EAP (Extensible Authentication Protocol)

802.1x (EAPoL) - EAP over LAN

Kerberos

Page 174

A wireless network provides many other new challenges

Highly susceptible to eavesdropping

WEP (Wired Equivalent Privacy): Uses keys both to authenticate network clients and to encrypt data in transit.

IEEE 802.11i and WPA (Wi-Fi Protected Access): WEP’s improvement

Page 175

HOME WORK

Analyze the differences and similarities between viruses, worms and Trojan horses

Page 176

FAULT AND PERFORMANCE MANAGEMENT

Page 177

What is fault and performance management

Issues on fault management

Issues on performance management

Page 178

Performance management: monitoring how well links and devices are keeping up with the demands placed on them.

Fault management: the detection and signaling of device, link, or component faults.

Can you figure out their connection?

Page 179

Software

Tivoli NetView - from IBM

CiscoWorks

All rely on a similar architecture

Page 180

At least one network management console (which may be a server or workstation, depending on the size of the network) collects data from multiple networked devices at regular intervals, in a process called polling.

Page 181

Each managed device runs a network management agent, a software routine that collects information about the device’s operation and provides it to the network management application running on the console.

Page 182

A managed device may contain several objects that can be managed, including components such as processor, memory, hard disk, NIC, or intangibles such as performance or utilization.

For example, on a server, an agent can measure how many users are connected to the server or what percentage of the processor’s resources are used at any time.

Page 183

Agents communicate information about managed devices via any one of several Application layer protocols.

Most agents use SNMP.

Page 184

After data is collected, the network management application can present an administrator with several ways to view and analyze the data.

In the form of a map

Page 185

Because of their flexibility, sophisticated network management applications are also challenging to configure and fine-tune.

You have to be careful to collect only useful data and not an excessive amount of routine information.

Choose only significant moments to collect data.

Page 186

MRTG (Multi Router Traffic Grapher)

A command-line utility that uses SNMP to poll devices, collects data in a log file, then generates HTML-based views of the data.

Freely distributed software

Can be used with UNIX, Linux, and Windows operating systems and can collect and graph data from any type of device that uses SNMP.
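The interface counters mentioned under "Choosing to collect stats" are what a polling console such as MRTG turns into utilization graphs; the arithmetic is shown below as an added example (not MRTG’s own code, and not from the course). The 5-minute samples of a 10 Mbit/s link are constructed, and the roll-over of the 32-bit ifInOctets counter between two polls shows the case a poller has to handle rather than report as negative traffic.

```python
from dataclasses import dataclass

COUNTER32_WRAP = 2 ** 32   # ifInOctets/ifOutOctets are 32-bit counters that roll over to 0


@dataclass
class Sample:
    """One poll of an interface's octet counters."""
    t: float            # poll time in seconds
    in_octets: int
    out_octets: int


def counter_delta(prev: int, cur: int, wrap: int = COUNTER32_WRAP) -> int:
    """Octets counted between two polls, allowing for a single roll-over.
    A naive cur - prev would go negative when the counter has wrapped."""
    if cur >= prev:
        return cur - prev
    return cur + wrap - prev


def utilization(prev: Sample, cur: Sample, link_bps: int):
    """Average in/out bit rate over the polling interval and the share of link
    capacity used; returns (in_bps, out_bps, in_pct, out_pct)."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / interval
    return in_bps, out_bps, 100 * in_bps / link_bps, 100 * out_bps / link_bps


def max_safe_interval(link_bps: int, wrap: int = COUNTER32_WRAP) -> float:
    """Longest polling interval at which a 32-bit counter on a saturated link
    cannot wrap twice between polls; polling less often silently loses data,
    which is the 'structured' collection the slides call for."""
    return wrap * 8 / link_bps


def over_threshold(samples, link_bps, pct=80.0):
    """Fault-management view of the same stats: intervals whose in or out
    utilization exceeds pct, as (end time, in_pct, out_pct)."""
    alarms = []
    for prev, cur in zip(samples, samples[1:]):
        _, _, in_pct, out_pct = utilization(prev, cur, link_bps)
        if max(in_pct, out_pct) > pct:
            alarms.append((cur.t, round(in_pct, 1), round(out_pct, 1)))
    return alarms


# Constructed 5-minute polls of a 10 Mbit/s link; ifInOctets rolls over between the first two
LINK_BPS = 10_000_000
SAMPLES = [
    Sample(0, 4_294_000_000, 1_000_000),
    Sample(300, 200_000_000, 311_000_000),
    Sample(600, 250_000_000, 330_000_000),
]


if __name__ == "__main__":
    for prev, cur in zip(SAMPLES, SAMPLES[1:]):
        print(cur.t, utilization(prev, cur, LINK_BPS))
    print("alarms:", over_threshold(SAMPLES, LINK_BPS))
    print("max safe poll interval on 1 Gbit/s: %.1f s" % max_safe_interval(1_000_000_000))
```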

Page 187

System and Event Logs

Virtually every condition recognized by an operating system can be recorded on your computer.

Records of such activity are kept in a log.

In addition to predefined events, developers can customize logs by defining conditions under which new entries are created.

Page 188

On Windows-based computers, including those running Windows Vista or Windows Server 2008, such a log is known as an event log and can be easily viewed with the GUI Event Viewer application.

Page 189

Similar information is routinely recorded by computers running Linux or UNIX in a system log.

Newer versions of Linux typically write their system logs to the file /var/log/messages, while older versions of UNIX often write to a system log in the file /var/logs/syslog.

Page 190

To find out where various logs are kept on your UNIX or Linux system, view the /etc/syslog.conf file or the /etc/rsyslog.conf file.

Page 191

Much of the information collected in event logs and syslog files does not point to a problem, even if it is marked with a warning.

Using these logs for fault management requires thoughtful data filtering and sorting.
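The filtering and sorting this slide asks for, and the IDS false positive from the "It has drawbacks" slide (a legitimate user’s repeated logon attempts), are shown together below in an added example that is not part of the course material. The /var/log/messages-style lines are constructed, and the hostnames, user names and addresses in them are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/messages-style lines (not taken from any real system)
LOG = """\
Mar 30 09:00:01 gw1 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Mar 30 09:00:13 gw1 kernel: eth1: link down
Mar 30 09:00:20 gw1 kernel: eth1: link up, 100Mbps full-duplex
Mar 30 09:01:02 srv1 sshd[4412]: Failed password for alice from 192.0.2.20 port 50110 ssh2
Mar 30 09:01:09 srv1 sshd[4412]: Failed password for alice from 192.0.2.20 port 50110 ssh2
Mar 30 09:01:15 srv1 sshd[4412]: Accepted password for alice from 192.0.2.20 port 50110 ssh2
Mar 30 09:02:00 srv1 sshd[4420]: Failed password for invalid user admin from 198.51.100.7 port 52211 ssh2
Mar 30 09:02:04 srv1 sshd[4421]: Failed password for invalid user test from 198.51.100.7 port 52212 ssh2
Mar 30 09:02:09 srv1 sshd[4422]: Failed password for root from 198.51.100.7 port 52213 ssh2
Mar 30 09:02:13 srv1 sshd[4423]: Failed password for invalid user oracle from 198.51.100.7 port 52214 ssh2
Mar 30 09:02:18 srv1 sshd[4424]: Failed password for root from 198.51.100.7 port 52215 ssh2
Mar 30 09:03:00 srv1 CRON[4430]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
LINK_RE = re.compile(r"(?P<iface>\w+): link (?P<state>up|down)")
NOISE = {"CRON"}   # routine entries that never indicate a fault in this example


def parse(text):
    """Turn raw syslog lines into records; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            records.append(rec)
    return records


def relevant(records):
    """The filtering step: drop routine programs before anyone reads the rest."""
    return [r for r in records if r["prog"] not in NOISE]


def link_faults(records):
    """Fault management: interface state changes from the kernel, in order."""
    out = []
    for r in records:
        m = LINK_RE.search(r["msg"]) if r["prog"] == "kernel" else None
        if m:
            out.append((r["host"], m["iface"], m["state"]))
    return out


def logon_review(records, threshold=5, window_s=60):
    """Sorts failed logons by source address and separates the IDS false
    positive (a user who mistypes, then succeeds) from a burst of failures
    with no success inside the window. Returns {source: verdict}."""
    by_src = defaultdict(lambda: {"failed": [], "success": False})
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = FAILED_RE.search(r["msg"])
        if m:
            by_src[m["src"]]["failed"].append(r["time"])
            continue
        m = ACCEPTED_RE.search(r["msg"])
        if m:
            by_src[m["src"]]["success"] = True
    verdicts = {}
    for src, info in by_src.items():
        times = info["failed"]
        burst = len(times) >= threshold and (times[-1] - times[0]).total_seconds() <= window_s
        if burst and not info["success"]:
            verdicts[src] = "alert"
        elif info["success"]:
            verdicts[src] = "legitimate"
        else:
            verdicts[src] = "watch"
    return verdicts


if __name__ == "__main__":
    recs = relevant(parse(LOG))
    print("link faults:", link_faults(recs))
    print("logons:", logon_review(recs))
```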

Page 192

Traffic shaping

A performance management technique

Involves: manipulating certain characteristics of packets, data streams, or connections to manage the type and amount of traffic traversing a network or interface at any moment.

Page 193

Delaying less important traffic,

increasing the priority of more important traffic,

limiting the volume of traffic flowing in or out of an interface during a specified time period, or

limiting the momentary throughput rate for an interface.
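One common way to implement the rate-limiting and prioritising actions listed above is a token bucket in front of a priority queue; the slides do not name this mechanism, so the following is an added example, not course material, with a constructed burst of packets on a link shaped to 1000 bytes per second.

```python
class TokenBucket:
    """Limits the momentary throughput of an interface: tokens accrue at the
    configured rate up to a burst ceiling, and a packet may leave only when
    the bucket holds at least its size in tokens."""

    def __init__(self, rate_bytes_per_s: float, burst_bytes: float):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_send(self, size: int) -> bool:
        if size > self.burst:
            raise ValueError("packet larger than the burst size can never be sent")
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def shape(packets, rate_bytes_per_s, burst_bytes, max_ticks=1000):
    """Priority-aware shaping on a one-second tick: newly arrived packets join
    the queue, the queue is ordered by priority (0 = most important) then by
    arrival, and packets leave while tokens last. Less important traffic is
    delayed behind more important traffic. Returns {name: tick sent}."""
    bucket = TokenBucket(rate_bytes_per_s, burst_bytes)
    pending = sorted(packets, key=lambda p: p["arrival"])
    queue, sent, tick = [], {}, 0
    while (pending or queue) and tick < max_ticks:
        bucket.refill(tick)
        while pending and pending[0]["arrival"] <= tick:
            queue.append(pending.pop(0))
        queue.sort(key=lambda p: (p["priority"], p["arrival"]))
        # head-of-line blocking is deliberate: a waiting high-priority packet
        # is never overtaken by a smaller low-priority one
        while queue and bucket.try_send(queue[0]["size"]):
            sent[queue.pop(0)["name"]] = tick
        tick += 1
    return sent


# Constructed burst on a link shaped to 1000 bytes/s with a 1500-byte burst allowance
PACKETS = [
    {"name": "bulk1", "arrival": 0, "size": 1000, "priority": 1},
    {"name": "voip1", "arrival": 0, "size": 200, "priority": 0},
    {"name": "bulk2", "arrival": 0, "size": 1000, "priority": 1},
    {"name": "voip2", "arrival": 1, "size": 200, "priority": 0},
]


if __name__ == "__main__":
    # voip2 arrives later than bulk2 but is sent before it
    print(shape(PACKETS, 1000, 1500))
```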

Page 194

Its goals are to assure timely delivery of the most important traffic while offering the best possible performance for all users.

Page 195

Caching

The local storage of frequently needed files that would otherwise be obtained from an external source.

Web caching: Web pages are stored locally, either on a host or network, and then delivered to requesters.

Page 196

Cache engine: a network device devoted to storage and delivery of frequently requested files.

Page 197

Review questions

Discuss the advantages of documenting all network aspects

What are the advantages of caching to an ISP?

Page 198

THE END

PAUL PETER PIUS

0719 77 55 22

[email protected]

http://newscentre.zxq.net