www.ischool.drexel.edu info 331 computer networking technology ii chapter 9 network management dr....

www.ischool.drexel.edu

INFO 331Computer Networking

Technology II Chapter 9

Network Management

Dr. Jennifer Booker

1INFO 331 chapter 9


Network Management History

• Network management didn’t exist in its current form until the 1980’s– From the ’40s to ’70s, networks were typically

very homogeneous (proprietary-only), so network management tools were specific to that insular environment, if used at all

– The advent of the PC and Macintosh made networks get much more heterogeneous, and increased the complexity of network management

2INFO 331 chapter 9


Network Management

• A network typically consists of many unrelated types of equipment, which are all supposed to work together in perfect harmony, in spite of the myriad protocols, operating systems, interfaces, etc. involved– Servers and workstations– Routers, switches, and hubs– Wireless access points and hosts– Firewalls

3INFO 331 chapter 9


Network Management

• In order to manage this mess, there is often a Network Operations Center (NOC) to coordinate maintenance, upgrades, monitoring, optimization (if you have time), repairs, etc.– Akin to a pilot’s cockpit, or the control room

for a power station, or the mixing board at a concert

4INFO 331 chapter 9


Network Management

• We need to know– What to monitor

• What is worth focusing your attention on?

– How to analyze what we see– How to respond to changing conditions

(fix problems)– How to proactively manage the system

(prevent problems)

5INFO 331 chapter 9


Typical Problems

• Even a simple network can have challenges which help motivate the need for network management

• Detect interface card failure at a host or router– The host or router might report the

interface failure to the NOC– Better, network monitoring might reveal

imminent failure, so the card is replaced before failure

6INFO 331 chapter 9


Typical Problems

• Monitor traffic to guide resource deployment– Traffic patterns or congestion monitoring

can show which parts of the network are most used

– This could lead to improved usage of servers, simplifying physical layout or improving the speed of high traffic LAN segments, or make good upgrade decisions

7INFO 331 chapter 9


Typical Problems

• Detect rapid routing changes– Routing can become unstable, causing rapid

changes in routing tables (route flapping)– The network admin would like to know this

is happening before something crashes as a result!

• Host is down– Network monitoring could detect a system

down before the user notices it

8INFO 331 chapter 9


Typical Problems

• Monitor SLAs– Service Level Agreements (SLAs) are

contracts to guarantee specific services, such as Internet service, in terms of availability, throughput, latency, and other agreed-upon measures

• Major ISPs (tier 1) can provide SLAs to major business customers

– If you pay for this service, it’s nice to know if they are really providing what you paid for!

Not this SLA!

Image from www.answers.com/topic/symbionese-liberation-army

9INFO 331 chapter 9


Typical Problems

• Intrusion detection– The network admin can look for traffic from

odd sources, destined for unusual ports, lots of SYN packets, and other security threats we

recently covered– This can lead to refinement of filters &

firewalls

10INFO 331 chapter 9


ISO Network Management

• ISO has produced guidance on the types of network management activities– ISO network management (

ISO/IEC 10733:1998)– ISO security management (

ISO/IEC TR 13335:2004, ISO/IEC 18026:2009 and ISO/IEC 18028-1:2006)

• See Global IHS for buying ISO standards




• Cisco overview white paper (free, unlike ISO standards, and summarized herein thru

slide 35)

• ISO identifies five areas of network management– Fault, configuration, performance, security,

and accounting management




• Fault Management– Detect, isolate, notify, and correct faults

encountered in the network

• Configuration Management– Configuration aspects of network devices

such as configuration file management, inventory management, and software management




• Performance Management– Monitor and measure various aspects of

performance so that overall performance can be maintained at an acceptable level

• Security Management– Provide access to network devices and

corporate resources to authorized individuals

• Accounting Management– Usage information of network resources



Fault Management

• This is the main focus of network management for most organizations

• Faults are errors or problems in the network– Often a shorter term perspective than

performance management

• Hence fast detection of problems is critical, often via color-coded graphical network maps



Fault Management

• Typically want a network management platform to do:– Network discovery and topology mapping– Event handler – Performance data collection and presentation– Management data browsing

• Network management platforms include HP OpenView, Aprisma Spectrum, and Sun Solstice



Fault Management

• Devices can send SNMP traps (RFC 3410) of events which change their status

• These events are logged, such as in a Management Information Base (MIB)

• Platforms can be geographically located, and communicate with each other to centralize network monitoring– Web interfaces on devices can allow remote

management and configuration



Fault Management

• Equipment vendors often use different management systems– They can communicate using CORBA or CIM

standards to exchange management data

• Troubleshooting a network often uses TFTP and syslog servers– The trivial FTP (TFTP) server stores

configuration files; routers and switches can send system log (syslog) messages to the syslog server



Fault Management

• Faults can be detected with SNMP trap events, SNMP polling, remote monitoring (RMON, RFC 2819) and syslog messages– Module changing to up or down state– Chassis alarms for hardware failures (fans,

memory, voltage levels, temperature, etc.)– Responses can be just notification and

logging of the event, or shutdown of that device, e.g. temps can be defined for warning, critical, or shutdown



Fault Management

• Fault detection can also be done at the protocol or interface levels– Such as a router interface failure

• A management station polls the device to determine status or measure something (CPU usage, buffer failure, I/O drops, etc.), and flags it with an RMON alarm when the measure exceeds some threshold value



Configuration Management

• Configuration management (CM) tracks equipment and software in the network

• Can assess which elements are causing trouble, or which vendors are preferred– What if a vendor recalls a certain device?

Do you have any of them? Where?– Whose routers or switches are most reliable?– Where do you send a service vendor to

replace a dead router?




• CM data includes– Make, model, version, serial number of equipment– Software versions and licenses– Physical location of hardware

• Site, building, room, rack number, etc.

– Contact info for equipment owners and service vendors

• Naming conventions are often used to keep names meaningful, not just yoda.drexel.edu




• CM also includes file management– Changes to device configuration files should

be carefully controlled, so that older versions can be used if the new ones don’t work

– A change audit log can help track changes, and who made them

• Inventory management is based on the ability to discover what devices exist, and their configuration information




• Software management can include the automation of software upgrades across devices– Download new software images, verify

compatibility with hardware, back up existing software, then load new software

– Large sites may script the process and run during low activity times



Performance Management

• The same SNMP methods to capture fault data can be used for performance data, such as queue drops, ignored packets, etc.– These can be used to assess SLA

compliance

• On a larger scale, WAN protocols (frame relay, ATM, ISDN) can also collect performance data




• Performance management tools include– Concord Network Health– InfoVista VistaView– SAS IT Service Vision– Trinagy TREND

• These all collect, store, and analyze data from around one’s enterprise, and typically use web-based interfaces to allow access to it from anywhere




• Increased network traffic has led to more attention to user and application traffic– RFC 4502 (replacing RFCs 2021 and 3273)

defines how RMON can be used to analyze applications and the network layer, not just lower layer (e.g. MAC) protocols

– Many other performance monitoring tools exist, e.g. Cisco NetFlow



Security Management

• Security management covers controlling access to the network and its resources– Can include monitoring user login, refusing

access to failed login attempts, as well as either intentional or unintentional sabotage

• Security management starts with good policies and procedures– The minimum security settings for routers,

switches, and hosts is important to define



Security Management

• Methods for control of security at the device level (router) include– Access control lists (ACLs) and what they

are permitted to do– User ID’s and passwords– Terminal Access Controller Access Control

System (TACACS)

• TACACS (RFC 1492) is a security protocol between devices and a TACACS server



Security Management

• A refinement of TACACS is TACACS+, which gives more detailed control over who can access a given device– It separates the Authentication (verify user),

Authorization (control remote access to device), and Accounting functions (collect security information for network management) (AAA)



Security Management

• In Cisco’s world, AAA functions are managed with commands such as – aaa– tacacs-server– set authentication – set authorization– set accounting



Security Management

• In SNMP, configuration changes can be made to routers and switches just like from a command line– Hence strong SNMP passwords are critical!– SNMP management hosts (‘managing entities’

in Kurose) should have static IP, and sole SNMP rights with network devices (managed devices) according to a specific Access Control List (ACL)



Security Management

• SNMP can set router security:– Privilege Level = RO (read only) or = RW

(read and write); only RW can change router settings

– Access Control List (ACL) can be set to only allow specific hosts to request router management info; ACL control over interfaces can help prevent spoofing



Security Management

– View – controls what router data can be viewed

– SNMPv3 provides secure exchange of data

• Switches can restrict Telnet and SNMP via an IP Permit List



Accounting Management

• Accounting management measures utilization of the network so that specific groups or users can be billed correctly for snarfing up resources– Yes, it’s all about money– Data can be collected using various tools,

such as NetFlow, IP Accounting, Evident Software

• This can also be used to measure how well SLAs are being followed or not



Other aspects of net mgmt

• So network management is a huge field

• We’ll focus on basic infrastructure issues– Omit service management, network

administration, provisioning, and sizing networks (see TINA and TMN standards)



Network Management Infrastructure

• Network management is like the CEO of an organization getting status reports from middle managers, and they get status from first line managers– The CEO has to make decisions about the

entire company based on this data• Corrective action may be needed, based on good

or bad results obtained• The CEO of General Motors may build new plants,

or shut others down




• Network management establishes managers (called managing entities, often located in a NOC) who are allowed (via an ACL) to talk to network devices (managed devices, such as servers or routers)– Each managed device has a network management

agent, who collects the desired data– Each managed device has one or more managed

objects (such as network cards, memory chips, etc.)



Network Management InfrastructureNOC

Managing entity A

Managing entity B

Managed device O

Managed device M

Managed device N

Managed device L

Agent(Data)

Agent(Data)

Agent(Data)

Agent(Data)

Network management protocol




• Descriptions of all managed objects, and the devices they belong to, are collected in the Management Information Base (MIB)– A MIB is a database of managed object data

• Managed devices communicate with managing entities using a network management protocol– Devices don’t generally talk to each other,

but managing entities can




• The network management protocol doesn’t manage the network per se – it just provides a means for the network admin to do so

Managed device (host, server, router, printer, etc.)

Network mgmt Agent

Managed object 1

Managed object 2

To managing

entity



Network Management Standards

• The architecture just described applies to most any network management approach

• Many specific standards have been developed– The OSI CMISE/CMIP standards, used in

telecommunications– In the Internet, SNMP (Simple Network

Management Protocol, RFCs 3411-3418)• We’ll focus on SNMP



SNMP isn’t Simple!

• Derived from SGMP (RFC 1028, 1987)

• Key goals of network management include– What is being monitored?– What form of control does the network

administrator have?– What is the form of data reported and

exchanged?– What is the communication protocol for the

exchange of data?43INFO 331 chapter 9


SNMP

• To address these goals, SNMP has four modular parts– Network management objects, called MIB

objects• The MIB tracks MIB objects• A MIB object might be a kind of data (datagrams

discarded, description of a router, status of an object, routing path to a destination, etc.)

• MIB objects can be grouped into MIB modules



SNMP

– A data definition language, SMI (Structure of Management Information)

• SMI defines what an object is, what data types exist, and rules for writing and changing management information

– A protocol, SNMP, for the exchange of information and commands between manager-agent and manager-manager (between two managing entities)

– Security and administrative capabilities



SMI

• SMI is defined by RFCs 2578-2580 (1999)

• SMI has three levels of structure– Base data types– Managed objects– Managed modules

SMI Modules

SMI Objects

SMI Base Data Types

[SMI is part of MIB, so a SMI object is the same as a MIB managed object.]



SMI

• SMI Base Data Types are an extension on the ASN.1 structure (Abstract Syntax Notation One, ISO/IEC 8824:2008)

• There are eleven basic data types (p. 767)– Signed and unsigned (>0) integers, IP addresses,

counters, time in 1/100 second counts, etc.– Most important is the OBJECT IDENTIFIER type,

which allows definition of an SMI object as some ordered collection of other data types



SMI

– The OBJECT IDENTIFIER is like a struct in C– Here, it names an Object

• To create a managed object, the OBJECT-TYPE construct is used– Over 10,000 object-types have been defined

– these are the heart of data that can be collected for network management

– Analogy: OBJECT IDENTIFIER defines the class, OBJECT-TYPE instantiates the object



SMI Objects

• An object-type includes four fields– SYNTAX – is the data type of the object, e.g.

‘Counter32’– MAX-ACCESS – is whether the object can be

read, written, created, e.g. ‘read-only’– STATUS – is whether the object is current,

obsolete, or deprecated, e.g. ‘current’– DESCRIPTION – gives a definition of the

object, which is a long text narrative



SMI Modules

• The MODULE-IDENTITY construct creates a module from related objects– Fields include when it was last updated, the

organization who did so, contact info for them, a description of the module, a revision entry, and description of the revision

• The end of the MODULE-IDENTITY gives the ASN.1 code for the type of information in the module (often MIB-2)



SMI Modules

• For examples, these MIB modules (MODULE-IDENTITY) are defined– For IP and ICMP in RFC 4293– For TCP in RFC 4022– For UDP in RFC 4133– For RMON (remote monitoring) in RFC 4502



SMI Modules

• There are other kinds of modules– NOTIFICATION-TYPE for making SNMP-Trap

and information request messages– MODULE-COMPLIANCE for defining

managed objects that an agent must implement

– AGENT-CAPABILITIES defines what agents can do with respect to object and event notification definitions



MIB

• The Management Information Base (MIB) stores a current description of the network

• Data is collected from agents in each device about the objects in that device

• There are over 200 standard MIB modules, plus many more vendor-defined

• To identify these modules, the IETF borrowed a convention from ISO – the ASN.1 structure



MIB

• The ASN.1 object identifier tree structure gives a number (e.g. 1.3.6.1.2.45) to every object within ISO, ITU-T, or joint ISO/ITU-T control

• We care about stuff under 1.3.6.1.2.1– ISO (1)

• ISO identified organization (3)– US DoD (6)

» Internet (1)

» Management (2) (ran out of indents!)

» MIB-2 (1)



MIB

• Under the MIB-2 category, we have 16 choices, including– System (1)– Interface (2)– Address translation (3)– Lots of protocols (ip, icmp, tcp, udp, etc.)– Transmission (10)– SNMP (11)– RMON (16) Apologies to http://www.sptimes.com/2002/07/08/Xpress/Letdown_aside___MIB_I.shtml



MIB

• The excerpts in the text are from – MIB-2 / system (Table 9.2, p. 772)– MIB-2 / UDP (Table 9.3, p. 773)

• What was the point of all this? – This gives the organization of all existing MIB

modules – e.g. so if you want to know what TCP information is readily available, you can find what has already been predefined

– This keeps you from reinventing the wheel!56INFO 331 chapter 9


SNMP Protocol Operations

• The purpose of SNMP is to exchange MIB information between agents and managing entities, or between two managing entities

• Much of SNMP works on request-response mode – the managing entity requests data, and the agent responds with that data

• Problems or exceptions are reported with a trap message – they go just from agent to managing entity



SNMP Message Types

• SNMP messages are called PDUs (protocol data units) (RFC 3416)

• There are seven types of PDUs (p. 790)– From manager (managing entity) to agent

there are three kinds of GetRequest (to read agent data), plus SetRequest (to set the value of agent data)

– From agent to manager there is the SNMPv2-Trap PDU to report exceptions (RFC 3418)



SNMP Message Types

– From manager to manager there is an InformRequest message to pass on MIB data

– And finally, most messages are responded to using a … Response message

• We’re not going to dwell on the format of a PDU message – it’s up to 484 octets long

• PDU messages should be sent over UDP, per RFCs 3417 and 4789– Also possible to send over AppleTalk, IPX, …



SNMP Message Types

– SNMP listens on port 161 normally; port 162 for trap messages

• Hence the sender needs to determine if a Response was received or not– RFCs are vague on retransmission policies

• SNMP is described across many RFCs– The best place to start looking is RFC 3416,

which summarizes the SNMP Management Framework



Security and Administration

• This is a key area of improvement in SNMPv3 over SNMPv2

• Managing entities run SNMP applications, which typically have– A command generator (create Get messages)– A notification receiver (to catch traps)– A proxy forwarder (forwards requests,

notifications, and responses)



Security and Administration

• Agents have – A command responder (answers Get

messages, and applies Set requests)– A notification originator (create traps)

• Any kind of PDU is created by the SNMP application, then has a security/message header applied– An SNMP message consists of (the

security/message header) plus (the PDU)62INFO 331 chapter 9


SNMP Message Header

• The header consists of– SNMP version number– A message ID– Message size info– If the message is encrypted, then the type

of encryption is added, per RFC 3411

• The SNMP message is passed to the transport protocol (probably UDP)



SNMP Message Header

• From RFC 3411, “This architecture recognizes three levels of security:– without authentication and without privacy

(noAuthNoPriv)– with authentication but without privacy

(authNoPriv)– with authentication and with privacy

(authPriv)”



SNMP Security

• Since SNMP can change settings (Set Request message), security is very important

• RFC 3414 describes the user-based security approach– User name, which has a password, key value, and/or

defined access privileges

• Encryption (privacy) is done with DES symmetric encryption in Cipher Block Chaining mode



SNMP Security

• Authentication uses HMAC (RFC 2104) – Take the PDU message, m, and a shared

secret key, K (can be a different symmetric key than used for encryption)

– Compute a Message Integrity Code (MIC) over the message AND the key K

– Transmit m and MIC(m,K)– Receiver also computes MIC(m,K) and

compares it to what was received



SNMP Security

• SNMP provides protection against playback attacks by keeping a counter in the receiver



SNMP Security

• The counter acts like a nonce– Actually tracks time since last reboot of

receiver and number of reboots since network management software was loaded (RFC 3414)

• If counter in a received message is close enough to the actual value, treat the message as a nonreplay (new) message



SNMP Security

• Provides view-based access control (RFC 3415) by mapping which information can be viewed by which users, or set by them– In contrast with RBAC (role-based) or OBAC

(organization-based) access control approaches

• Tracks this info in a Local Configuration Datastore (LCD), parts of which are managed objects (which can be managed via SNMP)



ASN.1

• We saw earlier that MIB variables are tied to the ISO standard ASN.1– It’s connected to XML and Bluetooth as well,

so it’s worth not ignoring

• It’s defined by ITU-T X.680 to X.683 and ISO/IEC 8824

• Purpose is to describe data exchanged between two communicating applications– So it’s kind of a middleware for data exchange



ASN.1

• Without ASN.1, it would be easy to define dozens of logical approaches for describing the contents of a data file, and storing it– ASN.1 gets everyone to agree how to do so

• ASN.1 tries to identify every possible standardized object – no small goal!



ASN.1

• Part of its need comes from the little-endian vs. big-endian problem– Little-endian architecture stores the least

significant bit of integers first• Intel and DEC/Compaq Alpha CPUs are

little-endian

– Big-endian stores the most significant bit first • Sun and Motorola processors are big-endian



ASN.1

• SMI and ASN.1 offer a presentation service to translate between different machine-specific formats– This resolves the order in which bytes are

sent, so that something sent in ASN.1 format from an Intel chip can be read correctly by a Sun chip



ASN.1

• ASN.1 provides its own defined data types (p. 798), much like SMI (slide 47)– Are used to create structured data types

• ASN.1 also provides various types of encoding rules– The Basic Encoding Rules (BER) tell how to

send data over the network (as in, byte by byte), using the Type of data, its Length, and Value (TLV)

• Data can be text, audio, video, etc.



ASN.1

• Other type of encoding rules include– Packed Encoding Rules (PER) – for efficient

binary encoding– Distinguished Encoding Rules (DER) –

canonical encoding for digital signatures– XML encoding rules (XER)



Summary

• So in wrapping up, we’ve covered the ISO outline of network management– Fault, Configuration, Performance, Security, and

Accounting Management

• Seen network management infrastructure elements and how they work in SNMP– SMI to define data types, objects, and modules– MIB to collect object data across the network– ASN.1 communicates across hardware platforms


www.ischool.drexel.edu info 331 computer networking technology ii chapter 9 network management dr....

Documents