Policy-based Management of Distributed PBX Systems




Category: Dangers of an Increasingly Networked World
Rupert, Christian
Year of Study: 2nd year M.Sc. Information Systems
Course Title: Research Project Securitas
University: University of Applied Sciences Pforzheim
Project Manager: Prof. Dr. Ing. Frank Niemann
Positions: Program Director Information Technology, Head of Research Project Securitas

ABSTRACT

The development of a policy-based management system that can declare and enforce security-relevant policies for networks and systems is part of a broader research project at the University of Applied Sciences Pforzheim. With such a system, security management can ensure comprehensive protection of its security requirements. In today's increasingly networked, heterogeneous IT landscapes it is essential to provide a comprehensive management system that covers several management aspects. The market offers a large number of proprietary solutions for this. The research laboratory developed a prototype on the basis of the open Web-Based Enterprise Management (WBEM) standard, specified by the Distributed Management Task Force (DMTF), which represents the managed system in a platform-independent, object-oriented way. Using the Common Information Model (CIM), a represented system can be assigned a security policy. The prototype determines the properties of an Asterisk PBX system through an implemented CIM provider, compares the property values with the defined policies and executes countermeasures if necessary. Policies are defined and enforced on several hierarchical levels. Experience so far has shown the opportunities offered by WBEM, but also a considerable implementation effort.

TABLE OF CONTENTS

1 INTRODUCTION
2 FUNDAMENTALS
2.1 MANAGEMENT AND WBEM FUNDAMENTALS
2.2 POLICY-BASED MANAGEMENT FUNDAMENTALS
2.3 THE MANAGED NODE ASTERISK PBX
2.3.1 Asterisk Fundamentals
2.3.2 Asterisk Manager Interface
3 ARCHITECTURE OF THE PROTOTYPE
3.1 Asterisk in CIM
3.2 Asterisk Provider
4 POLICY BASED MANAGEMENT OF ASTERISK
5 CONCLUSION

LIST OF FIGURES

Figure 1: WBEM Architecture
Figure 2: Levels of Policy-based Management
Figure 3: Policy Architecture
Figure 4: CIM_Policy Information Model
Figure 5: Asterisk Manager Interface - Telnet Connection
Figure 6: Prototype Architecture
Figure 7: Sample Asterisk Instance
Figure 8: Flow chart Asterisk Provider
Figure 9: Declaration of a simple policy
Figure 10: Execution of a policy
Figure 11: Sample Policy for Asterisk PBX

1 INTRODUCTION

The management of IP-based network elements is often realized with the de-facto standard SNMP (Simple Network Management Protocol) (IETF 1990). Since its publication in 1999, Web-Based Enterprise Management (WBEM) (DMTF 1999) has not been able to match SNMP's popularity. However, WBEM offers some advantages over SNMP that can be used to implement policy-based management. Chapter 2 therefore provides the basic knowledge of network management and policy-based management needed here. Chapter 2 also presents the Asterisk PBX system, which is to be monitored and controlled and serves as a proof of concept. Chapter 3 describes the structure of the prototype in the communication technology laboratory at the University of Applied Sciences Pforzheim, with the elements relevant for this paper. In addition, it describes the designed information model, which represents the PBX system and its information on an abstract level by means of the properties and methods of a class. This information model is the Common Information Model (CIM) (DMTF 1999). The WBEM server determines the current configuration of the Asterisk PBX system via a CIM provider, which addresses the manager interface of the Asterisk PBX at defined intervals and thus updates the information model with the latest values. Parts of this information model are checked by policies for their correctness. Chapter 4 presents a conceptual solution for this idea. Finally, chapter 5 summarizes the achieved results and points out problems and limits of the prototype.

2 FUNDAMENTALS

2.1 MANAGEMENT AND WBEM FUNDAMENTALS

The FCAPS model of the International Organization for Standardization (ISO) addresses several management sub-areas; security management is one of them. Regardless of the concrete use case, the aim of every management approach is a management application that offers access to a management platform, and this platform establishes the connection to the managed resources. Both standards, SNMP and WBEM, use an information model to describe resources and their characteristics. They differ in the concrete representation of a managed element: SNMP represents elements hierarchically, whereas WBEM, by means of CIM, uses an object-oriented approach. Managed objects are therefore represented by classes with properties and methods. As usual in object-oriented environments, the graphical representation uses the Unified Modeling Language (UML); textually, CIM classes are described in the so-called Managed Object Format (MOF). Furthermore, WBEM allows SNMP-managed devices to be embedded in the model, so that a smooth migration is possible. The basic architecture of management with WBEM is shown in the following figure.

Figure 1: WBEM Architecture

As shown in figure 1, an operator machine connects to the management platform via different interfaces (command line, web server, SNMP interface). The managed resource does not have to exist physically; virtual resources, such as the processes of an operating system, can also be managed.

2.2 POLICY-BASED MANAGEMENT FUNDAMENTALS

Policy-based management aims to link policies on different hierarchical levels. Security policies on the highest level should be understandable for everyone and defined independently of any technology. An example of a policy on the highest level could be: "Telephony has to be tap-proof." For the highest level the concrete technical implementation is irrelevant; economic aspects are what matter. In a process-oriented way, this policy could be transferred to a more detailed, technically focused policy, such as: "VoIP telephony has to be encrypted with SRTP and TLS." Here the technical aspect of encryption is named, but still without referring to a concrete implementation. On the most detailed level, a system policy defines how the policy is implemented on the managed device. The following definition would be possible: "The installed version of the Asterisk PBX system should be version 1.8 and encryption has to be enabled." This version is a requirement for native encryption of call-related data. The structuring of policies is shown in the following figure.

Figure 2: Levels of Policy-based Management

System policies can be enforced by an architecture specified by the IETF and shown in figure 3. A Policy Management Tool offers the possibility to define policies, even for people without technical knowledge. A Repository is the storage for defined policies. A Policy Decision Point evaluates the defined policies by checking whether the managed resource is in a certain state. A Policy Enforcement Point enforces the defined policy; it is the managed resource, which has access to its internal attributes.

Figure 3: Policy Architecture

Within the CIM_Policy schema, policies are represented as shown in figure 4 (DMTF Policy WG 2010).

Figure 4: CIM_Policy Information Model

The figure shows a ManagedElement class (e.g. an OS process), which is linked to a PolicySet class by an association. The PolicySet inherits its properties and methods from the Policy class. A Policy aggregates PolicyConditions and PolicyActions. Conditions represent the requirements that have to be fulfilled in order to trigger a certain action.

2.3 THE MANAGED NODE ASTERISK PBX

2.3.1 Asterisk Fundamentals

Asterisk is an open source software PBX system. In contrast to ordinary PBX systems, which combine hardware and software in one device, Asterisk can be installed on any standard personal computer. It covers almost every function of an ordinary PBX system and offers features that are otherwise only supported by expensive proprietary systems. Asterisk can be used with VoIP softphones in combination with VoIP providers (e.g. sipgate), without any VoIP hardware (e.g. hardphones). To connect to the public switched telephone network (PSTN), analog as well as digital interface cards from several manufacturers can be used. One of the biggest advantages of Asterisk is the broad spectrum of technologies that can be used to establish a connection to an Asterisk server. As a consequence, Asterisk can link up PSTN and VoIP devices while the implementation and use of the different protocols remains transparent to the user.

2.3.2 Asterisk Manager Interface

The Asterisk Manager Interface (AMI) offers a way to control an Asterisk PBX system and to request information about the system over a TCP/IP stream. Besides special manager actions, the AMI supports the execution of Asterisk Command Line Interface (CLI) commands. The example in figure 5 shows the execution of CLI commands over a telnet connection.

Figure 5: Asterisk Manager Interface - Telnet Connection

The example shows the login of a user on the Asterisk AMI, reachable on IP 192.168.1.10 on port 5038, which is the port designated for AMI purposes. The CLI command "core show version" shows the version of the current installation. After a successful login several actions can follow, e.g. restarting the system or requesting the status of individual telephone channels. Thus the PBX system becomes controllable, which is a necessity for the CIM provider presented in chapter 3.2.

3 ARCHITECTURE OF THE PROTOTYPE

This chapter explains the architecture of the prototype in order to point out the interrelationships between the individual components. The starting point is a user who wants to determine certain properties of his Asterisk PBX. To avoid using the CLI to request information about the PBX, the CIM navigator Yawn was installed on a web server. Yawn displays all managed resources and their current properties graphically. The WBEM server distinguishes between so-called intrinsic and extrinsic methods. Intrinsic methods refer to the internal representation of classes; examples are CreateClass, DeleteClass and EnumerateInstances.

EnumerateInstances lists all instances of a class, in this case every Asterisk PBX system managed by the WBEM server. Extrinsic methods, on the contrary, are implemented by the managed resource; examples are Asterisk.ShowVersion() or Asterisk.Shutdown(). The following figure gives an overview of the prototype architecture.

Figure 6: Prototype Architecture

After receiving the operation (e.g. EnumerateInstances), the CIM Object Manager (CIMOM) requests the definition of the specific class. Now the class is known, but no concrete instance is available yet; creating the instances is the task of the Asterisk provider. The provider responsible for the Asterisk resource is implemented in C++. Its sources are compiled into a dynamic library (libasterisk.so) and added to the WBEM server. After receiving the request to enumerate the instances, the provider sets all required properties by using the AMI with several Asterisk CLI commands (see chapter 2.3.2).

3.1 Asterisk in CIM

This chapter introduces the properties and methods of the information model used by the Asterisk class. To ensure version independence, only a few relevant basic parameters were modeled. Several instances of the Asterisk class can be distinguished through their key attributes. The key attributes chosen are IP, Port, User and Secret. As a first step, the IP attribute distinguishes different Asterisk PBX systems by their IP address. This is done by the CIM provider, which checks whether port 5038 is open within a defined IP range. If the AMI uses a port other than 5038, this is controlled by the second key attribute, Port. If more than one user administers the PBX system, this is covered by the key/value pair User/Secret.

Figure 7: Sample Asterisk Instance

Figure 7 shows an example of an Asterisk instance within the CIM navigator Yawn. The instance, i.e. the PBX system, has the IP address 192.168.1.10 and is located in the laboratory network. Furthermore, information such as the installed version, the supported codecs and the uptime of the Asterisk PBX is shown.

3.2 Asterisk Provider

The central task was to implement the CIM provider that requests the information of the Asterisk PBX system for the WBEM server. For this purpose the framework CIMPLE was used, which simplified and accelerated the development of the provider. The following flow chart explains how the CIM provider works: after the function Enum_Instances is called, a certain IP range is scanned for Asterisk PBX systems. Once a system has been located, a certain set of AMI actions is sent to it, and the responses are used to set the class properties.

Figure 8: Flow chart Asterisk Provider
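The AMI exchange of figure 5 (chapter 2.3.2) and the property collection of the provider flow in chapter 3.2, as an added Python example that is not the paper's C++/CIMPLE provider. It assumes only the AMI framing of "Key: Value" header lines terminated by a blank line and the default port 5038 named above; the server response, the user name "admin" and the placeholder secret are constructed for the example (192.168.1.10 is the lab PBX from figure 7).

```python
"""Added example: a minimal Asterisk Manager Interface (AMI) client layer.
Not code from the paper's CIMPLE provider; the server stream is constructed."""
import re
import socket

AMI_PORT = 5038                       # default AMI port named in the paper
BANNER_PREFIX = "Asterisk Call Manager/"
VERSION_RE = re.compile(r"^Asterisk (\d+(?:\.\d+)+)")


def build_action(action, **fields):
    """Serialize one AMI action: 'Key: Value' lines ending in a blank line."""
    lines = ["Action: " + action] + ["%s: %s" % kv for kv in fields.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_packets(raw):
    """Split a server-to-client AMI stream into packets and parse each one.

    The greeting banner is returned separately.  Inside a packet the leading
    'Key: Value' lines are headers; everything after the first non-header
    line (the free-form CLI output of a 'Response: Follows' packet) is kept
    verbatim under 'Output', minus the '--END COMMAND--' trailer."""
    banner = None
    if raw.startswith(BANNER_PREFIX):
        banner, _, raw = raw.partition("\r\n")
    packets = []
    for chunk in raw.split("\r\n\r\n"):
        if not chunk:
            continue
        headers, output = {}, []
        for line in chunk.split("\r\n"):
            m = re.match(r"^([A-Za-z][\w-]*): ?(.*)$", line)
            if m and not output:
                headers[m.group(1)] = m.group(2)
            elif line != "--END COMMAND--":
                output.append(line)
        if output:
            headers["Output"] = "\n".join(output)
        packets.append(headers)
    return banner, packets


def login_succeeded(packet):
    """The Login action is answered with 'Response: Success' when accepted."""
    return packet.get("Response") == "Success"


def instance_from_ami(ip, port, user, packets):
    """Build the property set of one Asterisk instance (the key attributes of
    chapter 3.1 plus Version) from the parsed responses.  The Secret is not
    copied into the instance: it is only needed to open the session."""
    inst = {"IP": ip, "Port": port, "User": user, "Version": None}
    for p in packets:
        m = VERSION_RE.match(p.get("Output", ""))
        if m:
            inst["Version"] = m.group(1)
    return inst


def probe_ami(host, port=AMI_PORT, timeout=0.5):
    """Check whether one host answers with the AMI banner.  A short connect
    timeout keeps the provider's range scan bounded; the paper reports about
    20 s for a whole range, enough to trip the policy engine's timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(64).decode("ascii", "replace")
    except OSError:
        return None
    return greeting.strip() if greeting.startswith(BANNER_PREFIX) else None


# Constructed client/server exchange modelled on figure 5 (values are examples).
CLIENT_STREAM = (build_action("Login", Username="admin", Secret="<placeholder>")
                 + build_action("Command", Command="core show version"))
SERVER_STREAM = (
    "Asterisk Call Manager/1.1\r\n"
    "Response: Success\r\nMessage: Authentication accepted\r\n\r\n"
    "Response: Follows\r\nPrivilege: Command\r\n"
    "Asterisk 1.8.7.0 built by root @ lab on a x86_64 running Linux\r\n"
    "--END COMMAND--\r\n\r\n"
)

if __name__ == "__main__":
    banner, packets = parse_packets(SERVER_STREAM)
    print(banner, "login ok:", login_succeeded(packets[0]))
    print(instance_from_ami("192.168.1.10", AMI_PORT, "admin", packets))
```

The parser treats only the leading "Key: Value" lines of a packet as headers, so CLI output that itself starts with such a line would be misread; a production provider should key on "Response: Follows" instead. The per-host timeout in probe_ami is the knob that decides whether the whole Enum_Instances pass stays below the engine timeout described in chapter 4.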

4 POLICY BASED MANAGEMENT OF ASTERISK

In 2009 the DMTF published the Common Information Model Simplified Policy Language (CIM-SPL) standard (DMTF 2009), which provides a language for defining policies based on CIM profiles. With CIM-SPL, a policy is declared in an if-condition-then-action scheme. The base of every policy is the Policy Rule, consisting of the parts just mentioned, Condition and Action/Decision, as well as additional information (e.g. an import or declarations). Multiple Policy Rules can be aggregated into a PolicyGroup, and groups can also be nested. The condition of a rule can be described with several operators and data types. If a defined condition evaluates to True, a decision/action is triggered. For example, there might be the policy: "The installed version of the specific Asterisk PBX system has to be version 1.8." This statement would be the condition of a policy. The example can be extended with a decision/action, for example: "otherwise the PBX system has to be shut down." To implement this policy, access is needed to the properties of the specific Asterisk instance to which the policy applies. Furthermore, an extrinsic method is needed within the Asterisk instance that can shut down the PBX system remotely.

The principle of this action chain is explained with the following simple example. Figure 9 shows the structure of a CIM-SPL policy. The class testelement is imported in order to get access to its attributes and methods. The strategy defines how the policy is evaluated. A policy rule is applicable if its condition evaluates to True. With the strategy Execute_All_Applicable all conditions are evaluated and the assigned actions are triggered accordingly, even if another condition has already evaluated to True; the evaluation does not stop after the first positive evaluation. Another strategy is Execute_First_Applicable, where the evaluation stops after the first positive evaluation. The condition in figure 9 always evaluates to True, so the following action is always triggered. As a result, the property s32 of all instances of the class testelement is set to the value 4 when the policy is executed.

Figure 9: Declaration of a simple policy
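The if-condition-then-action model of this chapter, with the two evaluation strategies described above, as an added Python example; it is a small stand-in for CIM-SPL and Imperius, not the paper's policy files, and it goes slightly beyond the text by also handling nested PolicyGroups. The instances, their versions and the action names are constructed; the extrinsic Asterisk.Shutdown() method is only simulated by recording the decision.

```python
"""Added example: the chapter 4 policy model (rule = condition + action,
groups with a strategy, nesting) applied to Asterisk instances shaped like
the CIM instance of figure 7.  Not the paper's CIM-SPL code; data constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Union

EXECUTE_ALL = "Execute_All_Applicable"
EXECUTE_FIRST = "Execute_First_Applicable"


@dataclass
class PolicyRule:
    name: str
    condition: Callable[[dict], bool]   # evaluated against one instance
    action: Callable[[dict], str]       # runs only if the condition is True


@dataclass
class PolicyGroup:
    strategy: str
    members: List[Union[PolicyRule, "PolicyGroup"]]  # groups may be nested


def version_tuple(text):
    """'1.8.7.0' -> (1, 8, 7, 0); a missing or unparsable version gives ()."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def evaluate(group, instance):
    """Return [(rule name, action result)] for every rule that fired.

    Execute_All_Applicable keeps evaluating after a True condition;
    Execute_First_Applicable stops the group at the first member that fired.
    A nested group counts as applicable if any of its members fired."""
    fired = []
    for member in group.members:
        if isinstance(member, PolicyGroup):
            sub = evaluate(member, instance)
            fired.extend(sub)
            applicable = bool(sub)
        elif member.condition(instance):
            fired.append((member.name, member.action(instance)))
            applicable = True
        else:
            applicable = False
        if applicable and group.strategy == EXECUTE_FIRST:
            break
    return fired


def request_shutdown(instance):
    """Stand-in for the extrinsic Asterisk.Shutdown() method: the example only
    records the decision instead of sending an AMI action."""
    instance["PendingAction"] = "Shutdown"
    return "Shutdown requested for %s" % instance["IP"]


def set_s32(instance):
    """Mirror of the figure 9 rule: the action assigns s32 = 4."""
    instance["s32"] = 4
    return "s32 set to 4"


# The paper's sample policy: the version must be 1.8, otherwise shut the PBX
# down.  An unknown version also fires, so a failed property read is not
# silently treated as compliant.
VERSION_RULE = PolicyRule(
    "asterisk_version_1_8",
    condition=lambda inst: version_tuple(inst.get("Version"))[:2] != (1, 8),
    action=request_shutdown,
)
# The always-true rule of figure 9.
ALWAYS_RULE = PolicyRule("testelement_s32", condition=lambda inst: True, action=set_s32)


def run_policy(strategy, instances):
    """Evaluate the two rules as one group under the given strategy."""
    group = PolicyGroup(strategy, [VERSION_RULE, ALWAYS_RULE])
    return {inst["IP"]: evaluate(group, inst) for inst in instances}


# Constructed instances; 192.168.1.10 is the lab PBX of figure 7.
INSTANCES = [
    {"IP": "192.168.1.10", "Port": 5038, "User": "admin", "Version": "1.8.7.0"},
    {"IP": "192.168.1.11", "Port": 5038, "User": "admin", "Version": "1.6.2.0"},
]

if __name__ == "__main__":
    for strategy in (EXECUTE_ALL, EXECUTE_FIRST):
        print(strategy, run_policy(strategy, [dict(i) for i in INSTANCES]))
```

Under Execute_All_Applicable the 1.6 instance triggers both the shutdown rule and the figure 9 rule; under Execute_First_Applicable only the shutdown rule fires, which is exactly the difference between the two strategies described above.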

To execute this policy, the Apache CIM-SPL client Imperius was used. The execution of the policy is shown in the following figure.

Figure 10: Execution of a policy

A policy evaluating the condition mentioned before, "the Asterisk PBX system in use has to be version 1.8, otherwise a shutdown has to be forced", is shown in figure 11. At this point the work is in progress: test classes and instances can be combined with policies, but the Asterisk class cannot be checked by policies yet.

Figure 11: Sample Policy for Asterisk PBX

When a class is imported into a policy rule, the CIM operation EnumerateInstances is called. This process takes approximately 20 seconds, because the defined IP range has to be scanned for PBX systems and the properties have to be set to their specific values. This appears to cause a timeout on the policy engine's side, which leads to an error.

5 CONCLUSION

Finding an approach for policy-based management was challenging. Several proprietary solutions exist, but they are often restricted to specific levels of the hierarchy, support only certain devices, or are hard to extend. Often policy management is restricted to group policies. Heterogeneous IT landscapes, however, require a highly flexible management platform that manages more than just role-based data access. The object-oriented approach of WBEM, with its options of inheritance, association and so on, enables a high degree of reuse of components. Every resource that comes with an interface and can be addressed through a CIM provider written in C++ is manageable; even SNMP-managed devices can be managed with WBEM. This high flexibility requires a willingness to invest implementation and configuration effort, which must not be underestimated. The research project showed a proof of concept, while a productive solution is still missing, owing to the missing management application for administrators. At this point the need for a best-practice method becomes obvious.

REFERENCES

Apache Imperius, <http://incubator.apache.org/imperius/>.
Dinger, J & Hartenstein, H 2008, Netzwerk- und IT-Sicherheitsmanagement, Universitätsverlag Karlsruhe, Karlsruhe.
DMTF 1999, Common Information Model (CIM), <http://www.dmtf.org/standards/cim>.
DMTF 1999, Web-Based Enterprise Management (WBEM), <http://www.dmtf.org/standards/wbem>.
DMTF 2009, CIM Simplified Policy Language (CIM-SPL), <http://www.dmtf.org/sites/default/files/standards/documents/dsp0231_1.0.0.pdf>.
DMTF Policy WG 2010, CIM Schema: Version 2.26.0, <http://dmtf.org/sites/default/files/cim/cim_schema_v2260/visio-cim_policy.pdf>.
Hobbs, C 2004, A Practical Approach to WBEM/CIM Management, CRC Press Inc, Boca Raton.
IETF 1990, A Simple Network Management Protocol (SNMP), <http://www.ietf.org/rfc/rfc1157.txt?number=1157>.
SimpleWBEM using CIMPLE 2006, <http://www.simplewbem.org/using_cimple2.pdf>.
YAWN - Yet Another WBEM Navigator, <http://sourceforge.net/apps/mediawiki/pywbem/index.php?title=yawn>.