Master's in Communication Networks Engineering
TÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS 2008-2009
Network and Services Management, Security

Outline
Service Assurance process components
The Service Assurance process at the Network Operator targets the need to monitor and assure a high quality of the services delivered to customers. The ambition is to move from reactivity to pro-activity, i.e. to detect and circumvent errors before they have any impact on the service.
Alarm Handling
In a Network Operations Center (NOC), responsible for supervising a large network made up of heterogeneous equipment and systems, the focal point for alarm handling is very important. Alarms are collected from various sources, transformed into a unified format, logged and presented to different operators depending on their defined responsibilities. The alarm console is often the tool used to connect quickly to an Element Manager to perform any required testing, diagnostic or bypass operation. The number of alarms can be reduced by eliminating duplicates, applying correlation rules (to find primary and secondary alarms) and handling alarm on/off situations automatically. The service and customer impact of a serious alarm should be presented, to govern the further handling of the error.
Performance Management
This is a component that is normally capable of:
- Auto-detecting the current configuration of the infrastructure by browsing the IP network and the MIBs.
- Collecting performance data at specified periods or intervals. MIB polling, ping, remote ping, RMON (I and II) and ftp are techniques used to obtain (and even create) measurement data.
- Normalizing the data and storing it in a common database, where it may also be retrieved and used for long-term planning purposes.
- Performing threshold checking and generating alarms (to the Alarm handler) when thresholds are passed.
- Producing customized reports regularly or on demand.
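The threshold-checking step that links the Performance Manager to the Alarm Handler, with the alarm on/off handling and duplicate elimination the two slides describe, as an added example that is not part of the original slides. Node names, metric names, thresholds and poll values are constructed sample data.

```python
from typing import Optional

class ThresholdMonitor:
    """Threshold checking for a performance manager: turns periodic samples
    into alarm events for the alarm handler. A metric raises one 'on' alarm
    when it first exceeds its threshold and one 'off' alarm when it returns
    below it; repeated samples in the same state are duplicates and are
    suppressed, which is the alarm-reduction step described on the slides."""

    def __init__(self, thresholds: dict):
        self.thresholds = thresholds  # (node, metric) -> limit, constructed
        self.active = set()           # (node, metric) pairs currently in alarm
        self.events = []              # what would be forwarded to the alarm handler

    def sample(self, node: str, metric: str, value: float) -> Optional[dict]:
        """Process one collected sample; return the alarm event, or None."""
        key = (node, metric)
        limit = self.thresholds.get(key)
        if limit is None:
            return None  # no threshold defined for this metric
        crossed = value > limit
        if crossed and key not in self.active:
            self.active.add(key)
            state = "on"
        elif not crossed and key in self.active:
            self.active.remove(key)
            state = "off"
        else:
            return None  # same state as before: duplicate, suppressed
        event = {"node": node, "metric": metric, "state": state,
                 "value": value, "limit": limit}
        self.events.append(event)
        return event

def run_polls(thresholds: dict, samples: list) -> list:
    """Feed one polling run (a list of (node, metric, value)) through the monitor."""
    monitor = ThresholdMonitor(thresholds)
    for node, metric, value in samples:
        monitor.sample(node, metric, value)
    return monitor.events

# Constructed sample data: periodic polls of interface utilisation (percent).
THRESHOLDS = {("rtr1", "if1.util_pct"): 80.0, ("rtr2", "if1.util_pct"): 80.0}
POLLS = [
    ("rtr1", "if1.util_pct", 40.0),
    ("rtr1", "if1.util_pct", 85.0),  # crosses the limit: alarm on
    ("rtr1", "if1.util_pct", 92.0),  # still above: duplicate, suppressed
    ("rtr2", "if1.util_pct", 10.0),  # below limit, never in alarm: nothing
    ("rtr1", "if1.util_pct", 60.0),  # back below: alarm off
    ("rtr1", "if1.util_pct", 55.0),  # still below: nothing
]

if __name__ == "__main__":
    for ev in run_polls(THRESHOLDS, POLLS):
        print(ev)
```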
Problem Management
The Problem Management (Trouble Ticketing) components are used to administer the workflow and logistics around efforts that normally require human intervention. A common usage is sending out a field engineer to perform repair or installation work and letting him report back into the TT system when the task is completed. Since these tasks are often initiated by customer complaints, the TT component is sometimes also used as a helpdesk tool. This component normally has interfaces towards the Alarm manager (in both directions) and provides user interfaces for the customer help desk, the operations staff and the service personnel.
Network Management perspective

NM Principle of Operation
Internet Management - SNMP
- Management is done from the management station (manager).
- It communicates via the SNMP protocol with Agents.
- Information from a node that cannot run an agent can be retrieved from a proxy agent running on another node.
- The biggest part of SNMP describes the kind of information that a specific type of agent provides and its format.
- Each managed node holds the information that can be retrieved by SNMP in a special information base called the MIB (Management Information Base) (RFC1213).
- The MIB uses ASN.1 (Abstract Syntax Notation) to describe the managed information as objects. The ASN.1 OBJECT IDENTIFIER is used to uniquely identify every object.
SNMP Management
- SNMP: Simple Network Management Protocol. Application-layer protocol for managing TCP/IP based networks. Runs over UDP, which runs over IP.
- NMS (Network Management Station): device that polls SNMP agents for information.
- SNMP Agent: device (e.g. a router) running software that understands the SNMP language.
- MIB: Management Information Base. Database of information conforming to the SMI.
- SMI: Structure of Management Information. Standard that defines how to create a MIB.
Management Station
A Management Station is a stand-alone system or part of a shared system:
- interface for the human network manager
- set of management applications: data analysis, fault recovery
- interface to monitor and control the network: translates the manager's requirements into monitoring and control of remote elements
- database of network management information extracted from managed entities
Management Agent
Agents are found in equipment platforms and/or software, e.g. hosts, bridges, hubs, routers. They:
- allow their management by the management station
- respond to requests for information
- respond to requests for action
- asynchronously supply unsolicited information
SNMP Architecture
SNMP Protocol
The SNMP protocol is request-response based:
- A request is sent to an agent from the management station.
- Normally the agent replies with the requested information or confirms the update.
- Various errors can also be reported.
MIB - Management Information Base
MIB breakdown:
- OBJECT-TYPE: string that describes the MIB object, plus its Object IDentifier (OID).
- SYNTAX: defines what kind of information is stored in the MIB object.
- ACCESS: READ-ONLY or READ-WRITE.
- STATUS: state of the object with regard to the SNMP community.
- DESCRIPTION: reason why the MIB object exists.
Standard MIB object:
sysuptime OBJECT-TYPE
    SYNTAX TimeTicks
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Time since the network management portion of the system was last reinitialised."
    ::= {system 3}
MIB - Management Information Base
Object IDentifier (OID) example: .1.3.6.1.2.1.1
- iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1)
Note:
- .1.3.6.1 is present in ~100% of cases.
- mgmt and private are the most common subtrees.
- MIB-2 is the successor to the original MIB.
- STATUS mandatory: all or nothing within a group.
OID tree:
iso(1)
  org(3)
    dod(6)
      internet(1)
        directory(1)
        mgmt(2)
          mib-2(1)
            system(1)
            interfaces(2)
            ip(4)
            tcp(6)
        experimental(3)
        private(4)
MIB - Management Information Base
system(1) group
- Contains objects that describe some basic information on an entity.
- An entity can be the agent itself or the network object that the agent is on.
- Position in the tree: mib-2(1) -> system(1), next to interfaces(2).
system(1) group objects:
- sysdescr(1): description of the entity.
- sysobjectid(2): vendor-defined OID string.
- sysuptime(3): time since net-mgt was last re-initialised.
- syscontact(4): name of the person responsible for the entity.
MIB - Management Information Base
MIB - tree view:
mib-2(1)
  system(1)
    sysdesc(1)
    sysobjectid(2)
    sysuptime(3)
    syscontact(4)
MIB - syntax view:
sysuptime OBJECT-TYPE
    SYNTAX INTEGER
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The time (in hundredths of a second) since the network management portion of the system was last re-initialized."
    ::= {system 3}
MIB - Management Information Base
SNMP Instances
- Each MIB object can have an instance.
- A MIB for a router's (entity) interface information: iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) iftable(2) ifentry(1) iftype(3)
- Requires one iftype value per interface (e.g. 3).
- One MIB object definition can represent multiple instances through Tables, Entries, and Indexes.
MIB - Management Information Base
Tables, Entries, and Indexes
- Imagine tables as spreadsheets.
- Three interface types require 3 rows (index numbers).
- Each column represents a MIB object, as defined by the entry node.
- ENTRY + INDEX = INSTANCE

Row       iftype(3)       ifmtu(4)   Etc
Index #1  iftype.1: [6]   ifmtu.1
Index #2  iftype.2: [9]   ifmtu.2
Index #3  iftype.3: [15]  ifmtu.3
MIB - Management Information Base
Example MIB Query
- If we queried the MIB on iftype we could get:
  - iftype.1 : 6
  - iftype.2 : 9
  - iftype.3 : 15
- Which corresponds to:
  - iftype.1 : ethernet
  - iftype.2 : tokenring
  - iftype.3 : fddi
iftype OBJECT-TYPE
    SYNTAX INTEGER {
        other(1),
        ethernet(6),
        tokenring(9),
        fddi(15),
        -- etc
    }
Simple Network Management Protocol
Retrieval protocol for the MIB. Can retrieve by:
- CLI (snmpwalk),
- GUI (MIB Browser), or
- larger applications called Network Management Software.
NM Software is a collection of smaller applications to manage the network with illustrations, graphs, etc. NM Software runs on Network Management Stations, which can run several different NMS software applications.
SNMP Commands
SNMP has 5 different functions referred to as Protocol Data Units (PDU), which are:
(1) GetRequest, aka Get
(2) GetNextRequest, aka GetNext
(3) GetResponse, aka Response
(4) SetRequest, aka Set
(5) Trap
SNMP Commands [Get]
GetRequest [Get]
- Most common PDU.
- Used to ask the SNMP agent for the values of a particular MIB object.
- The NMS sends out 1 Get PDU for each instance, which is a unique OID string.
- What happens if you don't know how many instances of a MIB object exist?
SNMP Commands [GetNext]
GetNextRequest [GetNext]
- The NMS application uses GetNext to walk down (a table) within a MIB.
- Designed to ask for the OID and value of the MIB instance that comes after the one asked for.
- Once the agent responds, the NMS application can increment its count and generate another GetNext.
- This can continue until the NMS application detects that the OID has changed, i.e. it has reached the end (of the table).
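The instance/table model from the MIB slides and the GetNext walk described here, as an added example that is not part of the original slides: an in-memory agent MIB in lexicographic OID order, the agent's GetNext lookup, and the manager's walk that stops once the returned OID leaves the ifType column. The agent contents (sysUpTime.0 plus ifType and ifMtu for three interfaces) are constructed sample data; the ifType codes are the ones the slides list.

```python
from typing import Optional, Tuple

# ifType codes named on the slides (a subset of the IANA ifType values).
IFTYPE_NAMES = {1: "other", 6: "ethernet", 9: "tokenring", 15: "fddi"}

def oid_to_tuple(oid: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.2.2.1.3.1' -> (1, 3, 6, ...). Comparing these tuples gives
    the lexicographic OID order in which an agent walks its MIB."""
    return tuple(int(x) for x in oid.strip(".").split("."))

# Constructed agent MIB (OID -> value) for a router with three interfaces:
# sysUpTime.0 from the system group, then the ifType and ifMtu columns of ifTable.
AGENT_MIB = {
    "1.3.6.1.2.1.1.3.0": 123456,    # sysUpTime.0, hundredths of a second
    "1.3.6.1.2.1.2.2.1.3.1": 6,     # ifType.1 = ethernet
    "1.3.6.1.2.1.2.2.1.3.2": 9,     # ifType.2 = tokenring
    "1.3.6.1.2.1.2.2.1.3.3": 15,    # ifType.3 = fddi
    "1.3.6.1.2.1.2.2.1.4.1": 1500,  # ifMtu.1
    "1.3.6.1.2.1.2.2.1.4.2": 4464,  # ifMtu.2
    "1.3.6.1.2.1.2.2.1.4.3": 4352,  # ifMtu.3
}

def get_next(mib: dict, oid: str) -> Optional[Tuple[str, object]]:
    """Agent side of GetNextRequest: the first (oid, value) that sorts after
    `oid`, or None when the end of the MIB is reached."""
    key = oid_to_tuple(oid)
    for t, o in sorted((oid_to_tuple(o), o) for o in mib):
        if t > key:
            return o, mib[o]
    return None

def walk(mib: dict, subtree: str) -> dict:
    """Manager side: repeat GetNext from the column OID and stop as soon as the
    returned OID is no longer under `subtree` (the 'OID has changed' check)."""
    prefix = oid_to_tuple(subtree)
    found, current = {}, subtree
    while True:
        nxt = get_next(mib, current)
        if nxt is None:
            break  # end of MIB
        oid, value = nxt
        if oid_to_tuple(oid)[:len(prefix)] != prefix:
            break  # left the table column: end of the walk
        found[oid] = value
        current = oid  # the next GetNext starts from the instance just returned
    return found

def interface_types(mib: dict) -> dict:
    """Walk the ifType column and map each index to its name: {1: 'ethernet', ...}."""
    column = walk(mib, "1.3.6.1.2.1.2.2.1.3")
    return {oid_to_tuple(o)[-1]: IFTYPE_NAMES.get(v, "unknown") for o, v in column.items()}

if __name__ == "__main__":
    print(interface_types(AGENT_MIB))  # {1: 'ethernet', 2: 'tokenring', 3: 'fddi'}
```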
SNMP Commands [GetResponse]
GetResponse [Response]
- Simply a response to a Get, GetNext or Set.
- The SNMP agent responds to all requests or commands via this PDU.
SNMP Commands [SetRequest]
SetRequest [Set]
- Issued by an NMS application to change a MIB instance to the value carried within the Set PDU.
- For example, you could issue a GetRequest against a server asking for syslocation.0 and get HEAVEN as the response.
- Then, if the server was moved, you could issue a Set against that server to change its location to HELL.
- You must have the correct permissions when using the Set PDU.
SNMP Commands [Trap]
Trap
- Asynchronous notification.
- SNMP agents can be programmed to send a trap when a certain set of circumstances arises.
- Circumstances can be viewed as thresholds, i.e. a trap may be sent when the temperature of the core breaches a predefined level.
SNMP Security
SNMP Community Strings (like passwords) - 3 kinds:
- READ-ONLY: you can send a Get or GetNext to the SNMP agent, and if the agent is using the same read-only string it will process the request.
- READ-WRITE: Get, GetNext, and Set. If a MIB object has an ACCESS value of read-write, then a Set PDU can change the value of that object with the correct read-write community string.
- TRAP: allows administrators to cluster network entities into communities. Fairly redundant.
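The two checks an agent applies before honouring a request, the community string and the object's ACCESS clause, run through the syslocation.0 Get/Set story from the SetRequest slide, as an added example that is not part of the original slides. The community strings, object names and values are constructed; retrieval is simplified to a lookup by name rather than a lexicographic GetNext.

```python
from dataclasses import dataclass, field

@dataclass
class MibObject:
    value: object
    access: str  # the OBJECT-TYPE ACCESS clause: "read-only" or "read-write"

@dataclass
class Agent:
    """Constructed SNMPv1/v2c agent state: its community strings and objects.
    The community string is the only credential these versions carry, and it
    travels in cleartext in every PDU, so these checks are all the agent has."""
    read_only: str
    read_write: str
    objects: dict = field(default_factory=dict)

def make_agent() -> Agent:
    # Sample values, constructed for this example.
    return Agent(read_only="example-ro", read_write="example-rw", objects={
        "sysUpTime.0": MibObject(123456, "read-only"),
        "sysLocation.0": MibObject("HEAVEN", "read-write"),
    })

def handle(agent: Agent, community: str, pdu: str, name: str, new_value=None):
    """Returns (status, value). Status uses SNMPv1 error-status names where one
    exists (noError, noSuchName, readOnly); 'discard' models the agent silently
    dropping a PDU with a wrong community (RFC 1157 agents may also raise an
    authenticationFailure trap for it)."""
    # A read-only community may only Get/GetNext; Set needs the read-write one.
    allowed = {agent.read_only: {"Get", "GetNext"},
               agent.read_write: {"Get", "GetNext", "Set"}}
    if pdu not in allowed.get(community, set()):
        return "discard", None
    obj = agent.objects.get(name)
    if obj is None:
        return "noSuchName", None
    if pdu == "Set":
        if obj.access != "read-write":
            return "readOnly", None  # the ACCESS clause forbids the write
        obj.value = new_value
    return "noError", obj.value

def slide_scenario() -> list:
    """The Get-then-Set story from the slides, run against a fresh agent."""
    a = make_agent()
    return [handle(a, "example-ro", "Get", "sysLocation.0"),          # HEAVEN
            handle(a, "example-ro", "Set", "sysLocation.0", "HELL"),  # discarded
            handle(a, "example-rw", "Set", "sysUpTime.0", 0),         # readOnly
            handle(a, "example-rw", "Set", "sysLocation.0", "HELL"),  # accepted
            handle(a, "example-ro", "Get", "sysLocation.0")]          # HELL

if __name__ == "__main__":
    for step in slide_scenario():
        print(step)
```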
Management Tools
(Figure: taxonomy of generic management tools - development tools (MIBs, agents, applications), isolated platforms, integrated platforms, testers, protocol analysers, documentation management, enterprise management, Internet tools, problem management, IHM.)
Monitoring and Test Tools (single tools, lower levels, network)

Management Platforms (integrated tools, network)

Enterprise Management Systems (network)

Management Platforms: Problem Management, Event Correlation

Example of a broad NMS solution

Example of a visual Flow Manager

Example of a visual Fault Manager

Example of an Alert/Event Manager

Example of a Performance Manager

Example of an Impact Manager
Other Tools: Business Intelligence
(Figure: Business Intelligence architecture - Customer acquisition, Customer care, Fraud detection, Strategic Decision Support, Segmentation & Scoring, Campaign Assignment & Management, Event Management, Contact Management, Customer Information Management; built on a Business Intelligence Data Warehouse, Business Management and an Operational Data Store.)
Security goals
- Confidentiality: data transmitted or stored should only be revealed to an intended audience. Confidentiality of entities is also referred to as anonymity.
- Data Integrity: it should be possible to detect any modification of data. This requires being able to identify the creator of some data.
- Accountability: it should be possible to identify the entity responsible for any communication event.
- Availability: services should be available and function correctly.
- Controlled Access: only authorized entities should be able to access certain services or information.
What is a threat?
Abstract definition: a threat in a communication network is any possible event or sequence of actions that might lead to a violation of one or more security goals. The actual realization of a threat is called an attack.
Examples:
- A hacker breaking into a computer
- Disclosure of emails in transit
- Someone changing accounting data
- A hacker temporarily shutting down a website
- Someone using services or ordering goods in the name of others
Threats technically defined
- Masquerade: an entity claims to be another entity.
- Eavesdropping: an entity reads information it is not intended to read.
- Authorization Violation: an entity uses a service or resources it is not intended to use.
- Loss or Modification of (transmitted) Information: data is being altered or destroyed.
- Denial of Communication Acts (Repudiation): an entity falsely denies its participation in a communication act.
- Forgery of Information: an entity creates new information in the name of another entity.
- Sabotage: any action aiming to reduce the availability and/or correct functioning.
Threats and technical security goals
These threats are often combined in order to perform an attack!
Safeguards Against Information Security Threats
Physical Security:
- Locks or other physical access control
- Tamper-proofing of sensitive equipment
- Environmental controls
Personnel Security:
- Identification of position sensitivity
- Employee screening processes
- Security training and awareness
Administrative Security:
- Controlling import of foreign software
- Procedures for investigating security breaches
- Reviewing audit trails
- Reviewing accountability controls
Safeguards Against Information Security Threats
Emanations Security:
- Radio Frequency and other electromagnetic emanations controls
Media Security:
- Safeguarding storage of information
- Controlling marking, reproduction and destruction of information
- Ensuring that media containing information are destroyed securely
- Scanning media for viruses
Lifecycle Controls:
- Trusted system design, implementation, evaluation and endorsement
- Programming standards and controls
- Documentation controls
Safeguards Against Information Security Threats
Computer Security:
- Protection of information while stored / processed in a computer system
- Protection of the computing devices themselves
Communications Security:
- Protection of information during transport from one system to another
- Protection of the communication infrastructure itself
Communications security: some terminology
- Security Service: an abstract service that seeks to ensure a specific security property. A security service can be realized with the help of cryptographic algorithms and protocols as well as with conventional means.
- Cryptographic Algorithm: a mathematical transformation of input data (e.g. data, key) to output data. Cryptographic algorithms are used in cryptographic protocols.
- Cryptographic Protocol: a series of steps and message exchanges between multiple entities in order to achieve a specific security objective.
Security Services: overview
- Authentication: the most fundamental security service, which ensures that an entity has in fact the identity it claims to have.
- Integrity: ensures that data created by specific entities may not be modified without detection.
- Confidentiality: ensures the secrecy of protected data.
- Access Control: controls that each identity accesses only those services and information it is entitled to.
- Non-Repudiation: protects against entities participating in a communication exchange later falsely denying that the exchange occurred.
References and Readings