Network Security


Chapter 19:
Network Management
Business Data Communications, 5e
Fault Management
• A fault is an abnormal condition that
requires management attention (or action)
to repair
• Fault is usually indicated by failure to
operate correctly or by excessive errors
• Users expect quick and reliable resolution
Responding to Faults
• When faults occur, it is critical to quickly:
– Determine exactly where the fault is
– Isolate the rest of the network from the failure so that
it can continue to function without interference
– Reconfigure or modify the network to minimize the
effect of removing the failed component(s)
– Repair or replace the failed components to restore the
network to its initial state
User Requirements
for Fault Management
• Tolerant of occasional outages, but expect
speedy resolution
• Requires rapid and reliable fault detection
and diagnostic management functions
• Impact and duration of faults can be
minimized with redundancy
• Good communication with users about
outages and faults is critical
Accounting Management
• Reasons for accounting management:
– Internal chargebacks on network use
– User(s) may be abusing access privileges and burdening the
network at the expense of other users
– Users may be making inefficient use of the network
– Network manager can plan better for network growth if user
activity is known in sufficient detail.
• Accounting reports should be generated under network
manager control.
• Facility must provide verification of users' authorization
to access and manipulate accounting information
Configuration Management
• Concerned with:
– initializing a network and gracefully shutting down
part or all of the network
– maintaining, adding, and updating the relationships
among components and the status of components
themselves during network operation
• Operations on certain components should be able
to be performed unattended
• Network manager needs the capability to change
the connectivity of network components
• Users should be notified of configuration changes
Performance Management
• Issues of concern to the network manager
include:
– What is the level of capacity utilization?
– Is there excessive traffic?
– Has throughput been reduced to unacceptable levels?
– Are there bottlenecks?
– Is response time increasing?
• Network managers need performance statistics to
help them plan, manage, and maintain large
networks
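The utilization question above is usually answered from two polls of an interface's SNMP counters. The following is an added example (not from the book): it computes one-direction link utilization from constructed ifInOctets and sysUpTime samples, corrects the Counter32 wrap that a busy link hits between polls, and discards the delta when the agent's uptime went backwards (reboot or counter reset), which would otherwise produce a false alarm. The thresholds and the sample values are assumptions.

```python
"""Capacity utilization of an interface from two polls of its SNMP counters.

Added example, not from the book: the samples are constructed. It uses
ifInOctets (a 32-bit Counter32 that wraps modulo 2**32) and sysUpTime
(hundredths of a second) from the standard MIB-2 objects.
"""

COUNTER32_MOD = 2 ** 32
COUNTER64_MOD = 2 ** 64   # use with ifHCInOctets on high-speed interfaces


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MOD) -> int:
    """Units transferred between two polls, correcting a single counter wrap."""
    return (new - old) % modulus


def link_utilization(prev: dict, cur: dict, if_speed_bps: int,
                     modulus: int = COUNTER32_MOD):
    """Fraction of one-direction capacity used between two polls.

    Each poll is a dict with 'sysUpTime' (TimeTicks, 1/100 s) and 'ifInOctets'.
    Returns None when the agent's uptime went backwards (reboot or counter
    reset), because the octet delta is meaningless in that case.
    """
    if cur["sysUpTime"] < prev["sysUpTime"]:
        return None
    interval_s = (cur["sysUpTime"] - prev["sysUpTime"]) / 100
    if interval_s <= 0:
        return None
    bits = counter_delta(prev["ifInOctets"], cur["ifInOctets"], modulus) * 8
    return bits / (interval_s * if_speed_bps)


def classify(util, warn: float = 0.70, crit: float = 0.90) -> str:
    """Turn a utilization fraction into a simple status for the operator.
    The 70 % / 90 % thresholds are assumed values, not from the book."""
    if util is None:
        return "unknown (counter reset)"
    if util >= crit:
        return "critical"
    if util >= warn:
        return "warning"
    return "ok"


# Constructed polls of a 100 Mb/s interface 30 s apart; the counter wrapped
# past 2**32 between them, so a naive new - old would be hugely negative.
POLL_A = {"sysUpTime": 0, "ifInOctets": 4_294_000_000}
POLL_B = {"sysUpTime": 3000, "ifInOctets": 75_000_000}
IF_SPEED = 100_000_000

if __name__ == "__main__":
    u = link_utilization(POLL_A, POLL_B, IF_SPEED)
    print(f"utilization={u:.3f} status={classify(u)}")
```

For interfaces faster than about 100 Mb/s poll the 64-bit ifHCInOctets counters (pass COUNTER64_MOD), since a Counter32 can wrap more than once inside a polling interval and the correction above only handles a single wrap.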
Security Management
• Concerned with
– generating, distributing, and storing encryption keys
– monitoring and controlling access to networks
– controlling access to all or part of the network management
information
– collection, storage, and examination of audit records
and security logs
• Provides facilities for protection of network
resources and user information
• Network security facilities should be available
for authorized users only
Network Management Systems
• Collection of tools for network monitoring and
control, integrated in these ways:
– A single user-friendly operator interface for
performing most or all network management tasks
– A minimal amount of separate equipment
• Consists of incremental hardware and software
additions implemented among existing network
components
• Designed to view the entire network as a unified
architecture, and provide regular feedback of
status information to the network control center
Network Management
System Architecture
Components of the NMS
• All nodes run the Network Management
Entity (NME) software
• Network control host or manager runs the
Network Management Application (NMA)
• Other nodes are considered agents
Network Management Entity
• Collection of software contained in each network
node, devoted to the network management task
• Performs the following tasks:
– Collect statistics on communications and network-related
activities.
– Store statistics locally
– Respond to commands from the network control center
– Send messages to NCC when local conditions undergo a
significant change
Simple Network Management
Protocol (SNMP)
• Originally developed for use as a network
management tool for networks and internetworks
operating TCP/IP.
• A collection of specifications that include the
protocol itself, the definition of a database, and
associated concepts.
• Network Management Model
– Management station
– Agent
– Management information base
– Network management protocol
SNMPv1 Configuration
Role of SNMPv1
SNMPv2
• Released in 1992, revised in 1996
• Addressed functional deficiencies in
SNMP
• Accommodates decentralized network
management
• Improves efficiency of data transfer
Elements of SNMPv2
• Each "player" in the network management system
maintains local database of network management
information (MIB)
• Standard defines information structure and
allowable data types (SMI)
• At least one system must be responsible for
network management; others act as agents
• Information exchanged using a simple
request/response protocol, usually running over
UDP
Structure of Management
Information (SMI)
• Defines framework within which a MIB
can be defined and constructed
– data types that can be stored
– formal technique for defining objects and
tables of objects
– scheme for associating a unique identifier with
each actual object in a system
• Emphasis on simplicity and extensibility
SNMPv2 Protocol Operation
• Basic unit of exchange is the message
– Outer message wrapper
– Inner protocol data unit (PDU)
• Common fields in PDUs
– Request-id field is an integer assigned such that each
outstanding request can be uniquely identified.
– Variable-bindings field contains a list of object
identifiers; depending on the PDU, the list may also
include a value for each object.
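To make the message wrapper, the PDU, the request-id and the variable-bindings concrete, here is an added example (not from the book) that BER-encodes an SNMPv2c GetRequest for sysDescr.0 and parses it back. Only the ASN.1 types a GetRequest needs are implemented; the community string "public" and request-id 1234 are constructed values. Note that the community string sits in the clear inside the wrapper, which is the weakness SNMPv3's security services were introduced to address.

```python
"""Build and parse an SNMPv2c GetRequest with hand-written BER encoding.

Added example, not from the book: it shows the outer message wrapper (version,
community string) around the inner PDU (request-id, error-status,
error-index, variable-bindings). Only the ASN.1 types a GetRequest needs are
implemented; real traffic should be handled by a full SNMP library.
"""

SNMP_V2C = 1          # value of the version field for SNMPv2c
GET_REQUEST = 0xA0    # PDU tag: context-specific [0], constructed
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # MIB-2 system.sysDescr instance


def encode_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    size = 1
    while not -(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, v.to_bytes(size, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, request_id: int, oids) -> bytes:
    """Outer SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = (encode_integer(request_id)      # lets the manager match the reply
           + encode_integer(0)             # error-status, always 0 in a request
           + encode_integer(0)             # error-index
           + tlv(0x30, varbinds))          # variable-bindings, values NULL
    return tlv(0x30, encode_integer(SNMP_V2C)
               + tlv(0x04, community.encode())
               + tlv(GET_REQUEST, pdu))


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def decode_value(tag: int, raw: bytes):
    if tag == 0x02:
        return int.from_bytes(raw, "big", signed=True)
    if tag == 0x04:
        return raw.decode("latin-1")
    if tag == 0x05:
        return None
    if tag == 0x06:
        arcs, acc = [raw[0] // 40, raw[0] % 40], 0
        for b in raw[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        return ".".join(map(str, arcs))
    return raw   # other types left undecoded


def parse_message(data: bytes) -> dict:
    _, msg, _ = read_tlv(data, 0)                       # message wrapper
    tag, raw, pos = read_tlv(msg, 0)
    version = decode_value(tag, raw)
    tag, raw, pos = read_tlv(msg, pos)
    community = decode_value(tag, raw)
    pdu_tag, pdu, _ = read_tlv(msg, pos)                # inner PDU
    fields, pos = [], 0
    for _ in range(3):                                  # request-id, error-status, error-index
        tag, raw, pos = read_tlv(pdu, pos)
        fields.append(decode_value(tag, raw))
    _, vb_list, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = read_tlv(vb_list, pos)
        otag, oraw, p = read_tlv(vb, 0)
        vtag, vraw, _ = read_tlv(vb, p)
        varbinds.append((decode_value(otag, oraw), decode_value(vtag, vraw)))
    return {"version": version, "community": community, "pdu_type": pdu_tag,
            "request_id": fields[0], "error_status": fields[1],
            "error_index": fields[2], "varbinds": varbinds}


if __name__ == "__main__":
    msg = build_get_request("public", 1234, [SYS_DESCR_0])
    print(msg.hex())
    print(parse_message(msg))
```

The encoded request is 41 bytes; the same parser reads a GetResponse (tag 0xA2) because only the PDU tag and the values in the variable-bindings differ, which is why the request-id is needed to pair each reply with its outstanding request.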
SNMPv2 PDU Format
SNMPv3
• Released in 1998, addressed security
deficiencies in SNMP and SNMPv2
• Does not provide a complete SNMP
capability; defines an overall SNMP
architecture and a set of security
capabilities for use with SNMPv2
SNMPv3 Services
• User-Based Security Model (USM)
– Authentication
– Privacy
• View-Based Access Control Model
(VACM)
– Access Control
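The USM authentication service above rests on two steps from RFC 3414: turning a user's password into a key and localizing that key to the agent's snmpEngineID, then computing a truncated HMAC over the message. The following is an added example using only the standard hashlib and hmac modules; the "message" is a constructed byte string with a 12-byte zero-filled slot where msgAuthenticationParameters would be, not an encoded SNMPv3 PDU. The password and first engine ID are the RFC 3414 Appendix A.3 sample values; the second engine ID is constructed. The privacy service derives its key the same way but is not shown.

```python
"""SNMPv3 USM authentication: password-to-key (RFC 3414 A.2), key
localization, and the HMAC-SHA-96 msgAuthenticationParameters field.

Added example using only hashlib/hmac; the 'message' below is a constructed
byte string with a 12-byte zero-filled slot where the real field would be,
not an encoded SNMPv3 PDU.
"""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # RFC 3414: hash the password repeated to 2**20 octets
AUTH_PARAM_LEN = 12        # HMAC-SHA-96 keeps the first 96 bits of the MAC


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """Ku: the deliberately slow step that makes password guessing costly."""
    pw = password.encode()
    stream = (pw * (EXPANDED_LEN // len(pw) + 1))[:EXPANDED_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password, a distinct key per agent,
    so a key lifted from one agent does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes) -> bytes:
    return hmac.new(kul, whole_msg, "sha1").digest()[:AUTH_PARAM_LEN]


def sign_message(kul: bytes, msg: bytes, offset: int) -> bytes:
    """Sender: compute the MAC with the field zero-filled, then splice it in."""
    zeroed = msg[:offset] + bytes(AUTH_PARAM_LEN) + msg[offset + AUTH_PARAM_LEN:]
    mac = auth_parameters(kul, zeroed)
    return msg[:offset] + mac + msg[offset + AUTH_PARAM_LEN:]


def verify_message(kul: bytes, msg: bytes, offset: int) -> bool:
    """Receiver: re-zero the field, recompute, compare in constant time."""
    received = msg[offset:offset + AUTH_PARAM_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAM_LEN) + msg[offset + AUTH_PARAM_LEN:]
    return hmac.compare_digest(auth_parameters(kul, zeroed), received)


# Constructed stand-in for a message: header, the 12-byte auth slot, payload.
HEADER = b"v3hdr|"
PAYLOAD = b"|get sysDescr.0"
AUTH_OFFSET = len(HEADER)
TEMPLATE = HEADER + bytes(AUTH_PARAM_LEN) + PAYLOAD

ENGINE_A = bytes.fromhex("000000000000000000000002")  # engine ID from RFC 3414 A.3
ENGINE_B = bytes.fromhex("000000000000000000000003")  # constructed second agent


def demo(password: str = "maplesyrup") -> dict:
    """Derive keys for two agents from one password, sign, then verify
    the genuine message, a modified copy, and the wrong agent's key."""
    ku = password_to_key(password)
    kul_a = localize_key(ku, ENGINE_A)
    kul_b = localize_key(ku, ENGINE_B)
    signed = sign_message(kul_a, TEMPLATE, AUTH_OFFSET)
    tampered = signed.replace(b"sysDescr", b"sysName ")   # same length, one field changed
    return {
        "ku": ku.hex(),
        "kul_a": kul_a.hex(),
        "distinct_per_engine": kul_a != kul_b,
        "valid": verify_message(kul_a, signed, AUTH_OFFSET),
        "tampered_valid": verify_message(kul_a, tampered, AUTH_OFFSET),
        "wrong_engine_valid": verify_message(kul_b, signed, AUTH_OFFSET),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the MAC covers the whole message, including the engine ID, time and boot counters in the real header, a receiver that checks those fields against its own values also rejects replayed messages; that timeliness check is part of USM but not of this example.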
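The VACM access-control item on the SNMPv3 Services slide is a table-driven decision: a security model and name map to a group, the group and security level select read/write/notify views, and a view is a list of OID subtree families (with an optional mask and an included/excluded type) where the longest matching family wins. The following is an added example (not from the book or any SNMP implementation) of that decision procedure over a constructed policy: a "monitor" user may read the system group only, and a "netops" user may read everything except the USM and VACM configuration objects and may write any ifEntry column of interface 3 only. User names, group names and view names are assumptions.

```python
"""View-based access control (VACM, RFC 3415) as a small policy evaluator.

Added example, not from the book or any SNMP implementation. The tables
below are a constructed policy; the OIDs are standard MIB-2 / SNMPv3 ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple      # OID arcs of the family root
    mask: tuple         # per arc: 1 = must match, 0 = wildcard; missing bits count as 1
    included: bool      # vacmViewTreeFamilyType included(1) / excluded(2)


def family_matches(fam: ViewFamily, oid: tuple) -> bool:
    """An OID belongs to a family if it is at least as long as the subtree and
    every non-wildcarded arc of the subtree equals the OID's arc."""
    if len(oid) < len(fam.subtree):
        return False
    for i, arc in enumerate(fam.subtree):
        bit = fam.mask[i] if i < len(fam.mask) else 1
        if bit == 1 and oid[i] != arc:
            return False
    return True


def oid_in_view(view: list, oid: tuple) -> bool:
    """Longest (then lexicographically greatest) matching family decides."""
    matches = [f for f in view if family_matches(f, oid)]
    if not matches:
        return False
    best = max(matches, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

# vacmSecurityToGroupTable: (securityModel, securityName) -> groupName
SECURITY_TO_GROUP = {("usm", "monitor"): "readers", ("usm", "netops"): "operators"}

# vacmAccessTable: (group, minimum security level, readView, writeView, notifyView)
ACCESS = [
    ("readers", "authNoPriv", "systemOnly", None, None),
    ("operators", "authPriv", "noSecrets", "port3", "noSecrets"),
]

# vacmViewTreeFamilyTable, grouped by view name
VIEWS = {
    "systemOnly": [ViewFamily((1, 3, 6, 1, 2, 1, 1), (), True)],
    "noSecrets": [
        ViewFamily((1, 3, 6, 1), (), True),
        ViewFamily((1, 3, 6, 1, 6, 3, 15), (), False),   # SNMP-USER-BASED-SM-MIB
        ViewFamily((1, 3, 6, 1, 6, 3, 16), (), False),   # SNMP-VIEW-BASED-ACM-MIB
    ],
    # ifEntry.<any column>.3 : mask bit 9 wildcards the column arc
    "port3": [ViewFamily((1, 3, 6, 1, 2, 1, 2, 2, 1, 0, 3),
                         (1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1), True)],
}


def find_access(group: str, level: str):
    """Entries whose minimum level the request meets; the strictest wins."""
    ok = [e for e in ACCESS if e[0] == group and LEVELS[e[1]] <= LEVELS[level]]
    return max(ok, key=lambda e: LEVELS[e[1]]) if ok else None


def is_access_allowed(model: str, name: str, level: str,
                      view_type: str, oid: tuple) -> str:
    """Mirror of RFC 3415's isAccessAllowed; returns the status it would."""
    group = SECURITY_TO_GROUP.get((model, name))
    if group is None:
        return "noGroupName"
    entry = find_access(group, level)
    if entry is None:
        return "noAccessEntry"
    view_name = entry[{"read": 2, "write": 3, "notify": 4}[view_type]]
    if view_name is None:
        return "noSuchView"
    return "accessAllowed" if oid_in_view(VIEWS[view_name], oid) else "notInView"


SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
IF_IN_OCTETS_1 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 10, 1)
IF_ADMIN_STATUS_3 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7, 3)
IF_ADMIN_STATUS_4 = (1, 3, 6, 1, 2, 1, 2, 2, 1, 7, 4)
USM_USER_ROW = (1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1, 3, 1)

if __name__ == "__main__":
    print(is_access_allowed("usm", "monitor", "authNoPriv", "read", SYS_DESCR_0))
    print(is_access_allowed("usm", "netops", "authPriv", "write", IF_ADMIN_STATUS_4))
    print(is_access_allowed("usm", "netops", "authPriv", "read", USM_USER_ROW))
```

The exclusion families are what keep an operator with broad read access from listing the USM user table or the VACM tables themselves; a real context-name check and the notify view lookup for traps follow the same path.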