NETWORK CONTROL
The Fourth Meeting
Table of Contents
- Introduction
- Configuration Control
- Security Control
Introduction
- Network control is concerned with modifying parameters in, and causing actions to be taken by, the end systems, intermediate systems, and subnetworks that make up the network to be managed
- All five functional areas of network management involve monitoring and control, but configuration and security are more concerned with control
- Issues in network control
  • what to control: define what is to be controlled
  • how to control: how to cause actions to be performed
Configuration Management
1. Define configuration information
2. Configuration monitoring
   - examine values and relationships
   - report on configuration status
3. Configuration control (may be required as a result of monitoring or event reports)
   - initialize and terminate network operations
   - set and modify attribute values
   - define and modify relationships
Define Configuration Information
Includes the nature and status of managed resources
- specification and attributes of resources
Network resources
- physical resources
  • end systems, routers, bridges, switches, modems, etc.
- logical resources
  • TCP connections, timers, counters, virtual circuits, etc.
Attributes
- name, address, ID number, states, operational characteristics, number of connections, etc.
Control function should be able to
- define new classes and attributes (mostly done off-line)
- define the type and range of attribute values
Set and Modify Attribute Values
When requesting agents to perform set and modify operations:
- the manager must be authorized
- some attributes cannot be modified (e.g., number of physical ports)
Modification categories
- MIB update only
  • does not require the agent to perform any other action
  • e.g., update of static configuration information
- MIB update plus resource modification
  • requires the agent to modify the resource itself
  • e.g., changing the state of a physical port to “disabled”
- MIB update plus action
  • perform actions as a side effect of the set operation
  • SNMP takes this approach
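As an added illustration that is not part of the slides, a toy Python agent showing the three modification categories, the authorization check and a read-only attribute described above; it is not real SNMP, the object names are borrowed loosely from MIB-II or constructed (rebootRequested, the manager names, the port registers are all invented), and it also keeps the who/what/when audit trail that the operational-practice list later on this page asks for.

```python
"""Toy SNMP-style agent for the set/modify categories on this page.
Added example, not real SNMP: object, manager and register names are constructed."""
import time
from dataclasses import dataclass


@dataclass
class MibObject:
    value: object
    writable: bool = True    # False for e.g. the number of physical ports
    # How a set affects the device:
    #   "mib"      -> MIB update only (static configuration information)
    #   "resource" -> MIB update plus modification of the real resource
    #   "action"   -> MIB update plus an action performed as a side effect
    category: str = "mib"


class Agent:
    def __init__(self, authorized_managers):
        self.authorized = set(authorized_managers)   # managers allowed to set
        self.port_registers = {1: 1, 2: 1}   # constructed "real resource", 1 = enabled
        self.mib = {
            "sysContact": MibObject("ops-team"),
            "ifNumber": MibObject(len(self.port_registers), writable=False),
            "ifAdminStatus.1": MibObject("enabled", category="resource"),
            "rebootRequested": MibObject(False, category="action"),
        }
        self.actions = []   # side-effect actions the agent performed
        self.audit = []     # audit trail: when, who, what, and the outcome

    def set(self, manager, name, value):
        status = self._apply(manager, name, value)
        self.audit.append((time.time(), manager, name, value, status))
        return status

    def _apply(self, manager, name, value):
        if manager not in self.authorized:
            return "noAccess"        # the manager must be authorized
        obj = self.mib.get(name)
        if obj is None:
            return "noSuchName"
        if not obj.writable:
            return "notWritable"     # some attributes cannot be modified
        obj.value = value            # every category updates the MIB
        if obj.category == "resource":   # core agent logic touches the device
            port = int(name.split(".")[1])
            self.port_registers[port] = 1 if value == "enabled" else 0
        elif obj.category == "action" and value:
            self.actions.append(name)
        return "noError"
```

Denied requests are recorded in the audit trail too, so the log answers "who tried what" and not only "who succeeded".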
Define and Modify Relationships
A relationship describes an association, connection, or condition that exists between network resources
- topology
- hierarchy
- containment
- physical or logical connections
- management domain
Configuration control should allow on-line modification of resources without taking all or part of the network down
Security Management
What should be secured in networks?
- information security
- computer security
- network security
Security requirements
- Secrecy
  • making information accessible only to authorized users
  • includes hiding the existence of information
- Integrity
  • making information modifiable only by authorized users
- Availability
  • making resources available only to authorized users
Security Threats
Interruption
  an asset is destroyed or becomes unavailable or unusable; a threat to “availability”
Interception
  an unauthorized party gains access; a threat to “secrecy”
Modification
  an unauthorized party makes modifications; a threat to “integrity”
Fabrication
  an unauthorized party inserts false information
Masquerade
  an entity pretends to be a different entity
Types of Security Threats
[Figure: information flow from an information source to an information destination, shown as (a) Normal flow, (b) Interruption, (c) Interception, (d) Modification, (e) Fabrication]
Security Threats and Network Assets

Asset               | Threats
--------------------|----------------------------------------------------------------------------------
Hardware            | Interruption (theft, denial of service)
Software            | Interruption (deletion); Interception; Modification
Data                | Interruption (loss); Interception (capture, analysis); Modification; Masquerade
Communication lines | Interruption (loss); Interception (capture, analysis); Modification; Masquerade
Security Management Functions
Maintain security information
- event logging, monitoring usage of security-related resources
- receiving notification of and reporting security violations
- maintaining and examining security logs
- maintaining backup copies of security-related files
Control resource access service
- use access control (authentication and authorization)
  • security codes (e.g., passwords)
  • routing tables, accounting tables, etc.
Control the encryption process
- must be able to encrypt messages between managers and agents
- specify encryption algorithms
Summary
- Network control is concerned with setting and changing parameters of various parts of network resources as consequences of network monitoring and analysis
- Configuration control and security control are two essential aspects of network control
THE BASIC INGREDIENTS OF NETWORK MANAGEMENT
Basic Components of Network Management
The Network Device
- The first main component in network management is the device that must be managed.
- In network management parlance, we also call the managed devices network elements (NEs).
- To be properly managed, they must participate in the management process.
Management Agent
- To be managed, a network element must offer a management interface through which a managing system can communicate with the network element for management purposes.
- For example, the management interface allows the managing system to send a request to the network element. This could be, for example, a request to configure a subinterface, to retrieve statistical data about the utilization of a port, or to obtain information about the status of a connection.
Manager-Agent Communication
- Manager and agent are important terms in network management parlance.
- They refer to the systems that manage (manager) and the systems that are managed (agent). Client/server is another well-known asymmetric communication relationship that the reader might already be familiar with; therefore, a few words on the relationship between manager/agent and client/server are in order.
Manager/Agent Versus Client/Server
- Network elements must provide a piece of software that implements the management interface.
- This software effectively provides the intermediary between the external manager and the managed device.
- We refer to this software generally as the management agent.
- In fact, this means that we are slightly overloading the term agent. Agent is used to refer both to the agent role that a network element plays in network management and to the software component, called the management agent, that allows the network element to play that role, that provides the management interface, and that represents the managed device to the manager.
Manager/Agent Versus Client/Server
- The management agent conceptually consists of three main parts: a management interface, a Management Information Base, and the core agent logic.
- The management interface handles management communication.
- The Management Information Base (MIB) is a conceptual data store that contains a management view of the device being managed. The conceptual data contained in this data store constitutes the management information.
- The core agent logic translates between the operation of the management interface, the MIB, and the actual device. For example, it translates the request to “retrieve a counter” into an internal operation that reads out the device hardware register that contains the desired information.
Anatomy of a Management Agent
Management Information, MOs, MIBs, and Real Resources
- Management information that is provided by a management agent provides an abstraction of these real-world aspects for management purposes.
- We refer to a chunk of management information that exposes one of these real-world aspects as a managed object (MO).
- An MO could represent a device fan along with its operational state, a port on a line card along with a set of statistical data, or a firewall rule.
- As you shall see later, many management protocols, including the Simple Network Management Protocol (SNMP), use their own flavor of MO, but for now we refer to an MO in its more general sense.
- An “MO” could thus be a MIB object in SNMP, a parameter in a command-line interface (CLI) command, or an element of an XML document in a web-based management interface.
Different Abstractions of the Same Real Resource
Basic Parts of Network Management
The Management System
- Management systems provide network providers with the tools to manage the network. These tools include applications to monitor the network, service provisioning systems, craft terminals, and so forth.
A Management Hierarchy
The MIB Always Resides with the Agent
Connecting a Craft Terminal to a Managed Device
Dedicated Versus Shared Management and Production Networks
The advantages of using a dedicated management network are numerous:
- Reliability: With a dedicated management network, management traffic is carried independently of traffic over the production network, making management significantly more reliable.
- Interference avoidance: When carried over the production network, management traffic competes with other networking traffic.
- Ease of network planning: Avoiding interference as described in the previous bullet requires careful network planning that takes into account the effects of unpredictable network management traffic.
- Security: A dedicated management network is harder to attack and easier to secure. End users and subscribers never come into contact with it; its devices are on a completely separate network.
There are also reasons not to use a dedicated management network and instead to carry management communication over a shared network:
- Cost and overhead: Despite its advantages, a dedicated management network requires a separate network to be built.
- No reasonable alternative: In quite a few cases, a shared network might realistically be the only option.
Beyond a good organizational structure and clear network management responsibilities, many other things need to be considered to run the network smoothly:
- Establishment of process and operational policies, documentation of operational procedures: This helps make management of the network consistent and efficient, and facilitates meeting a consistently high standard of operations.
- Collection of audit trails: Automatically logging the activities of operations support staff, i.e., who initiated what action, at what time.
- Network documentation: Make sure that not just your procedures and policies, but also your network itself, is well documented.
- Reliable backup and restore procedures: These provide your network operations with an invaluable lifeline that lets you bring the network back up in case of disasters and emergencies.
- Security emphasis: Security threats in networking have received a lot of attention in recent years. The most significant threat to your network might not be hackers from the outside, but disgruntled employees on the inside.