Internet criticalities


INTERNET CRITICALITIES
Activation and deactivation of the emergency back-up network
Fabrizio Cuccoli, Francesco Sermi
RaSS CNIT, UO Firenze
Outline
1) Reference Scenario and Network.
2) Most Reasonable Scenario.
3) Worst Case Scenario.
4) Characteristics of the SWING system.
5) Supervision of the Internet Links.
6) Simple Network Management Protocol.
7) Performance Monitoring and Management Tools
8) SWING Network Management System.
9) Reactivation of the Internet Links.
10) Considerations
13/12/2013
SWING Final Meeting | CNIT - Pisa, Italy
Reference Scenario and Network
Most Reasonable Scenario 1/2
• t0 – Hackers undertake a DoS attack on the Barcelona harbour facility.
• t0 + 2 m – The ECI of Barcelona detects the missing internet connection and
reports an alert to its connected CGA located in Madrid via the SWING
network.
• t0 + 2 m 30 s – After receiving the alert from Barcelona’s ECI, the SWING
station in the CGA – Madrid begins a check among all its connected ECIs
(Malaga and Valencia) and CGAs (Rome and Athens) to verify the status of
the internet connection for each of them. The interaction takes place via the
SWING network.
• t0 + 5 m – All the connected ECIs, with the exception of the one located in
Barcelona, report a normal status of the internet connection. The threat is
classified as “local”.
• t0 + 6 m 30 s – After about 8 minutes from its activation, the CGA in Madrid
consolidates the HF link with the ECI in Barcelona, providing a safe basic
connection via the SWING network.
Most Reasonable Scenario 2/2
Worst Case Scenario 1/2
• t0 + 3 m – The ECI – Palermo is under attack: it detects an interruption in the internet
connection and via the HF link signals its status to the connected CGA in Rome.
• t0 + 1 m 30 s – Rome’s CGA receives the alert message from one of its ECIs and
activates a check procedure among the connected nodes.
• t0 + 3 m 20 s – The ECIs in Naples and Patrasso also experience a loss of internet
connection. In about one minute they both send an alert to their respective CGA.
• t0 + 4 m – The CGA – Athens is under attack. It submits to the other CGAs a request to
activate the SWING network.
• t0 + 5 m 15 s – The CGA in Rome, detecting multiple alerts from some of its ECIs,
also confirms the request for SWING activation.
• t0 + 18 m – All the nodes are connected via the SWING network while their broadband
connection is inhibited.
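The decision a CGA takes at the end of its check round in the two scenarios above can be sketched as follows. This is an added example, not code from the SWING project: the Link states, the "recheck" and "normal" outcomes, the threshold of two ECIs for "multiple alerts" and the placement of Naples under Rome are assumptions.

```python
from enum import Enum

class Link(Enum):
    UP = "up"
    DOWN = "down"
    UNKNOWN = "unknown"  # node did not answer the check round (assumed state)

def classify(cga_link, eci_reports, multi_threshold=2):
    """Decide what a CGA does once its check round has finished.

    cga_link:    Link state of the CGA's own internet connection.
    eci_reports: {eci_name: Link} collected over the SWING network.
    Returns (decision, nodes_to_follow_up).
    """
    down = sorted(n for n, s in eci_reports.items() if s is Link.DOWN)
    unknown = sorted(n for n, s in eci_reports.items() if s is Link.UNKNOWN)
    # Worst case: the CGA itself is cut off, or several of its ECIs alert.
    if cga_link is Link.DOWN or len(down) >= multi_threshold:
        return "request-swing-activation", down + unknown
    # Most reasonable scenario: exactly one ECI is down, all others answered UP.
    if len(down) == 1 and not unknown:
        return "local", down
    # A missing answer is not evidence of a normal link: check again.
    if down or unknown:
        return "recheck", down + unknown
    return "normal", []

# Constructed check-round results based on the two scenarios on the slides.
MADRID = {"Barcelona": Link.DOWN, "Malaga": Link.UP, "Valencia": Link.UP}
ROME = {"Palermo": Link.DOWN, "Naples": Link.DOWN}  # Naples under Rome: assumed

if __name__ == "__main__":
    print(classify(Link.UP, MADRID))                              # Madrid scenario
    print(classify(Link.UP, ROME))                                # Rome, multiple alerts
    print(classify(Link.DOWN, {"Patrasso": Link.UP}))             # CGA itself attacked
    print(classify(Link.UP, {**MADRID, "Valencia": Link.UNKNOWN}))  # silent ECI
```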
Worst Case Scenario 2/2
Characteristics of the SWING system
• Hierarchical structure (each CGA monitors its respective ECIs);
• Simple design (it is an emergency system: fast activation, cheap
stand-by status);
• System resilience (it needs to be operative when other systems
are not);
• Scalability of the infrastructure (the definition of a new node does
not affect the functioning of the network).
Supervision of the Internet Links
• Fault Management (detection, isolation and resolution of
network faults);
• Configuration Management (configuring and adjusting a
network);
• Accounting Management (tracking the usage of network
resources);
• Performance Management (monitoring network utilization at
various points in a network);
• Security Management (processes to make the network secure).
Simple Network Management Protocol
SNMP is an internet-standard protocol for managing devices on
IP networks.
SNMP is made up of 3 components:
• Network Management System (NMS);
• Managed device;
• Agent.
SNMP operates in the Application Layer of the Internet Protocol Suite
(Layer 7 of the OSI model).
[Figure: managing entity, network management protocol, and managed devices each with an agent and its data]
Performance Monitoring and Management Tools
Active tools:

Tool       | Metrics                                 | Measurement approach
ping       | delay (RTT), loss                       | ICMP echo
iperf      | achievable bandwidth                    | path flooding
bing       | bandwidth capacity, loss, RTT delay     | variable packet size
traceroute | topology, delay (RTT)                   | varied TTL
pathchar   | bandwidth capacity, loss, delay (RTT)   | variable packet size
netperf    | achievable bandwidth                    | path flooding

Passive tools:
• Weather Maps – Multi Router Traffic Grapher (MRTG) diagram;
• Nagios (a host and service monitor designed to detect
network problems before the user does).
SWING Network Management System
[Figure: SWING NMS at an ECI/CGA site; labels: Web Server, Ethernet LAN, Router, HF Network, End-User, NMS, Internet, Gateway, HF]
- Distributed Monitoring Server at each ECI site;
- Central Monitoring Server at each CGA site.
Reactivation of the Internet links
• The CGAs involved in the attack regularly sense the Internet
connections of their respective ECIs. This is done through a simple sensing
procedure whose repetition frequency depends on the minimum latency for
the broadband reactivation indicated by the customer.
• When the CGA senses the availability of the internet connection to one of its
respective ECIs, it restores the broadband connection and disables the HF
emergency link.
• The deactivation of the emergency HF link is conditional on the restoration
of the traditional internet connection.
• The restoration of the broadband connection takes place in a capillary way:
from the external nodes to the inner ring of CGAs.
• The SWING deactivation procedure must occur in a controlled fashion, by
using specifically designed unambiguous end-of-message signals.
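The ordering constraints of the reactivation procedure above can be expressed as a small planner. This is an added example, not code from the SWING project: the function and action names are hypothetical, the topology is assumed, and keeping a CGA on HF until all of its ECIs are back on broadband is one reading of "from the external nodes to the inner ring". The sensing interval and end-of-message signalling are not modelled.

```python
def reactivation_plan(topology, internet_ok, on_hf):
    """Order the switch-back from the HF emergency link to broadband.

    topology:    {cga_name: [eci_name, ...]}
    internet_ok: nodes whose internet connection was sensed as available
    on_hf:       nodes currently served by the HF emergency link
    Returns a list of (node, action) steps in execution order.
    """
    steps, reverted = [], set()

    def revert(node):
        # HF is disabled only after broadband has been restored for the node.
        steps.append((node, "restore-broadband"))
        steps.append((node, "disable-hf"))
        reverted.add(node)

    # External nodes first: every ECI whose internet link is back.
    for ecis in topology.values():
        for eci in ecis:
            if eci in on_hf and eci in internet_ok:
                revert(eci)

    # Inner ring last: a CGA leaves HF only when its own link is back and
    # none of its ECIs still depends on the HF link (assumed rule).
    for cga, ecis in topology.items():
        pending = [e for e in ecis if e in on_hf and e not in reverted]
        if cga in on_hf and cga in internet_ok and not pending:
            revert(cga)
    return steps

# Constructed state: every node is on HF, Patrasso's internet is still down.
TOPOLOGY = {"Rome": ["Palermo", "Naples"], "Athens": ["Patrasso"]}  # assumed
ON_HF = {"Rome", "Palermo", "Naples", "Athens", "Patrasso"}
INTERNET_OK = {"Rome", "Palermo", "Naples", "Athens"}

if __name__ == "__main__":
    for node, action in reactivation_plan(TOPOLOGY, INTERNET_OK, ON_HF):
        print(f"{node}: {action}")
```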
Final Considerations
• The complete process required for the activation of the HF back-up network
after a warning alert event has been considered assuming a realistic network
configuration and two different potential terrorist attacks.
• The time needed to guarantee a safe basic internet connection via SWING to
the node under attack has been estimated at less than 10 minutes from the
triggering event.
• However, the actual time required for a complete SWING activation/
deactivation will depend on the event sequence that triggered the SWING and
on the complexity of the actual physical topology of the SWING network.