NETWORK CONTROL The Fourth Meeting



Table of Contents
• Introduction
• Configuration Control
• Security Control


Introduction
• Network control is concerned with modifying parameters in, and causing actions to be taken by, the end systems, intermediate systems, and subnetworks that make up the network to be managed
• All five functional areas of network management involve monitoring and control, but configuration and security are more concerned with control
• Issues in network control
  what to control?
  • define what is to be controlled
  how to control?
  • how to cause actions to be performed


Configuration Management
1. Define Configuration Information
2. Configuration Monitoring
  • Examine values and relationships
  • Report on configuration status
3. Configuration Control
  • may be required as a result of monitoring or event reports
  • Initialize and terminate network operations
  • Set and modify attribute values
  • Define and modify relationships


Define Configuration Information
• Includes the nature and status of managed resources: the specification and attributes of resources
• Network resources
  physical resources
  • end systems, routers, bridges, switches, modems, etc.
  logical resources
  • TCP connections, timers, counters, virtual circuits, etc.
• Attributes: name, address, ID number, states, operational characteristics, # of connections, etc.
• The control function should be able to define new classes and attributes (mostly done off-line) and define the type and range of attribute values


Set and Modify Attribute Values
• When requesting agents to perform set and modify, the manager must be authorized
• Some attributes cannot be modified (e.g., # of physical ports)
• Modification categories
  MIB update only
  • does not require the agent to perform any other action
  • e.g., update of static configuration information
  MIB update plus resource modification
  • requires the agent to modify the resource itself
  • e.g., changing the state of a physical port to “disabled”
  MIB update plus action
  • perform actions as a side effect of the set operation
  • SNMP takes this approach


Define and Modify Relationships
• A relationship describes an association, connection, or condition that exists between network resources: topology, hierarchy, containment, physical or logical connections, management domain
• Configuration control should allow on-line modification of resources without taking all or part of the network down


Security Management
• What should be secured in networks? information security, computer security, network security
• Security requirements
  Secrecy
  • making information accessible to only authorized users
  • includes the hiding of the existence of information
  Integrity
  • making information modifiable by only authorized users
  Availability
  • making resources available to only authorized users


Security Threats
• Interruption: an asset is destroyed or becomes unavailable or unusable; a threat to “availability”
• Interception: an unauthorized party gains access; a threat to “secrecy”
• Modification: an unauthorized party makes modifications; a threat to “integrity”
• Fabrication: an unauthorized party inserts false information
• Masquerade: an entity pretends to be a different entity


Types of Security Threats
[Figure: information flow from an information source to an information destination, shown in five panels: (a) Normal flow, (b) Interruption, (c) Interception, (d) Modification, (e) Fabrication]


Security Threats and Network Assets
• Hardware: Interruption (theft, denial of service)
• Software: Interruption (deletion), Interception, Modification
• Data: Interruption (loss), Interception (capture, analysis), Modification, Masquerade
• Communication lines: Interruption (loss), Interception (capture, analysis), Modification, Masquerade


Security Management Functions
• Maintain security information
  • event logging, monitoring usage of security-related resources
  • receiving notification of and reporting security violations
  • maintaining and examining security logs
  • maintaining backup copies of security-related files
• Control the resource access service
  • use access control (authentication and authorization)
  • security codes (e.g., passwords)
  • routing tables, accounting tables, etc.
• Control the encryption process
  • must be able to encrypt messages between managers & agents
  • specify encryption algorithms


Summary
• Network control is concerned with setting and changing parameters of various parts of network resources as consequences of network monitoring and analysis
• Configuration control and security control are two essential aspects of network control


THE BASIC INGREDIENTS OF NETWORK MANAGEMENT


Basic Components of Network Management


The Network Device

The first main component in network management consists of the device that must be managed.

In network management parlance, we also call the managed devices network elements (NEs).

To be properly managed, they must participate in the management process.


Management Agent

To be managed, a network element must offer a management interface through which a managing system can communicate with the network element for management purposes. For example, the management interface allows the managing system to send a request to the network element. This could be, for example, a request to configure a subinterface, to retrieve statistical data about the utilization of a port, or to obtain information about the status of a connection.


Manager-Agent Communication

Manager and agent are important terms in network management parlance.

They refer to the systems that manage (manager) and the systems that are managed (agent). Client/server is another well-known asymmetric communication relationship that the reader might already be familiar with; therefore, a few words on the relationship between manager/agent and client/server are in order.


Manager/Agent Versus Client/Server

Network elements must provide a piece of software that implements the management interface.

This software effectively provides the intermediary between external manager and managed device.

We refer to this software generally as the management agent.

In fact, this means that we are slightly overloading the term agent. Agent is used to refer both to the agent role that a network element plays in network management and to the software component, called the management agent, that allows the network element to play that role, that provides the management interface, and that represents the managed device to the manager.


Manager/Agent Versus Client/Server

The management agent conceptually consists of three main parts: a management interface, a Management Information Base, and the core agent logic.

The management interface handles management communication.

The Management Information Base (MIB) is a conceptual data store that contains a management view of the device being managed. The conceptual data contained in this data store constitutes the management information.

The core agent logic translates between the operation of the management interface, the MIB, and the actual device. For example, it translates the request to “retrieve a counter” into an internal operation that reads out a device hardware register that contains the desired information.
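The three-part agent described above (interface, MIB, core logic), the earlier rules for set and modify (manager authorization, read-only attributes such as the number of physical ports, the three modification categories, attribute value ranges) and the security-management functions of keeping an audit trail and reporting violations, worked through as one added Python example. This is illustration code written for this page, not code from the lecture or from any real SNMP implementation; the Agent class, the MIB_SCHEMA attribute names and the device register names are all constructed assumptions.

```python
# Toy management agent: management interface + MIB + core agent logic.
import time
MIB_ONLY, MIB_RESOURCE, MIB_ACTION = "mib_only", "mib_resource", "mib_action"  # lecture's 3 categories

# Constructed schema (hypothetical attribute names): writability, category, allowed range.
MIB_SCHEMA = {
    "sysLocation":      {"writable": True,  "category": MIB_ONLY},
    "port1AdminStatus": {"writable": True,  "category": MIB_RESOURCE,
                         "register": "port1_admin", "range": {"up", "disabled"}},
    "rebootTrigger":    {"writable": True,  "category": MIB_ACTION, "range": {0, 1}},
    "ifNumber":         {"writable": False, "register": "port_count"},  # # of physical ports
    "inOctets":         {"writable": False, "register": "in_octets"},   # a counter
}

class Agent:
    def __init__(self, authorized_managers):
        self.mib = {"sysLocation": "rack 1"}        # MIB: management view of the device
        self.registers = {"in_octets": 48213, "port1_admin": "up", "port_count": 24}
        self.authorized = set(authorized_managers)  # managers allowed to perform set
        self.audit = []                             # audit trail: (time, who, op, what, result)
        self.actions = []                           # side-effect actions performed

    def _log(self, manager, op, name, result):
        self.audit.append((time.time(), manager, op, name, result))
        return result

    def get(self, manager, name):
        spec = MIB_SCHEMA[name]
        # Core agent logic: counters and port state are read from device registers on demand.
        value = self.registers[spec["register"]] if "register" in spec else self.mib[name]
        self._log(manager, "get", name, "ok")
        return value

    def set(self, manager, name, value):
        spec = MIB_SCHEMA[name]
        if manager not in self.authorized:
            return self._log(manager, "set", name, "authorizationError")
        if not spec["writable"]:
            return self._log(manager, "set", name, "notWritable")
        if "range" in spec and value not in spec["range"]:
            return self._log(manager, "set", name, "wrongValue")
        self.mib[name] = value                        # every category updates the MIB
        if spec["category"] == MIB_RESOURCE:
            self.registers[spec["register"]] = value  # ...and modifies the resource itself
        elif spec["category"] == MIB_ACTION:
            self.actions.append((name, value))        # ...and performs an action
        return self._log(manager, "set", name, "ok")

    def violations(self):  # security-violation report drawn from the audit trail
        return [e for e in self.audit if e[4] in ("authorizationError", "notWritable")]
```

Every request, successful or not, lands in the audit trail with who, what and when, so an unauthorized set shows up in violations() rather than silently failing.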


Anatomy of a Management Agent


Management Information, MOs, MIBs, and Real Resources

Management information that is provided by a management agent offers an abstraction of these real-world aspects for management purposes.

We refer to a chunk of management information that exposes one of these real-world aspects as a managed object (MO).

An MO could represent a device fan along with its operational state, a port on a line card along with a set of statistical data, or a firewall rule.

As you shall see later, many management protocols, including the Simple Network Management Protocol (SNMP), use their own flavor of MO, but for now, we refer to an MO in its more general sense.

An “MO” could thus be a MIB object in SNMP, a parameter in a command-line interface (CLI) command, or an element of an XML document in a web-based management interface.


Different Abstractions of the Same Real Resource


Basic Parts of Network Management


The Management System

Management systems provide network providers with the tools to manage the network. These tools include applications to monitor the network, service provisioning systems, craft terminals, and so forth.


A Management Hierarchy


The MIB Always Resides with the Agent


Connecting a Craft Terminal to a Managed Device


Dedicated Versus Shared Management and Production Networks


The advantages of using a dedicated management network are numerous:

Reliability—With a dedicated management network, management traffic is carried independently of traffic over the production network, making management significantly more reliable.

Interference avoidance—When carried over the production network, management traffic competes with other networking traffic.

Ease of network planning—Avoiding interference as described in the previous bullet requires careful network planning that takes into account the effects of unpredictable network management traffic.

Security—A dedicated management network is harder to attack and easier to secure. End users and subscribers will never come into contact with it; its devices are on a completely separate network.


There are a variety of reasons not to use a dedicated management network and instead to carry management communication exchanges over a shared network:

Cost and overhead—Despite its advantages, a dedicated management network requires a separate network to be built.

No reasonable alternative—In quite a few cases, a shared network might realistically be the only option.


Beyond a good organizational structure and clear network management responsibilities, many other things need to be considered to be able to run the network smoothly:

Establishment of process and operational policies, documentation of operational procedures—This helps make management of the network consistent and efficient, and facilitates meeting a consistently high standard of operations.

Collection of audit trails—Automatically logging the activities of operations support staff: who initiated what action, at what time.

Network documentation—Make sure that not just your procedures and policies, but also your network itself, is well documented.

Reliable backup and restore procedures—This provides your network operations with an invaluable lifeline that lets you bring the network back up in case of disasters and emergencies.

Security emphasis—Security threats in networking have received a lot of attention in recent years. The most significant threat to your network might not be hackers from the outside, but disgruntled employees on the inside.