
Network Information and Management Infrastructure

Network Information and Management Infrastructure. Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe Klemencic, Donna Lamore, Mark Leininger, Don Petravick, Vladimir Podstavkov, Randy Reitz Fermi National Accelerator Laboratory. Challenges of FNAL LAN management.



  1. Network Information and Management Infrastructure
     Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe Klemencic, Donna Lamore, Mark Leininger, Don Petravick, Vladimir Podstavkov, Randy Reitz
     Fermi National Accelerator Laboratory
     CHEP2006

  2. Challenges of FNAL LAN management
     • Specifics of the FNAL network:
       • Large
       • Open, dynamic
       • Exposed
     • Successful network and network security management requires coordinated cooperation of the key players:
       • Data Communications
       • Computer Security
       • Users
       • Desktop support

  3. What is NIMI?
     • NIMI stands for Network Information and Management Infrastructure
     • Hardware: 2 Linux servers
     • Database with quasi-real-time network status data
       • PostgreSQL
     • Network Data Collector
     • Data access and application-building framework
       • Python as the programming language
       • PostgreSQL as the database solution
       • (Kerberized) SOAP as the middleware communication mechanism
       • Kerberos and X.509 certificates as the authentication mechanisms
       • Zope as the web interface development tool

  4. Big Picture (diagram slide)

  5. NIMI Database
     • PostgreSQL based
     • Stores quasi-real-time network state data
     • Uses PostgreSQL backup functionality to keep backups in 3 locations:
       • Another disk on the same server
       • Backup NIMI DB server
       • FNAL CD Backup Server
     • Data has been kept since March 2004
     • < 5 GB on disk

  6. NIMI Collector
     • Collects network state information from network devices
     • Stores the data in the NIMI Database and makes it available to applications
     • Information collected:
       • DHCP leases (quasi-real time)
       • ARP tables (periodic polls)
       • VPN sessions (periodic polls)
       • Switch forwarding tables (periodic polls)

  7. NIMI-Based Applications
     • Network Inventory
       • Up-to-date inventory of network devices and services
     • Scanners
       • Configuration problems
       • Software version monitoring
       • Vulnerabilities
     • TIssue
       • Computer Security Issue Tracking workflow system
       • Fed by the scanners

  8. Network Inventory
     • Provides up-to-date information about the network devices present on the LAN
     • New node discovery uses ping scans and ARP table data:
       • Periodic subnet pings (every 2 minutes)
       • ARP tables (delayed up to 15 minutes)
     • Collects information about the OS version and the services found on each computer
     • Most new nodes are scanned within 5 minutes
     • Helps optimize the efficiency of the other scanners
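The Collector (slide 6) and the Inventory (slide 8) together amount to "parse vendor-specific dumps into a database, then diff the sightings against what is already known". The following is an added example written for this page, not NIMI's own code: it parses a constructed Cisco-style ARP table and a constructed ISC dhcpd lease record, stores the sightings, and reports the MAC addresses that have never been seen before (the ones the scanners should look at first). sqlite3 stands in for PostgreSQL; the table layout, the two input formats, the function names, and every address and hostname are assumptions made for the example.

```python
"""NIMI-style collector and inventory diff (added example, not FNAL's code).

Two constructed inputs, a Cisco-style 'show ip arp' dump and an ISC dhcpd
lease record, are parsed into "sightings", stored, and diffed against the
inventory so that MAC addresses never seen before can be handed to the
scanners.  sqlite3 stands in for PostgreSQL; the table layout, the input
formats and all addresses/hostnames are assumptions made for this example.
"""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample data (private addresses, invented MACs and hostname).
ARP_TABLE = """\
Internet  10.1.10.5       12   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.17       0   0011.2233.aabb  ARPA   Vlan10
Internet  10.1.10.200     91   0011.2233.ccdd  ARPA   Vlan10
"""

DHCP_LEASES = """\
lease 10.1.10.200 {
  starts 3 2006/02/15 14:02:11;
  ends 3 2006/02/15 22:02:11;
  hardware ethernet 00:11:22:33:cc:dd;
  client-hostname "laptop-42";
}
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>[0-9a-f.]+)\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)
LEASE_BLOCK = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.DOTALL)


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form, whatever the vendor dump used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """(ip, mac, interface) tuples; lines that do not match are ignored."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            rows.append((m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return rows


def parse_dhcp_leases(text):
    """(ip, mac, hostname) tuples; mac/hostname are None when absent."""
    leases = []
    for m in LEASE_BLOCK.finditer(text):
        body = m["body"]
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.IGNORECASE)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases.append((m["ip"],
                       normalize_mac(mac.group(1)) if mac else None,
                       host.group(1) if host else None))
    return leases


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sighting  (ip TEXT, mac TEXT, source TEXT, seen_at TEXT);
        CREATE TABLE inventory (mac TEXT PRIMARY KEY, ip TEXT, hostname TEXT,
                                first_seen TEXT, last_seen TEXT);
    """)
    return db


def store_sightings(db, rows, source, now):
    """Record every (ip, mac) a collector run saw, tagged with its data source."""
    db.executemany(
        "INSERT INTO sighting (ip, mac, source, seen_at) VALUES (?, ?, ?, ?)",
        [(ip, mac, source, now.isoformat()) for ip, mac, *_ in rows],
    )


def discover_new_nodes(db, since, now):
    """Return (ip, mac) for MACs sighted after `since` that are not yet in the
    inventory, and refresh the inventory.  Keying on MAC rather than on IP
    means a DHCP client that changes address is still the same node."""
    new = []
    rows = db.execute(
        "SELECT DISTINCT ip, mac FROM sighting WHERE seen_at > ? AND mac IS NOT NULL",
        (since.isoformat(),),
    ).fetchall()
    for ip, mac in rows:
        if db.execute("SELECT 1 FROM inventory WHERE mac = ?", (mac,)).fetchone():
            db.execute("UPDATE inventory SET ip = ?, last_seen = ? WHERE mac = ?",
                       (ip, now.isoformat(), mac))
        else:
            db.execute("INSERT INTO inventory (mac, ip, first_seen, last_seen) "
                       "VALUES (?, ?, ?, ?)", (mac, ip, now.isoformat(), now.isoformat()))
            new.append((ip, mac))
    return new


def apply_lease_hostnames(db, leases):
    """DHCP is the one source that knows a hostname; attach it to the MAC."""
    for _ip, mac, hostname in leases:
        if mac and hostname:
            db.execute("UPDATE inventory SET hostname = ? WHERE mac = ?", (hostname, mac))


def lookup(db, mac):
    return db.execute("SELECT ip, hostname FROM inventory WHERE mac = ?", (mac,)).fetchone()


def demo():
    """One collection cycle, then a second one 15 minutes later with the same hosts."""
    t0 = datetime(2006, 2, 15, 14, 5, tzinfo=timezone.utc)
    db = open_db()
    store_sightings(db, parse_arp_table(ARP_TABLE), "arp", t0)
    store_sightings(db, parse_dhcp_leases(DHCP_LEASES), "dhcp", t0)
    first = discover_new_nodes(db, t0 - timedelta(minutes=15), t0)
    apply_lease_hostnames(db, parse_dhcp_leases(DHCP_LEASES))
    t1 = t0 + timedelta(minutes=15)
    store_sightings(db, parse_arp_table(ARP_TABLE), "arp", t1)
    second = discover_new_nodes(db, t0, t1)
    return {"first": sorted(first), "second": second,
            "laptop": lookup(db, "00:11:22:33:cc:dd")}
```

The second collection cycle reports nothing new because all three MACs are already in the inventory; only the first cycle produces work for the scanners. A host that answers the subnet ping but whose MAC never shows up in any ARP or DHCP data would be missed by this MAC-keyed diff, which is one reason the slide lists both ping scans and ARP tables as discovery sources.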

  9. Scanners
     • Run on the Scanner Farm
     • Use data from the Inventory Scanner to scan new nodes within 10-20 minutes of their arrival, then re-scan them in a lazy manner as they stay online
     • Three areas:
       • Vulnerabilities (Vulnerability Scanner)
       • System misconfiguration
       • Outdated software
     • The Vulnerability Scanner uses nmap to detect vulnerabilities (nmap itself is a port and service-version scanner; the vulnerability judgement is made from what it reports)
     • Scanners supply events for TIssue
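The "lazy" rescan policy on this slide is what keeps a scanner farm from spending its capacity on long-lived hosts it has already checked. Below is an added example of one way to schedule it, written for this page and not taken from NIMI: a priority queue in which a newly discovered node is scanned promptly, and a node that stays online is rescanned at intervals that double up to a cap. The delay and interval values, the class and method names, and the node addresses are assumptions made for the example.

```python
"""Lazy rescan scheduling in the style of the NIMI scanner farm (added example,
not FNAL's code).  A node the inventory has just discovered is scanned
promptly; a node that stays online is rescanned at intervals that double up
to a cap, so scanner capacity goes to new arrivals rather than to long-lived,
already-checked hosts.  The delay and interval values are assumptions made
for this example."""
import heapq
from datetime import datetime, timedelta, timezone

FIRST_SCAN_DELAY = timedelta(minutes=10)   # assumed: within "10-20 minutes of arrival"
MIN_INTERVAL = timedelta(hours=1)          # assumed: first rescan interval
MAX_INTERVAL = timedelta(days=7)           # assumed: backoff cap


class ScanQueue:
    def __init__(self):
        self._heap = []        # (due, seq, node, generation)
        self._interval = {}    # node -> interval to wait after its next scan
        self._gen = {}         # node -> generation, bumped on every (re)discovery
        self._seq = 0

    def _push(self, due, node):
        self._seq += 1         # tie-breaker so equal due times pop FIFO
        heapq.heappush(self._heap, (due, self._seq, node, self._gen[node]))

    def add_new_node(self, node, now):
        """Inventory just discovered `node`: schedule its first scan soon."""
        self._gen[node] = self._gen.get(node, 0) + 1
        self._interval[node] = MIN_INTERVAL
        self._push(now + FIRST_SCAN_DELAY, node)

    def forget(self, node):
        """Inventory stopped seeing `node`: its queued entries become stale."""
        self._interval.pop(node, None)

    def due(self, now):
        """Pop every node whose scan time has come and re-queue it with a longer
        interval; stale entries (forgotten or re-added nodes) are skipped."""
        ready = []
        while self._heap and self._heap[0][0] <= now:
            _, _, node, gen = heapq.heappop(self._heap)
            if node not in self._interval or gen != self._gen[node]:
                continue
            ready.append(node)
            interval = self._interval[node]
            self._push(now + interval, node)
            self._interval[node] = min(interval * 2, MAX_INTERVAL)
        return ready

    def pending(self):
        return sorted((due, node) for due, _, node, gen in self._heap
                      if node in self._interval and gen == self._gen[node])

    def interval_of(self, node):
        return self._interval[node]


def demo():
    t0 = datetime(2006, 2, 15, 14, 0, tzinfo=timezone.utc)
    q = ScanQueue()
    q.add_new_node("10.1.10.17", t0)
    q.add_new_node("10.1.10.200", t0)
    first = q.due(t0 + timedelta(minutes=10))      # both get their first scan
    at_30m = q.due(t0 + timedelta(minutes=30))     # nothing: rescans due at +1h10
    q.forget("10.1.10.200")                        # went offline, drop it
    at_2h = q.due(t0 + timedelta(hours=2))         # only .17; its interval is now 2h
    at_3h = q.due(t0 + timedelta(hours=3))         # nothing: next scan at +4h
    at_4h = q.due(t0 + timedelta(hours=4))
    for _ in range(6):                             # keep scanning on schedule ...
        due_at, node = q.pending()[0]
        q.due(due_at)                              # ... until the interval is capped
    return {"first": first, "at_30m": at_30m, "at_2h": at_2h, "at_3h": at_3h,
            "at_4h": at_4h, "capped": q.interval_of("10.1.10.17") == MAX_INTERVAL,
            "still_queued": [n for _, n in q.pending()]}
```

The generation counter matters in practice: a laptop that leaves and comes back is re-discovered by the inventory, and without it the stale queue entry from its previous visit would be scanned as if it were current.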

  10. TIssue
     • Workflow engine used to keep track of security vulnerabilities and network-related issues
     • Provides a flexible abstract interface to plug in Detectors (e.g. the Scanners)
     • Keeps track of events in a detector-independent way
     • Communicates with machine administrators via e-mail and a web interface
     • Requests network blocks of the offending addresses as its enforcement tool
     • Zope-based web GUI uses X.509 certificates as the authentication mechanism
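The core of a detector-independent tracker like the one this slide describes is a small state machine per finding: open once, notify the administrator, and escalate to a block request only if the finding is still present after a grace period. The code below is an added example written for this page, not TIssue's code: any detector hands in a plain dict, the tracker keeps one Issue per (host, issue) pair so that nightly rescans do not re-mail, and the e-mail and block steps are callbacks so the workflow can be exercised offline. The state names, event fields, grace period, and the two constructed findings are assumptions made for the example.

```python
"""Detector-independent issue tracking in the style of TIssue (added example,
not FNAL's code).  Any detector reports a finding as a plain dict; the tracker
keeps one Issue per (host, issue) pair, notifies the administrator once,
and escalates to a block request when the finding is still present after a
grace period.  The state names, event fields, grace period and the sample
findings are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=3)   # assumed: time an admin gets before a block


@dataclass
class Issue:
    host: str
    issue_id: str
    detector: str
    detail: str
    first_seen: datetime
    last_seen: datetime
    state: str = "new"             # new -> notified -> blocked ; any -> resolved
    history: list = field(default_factory=list)


class IssueTracker:
    def __init__(self, notify, request_block, request_unblock):
        self.issues = {}                        # (host, issue_id) -> Issue
        self.notify = notify                    # e-mail / web-interface side effect
        self.request_block = request_block      # asks the network group to block a host
        self.request_unblock = request_unblock  # and to lift the block again

    def ingest(self, event, now):
        """event = {"detector", "host", "issue", "detail"}; a repeat of an open
        issue only refreshes last_seen, so a nightly rescan does not re-mail."""
        key = (event["host"], event["issue"])
        issue = self.issues.get(key)
        if issue is not None and issue.state != "resolved":
            issue.last_seen = now
            return issue
        issue = Issue(event["host"], event["issue"], event["detector"],
                      event["detail"], now, now)
        self.issues[key] = issue
        issue.history.append((now, f"opened by {event['detector']}"))
        self.notify(issue)
        issue.state = "notified"
        issue.history.append((now, "administrator notified"))
        return issue

    def resolve(self, host, issue_id, now):
        """A rescan no longer shows the finding: close it, lifting any block."""
        issue = self.issues.get((host, issue_id))
        if issue is None or issue.state == "resolved":
            return False
        if issue.state == "blocked":
            self.request_unblock(issue)
        issue.state = "resolved"
        issue.history.append((now, "resolved"))
        return True

    def escalate(self, now):
        """Request blocks for hosts whose notified issues are past the grace period."""
        blocked = []
        for issue in self.issues.values():
            if issue.state == "notified" and now - issue.first_seen >= GRACE_PERIOD:
                self.request_block(issue)
                issue.state = "blocked"
                issue.history.append((now, "block requested"))
                blocked.append(issue.host)
        return blocked


def demo():
    t0 = datetime(2006, 2, 15, 14, 0, tzinfo=timezone.utc)
    mails, blocks, unblocks = [], [], []
    tr = IssueTracker(notify=lambda i: mails.append((i.host, i.issue_id)),
                      request_block=lambda i: blocks.append(i.host),
                      request_unblock=lambda i: unblocks.append(i.host))
    # Constructed findings from two different detectors.
    vuln = {"detector": "vulnscan", "host": "10.1.10.17",
            "issue": "outdated-ssh", "detail": "banner reports an old version"}
    misconf = {"detector": "configscan", "host": "10.1.10.200",
               "issue": "open-file-share", "detail": "share readable without auth"}
    tr.ingest(vuln, t0)
    tr.ingest(vuln, t0 + timedelta(days=1))      # same finding again: no second mail
    tr.ingest(misconf, t0)
    early = tr.escalate(t0 + timedelta(days=1))  # grace period not over: nothing
    tr.resolve("10.1.10.200", "open-file-share", t0 + timedelta(days=2))
    late = tr.escalate(t0 + timedelta(days=3))   # .17 still open: block requested
    states_after_block = {k[0]: v.state for k, v in tr.issues.items()}
    tr.resolve("10.1.10.17", "outdated-ssh", t0 + timedelta(days=4))
    return {"mails": mails, "early": early, "late": late, "blocks": blocks,
            "unblocks": unblocks, "states_after_block": states_after_block}
```

Keeping the history on the Issue rather than in the detector is what makes the tracker detector-independent: the web interface and the e-mail text only ever read Issue fields, so a new detector is just another producer of the same dict.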

  11. Advantages of using NIMI
     • Common data storage easily available to applications
     • Simple modular design of the system:
       • Collector deals with the variety of vendor-specific network data
       • Central database
       • APIs
       • Middleware
     • Carefully chosen set of software tools covering all areas of application development:
       • PostgreSQL
       • Python
       • SOAP
       • Zope
       • Kerberos, X.509

  12. NIMI: Success Story
     • Recent computer-security-related events have demonstrated that applications such as TIssue and the Inventory Scanner are very reliable, powerful and useful computer security and network management tools
     • NIMI provides the building blocks for rapid development of applications like these
     • We continue new application development using NIMI as the framework
