
Network Management and Initialization

Network Management and Initialization. Based on Computer Networks and Internets, Comer. Network management: What is it?. A network manager is responsible for monitoring and controlling the hardware and software that make up a network.

twillie

Presentation Transcript


  1. Network Management and Initialization Based on Computer Networks and Internets, Comer

  2. Network management: What is it? • A network manager is responsible for monitoring and controlling the hardware and software that make up a network. • The network manager works to repair the network when it goes down. • The network manager also attempts to tune and tweak the network so that it operates more efficiently. • There is a variety of software and hardware to help network managers in their work.

  3. Network management • Network management can include: • Security: Making sure that the network is protected from hackers, viruses, denial of service (DoS) attacks, etc. • Performance: Making sure the bandwidth is used to the fullest, eliminating bottlenecks, etc. • Reliability: Making sure the network is up and running as much as possible. • “Anticipate to Avoid”

  4. Difficulty of Network Management • Some failures, like a cut cable, while catastrophic are easy to detect. • Intermittent or partial failures can be more difficult to find because TCP (with its retransmission procedure) is designed to “hide” (work in spite of) these problems. • However, retransmission uses bandwidth that could be used for other traffic if the error did not occur. • A good network manager will root out such problems before they become more severe.

  5. SNMP, PDUs and UDP • Simple Network Management Protocol is a set of rules for exchanging messages that allow a network manager to monitor and control network hosts/nodes. • The messages are called Protocol Data Units (PDUs) and are sent using User Datagram Protocol (UDP). • SNMP is part of TCP/IP and, as with many other application-layer services, it is a separate install. • The term “manager” refers not only to the person overseeing the network but also to the special software used.

  6. Uses UDP

  7. Vocabulary change • SNMP follows the standard client-server paradigm — a client requests and a server responds/replies. • But the situation is somewhat unusual in that there are more servers than clients in this case and the client’s machine is probably the better machine. • The SNMP client runs on the manager’s computer and is called the manager. • The SNMP server runs on various hosts and is called the agent.

  8. Vocabulary change II • Client is to server as manager is to agent, i.e. the manager requests information from the agent; the manager initiates. Client : Server :: Manager : Agent

  9. A community • The manager (a person) organizes the computers into groups for management purposes, these are called communities. • A computer can belong to more than one community. • The manager (software) requests information (network statistics, such as how many packets required retransmission) from the agents in its community. • The manager can set parameters on the agents and thus change delivery routes, configure network interfaces, etc.

  10. Fetch and Store • The S in SNMP is “simple” because it has a small set of commands. • The manager can request a value from an agent — a fetch. • The agent receives the request, retrieves the information from a MIB (management information base) and sends it to the manager. • The manager can request an agent to set a parameter to a particular value — a store. • Certain parameter values are interpreted by the agents as a command and cause them to initiate a sequence of events, such as a reboot.

  11. MIB • The information (and procedures) accessed by SNMP are stored in the Management Information Base (MIB). • The SNMP specifies a few simple messages. The complexity and flexibility (how to handle new software or hardware) is in MIB. • A separate standard defines MIB variables and the meaning of the operations on each variable.

  12. SNMP Messages • Get: The simplest SNMP request message. A manager sends a get message requesting a single MIB entry (e.g., the amount of free drive space); the agent responds with the entry — provided the manager belongs to the same community as the agent.

  13. SNMP Messages • Get-next: A type of request message that can be used to browse the entire collection of management objects. When a manager sends a get-next request for a particular object, the agent replies with the identity and value of the object which follows the object in the request message. • Get-next is useful for accessing tables, such as internal IP route tables.

  14. SNMP Messages • Getbulk: Requests that the data packets sent by the agent be as large as possible. This minimizes the number of protocol exchanges required. • The maximum message size should not be larger than the path MTU. • Set: If the manager has write privileges, this message is used to update an agent’s MIB value.

  15. SNMP Messages • Trap: Typically the manager (client) requests and the agent (server) responds. However, some situations require the agent to initiate an interaction. A trap is an unsolicited message sent by an agent to a manager when certain predefined conditions occur in the agent. • The manager that receives a trap message is known as a trap destination. There may be more than one manager. • E.g., a trap might be sent if a host is about to go down. • E.g. a trap might be sent if a manager without permission contacts an agent.

  16.–19. SNMP Help (four slides with no transcript text)

  20. Scenario from Help • The management system (Host A), sends an SNMP datagram to the agent (Host B), using the agent's host name, IP address or IPX address. • The SNMP agent receives the datagram and verifies the community name to which the management system belongs. • If it is a valid community name, the agent retrieves the data requested from the appropriate SNMP subagent. The SNMP agent returns the datagram to the management system with the requested information. • If the community name is incorrect, the agent sends an "authentication failure" trap to its trap destinations (Hosts C and D).
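The get, get-next, set and trap behaviour of slides 12–15, together with the community check and authentication-failure trap of slide 20, can be modelled end to end. The following is an added example written for this transcript, not code from the slides or from any SNMP implementation: it is an in-memory manager/agent simulation with constructed MIB data, constructed community names ("public", "ops-rw") and constructed trap destinations ("host-c", "host-d"); no BER encoding or UDP is involved, only the request/response logic.

```python
"""Toy SNMP-style manager/agent exchange (constructed example, not real SNMP
encoding). Models get, get-next, set with write privilege, and the
authentication-failure trap sent to every trap destination."""
from dataclasses import dataclass, field

# Object identifiers as tuples: the lexicographic ordering get-next relies on
# is then ordinary tuple comparison. Values are constructed sample data.
SAMPLE_MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1): "host-b (constructed sysDescr)",
    (1, 3, 6, 1, 2, 1, 1, 5): "host-b",                         # sysName
    (1, 3, 6, 1, 2, 1, 4, 21, 1, 1, 10, 0, 0, 0): "10.0.0.0",    # route table rows
    (1, 3, 6, 1, 2, 1, 4, 21, 1, 1, 192, 168, 1, 0): "192.168.1.0",
}

@dataclass
class Agent:
    """SNMP server side: answers managers that present a known community."""
    mib: dict
    communities: dict            # community name -> "read" or "write"
    trap_destinations: list      # managers that receive traps (Hosts C and D)
    traps_sent: list = field(default_factory=list)

    def _authorise(self, community, need_write=False):
        level = self.communities.get(community)
        if level is None or (need_write and level != "write"):
            # Wrong community, or a store without write privilege: send an
            # authentication-failure trap to every destination, return no data.
            for dest in self.trap_destinations:
                self.traps_sent.append((dest, "authenticationFailure", community))
            return False
        return True

    def get(self, community, oid):
        if not self._authorise(community):
            return None
        return self.mib.get(oid)

    def get_next(self, community, oid):
        """Return (oid, value) of the object lexicographically after `oid`,
        or None when `oid` is already the last object."""
        if not self._authorise(community):
            return None
        later = sorted(o for o in self.mib if o > oid)
        return (later[0], self.mib[later[0]]) if later else None

    def set(self, community, oid, value):
        if not self._authorise(community, need_write=True):
            return False
        self.mib[oid] = value
        return True


def walk(agent, community, prefix):
    """Manager side: repeated get-next to browse every object under `prefix`,
    which is how a table such as the IP route table is read."""
    rows, cursor = [], prefix
    while True:
        nxt = agent.get_next(community, cursor)
        if nxt is None or nxt[0][:len(prefix)] != prefix:
            return rows
        rows.append(nxt)
        cursor = nxt[0]


def demo():
    """Run one constructed management session and report what happened."""
    agent = Agent(dict(SAMPLE_MIB), {"public": "read", "ops-rw": "write"},
                  trap_destinations=["host-c", "host-d"])
    sys_name = (1, 3, 6, 1, 2, 1, 1, 5)
    routes = walk(agent, "public", (1, 3, 6, 1, 2, 1, 4, 21))
    result = {
        "routes": len(routes),
        "sysname": agent.get("public", sys_name),
        "bad_community_get": agent.get("guess", sys_name),          # -> trap
        "readonly_set": agent.set("public", sys_name, "x"),         # -> trap
        "rw_set": agent.set("ops-rw", sys_name, "host-b-renamed"),
    }
    result["sysname_after_set"] = agent.get("public", sys_name)
    result["traps"] = len(agent.traps_sent)
    result["trap_destinations"] = sorted({d for d, _, _ in agent.traps_sent})
    return result


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible: the wrong-community request and the read-only community's store attempt each produce one trap per trap destination, so a manager monitoring those destinations sees unauthorised contact immediately; and get-next needs the MIB ordered, which is why real agents keep objects sorted by OID.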

  21. And now for something completely different

  22. DHCP • Dynamic Host Configuration Protocol does not require an administrator to add an entry for a computer into the database. • Instead DHCP is “plug-and-play” networking. The computer runs a client to • obtain configuration info from DHCP • obtain a permanent address if the computer is nonmobile.

  23. DHCP • DHCP uses permanent addresses that are assigned to server computers and a pool of addresses that are allocated on demand. • Based on the computer’s entry in the server’s database, the DHCP server decides the type of address to assign. • For dynamic addresses, the computer’s IP address may change with each boot. • This challenges internet connections. (Recall dynamic DNS.)

  24. DHCP Considerations • When a system reboots, there is a flood of DHCP requests. This is handled by using a random wait time before transmitting an address request. • Caching allows the computer to save the DHCP server’s address in a cache on a permanent storage, and use the cache information on reboot once it has been validated.

  25. Lease • DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer. • The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location. • It's especially useful in education and other environments where users change frequently. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses.

  26. APIPA • Automatic Private IP Addressing, a feature of Windows 98 and Windows 2000. • If a DHCP client finds no DHCP server when it boots, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft. • The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address until a DHCP server becomes available.
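Slides 23–26 describe a procedure (reserved server addresses plus an on-demand pool, a random wait at boot, leases that expire so more hosts than addresses can share a pool, and APIPA self-configuration when no server answers). The block below is an added example written for this transcript, not code from the slides or from any DHCP server or client; it is a constructed simulation with a made-up /29 pool, a 60-second lease and client names m1–m6, and it models only address allocation, not the DHCP message exchange.

```python
"""Constructed DHCP-style lease pool with APIPA fallback (added example)."""
import ipaddress
import random

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # 169.254.0.1 - 169.254.255.254


class LeasePool:
    """Server side: addresses come from a pool for a fixed lease time; expired
    leases are reclaimed, so more hosts than addresses can share the pool."""

    def __init__(self, network, lease_seconds, reserved=()):
        net = ipaddress.ip_network(network)
        # `reserved` holds the permanent addresses of servers; they never enter the pool.
        self.free = [a for a in net.hosts() if str(a) not in reserved]
        self.netmask = str(net.netmask)
        self.lease_seconds = lease_seconds
        self.leases = {}   # client id (e.g. MAC address) -> (address, expiry time)

    def _expire(self, now):
        for client, (addr, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[client]
                self.free.append(addr)

    def request(self, client, now):
        """Return the leased address (renewing an unexpired lease) or None
        when the pool is exhausted."""
        self._expire(now)
        if client in self.leases:
            addr = self.leases[client][0]
        elif self.free:
            addr = self.free.pop(0)
        else:
            return None
        self.leases[client] = (addr, now + self.lease_seconds)
        return addr


def apipa_address(rng):
    """Client with no server: pick 169.254.x.y, excluding .0.0 and .255.255,
    with the 255.255.0.0 mask from the slide."""
    host = rng.randint(1, 2 ** 16 - 2)
    return ipaddress.ip_interface(f"{APIPA_NET.network_address + host}/16")


def configure(client, server, now, rng):
    """Client side at boot: random wait to spread the reboot flood, then ask
    the server; fall back to APIPA when there is no server or no free address.
    Returns (address, netmask, source)."""
    delay = rng.uniform(0, 4)            # constructed backoff window in seconds
    addr = server.request(client, now + delay) if server is not None else None
    if addr is not None:
        return str(addr), server.netmask, "dhcp"
    iface = apipa_address(rng)
    return str(iface.ip), str(iface.netmask), "apipa"


def demo():
    """Six clients share five dynamic addresses; one falls back to APIPA at
    first boot and gets a pool address once leases have expired."""
    rng = random.Random(7)               # fixed seed so the constructed run repeats
    # /29 gives hosts .1-.6; .1 is the server's permanent address -> 5 in the pool.
    pool = LeasePool("192.168.10.0/29", lease_seconds=60, reserved={"192.168.10.1"})
    clients = ["m1", "m2", "m3", "m4", "m5", "m6"]
    boot = {c: configure(c, pool, now=0, rng=rng) for c in clients}
    later = {c: configure(c, pool, now=100, rng=rng) for c in ["m6", "m1"]}
    no_server = configure("m1", None, now=0, rng=rng)
    return {
        "dhcp_count": sum(1 for v in boot.values() if v[2] == "dhcp"),
        "apipa_clients": [c for c, v in boot.items() if v[2] == "apipa"],
        "m6_mask_at_boot": boot["m6"][1],
        "m1_first": boot["m1"][0],
        "m6_later": later["m6"][0],      # reclaimed address, formerly m1's
        "m1_later": later["m1"][0],      # m1's address changed across boots
        "no_server_source": no_server[2],
    }


if __name__ == "__main__":
    print(demo())
```

The run shows the two behaviours the slides warn about: a client can get a different address after a reboot once its lease has lapsed (so anything that recorded the old address, such as a DNS entry, is stale), and a host that silently self-configures in 169.254/16 is one to look for when diagnosing "no network" reports, since it indicates the DHCP server was unreachable at boot.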

  27. Network Security Based on Computer Networks and Internets, Comer

  28. Security Policy • Information must be seen as part of a company’s assets and thus worth securing. • On the other hand, if the information is not accessible to an appropriate set of people, it is worthless. • Thus security and accessibility must be balanced. There is no ideal blend that is right for all companies. • An important step toward securing a network is to develop a security policy.

  29. Security policy • A security policy is a written document stating how a company intends to protect its information. • While written, it must be flexible so it can adapt to changes in technology and so forth. • A security policy might include • A description of who has access to what information and for what use. • A description of security measurements and penalties for the violation thereof. • An evaluation procedure. • A policy for educating users.

  30. Security Aspects • Some aspects of data security to address are • Integrity: the data should be protected from corruption (accidental or intentional). • Availability: the data should be readily accessible by designated users. • Confidentiality: the data should not be accessible by undesignated users. • Privacy: in some situations it is the user’s data that requires protecting.

  31. Protecting Data from Accidental Corruption • Checksum, CRC and parity are used to ensure integrity during transmission; similar approaches can be used on information in storage. • A backup scheme can be seen as protecting data integrity. • A RAID (Redundant Array of Independent/Inexpensive Disks) scheme protects integrity while maintaining availability. • Protect hardware from power surges, water damage, etc.

  32. Protecting Data from Intentional Corruption • Authenticate users before giving them access to information. • Restrict access to hardware, computers, servers, hubs, etc. • Protect the network against viruses and hacker attacks. • Have a recovery plan.

  33. Data Availability/User Privacy • The whole reason for a network is sharing information and resources. • Data and resources must be accessible to authenticated users. • Protecting system data and resources should not violate the user’s privacy rights or at least the user’s level of privacy should be acknowledged.

  34. Audit trail • One mechanism for tracking security is an “audit trail.” The term comes from accounting where it means the set of paperwork used to validate or invalidate an accounting procedure. • Any logging of activity (paper or electronic) is known as an audit trail. One can track: • The information a user accesses or attempts to access • Businesses maintain an audit trail for customer transactions. • Some ISPs and chat rooms maintain logs of users. • Etc.

  35. Authorization and Authentication • Authorization is the setting of user’s permissions • Can a user read a file? Edit a file? Delete a file? Etc. • Space and/or time limits on access, e.g. a user has so much space on a drive • Location limits, certain information can only be accessed from certain locations • Authentication is the attempt to ensure that the user is who he or she claims to be • Username and password • Biometric devices • Possessed object

  36. Sniffing Passwords • The problem with the username/password approach to authentication in networks is that the password information must be sent over the network, where it can be read by a sniffer (a computer with its network card in promiscuous mode). • The best defense here is to encrypt the communication. The password packet can still be sniffed but it is unintelligible to the hacker.

  37. Cryptography • One way to secure data, be it in storage or in transit, is encryption. • Encryption converts information in its usual readable form (called plaintext) to information in an encoded, unreadable form (called ciphertext). • PGP (Pretty Good Privacy) program: a good encrypter that works with most email systems.

  38. Encryption • The data is stored or transmitted in binary (numerical) form. • To encrypt data one applies some mathematical operation to it. • The mathematical operation should have an inverse so that one can recover the original data (decrypt the message). • The mathematical operation often has a parameter (known as a key in encryption) which specifies the precise operation within a family of operations.

  39. Caesar Shift Example • The Caesar shift is an early form of encryption. • The mathematical operation is addition. • The key (parameter) is the amount added, e.g. 3 • CAT → FDW (ASCII for C + 3 is ASCII for F) • The inverse operation is subtraction which uses the same key. • FDW → CAT (ASCII for F - 3 is ASCII for C)
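The shift on slide 39, written out as working code. This is an added example for this transcript, not code from the slides: it applies the key by addition to the ASCII code of each letter, wraps within the alphabet so that Z + 3 gives C rather than a non-letter, leaves other characters alone, and decrypts with the same key by subtraction. The `all_shifts` helper is an assumption of mine added to show why the scheme is weak: with only 26 possible keys, every candidate plaintext can be listed.

```python
"""Caesar shift: addition of a key to each letter's code, inverse by subtraction."""

KEYSPACE = 26   # shifts 0..25; a shift of 26 is the identity again


def caesar_encrypt(text, key):
    """Add `key` to each letter, wrapping within A-Z (or a-z); other characters
    pass through unchanged, so 'CAT' with key 3 becomes 'FDW'."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % KEYSPACE + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + key) % KEYSPACE + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text, key):
    """The inverse operation: subtract the same key."""
    return caesar_encrypt(text, -key)


def all_shifts(ciphertext):
    """Every possible decryption, keyed by shift: the whole key space fits in
    one small table, which is why the Caesar shift offers no real secrecy."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(KEYSPACE)}


if __name__ == "__main__":
    print(caesar_encrypt("CAT", 3))                 # FDW
    print(caesar_decrypt("FDW", 3))                 # CAT
    print(all_shifts("FDW")[3])                     # CAT
```

The `% KEYSPACE` wrap is the one detail the slide's "ASCII for C + 3" glosses over: adding 3 to the code of Z gives a non-letter, so the operation is really addition modulo 26 on the letter index, and the same modulus is what makes subtraction its exact inverse.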

  40. Public Key Encryption • In some cases, the parameters for the mathematical operation and its inverse are not the same. Then one is said to have two keys. • For purposes of encryption, it is ideal if knowledge of one of the parameters does not (easily) lead to knowledge of the other. • Such a mathematical operation is the basis for public key encryption.

  41. Public Key/Private Key • A user is assigned two keys (a private key and a public key). • The private key should be known only to the user. • The public key is published along with the user’s name. • Someone can send the user a private message by using the user’s public key to encrypt, then the user is the only person (presumably) who can decrypt the message.

  42. Digital signature • Use this process in reverse. • The user encrypts the message with his or her private key. • Anyone with the user’s public key can decrypt it. • BUT since the user’s public key decoded the message, the message must have come from the user. • This does not give privacy but authentication.

  43. Double Key Encryption • To have a private and authenticated transaction use two keys. • Mary encrypts a message with John’s public key and then does a second encryption using her private key. • The message must be decrypted using Mary’s public key (authenticated: we know it’s from Mary) and further decrypted using John’s private key (private: only John can do this).
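Slides 40–43 describe three uses of a key pair: encrypt with the recipient's public key (privacy), encrypt with the sender's private key (signature), and both in sequence (slide 43, Mary to John). The block below is an added example for this transcript, not code from the slides; it uses textbook RSA with tiny constructed primes (61·53 for John, 89·97 for Mary), no padding, and one byte per block, purely to make the key relationships visible. One detail the slide leaves implicit is handled explicitly: for the double operation, a value already reduced modulo John's n must still be below Mary's n, so John's modulus is chosen smaller than Mary's.

```python
"""Textbook RSA with toy keys: encrypt, sign, and the double operation of
slide 43 (Mary encrypts with John's public key, then with her private key)."""
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) as (exponent, modulus) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be invertible mod phi"
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply(key, blocks):
    """RSA is the same modular exponentiation in both directions; which key
    is used decides whether this encrypts, decrypts, signs or verifies."""
    k, n = key
    return [pow(b, k, n) for b in blocks]


def to_blocks(msg):
    return list(msg)                 # one byte per block, each < 256 < n


def from_blocks(blocks):
    return bytes(blocks)


# Constructed keys. John's modulus (3233) is smaller than Mary's (8633) so that
# a block already reduced mod n_John is a valid input under Mary's modulus.
JOHN_PUB, JOHN_PRIV = make_keypair(61, 53)
MARY_PUB, MARY_PRIV = make_keypair(89, 97)


# Slide 41: privacy. Anyone encrypts with John's public key; only John decrypts.
def encrypt_for_john(msg):
    return apply(JOHN_PUB, to_blocks(msg))


def john_decrypts(blocks):
    return from_blocks(apply(JOHN_PRIV, blocks))


# Slide 42: authentication. Mary "encrypts" with her private key; anyone with
# her public key can read it, and the fact that it reads back proves origin.
def mary_signs(msg):
    return apply(MARY_PRIV, to_blocks(msg))


def verify_from_mary(signed_blocks, msg):
    return apply(MARY_PUB, signed_blocks) == to_blocks(msg)


# Slide 43: both. John's public key first, then Mary's private key.
def mary_to_john_private_and_signed(msg):
    return apply(MARY_PRIV, apply(JOHN_PUB, to_blocks(msg)))


def john_opens_from_mary(blocks):
    """Reverse order: Mary's public key (proves it is from Mary), then John's
    private key (only John can do this)."""
    return from_blocks(apply(JOHN_PRIV, apply(MARY_PUB, blocks)))


if __name__ == "__main__":
    c = encrypt_for_john(b"hi john")
    print(john_decrypts(c))                                   # b'hi john'
    s = mary_signs(b"from mary")
    print(verify_from_mary(s, b"from mary"))                  # True
    print(john_opens_from_mary(mary_to_john_private_and_signed(b"secret")))  # b'secret'
```

Note what the signature example does not provide: `from_blocks(apply(MARY_PUB, s))` returns the message to anyone, which is exactly the slide's point that a signature gives authentication, not privacy. Real systems sign a hash of the message, apply padding, and use moduli of thousands of bits; the toy numbers here only demonstrate the key relationships.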

  44. Firewalls • A firewall guards the perimeter of a network; all traffic flows through and is examined by the firewall. • The earliest firewalls performed a packet filtering service. • If sending packets is analogous to sending mail, then having a firewall is analogous to having the mail censored. • Certain packets are not allowed in based on their content or source; certain packets are not allowed out based on their content or destination.

  45. Firewall • A firewall can help centralize part of a network’s security effort. • A firewall can prevent • outsiders from probing all computers in an organization • flooding the network with unwanted traffic • attacking a computer by causing it to crash.

  46. Firewall: Fig. 40.1

  47. Packet filter

  48. Firewall • The firewall, working closely with the router, examines each packet to determine whether or not to forward it. • The filtering may be based on any number of criteria: • Source or destination IP address • Allow only certain addresses or rule out certain addresses • Direction • Service type (FTP, SMTP, telnet, etc., identified by port number) • Time

  49. Firewall • A firewall can also maintain an audit trail (log file). • A firewall can be trained to look for virus signatures. • The firewall can scan for tokens or tickets which authenticate users. • A pair of firewalls can agree on an encryption scheme, for instance if two private networks are connected by a public line (a virtual private network).
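Slides 47–49 list the criteria a packet filter decides on (address, direction, service identified by port, time) and note that the firewall keeps an audit trail. The block below is an added example for this transcript, not code from the slides or from any firewall product: a constructed rule engine in which rules are tried in order, the first match wins, anything unmatched is dropped (default deny), and every decision is logged. The addresses, service names and rules are made up for the demonstration.

```python
"""Constructed packet-filter rule engine with an audit trail (added example)."""
import ipaddress
from dataclasses import dataclass

# Services identified by destination port, as on slide 48.
SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (entering the network) or "out"
    src: str
    dst: str
    dport: int
    hour: int           # local hour 0-23, for time-of-day rules


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"      # address or CIDR block
    dst: str = "0.0.0.0/0"
    service: str = "any"
    hours: tuple = (0, 24)      # half-open [start, end) window

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.service == "any" or SERVICES[self.service] == pkt.dport)
                and self.hours[0] <= pkt.hour < self.hours[1])


class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        self.audit_trail = []   # one line per decision (slide 49's log file)

    def decide(self, pkt):
        flow = f"{pkt.direction} {pkt.src}->{pkt.dst}:{pkt.dport} h{pkt.hour}"
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.audit_trail.append(f"rule{i} {rule.action} {flow}")
                return rule.action
        self.audit_trail.append(f"default deny {flow}")
        return "deny"


# Constructed policy: rule out a source block, refuse cleartext telnet from
# outside, admit mail to the mail server, admit web traffic to the web server
# during working hours only, and let everything outbound through.
POLICY = [
    Rule("deny", direction="in", src="203.0.113.0/24"),
    Rule("deny", direction="in", service="telnet"),
    Rule("allow", direction="in", dst="192.168.1.10/32", service="smtp"),
    Rule("allow", direction="in", dst="192.168.1.20/32", service="http", hours=(8, 18)),
    Rule("allow", direction="out"),
]

# Constructed packets, in the order they arrive at the firewall.
SAMPLE_PACKETS = [
    Packet("in", "198.51.100.7", "192.168.1.10", 25, 10),   # mail: allowed
    Packet("in", "203.0.113.5", "192.168.1.10", 25, 10),    # blocked source
    Packet("in", "198.51.100.7", "192.168.1.20", 23, 10),   # telnet: denied
    Packet("in", "198.51.100.7", "192.168.1.20", 80, 22),   # web, out of hours
    Packet("in", "198.51.100.7", "192.168.1.20", 80, 9),    # web, in hours
    Packet("out", "192.168.1.30", "198.51.100.7", 80, 9),   # outbound: allowed
]


def run_filter(rules=POLICY, packets=SAMPLE_PACKETS):
    """Return (decisions, audit_trail) for the packets under the rules."""
    fw = PacketFilter(rules)
    return [fw.decide(p) for p in packets], fw.audit_trail


if __name__ == "__main__":
    decisions, trail = run_filter()
    print(decisions)
    print("\n".join(trail))
```

The fourth packet is the one worth studying: nothing in the policy mentions it by address, yet it is dropped because the only rule that could admit it carries a time window, and default deny covers the rest. The audit trail records which rule made each decision, which is what makes the log useful when a user reports something "blocked for no reason".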

  50. Tunneling • If one encrypted an entire packet it could not be delivered. • But if one encrypts only the data then there are all those fields supplying information about the source, destination, etc. • One can encrypt an entire packet and then place it in another packet (encapsulate it). • The destination of this outer packet must then decrypt the original packet and forward it, but by then it has presumably reached a private, secure network.
