Outline
- Explain why a network implementation strategy is needed
- Examine the principles of network design
- Explain why a network management strategy is needed
- Describe network management categories and related activities
- Classify current network management tools according to functionality
- Examine different network management strategies
- Select a management strategy for this book
Connectivity
Wireless
10BASET
5. Connectivity
WAN
3. Teleconferencing Bandwidth
Media Requirements
1. Specified bandwidth available at any time
2. Specified bandwidth available during specified time periods
3. Bandwidth on demand
Security Requirements
1. Location of firewalls
2. Firewall capabilities
3. Location of proxy servers
4. Encryption and authentication needs
5. Network Intrusion Detectors (NID)
Budget
Faults
Availability
Performance
- Time to provide a response to the user
- Processor total use
- Processor interrupts/sec
- Processor queue length
- Transmit packet lengths
Voice
Video
Use
Packets/sec Transactions/sec
Resource Use
Redundancy
User Support
(Performance Management)
Tells you how the network is doing
Tells you what your network is doing
Tells you where everything is in the network
(Accounting Management)
Performance Management
Measuring
Measuring Metrics
Overall
Capacity Planning
- Manually graphing, or using a network management tool to graph, utilization as a function of time to detect trends
- Preparing trend reports to document the projected need for, and the cost of, network expansion
Building Databases
Latency
- processor load, disk access rate, network interface card utilization
- forwarding rate, processor load, percentage of dropped frames on each interface, number of packets being held in a queue
packet
(Link Utilization)
(e.g, Ethernet, Token Ring, FDDI)
Shared medium (half duplex): util% = (total bits sent + total bits received) / (bandwidth × interval) × 100%
The byte counters come from SNMP (ifInOctets, ifOutOctets); multiply by 8 to get bits.
Full duplex: util% = Max(bits received, bits sent) / (bandwidth × interval) × 100%
Example
T1 (1.544 Mbps)
10:00 AM: ifInOctets = 1,500,000, ifOutOctets = 1,200,000
10:05 AM: ifInOctets = 2,500,000, ifOutOctets = 7,200,000
Bytes In: 2,500,000 - 1,500,000 = 1,000,000 Bytes
Bytes Out: 7,200,000 - 1,200,000 = 6,000,000 Bytes
Max(1,000,000, 6,000,000) Bytes = 6,000,000 Bytes = 48,000,000 bits
Util% = 48,000,000 / (1,544,000 × 60 × 5) × 100% = 10.36%
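The T1 calculation above, as an added worked example that is not part of the original slides: two polls of ifInOctets/ifOutOctets are turned into util% in both the full-duplex (Max) and shared-medium (sum) forms, and the counter delta corrects for the Counter32 wrap-around a real poller has to handle. The names Poll, counter_delta and utilization_percent are mine; the counter values are the slide's.

```python
# Added example (not from the original slides): utilization from two SNMP
# interface counter polls, in the shared-medium and full-duplex forms.
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32   # ifInOctets / ifOutOctets are Counter32 objects


@dataclass
class Poll:
    """One SNMP poll of an interface: wall-clock seconds and the two octet counters."""
    seconds: float
    in_octets: int
    out_octets: int


def counter_delta(old: int, new: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Counter growth between two polls, correcting for a single wrap-around."""
    if new >= old:
        return new - old
    return new + modulus - old


def utilization_percent(first: Poll, second: Poll, bandwidth_bps: float,
                        full_duplex: bool) -> float:
    """util% over the polling interval.

    Shared medium (hub Ethernet, Token Ring, FDDI): in + out share one bandwidth.
    Full duplex (a T1): each direction has the full bandwidth, so the busier
    direction sets the utilization (the Max() step on the slide).
    """
    interval = second.seconds - first.seconds
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    in_bits = counter_delta(first.in_octets, second.in_octets) * 8
    out_bits = counter_delta(first.out_octets, second.out_octets) * 8
    bits = max(in_bits, out_bits) if full_duplex else in_bits + out_bits
    return bits / (bandwidth_bps * interval) * 100.0


# The slide's T1 figures: polls at 10:00 and 10:05, i.e. 300 s apart.
T1_BPS = 1_544_000
POLL_1000 = Poll(seconds=0, in_octets=1_500_000, out_octets=1_200_000)
POLL_1005 = Poll(seconds=300, in_octets=2_500_000, out_octets=7_200_000)

if __name__ == "__main__":
    print(f"full duplex:   {utilization_percent(POLL_1000, POLL_1005, T1_BPS, True):.2f}%")
    print(f"shared medium: {utilization_percent(POLL_1000, POLL_1005, T1_BPS, False):.2f}%")
```

The wrap correction matters more as links get faster: a Counter32 saturated at T1 speed wraps after roughly six hours, but at 1 Gbps it wraps in about 34 seconds, which is why high-speed interfaces are polled with the 64-bit ifHCInOctets/ifHCOutOctets counters instead.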
Latency: the amount of time it takes a datum to enter the network and be processed and for a response to leave the network, from the viewpoint of applications. Round Trip Time (RTT) is measured from the viewpoint of the transport protocol.
Rejection Rate: the percentage of time the network cannot transfer information because of a lack of resources or performance.
Availability: the percentage of time the network is accessible for use and operational. Usually measured as MTBF (Mean Time Between Failures).
Performance information
- Historical plots: weekly, monthly, quarterly, yearly
- Real-time graphical analysis
- Trend prediction
Reference: http://mrtg.twaren.net/mrtg
What to be Analyzed/Graphed?
Device Information: memory usage, processor utilization, disk access rate, number of sessions
Link Information: utilization, error rate, error percentage
Threshold Setup
- Set thresholds on a variety of items affecting network performance.
- When the thresholds are crossed, events are reported.
- In general, the values of thresholds are determined according to past experience.
Thresholds
Threshold Priority
- In general, priority: low, medium, high
- Multiple threshold values for the same item
- Thresholds for multiple items
Rearm
[Figure: util% versus time with the Threshold and Rearm levels drawn in; points 1, 2, 3 and 4 are marked on the curve]
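Threshold with rearm, as an added example that is not from the original slides: an event fires when a sample crosses the threshold and is not raised again until the value has dropped back to the rearm level, which is what stops a value hovering around the threshold from producing one event per poll. The second function tracks low/medium/high levels for the same item independently, as the priority slide describes. The utilization series, the level values and the function names are constructed.

```python
# Added example (not from the original slides): threshold crossing with a rearm level.
def threshold_events(series, threshold, rearm):
    """Return [(index, value), ...] for each event raised on `series`.

    An event fires when a sample exceeds `threshold`; the threshold is then
    disarmed and fires again only after a sample has dropped to `rearm` or
    below.  Setting rearm == threshold gives the plain, flapping behaviour.
    """
    if rearm > threshold:
        raise ValueError("rearm level must not be above the threshold")
    events = []
    armed = True
    for i, value in enumerate(series):
        if armed and value > threshold:
            events.append((i, value))
            armed = False
        elif not armed and value <= rearm:
            armed = True
    return events


def multi_level_events(series, levels):
    """`levels` maps a priority name to (threshold, rearm); each level is
    tracked independently and the merged event list is ordered by sample index."""
    events = []
    for name, (threshold, rearm) in levels.items():
        events.extend((i, name, v) for i, v in threshold_events(series, threshold, rearm))
    events.sort(key=lambda e: e[0])
    return events


# Constructed utilization samples (percent), polled at fixed intervals.
FLAPPING = [45, 38, 45, 38, 45, 20]          # hovers just around a 40% threshold
RISING = [10, 45, 65, 85, 75, 55, 35, 90]    # climbs through three priority levels
LEVELS = {"low": (40, 30), "medium": (60, 50), "high": (80, 70)}

if __name__ == "__main__":
    print(threshold_events(FLAPPING, 40, 40))   # no rearm gap: three events
    print(threshold_events(FLAPPING, 40, 30))   # rearm at 30: one event
    print(multi_level_events(RISING, LEVELS))
```

The gap between threshold and rearm is the knob: too small and the alarm flaps, too large and a link that stays busy after a real incident is never re-alarmed, so the rearm level is usually set from the same past experience the slide mentions for the threshold itself.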
Performance Prediction
- Use regression to predict future trends.
- Apply statistical theory.
- Consider the possible factors that affect the prediction.
- Network simulation
[Figure: util% versus time showing the threshold value, the predicted utilization increase and the computed actual utilization]
Fault Management
Detection of a problem, fault isolation, and correction to normal operation. A goal is to use trend analysis to predict faults and change network conditions so that the network is always available to users.
1. Detect the problem
2. Isolate the problem
3. Fix the problem (if possible)
Timeliness Required
Device Configuration
Traffic Monitored
Trends
Event Report
Periodic Polling
5~15
PING
PING (Packet Internet Groper) uses the ICMP Echo / Echo Reply messages of TCP/IP.
An Example of PING
[Figure: Ping log, listing each interface and its operational status]
- Interpret Event
- Polling
- Event Correlation
- Event/Action
[Flowchart: Event → Receive Network Event → Critical Network Event? (Yes/No) → Interpret Network Event → Generate Alert → Alert User; Put Interface in Loopback → Test Physical Layer → Test Pass? (Yes/No) → Alert User: Physical Layer Down]
- Text
- Picture
- Audio
- Pager
- B.B. Call
- E-mail
Critical, Major, Minor, Warning, Normal, Unknown, Disable
Monitored objects: POP, Mail, WWW, DNS, RAS, T1, Channel/Port
State (Critical, Major, ...) is shown by Color
Packet Loss Rate levels: >80%, >60%, >40%, >20%, <20%
Round Trip Time: > Threshold
Alarm Reporting
- Round Trip Time Threshold Setting
- Trouble Ticketing
- Audio Alarm
- Pager Alarm
- E-Mail Alert
[Figure: sample network map: Internet, Mail Server, WWW Server, DNS, RMON Device, an FDDI ring, UNIX hosts and PCs]
Configuration Management
The process of finding and setting up (configuring) network devices. Automated configuration is becoming a more important part of network management as the sizes of networks grow.
- Remote configuration
- Automated inventory (SNMP, Autodiscovery)
Auto-discovery
A method used by a network management system to dynamically find the devices attached to a data network.
1. Ping
  (1) Send out a query, such as ICMP Echo (ping), to every possible address on the network.
  (2) When a device answers the query, ask for detailed information using a network management protocol (e.g. SNMP).
2.
  (1) Find one device on the network and query it by NM protocol to discover all of the devices it has communicated with recently.
  (2) Repeatedly use the NM protocol to query the devices found previously.
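Both discovery methods as an added example (not the slides' code and not any NMS product's): the address sweep and the neighbour crawl are run against a constructed topology in which only some devices answer the management protocol. ping() and nm_query() stand in for ICMP Echo and an SNMP query, so the block runs offline; the addresses, host names and function names are constructed.

```python
# Added example (not from the original slides): the two auto-discovery
# strategies, run against a constructed inventory instead of a real network.
import ipaddress
from collections import deque

# Constructed inventory: address -> (sysName, addresses it talked to recently).
TOPOLOGY = {
    "192.0.2.1":    ("gw-router",  ["192.0.2.2", "192.0.2.3", "192.0.2.10"]),
    "192.0.2.2":    ("core-sw",    ["192.0.2.1", "192.0.2.4"]),
    "192.0.2.3":    ("mail",       ["192.0.2.1"]),
    "192.0.2.4":    ("www",        ["192.0.2.2"]),
    "192.0.2.7":    ("printer",    []),               # answers ping, talks to nobody
    "192.0.2.10":   ("dns",        ["192.0.2.1", "198.51.100.5"]),
    "198.51.100.5": ("remote-dns", []),               # outside the local prefix
}
# Only these run a management agent; the others answer ping but not NM queries.
NM_AGENTS = {"192.0.2.1", "192.0.2.2", "192.0.2.10", "198.51.100.5"}


def ping(addr: str) -> bool:
    """Stand-in for ICMP Echo: True if something is at the address."""
    return addr in TOPOLOGY


def nm_query(addr: str):
    """Stand-in for an SNMP query: (sysName, recent peers) or None without an agent."""
    return TOPOLOGY[addr] if addr in NM_AGENTS else None


def discover_by_sweep(network: str) -> dict:
    """Method 1: probe every host address in the prefix, then query responders."""
    found = {}
    for host in ipaddress.ip_network(network).hosts():
        addr = str(host)
        if ping(addr):
            info = nm_query(addr)
            found[addr] = info[0] if info else None   # None: alive, no agent
    return found


def discover_by_crawl(seed: str) -> dict:
    """Method 2: query one device, then its peers, breadth-first, until no new ones."""
    found = {}
    queue, seen = deque([seed]), {seed}
    while queue:
        addr = queue.popleft()
        info = nm_query(addr)
        if info is None:
            found[addr] = None          # reached via a peer list, but unmanaged
            continue
        name, peers = info
        found[addr] = name
        for peer in peers:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return found


if __name__ == "__main__":
    print("sweep:", discover_by_sweep("192.0.2.0/28"))
    print("crawl:", discover_by_crawl("192.0.2.1"))
```

The two runs show the trade-off: the sweep finds the printer that nothing talks to, but is bounded by the prefix and costs one probe per address; the crawl reaches the remote DNS server outside the prefix with far fewer queries, but only ever sees devices that a managed device has recently communicated with. An NMS that wants a complete inventory typically does both.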
Status Propagation
Compound Status
Default: Propagate Most Critical
Propagate At Threshold Values (0-100%): % Warning, % Minor, % Major, % Critical
- Manual modification is not efficient.
- Automatic modification should be recorded.
- NMS can verify the configuration change.
- Stored in a central location.
- Consistency and availability of configuration data is important.
- CM data can be stored in ASCII text files or DBMSs.
- Provide for central storage of all network information.
- Autodiscovery mechanism
- Automapping facility
- Automatic data acquisition
- Allow the user to manually add additional configuration information
- Search function
- Automatically compare current and stored configuration data.
- View the running configuration graphically.
- Make configuration changes.
- Centralized storage and easy retrieval of data.
- Configuration Event/Alarm.
- Graphical logical/physical view of devices
Configuration Alarms
The use of a DBMS
- Evaluate device configurations
- Allow complex queries of data in the DBMS
- Produce inventory reports
- Provide a simple query interface for critical data
Example of Traceroute
Security Management
The
- Electronic Mail
- File Transfer
- Web Browsing
- Directory Service
- Remote Login
- Remote Procedure Call
- Remote Execution
- Network Monitors
- Network Management System
Maintenance
- Audits of the activity at secure access points
- Executing security attack programs (Network Intrusion Detection)
- Detecting and documenting breaches
No restrictions - hosts are responsible for securing all access points
Limited access - only some hosts can interface with the Public Data Network, using a proxy server
- Queries the configuration database to identify all access points for each device.
- Reads event logs and notes security-related events.
- Security Manager shows a security event on the network map.
- Reports of invalid access point attempts are generated daily for analysis.
Confidentiality, Authentication, Integrity, Non-repudiation, Access control, Availability
1. Identifying the sensitive information to be protected
2. Finding the access points
3. Securing the access points
4. Maintaining the access points
Access Point
A piece of network hardware or software that allows access to the data network.
Remote
NMS
- Packet filtering usually can be performed in bridges, switches, and routers.
- Packet filtering stops packets to or from unsecured hosts before they reach an access point.
Issues
- Each network device that performs packet filtering must be configured.
- Packet filtering doesn't work if the unsecured host changes its address.
Packet-Filtering Routers
[Figure: a Protected Network behind a Router with ACLs, with Users, an E-mail Server, a Web Server and a Micro Webserver inside; Public Access on the outside]
Allow access to a service based on a source host identifier, e.g. network address.
Service: Remote Login, File Transfer, Directory
Allow: Host-B, Host-C, 140.131.59.20; Host-A, Host-B, PC-bmw, Host-C, 140.131.62.211, PC-benz
Issues
- A host can change its network address.
- Different users on the same host have the same authority.
- Generally, passwords are transferred on the network without any encryption. Use encrypted passwords.
- Users tend to make passwords easy to remember. If the passwords are not common words, users will write them down.
Key: a unique piece of information that authenticates the data in a transaction.
Key Authentication: the destination host requires the source host of a transaction to present a key for the transaction.
Key Server: a server that validates requests for transactions between hosts by giving out keys.
Source (S), Destination (D), Key Server (K):
1. S requests remote login to D.
2. S requests a key from K.
3. K validates the request.
4. K sends a key to S.
(5). Encryption
[Figure: plaintext "Dear John: I am happy to know ..." → encryption → ciphertext "atek49ffdlffffe ffdsfsfsff" → Network → decryption → plaintext "Dear John: I am happy to know ..."]
Cryptography / Encryption
Encryption: Plaintext ("Dear John: I am happy to know ...") + Encryption Key + Encryption Algorithm → Ciphertext ("atek49ffdlffffe ffdsfsfsff")
Decryption: Ciphertext ("atek49ffdlffffe ffdsfsfsff") + Decryption Key + Decryption Algorithm → Plaintext ("Dear John: I am happy to know ...")
Encryption / Decryption
Encryption Techniques
- Adopted by the U.S. Federal Government.
- Both the sender and receiver must know the same secret key to encrypt and decrypt messages with DES.
- Operates on 64-bit blocks with a 56-bit key.
- DES is a fast encryption scheme and works well for bulk encryption.
Issues:
How
[Figure: time to break a key versus attacker budget ($10K, $1M, $10M, $100M) for 40-bit, 56-bit (DES) and 168-bit (Triple DES / 3DES) keys; 3DES is shown as taking decades]
RSA
- The public key is disseminated as widely as possible. The secret key is known only by the receiver.
- Named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman.
- RSA is well established as a de facto standard.
- RSA is fine for encrypting small messages.
Key Length and Average Time for Exhaustive Key Search
Symmetric cipher (conventional):  32   40   56   64   80    96    112   120   128   192  bits
Asymmetric (RSA/D-H):                  274  384  512  1024  1536  2048  2560  3072  10240 bits
Number of possible keys: 32 bits: 2^32 ≈ 4.3 × 10^9; 56 bits: 2^56 ≈ 7.2 × 10^16; 128 bits: 2^128 ≈ 3.4 × 10^38
Average exhaustive search (half the key space): 2^31, 2^55, 2^127 trials
24
Performance 30~200 1
- First compresses the plaintext.
- Then creates a session key, which is a one-time-only secret key.
- Using the session key, applies a fast conventional encryption algorithm to encrypt the plaintext.
- The session key is then encrypted with the recipient's public key.
- This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.
PGP Encryption
PGP Decryption
- The recipient uses its private key to recover the temporary session key.
- Use the session key to decrypt the conventionally encrypted ciphertext.
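The PGP encryption and decryption flow above, as an added example that is not from the original slides and is not PGP's own code: it keeps the structure (compress, one-time session key, fast symmetric encryption of the body, session key wrapped with the recipient's public key, both sent together, then reversed by the recipient) but the primitives are stand-ins chosen so the block runs with only the Python standard library. Textbook RSA on two fixed Mersenne primes with no padding replaces a real RSA key pair, and a SHA-256 keystream replaces the conventional cipher; they show the data flow only and give no real security. All names and the key pair are constructed.

```python
# Added example (not from the original slides, not PGP's code): the hybrid
# session-key structure of PGP with deliberately simplified primitives.
import hashlib
import os
import zlib

# Constructed recipient key pair: textbook RSA from two Mersenne primes,
# no padding, for illustration only.  n is ~216 bits, so a 128-bit session
# key always fits as a single RSA block.
_P = 2 ** 127 - 1
_Q = 2 ** 89 - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
RECIPIENT_PUBLIC = (RSA_E, RSA_N)
RECIPIENT_PRIVATE = (RSA_D, RSA_N)


def rsa_encrypt(m: int, public) -> int:
    e, n = public
    return pow(m, e, n)


def rsa_decrypt(c: int, private) -> int:
    d, n = private
    return pow(c, d, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the fast conventional cipher: XOR with a SHA-256 keystream.
    Applying it twice with the same key recovers the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def pgp_encrypt(plaintext: bytes, recipient_public):
    """Returns (wrapped session key, ciphertext): the two parts sent to the recipient."""
    compressed = zlib.compress(plaintext)               # 1. compress the plaintext
    session_key = os.urandom(16)                        # 2. one-time secret key
    ciphertext = keystream_xor(session_key, compressed) # 3. fast symmetric encryption
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), recipient_public)  # 4.
    return wrapped, ciphertext                          # 5. both travel together


def pgp_decrypt(wrapped: int, ciphertext: bytes, recipient_private) -> bytes:
    """Recover the session key with the private key, then unwrap the body."""
    session_key = rsa_decrypt(wrapped, recipient_private).to_bytes(16, "big")
    compressed = keystream_xor(session_key, ciphertext)
    return zlib.decompress(compressed)


if __name__ == "__main__":
    message = b"Dear John: I am happy to know ..."
    wrapped, body = pgp_encrypt(message, RECIPIENT_PUBLIC)
    print(wrapped, body.hex())
    print(pgp_decrypt(wrapped, body, RECIPIENT_PRIVATE))
```

The split is the point of the slide: the slow public-key operation touches only 16 bytes regardless of message size, while the bulk of the data goes through the fast symmetric step, which is why the RSA slide above says RSA is fine for small messages and DES for bulk encryption.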
Digital Signatures
Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact. Public key digital signatures provide
- All individual computers should have security management.
- Limited Access: Use a firewall to enforce security between private and public networks.
Firewall
- Packet Filtering Firewall
- Dual-Homed Host Firewall
- Screened Host Firewall
- Screened Subnet Firewall
http://www.movies.acmecity.com/silent/6/doc/fwppt.zip
VPN
- Tunneling: IPSec (IP Security), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol)
- Encryption/Decryption
- Key Management
- Authentication
Accounting Management
Tracking each individual and group user's utilization of network resources to better ensure that users have sufficient resources. Enables charges to be established for the use of network resources, and the costs to be identified for the use of those network resources.
- Query the usage database to measure statistics versus quotas
- Define network billing domains
- Implement automatic billing based on usage by users in the domain
- Enable billing predictions
- Enable user selection of billing domains on the network map
- Create historical billing trends
- Automatic distribution of billing to Cost Centers
- Project future billings by cost center
Reporting
AM
Metrics
Measurement
Quotas
Quotas: the amount of a network's resources allowed for a user or group.
Billing: the process of charging users for the use of the data network and its associated services.
- One-Time Installation Fee and Monthly Fees
- Fee Based on Amount of Network Resource Consumed
- Perform network billing.
- Determine where to poll for billing information.
- Forecast the need for network resources.
- To establish reasonable metrics and quotas
- To predict network billing cost for users
Management Tools
Centralized configuration: management is centralized to the network management station on the backbone network.
Distributed configuration: LANs are managed by a local NMS while an NMS host connects to the backbone network.
[Figure: centralized and distributed NMS configurations across Node 1, LAN 2 / Node 2 and LAN 3 / Node 3, each with a WS Agent, a Router Agent and a Probe Agent. Probe = Remote Monitor, NMS = Network Management System, WS = Workstation, -------- = In-band or out-of-band management communication]