Förra veckan: Säkerhet Brandväggar ❒ I nt ro t ill säkerhet Gatekeeper Information ❒ Säker kommunikat ion function system ❒ Krypt ograf i Computing resources Opponent (processor, memory, I/O) ❒ Aut ent icer ing Data Access Human Processes channel Software ❒ Nyckelhant ering Software Internal security controls ❒ Säker kommunikat ion på olika nivåer ❒ En “gat ekeeper” ❒ Brandväggar ❒ Helhet ssyn på säkerhet ❒ Et t skydd mot ej önskad t raf ik ❒ men också en begränsning f ör önskad t raf ik 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 1 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 2 Brandväggar - Nivå? Brandväggar - Konf igurering ❒ En br andvägg f ilt r er ar på något / några/ alla ❒ P roxyn sit t er ant ingen i brandväggen eller i Applikation pr ot okollnivåer fråga x en DMZ (DeMilit arized Zone) svar y ❒ P å t r anspor t nivån TCP/UDP ❍ Packet f ilt rerande rout er src port x Yttre nät Skyddat nät ❒ P å applikat ionsnivån dest port y ❍ Proxy server IP • För ut gående t r af ik src IP x Brandvägg dest IP y ❍ Relay host protocol z • För inkommande t r af ik Ethernet ❍ Of t ast kallar man båda DMZ src addr xxxx t yperna f ör proxy dest addr yyyy 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 3 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 4 Brandväggar - Konf igurering (6) Net wor k Management Goals: ❒ int r oduct ion t o net wor k management Webb Application Packet- servers servers ❍ mot ivat ion filtering router ❍ maj or component s Internet Data ❒ I nt er net net wor k management f ramewor k Backend ❍ SMI : dat a def init ion language system ❍ MI B: management inf or mat ion base Second firewall First firewall Third firewall layer with load layer layer ❍ SNMP : prot ocol f or net wor k management balancing ❍ secur it y and administ r at ion (e) A secure firewall system according to Wineasy ❒ present at ion services: ASN.1 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 5 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 6 1
What is net work management ? I nf rast ruct ure f or net work management ❒ aut onomous syst ems (aka “net wor k”): 100s or 1000s def init ions: of int er act ing hw/ sw component s ❒ f ive areas of net wor k management managing ent it y agent dat a ❍ perf ormance management managed devices cont ain managing dat a managed device ent it y ❍ f ault management managed obj ect s whose dat a is gat hered int o a ❍ conf igur at ion management agent dat a Management I nf ormat ion ❍ account ing management net wor k Base (MI B) ❍ securit y management management managed device pr ot ocol "Net work management includes t he deployment , int egrat ion dat a agent and coordinat ion of t he hardwar e, sof t war e, and human element s t o monit or, t est , poll, conf igur e, analyze, evaluat e, agent dat a managed device and cont rol t he net work and element resources t o meet t he real-t ime, operat ional perf ormance, and Qualit y of Service managed device requir ement s at a reasonable cost ." 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 7 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 8 Quest ions Net wor k Management st andar ds OSI CMI P SNMP: Simple Net wor k ❒ What should be monit ored? Management P r ot ocol ❒ Common Management ❒ What f orm of cont rol can be exercised on I nf ormat ion P rot ocol ❒ I nt er net r oot s (SGMP ) t he monit ored ent it ies? ❒ designed 1980’s: t he ❒ st ar t ed simple ❒ What specif ic f ormat should exchanged unif ying net ❒ deployed, adopt ed r apidly inf ormat ion have? management st andar d ❒ gr owt h: size, complexit y ❒ t oo slowly ❒ How should t he communicat ion prot ocol f or ❒ current ly: SNMP V3 st andar dized exchanging inf ormat ion look like? ❒ de f act o net wor k ❒ Which securit y model should be used? management st andar d 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 9 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 10 SNMP overview: 4 key part s SMI : dat a def init ion language P ur pose: synt ax, semant ics of Basic Data Types ❒ St ruct ure of Management I nf ormat ion (SMI ): management dat a well- INTEGER ❍ dat a def init ion language f or MI B obj ect s def ined, unambiguous Integer32 ❒ base dat a t ypes: ❒ Management inf ormat ion base (MI B): Unsigned32 ❍ st r aight f or war d, bor ing ❍ dist r ibut ed inf ormat ion st or e of net wor k OCTET STRING ❒ OBJ ECT-TYP E management dat a OBJECT IDENTIFIED ❍ dat a t ype, st at us, ❒ SNMP prot ocol IPaddress semant ics of managed Counter32 ❍ convey manager< -> managed obj ect inf o, commands obj ect Counter64 ❒ MODULE-I DENTI TY ❒ securit y, administ rat ion capabilit ies Guage32 ❍ groups relat ed obj ect s ❍ maj or addit ion in SNMP v3 Tie Ticks int o MI B module Opaque 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 11 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 12 2
SNMP MI B MI B example: UDP module MI B module specif ied via SMI Obj ect I D Name Type Comment s MODULE-I DENTI TY 1.3.6.1.2.1.7.1 UDPI nDat agr ams Count er 32 t ot al # dat agr ams deliver ed (100 st andar dized MI Bs, mor e vendor -specif ic) at t his node 1.3.6.1.2.1.7.2 UDPNoPor t s Count er 32 # under liver able dat agr ams no app at por t l MODULE OBJECT TYPE: 1.3.6.1.2.1.7.3 UDI nErr or s Count er 32 # undeliver able dat agr ams OBJECT TYPE: OBJECT TYPE: all ot her r easons 1.3.6.1.2.1.7.4 UDPOut Dat agr ams Count er 32 # dat agr ams sent 1.3.6.1.2.1.7.5 udpTable SEQUENCE one ent r y f or each por t obj ect s specif ied via SMI in use by app, gives por t # OBJ ECT-TYP E const r uct and I P addr ess 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 13 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 14 SNMP Naming OSI Obj ect quest ion: how t o name every possible st andard obj ect (prot ocol, dat a, more..) in every I dent if ier possible net work st andard?? Tr ee answer: I SO Obj ect I dent if ier t ree: ❍ hier ar chical naming of all obj ect s ❍ each br anch point has name, number 1.3.6.1.2.1.7.1 I SO udpI nDat agr ams UDP I SO-ident . Or g. MI B2 US DoD management I nt ernet Check out www.alvest r and.no/ har ald/ obj ect id/ t op.ht ml 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 15 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 16 SNMP pr ot ocol: message t ypes SNMP prot ocol Message t ype Funct ion Two ways t o convey MI B inf o, commands: Get Request Mgr -t o-agent : “get me dat a” managing Get Next Request managing (inst ance,next in list , block) ent it y ent it y Get BulkRequest r equest I nf ormRequest Mgr-t o-Mgr: here’s MI B value t r ap msg r esponse Set Request Mgr -t o-agent : set MI B value agent dat a agent dat a Agent -t o-mgr: value, r esponse t o Response Request Managed device Managed device Tr ap Agent -t o-mgr: inf orm manager r equest / r esponse mode t r ap mode of except ional event 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 17 23 October 2001 Data Communications, Jonny Pettersson, UmU Network Management 18 3
Recommend
More recommend