Frra veckan: Skerhet Brandvggar I nt ro t ill skerhet Gatekeeper - - PDF document

SLIDE 1

1

23 October 2001 Network Management 1 Data Communications, Jonny Pettersson, UmU

Förra veckan: Säkerhet

❒ I nt ro t ill säkerhet ❒ Säker kommunikat ion ❒ Krypt ograf i ❒ Aut ent icer ing ❒ Nyckelhant ering ❒ Säker kommunikat ion på olika nivåer ❒ Brandväggar ❒ Helhet ssyn på säkerhet

23 October 2001 Network Management 2 Data Communications, Jonny Pettersson, UmU

Brandväggar

❒ En “gat ekeeper” ❒ Et t skydd mot ej önskad t raf ik ❒ men också en begränsning f ör önskad t raf ik

Access channel

Information system

Computing resources (processor, memory, I/O) Data Processes Software Internal security controls

Opponent

Human Software

Gatekeeper function

23 October 2001 Network Management 3 Data Communications, Jonny Pettersson, UmU

Brandväggar - Nivå?

❒ En br andvägg f ilt r er ar på

något / några/ alla pr ot okollnivåer

❒ P

å t r anspor t nivån

❍ Packet f ilt rerande rout er

❒ P

å applikat ionsnivån

❍ Proxy server

• För ut gående t r af ik

❍ Relay host

• För inkommande t r af ik

❍ Of t ast kallar man båda

t yperna f ör proxy

Applikation fråga x svar y Ethernet src addr xxxx dest addr yyyy IP src IP x dest IP y protocol z TCP/UDP src port x dest port y

23 October 2001 Network Management 4 Data Communications, Jonny Pettersson, UmU

Brandväggar - Konf igurering

❒ P

roxyn sit t er ant ingen i brandväggen eller i en DMZ (DeMilit arized Zone)

Brandvägg Yttre nät Skyddat nät DMZ

23 October 2001 Network Management 5 Data Communications, Jonny Pettersson, UmU

Brandväggar - Konf igurering (6)

Internet

Packet- filtering router Backend system Data First firewall layer Second firewall layer with load balancing Third firewall layer Application servers Webb servers

(e) A secure firewall system according to Wineasy

23 October 2001 Network Management 6 Data Communications, Jonny Pettersson, UmU

Net wor k Management

Goals:

❒ int r oduct ion t o net wor k management

❍ mot ivat ion ❍ maj or component s

❒ I nt er net net wor k management f ramewor k

❍ SMI : dat a def init ion language ❍ MI B: management inf or mat ion base ❍ SNMP

: prot ocol f or net wor k management

❍ secur it y and administ r at ion

❒ present at ion services: ASN.1

SLIDE 2

2

23 October 2001 Network Management 7 Data Communications, Jonny Pettersson, UmU

What is net work management ?

❒ aut onomous syst ems (aka “net wor k”): 100s or 1000s

• f int er act ing hw/ sw component s

❒ f ive areas of net wor k management

❍ perf ormance management ❍ f ault management ❍ conf igur at ion management ❍ account ing management ❍ securit y management

"Net work management includes t he deployment , int egrat ion and coordinat ion of t he hardwar e, sof t war e, and human element s t o monit or, t est , poll, conf igur e, analyze, evaluat e, and cont rol t he net work and element resources t o meet t he real-t ime, operat ional perf ormance, and Qualit y of Service requir ement s at a reasonable cost ."

23 October 2001 Network Management 8 Data Communications, Jonny Pettersson, UmU

I nf rast ruct ure f or net work management

agent dat a agent dat a agent dat a agent dat a managed device managed device managed device managed device managing ent it y dat a net wor k management pr ot ocol

def init ions:

managed devices cont ain managed obj ect s whose dat a is gat hered int o a Management I nf ormat ion Base (MI B)

managing ent it y

23 October 2001 Network Management 9 Data Communications, Jonny Pettersson, UmU

Net wor k Management st andar ds

OSI CMI P

❒ Common Management

I nf ormat ion P rot ocol

❒ designed 1980’s: t he

unif ying net management st andar d

❒ t oo slowly

st andar dized SNMP: Simple Net wor k Management P r ot ocol

❒ I nt er net r oot s (SGMP

)

❒ st ar t ed simple ❒ deployed, adopt ed r apidly ❒ gr owt h: size, complexit y ❒ current ly: SNMP

V3

❒ de f act o net wor k

management st andar d

23 October 2001 Network Management 10 Data Communications, Jonny Pettersson, UmU

Quest ions

❒ What should be monit ored? ❒ What f orm of cont rol can be exercised on

t he monit ored ent it ies?

❒ What specif ic f ormat should exchanged

inf ormat ion have?

❒ How should t he communicat ion prot ocol f or

exchanging inf ormat ion look like?

❒ Which securit y model should be used?

23 October 2001 Network Management 11 Data Communications, Jonny Pettersson, UmU

SNMP overview: 4 key part s

❒ St ruct ure of Management I nf ormat ion (SMI ):

❍ dat a def init ion language f or MI B obj ect s

❒ Management inf ormat ion base (MI B):

❍ dist r ibut ed inf ormat ion st or e of net wor k

management dat a ❒ SNMP

prot ocol

❍ convey manager<

• >

managed obj ect inf o, commands ❒ securit y, administ rat ion capabilit ies

❍ maj or addit ion in SNMP

v3

23 October 2001 Network Management 12 Data Communications, Jonny Pettersson, UmU

SMI : dat a def init ion language

P ur pose: synt ax, semant ics of management dat a well- def ined, unambiguous

❒ base dat a t ypes:

❍ st r aight f or war d, bor ing

❒ OBJ ECT-TYP

E

❍ dat a t ype, st at us,

semant ics of managed

• bj ect

❒ MODULE-I DENTI TY

❍ groups relat ed obj ect s

int o MI B module

Basic Data Types

INTEGER Integer32 Unsigned32 OCTET STRING OBJECT IDENTIFIED IPaddress Counter32 Counter64 Guage32 Tie Ticks Opaque

SLIDE 3

3

23 October 2001 Network Management 13 Data Communications, Jonny Pettersson, UmU

SNMP MI B

OBJECT TYPE: OBJECT TYPE: OBJECT TYPE:

• bj ect s specif ied via SMI

OBJ ECT-TYP E const r uct MI B module specif ied via SMI MODULE-I DENTI TY (100 st andar dized MI Bs, mor e vendor -specif ic) MODULE

23 October 2001 Network Management 14 Data Communications, Jonny Pettersson, UmU

MI B example: UDP module

Obj ect I D Name Type Comment s

1.3.6.1.2.1.7.1 UDPI nDat agr ams Count er 32 t ot al # dat agr ams deliver ed at t his node 1.3.6.1.2.1.7.2 UDPNoPor t s Count er 32 # under liver able dat agr ams no app at por t l 1.3.6.1.2.1.7.3 UDI nErr or s Count er 32 # undeliver able dat agr ams all ot her r easons 1.3.6.1.2.1.7.4 UDPOut Dat agr ams Count er 32 # dat agr ams sent 1.3.6.1.2.1.7.5 udpTable

SEQUENCE one ent r y f or each por t

in use by app, gives por t # and I P addr ess

23 October 2001 Network Management 15 Data Communications, Jonny Pettersson, UmU

SNMP Naming

quest ion: how t o name every possible st andard

• bj ect (prot ocol, dat a, more..) in every

possible net work st andard?? answer: I SO Obj ect I dent if ier t ree:

❍ hier ar chical naming of all obj ect s ❍ each br anch point has name, number

1.3.6.1.2.1.7.1

I SO I SO-ident . Or g. US DoD I nt ernet udpI nDat agr ams UDP MI B2 management

23 October 2001 Network Management 16 Data Communications, Jonny Pettersson, UmU

Check out www.alvest r and.no/ har ald/ obj ect id/ t op.ht ml

OSI Obj ect I dent if ier Tr ee

23 October 2001 Network Management 17 Data Communications, Jonny Pettersson, UmU

SNMP prot ocol

Two ways t o convey MI B inf o, commands:

agent dat a Managed device managing ent it y

r esponse

agent dat a Managed device managing ent it y

t r ap msg r equest r equest / r esponse mode t r ap mode

23 October 2001 Network Management 18 Data Communications, Jonny Pettersson, UmU

SNMP pr ot ocol: message t ypes

Get Request Get Next Request Get BulkRequest Mgr -t o-agent : “get me dat a” (inst ance,next in list , block) Message t ype Funct ion I nf ormRequest Mgr-t o-Mgr: here’s MI B value Set Request Mgr -t o-agent : set MI B value Response Agent -t o-mgr: value, r esponse t o Request Tr ap Agent -t o-mgr: inf orm manager

• f except ional event

SLIDE 4

4

23 October 2001 Network Management 19 Data Communications, Jonny Pettersson, UmU

SNMP secur it y and administ r at ion

❒ encrypt ion: DES-encrypt SNMP

message

❒ aut hent icat ion: comput e, send MI C(m,k):

comput e hash (MI C) over message (m) and secr et shared key (k)

❒ prot ect ion against playback: use nonce ❒ view-based access cont rol

❍ SNMP

ent it y maint ains dat abase of access right s, policies f or various user s

23 October 2001 Network Management 20 Data Communications, Jonny Pettersson, UmU

The pr esent at ion pr oblem

Q: does perf ect memory-t o-memory copy solve “t he communicat ion problem”? A: not always!

pr oblem: dif f erent dat a f ormat , st orage convent ions

struct { char code; int x; } test; test.x = 256; test.code=‘a’ a 00000001 00000011 a 00000011 00000001 test.code test.x test.code test.x host 1 f ormat host 2 f ormat

23 October 2001 Network Management 21 Data Communications, Jonny Pettersson, UmU

Solving t he pr esent at ion pr oblem

• 1. Translat e local-host f or mat t o host -independent f or mat
• 2. Transmit dat a in host -independent f or mat
• 3. Translat e host -independent f ormat t o remot e-host

f or mat

23 October 2001 Network Management 22 Data Communications, Jonny Pettersson, UmU

ASN.1: Abst r act Synt ax Not at ion 1

❒ I SO st andard X.680

❍ used ext ensively in I nt ernet ❍ like eat ing veget ables, knowing t his “good f or you”!

❒ def ined dat a t ypes, obj ect const ruct ors

❍ like SMI

❒ BER: Basic Encoding Rules

❍ specif y how ASN.1-def ined dat a obj ect s t o be

t r ansmit t ed

❍ each t r ansmit t ed obj ect has Type, Lengt h, Value

(TLV) encoding

23 October 2001 Network Management 23 Data Communications, Jonny Pettersson, UmU

Net wor k Management

❒ int r oduct ion t o net wor k management

❍ mot ivat ion ❍ maj or component s

❒ I nt er net net wor k management f ramewor k

❍ SMI : dat a def init ion language ❍ MI B: management inf or mat ion base ❍ SNMP

: prot ocol f or net wor k management

❍ secur it y and administ r at ion

❒ present at ion services: ASN.1

23 October 2001 Network Management 24 Data Communications, Jonny Pettersson, UmU

Klart !

❒ Alla lager

❍ Applikat ion ❍ Transpor t ❍ Nät verk ❍ Länk ❍ (Fysiska)

❒ Mult imedia ❒ Säkerhet ❒ Nät verksövervakning

applicat ion t r anspor t net wor k link physical