Presentation is loading. Please wait.

Presentation is loading. Please wait.

8: Network Management1 17: Network Management and Monitoring Last Modified: 5/21/2015 5:07:07 PM.

Published byBrandon Elliott Modified over 9 years ago

Similar presentations

Presentation on theme: "8: Network Management1 17: Network Management and Monitoring Last Modified: 5/21/2015 5:07:07 PM."— Presentation transcript:

1 8: Network Management1 17: Network Management and Monitoring Last Modified: 5/21/2015 5:07:07 PM

2 8: Network Management2 Network Management Tasks r Protecting the network (e.g. intrusion detection) r Detecting failed components (interfaces, links, hosts, routers) r Monitoring traffic patterns (recommend needed upgrades, cap certain types of traffic) r Detect abnormal traffic (rapid changes in routing tables, huge spikes in BW usage)

3 8: Network Management3 Snort  Detection/logging of packets matching filters/rule sets similar to Ethereal capture/display filters  Three primary uses  Packet sniffer  Packet logger  Intrusion Detection System

4 8: Network Management4 Snort IDS  Snort consists of three subsystems:  packet decoder (libpcap-based)  detection engine  logging and alerting subsystem  Detection engine:  Rules form signatures  Modular detection elements are combined to form these signatures  Anomalous activity detection is possible: stealth scans, OS fingerprinting, invalid ICMP codes, etc.  Rules system is very flexible, and creation of new rules is relatively simple

5 8: Network Management5 Snort Rules  Snort rules consist of two parts  Rule header  Specifies src/dst host and port  Alert tcp !128.119.0.0/16 any -> 128.119.166.5 any  Notice: negation, any in network 128.119.0.0  Rule options  Specifies flags, content, output message  (flags: SFAPR; msg: “Xmas tree scan”)

6 8: Network Management6 Writing Snort Rules  Snort uses a simple rules language  http://www.snort.org/writing_snort_rules.htm  Rule header consists of  Rule Actions  Alert, Log, Pass Dynamic, activate, etc…  Protocol  Tcp, udp, icmp, etc…  IP Addresses  Source, dest, CIDR mask  Port numbers  Source, dest, range  Direction  Negation

7 8: Network Management7 Simple examples r log tcp any any -> $SMTP 23 (msg: “telnet to the mail server!”;) r alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg: “TELNET login incorrect”; content: “Login incorrect”; flags: A+;) r alert icmp any any -> any any (msg:”ICMP Source Quench”; itype: 4; icode: 0;)

8 8: Network Management8 Prewritten Rulesets r Snort comes packaged with a number of prewritten rulesets m include bad-traffic.rules m include exploit.rules m include scan.rules m include finger.rules m include ftp.rules m include telnet.rules m include smtp.rules m include rpc.rules m include rservices.rules m include dos.rules m include ddos.rules m include dns.rules m include tftp.rules m include web-cgi.rules m include web-coldfusion.rules m include web-frontpage.rules m ……….

9 8: Network Management9 Vulnerability databases r Rules correlated to common databases r Bugtraq m http://www.securityfocus.com/cgi-bin/vulns.pl http://www.securityfocus.com/cgi-bin/vulns.pl m Ex. Bugtraq id 2283: 23-01-2001: Lotus Domino Mail Server 'Policy' Buffer Overflow Vulnerability r ArachNIDS m http://www.whitehats.com/ids/index.html http://www.whitehats.com/ids/index.html r Common Vulnerabilities and Exposures m http://cve.mitre.org http://cve.mitre.org

10 8: Network Management10 Firewalls r Gateway machines through which all traffic passes r Can *stop* rather than simply log traffic that matches rules/filters

11 8: Network Management11 Types of firewalls  Packet Filtering firewall  Operate on transport and network layers of the TCP/IP stack  Application Gateways/Proxies  Operate on the application protocol level

12 8: Network Management12 Packet Filtering Firewall  Operate on transport and network layers of the TCP/IP stack  Decides what to do with a packet depending upon the following criteria:  Transport protocol (TCP,UDP,ICMP),  Source and destination IP address  The source and destination ports  ICMP message type/code  Various TCP options such as packet size, fragmentation etc  A lot like Ethereal capture/display filters

13 8: Network Management13 Packet Filtering r Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. m All incoming and outgoing UDP flows and telnet connections are blocked. r Example 2: Block inbound TCP segments with ACK=0 or with SYN bit set and ACK bit unset. m Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

14 8: Network Management14 Packet Filtering Firewall: Terminology r Stateless Firewall: The firewall makes a decision on a packet by packet basis. r Stateful Firewall : The firewall keeps state information about transactions (connections). r NAT - Network Address translation m Translates public IP address(es) to private IP address(es) on a private LAN. m We looked at this already (must be stateful)

15 8: Network Management15 Packet Filtering Firewall: Functions r Forward the packet(s) on to the intended destination r Reject the packet(s) and notify the sender (ICMP dest unreach/admin prohibited) r Drop the packet(s) without notifying the sender. r Log accepted and/or denied packet information r NAT - Network Address Translation

16 8: Network Management16 Application Gateway (Proxy Server)  Operate at the application protocol level. (Telnet, FTP, HTTP)  Filters packets on application data as well as on IP/TCP/UDP fields  Application Gateways “Understand” the protocol and can be configured to allow or deny specific protocol operations.  Typically, proxy servers sit between the client and actual service. Both the client and server talk to the proxy rather than directly with each other.

17 8: Network Management17 Application gateways r Example: allow select internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Firewall filter blocks all telnet connections not originating from gateway.

18 8: Network Management18 Firewall Hardware/Software r Dedicated hardware/software application such as Cisco PIX Firewall which filters traffic passing through the multiple network interfaces. r A Unix or Windows based host with multiple network interfaces, running a firewall software package which filters incoming and outgoing traffic across the interfaces. r A Unix or Windows based host with a single network interface, running a firewall software package which filters the incoming and outgoing traffic to the individual interface.

19 8: Network Management19 Firewall Architecture In the real world, designs are far more complex

20 8: Network Management20 Limitations of firewalls and gateways r IP spoofing: router can’t know if data “really” comes from claimed source r If multiple app’s. need special treatment, each has own app. gateway. r Client software must know how to contact gateway. m e.g., must set IP address of proxy in Web browser r Filters often use all or nothing policy for UDP. r Tradeoff: degree of communication with outside world, level of security r Many highly protected sites still suffer from attacks.

21 8: Network Management21 Managing the network? r autonomous systems (network under a single administrative control): 100s or 1000s of interacting hw/sw components m Many complex pieces…that can break Hardware (end hosts, routers, hubs, cabling) Software m Something is broken – where? What is normal? What is abnormal? m Planning for the future – where is the bottleneck? r Need information stream from remote components

22 8: Network Management22 Network Management Architecture r (1) a network manager r (2) a set of managed remote devices r (3) management information bases (MIBs) r (4) remote agents that report MIB information and take action under the control of the network manager r (5) a protocol for communicating between the network manager and the remote devices Network Operations Center (NOC) = control center

23 8: Network Management23 Infrastructure for network management agent data agent data agent data agent data managed device managing entity data network management protocol definitions: managed devices contain managed objects whose data is gathered into a Management Information Base (MIB) managing entity

24 8: Network Management24 Network Management standards OSI CMIP r Common Management Information Protocol r designed 1980’s: the unifying net management standard r too slowly standardized SNMP: Simple Network Management Protocol r Internet roots (Simple Gateway Monitoring Protocol, SGMP) r started simple r deployed, adopted rapidly r growth: size, complexity r de facto network management standard

25 8: Network Management25 SNMP overview: 4 key parts r SNMP protocol m convey manager managed object info, commands r Structure of Management Information (SMI): m data definition language for MIB objects, format of data to be exchanged m Protocol independent type language r Management information base (MIB): m distributed information store of network management data, collection of MIB objects r security, administration capabilities m major addition in SNMPv3

26 8: Network Management26 SMI: data definition language Purpose: syntax, semantics of management data well- defined, unambiguous r base data types: m straightforward, boring r Higher level structs m OBJECT-TYPE m MODULE_IDENTITY SMI Basic Data Types INTEGER Integer32 Unsigned32 OCTET STRING OBJECT IDENTIFIED IPaddress Counter32 Counter64 Guage32 Tie Ticks Opaque

27 8: Network Management27 OBJECT-TYPE r SYNTAX = basic type of this object r MAX-ACCESS = operations allowed on the object (read, write, create, notify) r STATUS = current/valid, obsolete (should not be implemented), deprecated (implemented for backwards compatibility) r DESCRIPTION = comment, human readable description ipInDelivers OBJECT-TYPE SYNTAX Counter32 MAX-ACCESS read-only STATUS current DESCRIPTION "The total number of input datagrams successfully delivered to IP user-protocols (including ICMP)." ::= { ip 9 }

28 8: Network Management28 MODULE-IDENTITY r MODULE-IDENTITY construct allows related objects to be grouped together within a "module.“ r Contains the OBKECT- TYPE constructs for each object in the module r Plus contact and description information ipMIB MODULE-IDENTITY LAST-UPDATED “941101000Z” ORGANZATION “IETF SNPv2 Working Group” CONTACT-INFO “ Keith McCloghrie ……” DESCRIPTION “The MIB module for managing IP and ICMP implementations, but excluding their management of IP routes.” REVISION “019331000Z” ……… ::= {mib-2 48}

29 8: Network Management29 SNMP MIB OBJECT TYPE: objects specified via SMI OBJECT-TYPE construct MIB module specified via SMI MODULE-IDENTITY (100+ standards-based MIBs written by IETF, more vendor-specific) MODULE

30 8: Network Management30 SNMP Naming question: how do we keep track of/name every possible standard object (protocol, data, more..) in every possible network standard?? answer: ISO Object Identifier tree: m hierarchical naming of all objects m each branchpoint has name, number 1.3.6.1.2.1.7.1 ISO ISO-ident. Org. US DoD Internet udpInDatagrams UDP MIB2 management

31 8: Network Management31 Check out www.alvestrand.no/harald/objectid/top.html OSI Object Identifier Tree

32 8: Network Management32 MIB example: UDP module Object ID Name Type Comments 1.3.6.1.2.1.7.1 UDPInDatagrams Counter32 total # datagrams delivered at this node 1.3.6.1.2.1.7.2 UDPNoPorts Counter32 # underliverable datagrams no app at portl 1.3.6.1.2.1.7.3 UDInErrors Counter32 # undeliverable datagrams all other reasons 1.3.6.1.2.1.7.4 UDPOutDatagrams Counter32 # datagrams sent 1.3.6.1.2.1.7.5 udpTable SEQUENCE one entry for each port in use by app, gives port # and IP address

33 8: Network Management33 SNMP protocol Two ways to convey MIB info, commands: agent data Managed device managing entity response agent data Managed device managing entity trap msg request request/response mode: Give me your regular report trap mode: Better hear about this now!

34 8: Network Management34 SNMP protocol: message types GetRequest GetNextRequest GetBulkRequest Mgr-to-agent: “get me data” (instance,next in list, block) Message type Function InformRequest Mgr-to-Mgr: here’s MIB value SetRequest Mgr-to-agent: set MIB value Response Agent-to-mgr: value, response to Request Trap Agent-to-mgr: inform manager of exceptional event

35 8: Network Management35 SNMP protocol: message formats

36 8: Network Management36 SNMP security and administration r encryption: DES-encrypt SNMP message r authentication: compute, send Message Integrity Code (MIC) MIC(m,k): compute hash (MIC) over message (m), secret shared key (k) r protection against playback: use nonce r view-based access control m SNMP entity maintains database of access rights, policies for various users m database itself accessible as managed object!

37 8: Network Management37 Multi Router Traffic Grapher (MRTG) r SNMP client r Will gather data from remote machines via SNMP r Graphs changes in info over time

38 8: Network Management38 Outtakes

39 8: Network Management39 Packet Filtering Firewall: Disadvantages r Filters can be difficult to configure. It’s not always easy to anticipate traffic patterns and create filtering rules to fit. r Filter rules are sometimes difficult to test r Packet filtering can degrade router performance r Attackers can “tunnel” malicious traffic through allowed ports on the filter.

40 8: Network Management40 Application Gateway (Proxy Server): Disadvantages r Requires modification to client software application r Some client software applications don’t accommodate the use of a proxy r Some protocols aren’t supported by proxy servers r Some proxy servers may be difficult to configure and may not provide all the protection you need.

41 8: Network Management41 Snort: Sample IDS output  Apr 12 01:56:21 ids snort: EXPLOIT sparc setuid 0: 218.19.15.17:544  xxx.yyy.zzz.41:37987  Apr 12 01:56:21 ids snort: EXPLOIT x86 NOOP: 23.91.17.7:544  xxx.yyy.zzz.41:37987  Apr 12 07:31:03 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 63.26.255.221  xxx.yyy.zzz.34  Apr 12 09:59:38 ids snort: RPC portmap request rstatd: 28.11.67.132:1033  xxx.yyy.zzz.29:111  Apr 12 13:20:05 ids snort: ICMP Nmap2.36BETA or HPING2 Echo : 12.13.1.67  xxx.yyy.zzz.126  Apr 12 14:13:22 ids snort: RPC portmap request rstatd: 134.1.5.12:3649  xxx.yyy.zzz.29:111  Apr 12 20:19:34 ids snort: BACKDOOR back orrifice attempt: 209.255.213.130:1304  xxx.yyy.zzz.241:31337  Apr 12 22:53:52 ids snort: DNS named iquery attempt: 209.126.168.231:4410  xxx.yyy.zzz.23:53

42 8: Network Management42 Example: smtp.rules r alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:1;) r alert tcp $EXTERNAL_NET 113 -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit";flags: A+; content:"|0a|D/"; reference:arachnids,140; reference:cve,CVE-1999-0204; classtype:attempted-admin; sid:655; rev:1;) r alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn root";flags: A+; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:2;)

43 8: Network Management43

Download ppt "8: Network Management1 17: Network Management and Monitoring Last Modified: 5/21/2015 5:07:07 PM."

Similar presentations

Chapter 9 Network Management Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of.

Chapter 9 Network Management Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
8: Network Management1 23: Network Management: Firewalls and SNMP Last Modified: 5/21/2015 5:05:56 PM.

8: Network Management1 23: Network Management: Firewalls and SNMP Last Modified: 5/21/2015 5:05:56 PM.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Lecture 16 Network Management CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger slides are modified from Jim Kurose, Keith.

Lecture 16 Network Management CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger slides are modified from Jim Kurose, Keith.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.

TCP/IP Protocol Suite 1 Chapter 21 Upon completion you will be able to: Network Management: SNMP Understand the SNMP manager and the SNMP agent Understand.
8: Network Management1 Network Management r introduction to network management m motivation m major components r Internet network management framework.

8: Network Management1 Network Management r introduction to network management m motivation m major components r Internet network management framework.
Network Management 9-1 23 - Network Management. Network Management 9-2 Chapter 9 Network Management Computer Networking: A Top Down Approach Featuring.

Network Management Network Management. Network Management 9-2 Chapter 9 Network Management Computer Networking: A Top Down Approach Featuring.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
COMP4690, by Dr Xiaowen Chu, HKBU

COMP4690, by Dr Xiaowen Chu, HKBU
Chapter 6 Overview Simple Network Management Protocol

Chapter 6 Overview Simple Network Management Protocol
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.

Network Protocols UNIT IV – NETWORK MANAGEMENT FUNDAMENTALS.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Similar presentations

Ads by Google