Information Network1 -13- 1
Network Management
Suguru YAMAGUCHI
Graduate School of Information Science
Nara Institute of Science and Technology
Information Network1 -13- 2
Overview
Maintaining the operation of the infrastructure
Needs factors other than technical ones
– Legal compliance
– Management
More and more frameworks are built
– practical use of frameworks in real enterprise environments is needed
– SNMP, ISMS, ISO27001, SOX….
– composite of technology and management
Information Network1 -13- 4
Requirements for Network Management
Stable provision of service
– construction of systems that stay up as long as possible
– provide the necessary service to the user who needs it, whenever he needs it
– when trouble occurs, we must recover the system as soon as possible
– hypothesize possible trouble and ensure business continuity
We can learn from trouble
– understand and record the status of a system
– periodic audits
– Sharing lessons learned and knowledge
– search for high reliability, effectiveness and rationality
Information Network1 -13- 5
Clarification of The Method and Target
What do we have to protect?
– Information asset
– Information processing
– Information system
– Network system
How to protect?
– Multiplexing
– Robustness
– Application of blocking policy
Information Network1 -13- 6
Network Management Platform
OS core
Middlewares
Application
Network Mgmt Core
Local mgmt. Policy
My mgmt. Policy
classic structure….
Information Network1 -13- 7
Network Management is a Science
Business IT platform
Information gathering
Draft
countermeasure implementation
Analysis・Verification
Problem extraction
• Improving system continuously, rationally
• Acknowledge, Hypothesize, Verify
• Understanding the change of a system caused by countermeasures
• Designing changes caused by the existence of risks
Information Network1 -13- 8
3 Entities
Technology
Management
Compliance
Technology Compliance
Management
Solution development
(Management decision)
Information Network1 -13- 9
New Challenges on Network Management
SNMP: configuration and status observation remotely via network (1990’s -)
Semantics mgmt.: for complex and multi-vendor infrastructure. Esp. “netconf”
Policy mgmt.: consistency and integrity management. Human readable to computable expression.
Information Network1 -13- 10
Logical Structure
Policy Management
Semantic expression processing
Knowledge and Environment
Computable Expression
Security
Finance
Accounting
Asset management/allocation
System and network operation
XML Expression
Information Network1 -13- 11
Steps Toward Building New Systems
Secure Business GRID
P2P friendly network
Connection management for networks featuring
quarantine functionality
Tunneling auto-configuration
Physical/Cyber convergence
Tangible Networking
….
Appearance of new technologies
– Technology convergence
Information Network1 -13- 13
Fundamental Components
Configuration management
– Is the construction decided at the time of design implemented?
– Network management of entities and routing, service management of applications
Performance management
– Is the performance set at the time of design provided?
– Performance measurement, monitoring, countermeasure development
Troubleshooting
– Trouble prevention, response and relapse prevention
Accounting
– User management and accounting
Security management
– Security measures
– Risk management
Information Network1 -13- 14
Configuration Management
Routing
– Most important element in network management
• Configuration and operation are difficult when different routes are set for each application (Application oriented routing, TOS (type of service) routing)
– dynamic routing management is becoming widespread, but reaching plug-and-play level is difficult
• IPv4/IPv6, unicast/multicast, ….
Terminal connection/disconnection and configuration
– Most important element: mobile nodes, typically laptops
• DHCP, access control, quarantine, ….
– Quite difficult in wireless network environment
Information Network1 -13- 15
Performance Management
Performance objectives set at network design time
– user-centric settings
• maximum number of concurrent users, average time of data acquisition etc.
How to measure? How to improve?
– engineering problems
• sometimes, we need to change the network composition
• needs continuous and stable management
– needs analysis
• characteristics are not given by just acquiring the value
• in many cases, the analysis method is not fixed
– judgment of investment timing
• when do we improve the system?
• on what scale do we implement?
Information Network1 -13- 17
Actually, The Extensive “Security Management”
The 3 remaining management areas are known as “security management” in a broad sense
– Trouble management
– Accounting management
– Security management
General action is needed in a wider area
– Risk management
– Crisis management
– Information asset management
– User management
– Reliability management
Information Network1 -13- 18
Internet and Reliability
source : alaxala network
The internet runs on a best-effort basis
Best effort
– make efforts in order to obtain maximum results
– in the network, even when requests sent from users to a system exceed the network capacity, the network does not deal expressly with the issue
– when the provider line adopts best-effort quality, it often means that traffic exceeding the network capacity is discarded
• there is no quality of service for each individual channel
Information Network1 -13- 19
Internet and Reliability
The internet needs high reliability
– Quality
– Robustness
– Fault tolerance
– Confidentiality
• Sniffer-proof
– MTTR (Mean Time To Repair)
Information Network1 -13- 20
Internet and Reliability
Outline of security and reliability standards in the ICT
(Information Communication Technology) network
– goals of countermeasures on ICT network: stability,
connectivity, security
– reinforces the ICT network resilience to internal
vulnerabilities
– stable maintenance of the ICT network
– standards of security and reliability
• adjustment and consideration about countermeasures
• requirements for hardware and software
• system maintenance and operation
source : Telecommunications Bureau of the Ministry of Internal
Affairs and Communications, Telecommunication Systems
Division
Information Network1 -13- 21
How to measure?
Quality
Trends
Reliability/Availability
Information gathering platform
Analysis and verification
Knowledge accumulation
Digitalization of experience
….
Information gathering
Draft
Countermeasure implementation
Analysis・Verification
Issues extraction
Information Network1 -13- 23
Management Structure Model
Data plane
Management plane
Agent: performs management operations and status monitoring of managed machines based on instructions from the NMS
NMS (Network Management Station): carries out management operations by instructions from NMS
Network Management Protocol (individual access)
User traffic
Information Network1 -13- 24
Implementation Example(1)
config. information
statistical information
Routing engine
gathering from packet processing HW
UI prg. for console
Net. Management agent
NMS
SNMP
SNMP (Simple Network Management Protocol)
– the agent is implemented in many network devices
Information Network1 -13- 25
Implementation Example(2)
Where does SNMP communicate?
– In-band
• uses networks where usual traffic flows
• data plane and management plane are the same
– Out-band
• prepares a dedicated management network
• completely separates data plane and management plane
• we can construct a more reliable environment
• cost is high
– Recently, networks are mostly constructed out-band
• we want to make human cost lower than network cost
• remote management is common knowledge
Information Network1 -13- 26
Implementation Example(3)
MIB (Management Information Base)
– database that expresses statistics and configuration
information
– system configuration is expressed using values
• e.g. power: 1=ON, 0=OFF
– System status changes by value-altering operations
• e.g. power: 1→0, power off
– MIB links to a state
• system status can be known by viewing status values
• system status can be changed by configuring status values
Information Network1 -13- 27
Implementation Example(4)
NMS AGENT
NMS software
SNMP agent
GET mib
statistical information and configuration information values
SET mib=val
setting configuration information
TRAP type
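
The GET / SET / TRAP exchange and the MIB state model from Implementation Examples (2)-(4), as an added example that is not part of the original slides: a toy in-memory agent, with no real SNMP library or wire format. The object names, the 192.0.2.0/24 management subnet, the trap tuple and the error strings are constructed assumptions; the source-address check stands in for a dedicated out-band management network.

```python
import ipaddress

# Constructed values: the management subnet and MIB object names are assumptions.
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")  # dedicated (out-band) mgmt network

class ToyAgent:
    """Agent side of the slide's diagram: a MIB plus GET / SET / TRAP."""
    def __init__(self, trap_sink):
        self.mib = {
            "power": {"value": 1, "access": "read-write"},          # 1=ON, 0=OFF
            "ifInOctets": {"value": 48213, "access": "read-only"},  # statistic
        }
        self.trap_sink = trap_sink  # callable standing in for the NMS trap receiver

    def _check(self, src_ip, name):
        # Returns an error tuple, or None when the request may proceed.
        if ipaddress.ip_address(src_ip) not in MGMT_NET:
            return ("error", "not-management-plane")
        if name not in self.mib:
            return ("error", "no-such-object")
        return None

    def get(self, src_ip, name):
        """GET mib: system status is known by viewing the value."""
        return self._check(src_ip, name) or ("ok", self.mib[name]["value"])

    def set(self, src_ip, name, value):
        """SET mib=val: altering the value changes the system status."""
        err = self._check(src_ip, name)
        if err:
            return err
        obj = self.mib[name]
        if obj["access"] != "read-write":
            return ("error", "not-writable")
        old, obj["value"] = obj["value"], value
        if old != value:
            self.trap_sink(("stateChange", name, old, value))  # TRAP to the NMS
        return ("ok", value)

def demo():
    traps = []
    agent = ToyAgent(traps.append)
    results = [
        agent.get("192.0.2.10", "power"),
        agent.set("192.0.2.10", "power", 0),       # power 1 -> 0: power off
        agent.set("192.0.2.10", "ifInOctets", 0),  # statistics are read-only
        agent.set("203.0.113.7", "power", 1),      # not from the mgmt network
        agent.get("192.0.2.10", "power"),
    ]
    return results, traps
```

Because a SET alters device state, the write path is the one to restrict and to audit; the trap list gives the NMS a record of every accepted change.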
Information Network1 -13- 28
Management Operation using SNMP
Configuration management of each piece of equipment from the NMS
– utilization of the application provided by each equipment vendor
– construction of a single interface that absorbs the differences between systems
• System management environment that uses the “netconf” standard has entered our field of vision
Acquisition of operation status and performance information about equipment
– Actually, SNMP has been mainly used recently
– Flow information at L3 switch etc.
– Packet analyzer that uses the RMON (Remote monitoring) MIB
Transition from SNMP to netconf
Transition has started from the primitive SNMP to
netconf that allows for more abstraction and a unified
management description
– Some compliant products appeared around 2008
– Each vendor is currently working on it
– Problem: how to (semi-)automate conversion from a highly abstract description to a real procedure.
• This part is a domain that has required a lot of human thought
• We need to proceed from the previous implicit knowledge to formal knowledge.
Information Network1 -14- 29
Information Network1 -13- 31
PDCA Cycle: Ensure rationality
design of the information
management system,
based on the risk
homogeneity, consistency
reasonability, effectiveness
countermeasure verification
audit and investigation
problem discovery
countermeasure
implementation
system operation and
management
remove issues
maintenance operation
extraction of new issues
Plan
Do
Check
Act
need a more flexible “Plan” based on information security
characteristics
→ can not predict the time when a new will occur
Information Network1 -13- 32
Requires Rational Judgement
goals and
objectives
awareness
of the
situation
choice of suitable action
(manager)
resource+situation
mission
commitment
Information Network1 -13- 33
Requires Rational Judgement
(manager)
Crisis
normal condition
response
recover
normal condition
“Which action is appropriate to each situation?”
plan
do
act
check
plan
do
act
check
Information Network1 -13- 34
Requires Rational Judgement
At a critical moment:
We can only perform usual operations
We can’t satisfactorily perform usual operations
We definitely can’t perform unusual operations
(manager)
Information Network1 -13- 35
Usual execution
Risk assessment
Implementation of the
normal business
process
Strategic Plan
Education and training
Assessment
Strategy
Process
Training
Information Network1 -13- 36
Choice of The Countermeasure
[Figure: countermeasure matrix. Axes: loss (large / small) and outbreak frequency (high / low). Cells: avoidance, reduction, acceptance, transference.]
Information Network1 -13- 37
Conclusion
Network management does not have the correct answer
– always challenging
– always reporting, communication and consultation
– this area needs originality and ingenuity
– technology, compliance and management
Network Management Technology
– spread of SNMP
– provides a lot of tools
– how far do we integrate effectively?
– transition from SNMP to netconf