CS Efficient Network Management. Class 14 *


Slide 1: CS236635 Efficient Network Management, Class 14. Danny Raz. Special thanks to Prof. Morris Sloman, Imperial College London, UK.

Slide 2: Administrative notes
- Ex2 will be returned today
- Projects: first report done
- Project submission date: 10 March 2006

Slide 3: Objectives
- Advanced network management
- Policy based management
- Event correlation
- Web based management
- So what did we do in this course?

Slide 4: Policy Based Network Management
- Main idea: define policies offline, then at run time use the policies to decide what active measures to take
- Usage: fault/performance management, configuration management, security management

Slide 5: Policy fault management (diagram)
- Control loop stages: discovery, monitoring, fault detection, correction action
- Policies attached to the loop: discovery, monitoring policies, fault detection, correction action
- Programmable networks add new functionality at the correction stage

Slide 6: Policy configuration management (diagram)
- Configuration manager, fed by discovery and by policies
- Example policies: "Always use multicast"; "OSPF: use only one area"; "No QoS"; "ToS1 = minimal delay"

Slide 7: Policy security management (diagram)
- Security manager, driven by policies
- Example policies: "Allow TCP connections from this area only"; "Allow workflow to marketing"; "Allow access to personal data only to top management"

Slide 8: Example Policies
- Who is permitted to access a service, what operations they can perform, and when. E.g. research staff can set up video conferences between the UK and the USA only between 16:00 and 19:00, Monday to Wednesday.
- What resources a mobile user can access when visiting a remote location.
- What information transformations and UI adaptations should take place when a user is mobile.
- What actions should be performed when a login violation is detected.
- What diagnostic tests should be performed when an error count is exceeded in a network component.
- Allocate 10% of available bandwidth to voice over IP.

Slide 9: Policy Definition
- A rule governing choices in the behaviour of the system
- Derived from enterprise goals and service level agreements
- Need to specify and modify policies without coding them into automated agents
- Policies are persistent, but can be dynamically modified
- They change system behaviour without modifying the implementation; they do not add new functionality

Slide 10: Policy
- Main idea: separate the (dynamically changing) set of rules from the flow of the decision process
- How to define rules (policies)? How to use them?
- Is SNMP good for that? Is it efficient?

Slide 11: IETF Framework (diagram)
- A Policy Group contains 0..n policy groups and 0..n policy rules
- A Policy Rule contains 0..n policy conditions, combined either as an ORed set of ANDed conditions or as an ANDed set of ORed conditions, and 0..n policy actions
- A Policy Condition may be a policy validity period condition: a range of time with time masks for month of year, day of month (1-31 and 31-1), day of week and time of day

Slide 12: IETF Concepts
- LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that programs use to look up information from a server
- A policy group is a set of related policy rules
- Each policy rule component (condition, action) is stored as an LDAP object
- Policy component objects can be reused (shared) between multiple rules to avoid respecifying them, e.g. multiple rules can use the same period condition object

Slide 13: Example IETF Policy Specification (from Strassner, Policy 2001)
- Rule: If (SourcePort == MyWebServerPort) then Color DSCP=5
- Stored as LDAP objects:
    Objectclass: qosPolicyRule; Type: 1; Direction: out; Priority: 1
    Objectclass: qoscolorpolicyaction; DSCPValue: 5
    Objectclass: qoscolorpolicycondition; Type: IntegerOID; Operator: ==
    Objectclass: qospolicyvariable; Name: SourcePort; Type: IntegerOID
    Objectclass: qospolicyconstant; Name: MyWebServerPort; Type: IntegerOID
    Objectclass: qospolicynumbervalue; Type: IntegerOID; PortValue: 80
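The rule/condition/action structure of slides 11 and 13, as an added Python example (not code from the lecture or from any IETF implementation). It models the slide's rule as a rule object whose conditions are in DNF (an ORed set of ANDed conditions), attaches the colour action and a validity-period condition, and marks constructed packets. The packets, the weekday mask and evaluating rules in ascending priority-number order are assumptions.

```python
"""Evaluate an IETF-style QoS policy rule against packets (added illustration)."""
import operator
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set

Packet = Dict[str, object]

# Named constant: the qospolicyconstant / qospolicynumbervalue pair on the slide.
CONSTANTS = {"MyWebServerPort": 80}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


@dataclass
class Condition:
    """One simple condition: <packet variable> <operator> <constant or literal>."""
    variable: str
    op: str
    value: object          # literal, or the name of an entry in CONSTANTS

    def holds(self, pkt: Packet) -> bool:
        rhs = CONSTANTS.get(self.value, self.value) if isinstance(self.value, str) else self.value
        lhs = pkt.get(self.variable)
        return lhs is not None and OPS[self.op](lhs, rhs)


@dataclass
class ValidityPeriod:
    """Subset of the validity-period condition: day-of-week and time-of-day masks."""
    days_of_week: Set[int]   # 0 = Monday ... 6 = Sunday
    start_hhmm: int          # inclusive, e.g. 800
    end_hhmm: int            # exclusive, e.g. 1800

    def holds(self, at: datetime) -> bool:
        hhmm = at.hour * 100 + at.minute
        return at.weekday() in self.days_of_week and self.start_hhmm <= hhmm < self.end_hhmm


@dataclass
class Rule:
    name: str
    direction: str                        # "in" / "out", as the Direction attribute
    priority: int                         # lower number evaluated first (assumption)
    dnf: List[List[Condition]]            # ORed set of ANDed conditions
    actions: List[Callable[[Packet], None]]
    validity: Optional[ValidityPeriod] = None

    def matches(self, pkt: Packet, at: datetime) -> bool:
        if self.validity is not None and not self.validity.holds(at):
            return False
        # Each inner list is a conjunction; the rule fires if any conjunction holds.
        return any(all(c.holds(pkt) for c in conj) for conj in self.dnf)


def color_dscp(value: int) -> Callable[[Packet], None]:
    """The qoscolorpolicyaction: mark the packet with a DSCP value."""
    def action(pkt: Packet) -> None:
        pkt["DSCP"] = value
    return action


def apply_rules(rules: List[Rule], pkt: Packet, at: datetime) -> Packet:
    """Apply the first matching rule in priority order; returns the (possibly marked) packet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == pkt.get("direction") and rule.matches(pkt, at):
            for act in rule.actions:
                act(pkt)
            break
    return pkt


# The slide's rule: outbound traffic from the web server port gets DSCP 5,
# here restricted (assumption) to working days via the validity period.
WEB_RULE = Rule(
    name="qosPolicyRule-1", direction="out", priority=1,
    dnf=[[Condition("SourcePort", "==", "MyWebServerPort")]],
    actions=[color_dscp(5)],
    validity=ValidityPeriod(days_of_week={0, 1, 2, 3, 4}, start_hhmm=0, end_hhmm=2400),
)


def mark(pkt: Packet, at_iso: str = "2006-03-06T10:00") -> Packet:
    """Mark a copy of a constructed packet at the given ISO time (default: a Monday morning)."""
    return apply_rules([WEB_RULE], dict(pkt), datetime.fromisoformat(at_iso))


if __name__ == "__main__":
    for p in ({"direction": "out", "SourcePort": 80}, {"direction": "out", "SourcePort": 443}):
        print(mark(p))
```

A packet without the SourcePort field fails the condition rather than raising, and a packet arriving outside the validity period is left unmarked; both are the defaults a PEP wants from a matching engine, and the constant lookup mirrors the slide's separation of the variable, the named constant and its value into distinct objects.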

Slide 14: IETF Policy Architecture (diagram)
- Policy Management Application: user interface, conflict detection, notification generation, management information repository (status and configuration info, notifications)
- Policy Repository (e.g. directory or DB) holding the policy rules, accessed through a repository access protocol (e.g. LDAP)
- Policy Consumer / Policy Decision Point (PDP): policy translation
- Policy protocol between PDP and PEP (e.g. COPS, SNMP, ...)
- Policy Target / Policy Execution Point (PEP): network element interface

Slide 15: Policy Consumer
- Receives policy and translates it into a format applicable to the target
- Knows about target capabilities
- Policy Decision Point (PDP): makes policy decisions based on policy conditions and configures the target to enforce the policy, e.g. an access control list, or a priority queue keyed on packet address
- Each target is controlled by one consumer; a consumer may control multiple targets

Slide 16: Policy Target
- Policy Execution Point (PEP): a specific functional feature (interface) of a device, e.g. priority queuing or committed access rate for a router
- A router with 2 interfaces and 4 manageable features will have 8 targets
- A sophisticated device (programmable node) may include both a PDP and PEPs

Slide 17: PEP-PDP Interaction (diagram)
Sequence with an RSVP router as the PEP and a policy server as the PDP:
1) Event, e.g. an RSVP request arrives at the PEP
2) REQ: the PEP sends a request (source address, etc.) to the PDP
3) DEC: the PDP returns a decision (resources)
4) The PEP reserves resources
5) The RSVP request is forwarded
- Devices can also be pre-configured with policy data, so they do not have to query the PDP on every event (provisioning)
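The REQ/DEC exchange above and the provisioning alternative, as an added Python simulation (not the lecture's code and not a COPS implementation; it also illustrates the outsourcing PEP vs. configuration PEP distinction in the PolicyXpert architecture later on). The request fields, the admission rule (allowed source prefix plus a per-link bandwidth budget) and the four RSVP events are constructed.

```python
"""Simulated PEP/PDP exchange in the outsourcing and provisioning models (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PDP:
    """Policy server: admit a reservation if the source falls in an allowed
    prefix and the link's bandwidth budget is not exceeded (constructed rule)."""
    allowed_prefixes: Tuple[str, ...]
    budget_kbps: int
    decisions: int = 0          # how many REQ/DEC round trips the PDP served

    def decide(self, req: Dict) -> Dict:
        self.decisions += 1
        install = (req["src"].startswith(self.allowed_prefixes)
                   and req["in_use_kbps"] + req["kbps"] <= self.budget_kbps)
        return {"type": "DEC", "handle": req["handle"], "install": install}

    def policy_data(self) -> Dict:
        """Provisioning model: the policy data the PDP pushes to a PEP up front."""
        return {"allowed_prefixes": self.allowed_prefixes, "budget_kbps": self.budget_kbps}


@dataclass
class PEP:
    """RSVP router: either outsources each decision or uses provisioned data."""
    pdp: PDP
    outsourcing: bool
    provisioned: Dict = field(default_factory=dict)
    in_use_kbps: int = 0
    log: List[str] = field(default_factory=list)

    def on_rsvp_request(self, handle: str, src: str, kbps: int) -> bool:
        """Steps 1-4 of the slide: event, REQ, DEC, reserve (step 5, forwarding, is omitted)."""
        req = {"type": "REQ", "handle": handle, "src": src, "kbps": kbps,
               "in_use_kbps": self.in_use_kbps}
        if self.outsourcing:
            dec = self.pdp.decide(req)                    # one round trip per event
            install = dec["install"]
            self.log.append(f"REQ {handle} -> DEC install={install}")
        else:
            pd = self.provisioned                         # local decision, no message
            install = (src.startswith(pd["allowed_prefixes"])
                       and self.in_use_kbps + kbps <= pd["budget_kbps"])
            self.log.append(f"local {handle}: install={install}")
        if install:
            self.in_use_kbps += kbps                      # reserve resources
        return install


def run(outsourcing: bool) -> Tuple[List[bool], int]:
    """Replay four constructed RSVP requests; returns (admissions, PDP round trips)."""
    pdp = PDP(allowed_prefixes=("10.1.",), budget_kbps=1000)
    pep = PEP(pdp, outsourcing)
    if not outsourcing:
        pep.provisioned = pdp.policy_data()
    events = [("h1", "10.1.2.3", 600),      # admitted: 600 <= 1000
              ("h2", "10.1.9.9", 600),      # refused: 600 + 600 > 1000
              ("h3", "192.168.1.1", 100),   # refused: source not in an allowed prefix
              ("h4", "10.1.0.7", 400)]      # admitted: 600 + 400 == 1000
    results = [pep.on_rsvp_request(*e) for e in events]
    return results, pdp.decisions


if __name__ == "__main__":
    print("outsourcing:", run(True))
    print("provisioning:", run(False))
```

Both models reach the same admissions; the difference is the message count (four round trips vs. none), which is the efficiency argument for provisioning. The price is that the PEP now holds a copy of the policy data, so a change at the PDP has to be re-pushed to every PEP before it takes effect.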

Slide 18: Cisco Secure Policy Manager Components (diagram)
- Policy Manager (IE 5.0 / NS 4.x clients): policy administration, policy configuration, policy monitoring, policy reporting, report generation
- Policy Server: central policy database, event collection, policy distribution, policy generation, certificate authority server
- Control agents: PIX control agent, Cisco IOS control agent, IDS control agent
- Network infrastructure / policy enforcement points (i.e. network devices): PIX firewall, router/VPN gateway, IDS sensor

Slide 19: HP OpenView PolicyXpert
- Initially a policy-based network management tool: QoS/bandwidth management, access and security management
- Now evolved to automated provisioning with policy and configuration management features
- Uses CIM + XML to unite application-specific data sources into a configuration management database (CMDB)

Slide 20: OV PolicyXpert Architecture (diagram)
- Console creates, assigns, and deploys policies
- Primary server stores and distributes policies and maintains status information; a secondary server provides intra-domain scalability
- Configuration proxy provisions network elements (CLI, SNMP, ...)
- Configuration PEP provisions application/file servers
- Outsourcing PEP enforces PDP decisions (signaled QoS)
- COPS (Common Open Policy Service) is used to communicate policies, requests and decisions between the policy servers (PDPs) and the PEPs. COPS is a protocol developed by the IETF to provide a common methodology for policy services to communicate with devices that apply priority to traffic.
- Components shown: user interface, policy console, PolicyXpert database, primary and secondary policy servers (PDP), configuration proxy, configuration PEP, outsourcing PEP, server agent

Slide 21: Problems with the IETF Approach
- No distinction between authorisation and obligation policies
- Association of a policy with its consumer (subject) and target is not clearly specified
- No event triggering of policies
- No language for specifying policies
- Representing each policy component (action, condition etc.) as an LDAP object is unwieldy and leads to consistency problems on update
- Instance-based reuse rather than specification-based reuse
- Very QoS-management oriented, although meant to be applicable to other applications
- Conflict detection and resolution are identified but not defined

Slide 22: The Ponder Policy Framework
- Domains
- Primitive policies
- Composite policies
- Object orientation issues

Slide 23: Domains: Grouping (diagram)
- A domain is a collection of objects which have been explicitly grouped together for management purposes, e.g. to apply a common policy
- Example (LDAP) directory tree: Hub, containing People, Hardware Components and Software Components

Slide 24: Domains: Hierarchy (diagram)
- Sub-domains and overlapping domains, illustrated with domains A, B, C, D and E

Slide 25: Domains and Policies (diagram)
- Impractical to specify policy for individual objects in large systems with many objects, so specify policy for domains
- Domain membership can be changed without changing the policy
- Diagram: policies relate managers (manager agents) to managed objects

Slide 26: Primitive Policies
- Authorisation: defines what a subject is permitted or not permitted (prohibited) to do to a target. Permitted operations protect target objects from unauthorised management actions. Target-based interpretation and enforcement.
- Obligation: defines what actions a subject must do. Subject-based: the subject interprets the policy and performs actions on targets. Event triggered. Actions can be remote invocations or local scripts; sequencing or concurrency of actions can be specified.

Slide 27: Composite Policies
- Group policies: define a syntactic scope for specifying a set of related policies to be instantiated at the same time, plus constraints on the policies
- Role relationships: a role groups the rights and duties related to a position in an organisation, e.g. network operator, network manager, finance director, ward nurse. Specify policy in terms of roles rather than persons.
- Object orientation: role instances, role specialisation, inheritance

Slide 28: Ponder Summary: Object Meta Model Class Hierarchy (diagram)
- Object
    - BasicPolicy: auth (auth+, auth-), oblig, refrain, deleg (deleg+, deleg-)
    - MetaPol
    - CompositePolicy: group, role, rel, mstruct

Slide 29: Policy Conflicts
- Modality conflict detection and resolution
- Policy priority
- Semantic conflicts and meta-policies
- Policy analysis tools

Slide 30: Precedence
- Some conflicts can be resolved automatically by specifying precedence, e.g. negative policies override. This does not permit positive exceptions to negative policies.
- Specified priorities: hard to define, and several managers may specify inconsistent priorities
- Evaluating a distance between a policy and the object to which it refers
- Refinement level: does the more concrete policy override?
- Time of last update: does the more recent policy override?

Slide 31: Constraints
- Only potential modality conflicts are detected, as constraints may limit the applicability of a policy, e.g. to a particular time interval or subject state
- Typed constraints, in Ponder:

    inst auth+ lineop {
        subject s = operators;
        target Sregion;
        action enable, disable, reset, off;
        when time.between(0800, 1800) and s.state = active
    }

    inst auth- lineop {
        subject s = operators;
        target Sregion;
        action enable, disable, reset, off;
        when time.between(1600, 2400) and s.state = standby
    }

- The two policies overlap in subjects, targets, actions and time (16:00 to 18:00), but the constraints on the subject state (active vs. standby) keep them from applying at the same moment
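The domains of slides 23-25, the auth+/auth- policies of slide 26, the negative-override precedence of slide 30 and the constrained lineop pair above, as one added Python example (not the Ponder toolkit and not the lecture's code). It flags the lineop pair as a potential modality conflict statically, then shows that the state constraints keep them apart at run time. The domain members, the operator states and the extra "noon-off-" prohibition used to show precedence are constructed.

```python
"""Ponder-style authorisation over domains: conflict detection and evaluation (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Domain hierarchy: name -> (direct member objects, sub-domains). Constructed.
DOMAINS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "operators":   ({"alice", "bob"}, {"shift-leads"}),
    "shift-leads": ({"carol"}, set()),
    "Sregion":     ({"switch-s1", "switch-s2"}, set()),
}


def members(domain: str) -> Set[str]:
    """Transitive membership: objects in the domain or any nested sub-domain."""
    direct, subs = DOMAINS.get(domain, (set(), set()))
    out = set(direct)
    for sub in subs:
        out |= members(sub)
    return out


# A constraint sees the time of day (hhmm), the subject object and a state table.
Constraint = Callable[[int, str, Dict[str, str]], bool]


@dataclass
class AuthPolicy:
    name: str
    positive: bool            # True = auth+ (permit), False = auth- (prohibit)
    subject: str              # subject domain
    target: str               # target domain
    actions: FrozenSet[str]
    when: Constraint

    def applies(self, subj: str, tgt: str, action: str, hhmm: int, states: Dict[str, str]) -> bool:
        return (subj in members(self.subject) and tgt in members(self.target)
                and action in self.actions and self.when(hhmm, subj, states))


LINE_ACTIONS = frozenset({"enable", "disable", "reset", "off"})

LINEOP_POS = AuthPolicy("lineop+", True, "operators", "Sregion", LINE_ACTIONS,
                        lambda hhmm, s, st: 800 <= hhmm < 1800 and st.get(s) == "active")
LINEOP_NEG = AuthPolicy("lineop-", False, "operators", "Sregion", LINE_ACTIONS,
                        lambda hhmm, s, st: 1600 <= hhmm < 2400 and st.get(s) == "standby")
# Constructed extra prohibition with no state constraint, to show precedence.
NOON_OFF_NEG = AuthPolicy("noon-off-", False, "operators", "Sregion", frozenset({"off"}),
                          lambda hhmm, s, st: 1200 <= hhmm < 1300)

POLICIES: List[AuthPolicy] = [LINEOP_POS, LINEOP_NEG, NOON_OFF_NEG]


def potential_modality_conflicts(policies: List[AuthPolicy]) -> List[Tuple[str, str]]:
    """Static check: an auth+ and an auth- whose subject, target and action sets
    overlap are a *potential* conflict. Constraints are not evaluated here, so
    lineop+/lineop- are reported although their state constraints exclude each other."""
    found = []
    for p in policies:
        for q in policies:
            if p.positive and not q.positive and (
                    members(p.subject) & members(q.subject)
                    and members(p.target) & members(q.target)
                    and p.actions & q.actions):
                found.append((p.name, q.name))
    return found


def decide(policies: List[AuthPolicy], subj: str, tgt: str, action: str,
           hhmm: int, states: Dict[str, str]) -> Optional[bool]:
    """Run-time decision with 'negative policies override' precedence:
    True = permitted, False = prohibited, None = no policy applies (a target
    enforcing default deny would treat None as False)."""
    applicable = [p for p in policies if p.applies(subj, tgt, action, hhmm, states)]
    if not applicable:
        return None
    return all(p.positive for p in applicable)


if __name__ == "__main__":
    print(potential_modality_conflicts(POLICIES))
    print(decide(POLICIES, "alice", "switch-s1", "reset", 1700, {"alice": "active"}))
```

Because an operator is either active or standby, the lineop pair never both apply at 17:00 and the static warning is a false alarm the constraints resolve; the "noon-off-" prohibition, by contrast, really does overlap lineop+ at 12:30 for the "off" action, and negative-override makes the prohibition win, exactly the "no positive exceptions" behaviour slide 30 warns about.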

Slide 32: Semantic Conflicts
- Types of conflict: separation of duty, e.g. the same person is not allowed to both authorise payments and initiate them; self-management, e.g. a manager cannot authorise its own expenses; conflict for resources, e.g. not more than 5 persons are authorised to change the DB
- Need to specify the conditions which result in conflict: constraints on a set of policies (meta-policies), specified using Prolog or OCL, and included in composite policies such as roles or mstructs
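The three meta-policy checks named on this slide, as an added Python example (the lecture points at Prolog and OCL for meta-policies; this is plain Python and not the lecture's code). Each check is a constraint over a whole set of authorisation instances rather than over one policy. The groups, the policy instances and the limit of 5 persons are constructed.

```python
"""Meta-policy checks over a set of authorisation instances (added illustration)."""
from typing import FrozenSet, Iterable, NamedTuple, Set, Tuple

# Constructed groups (roles); a subject or target that is not a group is one person.
GROUPS = {
    "finance": {"ann", "ben", "cy"},
    "dba":     {"dan", "eve", "fay", "gil", "hal", "ivy"},
}


class Auth(NamedTuple):
    """One positive authorisation instance: subject may perform actions on target."""
    subject: str
    target: str
    actions: FrozenSet[str]


def persons(name: str) -> Set[str]:
    return set(GROUPS.get(name, {name}))


def permitted(policies: Iterable[Auth], action: str, target: str) -> Set[str]:
    """All persons permitted to perform `action` on `target` under the policy set."""
    out: Set[str] = set()
    for p in policies:
        if action in p.actions and p.target == target:
            out |= persons(p.subject)
    return out


def separation_of_duty(policies: Iterable[Auth], target: str, first: str, second: str) -> Set[str]:
    """Meta-policy: no person may hold both `first` and `second` on the same target
    (e.g. authorise payments and initiate them). Returns the offenders."""
    policies = list(policies)
    return permitted(policies, first, target) & permitted(policies, second, target)


def self_management(policies: Iterable[Auth], action: str) -> Set[str]:
    """Meta-policy: a subject must not perform `action` on a target that includes
    itself (e.g. a manager authorising their own expenses)."""
    offenders: Set[str] = set()
    for p in policies:
        if action in p.actions:
            offenders |= persons(p.subject) & persons(p.target)
    return offenders


def resource_limit(policies: Iterable[Auth], action: str, target: str, limit: int) -> Tuple[bool, int]:
    """Meta-policy: at most `limit` persons may be authorised for `action` on `target`."""
    n = len(permitted(policies, action, target))
    return n <= limit, n


# Constructed policy set containing one violation of each kind.
POLICIES = [
    Auth("finance", "payments", frozenset({"authorise"})),
    Auth("ben", "payments", frozenset({"initiate"})),        # ben is also in finance
    Auth("ann", "finance", frozenset({"approve_expenses"})), # ann approves her own group's expenses
    Auth("dba", "customer-db", frozenset({"modify"})),       # six persons may change the DB
]


def check_all(policies=POLICIES):
    return {
        "separation_of_duty": separation_of_duty(policies, "payments", "authorise", "initiate"),
        "self_management": self_management(policies, "approve_expenses"),
        "resource_limit": resource_limit(policies, "modify", "customer-db", 5),
    }


if __name__ == "__main__":
    print(check_all())
```

Note that none of the four instances is wrong on its own; the conflicts only appear when group membership is expanded and the instances are considered together, which is why these constraints live at the level of the policy set (roles, mstructs) and not inside a single policy.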

Slide 33: Policy Implementation (diagram)
- Policy service: edit, enable, disable ... policies; queries subjects and targets through the domain service
- Authorisation policies are enforced at the target objects
- Obligation and refrain policies go to policy management agents (subjects), which perform actions on target objects
- Monitoring service delivers events to the agents

Slide 34: Policy Management Agent (diagram)
- Generic interface: distribute, remove, enable, disable obligation and refrain policies; load, unload code
- Agent-specific functions; programming execution environment for the policies
- Application-specific interface: operations on target objects; incoming events

Slide 35: Authorisation Agent (diagram)
- Load, remove, enable, disable policies
- Authentication
- Policies map onto operating system or object-support access control mechanisms

Slide 36: Future Work
- Inter-organisational policy negotiation
- Policy-based response to network attacks
- Refinement and analysis tools
- Trust specification, analysis and refinement into security management policy
- Case studies and implementation
- Policy-based programmable networks: policy-aware applications; policy-based network elements, routers and firewalls; direct implementation of policy in hardware (FPGAs)

Slide 37: Policy and efficiency
- Computation efficiency: in the manager, in the agent
- Communication efficiency: creating policies, access to policies, encoding policy
- The old tradeoff: abstraction vs. efficiency
- A newer tradeoff: distributing policies or keeping them in a centralized repository

Slide 38: Event correlation
- What is an event? An example: an error log file
- We want to reduce the number of events and to find the root event

Slide 39: Event correlation: issues
- False positives vs. false negatives
- Efficiency: which resource is limited, communication or computation
- Centralized vs. distributed
- Where will the knowledge come from
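The two goals of slide 38 (fewer events, find the root event) and the false-positive/false-negative tradeoff of slide 39, as one added Python example (not the lecture's code). It compresses repeated events from a constructed error log and separates root events from symptoms using a small map of which event type can cause which; that map, the log lines and the 30-second window are constructed assumptions standing in for the topology knowledge the slide asks about.

```python
"""Event correlation over a constructed error log (added illustration)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log: one link failure causing an OSPF adjacency loss and
# application DB errors, plus one unrelated authentication failure.
LOG = """\
2006-03-06 10:00:01 r1 LINK_DOWN Gi0/1
2006-03-06 10:00:02 r1 OSPF_NEIGHBOR_DOWN 10.1.1.2
2006-03-06 10:00:02 r1 OSPF_NEIGHBOR_DOWN 10.1.1.2
2006-03-06 10:00:03 app1 DB_CONN_FAIL db1
2006-03-06 10:00:03 app1 DB_CONN_FAIL db1
2006-03-06 10:00:04 app1 DB_CONN_FAIL db1
2006-03-06 10:20:00 fw1 AUTH_FAIL admin
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")
# symptom type -> the type that can cause it (constructed dependency knowledge)
CAUSED_BY = {"OSPF_NEIGHBOR_DOWN": "LINK_DOWN", "DB_CONN_FAIL": "OSPF_NEIGHBOR_DOWN"}


def parse(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:                                        # skip lines that do not parse
            events.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           "node": m.group(2), "type": m.group(3), "detail": m.group(4)})
    return events


def compress(events: List[Dict], window: timedelta) -> List[Dict]:
    """Duplicate suppression: the same node/type/detail within the window becomes
    one event carrying a count (first timestamp kept)."""
    out: List[Dict] = []
    for e in events:
        key = (e["node"], e["type"], e["detail"])
        for c in out:
            if (c["node"], c["type"], c["detail"]) == key and e["ts"] - c["ts"] <= window:
                c["count"] += 1
                break
        else:
            out.append(dict(e, count=1))
    return out


def root_causes(events: List[Dict], window: timedelta) -> Tuple[List[int], Dict[int, int]]:
    """An event is a symptom if an event of its possible cause type occurred within
    the window before it; the others are roots. Returns (root indices, symptom -> cause)."""
    causes: Dict[int, int] = {}
    roots: List[int] = []
    for i, e in enumerate(events):
        cause_type = CAUSED_BY.get(e["type"])
        earlier = [j for j, c in enumerate(events[:i])
                   if c["type"] == cause_type and timedelta(0) <= e["ts"] - c["ts"] <= window]
        if earlier:
            causes[i] = earlier[-1]          # most recent candidate cause
        else:
            roots.append(i)
    return roots, causes


def correlate(log: str = LOG, window_seconds: int = 30):
    """Returns (roots as (type, count), symptom type -> ultimate root type, raw event count)."""
    window = timedelta(seconds=window_seconds)
    raw = parse(log)
    ev = compress(raw, window)
    roots, causes = root_causes(ev, window)

    def ultimate(i: int) -> int:             # follow the chain up to the root
        while i in causes:
            i = causes[i]
        return i

    return ([(ev[i]["type"], ev[i]["count"]) for i in roots],
            {ev[s]["type"]: ev[ultimate(s)]["type"] for s in causes},
            len(raw))


if __name__ == "__main__":
    print(correlate())
```

With the 30-second window, seven raw events reduce to two roots (the link failure and the unrelated login failure), and both symptom types are attributed to LINK_DOWN. Shrinking the window to zero seconds stops the attribution and every compressed event becomes its own root: a too-small window produces false negatives (missed correlations), while a too-large one would start chaining unrelated events together, the false-positive side of the tradeoff on slide 39.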

Slide 40: Web based NM
- Web based tools are out there: HTML, XML, easy to use tools, and the knowledge is available
- Should we use it for NM?
- Cons: portability, ease of use, reusable code

Slide 41: SNMP/Web-based Network Management (diagram)
- A web based manager talks to a web/SNMP gateway server (with push and a notification service)
- The gateway issues SNMP Get/Set to the SNMP agent and receives SNMP traps from it

Slide 42: Web based NM
- Is it good? Is it efficient? Do we really need it?

Slide 43: Overall CONTEXT Architecture (diagram)
- Service Layer: consumer scripts/users and provider scripts/users; service subscription/customization server; policy-based service lifetime management; high-level service APIs; Service 1 ... Service N; context-aware service creation server
- Active Application Layer: active application network platform; low-level medium-specific APIs
- IP Layer: network element abstraction over GPRS, IP and WLAN
- These are the layers considered in CONTEXT

Slide 44: Demo architecture (diagram)
- WP5: services demo
- WP2: service management (policy server, context services repository, service deployment, context services creation server)
- WP3: active management platform / active application layer (application servers, AS)
- WP4: network management platform
- Technology/infrastructure demo spanning a mobile network (mobile user) and the Internet (fixed user)

Slide 45: Service Framework (diagram)
- The CAS (context-aware service) provider registers and manages services through proxies: SLA/policy management tool, policy repository, component DB, subscription portal
- Policy-based CAS control module: CAS composition and CAS reconfiguration
- Context management module with context DB; a context change is reported and triggers re-reasoning of the policies
- CAS PEPs; WLAN broker, QoS broker, control broker, context info broker
- DINA packet formatter, DINA API, AAL, active packets, over WLAN / IP / GPRS

Slide 46: Service Framework: Definition and Realization (diagram)
- Service creation: service definition modules, context info, realization, action, functional broker
- Service publication; service management logic: configuration, subscription, invocation, assurance, deployment
- Customers, active node execution environments (AN EE) and CIAH across the network


Slide 48: Where is the Management?
- What if it does not work? Configuration management and provisioning
- What if it does not pay? Accounting management
- What if it works slowly? Performance management
- What if it works badly? Fault management
- What if it works against you? Security management

Slide 49: What is NM? (diagram)
- Normal operation conditions; network management
- It is all a matter of design

Slide 50: The Challenges
- Guarantee the desired end-to-end QoS to the application
- Utilize much of the available resources with as little overhead as possible
- Automated discovery and configuration in a heterogeneous environment
- Distributed, cost-aware network management

Slide 51: Our Goal
- Introduce efficiency to network management using active networks technology
- Shorter control loops
- Fusion of control messages in the network
- Exposing the actual cost to the programmer

Slide 52: Are Active Networks Efficient?
- An AN node is always slower than a router (fast/slow track)
- System view: fewer packets, shorter control loops, smarter algorithms

Slide 53: Course Objectives
- Advanced course in computer communication networks
- Provide basic knowledge of the field of network management
- Understand the challenges of efficient network management, and the modern techniques that may help to generate tools that address these challenges (mobile code, active networks)
