Post on 05-Apr-2018
7/31/2019 Ch3 Network Implementation
1/132
Network Implementation and Management Strategies
Outline
Explain why a network implementation strategy is needed
Examine the principles of network design
Explain why a network management strategy is needed
Describe network management categories and related activities
Classify current network management tools according to functionality
Examine different network management strategies
Select a management strategy for this book
Network Implementation Strategy: Design
Network Implementation Design Analysis

Analysis Category: Issues
Geographical Distribution:
  1. Office: subnets, LAN
  2. Department (many offices): subnets, LAN
  3. Division (many departments): LAN, WAN
  4. Organization (many divisions):
     Local: LAN, MAN, WAN
     National: WAN
     Global: WAN
Network Implementation Design Analysis (cont.)

Subnets:
  1. How many
     Connectivity: bridges, switches, routers
  2. Ethernet / wireless
     Number of receivers; location of hub(s)
     10BASE-T, 10BASE2, 10BASE5
  How many IP addresses: static addresses; addresses supplied by DHCP
Network Implementation Design Analysis (cont.)

LAN:
  1. How many
  2. Domain names
  3. DNS (Domain Name Service) configuration
  4. Network address
  5. Subnets: how many
  6. Connectivity: switched Ethernet; router
  7. Ethernet
  8. Token Ring
  9. FDDI (Fiber Distributed Data Interface)
Network Implementation Design Analysis (cont.)

MAN (Metropolitan Area Network):
  1. Connectivity between LANs: FDDI; SONET (Synchronous Optical Network); LAN; ATM; SMDS (Switched Multi-megabit Data Service); DQDB (Distributed Queue Dual Bus); Ethernet

WAN:
  1. Connectivity between LANs or MANs: PSTN; X.25; T1-T3; SONET; Frame Relay; SMDS; ATM
  2. Distribution of services
Network Implementation Design Analysis (cont.)

Bandwidth Requirements:
  1. Video bandwidth: constant; time dependent; bandwidth on demand
  2. Audio bandwidth: constant; time dependent; bandwidth on demand
  3. Teleconferencing bandwidth

Media Requirements:
  1. Cable
  2. Wireless
  3. Microwave
  4. Satellite
  5. Optical fiber
Network Implementation Design Analysis (cont.)

Technology:
  1. What is available now
  2. Minimum required for the job
  3. Technology improvements during the next 5 years
  4. Required to support expected growth

Service Level Agreements (SLA):
  1. Specified bandwidth available at any time
  2. Specified bandwidth available during specified time periods
  3. Bandwidth on demand

Security Requirements:
  1. Location of firewalls
  2. Firewall capabilities
  3. Location of proxy servers
  4. Encryption and authentication needs
  5. Network Intrusion Detectors (NID)

Budget:
  1. To support the resources of the optimum network
  2. To support the resources of the minimum network
Network Management Categories and Associated Metrics

Category: Metrics
Reliability: transmission error rates; dropped packets; link failures
Faults: proactive prevention; detection; location; correction time
Availability: mean time between failures (MTBF) of the network
Performance: time to provide a response to the user; processor total use; processor interrupts/sec; processor queue length; transmit packet lengths
Network Management Categories and Associated Metrics (cont.)

Throughput: bytes per second that a user can expect to transmit reliably; guaranteed throughput based on a Service Level Agreement (SLA)
  Data: packet throughput
  Voice: ordered packet throughput
  Video: link bandwidth; bandwidth on demand
Use: packets/sec; transactions/sec
Resource Use: application software; network devices; services; permanent storage; CPU
Network Management Categories and Associated Metrics (cont.)

Policies:
  Traffic: what's critical; how many network control packets; which threshold alarms; alerts on what events; what's non-critical
  Backup: what and how often; application testing; software upgrades (how often)
  Administration: type of service availability required; security level required; firewall protection requirements; network intrusion detection needs; number of software license requirements; user rights requirements and how they are distributed among which users
Redundancy: number of redundant systems required; critical alternate paths
User Support: automatic responses to user questions about procedures; automatic responses to user questions about network problems; automatic reporting of problems and solutions to users and to a database
Network Management Categories and Associated Metrics (example: Micromuse Netcool/OMNIbus; screenshot not reproduced)
ISO Network Management Categories (figure not reproduced)
ISO Network Management Categories (cont.)
Performance Management: tells you how the network is doing
Fault Management: tells you what your network is doing
Configuration Management: tells you where everything is in the network
Security Management: tells you who is using your network
Accounting Management: tells you when your network is used
Performance Management
Measuring the performance of network hardware, software, and media.
Metrics: overall throughput; percentage utilization; error rate; response time.
Performance Management Sub-Categories and Related Activities

Collecting Baseline Utilization Data:
  Measuring link utilization using a probe
  Counting packets received/transmitted by a specific device
  Measuring device processor usage
  Monitoring device queue lengths
  Monitoring device memory utilization
  Measuring total response times

Collecting a History of Utilization Data:
  Measuring utilization and response times at different times of the day
  Measuring utilization and response times on different days over an extended period

Capacity Planning:
  Manually graphing, or using a network management tool to graph, utilization as a function of time to detect trends
  Preparing trend reports to document the projected need for, and the cost of, network expansion
Performance Management Sub-Categories and Related Activities (cont.)

Setting Notification Thresholds:
  Having a network management tool poll devices for the values of critical parameters and graph these values as a function of time
  Setting polling intervals
  Setting alarms/alerts on those parameters when the threshold, or a percentage of it, is reached
  Initiating an action when the threshold is reached, such as sending a message to the network manager

Building Databases:
  Having the network management tool create a database of records containing device name, parameter, threshold and time for off-line analysis
  Using the database to extract the time dependence of utilization
  Using the time dependence of parameters to decide when network upgrades will be necessary to maintain performance

Running Network Simulations:
  Using a simulation tool to develop a model of the network
  Using the model's parameters and utilization data to optimize network performance

Latency:
  Query/response time interval
Implementing Steps of Performance Management
1. Collect performance data (which variables to measure)
2. Analyze and graph the performance information
3. Set up thresholds (Threshold)
4. Predict future performance
Data to collect
Hosts: processor load, disk access rate, network interface card utilization
Forwarding devices (routers, switches): packet forwarding rate, processor load, percentage of dropped frames on each interface, number of packets being held in a queue
Link Utilization

Shared (half-duplex) media, e.g. Ethernet, Token Ring, FDDI:
  util% = (total bits sent + total bits received) / (bandwidth x interval) x 100%

Full-duplex serial link, e.g. 64K, ..., T1, T3:
  util% = max(total bits sent, total bits received) / (bandwidth x interval) x 100%

bandwidth is the link speed in bits per second and interval is the length of the measurement period in seconds. On a shared medium both directions compete for the same capacity, so they are added; on a full-duplex link each direction has its own capacity, so the busier direction sets the utilization.
Measuring utilization with SNMP
Read the SNMP MIB-II interface counters ifInOctets and ifOutOctets at the start and at the end of the interval; the difference between the two readings is the number of octets received or sent during the interval.
  bits = (ifInOctets or ifOutOctets at end of interval - value at start of interval) x 8
  util% = bits / (bandwidth x interval) x 100%
Example

T1 link (1.544 Mbps), counters read 5 minutes apart:
10:00 AM: ifInOctets = 1,500,000
          ifOutOctets = 1,200,000
10:05 AM: ifInOctets = 2,500,000
          ifOutOctets = 7,200,000

In:  2,500,000 - 1,500,000 = 1,000,000 bytes
Out: 7,200,000 - 1,200,000 = 6,000,000 bytes
A T1 is a full-duplex link, so take the larger direction:
  max(1,000,000, 6,000,000) bytes = 6,000,000 bytes = 48,000,000 bits
Util% = 48,000,000 / (1,544,000 x 60 x 5) x 100%
      = 10.36%
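The calculation above, as an added Go example (not code from the original slides): it reproduces the T1 figure, shows what the same counters give on a shared half-duplex medium, and handles the detail the slides only hint at later, namely that ifInOctets/ifOutOctets are 32-bit counters that wrap to zero. The sample values are the ones from the text; the wrapped counter and the link speeds in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Sample is one SNMP poll of an interface's MIB-II octet counters.
// ifInOctets and ifOutOctets are Counter32 objects: they count up to
// 2^32-1 and then wrap to 0, so a delta must be taken modulo 2^32.
type Sample struct {
	Seconds   int64  // poll time, seconds since the epoch
	InOctets  uint32 // ifInOctets at poll time
	OutOctets uint32 // ifOutOctets at poll time
}

// counterDelta returns cur-prev for a Counter32, allowing for one wrap.
func counterDelta(prev, cur uint32) uint64 {
	if cur >= prev {
		return uint64(cur - prev)
	}
	return (1 << 32) - uint64(prev) + uint64(cur)
}

// Utilization returns the link utilization in percent over the interval
// between prev and cur. bandwidthBps is the link speed in bits/s (ifSpeed).
// On a shared half-duplex medium (Ethernet hub, Token Ring, FDDI) traffic in
// both directions competes for the same capacity, so in and out are added.
// On a full-duplex serial link (64K, T1, T3) each direction has its own
// capacity, so the busier direction sets the utilization.
func Utilization(prev, cur Sample, bandwidthBps uint64, fullDuplex bool) (float64, error) {
	interval := cur.Seconds - prev.Seconds
	if interval <= 0 {
		return 0, errors.New("samples are out of order or identical")
	}
	if bandwidthBps == 0 {
		return 0, errors.New("bandwidth must be non-zero")
	}
	inBits := counterDelta(prev.InOctets, cur.InOctets) * 8
	outBits := counterDelta(prev.OutOctets, cur.OutOctets) * 8
	bits := inBits + outBits
	if fullDuplex {
		bits = inBits
		if outBits > inBits {
			bits = outBits
		}
	}
	capacity := float64(bandwidthBps) * float64(interval)
	return float64(bits) * 100 / capacity, nil
}

// MaxSafeInterval is the longest polling interval, in seconds, for which a
// Counter32 on a link of the given speed can wrap at most once between
// polls. Beyond it the delta is ambiguous and the 64-bit ifHCInOctets /
// ifHCOutOctets counters from the IF-MIB should be polled instead.
func MaxSafeInterval(bandwidthBps uint64) float64 {
	return float64(uint64(1)<<32) * 8 / float64(bandwidthBps)
}

func main() {
	// The T1 example from the text: counters read at 10:00 and 10:05.
	at1000 := Sample{Seconds: 0, InOctets: 1_500_000, OutOctets: 1_200_000}
	at1005 := Sample{Seconds: 300, InOctets: 2_500_000, OutOctets: 7_200_000}
	u, _ := Utilization(at1000, at1005, 1_544_000, true)
	fmt.Printf("T1 (full duplex) utilization: %.2f%%\n", u)

	u, _ = Utilization(at1000, at1005, 1_544_000, false)
	fmt.Printf("same counters on a shared medium: %.2f%%\n", u)

	// Constructed counter wrap: ifInOctets passed 2^32-1 between two polls.
	wrapped := Sample{Seconds: 600, InOctets: 1_000_000, OutOctets: 7_300_000}
	fmt.Println("octets across the wrap:", counterDelta(4_294_000_000, wrapped.InOctets))

	for _, bps := range []uint64{1_544_000, 100_000_000, 1_000_000_000} {
		fmt.Printf("%d bit/s: Counter32 is safe to poll every %.0f s at most\n", bps, MaxSafeInterval(bps))
	}
}
```

The last loop is the practical caveat: a 5-minute poll is fine for a T1 (the counter needs about six hours to wrap) but not for a gigabit link, where a Counter32 can wrap in 34 seconds.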
Service Level Measurement
Total Response Time
Rejection Rate
Availability
Service Level Measurement (cont.)
Total Response Time
  The amount of time it takes a request to enter the network and be processed, and for a response to leave the network.
  Measured from the viewpoint of applications.
  Round Trip Time (RTT), by contrast, is measured from the viewpoint of the transport protocol.
Service Level Measurement (cont.)
Rejection Rate
  The percentage of time the network cannot transfer information because of a lack of resources or performance.
Availability
  The percentage of time the network is accessible for use and operational.
  Usually derived from MTBF (Mean Time Between Failures): availability = MTBF / (MTBF + MTTR), where MTTR is the mean time to repair.
Analysis of Performance Information
Graphic performance information:
  Historical plots: weekly, monthly, quarterly, yearly
  Real-time graphical analysis
  Trend prediction
Example of Performance Management (MRTG utilization graphs for TANET-NCTU-1 and TANET-NCTU-2; screenshots not reproduced)
Reference: http://mrtg.twaren.net/mrtg
What to be Analyzed/Graphed?
Device information: memory usage, processor utilization, disk access rate, number of sessions
Link information: utilization, error rate, error percentage
Threshold Setup
Set thresholds on a variety of items affecting network performance.
When the thresholds are crossed, events are reported.
In general, the values of thresholds are determined according to past experience.
Thresholds
Threshold priority: in general low, medium, high
Multiple threshold values for the same item
Thresholds for multiple items
Use a rearm mechanism to avoid frequent threshold events
Rearm (figure not reproduced): util% plotted against time over polling intervals 1 to 7, with a threshold line and a lower rearm line. A threshold event is raised when util% rises above the threshold; no further event is raised until util% has dropped below the rearm value, after which the threshold is armed again.
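The rearm mechanism as an added Go example (not code from the slides). It feeds a constructed series of seven utilization polls through a threshold with and without a rearm level, so the difference in event count is visible, and maps each value to the Critical/Major/Minor/Warning/Normal states the status map in these slides uses. The sample values and the 70%/50% threshold and rearm levels are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Severity maps a utilization percentage to the states used on the status
// map in these slides: >80% Critical, >60% Major, >40% Minor,
// >20% Warning, otherwise Normal.
func Severity(util float64) string {
	switch {
	case util > 80:
		return "Critical"
	case util > 60:
		return "Major"
	case util > 40:
		return "Minor"
	case util > 20:
		return "Warning"
	default:
		return "Normal"
	}
}

// Alarm is a threshold with a rearm level. Once the threshold is crossed the
// alarm is disarmed and stays silent until the value has fallen back to or
// below the rearm level; only then can it fire again. This hysteresis keeps a
// value hovering around the threshold from flooding the manager with events.
type Alarm struct {
	Threshold float64
	Rearm     float64
	armed     bool
}

func NewAlarm(threshold, rearm float64) (*Alarm, error) {
	if rearm >= threshold {
		return nil, errors.New("rearm level must be below the threshold")
	}
	return &Alarm{Threshold: threshold, Rearm: rearm, armed: true}, nil
}

// Feed consumes one polled value and reports whether an event is raised.
func (a *Alarm) Feed(v float64) bool {
	switch {
	case a.armed && v >= a.Threshold:
		a.armed = false
		return true
	case !a.armed && v <= a.Rearm:
		a.armed = true
	}
	return false
}

// EventsWithRearm returns the 1-based poll numbers at which an alarm with
// the given threshold and rearm level fires.
func EventsWithRearm(samples []float64, threshold, rearm float64) ([]int, error) {
	alarm, err := NewAlarm(threshold, rearm)
	if err != nil {
		return nil, err
	}
	var fired []int
	for i, v := range samples {
		if alarm.Feed(v) {
			fired = append(fired, i+1)
		}
	}
	return fired, nil
}

// EventsNaive fires on every poll at or above the threshold, which is what a
// tool without a rearm mechanism does.
func EventsNaive(samples []float64, threshold float64) []int {
	var fired []int
	for i, v := range samples {
		if v >= threshold {
			fired = append(fired, i+1)
		}
	}
	return fired
}

func main() {
	// Constructed utilization polls (%) for seven intervals, like the figure.
	samples := []float64{60, 75, 72, 78, 45, 80, 73}
	fmt.Println("events without rearm (threshold 70%):", EventsNaive(samples, 70))
	withRearm, _ := EventsWithRearm(samples, 70, 50)
	fmt.Println("events with rearm at 50%:", withRearm)
	for i, v := range samples {
		fmt.Printf("poll %d: %4.0f%% -> %s\n", i+1, v, Severity(v))
	}
}
```

Without rearm the manager receives five events for what is one overload episode interrupted by a dip; with rearm it receives two, one per episode, because polls 3 and 4 arrive while the alarm is still disarmed.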
Performance Prediction
Use regression to predict the future trend.
Apply statistics theory.
Consider the possible factors that affect the prediction.
Network simulation.

Prediction (figure not reproduced): util% plotted against time, showing the computed actual utilization, the predicted utilization increase extrapolated from it, and the threshold value; the point where the predicted line meets the threshold is when an upgrade becomes necessary.
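The prediction step as an added Go example (not code from the slides): a least-squares fit through a history of daily utilization readings, the point where the fitted line meets the threshold, and r-squared as the sanity check the slide's "consider the factors that affect the prediction" asks for. The daily readings in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// LinearFit computes the least-squares line y = slope*x + intercept through
// the points (xs[i], ys[i]). r2 is the fraction of the variance in ys that
// the line explains (1.0 is a perfect fit; a low value means a straight-line
// forecast should not be trusted).
func LinearFit(xs, ys []float64) (slope, intercept, r2 float64, err error) {
	if len(xs) < 2 || len(xs) != len(ys) {
		return 0, 0, 0, errors.New("need at least two paired samples")
	}
	n := float64(len(xs))
	var sumX, sumY float64
	for i := range xs {
		sumX += xs[i]
		sumY += ys[i]
	}
	meanX, meanY := sumX/n, sumY/n
	var sxx, sxy, syy float64
	for i := range xs {
		dx, dy := xs[i]-meanX, ys[i]-meanY
		sxx += dx * dx
		sxy += dx * dy
		syy += dy * dy
	}
	if sxx == 0 {
		return 0, 0, 0, errors.New("all samples have the same x")
	}
	slope = sxy / sxx
	intercept = meanY - slope*meanX
	r2 = 1
	if syy > 0 {
		r2 = (sxy * sxy) / (sxx * syy)
	}
	return slope, intercept, r2, nil
}

// CrossingTime returns the x at which the fitted line reaches threshold. The
// second result is false when the trend is flat or falling: it never crosses.
func CrossingTime(slope, intercept, threshold float64) (float64, bool) {
	if slope <= 0 {
		return math.Inf(1), false
	}
	return (threshold - intercept) / slope, true
}

// dayIndex returns 0, 1, ..., n-1 as the x values of daily readings.
func dayIndex(n int) []float64 {
	xs := make([]float64, n)
	for i := range xs {
		xs[i] = float64(i)
	}
	return xs
}

// DaysUntilUpgrade runs the whole procedure on daily peak-utilization
// readings (oldest first): fit the trend, then report how many days after
// the last reading the threshold will be crossed (0 when it already has).
func DaysUntilUpgrade(dailyUtil []float64, threshold float64) (days float64, crosses bool, err error) {
	slope, intercept, _, err := LinearFit(dayIndex(len(dailyUtil)), dailyUtil)
	if err != nil {
		return 0, false, err
	}
	x, ok := CrossingTime(slope, intercept, threshold)
	if !ok {
		return 0, false, nil
	}
	return math.Max(0, x-float64(len(dailyUtil)-1)), true, nil
}

func main() {
	// Constructed history: ten daily peak-utilization readings (%) rising
	// about two points a day with a little noise.
	history := []float64{30.5, 31.8, 34.4, 35.9, 38.3, 40.1, 41.7, 44.6, 45.8, 48.2}
	slope, intercept, r2, _ := LinearFit(dayIndex(len(history)), history)
	fmt.Printf("trend: %.2f%% per day from %.1f%% (r2=%.3f)\n", slope, intercept, r2)
	days, ok, _ := DaysUntilUpgrade(history, 80)
	fmt.Printf("80%% threshold crossed: %v, in %.1f days\n", ok, days)
}
```

A straight line is the simplest model; the slide's reminder to consider other factors applies here, for instance a term-start jump on a campus network would break the linear assumption, which a falling r2 would reveal.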
Fault Management
Detection of a problem, fault isolation, and correction back to normal operation.
A goal is to use trend analysis to predict faults and change network conditions so that the network is always available to users.
Fault management involves the following steps:
  Discover the problem
  Isolate the problem
  Fix the problem (if possible)
Fault Management Sub-Categories and Related Activities

Prioritization:
  Prioritize faults in the order in which they should be addressed
  Use in-band management packets to learn about important faults
  Identify which fault events should cause messages to be sent to the manager
  Identify which devices should be polled and at what intervals
  Identify which device parameter values should be collected and how often
  Prioritize which messages should be stored in the manager's database

Timeliness Required:
  Management station is passive and only receives event notifications
  Management station is active and polls for device variable values at required intervals
  Application periodically requests a service from a service provider

Physical Connectivity Testing:
  Using a cable tester to check that links are not broken
Fault Management Sub-Categories and Related Activities (cont.)

Software Connectivity Testing:
  Using an application that makes a request of another device that requires a response
    The most common application for this is ping (ping.exe on Windows). It uses the Internet Control Message Protocol (ICMP) to send periodic Echo Request messages to a selected device on a TCP/IP network and waits for the Echo Replies
    An application on one device makes a request of an application on another device

Device Configuration:
  Devices are configured conservatively to minimize the chance of dropped packets

SNMP Polls:
  Devices are periodically polled to collect network statistics

Fault Reports Generated:
  Thresholds configured and alarms generated
  Text media used for reports
  Audio media used for reports
  A color graphical display used to show down devices
  Human manager notified by pager

Traffic Monitored:
  Remote monitors used
  Protocol analyzers used
  Traps sent to the network management station
  Device statistics monitored

Trends:
  Graphical trends generated to identify potential faults
Executing Steps for Fault Management
Discover the problem: identifying the occurrence of a fault on the network
Isolate the problem: isolating the cause of the fault
Fix the problem (if possible): correcting the fault
Discover the Problem
Two ways of learning about a fault:
  Event report: the device reports the event (e.g. an SNMP trap) to the management station
  Periodic polling: the management station asks the device
Periodic Polling
Typical polling interval: 5 to 15 minutes.
SNMP counters (Counter32) are 32 bits wide and wrap around to zero after 2^32 - 1, so the polling interval must be short enough that a counter cannot wrap more than once between two polls.
PING
PING: Packet Internet Groper
PING sends ICMP Echo Request messages and waits for the ICMP Echo Reply messages.
Works with any TCP/IP host.
Reports the Round Trip Time and the Packet Loss Rate.
An Example of PING (screen output not reproduced)

Sources used to discover a problem: ping results; logs; interface operational status.
Handling a Network Event
  Interpret the event (Interpret Event)
  Poll the device (Polling)
  Correlate related events (Event Correlation)
  Poll again if needed (Polling)
  Map the event to an action (Event/Action)
(figure of the reply / poll / event cycle not reproduced)
Fault-handling flowchart (reconstructed from the figure):
  Network polling / receive network event: a critical network event arrives and is interpreted.
  Event = Link Down?
    No: alert the user with the event.
    Yes: check the carrier signal on the source interface.
  Carrier exists?
    No: alert the user "Link Down".
    Yes: put the interface in loopback and test the physical layer.
  Test passes?
    No: alert the user "Physical Layer Down".
    Yes: alert the user "Remote Device Down".
Notifying the Manager
Notification media: text; picture; audio; pager (B.B. Call); e-mail.
Status map example (screenshot not reproduced): monitored services POP, WWW, DNS, RAS and a T1 channel/port, each shown in one of the states Critical, Major, Minor, Warning, Normal, Unknown, Disable.
Status and threshold mapping
State:     Critical | Major | Minor | Warning | Normal    | Unknown
Color:     one distinct color per state on the map
Threshold: >80%     | >60%  | >40%  | >20%    | otherwise | -
Alarm Reporting
  Round Trip Time threshold setting
  Trouble ticketing
  Audio alarm
  Pager alarm
  E-mail alert
Example of Fault Management (network diagram not reproduced): an Internet-facing firewall/router connected to an FDDI backbone, an RMON device, UNIX hosts and PCs, and servers for user DNS, mail and WWW.
Configuration Management
The process of finding and setting up (configuring) network devices.
Automated configuration is becoming a more important part of network management as the sizes of networks grow.
Configuration Management Sub-Categories and Related Activities

Configuration (Local):
  Choice of medium access protocol
  Choice of correct cabling and connectors
  Choice of cabling layout
  Determining the number of physical interfaces on devices
  Setting device interface parameter values: interrupts; I/O addresses; DMA numbers; network layer addresses (e.g. IP, NetWare, etc.)
  Configuration of multiport devices (e.g. hubs, switches and routers)
  Use of the Windows Registry
  Comparing current versus stored configurations
  Checking software environments
  SNMP service

Configuration (Remote):
  From the network management station:
    Disabling device ports
    Redirecting port forwarding
    Disabling devices
    Comparing current versus stored configurations
    Configuring routing tables
    Configuring security parameters such as community strings and user names
    Configuring the addresses of the management stations to which traps should be sent
  Verifying the integrity of changes
Configuration Management Sub-Categories and Related Activities (cont.)

Configuration (Automated):
  Using the Dynamic Host Configuration Protocol (DHCP) to configure IP addresses
  Using Plug and Play enabled NICs for automatic selection of interrupts and I/O addresses
  Domain Name Service (DNS) addresses
  Trap messages from agents
Configuration Management Sub-Categories and Related Activities (cont.)

Inventory (Manual):
  Maintaining records of cable runs and the types of cables used
  Maintaining device configuration records
  Creating a network database containing, for each device: device type; software environment (operating system, utilities, drivers, applications, versions, configuration files such as .ncf, .ini, .sys); vendor contact information; IP address; subnet address

Inventory (Automated):
  Auto-discovery of devices on the network using an NMS
  Auto-determination of device configurations using an NMS
  Creation of a network database
  Auto-mapping of current devices to produce a network topological map
  Accessing device statistics using an NMS and the Desktop Management Interface (DMI)
Collecting configuration data: by SNMP queries, and by autodiscovery.
Auto-discovery
A method used by a network management system to dynamically find the devices attached to a data network.
Two approaches:
  1. Ping every address in the range
  2. Query the tables of already-known devices with SNMP and follow what they reveal
1. Ping
(1) Send out a query, such as an ICMP Echo (ping), to every possible address on the network.
(2) When a device answers the query, ask it for detailed information using a network management protocol (e.g. SNMP).
Example of Auto-discovery (I)
* Suppose the IP address of the NMS is 140.131.59.20 and the attached network is a Class B network (i.e. the netmask is 255.255.0.0).
  => Possible addresses: 140.131.0.1 ~ 140.131.255.254 (65,534 addresses to probe)
* If there exists another network, e.g. 163.25.149.0, interconnected with network 140.131.0.0, there is a router with at least two interfaces, with IP addresses 140.131.x.x and 163.25.149.x.
* By using SNMP to query the IP address table of the devices found by ping, we learn about the existence of other networks and devices.
Example of Auto-discovery (II)
* Suppose the IP address of the NMS is 140.131.59.20 and its default gateway is 140.131.59.254.
  => Rather than sweeping the whole address range, start from what the NMS and its gateway already know.
* Use SNMP to query 140.131.59.20 itself, or 140.131.59.254, for its ARP cache, TCP/UDP connection table, IP address table and routing table.
* Use SNMP to query the devices found in the previous query, and repeat until nothing new is found.
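Auto-discovery method (II) as an added Go example (not code from the slides). The network is a constructed inventory keyed by the 140.131.0.0/16 and 163.25.149.0/24 addresses used in the slides; QuerySNMP stands in for reading a device's IP address, ARP and routing tables over SNMP, and one host (10.1.1.5) has no agent so that the walk also shows what is left for a ping check. HostRange shows the size of the sweep that method (I) would need for the Class B network.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"sort"
)

// Device is what the NMS learns from one SNMP-capable node: the addresses and
// masks of its interfaces (ipAddrTable) and the addresses it has been talking
// to (ARP cache and routing-table next hops).
type Device struct {
	Name       string
	Interfaces []string // CIDR notation, e.g. "140.131.59.254/16"
	Neighbors  []string
}

// inventory is a constructed stand-in for the real network: an SNMP query to
// an address "succeeds" when the address belongs to a device listed here.
// 10.1.1.5 is deliberately absent, modelling a host without an SNMP agent.
var inventory = []*Device{
	{Name: "nms", Interfaces: []string{"140.131.59.20/16"}, Neighbors: []string{"140.131.59.254"}},
	{Name: "rtr-campus", Interfaces: []string{"140.131.59.254/16", "163.25.149.1/24"},
		Neighbors: []string{"140.131.59.20", "140.131.1.10", "163.25.149.2"}},
	{Name: "srv-dns", Interfaces: []string{"140.131.1.10/16"}, Neighbors: []string{"140.131.59.254"}},
	{Name: "rtr-branch", Interfaces: []string{"163.25.149.2/24", "10.1.1.1/24"},
		Neighbors: []string{"163.25.149.1", "10.1.1.5"}},
}

// QuerySNMP models "read the IP address, ARP and routing tables of this address".
func QuerySNMP(ip string) (*Device, bool) {
	for _, d := range inventory {
		for _, cidr := range d.Interfaces {
			if a, _, err := net.ParseCIDR(cidr); err == nil && a.String() == ip {
				return d, true
			}
		}
	}
	return nil, false
}

// Discover starts at the NMS's default gateway and queries every address
// learned from each device's tables until nothing new turns up. It returns the
// sorted device names, the network prefixes seen on their interfaces, and the
// addresses that did not answer (candidates for a later ping check).
func Discover(gateway string, query func(string) (*Device, bool)) (devices, networks, silent []string) {
	seenAddr, seenDev, seenNet := map[string]bool{}, map[string]bool{}, map[string]bool{}
	queue := []string{gateway}
	for len(queue) > 0 {
		ip := queue[0]
		queue = queue[1:]
		if seenAddr[ip] {
			continue
		}
		seenAddr[ip] = true
		d, ok := query(ip)
		if !ok {
			silent = append(silent, ip)
			continue
		}
		if seenDev[d.Name] {
			continue
		}
		seenDev[d.Name] = true
		devices = append(devices, d.Name)
		for _, cidr := range d.Interfaces {
			if a, n, err := net.ParseCIDR(cidr); err == nil {
				seenAddr[a.String()] = true // no need to query the same box via another interface
				seenNet[n.String()] = true
			}
		}
		queue = append(queue, d.Neighbors...)
	}
	for n := range seenNet {
		networks = append(networks, n)
	}
	sort.Strings(devices)
	sort.Strings(networks)
	sort.Strings(silent)
	return devices, networks, silent
}

// HostRange returns the first and last host address of an IPv4 prefix and the
// number of addresses a ping sweep of it would have to probe.
func HostRange(cidr string) (first, last string, count uint32, err error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", "", 0, err
	}
	ones, bits := n.Mask.Size()
	ip4 := n.IP.To4()
	if ip4 == nil || ones < 1 || ones > 30 {
		return "", "", 0, errors.New("need an IPv4 prefix between /1 and /30")
	}
	base := binary.BigEndian.Uint32(ip4)
	size := uint32(1) << uint(bits-ones)
	f, l := make(net.IP, 4), make(net.IP, 4)
	binary.BigEndian.PutUint32(f, base+1)
	binary.BigEndian.PutUint32(l, base+size-2)
	return f.String(), l.String(), size - 2, nil
}

func main() {
	first, last, count, _ := HostRange("140.131.0.0/16")
	fmt.Printf("ping sweep of 140.131.0.0/16: %s ~ %s, %d probes\n", first, last, count)
	devices, networks, silent := Discover("140.131.59.254", QuerySNMP)
	fmt.Println("devices:", devices, "networks:", networks, "no SNMP answer:", silent)
}
```

The walk reaches the branch network 10.1.1.0/24 in four SNMP queries instead of 65,534 pings, and hands back 10.1.1.5 as the one address still worth a ping.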
Compound Status
Status propagation from the members of a group to the group itself:
  Default
  Propagate Most Critical: the group takes the worst status of any member
  Propagate At Threshold Values (0-100%): the group status is set by the percentage of members in each state
    % Warning
    % Minor
    % Major
    % Critical
Configuration Changes
Manual modification is not efficient.
Automatic modification should be recorded.
The NMS can verify the configuration change.
Configuration Data Storage
Stored in a central location.
Consistency and availability of the configuration data are important.
CM data can be stored in ASCII text files or in DBMSs.
Configuration Management Tool Functions
Provide central storage of all network information.
Autodiscovery mechanism
Automapping facility
Automatic data acquisition
Allow the user to manually add additional configuration information
Search function
Configuration Management Tool Functions (cont.)
Automatically compare current and stored configuration data.
View the running configuration graphically.
Make configuration changes.
Centralized storage and easy retrieval of data.
Configuration event/alarm.
Graphical logical/physical view of devices.
Configuration Alarms (screenshot not reproduced)

Configuration Management Tool Functions (cont.)
The use of a DBMS
Evaluate device configurations
Allow complex queries of the data in the DBMS
Produce inventory reports
Provide a simple query interface for critical data
Example of Traceroute (screen output not reproduced)
Example of Configuration Management (screenshots not reproduced)
Example of Configuration Management: CHTNet (screenshot not reproduced)
Security Management
The process of controlling access to information on the networked system.
Security Management Sub-Categories and Related Activities

Applying Basic Techniques:
  Identifying hosts that store sensitive information
  Management of passwords
  Assigning user rights and permissions
  Recording failed logins
  Setting remote access barrier codes
  Employing virus scanning
  Limiting views of the enterprise network
  Tracking the time and origin of remote accesses to servers

Identifying Access Methods Used:
  Electronic mail
  File transfer
  Web browsing
  Directory service
  Remote login
  Remote procedure call
  Remote execution
  Network monitors
  Network management system
Security Management Sub-Categories and Related Activities (cont.)

Using Access Control Methods:
  Encryption
  Packet filtering at routers
  Packet filtering at firewalls
  Source host authentication
  Source user authentication

Maintenance:
  Audits of the activity at secure access points
  Executing security attack (test) programs against your own network (network intrusion detection)
  Detecting and documenting breaches

Accessing Public Data Networks:
  No restrictions: hosts are responsible for securing all access points
  Limited access: only some hosts can interface with the public data network, using a proxy server

Using an Automated Security Manager:
  Queries the configuration database to identify all access points for each device
  Reads event logs and notes security-related events
  Shows a security event on the network map
  Generates daily reports of invalid access attempts for analysis
Functions of Security Management
The creation, deletion, and control of security services and mechanisms.
The distribution of security-relevant information.
The reporting of security-relevant events.
Security Services
  Confidentiality
  Authentication
  Integrity
  Non-repudiation
  Access control
  Availability
Security Management Steps
1. Identifying the sensitive information to be protected
2. Finding the access points
3. Securing the access points
4. Maintaining the access points
Access Point
A piece of network hardware or software that allows access to the data network:
  Software services
  Hardware components
  Network media
Securing the Access Points
(1). Packet Filtering
(2). Host Authentication
(3). User Authentication
(4). Key Authentication
(5). Encryption
(1). Packet Filtering
Packet filtering can usually be performed in bridges, switches, and routers.
Packet filtering stops packets to or from unsecured hosts before they reach an access point.
Issues:
  Each network device that performs packet filtering must be configured.
  Filtering on addresses doesn't work if the unsecured host changes its address.
Packet Filtering Routers (diagram not reproduced): users on the protected network sit behind a router with ACLs; a public-access web server and the ISP/Internet connection are on the outside.
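A packet-filtering router's access list as an added Go example (not code from the slides). It evaluates a first-match ACL over constructed packets for the 140.131.0.0/16 network used in these slides, shows the issue the text raises (a blocked host that changes its address walks through the permit rule for the public web server), and adds the anti-spoofing rule a practitioner puts first, since an address-based filter cannot otherwise trust the source field. The addresses, interface names and rules are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// Packet carries the header fields a packet-filtering router inspects, plus
// the interface the packet arrived on.
type Packet struct {
	In      string // "inside" or "outside"
	Proto   string // "tcp", "udp" or "icmp"
	Src     net.IP
	Dst     net.IP
	DstPort int // 0 for icmp
}

// Rule is one access-list entry. Zero-valued fields match anything.
type Rule struct {
	Permit  bool
	In      string
	Proto   string
	Src     *net.IPNet
	Dst     *net.IPNet
	DstPort int
	Comment string
}

func (r Rule) matches(p Packet) bool {
	return (r.In == "" || r.In == p.In) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.Src == nil || r.Src.Contains(p.Src)) &&
		(r.Dst == nil || r.Dst.Contains(p.Dst)) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter applies the first matching rule; a packet that matches no rule is
// dropped (the implicit deny at the end of every access list).
func Filter(rules []Rule, p Packet) (permit bool, reason string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Permit, r.Comment
		}
	}
	return false, "implicit deny"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func ip(s string) net.IP { return net.ParseIP(s) }

// Constructed topology: the protected network 140.131.0.0/16 behind the
// router, a public web server at 140.131.59.80 and a known unsecured host at
// 163.25.149.66 on the outside.
var (
	protected = cidr("140.131.0.0/16")
	webServer = cidr("140.131.59.80/32")
	badHost   = cidr("163.25.149.66/32")
)

// AccessList is evaluated top to bottom. The first rule drops packets that
// arrive from outside while claiming an inside source address; without it,
// rule 4 would let a spoofed packet in.
var AccessList = []Rule{
	{Permit: false, In: "outside", Src: protected, Comment: "anti-spoofing: inside address from outside"},
	{Permit: false, Src: badHost, Comment: "blocked unsecured host"},
	{Permit: true, Proto: "tcp", Dst: webServer, DstPort: 80, Comment: "public web server"},
	{Permit: true, In: "inside", Src: protected, Comment: "outbound from protected network"},
}

func main() {
	packets := []Packet{
		{"outside", "tcp", ip("163.25.149.66"), ip("140.131.59.80"), 80}, // blocked host
		{"outside", "tcp", ip("163.25.149.67"), ip("140.131.59.80"), 80}, // same host, new address
		{"outside", "tcp", ip("140.131.1.1"), ip("140.131.1.10"), 22},    // spoofed inside source
		{"outside", "tcp", ip("163.25.149.67"), ip("140.131.1.10"), 22},  // to an internal host
		{"inside", "udp", ip("140.131.1.10"), ip("8.8.8.8"), 53},          // outbound DNS
	}
	for _, p := range packets {
		permit, why := Filter(AccessList, p)
		fmt.Printf("%-7s %s %s -> %s:%d permit=%v (%s)\n", p.In, p.Proto, p.Src, p.Dst, p.DstPort, permit, why)
	}
}
```

The second packet is the slide's caveat in action: the address-based deny no longer matches, and the web-server rule permits the traffic, which is why filtering by address has to be backed by authentication of the host or user at the access point.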
(3). User Authentication
Enable the service to identify each user before allowing that user access.
Password mechanism:
  Generally, passwords are transferred over the network without any encryption; use encrypted passwords (or an encrypted channel) instead.
  Users tend to make passwords easy to remember, and therefore easy to guess.
  If the passwords are not common words, users will write them down.
Host authentication and user authentication can be combined.
(4). Key Authentication
Key: a unique piece of information that authenticates the data in a transaction.
Key authentication: the destination host requires the source host of a transaction to present a key for the transaction.
Key server: a server that validates requests for transactions between hosts by giving out keys.
Participants: Source (S), Key Server (K), Destination (D)
1. S requests a remote login to D.
2. S requests a key from K.
3. K validates the request.
4. K sends a key to S.
5. S requests login to D with the valid key.
(message-sequence figure between S, K and D not reproduced)
93/132
Dear John:I am happy to know...
Dear John:I am happy to know...
atek49ffdlffffeffdsfsfsff
atek49ffdlffffeffdsfsfsff
plaintext plaintext
ciphertext ciphertextencryption decryption
(5). Encryption
Network
Cryptography / Encryption
Encryption: encode, scramble, or encipher the plaintext information to be sent.
Encryption algorithm: the method performed in encryption.
Encryption key: a string of bits that controls the encryption algorithm.
Plaintext: the text which is to be encrypted.
Ciphertext: the text after encryption is performed.
Encryption (figure not reproduced): plaintext + encryption key -> encryption algorithm -> ciphertext
Decryption (figure not reproduced): ciphertext + decryption key -> decryption algorithm -> plaintext
Encryption / Decryption (combined figure not reproduced)
98/132
Encryption Techniques
Private Key Encryption
Encryption Key = Decryption KeyAlso called Symmetric-Key Encryption, Secret-Key
Encryption, orConventional Cryptography.
Public Key Encryption
Encryption Key Decryption Key
Also calledAsymmetric Encryption
Private Key Encryption:
Private Key Encryption: DES (Data Encryption Standard)
Adopted by the U.S. Federal Government.
Both the sender and the receiver must know the same secret key to encrypt and decrypt messages with DES.
Operates on 64-bit blocks with a 56-bit key.
DES is a fast encryption scheme and works well for bulk encryption.
Issue: how to deliver the key to the other party safely?
Caveat: the 56-bit key space is small enough to search exhaustively in hours with modest hardware (see the key-search table below), so DES on its own no longer protects anything of value.
Other Symmetric Key Encryption Techniques
3DES (Triple DES)
RC2, RC4
IDEA (International Data Encryption Algorithm)
Key Size Matters! (figure not reproduced): the information lifetime a key can protect (hours, years, decades, centuries) plotted against the attacker's budget ($100s to $100M) for 40-bit, 56-bit and 168-bit keys; Triple-DES with a 168-bit key is marked as the recommended choice for commercial and corporate information.
Asymmetric Key in RSA: Key Length
Symmetric cipher key size (conventional) and the asymmetric (RSA/D-H) key size of comparable strength:

  Symmetric   Asymmetric (RSA/D-H)
   40 bits       274 bits
   56 bits       384 bits
   64 bits       512 bits
   80 bits      1024 bits
   96 bits      1536 bits
  112 bits      2048 bits
  120 bits      2560 bits
  128 bits      3072 bits
  192 bits     10240 bits
Average Time for Exhaustive Key Search

  Key size   Number of possible keys     Time at 1 encryption/usec      Time at 10^6 encryptions/usec
   32 bits   2^32  = 4.3 x 10^9          2^31 usec  = 36 min            2 msec
   56 bits   2^56  = 7.2 x 10^16         2^55 usec  = 1142 years        10 hours
  128 bits   2^128 = 3.4 x 10^38         2^127 usec = 5 x 10^24 years   5 x 10^18 years

On average half of the key space has to be tried before the key is found, hence 2^(n-1) trials for an n-bit key.

Performance: an asymmetric cipher costs roughly 30~200 times as much computation as a symmetric one (30~200 : 1), which is why the two are combined in hybrid encryption.
Hybrid Encryption Technology: PGP (Pretty Good Privacy)
Hybrid encryption technique:
  First compress the plaintext.
  Then create a session key, which is a one-time-only secret key.
  Using the session key, apply a fast conventional encryption algorithm to encrypt the plaintext.
  The session key is then encrypted with the recipient's public key.
  This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.
PGP Encryption (figure not reproduced)
PGP Decryption
The recipient uses its private key to recover the temporary session key.
Use the session key to decrypt the conventionally-encrypted ciphertext.
PGP Decryption (figure not reproduced)
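The PGP encryption and decryption steps above as an added Go example using the standard library (not PGP's own code and not from the slides): compress, generate a one-time session key, encrypt with a fast symmetric cipher, wrap the session key with the recipient's public key, and reverse the steps on receipt. The concrete choices of AES-256-GCM for the conventional cipher, RSA-OAEP for the key wrapping and DEFLATE for compression are assumptions; PGP's own algorithm set differs.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels to the recipient: the one-time session key wrapped
// to the recipient's RSA public key, the AES-GCM nonce and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair creates the recipient's RSA key pair; the public half is
// published, the private half never leaves the recipient.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func compress(p []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // fails only for a bad level
	if _, err := w.Write(p); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(c []byte) ([]byte, error) {
	return io.ReadAll(flate.NewReader(bytes.NewReader(c)))
}

// newGCM is the fast conventional cipher for the bulk data: AES-256 in GCM
// mode, which authenticates the ciphertext as well as encrypting it.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal follows the PGP steps: compress, generate a one-time session key,
// encrypt the data with it, then wrap the session key with RSA-OAEP under
// the recipient's public key.
func Seal(plaintext []byte, recipient *rsa.PublicKey) (*Envelope, error) {
	packed, err := compress(plaintext)
	if err != nil {
		return nil, err
	}
	sessionKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, packed, nil)}, nil
}

// Open reverses the steps with the recipient's private key. A modified
// ciphertext, nonce or wrapped key fails authentication and is reported as
// an error rather than decrypted into garbage.
func Open(e *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	packed, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	return decompress(packed)
}
```

Usage: the recipient calls NewKeyPair and publishes &key.PublicKey; a sender calls Seal(message, pub) and transmits the Envelope; the recipient calls Open(env, key). The symmetric cipher does the bulk work and only 32 bytes go through the slow RSA operation, which is the point of the 30~200 : 1 performance figure earlier in the slides; GCM's authentication tag additionally makes any bit flipped in transit fail in Open rather than decrypt silently.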
Digital Signatures
Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also to verify that the information is intact.
Public key digital signatures provide:
  authentication
  data integrity
  non-repudiation
Technique: public key cryptography
Simple Digital Signatures (figure not reproduced)
Secure Digital Signatures (figure not reproduced)
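A digital signature in the "secure" form, hash the message and sign the digest, as an added Go example (not code from the slides). It demonstrates the three properties listed above: the genuine message verifies, a one-digit change to the message is detected (integrity), and a signature made with someone else's private key is rejected (authentication and non-repudiation). RSA-PSS with SHA-256 and the sample message are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign produces a "secure digital signature" in the slides' sense: the message
// is hashed with SHA-256 and the digest, not the message itself, is signed
// with the sender's private key (RSA-PSS). Signing the digest keeps the
// signature short and fixed-size however long the message is.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature with the sender's
// public key. It passes only if the message is intact and the signature was
// made with the matching private key: authentication, data integrity and
// non-repudiation (nobody without the private key could have produced it).
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo signs a constructed message and reports whether the original verifies,
// whether a one-digit change is detected, and whether a signature made with
// someone else's key is rejected.
func Demo() (genuine, tamperDetected, impostorRejected bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	msg := []byte("Transfer 100 to account 42") // constructed message
	sig, err := Sign(sender, msg)
	if err != nil {
		return false, false, false, err
	}
	genuine = Verify(&sender.PublicKey, msg, sig)
	tamperDetected = !Verify(&sender.PublicKey, []byte("Transfer 900 to account 42"), sig)
	forged, err := Sign(impostor, msg)
	if err != nil {
		return false, false, false, err
	}
	impostorRejected = !Verify(&sender.PublicKey, msg, forged)
	return genuine, tamperDetected, impostorRejected, nil
}

func main() {
	genuine, tamper, impostor, err := Demo()
	fmt.Printf("genuine verifies: %v, tampering detected: %v, impostor rejected: %v, err: %v\n",
		genuine, tamper, impostor, err)
}
```

Non-repudiation holds only as long as the private key stays private, which is why the key management and certificate items in the VPN list later in these slides matter: a verifier also needs a trustworthy binding between the public key and the sender's identity.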
Maintaining the Secure Access Points
Locate potential and actual security breaches.
Audit trail
Security test programs
Attaching to a Public Network
No access
Full access: all individual computers should have security management.
Limited access: use a firewall to enforce security between the private and public networks.
Firewall
Firewall types:
  Packet filtering firewall
  Dual-homed host firewall
  Screened host firewall
  Screened subnet firewall
http://www.movies.acmecity.com/silent/6/doc/fwppt.zip
VPN (Virtual Private Network)
A VPN carries private traffic over a shared carrier network: X.25, Frame Relay, ATM, or the Internet.
(figure not reproduced)
VPN Building Blocks
Tunneling: IPSec (IP Security); PPTP (Point-to-Point Tunneling Protocol); L2TP (Layer 2 Tunneling Protocol)
Encryption/decryption: private/public/hybrid key encryption
Key management: SKIP (Simple Key Management for IP); IKE (ISAKMP/Oakley)
Authentication: username/password + token number; X.509 certificate issued by a Certificate Authority (CA)
Accounting Management
Accounting Management
Tracking each individual and group user's utilization of network resources, to better ensure that users have sufficient resources.
Enables charges to be established for the use of network resources, and the costs to be identified for the use of those network resources.
Accounting Management Sub-Categories and Related Activities

Gather Network Device Utilization Data:
  Measure usage of resources by cost center
  Set quotas to enable fair use of resources
  Site metering to track adherence to software licensing

Bill Users of Network Resources:
  Set charges based on usage; measure one of the following: number of transactions, number of packets, number of bytes
  Set charges based on the direction of information flow

Use Accounting Management Tools:
  Query the usage database to measure statistics versus quotas
  Define network billing domains
  Implement automatic billing based on usage by the users in the domain
  Enable billing predictions
  Enable user selection of billing domains on the network map

Reporting:
  Create historical billing trends
  Automatic distribution of billing to cost centers
  Project future billings by cost center
Accounting Management Terms
Metrics: measurement of the network resources used.
Quotas: the amount of a network's resources allowed for a user or group.
Billing: the process of charging users for the use of the data network and its associated services.
Billing Models
One-time installation fee and monthly fees
Fee based on the amount of network resources consumed: total number of transactions; total packets; total bytes sent; total bytes received
Fee based on the amount of time (for dial-up serial links)
Quota Monitoring
Monitor for any metric that exceeds a quota.
Store the metric data in the database of the NMS.
Report the metric data that exceeds a quota.
Use the database's "trigger" ability to automatically generate reports.
Accounting Management Tool Functions
Perform network billing.
Determine where to poll for billing information.
Forecast the need for network resources:
  to establish reasonable metrics and quotas
  to predict network billing costs for users
Generate accounting reports.
Billing Process Example
1. Get the network topology from the DBMS
2. Get the region the user selected on the network map
3. Determine the devices in the region
4. Find the devices to query (with the aid of the user's input)
5. Get billing information
6. Get pricing information
7. Get the polling rate
8. Start performing queries and calculations
Management Tools (screenshots not reproduced)

Network Management Configurations
Centralized configuration: management is centralized at the network management station on the backbone network.
Distributed configuration: the LANs are managed by a local NMS, while an NMS host connects to the backbone network.
Distributed Network Management
FIGURE 3-3: Distributed Network Management (figure not reproduced). Three LANs (LAN 1 / Node 1, LAN 2 / Node 2, LAN 3 / Node 3), each with a local NMS, a probe, agent-equipped workstations and a router (or hub) to the backbone; an NMS on the backbone oversees the whole.
Legend:
  Probe = Remote Monitor
  NMS = Network Management System
  WS = Workstation
  -------- = in-band or out-of-band management communication
Selected Management Strategy