Security Server


If there is one area of network management that has moved to the very top of the operator's agenda, it is security. There are many aspects to security provision; for example, IPSec can be deployed to protect the underlying managed network if all nodes implement it. All management traffic on such a managed network is then protected. There are other aspects to securing NMS, and we now study the elements of a Security Server from a number of perspectives:

  • Access application: SNMP, telnet, Secure Shell, Web, console (serial port)

  • Authentication: Password, community string, Kerberos, user-based security, Remote Access Dial-In User Service (RADIUS)

  • Privilege level: Superuser, Read-only, and User

  • Permitted views: Specific objects and sources

Each of the above is described in the following sections. Up to this point we have tacitly assumed that all management interaction with NEs goes via the NMS. In many cases this is not what occurs in practice, as operators use a range of access methods to achieve the following tasks:

  • NE configuration using a CLI

  • Fault access and analysis

These operations may be made directly on the NEs themselves. There are advantages and disadvantages to the use of direct NE access. However, it should be noted that a certain minimum number of steps, such as IP address assignment and SNMP enabling, is needed in order to configure an NE. In most cases, this set of steps has to be executed directly on the NE using a serial interface.

Access Applications

Access applications are the software facilities used to gain entry to the NMS. Depending on the design, the user can gain access either by direct connection to the NEs or via the NMS. Configuration using a CLI is a quick and generally easy way of bringing up a network. However, it presents a few security hazards:

  • Limited or no logging apart from that provided by the NE or CLI

  • Fairly open access to sensitive NE data

  • It may be error-prone, and help facilities may be quite limited

On the other hand, configuration carried out via the NMS can be piped to a comprehensive logging facility. Also, scripts can be maintained in the NMS for subsequent reuse (HP OpenView NNM provides this). In addition, a good NMS may provide extensive context-sensitive help or automated assistance to the user.

Some popular access applications are:

  • SNMP

  • Telnet

  • Secure Shell

  • Web

  • Console (serial port; requires an intermediate device such as a terminal server)

The different versions of SNMP provide the means by which an NMS can conveniently access NE MIB objects. Telnet is a simple method of gaining access to the CLI of a given NE. Secure Shell provides a secure method of accessing the NE CLI. Web access uses HTTP (or possibly the secure version of HTTP) for gaining access to a mixed textual and graphical management interface. Console access is essentially the same as telnet except that connection is made directly to a serial interface on the NE. These are typical applications for gaining access to NEs, and in the next section we look at ways in which degrees of security are added to them.

Authentication

Once the access application has been chosen, some means of authenticating (or checking and authorizing) the user must be selected. The most basic level of security is none, that is, the user is given unrestricted access. Moving up the security food chain, passwords provide a first level of protection against unauthorized access. The SNMP community string is essentially a password that has to be supplied in the SNMP messages sent to remote agents. If the community is not correct, then the message is discarded. SNMPv1/2c community strings are clear text embedded in SNMP messages sent over the wire. They are open to interception and therefore don't really provide any protection. Kerberos provides stronger security mechanisms in the form of a secret key network authentication protocol that allows a user to communicate using a DES-encrypted telnet session. The SNMPv3 framework provides the user-based security model (USM). This consists of authentication, privacy, and timeliness (which protects against the replaying of a captured message). RADIUS is a client/server protocol for the authentication of users trying to connect to a system via various access applications.
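As an added example (not code from the book), a minimal BER reader that inspects the SNMP message header and flags SNMPv1/v2c messages whose community string travels in clear text, the kind of check an NMS or traffic audit would apply before migrating agents to SNMPv3 USM. The two messages are constructed by hand for the example.

```python
# Constructed SNMP messages (not from the book), BER-encoded by hand:
# SNMPv1 GetRequest: SEQUENCE { version 0, community "public", GetRequest-PDU }
SNMPV1_GET = bytes.fromhex(
    "3018"                                   # SEQUENCE, 24 bytes of content
    "020100"                                 # INTEGER msgVersion = 0 (SNMPv1)
    "0406" "7075626c6963"                    # OCTET STRING "public": the credential, in the clear
    "a00b" "020101" "020100" "020100" "3000" # GetRequest-PDU, empty varbind list
)
# SNMPv3 message, truncated after msgVersion: no community string follows
SNMPV3_HDR = bytes.fromhex("3005" "020103" "3000")


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def snmp_credential_exposure(msg):
    """Return the SNMP version and, for v1/v2c, the clear-text community string."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("msgVersion INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                    # SNMPv1 (0) or SNMPv2c (1)
        tag, community, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace"),
                "cleartext_credential": True}
    # SNMPv3 carries USM security parameters instead of a community string
    return {"version": "v3" if version == 3 else f"unknown({version})",
            "community": None, "cleartext_credential": False}


def audit(messages):
    """List every captured message that exposes a community string on the wire."""
    return [f"{r['version']} message exposes community '{r['community']}'"
            for r in map(snmp_credential_exposure, messages)
            if r["cleartext_credential"]]
```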

Privilege Levels

Some security schemes provide different levels of authority to users, such as:

  • Read-only

  • User-level

  • Superuser

Read-only access allows only MIB gets; user-level allows gets and some sets; superusers can get and set all appropriate objects.

Permitted Views

It may be required to restrict the set of objects accessible to a given user. Two ways of doing this are:

  • Access control lists

  • Permitted object views

An access control list contains the source IP addresses allowed to connect to an NE. This is similar to the access control lists used in IP routers. Permitted object views specify a subset of MIB objects accessible to a given NMS user. Both access control lists and permitted object views are stored on NEs. However, the NMS can either retrieve (or discover) them from NEs or provision them in the first place.
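The privilege levels and permitted views above can be combined into a single authorization decision. The following is an added example (not from the book) of such a check as an NMS might apply before forwarding a get or set to an NE: a source-address access control list, a per-user privilege level, and per-user read and write object views expressed as OID subtrees. The policy, user names and addresses are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example policy (not from the book): permitted management sources
# plus per-user privilege level and permitted object views (OID subtree roots).
ACL = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]
USERS = {
    # read-only: gets only, limited to mib-2
    "auditor": {"level": "read-only", "read_view": ["1.3.6.1.2.1"], "write_view": []},
    # user-level: gets across mib-2, sets only on sysContact and sysLocation
    "ops": {"level": "user", "read_view": ["1.3.6.1.2.1"],
            "write_view": ["1.3.6.1.2.1.1.4", "1.3.6.1.2.1.1.6"]},
    # superuser: get and set anything under internet (1.3.6.1)
    "admin": {"level": "superuser", "read_view": ["1.3.6.1"], "write_view": ["1.3.6.1"]},
}
CAN_SET = {"read-only": False, "user": True, "superuser": True}


def in_view(oid, view):
    """True if oid lies under any subtree root in view (component-wise prefix match,
    so 1.3.6.1.2.1.10 is not treated as being under 1.3.6.1.2.1.1)."""
    parts = [int(x) for x in oid.split(".")]
    for root in view:
        rp = [int(x) for x in root.split(".")]
        if parts[:len(rp)] == rp:
            return True
    return False


def authorize(source_ip, user, op, oid):
    """Decide whether user may perform op ('get' or 'set') on oid from source_ip.
    Returns (allowed, reason) so the NMS can log the reason for every denial."""
    if not any(ip_address(source_ip) in net for net in ACL):
        return False, f"source {source_ip} not in access control list"
    profile = USERS.get(user)
    if profile is None:
        return False, f"unknown user {user}"
    if op not in ("get", "set"):
        return False, f"unsupported operation {op}"
    if op == "set" and not CAN_SET[profile["level"]]:
        return False, f"{user} is {profile['level']}; set not permitted"
    view = profile["write_view"] if op == "set" else profile["read_view"]
    if not in_view(oid, view):
        return False, f"{oid} is outside the permitted {op} view of {user}"
    return True, f"{op} {oid} permitted for {user} ({profile['level']})"


if __name__ == "__main__":
    for req in [("192.0.2.10", "ops", "set", "1.3.6.1.2.1.1.4.0"),
                ("192.0.2.10", "ops", "set", "1.3.6.1.2.1.2.2.1.7.3"),
                ("203.0.113.5", "admin", "get", "1.3.6.1.2.1.1.5.0")]:
        print(req, "->", authorize(*req))
```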



Network Management, MIBs and MPLS: Principles, Design and Implementation
ISBN: 0131011138
Year: 2003
Pages: 150
