380 likes | 673 Vues
Network Managment. FCAPS. FCAPS. Fault Configuration Accounting Performance Security. Fault Management. Network Monitoring Diagnosis and troubleshooting Logs Trouble Tickets. Configuration. Configuring Managed Resources Verify configuration (auditing) Backup and Restore
E N D
Network Managment FCAPS
FCAPS • Fault • Configuration • Accounting • Performance • Security
Fault Management • Network Monitoring • Diagnosis and troubleshooting • Logs • Trouble Tickets
Configuration • Configuring Managed Resources • Verify configuration (auditing) • Backup and Restore • Image Management
Accounting • Accounting and Billing • Track Consumption • Flat Fee • Additional Service features
Performance • Metrics – Throughput/Delay/QOS • Analysis • Collection (NetFlow)
Security • Secure management operations • Management of Security
Management Information Base • Conceptual Data Store • MIB is “connected” • Requests are made to the Agent • Get, Set, Delete • MO
Managed Object • Managed Object • Piece of Info in the MIB • Examples: Port status, ACL, Mem lvl
MIB A MIB is a view of a device and the agent retrieves the view for you and relays it to the management server SNMP is one such management protocol
MIB IETF Standards • SMI and SMIv2 used with SNMP - A specification used with snmp - RFC 1155, v2 RFC 2578 • MIB-2 - A MIB definition - RFC 1213
What is in the MIB • Object types (variables) • Notifications (traps) • Nodes (OSPF stats) • Textual Conventions (TT, IP)
MIB TREE • Each node is named relative to a containing node. Known as the OID Object Identifier iso(1) (root) org(3) dod(6) internet(1) mgmt(2) experimental(3) private(4) mib-2(1) system(1) interfaces(2) at(3) ip(4) icmp(5) tcp(6) udp(7)
MIB-2 RFC1213-MIB DEFINTIONS ::=BEGIN … Mib-2 OBJECT IDENTIFIER ::={ mgmt 1 } …. System OBJECT IDENTIFIER ::= { mib-2 1 } Interfaces OBJECT IDENTIFIER ::= { mib-2 2 }
System Group • OID value: 1.3.6.1.2.1.1.1 • OID description: • sysDescr OBJECT-TYPE • SYNTAX DisplayString (SIZE (0..255)) • ACCESS read-only • STATUS mandatory • DESCRIPTION "A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software. It is mandatory that this only contain printable ASCII characters." • ::= { system 1 }
Uptime • OID value: 1.3.6.1.2.1.1.3 • OID description: • sysUpTime OBJECT-TYPE • SYNTAX TimeTicks • ACCESS read-only • STATUS mandatory • DESCRIPTION "The time (in hundredths of a second) since the network management portion of the system was last re-initialized." • ::= { system 3 }
Examples snmpget -v 2c -c Example 192.168.1.1 1.3.6.1.2.1.1.1.0 RETURNS: SNMPv2-MIB::sysDescr.0 = Cisco_6509: snmpget -v 2c -c Example2 192.168.2.1 .1.3.6.1.2.1.1.3.0 RETURNS: SNMPv2-MIB::sysUpTime.0 = Timeticks: (2725219064) 315 days, 10:03:10.64
SNMP V1 • FIVE Management Operations • Get Request • Get-Next Request • Set • Get Response • Trap
SNMP PDU UDP 161 UDP 162
SNMP V2c • Get-Bulk Request • Inform
SNMP V3 • Snmp V2c + security snmpget –v 3 -a MD5 -l AuthPriv -x AES -A verysecret 192.168.1.1 sysUpTime
TRAPS/INFORMS • Alarms • Notify • Resource savings (less polling)
MRTG and Cacti • Monitor Traffic Load graphically • Monitor CPU/Bandwidth
Enterprise OID OID : 1.3.6.1.4.1.12356 ---FORTINET OID : 1.3.6.1.4.1.9 --- CISCO
Example snmpget -v 2c -c Sec 192.168.1.1 1.3.6.1.4.1.12356.1.9.0 SNMPv2-SMI::enterprises.12356.1.9.0 = Gauge32: 49 Snmpget –v 2c –c Sec 192.168.1.2 1.3.6.1.4.1.9.1.111.1.2.1.2.12.0 Cisco SNMP Object Navigator
Trap Example • snmptrap -v 1 -c Example 192.168.1.1 enterprises.12356 10.10.10.10 6 17 '50' 1.3.6.1.4.1.12356.0.102s "mem low“ • 13:13:59.394936 IP software.security.testing.ca.34368 > 192.168.1.1.snmptrap: C=Example Trap(48) E:12356 10.10.10.10 enterpriseSpecific s=102 50 E:12356.0[|snmp]
NetFlow V5 • Top flows (most connections) • How much bandwidth • IP Address and Port • Bottlenecks in the network
Classification • Src/Dst Address • Src/Dst Port • TCP/UDP/ICMP • TOS • Link
Example • 192.168.1.1:1100 ---> 10.10.10.1:80 • 192.168.1.1:1200 ---> 200.1.1.2:25 • 10.10.10.1:80 ---> 192.168.1.1:1100 • 192.168.1.1:1101 --> 10.10.10.1:81
Net Flow • Unidirectional • Flow ends when Fin Flag is seen (tcp) • Flow ends when no packet arrives (15 seconds) Flow info is sent via UDP to the management system (netflow collector)
NetFlow Once a Flow is ended, it is flushed from the cache and sent in a Netflow record
Netflow vs IDS Unlike an Intrusion detection system Netflow does not look at the payload. IDS systems like snort look into the data being transmitted
116.12.132.179.555 -> 201.44.144.29.1273: psh 776971900 ack 1065638971 • 0x0000 4500 00e8 fb87 4000 6f06 f935 740c 84b3 E.....@.o..5t... • 0x0010 8d75 901d 022b 04f9 2e4f a67c 3f84 5c3b .u...+...O.|?.\; • 0x0020 5018 ff63 db33 0000 3a73 7321 6e6f 6e65 P..c.3..:ss!none • 0x0030 4046 4249 2d31 3434 3945 3539 432e 646f @XXXXXXXXXX • 0x0040 7562 6c65 7365 7276 6963 652e 636f 6d20 xXXXXXXXXXX. • 0x0050 544f 5049 4320 2367 6720 3a21 6173 6320 TOPIC.#gg.:!asc. • 0x0060 2d53 202d 737c 2168 7474 7020 6874 7470 -S.-s|!http.http • 0x0070 3a2f 2f74 6561 6d74 7275 6e63 6174 6564 ://teamtruncated • 0x0080 2e6e 6574 2f74 202d 737c 2161 7363 2073 .net/t.-s|!asc.s • 0x0090 2031 3030 2033 2030 202d 6220 2d65 202d .100.3.0.-b.-e.- • 0x00a0 737c 2169 702e 7767 6574 2068 7474 703a s|!ip.wget.http: • 0x00b0 2f2f 6a64 6978 387a 2e74 3335 2e63 6f6d //jdix8z.t35.com • 0x00c0 2f6a 6176 612e 6c69 6220 633a 5c6e 742e /java.lib.c:\nt. • 0x00d0 6578 6520 3120 2d73 0d0a 5049 4e47 203a exe.1.-s..PING.: • 0x00e0 694e 4554 2e33 0d0a iNET.3..
TCPDUMP • Protocol Analyzer - Troubleshooting - Check Flows - Scripts
tcpdump –I eth1 –A port 23 • 13:57:27.581592 IP blob.admin.telnet > 172.28.2.6.ssmpp: P 55:66(11) ack 35 win 65535 • .!.*2.6}.P...._..blob login: • 13:57:27.631198 IP 172.28.2.6.ssmpp > blob.admin..telnet: P 35:44(9) ack 66 win 16351 • ....6}.!.*=P.?..X........... • 13:57:27.631828 IP blob.admin.telnet > 172.28.2.6.ssmpp: P 66:72(6) ack 44 win 65535 • .!.*=.6}.P............. • 13:57:27.679788 IP 172.28.2.6.ssmpp > blob.admin.telnet: P 44:47(3) ack 72 win 16345 • ....6}.!.*CP.?........ • 13:57:27.878683 IP blob.admin.telnet > 172.28.2.6.ssmpp: . ack 47 win 65535 • .!.*C.6}!P............. • 13:57:29.598062 IP 172.28.2.6.ssmpp > blob.admin..telnet: P 47:48(1) ack 72 win 16345 • E..). • ....6}!!.*CP.?./...b • 13:57:29.598854 IP blob.admin..telnet > 172.28.2.6.ssmpp: P 72:73(1) ack 48 win 65535 • .!.*C.6}"P...n...b..... • 13:57:29.694083 IP 172.28.2.6.ssmpp > blob.admin.telnet: P 48:49(1) ack 73 win 16344 • ....6}"!.*DP.?."...o • 13:57:29.694663 IP blob.admin..telnet > 172.28.2.6.ssmpp: P 73:74(1) ack 49 win 65535 • .!.*D.6}#P...a...o..... • 13:57:29.781474 IP 172.28.2.6.ssmpp > blob.admin..telnet: P 49:50(1) ack 74 win 16343 • ....6}#!.*EP.?./...b • 13:57:29.782133 IP blob.admin..telnet > 172.28.2.6.ssmpp: P 74:75(1) ack 50 win 65535 • .!.*E.6}$P...n...b..... • 13:57:29.931535 IP 172.28.2.6.ssmpp > blob.admin..telnet: . ack 75 win
LOGGING “cd /var/log” “tail snmpd.log” “cat messages”