Co5 Session28 Sntsa (22dla3101)
COURSE CODE:22DLA3101
CO5_SESSION 28
AIM OF THE SESSION
To familiarize students with the basic concepts of the System and Network Security Analytics course, and to equip them with the knowledge and skills necessary to understand, analyze, and respond to security threats and vulnerabilities in computer systems and networks.
INSTRUCTIONAL OBJECTIVES
LEARNING OUTCOMES
CONTENTS
SNMP and Network Management
The network management standards currently in use are SNMP (Internet), CMIP (OSI), TMN, IEEE, and Web-based management. Of these, SNMP is the most widely deployed management system because of its truly simple architecture and implementation.
The SNMP management system is based on polling. Remote monitoring of network components using probes, sending only the relevant data to the network management system, is the goal of RMON (Remote Network Monitoring).
This session presents the network management standards and the general architecture of the network management models. (SNMP - Simple Network Management Protocol)
The International Standards Organization (ISO) has defined a generalized model that addresses all aspects of network management.
Three models of the architecture deal with organization, information, and communication.
Continued…
All three models above are designed for management applications to manage networks, systems, and services.
The fourth model is the functional model. Its applications fall into the categories of fault, configuration, performance, security, and accounting management.
Network management is the management of the network comprising nodes and links; system management is the management of system resources, such as central processor usage, disk usage, and application processes.
Service management deals with the services provided by organizations to customers. It is an extension of network and system management.
The two leading models of network management are the Internet model and the Open System Interconnection (OSI) model.
The Internet model is the most widely used for network management. It is a simple scalar model and hence easy to implement.
The OSI model, which is object oriented, is more complex and harder to implement. However, with the matured state of object-oriented technology and the convergence of data and telecommunications technologies, object-oriented implementation of network management has come into vogue.
Network Management Standards
Several network management standards are in use today. This section covers four standards, along with a fifth class based on emerging technologies, and their salient points.
The first four are the OSI model, the Internet model, TMN, and IEEE LAN/MAN. A detailed treatment of the various standards can be found in [Black, 1995].
The Open System Interconnection (OSI) management standard is the standard adopted by the International Standards Organization (ISO).
The OSI management protocol standard is the Common Management Information Protocol (CMIP). The OSI management protocol has built-in services, the Common Management Information Service (CMIS), which specify the basic services needed to perform the various functions.
It is the most comprehensive set of specifications: the OSI specifications are structured and deal with all seven layers of the OSI Reference Model.
The specifications are object oriented, and hence managed objects are based on object classes and inheritance rules. Besides specifying the management protocols, CMIP/CMIS also address network management applications.
Some of the major drawbacks of the OSI management standard were that it was complex and that the CMIP stack was large. Although these are no longer impediments to the implementation of CMIP/CMIS network management, SNMP is the protocol that is extensively deployed.
The Internet Engineering Task Force (IETF) is responsible for all Internet specifications, including network management. The managed objects are defined as scalar objects in SNMP. It was primarily intended to manage Internet components, but is now also used to manage WAN and telecommunications systems.
TMN is an ITU-T (International Telecommunications Union-Telecommunications) standard and is based on the OSI CMIP/CMIS specifications. TMN extends the concept of management beyond managing networks and network components. Its specifications address service and business considerations (M.3000).
The Enhanced Telecommunications Operations Map (eTOM) is a guidebook for business processes in the telecommunications industry. It is an extension of TMN.
It is being developed by the TeleManagement Forum (TM Forum) as a component of NGOSS (New Generation OSS).
The main difference between the TMN and eTOM approaches is that the former was developed starting from networks and network equipment (bottom up), whereas eTOM is a top-down approach.
The eTOM framework has been incorporated within the TMN framework as a set of standards (M.3050.x).
The IEEE standards for Local Area Network (LAN) and Metropolitan Area Network (MAN) specifications are only concerned with OSI layers 1 (physical) and 2 (data link). Those specifications are structured similarly to the OSI specifications.
Both OSI/CMIP and Internet/SNMP protocols use the IEEE standards for the lower layers. The IEEE 802.1 series of specifications define the standards for the various physical media and data link protocols.
The IEEE 802.1 specifications present overview, architecture, and management. The IEEE 802.2 standard specifies the Logical Link Control (LLC) layer.
The Web-Based Enterprise Management (WBEM) standard is developed by the Desktop Management Task Force (DMTF). It is based on the Common Information Model (CIM) data model, transported using CIM Operations over HTTP.
The Java Management Extensions (JMX) is an open Java technology for management. It defines management architecture, application programming interfaces (APIs), and management services under a single umbrella specification. It was developed under Sun Microsystems' JMAPI (Java Management API) initiative.
XML is a meta-markup language standardized by the World Wide Web Consortium (W3C) for document exchange on the Web.
XML-based network management defines management information in XML, exchanges management data in the form of XML documents, and uses standard XML document processing methods to process the data.
Common Object Request Broker Architecture (CORBA)-based network management is an object-oriented client-server model that uses CORBA. The objects are defined using the Interface Definition Language (IDL), and the model uses a distributed managed objects architecture.
Network Management Models
The OSI network management model is an ISO standard and is the most complete of all the models. It is structured and addresses all aspects of management.
The OSI network management architectural model comprises four models: the organization model, the information model, the communication model, and the functional model.
Although this classification is based on the OSI architectural model, and only parts of it are applicable to other models, it helps us understand the holistic picture of the different aspects of network management.
Organization Model
The organization model describes the components of network management and their relationships.
Network objects consist of network elements such as hosts, hubs, bridges, routers, etc.
They can be classified into managed and unmanaged objects or elements. The managed elements have a management process running in them, called an agent. The unmanaged elements do not have a management process running in them.
For example, one can buy a managed or an unmanaged hub. Obviously the managed hub has management capability built in and hence is more expensive than the unmanaged hub, which does not have an agent running in it. The manager communicates with the agent in the managed element.
The manager manages the managed element; there is a database in the manager, but not in the agent.
The manager queries and receives management data from the agent, processes them, and stores them in its database.
The agent can also send a minimal set of alarm information to the manager unsolicited.
In the three-tier network management organization model, the intermediate layer acts as both agent and manager. As a manager, it collects data from the network elements, processes them, and stores the results in its database. As an agent, it transmits information to the top-level manager.
For example, an intermediate system is used for making statistical measurements on a network and passes the information as needed to the top-level manager. Alternatively, an intermediate NMS could be at the local site of a network, with the information passed on to a remote site.
Network domains can be managed locally, and a global view of the networks can be monitored by a manager of managers (MoM).
This configuration uses an enterprise NMS and is applicable to organizations with sites distributed across cities. It is also applicable to a configuration where vendor management systems manage the domains of their respective components, and the MoM manages the entire network.
Network management systems can also be configured in a peer-to-peer relationship.
We can recognize the similarity between this and the client-server architecture, where a host serves as both a client and a server.
An example of such a situation would be two network service providers needing to exchange
management information between them. From the user's point of view, the information traverses
both networks and needs to be monitored end-to-end.
Information Model
An information model is concerned with the structure and storage of information.
Let us consider, for example, how information is structured and stored in a library and is accessed by all. A book is uniquely identified by an International Standard Book Number (ISBN). It is a ten-digit identification number that refers to a specific edition of a specific book.
For example, ISBN 0-13-437708-7 refers to the book "Understanding SNMP MIBs" by David Perkins and Evan McGinnis.
We can refer to a specific figure in the book by identifying a chapter number and a figure number; e.g., Fig. 3.1 refers to figure 1 in Chapter 3.
Thus, a hierarchy of designations {ISBN, Chapter, Figure} uniquely identifies the object, which is a figure in the book. "ISBN," "Chapter," and "Figure" define the syntax of the three pieces of information associated with the figure, and the definition of their meaning in a dictionary would be the semantics associated with them.
The information model specifies the information base used to describe managed objects and the relationships between managed objects.
The structure defining the syntax and semantics of management information is specified by the Structure of Management Information (SMI).
The information base is called the Management Information Base (MIB). The MIB is used by both agent and management processes to store and exchange management information.
The MIB associated with an agent is called the agent MIB, and the MIB associated with a manager is designated as the manager MIB.
The manager MIB consists of information on all the network components that it manages, whereas the MIB associated with an agent process needs to know only its local information, its MIB view.
For example, a county may have many libraries. Each library has an index of all the books in that location, its MIB view.
However, the central index at the county's main library, which manages all other libraries, has the index of all books in all the county's libraries: the global manager MIB view.
The manager has both the management database (MDB) and the MIB. The MDB is a real database and contains the measured or administratively configured values of the elements of the network.
On the other hand, the MIB is a virtual database and contains the information necessary for processes to exchange information among themselves.
Management Data Base / Information Base
Distinction between MDB and MIB
• MDB: physical database; e.g., Oracle, Sybase
• MIB: virtual database; schema compiled into management software
An NMS can automatically discover a managed object, such as a hub, when it is added to the network.
The NMS can identify the new object as a hub only after the MIB schema of the hub is compiled into the NMS software.
Managed objects can be:
1. Network elements (hardware, system): hubs, bridges, routers, transmission facilities
2. Software (non-physical): programs, algorithms, protocol functions, databases, etc.
3. Administrative information: contact person, account number, name of a group of objects (IP group)
Management Information Tree
The managed objects are uniquely defined by a tree structure, specified by the OSI model and also used in the Internet model. The generic representation of this tree is defined as the Management Information Tree (MIT).
There is a root node and well-defined nodes underneath each node at different levels, designated as Level 1, Level 2, etc. Each managed object occupies a node in the tree. In the OSI model, the managed objects are defined by a containment tree representing the MIT.
OSI Management Information Tree
ISO - International Standards Organization
ITU - International Telecommunications Union
DOD - Department of Defense
Designation:
iso 1
org 1.3
dod 1.3.6
internet 1.3.6.1
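As an added example (not part of the slides), the following Python builds a Management Information Tree from the designation list above, resolves descriptors to OIDs and back, and computes a MIB view (the subtree an agent sees) and a manager-of-managers view (the union of several domains). The subtrees registered below internet (directory, mgmt, experimental, private, mib-2, enterprises) are the standard IETF registrations; they are assumed here, not shown on the slides.

```python
# Added example: a small Management Information Tree (MIT). Each node maps an
# arc number to (descriptor, children); the unnamed root sits above iso(1),
# as in the designation list above.

class ManagementInformationTree:
    def __init__(self):
        self.root = {}            # arc -> (descriptor, children dict)
        self.descriptor_of = {}   # dotted OID -> descriptor

    def register(self, dotted, descriptor):
        """Register a node; its parent must already exist (containment tree)."""
        arcs = [int(a) for a in dotted.split(".")]
        node = self.root
        for arc in arcs[:-1]:
            if arc not in node:
                raise KeyError(f"parent of {dotted} is not registered")
            node = node[arc][1]
        node[arcs[-1]] = (descriptor, {})
        self.descriptor_of[dotted] = descriptor

    def name_path(self, dotted):
        """'1.3.6.1' -> 'iso.org.dod.internet'; KeyError if an arc is unknown."""
        names, node = [], self.root
        for arc in (int(a) for a in dotted.split(".")):
            descriptor, node = node[arc]
            names.append(descriptor)
        return ".".join(names)

    def oid_of(self, name_path):
        """'iso.org.dod.internet' -> '1.3.6.1', matching descriptors level by level."""
        arcs, node = [], self.root
        for name in name_path.split("."):
            arc = next((a for a, (d, _) in node.items() if d == name), None)
            if arc is None:
                raise KeyError(f"no child named {name!r}")
            arcs.append(str(arc))
            node = node[arc][1]
        return ".".join(arcs)

    def view(self, dotted):
        """A MIB view: every registered OID in the subtree rooted at `dotted`,
        in tree order (numeric arc order, not string order)."""
        members = [o for o in self.descriptor_of
                   if o == dotted or o.startswith(dotted + ".")]
        return sorted(members, key=oid_key)

def oid_key(dotted):
    return tuple(int(a) for a in dotted.split("."))

def manager_view(tree, agent_subtrees):
    """Manager-of-managers MIB view: the union of the domain views it manages."""
    merged = set()
    for subtree in agent_subtrees:
        merged.update(tree.view(subtree))
    return sorted(merged, key=oid_key)

def build_example_tree():
    """The slides' four nodes plus the standard IETF subtrees below internet (assumed)."""
    tree = ManagementInformationTree()
    for dotted, name in [("1", "iso"), ("1.3", "org"), ("1.3.6", "dod"),
                         ("1.3.6.1", "internet"), ("1.3.6.1.1", "directory"),
                         ("1.3.6.1.2", "mgmt"), ("1.3.6.1.3", "experimental"),
                         ("1.3.6.1.4", "private"), ("1.3.6.1.2.1", "mib-2"),
                         ("1.3.6.1.4.1", "enterprises")]:
        tree.register(dotted, name)
    return tree
```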
Managed Object Perspective
A managed object need not be a physical object that can be seen, touched, or felt; it is convenient to use a physical representation to understand the characteristics and operations associated with a managed object.
A managed object in the Internet is defined by five parameters. They are:
Object identifier and descriptor: unique ID and name for the object
Syntax: used to model the object
Access: access privilege to a managed object
Status: implementation requirements
Definition: textual description of the semantics of the object type
The characteristics of an OSI managed object are:
Object class: managed object
Attributes: attributes visible at its boundary
Operations: operations that may be applied to it
Behavior: behavior exhibited by it in response to an operation
Notifications: notifications emitted by the object
Communication Model
Management data are communicated between agent and manager processes, as well as between manager processes. Three aspects need to be addressed in the communication of information between two entities: the transport medium of message exchange (transport protocol), the message format of communication (application protocol), and the actual message (commands and responses).
The applications in the manager module initiate requests to the agent in the Internet model. This is part of the operations in the OSI model.
The agent executes the request on the network element, i.e., the managed object, and returns responses to the manager. The traps/notifications are the unsolicited messages, such as alarms, generated by the agent.
Transfer Protocol
<op> ::= + | - | * | /
<number> ::= <digit> | <digit><number>
The number 9 is the digit 9.
The number 19 is the concatenation of the digit 1 and the number 9, and the number 219 is the concatenation of the digit 2 with the number 19.
<BooleanType> ::= BOOLEAN – Data type assignment and name of the entity.
<BooleanValue> ::= TRUE | FALSE – Value assignment.
ASN.1 Symbols
ASN.1 Keywords
Enumerated Type
ErrorStatus ::=
    INTEGER {
        noError(0),
        tooBig(1),
        noSuchName(2),
        badValue(3),
        readOnly(4),
        genErr(5)
    }
Encoding Structure
The ASN.1 syntax containing the management information is encoded using the BER (Basic Encoding Rules) defined for the transfer syntax.
The ASCII text data are converted to bit-oriented data. We will describe one specific encoding structure, called TLV, denoting the Type, Length, and Value components of the structure. The full record consists of type, length, and value.
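The TLV structure worked through in code, as an added example that is not from the slides: a small BER encoder and decoder in Python covering the types the session uses (the INTEGER behind the ErrorStatus enumeration, the OBJECT IDENTIFIER 1.3.6.1 from the tree above, and SEQUENCE), including the long forms for lengths of 128 or more and for tag numbers of 31 or more. The decoder refuses a truncated record rather than reading past the buffer, which is the check a manager should make on any response it receives.

```python
# Added example: a minimal BER TLV encoder/decoder for the ASN.1 types the
# slides use (INTEGER as in ErrorStatus, OBJECT IDENTIFIER such as 1.3.6.1,
# SEQUENCE), with the long forms of the length and of tag numbers >= 31.
UNIVERSAL, CONTEXT, CONSTRUCTED = 0x00, 0x80, 0x20
INTEGER, OID, SEQUENCE = 0x02, 0x06, 0x10

def base128(n):
    """Big-endian 7-bit groups with bit 8 set on all but the last group."""
    groups = [n & 0x7F]
    n >>= 7
    while n:
        groups.insert(0, (n & 0x7F) | 0x80)
        n >>= 7
    return bytes(groups)

def encode_tag(cls, number, constructed=False):
    """Type octets: tag number in the low 5 bits, or 11111 + base-128 if >= 31."""
    first = cls | (CONSTRUCTED if constructed else 0)
    if number < 31:
        return bytes([first | number])
    return bytes([first | 0x1F]) + base128(number)

def encode_length(n):
    """Length octets: short form below 128, else 0x80|count then big-endian n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return tag + encode_length(len(value)) + value

def encode_integer(n):
    """Two's complement in the fewest octets: 0 -> 02 01 00, 128 -> 02 02 00 80."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(encode_tag(UNIVERSAL, INTEGER), n.to_bytes(size, "big", signed=True))

def encode_oid(dotted):
    """First two arcs packed as 40*x+y, remaining arcs as base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(base128(a) for a in arcs[2:])
    return tlv(encode_tag(UNIVERSAL, OID), body)

def encode_sequence(*elements):
    return tlv(encode_tag(UNIVERSAL, SEQUENCE, constructed=True), b"".join(elements))

def decode_tlv(data, offset=0):
    """Parse one TLV at `offset` -> (tag_number, constructed, value, next_offset).
    Raises ValueError rather than reading past the end of a truncated record."""
    try:
        first, offset = data[offset], offset + 1
        number = first & 0x1F
        if number == 0x1F:                           # high tag number form
            number, more = 0, True
            while more:
                octet, offset = data[offset], offset + 1
                number, more = (number << 7) | (octet & 0x7F), bool(octet & 0x80)
        length, offset = data[offset], offset + 1
        if length & 0x80:                            # long form length
            count = length & 0x7F
            length, offset = int.from_bytes(data[offset:offset + count], "big"), offset + count
    except IndexError:
        raise ValueError("truncated TLV header") from None
    if offset + length > len(data):
        raise ValueError("TLV value runs past end of buffer")
    return number, bool(first & CONSTRUCTED), data[offset:offset + length], offset + length
```

Encoding ErrorStatus noError(0) gives the three octets 02 01 00 (type INTEGER, length 1, value 0), and internet 1.3.6.1 gives 06 03 2B 06 01 because iso(1) and org(3) are packed into the single octet 40*1+3.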
Tag Numbers
>=31
Macros
The ASN.1 macros also facilitate grouping of instances of an object or concisely defining
various characteristics associated with an object.
Object Identity Macro
Example for Object Identity Macro
Functional Model
The functional model component of the OSI model addresses user-oriented applications. They are formally specified in the OSI model.
The model consists of five functional areas: configuration management, fault management, performance management, security management, and accounting management.
Configuration management addresses the setting and changing of configurations of networks and network components. Relevant management information is embedded in managed objects, such as switches, hubs, bridges, and routers. Configuration management involves setting up these parameters.
For example, alarm thresholds could be set to generate alarms when packet loss exceeds a defined value; information on the object name and the contact person to be contacted when the component fails could be entered in the management agent.
The configuration data are gathered automatically by, and are stored in, the NMS at the network operations center (NOC). The NMS displays in real time the configuration of the network and its status.
Fault management involves detection and isolation of the problem causing a failure in the network. An NMS constantly monitors and displays in real time major and minor alarms based on the severity of failures.
Restoration of service is done as soon as possible, and it could involve reconfiguration of the network, which is part of configuration management. In several failure situations, the network could do this automatically. This capability is called self-healing.
In other situations, restoration of service does not include fixing the cause of the problem. A trouble ticket is generated and followed up for resolution of the problem using a trouble ticket administration system.
This is the trouble ticket administration part of fault management and is used to track problems in the network.
All problems, including non-problems, are to be tracked until resolved. Periodic analysis of the data, which are maintained in a database, is done to establish patterns of the problems for follow-up action.
Performance management is concerned with the performance behavior of the network. The status of the network is displayed by a network-monitoring system that measures the traffic and performance statistics on the network.
Network statistics include data on traffic volume, network availability, and network delay. Traffic data can be captured based on the traffic volume in various segments of the network.
Data need to be gathered by the NOC and updated in a timely fashion in order to administer performance management. Any configuration changes needed to relieve temporary congestion in traffic are made by the NOC.
Permanent relief is engineered by the addition of equipment and facilities as well as by policy changes. Performance-monitoring tools can gather statistics for all protocol layers. We can analyze the various application-oriented traffic, such as Web traffic, Internet mail, file transfers, etc.
The statistics on applications could be used to make policy decisions on managing the applications. Performance data on availability and delay are useful for tuning the network to increase its reliability and to improve its response time.
Security management covers a broad range of security aspects. It involves physically securing the network, access to the network resources, and secured communication over the network.
A security database is established and maintained by the NOC for access to the network and network information.
Any unauthorized access to the network resources generates an alarm on the NMS at the NOC. Firewalls are implemented to protect corporate networks and network resources from being accessed by unauthorized personnel and programs, including virus programs.
Secured communication is concerned with the tampering of information as it traverses the network. The content of the information should be neither accessed nor altered by unauthorized personnel. Cryptography plays a vital part in security management.
Accounting management administers cost allocation of the usage of the network. Metrics are established to measure the usage of resources and services provided. Traffic data gathered by performance management serve as input to this process.
SUMMARY
In this session we discussed SNMP and network management, network management standards, and network management models. Upon completion of the course, learners ought to possess the ability to examine network traffic, identify and address security risks, and put into practice efficient security procedures to safeguard network infrastructure.
SELF-ASSESSMENT QUESTIONS
(a) IEEE
(b) IETF
(c) ISO
(d) ITU
TERMINAL QUESTIONS
1. Analyse the security concerns associated with SNMP and the measures that can be taken to
mitigate these risks.
2. Discuss the importance of network management standards and how they contribute to the
interoperability and efficiency of network management systems.
3. Evaluate the impact of specific network management standards on the design and operation
of network management systems.
4. Explain the OSI Network Management Model and its five functional areas.
5. Compare and contrast different network management models, such as the OSI Network
Management Model, the Telecommunications Management Network (TMN), and the Internet
Network Management Framework.
REFERENCES FOR FURTHER LEARNING OF THE SESSION
Reference Books
1. Network Management Principles and Practice: Mani Subramanian, Timothy A. Gonsalves, N. Usha Rani (Edition 1).
2. Network Analysis, Architecture, and Design: James D. McCabe (Edition 3).
3. Wireless Communications & Networking: An Introduction: Vijay K. Garg (Edition 1).
4. Intrusion Detection Systems: Rebecca Bace and Peter Mell (Edition 1).
5. Wireless Network Security for IEEE 802.11a/b/g and Bluetooth (DRAFT): Karen Scarfone, Derrick Dicoi (Edition 1).
THANK YOU
by Mr. N. Rajender