Network Implementation and Management Strategies

Post on 19-Dec-2015

Outline

- Explain why a network implementation strategy is needed
- Examine the principles of network design
- Explain why a network management strategy is needed
- Describe network management categories and related activities
- Classify current network management tools according to functionality
- Examine different network management strategies
- Select a management strategy for this book

Network Implementation Strategy Design

Network Implementation Design Analysis

Category: Issues

Geographical Distribution
1. Office: subnets, LAN
2. Department (many offices): subnets, LAN
3. Division (many departments): LAN, WAN
4. Organization (many divisions):
   - Local: LAN, MAN, WAN
   - National: WAN
   - Global: WAN

Network Implementation Design Analysis (cont.)

Subnets
1. How many
2. Connectivity: bridges, switches, routers
3. Ethernet: number of receivers, location of hub(s), 10BASE-T, 10BASE2, 10BASE5
4. Wireless
5. How many IP addresses: static addresses, addresses supplied by DHCP

Network Implementation Design Analysis (cont.)

LAN
1. How many
2. Domain names
3. DNS (Domain Name Service) configuration
4. Network address
5. Subnets: how many
6. Connectivity: switched Ethernet, router
7. Ethernet
8. Token Ring
9. FDDI (Fiber Distributed Data Interface)

Network Implementation Design Analysis (cont.)

MAN (Metropolitan Area Network)
1. Connectivity between LANs: FDDI, SONET (Synchronous Optical Network), LAN, ATM, SMDS (Switched Multi-megabit Data Service), DQDB (Distributed Queue Dual Bus), Ethernet

WAN
1. Connectivity between LANs or MANs: PSTN, X.25, T1-T3, SONET, Frame Relay, SMDS, ATM
2. Distribution of services

Network Implementation Design Analysis (cont.)

Bandwidth Requirements
1. Video bandwidth: constant, time dependent, bandwidth on demand
2. Audio bandwidth: constant, time dependent, bandwidth on demand
3. Teleconferencing bandwidth

Media Requirements
1. Cable
2. Wireless
3. Microwave
4. Satellite
5. Optical fiber

Network Implementation Design Analysis (cont.)

Technology
1. What is available now
2. Minimum required for the job
3. Technology improvements during the next 5 years
4. Required to support expected growth

Service Level Agreements (SLA)
1. Specified bandwidth available at any time
2. Specified bandwidth available during specified time periods
3. Bandwidth on demand

Security Requirements
1. Location of firewalls
2. Firewall capabilities
3. Location of proxy servers
4. Encryption and authentication needs
5. Network Intrusion Detectors (NID)

Budget
1. To support the resources of the optimum network
2. To support the resources of the minimum network

Network Management Categories and Associated Metrics

Category: metrics

Reliability: transmission error rates; dropped packets; link failures
Faults: proactive prevention; detection; location; correction time
Availability: mean time between failures (MTBF) of the network
Performance: time to provide a response to the user; processor total use; processor interrupts/sec; processor queue length; transmit packet lengths
Throughput: bytes per second that a user can expect to transmit reliably; guaranteed throughput based on the Service Level Agreement (SLA)
  - Data: packet throughput
  - Voice: ordered packet throughput
  - Video: link bandwidth; bandwidth on demand
Use: packets/sec; transactions/sec
Resource Use: application software; network devices; services; permanent storage; CPU
Policies:
  - Traffic: what's critical; how many network control packets; which threshold alarms; alerts on what events; what's non-critical
  - Backup: what and how often
  - Application testing
  - Software upgrades: how often
  - Administration: type of service availability required; security level required; firewall protection requirements; network intrusion detection needs; number of software licence requirements; user rights requirements and how they are distributed among which users
Redundancy: number of redundant systems required; critical alternate paths
User Support: automatic responses to user questions about procedures; automatic responses to user questions about network problems; automatic reporting of problems and solutions to users and to a database

Example of network management categories and metrics: Micromuse Netcool/OMNIbus

ISO Network Management Categories

Performance Management: tells you how the network is doing
Fault Management: tells you what your network is doing
Configuration Management: tells you where everything is in the network
Security Management: tells you who is using your network
Accounting Management: tells you when your network is used

Performance Management

Measuring the performance of network hardware, software, and media.

Metrics measured: overall throughput, percentage utilization, error rate, response time

Performance Management Sub-Categories and Related Activities

Collecting Baseline Utilization Data
- Measuring link utilization using a probe
- Counting packets received/transmitted by a specific device
- Measuring device processor usage
- Monitoring device queue lengths
- Monitoring device memory utilization
- Measuring total response times

Collecting a History of Utilization Data
- Measuring utilization and response times at different times of the day
- Measuring utilization and response times on different days over an extended period

Capacity Planning
- Manually graphing, or using a network management tool to graph, utilization as a function of time to detect trends
- Preparing trend reports to document the projected need for, and the cost of, network expansion

Setting Notification Thresholds
- Having a network management tool poll devices for the values of critical parameters and graph these values as a function of time
- Setting polling intervals
- Setting alarms/alerts on those parameters when the threshold, or a percentage of it, is reached
- Initiating an action when the threshold is reached, such as sending a message to the network manager

Building Databases
- Having the network management tool create a database of records containing device name, parameter, threshold and time for off-line analysis
- Using the database to extract the time dependence of utilization
- Using the time dependence of parameters to decide when network upgrades will be necessary to maintain performance

Running Network Simulations
- Using a simulation tool to develop a model of the network
- Using the model's parameters and utilization data to optimize network performance

Latency
- Query/response time interval

Implementing Steps of Performance Management

1. Collect utilization and performance information on the current network devices and links.
2. Analyze the collected performance information.
3. Set thresholds on utilization or related performance parameters.
4. Run network simulations.

Collecting Performance Information

Network servers: processor load, disk access rate, network interface card utilization
Bridges/routers: packet forwarding rate, processor load, percentage of dropped frames on each interface, number of packets being held in a queue

Link Utilization

General case, shared medium (e.g. Ethernet, Token Ring, FDDI):

    util% = (total bits sent + total bits received) / bandwidth × 100%

Full-duplex serial link (e.g. a 64K leased line, ..., T1, T3):

    util% = max(total bits sent, total bits received) / bandwidth × 100%

Both bit counts are taken over the measurement interval, and "bandwidth" here means the link capacity over that same interval (link rate in bits/s multiplied by the interval in seconds). On a full-duplex link each direction has the full capacity, so the busier direction determines utilization; on a shared medium both directions compete for the same capacity, so their sum counts.

Reading Traffic Counters with SNMP

Network devices keep, for each network interface, a running count of the bytes received and transmitted since boot: ifInOctets and ifOutOctets in SNMP MIB-II.

Using SNMP, read the ifInOctets and ifOutOctets values of an interface periodically, once per polling interval.

The value read this time minus the value read last time is the traffic for that interval.

    utilization = traffic in one interval / (bandwidth × interval)

Example

Suppose a performance management application monitors the traffic on a T1 leased-line interface (1.544 Mbps, full duplex) of a network device:

10:00 AM: ifInOctets = 1,500,000; ifOutOctets = 1,200,000
10:05 AM: ifInOctets = 2,500,000; ifOutOctets = 7,200,000

Traffic calculation:

In:  2,500,000 - 1,500,000 = 1,000,000 bytes
Out: 7,200,000 - 1,200,000 = 6,000,000 bytes
Traffic = max(1,000,000, 6,000,000) bytes = 6,000,000 bytes = 48,000,000 bits

Utilization calculation:

Util% = 48,000,000 / (1,544,000 × 60 × 5) × 100% = 10.36%
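The utilization arithmetic of the T1 example, as an added Python example (not code from the original slides). It covers both the full-duplex and the shared-medium formula, and it also handles the 32-bit counter wrap-around that the fault-management polling discussion raises later on this page: ifInOctets is a Counter32, so a reading can be smaller than the previous one. The counter readings are assumed to have been fetched over SNMP already; the function names are mine.

```python
"""Link utilization from two ifInOctets/ifOutOctets samples (SNMP MIB-II).

Added example, not part of the original slides. Counter values are assumed
to have been read over SNMP already; only the arithmetic is shown here.
"""

COUNTER32_MODULUS = 2 ** 32  # SNMP Counter32 wraps to 0 after 2^32 - 1
COUNTER64_MODULUS = 2 ** 64  # ifHCInOctets / ifHCOutOctets (Counter64)


def counter_delta(previous: int, current: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Octets counted between two samples, correcting for a single wrap.

    If the counter wrapped more than once between polls the result is wrong
    and undetectable; see seconds_to_wrap() for the polling-interval bound.
    """
    if current >= previous:
        return current - previous
    return (modulus - previous) + current


def link_utilization(prev_in: int, prev_out: int, cur_in: int, cur_out: int,
                     bandwidth_bps: int, interval_s: float,
                     full_duplex: bool = True,
                     modulus: int = COUNTER32_MODULUS) -> float:
    """Utilization in percent over one polling interval.

    full_duplex=True  -> max(in, out) / capacity   (serial links: T1, T3, ...)
    full_duplex=False -> (in + out)   / capacity   (shared media: Ethernet hub,
                                                   Token Ring, FDDI)
    """
    in_bits = 8 * counter_delta(prev_in, cur_in, modulus)
    out_bits = 8 * counter_delta(prev_out, cur_out, modulus)
    traffic_bits = max(in_bits, out_bits) if full_duplex else in_bits + out_bits
    return 100.0 * traffic_bits / (bandwidth_bps * interval_s)


def seconds_to_wrap(bandwidth_bps: int, modulus: int = COUNTER32_MODULUS) -> float:
    """Shortest time in which a saturated link can wrap the octet counter.

    The polling interval must stay below this value or a wrap can be missed.
    For Counter32 on a 1 Gbit/s link it is about 34 seconds, far less than a
    5-15 minute polling interval, which is why Counter64 (ifHCInOctets) is
    used on fast interfaces.
    """
    return modulus * 8 / bandwidth_bps


if __name__ == "__main__":
    # The slides' constructed T1 readings: 1.544 Mbps, polled every 5 minutes.
    util = link_utilization(1_500_000, 1_200_000, 2_500_000, 7_200_000,
                            bandwidth_bps=1_544_000, interval_s=300)
    print(f"T1 utilization: {util:.2f}%")  # 10.36%
    print(f"Counter32 wrap on 1 Gbit/s: {seconds_to_wrap(1_000_000_000):.1f} s")
```

Passing full_duplex=False to the same readings gives the shared-medium figure (12.09%), which is why the link type must be recorded alongside the interface in the performance database: the same two counters yield different utilization numbers.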

Service Level Measurement

Total response time, rejection rate, availability

Total response time: the amount of time it takes a datum to enter the network and be processed, and for a response to leave the network. It is measured from the viewpoint of applications; Round Trip Time (RTT) is measured from the viewpoint of the transport protocol.

Rejection rate: the percentage of time the network cannot transfer information because of a lack of resources or performance.

Availability: the percentage of time the network is accessible for use and operational. Usually expressed in terms of MTBF (Mean Time Between Failures); as a percentage, availability = MTBF / (MTBF + MTTR), where MTTR is the mean time to repair.

Analysis of Performance Information

- Graphic performance information
- Historical plots: weekly, monthly, quarterly, yearly
- Real-time graphical analysis
- Trend prediction

Example of Performance Management (TANET-NCTU-1, TANET-NCTU-2)

Reference: http://mrtg.twaren.net/mrtg

What to be Analyzed/Graphed?

Device information: memory usage, processor utilization, disk access rate, number of sessions
Link information: utilization, error rate, error percentage

Threshold Setup

Set thresholds on a variety of items affecting network performance. When a threshold is crossed, an event is reported. In general, threshold values are determined from past experience.

Thresholds

- Threshold priority: in general low, medium, high
- Multiple threshold values for the same item
- Thresholds for multiple items
- Use a rearm mechanism to avoid frequent threshold events: once a threshold event has fired, no further event is raised until the value has fallen back to a lower rearm level

Figure: util% versus time, showing the Threshold line and the lower Rearm line across samples 1-7.
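The threshold-with-rearm mechanism sketched in the figure, as an added Python example (not code from the original slides). The sample series is constructed to hover around the threshold so that the difference between a plain threshold and one with a rearm level is visible; class and function names are mine.

```python
"""Threshold alarm with a rearm level (hysteresis).

Added example, not part of the original slides. The utilization samples are
constructed; thresholds are percentages of link utilization.
"""

from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class RearmThreshold:
    """Raise one event when a metric reaches `threshold`; do not raise again
    until it has dropped back to `rearm` or below.

    Without the rearm level, a value oscillating around the threshold would
    generate an event on every poll and the network manager's pager would
    never stop.
    """
    name: str
    threshold: float
    rearm: float
    priority: str = "high"
    armed: bool = True
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.rearm >= self.threshold:
            raise ValueError("rearm level must be below the threshold")

    def observe(self, poll: int, value: float) -> bool:
        """Feed one polled sample; return True if an event was raised for it."""
        if self.armed and value >= self.threshold:
            self.armed = False
            self.events.append(
                (poll, f"{self.name} {self.priority}: {value:.1f}% >= {self.threshold}%"))
            return True
        if not self.armed and value <= self.rearm:
            self.armed = True  # cleared; the next crossing alerts again
        return False


def run_thresholds(samples: Sequence[float], threshold: float = 80.0,
                   rearm: float = 60.0) -> List[int]:
    """Poll numbers at which events fire for a utilization series."""
    monitor = RearmThreshold("util", threshold, rearm)
    return [poll for poll, value in enumerate(samples, start=1)
            if monitor.observe(poll, value)]


def naive_thresholds(samples: Sequence[float], threshold: float = 80.0) -> List[int]:
    """Same series without rearm: an event on every poll above the threshold."""
    return [poll for poll, value in enumerate(samples, start=1) if value >= threshold]


# Constructed utilization samples (%) for seven polls, as in the slide's sketch.
SAMPLES = [50.0, 85.0, 82.0, 90.0, 55.0, 83.0, 40.0]

if __name__ == "__main__":
    print("with rearm at 60%:", run_thresholds(SAMPLES))   # [2, 6]
    print("without rearm:    ", naive_thresholds(SAMPLES))  # [2, 3, 4, 6]
```

Several RearmThreshold objects with different levels (for example warning at 60/40 and critical at 80/60) can be fed the same sample to implement the "multiple threshold values for the same item" point above.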

Performance Prediction

- Use regression to predict the future trend.
- Apply statistical theory, and consider the possible factors that affect the prediction.
- Network simulation.

Figure: util% versus time, showing the computed actual utilization, the predicted utilization increase, and the threshold value.
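The regression-based prediction in the figure, as an added Python example (not code from the original slides). It fits a least-squares line to a constructed weekly utilization history and reports when the line reaches the threshold, which is the number a capacity planner actually needs; function names and the data are mine.

```python
"""Trend prediction for utilization by least-squares regression.

Added example, not part of the original slides. The weekly history below is
constructed; the time at which the fitted line reaches the threshold tells the
capacity planner how long there is before an upgrade is needed.
"""

from typing import Optional, Sequence, Tuple


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Ordinary least squares: returns (slope, intercept) of y = slope*x + intercept."""
    n = len(xs)
    if n < 2 or n != len(ys):
        raise ValueError("need at least two (x, y) samples of equal length")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all samples are at the same x; no trend can be fitted")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def predict(xs: Sequence[float], ys: Sequence[float], at_x: float) -> float:
    """Predicted utilization at time at_x from the fitted trend line."""
    slope, intercept = linear_fit(xs, ys)
    return slope * at_x + intercept


def time_to_threshold(xs: Sequence[float], ys: Sequence[float],
                      threshold: float) -> Optional[float]:
    """Time (in the units of xs) at which the trend reaches `threshold`.

    Returns None when the trend is flat or falling. A forecast is only as good
    as the sampling behind it: compare like with like (e.g. weekly busy-hour
    peaks, not a mix of night and day samples) and refit as new history
    arrives, since a single unusual week can pull the line a long way.
    """
    slope, intercept = linear_fit(xs, ys)
    if slope <= 0:
        return None
    return (threshold - intercept) / slope


# Constructed history: busy-hour link utilization (%) sampled once per week.
WEEKS = [1, 2, 3, 4, 5, 6, 7, 8]
UTIL_PCT = [41.0, 44.5, 47.0, 50.5, 52.0, 56.0, 58.5, 61.0]

if __name__ == "__main__":
    slope, intercept = linear_fit(WEEKS, UTIL_PCT)
    print(f"trend: {slope:.2f} % per week (intercept {intercept:.1f} %)")
    print(f"week 12 forecast: {predict(WEEKS, UTIL_PCT, 12):.1f} %")
    print(f"80% threshold reached at week {time_to_threshold(WEEKS, UTIL_PCT, 80):.1f}")
```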

Fault Management

Detection of a problem, fault isolation, and correction to normal operation. A goal is to use trend analysis to predict faults and change network conditions so that the network is always available to users.

Fault management involves the following steps:
1. Discover the problem
2. Isolate the problem
3. Fix the problem (if possible)

Fault Management Sub-Categories and Related Activities

Prioritization
- Prioritize faults in the order in which they should be addressed
- Use in-band management packets to learn about important faults
- Identify which fault events should cause messages to be sent to the manager
- Identify which devices should be polled and at what intervals
- Identify which device parameter values should be collected and how often
- Prioritize which messages should be stored in the manager's database

Timeliness Required
- Management station is passive and only receives event notifications
- Management station is active and polls for device variable values at required intervals
- Application periodically requests a service from a service provider

Physical Connectivity Testing
- Using a cable tester to check that links are not broken

Software Connectivity Testing
- Using an application that makes a request of another device that requires a response. The most common application for this is ping (Ping.exe on Windows), which uses the Internet Control Message Protocol (ICMP) to send periodic Echo Request messages to a selected device on a TCP/IP network
- An application on one device makes a request of an application on another device

Device Configuration
- Devices are configured conservatively to minimize the chance of dropped packets

SNMP Polls
- Devices are periodically polled to collect network statistics

Fault Reports Generated
- Thresholds configured and alarms generated
- Text media used for reports
- Audio media used for reports
- A color graphical display used to show down devices
- Human manager notified by pager

Traffic Monitored
- Remote monitors used
- Protocol analyzers used
- Traps sent to the network management station
- Device statistics monitored

Trends
- Graphical trends generated to identify potential faults

Executing Steps for Fault Management

Discover the problem: identifying the occurrence of a fault on the network.
Isolate the problem: isolating the cause of the fault.
Fix the problem (if possible): correcting the fault.

Discover the Problem

Event report: when a network device detects a problem itself, it actively sends an event report to the network management system.
Note: a device that has failed completely cannot send any event report, so event reports alone never tell you about a dead device.

Periodic polling: the network management system periodically sends probe messages to the managed devices, or requests fault-related management information from them.

Periodic Polling

The polling interval for fault monitoring is generally set to 5-15 minutes. Factors that determine the polling interval:
- Timeliness requirements
- Number of managed devices
- Network bandwidth
- Processing time
- Limitations of the network management protocol, e.g. SNMP 32-bit Counter wrap-around (a Counter32 returns to zero after 2^32 - 1, so polls spaced too far apart can miss a wrap)

PING

PING (Packet Internet Groper) is a TCP/IP network probing tool built on ICMP Echo / Echo Reply. Functions:
- Test whether a host is reachable
- Measure the packet round trip time (RTT)
- Estimate the packet loss rate

An Example of PING

Fault Management Functions of a Network Management System

Problem detection: probe each managed device using a ping-like method.
Problem logging: record the name of the device with the problem, the time the problem was found, possible causes and similar information in a log file.
Status color change: change the color of the icon representing the faulty device in the NMS graphical interface.
Interface status detection: a network device may contain several interfaces; an NMS generally monitors the operational status of each interface.

Fault Management Functions of a Network Management System (cont.)

Event interpretation: interpret polling results and received events, perform further tests, identify the real fault, and notify the user.
Event correlation: analyze the correlations among polling results and received events to identify the real fault, and notify the user.
Event/action mechanism: the network manager can specify which actions (applications) the NMS should execute immediately when a given class of event occurs.

Event Interpretation (flowchart, reconstructed from the slide)

Inputs: network polling (each poll generates a reply/poll event) and received network events.

1. Critical network event? Yes: interpret the network event.
2. Event = link down? No: alert the user with the interpreted event. Yes: check the carrier signal on the source interface.
3. Carrier exists? No: alert the user: link down. Yes: put the interface in loopback and test the physical layer.
4. Test passes? No: alert the user: physical layer down. Yes: alert the user: remote device down.

Fault (Event) Reporting Methods

Text: display a plain text message on the screen or in the event browser of the graphical user interface.
Picture: change the icon color, or flash the icon, to alert the network manager.
Audio: use a sound to attract the network manager's attention.
Pager: notify the network manager in real time by pager or by mobile phone short message service.
E-mail: notify the network manager or the customer by e-mail.

Device Status and Icon Color

Icon types: region, sub-region, POP, general node, mail server, WWW server, DNS server, RAS and other devices, T1 interface, channel/port.
States: Critical, Major, Minor, Warning, Normal, Unknown, Disabled.

Example of icon colors by state:

State:            Critical   Major   Minor   Warning   Normal   Unknown
Packet loss rate: >80%       >60%    >40%    >20%      <20%
Round trip time:  >threshold (state assigned according to the round trip time threshold setting)

Round Trip Time Threshold Setting

Alarm Reporting: trouble ticketing, audio alarm, pager alarm, e-mail alert

Example of Fault Management

Figure: an example network with an Internet connection through a firewall/router, an FDDI backbone, an RMON device, UNIX hosts and PCs, DNS, mail and WWW servers, and user workstations.

Configuration Management

The process of finding and setting up (configuring) network devices. Automated configuration is becoming a more important part of network management as networks grow in size.

Configuration Management Sub-Categories and Related Activities

Configuration (Local)
- Choice of medium access protocol
- Choice of correct cabling and connectors
- Choice of cabling layout
- Determining the number of physical interfaces on devices
- Setting device interface parameter values: interrupts, I/O addresses, DMA numbers, network layer addresses (e.g. IP, NetWare, etc.)
- Configuration of multiport devices (e.g. hubs, switches and routers)
- Use of the Windows Registry
- Comparing current versus stored configurations
- Checking software environments
- SNMP service

Configuration (Remote)
- From the network management station: disabling device ports; redirecting port forwarding; disabling devices; comparing current versus stored configurations; configuring routing tables; configuring security parameters such as community strings and user names; configuring the addresses of the management stations to which traps should be sent
- Verifying the integrity of changes
- Note: SNMPv1/v2c community strings travel in cleartext, so remote configuration over SNMP should be confined to a trusted management network, with agents accepting write access only from the management station's address, or use SNMPv3 authentication and encryption

Configuration (Automated)
- Using the Dynamic Host Configuration Protocol (DHCP) to configure IP addresses
- Using Plug and Play enabled NICs for automatic selection of interrupts and I/O addresses
- Domain Name Service (DNS) addresses
- Trap messages from agents

Inventory (Manual)
- Maintaining records of cable runs and the types of cables used
- Maintaining device configuration records
- Creating a network database containing, for each device: device type; software environment (operating system, utilities, drivers, applications, versions, configuration files such as .ncf, .ini, .sys); vendor contact information; IP address; subnet address

Inventory (Automated)
- Auto-discovery of devices on the network using an NMS
- Auto-determination of device configurations using an NMS
- Creation of a network database
- Auto-mapping of current devices to produce a network topological map
- Accessing device statistics using an NMS and the Desktop Management Interface (DMI)

Steps for Implementing Configuration Management

1. Collect information on the current network configuration.
2. Use the collected configuration information to adjust or change the configuration of the network devices.
3. Store the configuration information, keep it up to date and correct, and generate reports of various kinds from it.

Collecting Configuration Information

Manual: log in remotely to each network device, read the device information, and record it in documents, files, or a database. Hard to maintain.
Automated: use a network management protocol (SNMP) to read device information from the network devices regularly and store it automatically in files or a database. Auto-discovery function.

Auto-discovery

A method used by a network management system to dynamically find the devices attached to a data network.

Two common approaches:
1. Using ping and a network management protocol
2. Using a network management protocol only

1. Using ping and a network management protocol

(1) Send out a query, such as ICMP Echo (ping), to every possible address on the network.
(2) When a device answers the query, ask it for detailed information using a network management protocol (e.g. SNMP).

Example of Auto-discovery (I)

- Suppose the IP address of the NMS is 140.131.59.20 and the attached network is a Class B network (i.e. the netmask is 255.255.0.0).
  => Possible addresses: 140.131.0.1 ~ 140.131.255.254
- If another network, e.g. 163.25.149.0, is interconnected with network 140.131.0.0, there exists a router with at least two interfaces, one with an IP address 140.131.x.x and one with an address 163.25.149.x.
- By using SNMP to query the IP address table of the devices found by ping, we learn about the existence of other networks and devices.

2. Using a network management protocol only

(1) Find one device on the network and query it with the NM protocol to discover all of the devices it has communicated with recently.
(2) Repeatedly use the NM protocol to query the devices found previously.

Example of Auto-discovery (II)

- Suppose the IP address of the NMS is 140.131.59.20 and its default gateway is 140.131.59.254.
- Use SNMP to query 140.131.59.20 itself or 140.131.59.254 for its ARP cache, TCP/UDP connection table, IP address table, and routing table.
- Use SNMP to query the devices found in the previous query, and repeat.
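The second method (walking management tables outward from one device) as an added Python example, not code from the original slides. Real SNMP GETs are replaced by look-ups in a constructed table of devices; the addresses reuse the page's 140.131.0.0/16 and 163.25.149.0 networks, while the device names and the 10.0.0.0/24 network are mine. Note that this is exactly the walk an attacker performs with a guessed read community string, which is the argument for restricting agents to the NMS address.

```python
"""Auto-discovery by walking management tables (the second method above).

Added example, not part of the original slides. Real SNMP GETs are replaced by
look-ups in the constructed DEVICES table; addresses reuse the page's
140.131.0.0/16 and 163.25.149.0 networks, the rest is made up.
"""

import ipaddress
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Stand-in for each device's SNMP agent: its own interface addresses with masks
# (ipAddrTable), ARP cache entries (ipNetToMediaTable) and next hops (ipRouteTable).
DEVICES: Dict[str, Dict[str, List[str]]] = {
    "nms":      {"ifaces": ["140.131.59.20/16"],
                 "arp": ["140.131.59.254", "140.131.59.21"],
                 "next_hops": ["140.131.59.254"]},
    "pc-bmw":   {"ifaces": ["140.131.59.21/16"],
                 "arp": ["140.131.59.20", "140.131.59.254"],
                 "next_hops": ["140.131.59.254"]},
    "router-a": {"ifaces": ["140.131.59.254/16", "163.25.149.1/24"],
                 "arp": ["140.131.59.20", "140.131.59.21", "163.25.149.7", "163.25.149.2"],
                 "next_hops": ["163.25.149.2"]},
    "www":      {"ifaces": ["163.25.149.7/24"],
                 "arp": ["163.25.149.1"], "next_hops": ["163.25.149.1"]},
    "router-b": {"ifaces": ["163.25.149.2/24", "10.0.0.1/24"],
                 "arp": ["163.25.149.1", "10.0.0.9"], "next_hops": []},
    # 10.0.0.9 is in router-b's ARP cache but answers no SNMP query (no agent, or filtered).
}


def snmp_query(address: str) -> Optional[Tuple[str, Dict[str, List[str]]]]:
    """Pretend to poll `address`; a router answers on any of its interfaces."""
    target = ipaddress.ip_address(address)
    for name, tables in DEVICES.items():
        if any(ipaddress.ip_interface(i).ip == target for i in tables["ifaces"]):
            return name, tables
    return None


def discover(seed: str) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Breadth-first walk from the NMS's own address (or its default gateway).

    Returns the discovered devices (name -> interface addresses) and the
    addresses that appeared in someone's tables but did not answer.
    """
    found: Dict[str, List[str]] = {}
    unmanaged: Set[str] = set()
    queue = deque([seed])
    seen = {seed}
    while queue:
        address = queue.popleft()
        answer = snmp_query(address)
        if answer is None:
            unmanaged.add(address)
            continue
        name, tables = answer
        if name in found:            # a known router reached via another interface
            continue
        found[name] = sorted(tables["ifaces"])
        for nxt in tables["ifaces"] + tables["arp"] + tables["next_hops"]:
            nxt = str(ipaddress.ip_interface(nxt).ip)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return found, unmanaged


def networks(found: Dict[str, List[str]]) -> Set[str]:
    """Networks learned from the discovered interfaces and their masks."""
    return {str(ipaddress.ip_interface(i).network)
            for ifaces in found.values() for i in ifaces}


if __name__ == "__main__":
    devices, silent = discover("140.131.59.20")
    for name, ifaces in devices.items():
        print(f"{name:9s} {', '.join(ifaces)}")
    print("networks:", sorted(networks(devices)))
    print("seen but not manageable:", sorted(silent))
```

Devices that are seen but do not answer (here 10.0.0.9) are the ones the first method, a ping sweep of every address, would still find; in practice an NMS combines both.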

Status and Color of Network Icons

Compound status / status propagation:
- Default
- Propagate most critical
- Propagate at threshold values (0-100%): % warning, % minor, % major, % critical
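Node state and compound (propagated) status as an added Python example, not code from the original slides. The packet-loss bands follow the icon-color table earlier on the page; treating a round trip time above its threshold as Warning, and reading the percentage thresholds as "share of members at that level or worse", are my assumptions, as are the names and the sample region.

```python
"""Node state from ping results and compound (propagated) status of a region.

Added example, not part of the original slides. Loss bands follow the page's
icon-colour table; the RTT rule and the threshold semantics are assumptions.
"""

from typing import Dict, Iterable, List, Tuple

SEVERITY = ["Normal", "Warning", "Minor", "Major", "Critical"]  # ascending order


def node_state(loss_pct: float, rtt_ms: float, rtt_threshold_ms: float) -> str:
    """Map a node's ping results to a state using the page's loss bands."""
    if loss_pct > 80:
        return "Critical"
    if loss_pct > 60:
        return "Major"
    if loss_pct > 40:
        return "Minor"
    if loss_pct > 20 or rtt_ms > rtt_threshold_ms:  # RTT over threshold: assumed Warning
        return "Warning"
    return "Normal"


def propagate_most_critical(states: Iterable[str]) -> str:
    """Compound status = the worst state among the members."""
    return max(states, key=SEVERITY.index, default="Normal")


def propagate_at_thresholds(states: List[str], pct_warning: float = 10,
                            pct_minor: float = 25, pct_major: float = 50,
                            pct_critical: float = 75) -> str:
    """Compound status = highest level for which the share of members at that
    level or worse reaches the level's percentage threshold. One sick node in
    a large region therefore does not turn the whole region red."""
    if not states:
        return "Normal"

    def share_at_or_above(level: str) -> float:
        rank = SEVERITY.index(level)
        return 100.0 * sum(1 for s in states if SEVERITY.index(s) >= rank) / len(states)

    for level, pct in (("Critical", pct_critical), ("Major", pct_major),
                       ("Minor", pct_minor), ("Warning", pct_warning)):
        if share_at_or_above(level) >= pct:
            return level
    return "Normal"


def region_status(nodes: Dict[str, Tuple[float, float]],
                  rtt_threshold_ms: float = 200.0) -> Dict[str, str]:
    """nodes: name -> (packet loss %, round trip time ms). Returns both compound results."""
    states = [node_state(loss, rtt, rtt_threshold_ms) for loss, rtt in nodes.values()]
    return {"most_critical": propagate_most_critical(states),
            "at_thresholds": propagate_at_thresholds(states)}


# Constructed ping results for a ten-node sub-region: seven healthy PCs, a slow
# web server, a DNS server losing a quarter of its packets, and a dead RAS box.
SUBREGION: Dict[str, Tuple[float, float]] = {f"pc-{i}": (0.0, 20.0) for i in range(1, 8)}
SUBREGION.update({"www": (0.0, 350.0), "dns": (25.0, 30.0), "ras": (95.0, 0.0)})

if __name__ == "__main__":
    print(region_status(SUBREGION))  # most critical: Critical; at thresholds: Warning
```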

Adjusting and Changing Configuration Information

Manual modification is not efficient. Automatic modification should be recorded, so that the NMS can verify the configuration change.

Storing Configuration Information

Stored in a central location. Consistency and availability of the configuration data are important. CM data can be stored in ASCII text files or in DBMSs.

Configuration Management Functions of an NMS

- Provide central storage of all network information
- Auto-discovery mechanism
- Auto-mapping facility
- Automatic data acquisition
- Allow the user to add additional configuration information manually
- Search function
- Automatically compare current and stored configuration data
- View the running configuration graphically
- Make configuration changes
- Centralized storage and easy retrieval of data
- Configuration event/alarm
- Graphical logical/physical view of devices
- Use of a DBMS: evaluate device configurations; allow complex queries of the data in the DBMS; produce inventory reports; provide a simple query interface for critical data

Example of Traceroute

Example of Configuration Management: Chunghwa Telecom (CHTNet)

Security Management

The process of controlling access to information on the networked system.

Security Management Sub-Categories and Related Activities

Applying Basic Techniques
- Identifying hosts that store sensitive information
- Management of passwords
- Assigning user rights and permissions
- Recording failed logins
- Setting remote access barrier codes
- Employing virus scanning
- Limiting views of the enterprise network
- Tracking the time and origin of remote accesses to servers

Identifying Access Methods Used
- Electronic mail
- File transfer
- Web browsing
- Directory service
- Remote login
- Remote procedure call
- Remote execution
- Network monitors
- Network management system

Using Access Control Methods
- Encryption
- Packet filtering at routers
- Packet filtering at firewalls
- Source host authentication
- Source user authentication

Maintenance
- Audits of the activity at secure access points
- Executing security attack programs (network intrusion detection)
- Detecting and documenting breaches

Accessing Public Data Networks
- No restrictions: hosts are responsible for securing all access points
- Limited access: only some hosts can interface with the public data network, using a proxy server

Using an Automated Security Manager
- Queries the configuration database to identify all access points for each device
- Reads event logs and notes security-related events
- Shows a security event on the network map
- Generates daily reports of invalid access attempts for analysis

Functions of Security Management
- The creation, deletion, and control of security services and mechanisms
- The distribution of security-relevant information
- The reporting of security-relevant events

Key Aspects of Information Security

Confidentiality, authentication, integrity, non-repudiation, access control, availability

Steps for Implementing Security Management

1. Identify the sensitive information to be protected
2. Find the access points
3. Secure the access points
4. Maintain the access points

Access Point

A piece of network hardware or software that allows access to the data network: software services, hardware components, network media.

Finding the Access Points

- Physical wiring/media
- Network services: remote login, file transfer, e-mail, remote execution, directory service, ...
- NMS

Securing the Access Points

(1) Packet filtering
(2) Host authentication
(3) User authentication
(4) Key authentication
(5) Encryption

(1) Packet Filtering

Packet filtering can usually be performed in bridges, switches, and routers. It stops packets to or from unsecured hosts before they reach an access point.

Issues:
- Each network device that performs packet filtering must be configured.
- Packet filtering doesn't work if the unsecured host changes its address: a filter keyed on source addresses is only as trustworthy as the addresses in the packets, and a source address can be forged.

Figure: Packet-Filtering Routers. A router with ACLs separates the users and servers on the protected network (e-mail server, web server) from the public access hosts and the ISP/Internet.

(2) Host Authentication

Allow access to a service based on a source host identifier, e.g. the network address.

Issues:
- A host can change its network address.
- Different users on the same host have the same authority.

Example access table:

Service        Allow
Remote login   Host-B, Host-C, 140.131.59.20
File transfer  Host-A, Host-B, PC-bmw
Directory      Host-C, 140.131.62.211, PC-benz
...            ...
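A first-match packet filter of the kind a router ACL implements, as an added Python example (not code from the original slides). It enforces an address-based policy like the table above, shows the address-change/spoofing weakness shared by packet filtering and host authentication, and adds the check a practitioner wants: an anti-spoofing rule keyed on the arrival interface. The addresses reuse the page's 140.131.x.x network; the rules, interface names and packets are constructed.

```python
"""First-match packet filter (router ACL) with implicit deny, and the address
problem that host authentication shares with it.

Added example, not part of the original slides. Addresses reuse the page's
140.131.x.x network; rules, interface names and packets are constructed.
"""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int
    ingress: str     # interface the packet arrived on: "inside" or "outside"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # CIDR
    dst: str                       # CIDR
    proto: str = "any"
    dport: Optional[int] = None    # None matches every port
    ingress: Optional[str] = None  # None matches every interface

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and self.ingress in (None, p.ingress))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching rule decides; no match means deny (implicit deny)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Policy: remote login (TCP/23) to the 140.131.62.0/24 servers only from the
# NMS host; web (TCP/80) to the public web server from anywhere; drop the rest.
ACL_ADDRESS_ONLY = [
    Rule("permit", "140.131.59.20/32", "140.131.62.0/24", "tcp", 23),
    Rule("permit", "0.0.0.0/0", "140.131.62.10/32", "tcp", 80),
]

# Same policy with an anti-spoofing rule first: a packet carrying an internal
# source address cannot legitimately arrive on the outside interface.
ACL_WITH_ANTISPOOF = [Rule("deny", "140.131.0.0/16", "0.0.0.0/0", ingress="outside")] + ACL_ADDRESS_ONLY

NMS_LOGIN = Packet("140.131.59.20", "140.131.62.5", "tcp", 23, "inside")
OTHER_LOGIN = Packet("140.131.59.21", "140.131.62.5", "tcp", 23, "inside")
SPOOFED_LOGIN = Packet("140.131.59.20", "140.131.62.5", "tcp", 23, "outside")  # forged source
PUBLIC_WEB = Packet("203.0.113.9", "140.131.62.10", "tcp", 80, "outside")

if __name__ == "__main__":
    for name, pkt in [("NMS login", NMS_LOGIN), ("other host login", OTHER_LOGIN),
                      ("spoofed login", SPOOFED_LOGIN), ("public web", PUBLIC_WEB)]:
        print(f"{name:17s} address-only: {evaluate(ACL_ADDRESS_ONLY, pkt)[0]:6s}"
              f"  with anti-spoof: {evaluate(ACL_WITH_ANTISPOOF, pkt)[0]}")
```

The address-only ACL admits the spoofed login because it cannot tell 140.131.59.20 from a packet that merely claims to be 140.131.59.20; the ingress check closes that hole at the border, but not against a host on the inside that re-addresses itself, which is why the page pairs host authentication with user authentication.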

(3) User Authentication

Enable a service to identify each user before allowing that user access.

Password mechanism:
- Generally, passwords are transferred over the network without any encryption. Use encrypted passwords, or an authentication exchange that never sends the password in the clear.
- Users tend to make passwords easy to remember. If passwords are not common words, users will write them down.

Host authentication + user authentication

(4) Key Authentication

Key: a unique piece of information that authenticates the data in a transaction.
Key authentication: the destination host requires the source host of a transaction to present a key for the transaction.
Key server: a server that validates requests for transactions between hosts by giving out keys.

Exchange between Source (S), Key Server (K) and Destination (D):

1. S requests remote login to D.
2. S requests a key from K.
3. K validates the request.
4. K sends a key to S.
5. S requests login to D with the valid key.
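The five-step exchange between S, K and D, simulated as an added Python example (not code from the original slides). The page gives the steps but no concrete key construction, so the one here is my own simplified ticket: K shares a long-term secret with each destination and issues S a key = HMAC-SHA256(secret_D, "S|D|expiry"), which D verifies by recomputing it; S never learns secret_D. Unlike Kerberos there is no authenticator proving that the presenter really is S, so the key has to travel over a protected channel and is kept short-lived. All names are mine.

```python
"""Key-server authentication between Source (S), Key Server (K) and Destination (D).

Added example, not part of the original slides. Simplified ticket construction
(my assumption): K and each destination share a long-term secret; the key K
issues is HMAC-SHA256(secret_D, "S|D|expiry"), which D can recompute.
"""

import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple


def _key_for(secret: bytes, source: str, dest: str, expiry: int) -> str:
    return hmac.new(secret, f"{source}|{dest}|{expiry}".encode(), hashlib.sha256).hexdigest()


class KeyServer:
    """K: validates requests (step 3) and hands out transaction keys (step 4)."""

    def __init__(self) -> None:
        self._dest_secrets: Dict[str, bytes] = {}
        self._allowed: Set[Tuple[str, str]] = set()  # (source, dest) pairs permitted to log in

    def register_destination(self, dest: str, secret: bytes) -> None:
        self._dest_secrets[dest] = secret

    def allow(self, source: str, dest: str) -> None:
        self._allowed.add((source, dest))

    def issue_key(self, source: str, dest: str, now: int, lifetime_s: int = 300) -> Dict:
        if (source, dest) not in self._allowed or dest not in self._dest_secrets:
            raise PermissionError(f"{source} may not log in to {dest}")
        expiry = now + lifetime_s
        return {"source": source, "dest": dest, "expiry": expiry,
                "key": _key_for(self._dest_secrets[dest], source, dest, expiry)}


class Destination:
    """D: accepts a login only with a key K issued for this S, D and time window (step 5)."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self._secret = name, secret

    def accept_login(self, ticket: Dict, now: int) -> bool:
        if ticket["dest"] != self.name or now > ticket["expiry"]:
            return False
        expected = _key_for(self._secret, ticket["source"], self.name, ticket["expiry"])
        return hmac.compare_digest(expected, ticket["key"])  # constant-time comparison


def run_exchange(now: int) -> Dict[str, bool]:
    """Steps 1-5 for S -> D, plus two tickets D must reject: a tampered one and a stale one."""
    d_secret = secrets.token_bytes(32)
    k = KeyServer()
    k.register_destination("D", d_secret)
    k.allow("S", "D")
    d = Destination("D", d_secret)
    ticket = k.issue_key("S", "D", now)             # steps 2-4
    forged = dict(ticket, source="Mallory")         # S changed without K: HMAC no longer matches
    return {"valid": d.accept_login(ticket, now),  # step 5
            "forged": d.accept_login(forged, now),
            "expired": d.accept_login(ticket, now + 301)}


if __name__ == "__main__":
    print(run_exchange(1_700_000_000))  # valid True, forged False, expired False
```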

(5) Encryption

Cryptography / Encryption

Encryption: encoding, scrambling, or enciphering the plaintext information to be sent.
Encryption algorithm: the method performed in encryption.
Encryption key: a stream of bits that controls the encryption algorithm.
Plaintext: the text which is to be encrypted.
Ciphertext: the text after encryption is performed.

Figure: Encryption / Decryption. The plaintext "Dear John: I am happy to know..." is transformed by the encryption algorithm under the encryption key into the ciphertext "atek49ffdlffffeffdsfsfsff ...", sent across the network, and transformed back into the plaintext by the decryption algorithm under the decryption key.

Encryption Techniques

Private key encryption: encryption key = decryption key. Also called symmetric-key encryption, secret-key encryption, or conventional cryptography.
Public key encryption: encryption key ≠ decryption key. Also called asymmetric encryption.

Private Key Encryption: DES (Data Encryption Standard)

- Adopted by the U.S. Federal Government.
- Both the sender and the receiver must know the same secret key to encrypt and decrypt messages with DES.
- Operates on 64-bit blocks with a 56-bit key.
- DES is a fast encryption scheme and works well for bulk encryption.
- Issue: how to deliver the key to the sender safely?
- Caveat: the 56-bit key is far too short by today's standards. A DES key was recovered by exhaustive search in 1998 (the EFF "Deep Crack" machine, in under three days) and DES was withdrawn as a U.S. federal standard in 2005; it should not be used for new systems.

Symmetric Key in DES

Other Symmetric Key Encryption Techniques
- 3DES (Triple DES)
- RC2, RC4 (RC4 is likewise deprecated today; its use in TLS is prohibited by RFC 7465)
- IDEA (International Data Encryption Algorithm)

Key Size Matters!

Figure: information lifetime (hours, years, decades, centuries) versus attacker budget ($100s, $10K, $1M, $10M, $100M) for 40-bit, 56-bit and 168-bit keys (168-bit Triple-DES recommended for commercial and corporate information).

Public Key Encryption: RSA

- The public key is disseminated as widely as possible. The secret key is known only by the receiver.
- Named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman.
- RSA is well established as a de facto standard.
- RSA is fine for encrypting small messages.

Asymmetric Key in RSA

Comparable key lengths:

Symmetric cipher (conventional)   Asymmetric (RSA/D-H)
40 bits                           274 bits
56 bits                           384 bits
64 bits                           512 bits
80 bits                           1024 bits
96 bits                           1536 bits
112 bits                          2048 bits
120 bits                          2560 bits
128 bits                          3072 bits
192 bits                          10240 bits

Average Time for Exhaustive Key Search

Key length   Number of possible keys    Time required at 1 encryption/µs   Time required at 10^6 encryptions/µs
32 bits      2^32 = 4.3 × 10^9          2^31 µs = 36 min                   2 ms
56 bits      2^56 = 7.2 × 10^16         2^55 µs = 1142 years               10 hours
128 bits     2^128 = 3.4 × 10^38        2^127 µs = 5 × 10^24 years         5 × 10^18 years

Figure: performance versus key length.

Hybrid Encryption Technology: PGP (Pretty Good Privacy)

Hybrid encryption technique:
1. First compress the plaintext.
2. Then create a session key, which is a one-time-only secret key.
3. Using the session key, apply a fast conventional encryption algorithm to encrypt the plaintext.
4. The session key is then encrypted to the recipient's public key.
5. This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.

PGP Encryption

PGP Decryption
1. The recipient uses its private key to recover the temporary session key.
2. The session key is used to decrypt the conventionally encrypted ciphertext.

Digital Signatures

Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also to verify that the information is intact.

Public key digital signatures provide: authentication, data integrity, non-repudiation.
Technique: public key cryptography.

Simple Digital Signatures

Secure Digital Signatures

Maintaining the Secure Access Points

Locate potential and actual security breaches: audit trail; security test programs.

Attaching to a Public Network

- No access
- Full access: all individual computers should have security management.
- Limited access: use a firewall to enforce security between the private and public networks.

Firewall

A firewall is a combination of hardware and software used to control communication between the internal and external networks.

Firewall architectures: packet filtering firewall, dual-homed host firewall, screened host firewall, screened subnet firewall.

http://www.movies.acmecity.com/silent/6/doc/fwppt.zip

VPN (Virtual Private Network)

A VPN builds, by virtual means, a private network capable of secret communication on top of a public data network. Public data networks used by VPNs: X.25, Frame Relay, ATM, Internet.

VPN technologies:
- Tunneling: IPSec (IP Security), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol). PPTP's MS-CHAPv2 authentication has known practical attacks; IPSec with IKE is the practitioner's choice today.
- Encryption/decryption: private/public/hybrid key encryption
- Key management: SKIP (Simple Key Management for IP), IKE (ISAKMP/Oakley)
- User and device authentication: username/password + token number; X.509 certificate issued by a Certificate Authority (CA)

Accounting Management

Tracking each individual and group user's utilization of network resources to better ensure that users have sufficient resources. Enables charges to be established for the use of network resources, and the costs of using those network resources to be identified.

Accounting Management Sub-Categories and Related Activities

Gather Network Device Utilization Data
- Measure usage of resources by cost center
- Set quotas to enable fair use of resources
- Site metering to track adherence to software licensing

Bill Users of Network Resources
- Set charges based on usage
- Measure one of the following: number of transactions, number of packets, number of bytes
- Set charges on the direction of information flow

Use of Accounting Management Tools
- Query the usage database to measure statistics versus quotas
- Define network billing domains
- Implement automatic billing based on usage by users in the domain
- Enable billing predictions
- Enable user selection of billing domains on the network map

Reporting
- Create historical billing trends
- Automatic distribution of billing to cost centers
- Project future billings by cost center

Accounting Management Terms

Metrics: measurement of the network resources used.
Quotas: the amount of a network's resources allowed for a user or group.
Billing: the process of charging users for the use of the data network and its associated services.

Charging Methods
- One-time installation fee and monthly fees
- Fee based on the amount of network resources consumed: total number of transactions, total packets, total bytes sent, total bytes received
- Fee based on the amount of time (for dial-up serial links)
Which method is more reasonable?

Accounting Management Functions of an NMS
- Monitor for any metric that exceeds a quota
- Store metric data in the NMS database
- Report the metric data that exceeds a quota
- Use the database's "trigger" ability to generate reports automatically
- Perform network billing
- Determine where to poll for billing information
- Forecast the need for network resources, to establish reasonable metrics and quotas and to predict network billing costs for users
- Generate accounting reports

Billing Process Example
1. Get the network topology from the DBMS
2. Get the region the user selected on the network map
3. Determine the devices in the region
4. Find the devices to query (with the aid of the user's input)
5. Get billing information
6. Get pricing information
7. Get the polling rate
8. Start performing queries and calculations

Management Tools

Network Management Configurations

Centralized configuration: management is centralized at the network management station on the backbone network.
Distributed configuration: the LANs are managed by a local NMS, while an NMS host connects to the backbone network.

Centralized Network Management

Figure 3-2: Centralized Network Management. A single NMS sits on the backbone; each LAN (LAN 1, LAN 2, LAN 3, attached through backbone nodes 1-3) contains router, hub, workstation (WS) and probe agents. Probe = remote monitor, NMS = network management system, WS = workstation.

Distributed Network Management

Figure 3-3: Distributed Network Management. Each LAN (LAN 1, LAN 2, LAN 3) has its own local NMS managing its router, hub, workstation (WS) and probe agents, and a further NMS is attached to the backbone. Probe = remote monitor, NMS = network management system, WS = workstation; dashed lines = in-band or out-of-band management communication.

Selected Management Strategy