801 1115_06F9_c1
© 1999, Cisco Systems, Inc.
Evolution of Network Management Technologies, Session 801
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
How Can We?
We can evolve the network management infrastructure to solve today’s scaling, security, interoperability and service management challenges.
Agenda
• Current Challenges
• Network Management Evolution
• Summary
Fundamental Premise
Today’s networks require new management technologies that will have a significant impact on the management applications and network design.
Present Situation
• Multiservice, multilayer networks (diagram: VPN, Internet)
• Network Address Translation (NAT)
• Huge amounts of data to be managed
• High speed networking
Present Situation (Cont.)
• Transition to service management (diagram: Remote Office)
• Redundancy for high availability
• Cohesive security system for network, systems, and applications
Evolving Network Management Architecture
(diagram: User/CLI over Telnet and SSH; applications over SNMPv1/2/3, Tftp/RCP and LDAP; application-to-application exchange via CIM/XML; IPSec)
Command Line Interface
• Primary configuration interface
• Used through telnet by users and applications (diagram: User, Telnet, SSH)
• Highest level of configuration, monitoring, troubleshooting
Issues—Open to Attack…
(diagram: a telnet login to rtr-1 as user "dan", with the username and password readable on the wire; the threats illustrated are Snooping, Impersonation ("I'm Bob, please print out all of the enable passwords"), Loss of Integrity (Set ACL / Remove ACL), and Denial of Service (CPU))
Solution—Secure Shell (SSH)
• Developed to solve telnet weaknesses
• Strong authentication
• Encryption
• CLI over SSH
Public/Private Key Authentication
(cartoon: the challenge "I dare you to say 'Shazam'" is answered correctly only by the holder of the matching private key; the answer from a party without that key is rejected, "Idiot!")
Deploying SSH
• SSH server will be in Cisco IOS® 12.x
• SSH clients are available today (commercially or for noncommercial use)
• Don't go overboard!
• See http://www.ietf.org/html.charters/secsh-charter.html
Management Security
• Secure transport for multiple management protocols required
• Securing SNMP, TFTP, telnet, etc. (diagram: IPSec)
• Secure access to NMS
Issues—Security
• Lack of consistent security approach for device, application, and user access
• Extranet environments require multiorganization NMS approach
• Multiple management protocols, some have no security (e.g. tftp)
Solution—IPSec
(diagram: traffic from the Management System to the device is encrypted; all other traffic, from Mary's PC, the HR Server and the E-Mail Server, stays cleartext)
Using IPSec
(diagram: encrypted tunnels across the Intranet/Internet; the tunnel terminates at the agent on the Managed Device)
• Build tunnels between client and managed device or closest router
• Use ACLs to direct traffic across the tunnel
Six Basic Steps of IPSec Configuration
• Define IKE Policy
• Configure CA Support or Manual Keys
• Create Crypto Access-List
• Define Transform Sets
• Create Crypto Maps
• Apply Crypto Maps to Interfaces
It Isn't That Bad!
• Once CA is set up, the rest is easy!
• IRE client (from Cisco) does much of the end-system work
• Solaris requires public domain IPSec, or wait for enhancements to Solaris
SNMP Management
• "The" protocol for retrieving information
• MIB semantics defines "what" can be communicated
• Unsolicited and unconfirmed traps
• Simple protocol and data model
(diagram: SNMPv1/2/3)
Issues—SNMP
• SNMPv1 showing its age
• Large counters (gigabit), security, bulk information
• Poor WAN protocol
• Can the industry evolve the standard?
Solution—SNMPv3
• Security: User Security Model (USM)
  Authenticates users
  Multiple user/administrative levels
  Encrypts PDUs
  Addresses SNMP security issue
Solution—SNMPv3
• Additional features
  Distributed management
  Confirmed notifications
  Extends reach?
  64-bit counters
  Bulk data retrieval
SNMP Protocol Formats
SNMPv1 message: msgVersion | community | PDU
SNMPv3 message: msgVersion | msgID | msgMaxSize | msgFlags | msgSecurityModel | msgAuthoritativeEngineID | msgAuthoritativeEngineBoots | msgAuthoritativeEngineTime | msgUserName | msgAuthenticationParameters | msgPrivacyParameters | contextEngineID | contextName | PDU
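To make the USM slides concrete (the "Authenticates users" point and the msgAuthenticationParameters field in the SNMPv3 format), here is an added example that is not part of the Cisco deck: it derives the per-engine localized authentication key the way RFC 3414 specifies and computes the 12-octet HMAC-96 authentication parameter. The key-derivation vectors are RFC 3414's own ("maplesyrup" with engine ID ending in 02); the message bytes fed to the HMAC are a constructed placeholder, not a real BER-encoded SNMPv3 packet.

```python
import hashlib
import hmac

ONE_MIB = 1048576  # RFC 3414 A.2: hash the password stream expanded to exactly 1 MiB


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated (cycled) until 1,048,576 bytes."""
    pw = password.encode("ascii")
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul: H(Ku || snmpEngineID || Ku). Each authoritative engine gets a different
    key, so a key recovered from one agent does not authenticate to another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_auth_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_params(kul: bytes, wire_msg: bytes, hash_name: str = "md5") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (that field is
    zero-filled while computing), truncated to the first 12 octets (HMAC-96)."""
    return hmac.new(kul, wire_msg, hash_name).digest()[:12]


def verify_auth(kul: bytes, wire_msg: bytes, received: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_params(kul, wire_msg, hash_name), received)


# RFC 3414 Appendix A test vector: password "maplesyrup", 12-octet engine ID ...02
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    kul = usm_auth_key("maplesyrup", RFC_ENGINE_ID)
    print("localized MD5 key:", kul.hex())
    # Constructed sample message (not a real BER-encoded SNMPv3 PDU), with the
    # 12 zero octets standing in for the not-yet-filled authentication field
    msg = b"constructed-snmpv3-message" + b"\x00" * 12
    tag = auth_params(kul, msg)
    print("msgAuthenticationParameters:", tag.hex(), "valid:", verify_auth(kul, msg, tag))
```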
Cisco's SNMP Evolution
• SNMPv1 in all devices
• SNMPv2c introduced into Cisco IOS routers
• Cisco IOS 12.0(3)T supports SNMPv3 USM
• Cisco applications use SNMPv1 and sometimes V2 SMI (Gigabit interfaces)
Application Data Exchange
• Structured method of exchanging information
• Multisystem, multivendor interoperability (diagram: Appl <-> CIM/XML <-> Appl)
• Durable, supports mix and match application versions
Issues—Application Data Exchange
• SQL interfaces subject to schema redefinition and proprietary to each vendor
• SNMP data model not robust enough for reliable app-to-app communication
• Platform approach has not resulted in any solution
Solution—CIM + XML
• CIM = Common Information Model
  CIM 2.1 ratified (physical network)
  CIM 2.2 going to ballot (logical network and users)
• Provides open schema to describe objects
• Enables application interoperability without APIs
CIM Data Model
(class diagram: LogicalElement with subclasses Service, LogicalDevice and System; System carries CreationClassName: string [key], NameFormat: string, Name: string [key], PrimaryOwnerName: string, PrimaryOwnerContact: string, Roles: string [ ]; associations HostedService, HostedBootService, HostedClusterService, SystemDevice, ComponentCS, ParticipatingCS, InstalledOS and RunningOS link System, ComputerSystem, ApplicationSystem, BootService, ClusterService, StorageExtent, Processor, Memory, OperatingSystem and Cluster; UnitaryComputerSystem carries InitialLoadInfo: string [ ], LastLoadInfo: string, ResetCapability: uint16, PowerMgmtSupported: boolean, PowerMgmtCapabilities: uint16 [ ], PowerState: uint16 and the method SetPowerState([IN] uint16 PowerState, [IN] datetime Time): uint32; Cluster carries Interconnect: string, InterconnectAddress: string, Types: uint16 [ ], MaxNumberOfNodes: uint32, ClusterState: uint16)
CIM Example: Inventory Data
(diagram: CIM <-> CIM)
////////////////////////////////////////////////////////
// Device: nmcpw1601.cisco.com
////////////////////////////////////////////////////////
instance of DEN_NetworkElement {
    DeviceId = "133";
    CommonName = "nmcpw1601";
    DNSName = "cisco.com";
    Description = "";
};
Sample Inventory Data
instance of DEN_NetworkPort {
    CIM_PhysicalElementID = "143";
    CommonName = "ethernetCsmacd";
    Description = "CiscoPro EtherSwitch CPW1601 HW Rev 5; SW 2.0(1) (Oct 15 1996 11:17:49)";
    Status = "up";
    MACAddress = "00:80:24:38:9c:90";
    NetworkAddress = "";
};
Transporting CIM: XML!
• XML = eXtensible Markup Language
• Over HTTP, XML enables access to CIM objects
• Enables mixed vendor, distributed server environments!
(diagram: CIM data carried as XML over HTTP/HTTPS)
Sample Inventory Data with XML
(slide fragment: WBEM_ROUTER_2 ROOT CIMV2 CIM_ManagedSystemElement)