8 research outputs found

    Using NETCONF-proxy server to integrate laboratory equipment into software-defined infrastructures

    The essential changes that have taken place over the past decade in the field of telecommunications impose new requirements on the management of laboratory complexes in educational institutions. The modern management concept "Infrastructure as Code" (IaC) calls for a single, universal approach to the programmatic management of all components of the communication and computing infrastructure. One of the most common ways to implement this approach is to represent the configurations of managed units as specially marked-up records that form a configuration management database. Control of the infrastructure components is then nothing more than a sequence of transactions performed on the records of this database, either locally or remotely by means of network management protocols. Implementing solutions based on modern universal protocols and network management tools becomes complicated when the controlled components do not support modern network management protocols and are separated by the institution's intranet. As one possible approach to solving these problems, we consider the use of gateway communication servers as part of the training classes, which are able to carry out dynamic configuration management of the special laboratory equipment of the training class and to provide information exchange between the components of the laboratory complex. The paper considers the choice of control protocols for the gateway server, as well as tools for managing communication infrastructures, and presents an implementation of this approach for integrating the special laboratory equipment of the IRIT RTF laboratory classes at Ural Federal University into a single software-defined laboratory complex. © Published under licence by IOP Publishing Ltd

    NETCONF-based monitoring support

    Master's degree in Computer and Telematics Engineering
    The need to manage network equipment has brought together standards bodies such as the IETF and the DMTF, the academic community and equipment manufacturers. The evolution of network characteristics, such as their size, the number and heterogeneity of interconnected devices, and the growing diversity of network services, has been changing management requirements and, consequently, creating the need for new technologies to manage these networks. The SNMP management technology emerged in the mid-1980s and, despite a number of defects that were quickly pointed out, rapidly became the de facto management technology, being ubiquitous in most network equipment and available in a multitude of APIs and management applications. Being a technology born within the IP network management community, it did not include other aspects of systems and service management, which the DMTF later incorporated into the WBEM technology following an integrated management approach. WBEM already includes web technologies to represent and encode management information, so as to promote interoperable management of equipment of different models and from different manufacturers. With the advent of Web services, and given their advantages of rapid development and interoperability, the standards bodies in the systems management area proposed new technologies such as OASIS's WSDM-MUWS and the DMTF's WS-MAN. To overcome the problems long attributed to SNMP, especially those related to its security and its lack of scalability for transporting large amounts of information, the IETF developed a new technology called NETCONF, which uses XML encoding and secure, reliable transport alternatives. It also standardized a language for describing management information, YANG, created specifically for use with this protocol. In this work, a monitoring solution was implemented using NETCONF technology, transporting management information over SOAP. This dissertation documents the implementation of the proposed NETCONF monitoring solution and its evaluation, comparing the characteristics and capabilities of the technology used with the SNMP and WBEM management technologies in terms of generated traffic, signalling efficiency and response times. From the analysis of these tests, conclusions are drawn about the performance of these protocols and the viability of NETCONF as a future solution for network management and monitoring.

    A Security Framework for Routing Protocols

    With the rise in Internet traffic surveillance and monitoring activities, the routing infrastructure has become an obvious target of attack, as compromised routers can be used to stage large-scale attacks. Routing protocols are also subject to various threats, such as capture and replay of packets that disclose network information, forged routing control messages that may compromise a connection by deception, disruption of an ongoing connection causing DoS attacks, and the spreading of unauthentic routing information in the network. Presently, strong cryptographic suites and key management mechanisms (IPsec and IKE) are available to secure host-to-host data communication, but none of them focus on securing routing protocols. Today's routing protocols use a shared secret to perform mutual authentication and authorization, and depend on manual keying methods. For message integrity, they rely on either a built-in or an external security feature that uses the same shared secret. The KARP working group of the IETF identified that work is required to tighten the security of routing protocols and showed that automated key management solutions are needed to increase security. Towards this goal, we propose the RPsec framework. RPsec provides a common baseline for the development of KMPs for routing protocols, supports both automated and manual key management, and overcomes the weaknesses of existing manual keying methods.

    Automatic management of network configurations: a deductive approach

    Managing computer networks is an increasingly complex and error-prone task. Past research has shown that between 40% and 70% of changes made to a network's configuration fail on their first use, and half of these failures are caused by a problem located elsewhere in the network. Network operators therefore face a common problem: how to ensure that a service installed on a customer's network works correctly and that the network itself is free of defects of any kind? Each time a new service is added to the network, the network engineer is thus responsible for a group of devices whose configurations are managed individually and manually. This operation has two goals: 1) implement the desired functionality; 2) preserve the correct operation of existing services, by avoiding conflicts between the new parameters and those already configured on the same network. The explosive growth in the number of devices, the complexity of configurations, the specific needs of each service, the sheer number of services a network must be able to support, and the fact that data generally crosses heterogeneous networks belonging to several operators make this task ever more difficult. The need for new approaches to the network configuration management problem is easy to understand. In our study, we used a formalism based on configuration logic, which offers several advantages, such as efficient and easy verification of the configurations of multiple devices and a clear separation between the specification of configuration constraints and their actual validation, as highlighted in the automatic configuration and configuration verification tool called ValidMaker. We also presented a generic data model for the configuration information of network devices that takes into account the heterogeneity of manufacturers and their versions. Concepts such as Meta-CLI were used to represent the configuration extracted from a device as a tree whose leaves represent the extracted parameters, so that certain complex properties can be tested and the remaining information deduced. Notwithstanding the fact that our results are based on and validated against the use cases and hardware configurations of a target company, the methodology could be applied to the equipment of any network service provider.

    New Information Technologies in the Study of Complex Structures: Proceedings of the Thirteenth International Conference, 7-9 September 2020

    The Thirteenth Conference with International Participation "New Information Technologies in the Study of Complex Structures" was held remotely from 7 to 9 September 2020. The proceedings are intended for use by information technology specialists in various fields of human activity, including computing and telecommunication systems, education, architecture and urban planning, nature conservation, healthcare, the development of artificial intelligence systems, and the study of discrete and stochastic control and communication structures.

    Unified and dynamic security management: a situation-driven framework

    A Security Management System (SMS) connects security requirements to the technical application domain. On the one hand, the SMS must allow the security administrator to translate security requirements into security configurations (referred to here as the enforcement process). On the other hand, it must provide the administrator with monitoring mechanisms (SIEMs, IDSs, log files, etc.) to verify that the current state of the system still complies with the security requirements (referred to here as the monitoring process). Today, guaranteeing that security requirements are met requires human intervention, because the enforcement and monitoring processes are not connected to each other. An SMS therefore cannot dynamically guarantee that security requirements are still satisfied when the behaviour of the system changes. As part of the European project PREDYKOT, we have worked on closing the management loop by feeding information about changes in the system's behaviour back into the enforcement process. This makes it possible to express and apply dynamic security policies that follow changes in the system's behaviour. However, many approaches exist for expressing and enforcing security policies. Each management solution is dedicated either to authorization issues or to security configuration issues, and each provides its own policy language, architectural model and management protocol. Closing the management loop, however, requires managing both authorizations and security configurations in a unified way. Our contribution addresses three main points. Monitoring feedback: the monitoring process captures the dynamic behaviour of the system through events, but each event on its own carries little meaning. We propose to consider events not individually but aggregated into situations, bringing more semantics to the state of the system. A situation links the relevant security requirements, the relevant behaviour changes and the relevant policy rules. A new management agent, called the situation manager, is responsible for managing the lifecycle of situations (beginning and end of a situation, etc.); we implemented it using complex event processing technology. Policy expression: we propose to use the concept of situation as the central element for expressing dynamic security policies. Security decisions can then be driven automatically by situations without changing the current rule. We apply the attribute-based access control approach to specify our policies, since its ability to represent everything in terms of attributes is a flexible way to express dynamic rules. This situation-oriented approach makes security rules easier both to write and to understand; being less technical, the policies are also closer to business needs. Management architecture: we present an event-driven management architecture that supports the enforcement of situation-driven security policies. Treating management messages as events makes the architecture independent of any particular management protocol. Consequently, it covers in a unified way both authorization and configuration (obligation) management approaches, under both the outsourcing and the provisioning policy control models. In addition, management agents are adaptable and can be dynamically upgraded with new management functionality as needed. Our framework has been fully implemented and is compliant with the OASIS XACMLv3 standard. Finally, we evaluated the generality of our approach across four scenarios.

    An Architecture for Network Management Using NETCONF and YANG
