22 research outputs found

    A study of SNMP developments regarding to security and performance

    Telecommunication network availability is essential for all companies because their income is directly related to it. Because of this, network management systems have also become essential, but most network administrators regard management information as useless to others, so securing the management data is not considered. The main goal of this article is to show the importance of network management data and to stimulate the use of security in network management systems. The good performance of network management systems is also important; therefore, some tests are performed to verify how heavily the performance of the network and the network manager can be impaired by the use of cryptographic algorithms, and especially by the AES cryptographic standard, in order to study the viability of combining SNMPv3 with AES. These tests are taken as a preview of a Broadband Power Line Network Management pilot project that is being implemented in the main electrical power transmission company in Goiás, Brazil.
    Workshop de Arquitecturas, Redes y Sistemas Operativos (WARSO); Red de Universidades con Carreras en Informática (RedUNCI)

    Performance Evaluation of SNMPv1/2c/3 using Different Security Models on Raspberry Pi

    The Simple Network Management Protocol (SNMP) is one of the dominant protocols for network monitoring and configuration. The first two versions of SNMP (v1 and v2c) use the Community-based Security Model (CSM), where the community is transferred in clear text, resulting in a low level of security. With the release of SNMPv3, the User-based Security Model (USM) and Transport Security Model (TSM) were proposed, with strong authentication and privacy at different levels. The Raspberry Pi family of Single-Board Computers (SBCs) is widely used for many applications. To help their integration into network management systems, it is essential to study the impact of the different versions and security models of SNMP on these SBCs. In this work, we carried out a performance analysis of SNMP agents running in three different Raspberry Pis (Pi Zero W, Pi 3 Model B, and Pi 3 Model B+). Our comparisons are based on the response time, defined as the time required to complete a request/response exchange between a manager and an agent. Since we did not find an adequate tool for our assessments, we developed our own benchmarking tool. We did numerous experiments, varying different parameters such as the type of requests, the number of objects involved per request, the security levels of SNMPv3/USM, the authentication and privacy protocols of SNMPv3/USM, the transport protocols, and the versions and security models of SNMP. Our experiments were executed with Net-SNMP, an open-source and comprehensive distribution of SNMP. Our tests indicate that SNMPv1 and SNMPv2c have similar performance. SNMPv3 has a longer response time, due to the overhead caused by the security services (authentication and privacy). The Pi 3 Model B and Pi 3 Model B+ have comparable performance, and significantly outperform the Pi Zero W

    An SNMP filesystem in userspace

    Modern computer networks are constantly increasing in size and complexity. Despite this, data networks are a critical factor for the success of many organizations. Monitoring their health and operation status is fundamental, and is usually performed through specific network management architectures, developed and standardized in the last decades. On the other hand, file systems have become one of the best-known paradigms of human-computer interaction, and have been around since the early days of the personal computer industry. In this paper we propose a file system interface to network management information, allowing users to open, edit and visualize network and systems operation information

    Harmonizing computer network monitoring (Tietoverkkojen valvonnan yhdenmukaistaminen)

    As modern society becomes increasingly dependent on computer networks, especially as the Internet of Things gains popularity, the need to monitor computer networks and their associated devices increases. Additionally, the number of cyber attacks is increasing, and certain malware such as Mirai targets network devices in particular. In order to monitor computer networks and devices effectively, effective solutions are required for collecting and storing the information. This thesis designs and implements a novel network monitoring system. The presented system is capable of utilizing state-of-the-art network monitoring protocols and harmonizing the collected information using a common data model. This design allows effective queries and further processing of the collected information. The presented system is evaluated by comparing it against the requirements imposed on it, by assessing the amount of harmonized information using several protocols, and by assessing the suitability of the chosen data model. Additionally, the protocol overheads of the network monitoring protocols used are evaluated. The presented system was found to fulfil the imposed requirements. Approximately 21% of the information provided by the chosen network monitoring protocols could be harmonized into the chosen data model format. The result is sufficient for effective querying and combining of the information, as well as for processing the information further. The result can be improved by extending the data model and improving the information processing. Additionally, the chosen data model was shown to be suitable for the use case presented in this thesis.

    Converting CORBA Based Fault Management to SNMP

    Fault management involves tasks that enable the detection, isolation and correction of abnormal operation of the telecommunication network. The telecommunications management network architecture of ITU-T consists of five layers, of which the bottom two, the element management layer and the network element layer, are focused on the management of network elements. For fault management tasks at these layers, several protocols have been utilised. CORBA based fault management has been common in network elements and element management systems utilising solution sets of 3GPP. But as the telecommunications industry moves towards an all-IP world, SNMP has yet again become the predominant protocol for monitoring network elements. A network operator looking into unifying the fault management of its network could consider converting its CORBA based network elements to use SNMP. This thesis studies the requirements and details of this kind of conversion. With a literature study, aspects of fault management and a comparison of CORBA and SNMP are scoped for designing a CORBA-SNMP converter. A proof of concept for the conversion is obtained with a simplified implementation. The implementation shows that a converter is quite easy to construct, and that the converter can operate on the operating principle of either CORBA or SNMP. The converter is also able to provide fault management unification without adding considerable delay, straining bandwidth usage or consuming large amounts of memory. The results of this thesis give grounds for studying the proposed concepts further and for broadening the converter to cover configuration management, though for configuration management SNMP may not be the preferred protocol

    An entity access control model for network services management

    The Network Services Management Framework tries to overcome the most important limitations of present network management frameworks, namely the most widely supported framework – the Internet Network Management Framework – by defining a management framework using a distributed network services management architecture that provides services management functions with any desired level of functionality. This document introduces one of the most important parts of this framework, the Entity Access Control Model, and the mechanisms needed for its deployment: management entities and management domains, entity access and resources control management, and security mechanisms (authentication, data integrity verification, confidentiality and non-repudiation assurances). This model, although originally developed to be integrated into the Network Services Management Framework, can be completely integrated or partially adopted by other frameworks, since it supports a wide range of conceptual and functional requisites recognised to be fundamental to the future of modern distributed network management frameworks

    A mid-level framework for independent network services configuration management

    Doctoral thesis of the Doctoral Programme in Telecommunications.
    Decades of evolution in communication networks have resulted in a high diversity of solutions, not only in terms of network elements but also in terms of the way they are managed. From a management perspective, having heterogeneous elements was a feasible scenario over the last decades, where management activities were mostly considered as additional features. However, with the most recent advances in network technology, which include proposals for the future Internet as well as requirements for automation, scale and efficiency, new management methods are required and integrated network management has become an essential issue. Most recent solutions aiming to integrate the management of heterogeneous network elements rely on the application of semantic data translations to obtain a common representation between heterogeneous managed elements, thus enabling their management integration. However, semantic translations are very complex to achieve effectively, requiring extensive processing of data to find equivalent representations, besides requiring the administrator's intervention to create and validate conversions, since contemporary data models lack a formal semantic representation. From these constraints a research question arose: Is it possible to integrate the configuration management of heterogeneous network elements without the use of management translations? In this thesis the author uses a network service abstraction to propose a framework for network service management, which comprehends the two essential management operations: monitoring and configuring. This thesis focuses on describing and experimenting with the subsystem responsible for network services configuration management, named Mid-level Network Service Configuration (MiNSC), which is the thesis's most important contribution. The MiNSC subsystem proposes a new configuration management interface for integrated network service management, based on standard technologies, that includes a universal information model implemented on unique data models. This overcomes the use of management translations while providing advanced management functionalities, only available in more advanced research projects, which include scalability and resilience improvement methods. Such functionalities are provided by using a two-layer distributed architecture, as well as over-provisioning of network elements. To demonstrate MiNSC's management capabilities, a group of experiments was conducted that included configuration deployment, instance migration and expansion, using a DNS management system as test bed. Since MiNSC represents a new architectural approach, with no direct reference for a quantitative evaluation, a theoretical analysis was conducted in order to evaluate it against important integrated network management perspectives. It was concluded that there is a tendency to apply management translations, as they are the most straightforward solution when integrating the management of heterogeneous management interfaces and/or data models. However, management translations are very complex to realize, and their effectiveness is questionable for highly heterogeneous environments. The implementation of MiNSC's standard configuration management interface provides a simplified perspective that, by using universal configurations, removes translations from the management system. Its distributed architecture uses independent/universal configurations and over-provisioning of network elements to improve the service's resilience and scalability, while also enabling more efficient resource management by dynamically allocating resources as needed