
    Secure Configuration and Management of Linux Systems using a Network Service Orchestrator.

    Manual management of the configuration of network devices and computing devices (hosts) is an error-prone task. Centralized automation of these tasks can lower the costs of management, but can also introduce unknown or unanticipated security risks. Misconfiguration, whether deliberate (by outsiders) or inadvertent (by insiders), can expose a system to significant risks. Centralized network management has seen significant progress in recent years, resulting in model-driven approaches that are clearly superior to previous "craft" methods. Host management has seen less development; the tools available have developed in separate, task-specific ways. This thesis explores two aspects of the configuration management problem for hosts: (1) implementing host management using the model-driven (network) management tools; (2) establishing the relative security of traditional methods and the above proposal for model-driven host management. It is shown that the model-driven approach is feasible, and that the security of the model-driven approach is significantly higher than that of existing approaches.

    Harmonization of Computer Network Monitoring (Tietoverkkojen valvonnan yhdenmukaistaminen)

    As modern society is increasingly dependent on computer networks, especially as the Internet of Things gains popularity, the need to monitor computer networks along with their associated devices increases. Additionally, the number of cyber attacks is increasing, and certain malware, such as Mirai, targets network devices in particular. In order to monitor computer networks and devices effectively, effective solutions are required for collecting and storing the information. This thesis designs and implements a novel network monitoring system. The presented system is capable of utilizing state-of-the-art network monitoring protocols and harmonizing the collected information using a common data model. This design allows effective queries and further processing of the collected information. The presented system is evaluated by comparing it against the requirements imposed on it, by assessing the amount of harmonized information using several protocols, and by assessing the suitability of the chosen data model. Additionally, the protocol overheads of the network monitoring protocols used are evaluated. The presented system was found to fulfil the imposed requirements. Approximately 21% of the information provided by the chosen network monitoring protocols could be harmonized into the chosen data model format. The result is sufficient for effective querying and combining of the information, as well as for processing the information further. The result can be improved by extending the data model and improving the information processing. Additionally, the chosen data model was shown to be suitable for the use case presented in this thesis.

    As society becomes increasingly networked, especially with the growing popularity of the Internet of Things, the need to monitor the state of both the network and the devices connected to it, and possible anomalous situations, grows. In addition, the number of network attacks is increasing, and various malware such as Mirai are aimed specifically at network devices. In order to monitor the state of the network and its devices, effective solutions are needed for collecting and storing information. This thesis designs and implements a network monitoring system that makes it possible to use a variety of network monitoring protocols for data collection. In addition, the system stores the collected information using a unified data model. The use of a unified data model enables effective further processing of the information and queries over its contents. The properties of the system presented in the thesis are evaluated by examining what portions of the information offered by the different network monitoring protocols can be harmonized into the data model, whether the chosen data model is suitable for network monitoring, and by verifying that the presented system fulfils the requirements set for it. In addition, the thesis evaluates the fixed transport costs of the network monitoring protocols used, such as headers. The system presented in the thesis was found to fulfil the requirements set for it. On average, 21% of the information offered by the different network monitoring protocols could be harmonized into the data model. The achieved proportion is sufficient for the information obtained from different devices to be combined and queried effectively. The figure can be improved in the future by extending the data model and by developing the processing of the collected information. In addition, the chosen data model was found to be suitable for the purpose of this thesis.

    Performance Evaluation of SNMPv1/2c/3 using Different Security Models on Raspberry Pi

    The Simple Network Management Protocol (SNMP) is one of the dominant protocols for network monitoring and configuration. The first two versions of SNMP (v1 and v2c) use the Community-based Security Model (CSM), where the community string is transferred in clear text, resulting in a low level of security. With the release of SNMPv3, the User-based Security Model (USM) and Transport Security Model (TSM) were proposed, with strong authentication and privacy at different levels. The Raspberry Pi family of Single-Board Computers (SBCs) is widely used for many applications. To help their integration into network management systems, it is essential to study the impact of the different versions and security models of SNMP on these SBCs. In this work, we carried out a performance analysis of SNMP agents running on three different Raspberry Pis (Pi Zero W, Pi 3 Model B, and Pi 3 Model B+). Our comparisons are based on the response time, defined as the time required to complete a request/response exchange between a manager and an agent. Since we did not find an adequate tool for our assessments, we developed our own benchmarking tool. We did numerous experiments, varying different parameters such as the type of requests, the number of objects involved per request, the security levels of SNMPv3/USM, the authentication and privacy protocols of SNMPv3/USM, the transport protocols, and the versions and security models of SNMP. Our experiments were executed with Net-SNMP, an open-source and comprehensive distribution of SNMP. Our tests indicate that SNMPv1 and SNMPv2c have similar performance. SNMPv3 has a longer response time, due to the overhead caused by the security services (authentication and privacy). The Pi 3 Model B and Pi 3 Model B+ have comparable performance, and significantly outperform the Pi Zero W.

    SDN Architecture and Southbound APIs for IPv6 Segment Routing Enabled Wide Area Networks

    The SRv6 architecture (Segment Routing based on the IPv6 data plane) is a promising solution to support services like Traffic Engineering, Service Function Chaining and Virtual Private Networks in IPv6 backbones and datacenters. The SRv6 architecture has interesting scalability properties, as it reduces the amount of state information that needs to be configured in the nodes to support the network services. In this paper, we describe the advantages of complementing the SRv6 technology with an SDN-based approach in backbone networks. We discuss the architecture of an SRv6-enabled network based on Linux nodes. In addition, we present the design and implementation of the Southbound API between the SDN controller and the SRv6 device. We have defined a data model and four different implementations of the API, based respectively on gRPC, REST, NETCONF and a remote Command Line Interface (CLI). Since it is important to support both the development and testing aspects, we have realized an Intent-based emulation system to build realistic and reproducible experiments. This collection of tools automates most of the configuration aspects, relieving the experimenter from a significant effort. Finally, we have carried out an evaluation of some performance aspects of our architecture and of the different variants of the Southbound APIs, and we have analyzed the effects of the configuration updates in the SRv6-enabled nodes.

    Cloud-Native Realization of Network Configuration Protocol

    Many telecommunication companies aim to support the Network Configuration Protocol (NETCONF) to manage their large networks in a cloud-native environment. The NETCONF protocol provides automation and security using permanent SSH and TLS connections, while cloud-native deployment brings scalability advantages. However, supporting the NETCONF protocol in a cloud-native environment presents challenges, since the NETCONF protocol is not stateless. This thesis implements a proof of concept for cloud-native NETCONF and investigates the issues of such an implementation. The approach in this thesis is to have two implementations in a cloud-native environment: standard NETCONF and NETCONF Call Home. A solution is applied together with these implementations by terminating the permanently established sessions at the end of messaging. The evaluations are made by analysing a varying number of connections and events per connection in both implementations. Based on the evaluation of the proof of concept, the results indicate that terminating the established NETCONF sessions at the end of messaging is an operable solution. However, it is also observed that throughput and CPU could be limitations for such an implementation in a cloud-native environment. In addition, it must be considered that the authentication time depends on the chosen security provider.

    Centralized model driven trace route mechanism for TCP/IP routers : Remote traceroute invocation using NETCONF API and YANG data model

    In recent years, utilizing programmable APIs and YANG data models for service configuration and monitoring of TCP/IP open network devices from a centralized network management system, as an alternative to SNMP-based network management solutions, has gained popularity among service providers and network engineers. However, both SNMP and YANG lack any data model for tracing the routes between different routers inside and outside the network, which has not been addressed. Having a centralized traceroute tool provides a central troubleshooting point in the network: rather than having to individually connect to each router terminal, traceroute can be invoked remotely on different routers, and the responses can be collected on the network management system. The aim of this thesis is to develop a centralized traceroute tool called Trace that invokes the traceroute CLI tool with a unique syntax from a centralized network management system on a TCP/IP router, traces the hops and BGP AS, measures the RTT between a router and a specific destination, and returns the response back to the network management system. It also evaluates the possibility of utilizing this traceroute tool along with YANG-based network management solutions. This implementation has shown that YANG-based data models enable a unique syntax on the network management system for invoking the traceroute command on different TCP/IP devices. This unique syntax can be used to invoke the traceroute CLI command on routers with different operating systems. The evaluation has shown that using NETCONF as an API between the network management system and the network devices enables Trace to be utilized in YANG- and NETCONF-based network management solutions.

    An ICT-oriented Management Solution for NGNs

    The NGN architecture reused several standards from the IP world, as exemplified by the Session Initiation Protocol (SIP), which is ubiquitous in the majority of these network components. However, the NGN management architecture simply presented a very generic management model that follows TMN. Several management technologies have been proposed, such as Web services, CORBA and SNMP, to implement management solutions. Network and systems management standardizing bodies currently promote newer technologies that aim to solve the known shortcomings of these. This paper proposes a management solution for NGNs based on recent IP-world technologies. The presented solution was implemented in the form of a middleware to manage NGN elements. This middleware was used in the management of an element belonging to the IP Multimedia Subsystem platform, namely the Policy and Charging Rules Function.

    An IDE for NETCONF management applications

    The development of network and system management software typically requires the definition of data models, the creation of specific applications respecting the data model, and the implementation of communication interfaces. Skilled professionals usually perform such tasks in a predefined sequence and using different development solutions, but any error or omission in the data model frequently forces several time-consuming tasks to be repeated. In this paper we present an integrated development framework that simplifies the construction of NETCONF management applications, from data model specification to deployment and evaluation. The framework is available at http://atnog.av.it.pt/~ptavares/yangplugin.