CHEP2006
Network Information and Management Infrastructure
Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe Klemencic, Donna Lamore, Mark Leininger, Don Petravick, Vladimir Podstavkov, Randy Reitz
Fermi National Accelerator Laboratory

Challenges of FNAL LAN management
Specifics of FNAL network:
  Large
  Open, dynamic
  Exposed
Successful network and network security management requires coordinated cooperation of key players:
  Data Communications
  Computer Security
  Users
  Desktop support

What is NIMI?
NIMI stands for Network Information and Management Infrastructure
Hardware – 2 Linux servers
Database with quasi-real time network status data:
  PostgreSQL
Network Data Collector
Data access and application building framework:
  Python as programming language
  PostgreSQL as the database solution (Kerberized)
  SOAP as middleware communication mechanism
  Kerberos, X509 as authentication mechanisms
  Zope as Web interface development tool

Big Picture

NIMI Database
PostgreSQL based
Stores network state quasi-realtime data
Uses PostgreSQL backup functionality to make backups in 3 locations:
  Another disk on the same server
  Backup NIMI DB server
  FNAL CD Backup Server
Data is kept since March 2004
< 5GB on disk

NIMI Collector
Collects network state information from network devices
Stores data in NIMI Database and makes it available to applications
Information collected:
  DHCP leases (quasi-realtime)
  ARP tables (periodic polls)
  VPN sessions (periodic polls)
  Switch forwarding tables (periodic polls)

NIMI-Based Applications
Network Inventory: up-to-date inventory of network devices and services
Scanners:
  Configuration problems
  Software version monitoring
  Vulnerabilities
TIssue: Computer Security Issue Tracking workflow system, fed by scanners

Network Inventory
Provides up-to-date information about network devices present on the LAN
New node discovery:
  Periodic subnet pings (every 2 minutes)
  ARP tables (delayed up to 15 minutes)
Uses ping scans and ARP table data for node discovery
Collects information about OS version and services found on each computer
Most new nodes are scanned within 5 minutes
Helps optimize efficiency of other Scanners

Scanners
Run on Scanner Farm
Use data from Inventory Scanner to scan new nodes within 10-20 minutes of their arrival, and then re-scan them in a lazy manner as they stay online
Three areas:
  Vulnerabilities (Vulnerability Scanner)
  System misconfiguration
  Outdated software
Vulnerability Scanner uses nmap to detect vulnerabilities
Scanners supply events for TIssue
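The Network Inventory discovery feeds (ping sweeps, ARP tables, DHCP leases) and the Scanners' schedule (first scan 10-20 minutes after a node arrives, then lazy re-scans only while it stays online), as an added Python example that is not NIMI's own code. The observation tuple layout, the 15-minute staleness window and the doubling re-scan back-off are assumptions, marked as such in the comments.

```python
# Added example (not NIMI's own code): a NIMI-style node inventory and scan
# scheduler in Python, the language the slides name. The observation tuple
# layout, the 10-minute initial-scan target, the 15-minute staleness window
# and the doubling rescan back-off are assumptions; any addresses passed in
# are constructed. Times are Unix seconds, so the logic has no clock dependency.
from dataclasses import dataclass
from typing import Optional

INITIAL_SCAN_DELAY = 10 * 60   # slides: new nodes scanned within 10-20 minutes
STALE_AFTER = 15 * 60          # slides: ARP table data delayed up to 15 minutes
BASE_RESCAN = 20 * 60          # first lazy rescan interval (assumption)
MAX_RESCAN = 24 * 3600         # cap on the lazy rescan interval (assumption)

@dataclass
class Node:
    ip: str
    mac: Optional[str]
    first_seen: int
    last_seen: int
    next_scan: int
    scans: int = 0

def merge_observations(inventory, observations):
    """Fold Collector rows (source, ip, mac, seen_at) from ping sweeps, ARP
    tables or DHCP leases into the inventory; return newly discovered nodes."""
    new = []
    for _source, ip, mac, seen_at in observations:
        node = inventory.get(ip)
        if node is None:
            node = Node(ip, mac, seen_at, seen_at, seen_at + INITIAL_SCAN_DELAY)
            inventory[ip] = node
            new.append(node)
        else:
            node.last_seen = max(node.last_seen, seen_at)
            node.mac = node.mac or mac  # ping rows carry no MAC; ARP/DHCP fill it in
    return new

def due_for_scan(inventory, now):
    """IPs whose scan is due and that were seen within the staleness window;
    a host that has gone quiet is skipped instead of being scanned blindly."""
    return sorted(n.ip for n in inventory.values()
                  if n.next_scan <= now and now - n.last_seen <= STALE_AFTER)

def record_scan(node, now):
    """Lazy rescan policy: the interval doubles after every completed scan."""
    node.scans += 1
    node.next_scan = now + min(BASE_RESCAN * 2 ** (node.scans - 1), MAX_RESCAN)
```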

TIssue
Workflow engine used to keep track of security vulnerabilities and network-related issues
Provides flexible abstract interface to plug in Detectors (e.g. Scanners)
Keeps track of events in detector-independent way
Communicates with machine administrators via e-mail and web interface
Requests blocks of network addresses as the enforcement tool
Zope-based web GUI uses X509 certificates as the authentication mechanism

Advantages of using NIMI
Common data storage easily available to applications
Simple modular design of the system:
  Collector – deals with a variety of vendor-specific network data
  Central database
  APIs
  Middleware
Carefully chosen set of software tools covering all areas of application development:
  PostgreSQL
  Python
  SOAP
  Zope
  Kerberos, X509

NIMI: Success Story
Recent computer security related events have demonstrated that applications such as TIssue and Inventory Scanner are very reliable, powerful and useful computer security and network management tools
NIMI provides building blocks for rapid development of applications like these
We continue new application development using NIMI as the framework