
Page 1: Network Information and Management Infrastructure

CHEP2006

Network Information and Management Infrastructure

Igor Mandrichenko, Eileen Berman, Phil DeMar, Maxim Grigoriev, Joe Klemencic, Donna Lamore, Mark Leininger, Don Petravick, Vladimir Podstavkov, Randy Reitz

Fermi National Accelerator Laboratory

Page 2: Network Information and Management Infrastructure

Challenges of FNAL LAN management

Specifics of FNAL network:
- Large
- Open, dynamic
- Exposed

Successful network and network security management requires coordinated cooperation of key players:
- Data Communications
- Computer Security
- Users
- Desktop support

Page 3: Network Information and Management Infrastructure

What is NIMI?

NIMI stands for Network Information and Management Infrastructure

- Hardware – 2 Linux servers
- Database with quasi-real-time network status data
  - PostgreSQL
- Network Data Collector
- Data access and application building framework:
  - Python as programming language
  - PostgreSQL as the database solution
  - (Kerberized) SOAP as middleware communication mechanism
  - Kerberos, X509 as authentication mechanisms
  - Zope as Web interface development tool

Page 4: Network Information and Management Infrastructure

Big Picture

Page 5: Network Information and Management Infrastructure

NIMI Database

- PostgreSQL based
- Stores network state quasi-real-time data
- Uses PostgreSQL backup functionality to make backups in 3 locations:
  - Another disk on the same server
  - Backup NIMI DB server
  - FNAL CD Backup Server
- Data is kept since March 2004
- < 5GB on disk

Page 6: Network Information and Management Infrastructure

NIMI Collector

- Collects network state information from network devices
- Stores data in NIMI Database and makes it available to applications
- Information collected:
  - DHCP leases (quasi-real-time)
  - ARP tables (periodic polls)
  - VPN sessions (periodic polls)
  - Switch forwarding tables (periodic polls)
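As an added illustration of the Collector's job (this is not NIMI's own code), the block below normalises two of the sources listed above, DHCP leases and ARP tables, into one observation record so that applications get a single "which MAC held which IP, and when" view regardless of which device reported it. The sample lease text and ARP lines are constructed (the lease syntax follows the ISC dhcpd.leases format, the ARP lines imitate `arp -an` output, addresses come from the 192.0.2.0/24 documentation range); the record shape and function names are assumptions, not NIMI's API.

```python
# Added example (not NIMI's own code): normalise DHCP-lease and ARP-table data
# into one observation record. Sample inputs below are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    source: str       # "dhcp" or "arp"
    mac: str          # canonical form: lower-case, two hex digits per octet
    ip: str
    seen: datetime    # when the binding was valid (lease start) or observed (poll time), UTC


# Constructed sample in ISC dhcpd.leases syntax (one active lease, one freed lease).
SAMPLE_LEASES = """\
lease 192.0.2.42 {
  starts 1 2006/02/13 14:02:11;
  ends 1 2006/02/13 16:02:11;
  binding state active;
  hardware ethernet 00:11:22:AA:BB:CC;
  client-hostname "alpha";
}
lease 192.0.2.43 {
  starts 1 2006/02/13 14:05:00;
  ends 1 2006/02/13 16:05:00;
  binding state free;
  hardware ethernet 00:11:22:aa:bb:dd;
}
"""

# Constructed sample imitating 'arp -an' output; note the unpadded MAC octets
# and the unresolved entry, both of which a collector has to cope with.
SAMPLE_ARP = """\
? (192.0.2.42) at 0:11:22:aa:bb:cc on eth0
? (192.0.2.99) at 0:0:c:7:ac:1 on eth0
? (192.0.2.7) at (incomplete) on eth0
"""

# Assumed poll time for the ARP sample (a real collector would stamp each poll).
POLL_TIME = datetime(2006, 2, 13, 15, 0, 0, tzinfo=timezone.utc)

_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
_ARP_RE = re.compile(r"\((\S+)\)\s+at\s+(\S+)\s+on")
_OCTET_RE = re.compile(r"^[0-9a-fA-F]{1,2}$")


def canonical_mac(raw: str) -> str:
    """Pad each octet to two hex digits and lower-case it, so that '0:0:c:7:ac:1'
    (ARP) and '00:00:0C:07:AC:01' (DHCP) compare equal when joined across sources."""
    octets = raw.split(":")
    if len(octets) != 6 or not all(_OCTET_RE.match(o) for o in octets):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(o.lower().zfill(2) for o in octets)


def parse_dhcp_leases(text: str) -> List[Observation]:
    """Return one observation per *active* lease; dhcpd writes lease times in UTC."""
    out: List[Observation] = []
    for ip, body in _LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9A-Fa-f:]+);", body)
        starts = re.search(r"starts \d (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});", body)
        if not (state and mac and starts) or state.group(1) != "active":
            continue  # freed/expired leases say nothing about who holds the IP now
        seen = datetime.strptime(starts.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(Observation("dhcp", canonical_mac(mac.group(1)), ip, seen))
    return out


def parse_arp_table(text: str, polled_at: datetime) -> List[Observation]:
    """Return one observation per resolved ARP entry, stamped with the poll time."""
    out: List[Observation] = []
    for ip, mac in _ARP_RE.findall(text):
        if mac == "(incomplete)":
            continue  # no MAC learned; the IP was probed but never answered
        out.append(Observation("arp", canonical_mac(mac), ip, polled_at))
    return out


def latest_binding(observations: List[Observation]) -> Dict[str, Observation]:
    """Most recent observation per MAC, whichever source reported it."""
    latest: Dict[str, Observation] = {}
    for obs in observations:
        current = latest.get(obs.mac)
        if current is None or obs.seen > current.seen:
            latest[obs.mac] = obs
    return latest


if __name__ == "__main__":
    merged = latest_binding(parse_dhcp_leases(SAMPLE_LEASES) + parse_arp_table(SAMPLE_ARP, POLL_TIME))
    for mac, obs in sorted(merged.items()):
        print(f"{mac} -> {obs.ip} ({obs.source}, {obs.seen.isoformat()})")
```

The freed lease and the incomplete ARP entry are dropped on purpose: the first no longer says who holds the address, the second never learned a MAC, and storing either would make the inventory claim a binding it has no evidence for. Canonicalising the MAC before storage is what makes the DHCP and ARP views joinable in the database.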

Page 7: Network Information and Management Infrastructure

NIMI-Based Applications

- Network Inventory: up-to-date inventory of network devices and services
- Scanners:
  - Configuration problems
  - Software version monitoring
  - Vulnerabilities
- TIssue: Computer Security Issue Tracking workflow system, fed by scanners

Page 8: Network Information and Management Infrastructure

Network Inventory

- Provides up-to-date information about network devices present on the LAN
- New node discovery:
  - Periodic subnet pings (every 2 minutes)
  - ARP tables (delayed up to 15 minutes)
- Uses ping scans and ARP table data for node discovery
- Collects information about OS version and services found on each computer
- Most new nodes scanned within 5 minutes
- Helps optimize efficiency of other Scanners

Page 9: Network Information and Management Infrastructure

Scanners

- Run on Scanner Farm
- Use data from Inventory Scanner to scan new nodes within 10-20 minutes of their arrival, and then re-scan them in a lazy manner as they stay online
- Three areas:
  - Vulnerabilities (Vulnerability Scanner)
  - System misconfiguration
  - Outdated software
- Vulnerability Scanner uses nmap to detect vulnerabilities
- Scanners supply events for TIssue
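The Network Inventory and Scanners slides together describe one scheduling problem: sightings from ping sweeps and ARP polls feed an inventory, a newly seen node is scanned promptly, and a node that stays online is re-scanned lazily rather than continuously. The block below is an added example of that logic, not NIMI's or the Scanner Farm's code; the doubling re-scan interval, the one-hour base, the seven-day cap and the 15-minute "offline" threshold (chosen to match the ARP lag quoted above) are assumed values, and the timeline in `run_scenario()` is constructed.

```python
# Added example (not NIMI's own code): inventory of seen nodes plus a lazy
# re-scan scheduler. Intervals are assumed values; the scenario is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    ip: str
    first_seen: datetime
    last_seen: datetime
    sources: Set[str] = field(default_factory=set)   # "ping", "arp", ...
    scan_count: int = 0
    last_scanned: Optional[datetime] = None


class Inventory:
    def __init__(self,
                 base_rescan: timedelta = timedelta(hours=1),
                 max_rescan: timedelta = timedelta(days=7),
                 offline_after: timedelta = timedelta(minutes=15)):
        self.base_rescan = base_rescan
        self.max_rescan = max_rescan
        # ARP evidence can lag by up to 15 minutes, so a node is still treated as
        # online until it has gone unseen for longer than that (assumed threshold).
        self.offline_after = offline_after
        self.nodes: Dict[str, Node] = {}

    def observe(self, ip: str, source: str, at: datetime) -> bool:
        """Record a sighting; return True when this is a newly discovered node."""
        node = self.nodes.get(ip)
        if node is None:
            self.nodes[ip] = Node(ip, at, at, {source})
            return True
        node.last_seen = max(node.last_seen, at)
        node.sources.add(source)
        return False

    def is_online(self, ip: str, now: datetime) -> bool:
        return now - self.nodes[ip].last_seen <= self.offline_after

    def rescan_interval(self, node: Node) -> timedelta:
        """Lazy schedule: the gap doubles after every completed scan, up to a cap."""
        return min(self.base_rescan * (2 ** (node.scan_count - 1)), self.max_rescan)

    def due_for_scan(self, now: datetime) -> List[str]:
        """Nodes a scanner should take next: never-scanned ones at once, scanned
        ones when their lazy interval has elapsed; quiet nodes are skipped."""
        due = []
        for node in self.nodes.values():
            if not self.is_online(node.ip, now):
                continue
            if node.last_scanned is None or now - node.last_scanned >= self.rescan_interval(node):
                due.append(node.ip)
        return sorted(due)

    def record_scan(self, ip: str, at: datetime) -> None:
        node = self.nodes[ip]
        node.scan_count += 1
        node.last_scanned = at


def run_scenario() -> dict:
    """Constructed timeline (minutes after a fixed start) exercising the scheduler."""
    t0 = datetime(2006, 2, 13, 12, 0, tzinfo=timezone.utc)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    inv = Inventory()
    r: dict = {}
    r["new"] = inv.observe("192.0.2.10", "ping", m(0))      # first sighting -> True
    r["due_at_0"] = inv.due_for_scan(m(0))                  # never scanned -> due now
    inv.record_scan("192.0.2.10", m(5))
    inv.observe("192.0.2.10", "arp", m(28))
    r["due_at_30"] = inv.due_for_scan(m(30))                # 25 min since scan < 1 h
    inv.observe("192.0.2.10", "ping", m(70))
    r["due_at_70"] = inv.due_for_scan(m(70))                # 65 min >= 1 h -> due
    inv.record_scan("192.0.2.10", m(70))
    inv.observe("192.0.2.10", "ping", m(180))
    r["due_at_180"] = inv.due_for_scan(m(180))              # 110 min < 2 h (doubled)
    r["due_at_300"] = inv.due_for_scan(m(300))              # unseen for 2 h -> offline, skipped
    r["interval_h"] = inv.rescan_interval(inv.nodes["192.0.2.10"]).total_seconds() / 3600
    r["again_new"] = inv.observe("192.0.2.10", "ping", m(300))  # known node -> False
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Skipping nodes that have gone quiet is what keeps the farm's effort proportional to what is actually on the LAN; a node that reappears is picked up again on its next sighting and its existing schedule resumes rather than restarting.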

Page 10: Network Information and Management Infrastructure

TIssue

- Workflow engine used to keep track of security vulnerabilities and network-related issues
- Provides a flexible abstract interface to plug in Detectors (e.g. Scanners)
- Keeps track of events in a detector-independent way
- Communicates with machine administrators via e-mail and web interface
- Requests blocks of network addresses as the enforcement tool
- Zope-based web GUI uses X509 certificates as the authentication mechanism
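To make the detector-independent workflow concrete, the block below is an added example (not TIssue's code) of the core bookkeeping such a system needs: detectors submit events, events about the same host and problem class collapse into one issue no matter which detector reported them, the administrator is notified once, and an address block is requested only if the grace period passes with the issue still open. The e-mail and web front ends, the three-day grace period, the state names, the detector names and the hosts in `run_scenario()` are all assumptions or constructed sample data.

```python
# Added example (not TIssue's own code): detector-independent issue tracking with
# an open -> notified -> blocked -> resolved workflow. Values are assumed/constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    detector: str    # which detector reported it, e.g. "vulnscan" (assumed name)
    host: str        # affected node
    category: str    # detector-independent problem class, e.g. "outdated-software"
    detail: str      # detector-specific text, kept for the administrator
    at: datetime


@dataclass
class Issue:
    host: str
    category: str
    opened: datetime
    state: str = "open"                  # open -> notified -> blocked -> resolved
    deadline: Optional[datetime] = None  # when enforcement kicks in if unresolved
    closed: Optional[datetime] = None
    reports: List[Tuple[str, str, datetime]] = field(default_factory=list)


class IssueTracker:
    def __init__(self, grace: timedelta = timedelta(days=3)):
        self.grace = grace
        self.issues: Dict[Tuple[str, str], Issue] = {}
        self.actions: List[tuple] = []   # side effects a real system would perform

    def submit(self, ev: Event) -> Issue:
        """Fold an event into the open issue for (host, category), creating one if
        needed; the first report triggers exactly one administrator notification."""
        key = (ev.host, ev.category)
        issue = self.issues.get(key)
        if issue is None or issue.state == "resolved":
            issue = Issue(ev.host, ev.category, ev.at)   # a recurrence is a new issue
            self.issues[key] = issue
        issue.reports.append((ev.detector, ev.detail, ev.at))
        if issue.state == "open":
            issue.state = "notified"
            issue.deadline = ev.at + self.grace
            self.actions.append(("notify-admin", ev.host, ev.category, issue.deadline))
        return issue

    def enforce(self, now: datetime) -> List[str]:
        """Escalate every overdue issue to a block request; return affected hosts."""
        blocked = []
        for issue in self.issues.values():
            if issue.state == "notified" and issue.deadline is not None and now >= issue.deadline:
                issue.state = "blocked"
                self.actions.append(("request-block", issue.host, issue.category))
                blocked.append(issue.host)
        return sorted(blocked)

    def resolve(self, host: str, category: str, at: datetime) -> None:
        """Close an issue (admin fixed it or the detector no longer sees it);
        a blocked host gets an unblock request so enforcement is lifted."""
        issue = self.issues[(host, category)]
        if issue.state == "blocked":
            self.actions.append(("request-unblock", host, category))
        issue.state = "resolved"
        issue.closed = at
        issue.deadline = None


def run_scenario() -> dict:
    """Constructed timeline: two detectors, two hosts, one escalation."""
    t0 = datetime(2006, 2, 13, 9, 0, tzinfo=timezone.utc)
    tr = IssueTracker(grace=timedelta(days=3))
    tr.submit(Event("vulnscan", "192.0.2.50", "outdated-software", "service below required version", t0))
    tr.submit(Event("config-check", "192.0.2.50", "outdated-software", "package list reports old version", t0 + timedelta(hours=1)))
    tr.submit(Event("vulnscan", "192.0.2.51", "misconfiguration", "anonymous share exported", t0))
    r: dict = {}
    r["issue_count"] = len(tr.issues)                                                   # two issues, not three
    r["reports_on_50"] = len(tr.issues[("192.0.2.50", "outdated-software")].reports)    # both detectors folded in
    r["notifies"] = sum(1 for a in tr.actions if a[0] == "notify-admin")                # one per issue
    r["blocked_day2"] = tr.enforce(t0 + timedelta(days=2))                              # grace not over
    tr.resolve("192.0.2.51", "misconfiguration", t0 + timedelta(days=2))
    r["blocked_day3"] = tr.enforce(t0 + timedelta(days=3))                              # only the unresolved host
    tr.resolve("192.0.2.50", "outdated-software", t0 + timedelta(days=4))
    r["unblocks"] = [a[1] for a in tr.actions if a[0] == "request-unblock"]
    reopened = tr.submit(Event("vulnscan", "192.0.2.50", "outdated-software", "regressed after reinstall", t0 + timedelta(days=10)))
    r["reopened_fresh"] = len(reopened.reports)                                         # new issue, old reports not carried
    r["states"] = sorted(i.state for i in tr.issues.values())
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Keying issues on (host, category) rather than on the detector is the detector-independence the slide mentions: a second scanner confirming the same problem adds evidence to the existing issue instead of opening a duplicate and sending a second notice, and the enforcement deadline is driven by the issue, not by whichever scanner happened to report last.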

Page 11: Network Information and Management Infrastructure

Advantages of using NIMI

- Common data storage easily available to applications
- Simple modular design of the system:
  - Collector – deals with the variety of vendor-specific network data
  - Central database
  - APIs
  - Middleware
- Carefully chosen set of software tools covering all areas of application development:
  - PostgreSQL
  - Python
  - SOAP
  - Zope
  - Kerberos, X509

Page 12: Network Information and Management Infrastructure

NIMI: Success Story

- Recent computer security related events have demonstrated that applications such as TIssue and Inventory Scanner are very reliable, powerful and useful computer security and network management tools
- NIMI provides building blocks for rapid development of applications like these
- We continue new application development using NIMI as the framework