Network Management and Network Security Chapter-8

8.1 Network Management
We can define network management as monitoring, testing, configuring, and troubleshooting
network components to meet a set of requirements defined by an organization. These requirements
include the smooth, efficient operation of the network that provides the predefined quality of
service for users. To accomplish this task, a network management system uses hardware, software,
and humans.
The International Organization for Standardization (ISO) defines five areas of network
management: configuration management, fault management, performance management, security
management, and accounting management, as shown in Figure 1.

Figure 1 Areas of Network Management

a. Performance Management:
The main goal of performance management is to quantify, measure, report, analyze, and control
the performance (e.g., utilization and throughput) of different network components. These
components include individual devices (e.g., links, routers, and hosts) as well as end-to-end
abstractions such as a path through the network. Protocol standards such as the Simple Network
Management Protocol (SNMP) play a central role in Internet performance management.
b. Fault Management:
The goal of fault management is to log, detect, and respond to fault conditions in the
network. The line between fault management and performance management is blurred. Fault
management deals with the immediate handling of failures such as a link failure, a host failure,
or a router hardware problem; such problems are also known as transient network failures. As
with performance management, the SNMP protocol plays a major part in fault management.
c. Configuration Management:
Configuration management allows tracking of the devices that are on the managed network and
of their hardware and software configurations.
d. Accounting Management:
Accounting management allows specifying, logging, and controlling user and device access to
network resources. Usage quotas, usage-based charging, and the allocation of resource-access
privileges all fall under accounting management.

Compiled by: Er. Raju Dhakal


e. Security Management:
The goal of security management is to control access to network resources according to
some well-defined policy. Key distribution centers are a component of network
management. The use of firewalls to monitor and control external access points to one’s
network is another crucial component.

8.1.1 Simple Network Management Protocol


SNMP uses the concept of manager and agent. That is, a manager, usually a host, controls and
monitors a set of agents, usually routers or servers.

Figure 2 SNMP concepts

SNMP is an application-level protocol in which a few manager stations control a set of agents.
The protocol is designed at the application level so that it can monitor devices made by different
manufacturers and installed on different physical networks. A management station, called a
manager, is a host that runs the SNMP client program. A managed station, called an agent, is a
router (or a host) that runs the SNMP server program. Management is achieved through simple
interaction between a manager and an agent. The agent keeps performance information in a
database. The manager has access to the values in the database. For example, a router can store in
appropriate variables the number of packets received and forwarded. The manager can fetch and
compare the values of these two variables to see if the router is congested or not. The manager can
also make the router perform certain actions. For example, a router periodically checks the value
of a reboot counter to see when it should reboot itself. It reboots itself, for example, if the value of
the counter is 0. The manager can use this feature to reboot the agent remotely at any time. It
simply sends a packet to force a 0 value in the counter. Agents can also contribute to the
management process. The server program running on the agent can check the environment and, if
it notices something unusual, it can send a warning message (called a Trap) to the manager. In
other words, management with SNMP is based on three basic ideas:
a. A manager checks an agent by requesting information that reflects the behavior of the
agent.
b. A manager forces an agent to perform a task by resetting values in the agent database.
c. An agent contributes to the management process by warning the manager of an unusual
situation.


Management Components
To do management tasks, SNMP uses two other protocols: Structure of Management Information
(SMI) and Management Information Base (MIB). In other words, management on the Internet is
done through the cooperation of three protocols: SNMP, SMI, and MIB, as shown in Figure 3.

Figure 3 Components of network management in the Internet

Role of SNMP
It defines the format of the packet to be sent from a manager to an agent and vice versa. It also
interprets the result and creates statistics (often with the help of other management software). The
packets exchanged contain the object (variable) names and their status (values). SNMP is
responsible for reading and changing these values.
Role of SMI
To use SNMP, we need rules for naming objects. We also need rules to define the types of objects.
What types of objects are handled by SNMP? Can SNMP handle simple types or structured types?
How many simple types are available? What are the sizes of these types? What is the range of
these types? In addition, how are each of these types encoded? We need these universal rules
because we do not know the architecture of the computers that send, receive, or store these values.
The sender may be a powerful computer in which an integer is stored as 8-byte data; the receiver
may be a small computer that stores an integer as 4-byte data. SMI is a protocol that defines these
rules. However, we must understand that SMI only defines the rules; it does not define how many
objects are managed in an entity or which object uses which type. SMI is a collection of general
rules to name objects and to list their types. The association of an object with the type is not done
by SMI.
Role of MIB
We hope it is clear that we need another protocol. For each entity to be managed, this protocol
must define the number of objects, name them according to the rules defined by SMI, and associate
a type to each named object. This protocol is MIB. MIB creates a set of objects defined for each
entity in a manner similar to that of a database (mostly metadata in a database, names and types
without values).
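The division of labour between SNMP (fetching and changing values), SMI (naming and typing rules) and MIB (the named objects an entity actually exposes), together with the three basic ideas of management listed under 8.1.1, can be seen in one small in-process model. The following is an added example, not code from these notes or from any SNMP implementation: nothing goes on the wire, and the OIDs (under a hypothetical enterprise subtree 99999), object names, counter values and the "linkCongested" trap are all constructed.

```python
# Added example: a toy in-process model of the SNMP manager/agent relationship,
# with SMI-style typed value rules and a MIB of named objects.
# Nothing here touches the network; the OIDs, names and values are constructed
# under a hypothetical enterprise subtree, not real MIB-2 objects.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# SMI role: universal naming (dotted OID strings) and a small set of typed
# value rules. SMI says what a Counter32 is; it does not say which objects exist.
SMI_TYPES: Dict[str, Callable[[object], bool]] = {
    "Counter32":   lambda v: isinstance(v, int) and 0 <= v < 2**32,
    "Integer32":   lambda v: isinstance(v, int) and -2**31 <= v < 2**31,
    "OctetString": lambda v: isinstance(v, bytes),
}

@dataclass
class MibObject:
    oid: str
    name: str
    smi_type: str
    value: object
    writable: bool = False

# Constructed OIDs (hypothetical enterprise subtree 99999).
IN_PKTS = "1.3.6.1.4.1.99999.1.1"
OUT_PKTS = "1.3.6.1.4.1.99999.1.2"
REBOOT_CTR = "1.3.6.1.4.1.99999.1.3"
SYS_NAME = "1.3.6.1.4.1.99999.1.4"

# MIB role: the named, typed objects this particular router exposes.
def build_router_mib() -> Dict[str, MibObject]:
    objs = [
        MibObject(IN_PKTS, "ifInPkts", "Counter32", 0),
        MibObject(OUT_PKTS, "ifOutPkts", "Counter32", 0),
        MibObject(REBOOT_CTR, "rebootCounter", "Integer32", 3600, writable=True),
        MibObject(SYS_NAME, "sysName", "OctetString", b"edge-router-1"),
    ]
    return {o.oid: o for o in objs}

@dataclass
class Agent:
    """The SNMP server side: owns the MIB and reacts to reads, writes, and events."""
    mib: Dict[str, MibObject] = field(default_factory=build_router_mib)
    trap_sink: Optional[Callable[[str, dict], None]] = None
    rebooted: bool = False

    def get(self, oid: str):
        obj = self.mib.get(oid)
        return None if obj is None else obj.value

    def set(self, oid: str, value) -> str:
        # Return values mirror SNMP error-status names; checks follow the SMI type rules.
        obj = self.mib.get(oid)
        if obj is None or not obj.writable:
            return "noAccess"
        if not SMI_TYPES[obj.smi_type](value):
            return "wrongType"
        obj.value = value
        # The router checks its reboot counter; a value of 0 means reboot now.
        if obj.oid == REBOOT_CTR and value == 0:
            self.rebooted = True
        return "noError"

    def check_environment(self, max_backlog: int) -> int:
        # Idea (c): the agent notices something unusual and sends a Trap.
        backlog = self.get(IN_PKTS) - self.get(OUT_PKTS)
        if backlog > max_backlog and self.trap_sink is not None:
            self.trap_sink("linkCongested", {"agent": self.get(SYS_NAME), "backlog": backlog})
        return backlog

class Manager:
    """The SNMP client side: polls, writes, and receives Traps."""
    def __init__(self) -> None:
        self.traps: List[Tuple[str, dict]] = []

    def receive_trap(self, name: str, info: dict) -> None:
        self.traps.append((name, info))

    def is_congested(self, agent: Agent, max_backlog: int = 100) -> bool:
        # Idea (a): fetch two counters and compare them.
        return agent.get(IN_PKTS) - agent.get(OUT_PKTS) > max_backlog

    def reboot(self, agent: Agent) -> str:
        # Idea (b): force an action by writing a value into the agent's database.
        return agent.set(REBOOT_CTR, 0)

def demo() -> dict:
    manager = Manager()
    agent = Agent(trap_sink=manager.receive_trap)
    # Simulate traffic the router has counted (constructed numbers).
    agent.mib[IN_PKTS].value, agent.mib[OUT_PKTS].value = 1000, 850
    return {
        "congested": manager.is_congested(agent),
        "backlog": agent.check_environment(max_backlog=100),
        "traps": list(manager.traps),
        "set_readonly": agent.set(SYS_NAME, b"x"),
        "set_wrong_type": agent.set(REBOOT_CTR, b"0"),
        "reboot": manager.reboot(agent),
        "rebooted": agent.rebooted,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the agent refuses a write to a read-only object and a write of the wrong SMI type before anything changes; in real deployments the same checks are what keep a manager's Set request from corrupting an agent's database.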


Figure 4 Comparing computer programming and network management

8.1.2 Network Security


Network security is the process of taking preventative measures to protect the underlying
networking infrastructure from unauthorized access, misuse, malfunction, modification,
destruction, or improper disclosure.
8.1.2.1 Security Goals
Let us first discuss three security goals: confidentiality, integrity, and availability.
a. Confidentiality
Confidentiality is probably the most common aspect of information security. We need to protect
our confidential information. An organization needs to guard against those malicious actions that
endanger the confidentiality of its information. Confidentiality not only applies to the storage of
information, but it also applies to the transmission of information. When we send a piece of
information to be stored in a remote computer or when we retrieve a piece of information from a
remote computer, we need to conceal it during transmission.
b. Integrity
Information needs to be changed constantly. In a bank, when a customer deposits or withdraws
money, the balance of her account needs to be changed. Integrity means that changes need to be
done only by authorized entities and through authorized mechanisms. Integrity violation is not
necessarily the result of a malicious act; an interruption in the system, such as a power surge, may
also create unwanted changes in some information.
c. Availability
The third component of information security is availability. The information created and stored
by an organization needs to be available to authorized entities. Information is useless if it is not
available. Information needs to be constantly changed, which means it must be accessible to
authorized entities. The unavailability of information is just as harmful for an organization as the
lack of confidentiality or integrity. Imagine what would happen to a bank if the customers could
not access their accounts for transactions.
8.1.2.2 Network Attacks
a. Packet Sniffing
The act of capturing data packets across a computer network is called packet sniffing. It is similar
to wiretapping a telephone network. It is mostly used by crackers and hackers to collect
information illegally about a network. It is also used by ISPs, advertisers, and governments. ISPs use
packet sniffing to track all your activities, such as:


• who the receiver of your email is
• what the content of that email is
• what you download
• sites you visit
• what you looked at on that website
• downloads from a site
• streaming events like video, audio, etc.
Advertising agencies, including Internet advertising agencies, are paid according to:
• the number of ads shown by them.
• the number of clicks on their ads, also called PPC (pay per click).
To achieve this target, these agencies use packet sniffing to inject advertisements into the flowing
packets. Most of the time these ads contain malware.

Government agencies use packet sniffing to:
• ensure security of data over the network.
• track an organization’s unencrypted data.
Packet Sniffer
Packet sniffing is done by using tools called packet sniffers. Capture can be either filtered or
unfiltered. Filtered capture is used when only specific data packets have to be captured, and
unfiltered capture is used when all the packets have to be captured. Wireshark and SmartSniff are
examples of packet sniffing tools.
How to prevent packet sniffing:
• Encrypt the data you send or receive.
• Use trusted Wi-Fi networks.
• Scan your network for dangers or issues.
b. Denial of Service
Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service
of a system. The attacker can use several strategies to achieve this. She might send so many bogus
requests to a server that the server crashes because of the heavy load. The attacker might intercept
and delete a server’s response to a client, making the client believe that the server is not responding.
The attacker may also intercept requests from the clients, causing the clients to send requests many
times and overload the system.
c. Spoofing
Packet spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source
IP address for the purpose of concealing the identity of the sender or impersonating another
computing system. A spoofing attack occurs when a malicious party impersonates another device
or user on a network in order to launch attacks against network hosts, steal data, spread malware,
or bypass access controls.
The attacker creates an IP packet and sends it to the server; this is known as a SYN
(synchronize) request. The attacker sets the source address of the newly created IP packet to
another computer’s IP address. The server responds with a SYN ACK response, which travels
to the forged IP address. The attacker receives this SYN ACK response sent by the server and
acknowledges it so as to complete a connection with the server. Once this is done the attacker can
try various commands on the server computer. The most common methods include IP address
spoofing attacks, ARP spoofing attacks, and DNS server spoofing attacks. Common measures that


organizations can take for spoofing attack prevention include packet filtering, using spoofing
detection software, and cryptographic network protocols.
8.2 Cryptography
Cryptography is derived from the Greek words: kryptos, "hidden", and graphein, "to write" - or
"hidden writing". Cryptography is the science of using mathematics to encrypt and decrypt data.
Cryptography enables you to store sensitive information or transmit it across insecure networks
(like the Internet) so that it cannot be read by anyone except the intended recipient. While
cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking
secure communication. Classical cryptanalysis involves an interesting combination of analytical
reasoning, application of mathematical tools, pattern finding, patience, determination, and luck.
Cryptanalysts are also called attackers. Cryptology embraces both cryptography and cryptanalysis.
Encryption and Decryption

Plaintext and Ciphertext
The original message, before being transformed, is called plaintext. After the message is
transformed, it is called ciphertext. An encryption algorithm transforms the plaintext into
ciphertext; a decryption algorithm transforms the ciphertext back into plaintext. The sender uses
an encryption algorithm, and the receiver uses a decryption algorithm.
Cipher
We refer to encryption and decryption algorithms as ciphers. The term cipher is also used to refer
to different categories of algorithms in cryptography. This is not to say that every sender-receiver
pair needs their very own unique cipher for a secure communication. On the contrary, one cipher
can serve millions of communicating pairs.
Key
A key is a number (or a set of numbers) that the cipher, as an algorithm, operates on. To encrypt a
message, we need an encryption algorithm, an encryption key, and the plaintext. These create the
ciphertext. To decrypt a message, we need a decryption algorithm, a decryption key, and the
ciphertext. These reveal the original plaintext.
Alice, Bob, and Eve
In cryptography, it is customary to use three characters in an information exchange scenario; we
use Alice, Bob, and Eve. Alice is the person who needs to send secure data. Bob is the recipient of
the data. Eve is the person who somehow disturbs the communication between Alice and Bob by
intercepting messages to uncover the data or by sending her own disguised messages. These three


names represent computers or processes that actually send or receive data, or intercept or change
data.

Symmetric-key cryptography/private key cryptography


In conventional cryptography, also called secret-key or symmetric-key encryption, one key is
used both for encryption and decryption. The Data Encryption Standard (DES) is an example of
a conventional cryptosystem that is widely employed by the Federal Government. Figure below
shows an illustration of the conventional encryption process.

Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that
is not going anywhere. However, conventional encryption alone as a means for transmitting secure
data can be quite expensive simply due to the difficulty of secure key distribution.
For a sender and recipient to communicate securely using conventional encryption, they must
agree upon a key and keep it secret between themselves. If they are in different physical locations,


they must trust a courier, the Bat Phone, or some other secure communication medium to prevent
the disclosure of the secret key during transmission. Anyone who overhears or intercepts the key
in transit can later read, modify, and forge all information encrypted or authenticated with that key.
Asymmetric-Key Cryptography
Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public
key, which encrypts data, and a corresponding private, or secret key for decryption. You publish
your public key to the world while keeping your private key secret. Anyone with a copy of your
public key can then encrypt information that only you can read. It is computationally infeasible to
deduce the private key from the public key. Anyone who has a public key can encrypt information
but cannot decrypt it. Only the person who has the corresponding private key can decrypt the
information.

The Essential steps in Asymmetric-key cryptography are the following:


1. Each user generates a pair of keys to be used for the encryption and decryption of
messages.
2. Each user places one of the keys in a public register or other accessible file. This
is the public key. The companion key is kept private. Each user maintains a
collection of public keys obtained from others.
3. If Bob wishes to send a private message to Alice, Bob encrypts the message using
Alice's public key.
4. When Alice receives the message, she decrypts it using her private key. No other
recipient can decrypt the message because only Alice knows her private key.


With this approach, all the participants have access to public keys, and private keys are generated
locally by each participant and therefore need never be distributed. As long as a user protects his
or her private key, incoming communication is secure. At any time, a user can change the private
key and publish the companion public key to replace the old public key.
Comparison
Let us compare symmetric-key and asymmetric-key cryptography. Encryption can be thought of
as electronic locking; decryption as electronic unlocking. The sender puts the message in a box
and locks the box by using a key; the receiver unlocks the box with a key and takes out the message.
The difference lies in the mechanism of the locking and unlocking and the type of keys used. In
symmetric-key cryptography, the same key locks and unlocks the box. In asymmetric-key
cryptography, one key locks the box, but another key is needed to unlock it.
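The locking/unlocking comparison, and the four steps of asymmetric-key cryptography listed above, can be run rather than just read. The following is an added example written for these notes, not code from the notes or from any library: the symmetric half is a toy stream cipher (a SHA-256 counter keystream XORed into the message) that exists only to show one shared key doing both jobs, and the asymmetric half is textbook RSA on a single small integer with the constructed primes 61 and 53 and no padding. Neither construction is suitable for real use; the point is the key relationship in each.

```python
# Added example: the "same key locks and unlocks" versus "one key locks, another
# unlocks" comparison, in runnable form. Neither construction is from the notes.
# The symmetric part is a toy stream cipher (SHA-256 counter keystream) used
# only to show the key relationship; the asymmetric part is textbook RSA on a
# small integer with constructed primes, no padding. Neither is for real use.
import hashlib
import secrets
from math import gcd
from typing import Tuple

NONCE_LEN = 16

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from (key, nonce) by hashing a running counter."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh per message
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # Locking and unlocking use the same key: the receiver must already hold it,
    # which is exactly the key-distribution problem the notes describe.
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Step 1: generate (public, private) = ((e, n), (d, n)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                              # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt(m: int, public_key: Tuple[int, int]) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(c: int, private_key: Tuple[int, int]) -> int:
    d, n = private_key
    return pow(c, d, n)

def asymmetric_exchange() -> dict:
    """Steps 2-4 of the notes: Bob encrypts with Alice's published public key;
    only Alice's private key recovers the message."""
    alice_public, alice_private = rsa_keypair(61, 53)   # constructed small primes
    public_register = {"alice": alice_public}            # step 2: published key
    m = 65
    c = rsa_encrypt(m, public_register["alice"])         # step 3: Bob encrypts
    recovered = rsa_decrypt(c, alice_private)            # step 4: Alice decrypts
    eve_attempt = rsa_decrypt(c, alice_public)           # the public key cannot decrypt
    return {"ciphertext": c, "recovered": recovered, "eve_attempt": eve_attempt}

if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print(sym_decrypt(k, sym_encrypt(k, b"meet at noon")))
    print(asymmetric_exchange())
```

Two things the run makes concrete: in the symmetric case, decrypting with any key other than the one used to lock returns garbage, so the key itself must travel to the receiver over a channel Eve cannot read; in the asymmetric case, the public key that Bob used is useless to Eve for decryption, which is why it can be published openly.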

8.3 IP Security
(IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to
provide security for a packet at the network level. IPSec helps create authenticated and confidential
packets for the IP layer.
Two Modes
IPSec operates in one of two different modes: transport mode or tunnel mode.
Transport Mode
In transport mode, IPSec protects what is delivered from the transport layer to the network layer.
In other words, transport mode protects the payload to be encapsulated in the network layer, as
shown in Figure below.

Figure 5 IPsec in transport mode

Note that transport mode does not protect the IP header. In other words, transport mode does not
protect the whole IP packet; it protects only the packet from the transport layer (the IP-layer
payload). In this mode, the IPSec header (and trailer) are added to the information coming from
the transport layer. The IP header is added later. Transport mode is normally used when we need
host-to-host (end-to-end) protection of data. The sending host uses IPSec to authenticate and/or
encrypt the payload delivered from the transport layer. The receiving host uses IPSec to check the


authentication and/or decrypt the IP packet and deliver it to the transport layer. Figure below shows
this concept.

Figure 6 Transport mode in action

Tunnel Mode
In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header,
applies IPSec security methods to the entire packet, and then adds a new IP header, as shown in
Figure 7 below.

Figure 7 IPsec in Tunnel mode

The new IP header, as we will see shortly, has different information than the original IP header.
Tunnel mode is normally used between two routers, between a host and a router, or between a


router and a host, as shown in Figure 9. The entire original packet is protected from intrusion
between the sender and the receiver, as if the whole packet goes through an imaginary tunnel.

Figure 8 Tunnel mode in action
Figure 9 Tunnel mode in action

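The practical difference between the two modes is what the IPSec protection actually covers, and that is easiest to see at the byte level. The following added example (not from these notes, and not an IPSec implementation) builds packets in both modes with a simplified 11-byte IP header and an 8-byte IPSec header (SPI and sequence number), and uses an HMAC-SHA256 tag as the only "security method", so that what the tag covers is the whole point: in transport mode the IP header is added afterwards and lies outside the protected region, in tunnel mode the entire original packet lies inside it and only the new outer header (for example R1 to R2 in the VPN of section 8.5) is exposed. The addresses and key are constructed.

```python
# Added example: byte-level model of what transport mode and tunnel mode cover.
# It is not an IPsec implementation: a simplified 11-byte IP header and an
# 8-byte IPSec header (SPI, sequence) are constructed, and "protection" is an
# HMAC-SHA256 integrity tag only (no encryption), so that what the tag covers
# in each mode is the whole point. Protocol numbers 6 and 50 are the real IANA values.
import hashlib
import hmac
import struct
from typing import Optional

HDR_FMT = "!4s4sBH"                 # src, dst, protocol, length of what follows
HDR_LEN = struct.calcsize(HDR_FMT)  # 11 bytes in this simplified header
IPSEC_HDR_LEN = 8                   # SPI + sequence number
TAG_LEN = 32
PROTO_TCP, PROTO_ESP = 6, 50

def addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))

def ip_header(src: str, dst: str, proto: int, length: int) -> bytes:
    return struct.pack(HDR_FMT, addr(src), addr(dst), proto, length)

def tag(key: bytes, ipsec_hdr: bytes, protected: bytes) -> bytes:
    return hmac.new(key, ipsec_hdr + protected, hashlib.sha256).digest()

def transport_mode(key: bytes, src: str, dst: str, payload: bytes,
                   spi: int = 1, seq: int = 1) -> bytes:
    """IPSec header and trailer wrap only the transport-layer payload; the IP
    header is added afterwards and is not covered by the tag."""
    ipsec_hdr = struct.pack("!II", spi, seq)
    body = ipsec_hdr + payload + tag(key, ipsec_hdr, payload)
    return ip_header(src, dst, PROTO_ESP, len(body)) + body

def tunnel_mode(key: bytes, outer_src: str, outer_dst: str, inner_packet: bytes,
                spi: int = 1, seq: int = 1) -> bytes:
    """The whole original packet, header included, is covered; then a new
    outer IP header (e.g. router R1 to router R2 in a VPN) is added."""
    ipsec_hdr = struct.pack("!II", spi, seq)
    body = ipsec_hdr + inner_packet + tag(key, ipsec_hdr, inner_packet)
    return ip_header(outer_src, outer_dst, PROTO_ESP, len(body)) + body

def receive(key: bytes, packet: bytes) -> Optional[bytes]:
    """Strip the outer header, check the tag, and return the protected bytes
    (a payload in transport mode, a whole packet in tunnel mode), or None."""
    body = packet[HDR_LEN:]
    if len(body) < IPSEC_HDR_LEN + TAG_LEN:
        return None
    ipsec_hdr, protected = body[:IPSEC_HDR_LEN], body[IPSEC_HDR_LEN:-TAG_LEN]
    if not hmac.compare_digest(tag(key, ipsec_hdr, protected), body[-TAG_LEN:]):
        return None
    return protected

def replace_dst(packet: bytes, new_dst: str, header_offset: int) -> bytes:
    """Rewrite the destination field of the IP header that starts at header_offset
    (what an on-path modification of that header would do)."""
    o = header_offset + 4
    return packet[:o] + addr(new_dst) + packet[o + 4:]

if __name__ == "__main__":
    key = b"\x11" * 32
    t = transport_mode(key, "10.0.0.1", "10.0.0.2", b"hello")
    print("transport, IP header changed:", receive(key, replace_dst(t, "10.0.0.9", 0)))
    inner = ip_header("10.1.1.5", "10.2.2.7", PROTO_TCP, 5) + b"hello"
    u = tunnel_mode(key, "203.0.113.1", "198.51.100.1", inner)
    print("tunnel, inner header changed:",
          receive(key, replace_dst(u, "10.9.9.9", HDR_LEN + IPSEC_HDR_LEN)))
```

Running it shows the asymmetry: rewriting the destination in a transport-mode packet's IP header is not detected (the payload still verifies), whereas rewriting the original header inside a tunnel-mode packet invalidates the tag and the receiver discards it. This is why tunnel mode is the choice when the original addresses themselves must be protected, as between the two border routers of a VPN.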
8.4 Firewalls
All previous security measures cannot prevent Eve from sending a harmful message to a system.
To control access to a system we need firewalls. A firewall is a device (usually a router or a
computer) installed between the internal network of an organization and the rest of the Internet. It
is designed to forward some packets and filter (not forward) others. Figure 10 shows a firewall.

Figure 10 Firewall

For example, a firewall may filter all incoming packets destined for a specific host or a specific
service such as HTTP. A firewall can be used to deny access to a specific host or a specific service
in the organization. A firewall is usually classified as a packet-filter firewall or a proxy-based
firewall.
a. Packet-Filter Firewall
A firewall can be used as a packet filter. It can forward or block packets based on the information
in the network-layer and transport-layer headers: source and destination IP addresses, source and
destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router


that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 11
shows an example of a filtering table for this kind of firewall.

Figure 11 Packet filter firewall

According to the figure, the following packets are filtered:


1. Incoming packets from network 131.34.0.0 are blocked (security precaution). Note that the
* (asterisk) means “any.”
2. Incoming packets destined for any internal TELNET server (port 23) are blocked.
3. Incoming packets destined for internal host 194.78.20.8 are blocked. The organization
wants this host for internal use only.
4. Outgoing packets destined for an HTTP server (port 80) are blocked. The organization does
not want employees to browse the Internet.
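The filtering table read off Figure 11 can be written directly as rules over the header fields a packet filter sees (direction, source and destination address, protocol, destination port), and the same mechanism is the "packet filtering" countermeasure named in the spoofing section: a packet arriving from the Internet that claims one of the organization's own addresses as its source cannot be genuine and is dropped at the border. The following added example (not from these notes) implements both. The organization's address block 194.78.20.0/24 and the reading of "131.34.0.0" as the /16 network are assumptions, and the sample packets are constructed; matching is first-match-wins with a default of allow, as the figure's table implies.

```python
# Added example: a packet-filter firewall table in code. Rules 1-4 are the
# ones the notes read off Figure 11; rule 5 is an ingress anti-spoofing rule
# of the kind the spoofing section calls "packet filtering". The internal prefix
# 194.78.20.0/24 and the /16 reading of "131.34.0.0" are assumptions, and the
# test packets are constructed. Matching is first-match-wins, default allow.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    """Fields use "*" for "any", as in the figure's filtering table."""
    direction: str = "*"
    src: str = "*"          # CIDR network, single address, or "*"
    dst: str = "*"
    proto: str = "*"
    dport: str = "*"
    action: str = "deny"

    @staticmethod
    def _in_net(address: str, network: str) -> bool:
        return network == "*" or ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and self.dport in ("*", str(p.dport))
                and self._in_net(p.src, self.src)
                and self._in_net(p.dst, self.dst))

INTERNAL_NET = "194.78.20.0/24"      # assumption: the organization's address block

FILTER_TABLE: List[Rule] = [
    Rule(direction="in", src="131.34.0.0/16"),   # 1. block that network (security precaution)
    Rule(direction="in", dport="23"),            # 2. no inbound TELNET
    Rule(direction="in", dst="194.78.20.8"),     # 3. host is for internal use only
    Rule(direction="out", dport="80"),           # 4. no outbound HTTP browsing
    Rule(direction="in", src=INTERNAL_NET),      # 5. anti-spoofing: our own addresses never arrive from outside
]

def decide(p: Packet, table: List[Rule] = FILTER_TABLE,
           default: str = "allow") -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); first match wins."""
    for i, rule in enumerate(table):
        if rule.matches(p):
            return rule.action, i
    return default, None

SAMPLE_PACKETS = [   # constructed; documentation-range addresses
    Packet("in", "131.34.7.9", "194.78.20.1", "tcp", 25),
    Packet("in", "198.51.100.4", "194.78.20.2", "tcp", 23),
    Packet("in", "198.51.100.4", "194.78.20.8", "tcp", 443),
    Packet("out", "194.78.20.2", "203.0.113.80", "tcp", 80),
    Packet("in", "194.78.20.77", "194.78.20.2", "udp", 53),   # spoofed internal source
    Packet("in", "198.51.100.4", "194.78.20.2", "tcp", 25),
    Packet("out", "194.78.20.2", "198.51.100.4", "tcp", 443),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", decide(p))
```

Because the filter never looks past the transport header, it cannot tell a legitimate partner's HTTP request from anyone else's; that limitation is what the proxy firewall in the next subsection addresses.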

b. Proxy Firewall
The packet-filter firewall is based on the information available in the network layer and transport
layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the
information available in the message itself (at the application layer). As an example, assume that
an organization wants to implement the following policies regarding its web pages: only those
Internet users who have previously established business relations with the company can have
access; access to other users must be blocked. In this case, a packet-filter firewall is not feasible
because it cannot distinguish between different packets arriving at TCP port 80 (HTTP). Testing
must be done at the application level (using URLs). One solution is to install a proxy firewall
(computer) (sometimes called an application gateway), which stands between the customer
computer and the corporation computer. When the user client process sends a message, the
application gateway runs a server process to receive the request. The server opens the packet at the
application level and finds out if the request is legitimate. If it is, the server acts as a client process
and sends the message to the real server in the corporation. If it is not, the message is dropped and
an error message is sent to the external user. In this way, the requests of the external users are
filtered based on the contents at the application layer. Figure 12 shows an application gateway
implementation for HTTP.
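The application gateway's job in the scenario above is to open the request at the application layer, decide whether it is legitimate, and then either act as a client toward the real server or answer the external user with an error. The following added example (not code from these notes) does that for HTTP: it parses the raw request, checks the request line and Host header, and applies the policy that only established partners may reach the URLs set aside for them. The server name www.corp.example, the partner list keyed by client address, the allowed path prefixes and the sample requests are all constructed assumptions.

```python
# Added example: the application-gateway (proxy firewall) check the notes
# describe, for HTTP. The gateway parses the external client's request at the
# application layer, forwards it to the real server only if the policy allows,
# and otherwise answers with an error. The partner list, server name, allowed
# paths and requests are constructed assumptions, not the notes' own.
from typing import Dict, Optional, Tuple

CORP_SERVER = "www.corp.example"                           # assumed name of the real server
PARTNERS: Dict[str, str] = {"203.0.113.10": "acme", "198.51.100.22": "globex"}
PARTNER_PATHS = ("/partners/", "/orders/")                 # URLs partners may reach
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def parse_request(raw: bytes) -> Optional[Tuple[str, str, str, Dict[str, str], bytes]]:
    """Split an HTTP/1.1 request into (method, target, version, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()    # header names are case-insensitive
    return method, target, version, headers, body

def error_response(status: int, reason: str) -> bytes:
    return f"HTTP/1.1 {status} {reason}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".encode()

def gateway(client_ip: str, raw: bytes) -> Tuple[str, bytes]:
    """Return ("forward", request to send to the real server) or ("reject", error for the client)."""
    parsed = parse_request(raw)
    if parsed is None:
        return "reject", error_response(400, "Bad Request")
    method, target, version, headers, body = parsed
    if version != "HTTP/1.1" or method not in ALLOWED_METHODS or headers.get("host") != CORP_SERVER:
        return "reject", error_response(400, "Bad Request")
    # Policy: only established partners, and only the URLs set aside for them.
    # ".." segments are refused so the prefix check cannot be escaped.
    partner = PARTNERS.get(client_ip)
    if partner is None or not target.startswith(PARTNER_PATHS) or ".." in target.split("/"):
        return "reject", error_response(403, "Forbidden")
    # Legitimate: the gateway now acts as the client toward the real server.
    headers["x-forwarded-for"] = client_ip
    headers["via"] = "1.1 app-gateway"
    head = f"{method} {target} {version}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return "forward", head.encode() + b"\r\n" + body

if __name__ == "__main__":
    req = b"GET /partners/orders HTTP/1.1\r\nHost: www.corp.example\r\n\r\n"
    print(gateway("203.0.113.10", req))
    print(gateway("192.0.2.99", req))
```

The forwarded request is rebuilt by the gateway rather than relayed byte for byte, so header names come out lower-cased (HTTP treats them as case-insensitive) and the real server sees the gateway, not the external user, as its TCP peer; the X-Forwarded-For header is how the original client address is carried along for the server's own logs.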


Figure 12 Proxy firewall

8.5 Virtual Private Network (VPN)


One of the applications of IPSec is in virtual private networks. A virtual private network
(VPN) is a technology that is gaining popularity among large organizations that use the global
Internet for both intra- and interorganizational communication, but require privacy in their
intraorganizational communication. VPN is a network that is private but virtual. It is private
because it guarantees privacy inside the organization. It is virtual because it does not use real
private WANs; the network is physically public but virtually private. Figure 13 shows the idea of
a virtual private network. Routers R1 and R2 use VPN technology to guarantee privacy for the
organization. VPN technology uses the ESP protocol of IPSec in the tunnel mode. A private
datagram, including the header, is encapsulated in an ESP packet. The router at the border of the
sending site uses its own IP address and the address of the router at the destination site in the new
datagram. The public network (Internet) is responsible for carrying the packet from R1 to R2.
Outsiders cannot decipher the contents of the packet or the source and destination addresses.
Deciphering takes place at R2, which finds the destination address of the packet and delivers it.

WEP and WPA (read on your own from the Internet)


Figure 13 Virtual Private Networks
