Implementation of a Department Local Area Network Management System


I-Ping Hsieh (Department of Computer Science), Lai-Ming Shiue (Department of Applied Mathematics), Shang-Juh Kao (Department of Computer Science)

National Chung-Hsing University, Taichung, Taiwan

Email: {iphsieh, lmshiue, sjkao}@amath.nchu.edu.tw

ABSTRACT

Management tasks of a Department Local Area Network (DLAN) include intrusion detection, traffic monitoring, appropriate IP usage, proper device configuration, and so on. We physically divide a DLAN into a firewall component and four functional groups: open area group, public servers group, proprietary servers group, and management group. This paper reports a practical implementation of a DLAN management system from the perspective of a manager. In this system, a checkpoint mechanism built on firewall technology protects the DLAN from intrusions, while a MAC-IP mapping technique prevents IP address misuse. The incoming and outgoing traffic of each internal user is also monitored, and device configuration is managed through Simple Network Management Protocol (SNMP) operations.

KEYWORDS: DLAN, firewall, SNMP

1 Introduction

A department local area network (DLAN) [1] within a campus is characterized by making public resources available to the public while restricting internal resources such as printing services and IP allocation. Having served as system managers for years, our primary task is to provide the DLAN with a safe, convenient, and fair access environment. In particular, we have spent a great deal of time detecting intrusions, dealing with inappropriate IP use, monitoring excessive traffic, and ensuring proper system configuration. Since these problems often occur unexpectedly, and in order to provide an efficient solution that makes a manager's life easier, we were motivated to implement a practical DLAN management system.

We first briefly describe the constituents of the SNMP management architecture, explore the usage of the related MIBs, and introduce practical issues of network security. The design of the DLAN management system, the architecture of the firewall system, and the management functions are then presented. Implementation details and a snapshot of the management applications are given next. Finally, we summarize the work and raise several future enhancements.

2 Network Management Fundamentals

In IP networks, the Simple Network Management Protocol (SNMP) is the de facto standard for managing network resources. The SNMP architecture consists of four components [2]: NMS, agent, MIB, and SNMP itself. A Network Management Station (NMS) manages and controls the managed objects. A management agent resides in each managed object; the agent collects and stores information in a Management Information Base (MIB). SNMP is used to exchange management information between NMSs and agents.

Network management is a general topic which comprises five main management functional areas (MFAs) [3]: configuration management, fault management, performance management, accounting management, and security management. In the following, we only include related MIBs and network security technology, which are incorporated into the proposed DLAN management system.

2.1 Related MIBs

MIB-II is defined in RFC 1213. Of the management groups defined there, two are used intensively in the DLAN management system: the interfaces group and the address translation group. The interfaces group contains generic information about each physical interface of a network entity, including configuration information and statistics on the events occurring at the interface, and interface configuration values can be adjusted with the SNMP Set operation. The address translation group consists of a single table, atTable. Each row holds one network-address to physical-address equivalence on one of the physical interfaces in the system. This table is useful for obtaining the MAC-IP mapping throughout the DLAN, which our management system requires. (RFC 1213 already marks the at group as deprecated in favour of ipNetToMediaTable in the ip group, which carries the same mapping; a device may expose either or both.)

The Bridge MIB is defined in RFC 1493 and defines objects for managing MAC bridges between LAN segments. Within it, dot1dTpFdbTable is useful for our management system: it holds the unicast forwarding entries learnt by a transparent bridge, that is, the addresses whose traffic the bridge forwards or filters, so from it we obtain the bridge port at which each MAC address was seen.

RMON is a great step toward internetwork management [4], which describes RMON as a supplement to the SNMPv2 MIB that provides network management with rich information about internetworking. The RMON MIB is defined in RFC 1757. With the RMON MIB we can obtain the incoming and outgoing traffic associated with each MAC address, so the network manager is able to detect uncommon use of the network.

2.2 Network Security

A firewall is simply a component, or a set of components, placed between an internal network and the external network (the Internet) to safeguard the internal systems. It provides a control point for restricting traffic entering and leaving the network and builds a defensive gateway against attacks [5]. There are three popular types of firewall [6]: the packet filter, the proxy, and the gateway firewall. Packet filtering is the simplest: the firewall forwards or drops packets according to predefined rules. A proxy is middleware that handles the connection between client and server: to clients in the internal network the proxy acts as the server, while to servers in the outside world it plays the role of the client. A gateway firewall [7] performs functions similar to those of a gateway, translating communication protocols and forwarding messages to the destination node; Network Address Translation (NAT), for example, is one kind of gateway firewall.

Intrusion detection is the process of determining and reporting whether an activity is legitimate. A system that supports this process is called an Intrusion Detection System (IDS). Usually an IDS cannot stop an on-going intrusion; it can only detect the intrusion after the fact. More recently developed IDSs are designed to perform a certain response to an abnormal event, such as tearing down the connection. There are two major types of IDS, host-based IDS (HIDS) and network-based IDS (NIDS) [8]. A HIDS obtains its detection information from a single host, while a NIDS obtains its data by monitoring traffic on the network.

3 Design of a DLAN Management System

The DLAN management functions can be differentiated from either an internal or an external viewpoint. From the external perspective, a checkpoint scheme based on firewall technology protects the system from intruders. From the internal perspective, a MAC-IP mapping technique prevents IP address misuse, and the incoming and outgoing traffic of each internal user is monitored.

3.1 Four Functional Clusters

A typical DLAN may consist of a variety of computing devices, with a few centralized servers and hundreds of PCs. To ease management, we classify the computing facilities within the DLAN into four categories: the open area group, the public servers group, the proprietary servers group, and the management group, as shown in Figure 3.1. All these locally resident machines are protected by the firewall.

Figure 3.1 Overview of a DLAN Environment

Figure 3.2 Architecture of the Firewall System

3.2 Firewall System Architecture

The firewall system protects all four clusters of the DLAN against threats from the Internet. It is composed of the front-end firewall, the back-end firewall, the IDS, the policy management unit (PMU), and the firewall agent, as shown in Figure 3.2.

Both the front-end and the back-end firewall serve as safeguards that perform the entrance examination. The front-end firewall, which may be either a packet filter or a proxy, checks incoming and outgoing packets and examines connection requests according to the defense policies. The back-end firewall is a gateway firewall that restricts connections between the front-end firewall and the management cluster. The IDS can be any available one; it detects illegal or abnormal activities by monitoring network traffic in promiscuous mode. When such an activity is detected, the IDS records the action and issues an alert to the PMU, which then appends the corresponding rules to the front-end firewall. The firewall agent is the kernel of the firewall system: it acts as the agent of the firewall system and as the coordinator among the firewalls, the IDS, the PMU, and the NMS. The firewall agent communicates with the NMS and makes the necessary configuration changes; in addition, it collects management information, stores it in the database, and forwards messages to both the front-end and the back-end firewall.

3.3 Network Management Station

The network management station handles management information processing inside the management group. Either an application user or a system manager can obtain public management information or operate the NMS through the web interface. In addition to being equipped with a web server, the NMS contains a system management unit, an information store, and security and communication facilities, as shown in Figure 3.3. The system management unit is the core unit and provides the management functions required for device, traffic, IP, accounting, and firewall management. All management information is stored in the information store. The security facility checks the legitimacy of each connection.

Figure 3.3 DLAN NMS Architecture

Figure 4.1 System Configuration

4 Implementation Details and a Snapshot of Applications

4.1 Environment and Tools

The DLAN management system (developed for the Department of Applied Mathematics at National Chung-Hsing University, Taiwan) contains a firewall, a network management station, and several SNMP-equipped network devices. The overall system is configured as shown in Figure 4.1, with the related attributes listed in Table 4.1.

Table 4.1 Device Attributes

  Device   Role
  GoGo     Firewall
  NMS      NMS
  MaoMao   HTTP server
  NAS      FTP server
  LJ4050   Printer server
  NPI16    Switch
  NPI24    Switch
  3COM     Switch

Table 4.2 Software Packages of Firewall System Components

  Defense System Component   Software package
  Front-end firewall         netfilter (Linux kernel 2.4.x), iptables-1.2.8
  Back-end firewall          netfilter (Linux kernel 2.4.x), iptables-1.2.8
  IDS                        snort-2.0.0
  PMU                        pmu-0.1b
  Firewall agent             developed by ourselves
  SNMP agent                 net-snmp-5.0.8

4.2 Firewall System Implementation

4.2.1 Firewall System Components

The software packages used for the firewall system implementation are listed in Table 4.2. Netfilter is a framework inside the Linux 2.4.x kernel; it provides both stateless and stateful packet filtering and supports NAT. Iptables is the user-space tool, built around a generic table structure, through which rule sets are defined for netfilter. Both are adopted for our front-end and back-end firewalls. Snort is an open source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. Snort also supports SNMP and many DBMSs, and provides many useful detection tools.

In the firewall system, the PMU takes the suggestions from the IDS and generates rules. Pmu [9] is a security program that works together with Snort to update firewall rules automatically; the updated rules block all incoming data from the IP address of the attacking machine. For the firewall agent, we use the iptables C library to implement the functions required for firewall operations, the MySQL C library for database queries, and the socket library for sending data to and receiving data from the NMS. Hosts without SNMP support are equipped with net-snmp, which provides an SNMP C library and a collection of useful tools.

4.2.2 An Example to Add a Firewall Rule

We simulated an attack by using Nmap to scan communication ports. Figure 4.2 lists the commands and the results of scanning IP address 140.120.6.31 from 140.120.7.13. Snort recorded the corresponding alerts, shown in Figure 4.3. After reading the alerts generated by Snort, pmu added a rule blocking all packets from 140.120.7.13; Figure 4.4 shows the resulting firewall rule.

Figure 4.2 Scan of 140.120.6.31

Figure 4.3 Alerts Generated by Snort

Figure 4.4 Firewall Rule Added by Pmu
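The IDS-to-PMU-to-firewall path of sections 3.2 and 4.2, as an added example that is neither pmu's code nor the paper's own: it parses Snort fast-format alerts (a constructed sample; the addresses are those of the paper's Nmap experiment, while the timestamps, ports and signature IDs are made up), collects the source addresses that deserve a block, and emits the corresponding iptables commands as strings. The never_block list and the priority threshold are additions of this example and not features the paper attributes to pmu: Snort reports the packet's source address, which an attacker can forge, so an automatic blocker that trusts it blindly can be turned into a denial of service against the DLAN's own hosts.

```python
import ipaddress
import re

# Constructed alerts in Snort's "fast" output format (assumption: the
# alert_fast format of Snort 2.x). The addresses are those of the paper's
# Nmap experiment; timestamps, ports and signature IDs are made up.
SAMPLE_ALERTS = """\
08/15-14:02:11.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 140.120.7.13 -> 140.120.6.31
08/15-14:02:11.456789  [**] [1:1228:2] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 140.120.7.13:47205 -> 140.120.6.31:22
08/15-14:02:11.789012  [**] [1:1228:2] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 140.120.7.13:47205 -> 140.120.6.31:80
08/15-14:02:12.000001  [**] [1:1228:2] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 140.120.6.1:5555 -> 140.120.6.31:25
08/15-14:02:13.000001  [**] [1:1418:3] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.9:40000 -> 140.120.6.31:161
"""

ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_fast_alert(line):
    """One alert line -> {'prio', 'proto', 'src', 'dst'}, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


def offending_sources(alert_text, never_block=(), max_priority=2):
    """Sorted, de-duplicated source addresses that deserve a block rule.

    never_block: networks whose addresses are never blocked (the DLAN's own
    prefix, the NMS, the gateway). Snort reports the packet's *source*
    address, which an attacker can forge, so an auto-blocker that trusts it
    can be turned into a denial of service against the DLAN itself.
    max_priority: Snort priority 1 is the most severe; alerts with a larger
    number are logged but do not earn a rule."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    found = set()
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in protected):
            continue
        found.add(src)
    return [str(ip) for ip in sorted(found)]


def block_rules(sources, chains=("INPUT", "FORWARD")):
    """iptables commands (as strings; nothing is executed here) dropping all
    traffic from each source. They are inserted (-I) at the head of the
    chain: netfilter chains are first-match, so a DROP appended after an
    existing ACCEPT for the service would never be reached. FORWARD is
    included because the front-end firewall forwards traffic to the
    protected clusters instead of terminating it."""
    return [f"iptables -I {chain} -s {src} -j DROP"
            for src in sources for chain in chains]


if __name__ == "__main__":
    # The DLAN prefix 140.120.6.0/24 is an assumption for the example.
    for rule in block_rules(offending_sources(SAMPLE_ALERTS,
                                              never_block=["140.120.6.0/24"])):
        print(rule)
```

Run against the sample, the scan from 140.120.7.13 yields exactly one pair of rules despite three alerts, the alert whose source lies inside the protected prefix is ignored, and the priority-3 alert is logged only. The paper says the PMU "appends" rules; the example inserts them instead, for the first-match reason given in the block_rules comment.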

4.3 Snapshots of Management Applications

The DLAN management system has two major applications. One is to check MAC-IP legitimacy and to examine the traffic of the corresponding MAC address; we have written two programs, CHECKIP and CHECKTRAFFIC, to accomplish these tasks.

4.3.1 IP Legality

Figure 4.5 shows the operational flow of CHECKIP. When CHECKIP runs, it obtains both the currently used MAC-IP mapping from atTable (step 1) and the pre-defined MAC-IP list from the database (step 2). It then compares the two and determines the legitimacy of each current IP. Two situations indicate IP misuse. In the first, a user is using an illegal IP address, that is, a registered MAC with an incorrect corresponding IP; CHECKIP closes the port by setting ifTable (step 4). In the second, CHECKIP discovers an unregistered MAC address; the program then obtains the port number from dot1dTpFdbTable on the 3COM switch (step 3) and disconnects the link (step 4). Consequently, IP misuse is prevented.
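CHECKIP's decision logic (steps 1 to 4 above) together with the atTable and dot1dTpFdbTable lookups of section 2.1, as an added example rather than the paper's CHECKIP program. The snmpwalk output it parses is constructed and assumes net-snmp's text rendering; the object names are the real RFC 1213 and RFC 1493 ones, but the interface index, the addresses, the MACs and the registered list are made up. Closing a port is taken to mean setting IF-MIB ifAdminStatus to down(2), and the bridge port number is assumed to equal the port's ifIndex; the example returns the intended actions and builds the snmpset command instead of sending it.

```python
import re

# Constructed snmpwalk output (assumption: net-snmp's text rendering). The
# object names are the real RFC 1213 atPhysAddress (index: atIfIndex.1.ip)
# and RFC 1493 dot1dTpFdbPort (index: the six MAC octets in decimal); the
# interface index, IP addresses and MACs are made up for the example.
AT_TABLE_WALK = """\
RFC1213-MIB::atPhysAddress.1.1.140.120.6.31 = Hex-STRING: 00 0C 29 3A 5B 6C
RFC1213-MIB::atPhysAddress.1.1.140.120.6.32 = Hex-STRING: 00 0C 29 3A 5B 6D
RFC1213-MIB::atPhysAddress.1.1.140.120.6.33 = Hex-STRING: 00 50 56 AA BB CC
"""
FDB_WALK = """\
BRIDGE-MIB::dot1dTpFdbPort.0.12.41.58.91.108 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.12.41.58.91.109 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.80.86.170.187.204 = INTEGER: 12
"""
# Pre-defined MAC-IP list as the NMS database would return it (constructed).
REGISTERED = {
    "00:0c:29:3a:5b:6c": "140.120.6.31",
    "00:0c:29:3a:5b:6d": "140.120.6.40",  # registered, but for another IP
}

AT_RE = re.compile(r"atPhysAddress\.\d+\.\d+\.(\d+\.\d+\.\d+\.\d+) = "
                   r"Hex-STRING: ([0-9A-Fa-f ]+)")
FDB_RE = re.compile(r"dot1dTpFdbPort\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")


def parse_at_table(text):
    """Step 1: {mac: ip} currently in use, from an atPhysAddress walk."""
    mapping = {}
    for m in AT_RE.finditer(text):
        ip, octets = m.group(1), m.group(2).split()
        mapping[":".join(o.lower() for o in octets)] = ip
    return mapping


def parse_fdb_table(text):
    """Step 3: {mac: bridge port} from a dot1dTpFdbPort walk."""
    ports = {}
    for m in FDB_RE.finditer(text):
        mac = ":".join(f"{int(o):02x}" for o in m.group(1).split("."))
        ports[mac] = int(m.group(2))
    return ports


def check_ip(current, registered, fdb):
    """Compare the live MAC-IP mapping with the registered one and return
    the actions CHECKIP would take as (action, mac, port, reason) tuples.
    A correct registered pair needs no action; a registered MAC on the
    wrong IP or an unregistered MAC has its switch port disabled (step 4),
    or is only reported when the FDB has not learnt the MAC yet."""
    actions = []
    for mac, ip in sorted(current.items()):
        if mac not in registered:
            reason = "unregistered MAC"
        elif registered[mac] != ip:
            reason = f"registered for {registered[mac]}, using {ip}"
        else:
            continue
        port = fdb.get(mac)
        if port is None:
            actions.append(("report", mac, None, reason + ", port unknown"))
        else:
            actions.append(("disable", mac, port, reason))
    return actions


def snmpset_command(agent, community, port):
    """net-snmp command that closes a port by setting ifAdminStatus to
    down(2). Assumption: the bridge port number equals the ifIndex, which
    holds on many switches but should be checked via dot1dBasePortIfIndex."""
    return f"snmpset -v2c -c {community} {agent} IF-MIB::ifAdminStatus.{port} i 2"


if __name__ == "__main__":
    live = parse_at_table(AT_TABLE_WALK)
    fdb = parse_fdb_table(FDB_WALK)
    for action, mac, port, reason in check_ip(live, REGISTERED, fdb):
        print(action, mac, port, reason)
        if action == "disable":
            print("  ", snmpset_command("3COM", "private", port))
```

On the sample, the first MAC matches its registration and is left alone, the second is registered for a different address and its port 7 is disabled, and the unregistered third MAC loses port 12. Devices that only expose ipNetToMediaTable need the same parser pointed at ipNetToMediaPhysAddress, whose index is ifIndex.ip without the middle ".1".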

Figure 4.5 Operational Flow of CHECKIP

Figure 4.6 Operational Flow of CHECKTRAFFIC

4.3.2 Traffic Legality

Figure 4.6 shows the operational flow of CHECKTRAFFIC. When CHECKTRAFFIC is executed, it obtains the amount of traffic of the related MACs from hostTable on the 3COM switch (step 1) and updates the NMS database (step 2). It then checks the traffic usage of each current MAC address (step 3). If the traffic exceeds the upper bound, the program terminates the connection (step 4). Thus, whenever a user's network traffic usage exceeds the bound, the connection is terminated.

Both CHECKIP and CHECKTRAFFIC are executed every 5 minutes. A shorter interval is possible, but the additional SNMP request and response packets may degrade network performance.
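CHECKTRAFFIC's accounting (steps 1 to 3 above), as an added example that is not the paper's program: two constructed polls of the RMON hostTable counters (hostInOctets and hostOutOctets per MAC, already parsed into dictionaries; the MACs and values are made up), the per-interval deltas, and the upper-bound check. Both objects are Counter32, so a reading can be smaller than the previous one once the counter wraps at 2^32; the example handles that, which a naive subtraction does not. The upper bound is assumed to be an accumulated per-MAC octet total kept in a running dictionary that stands in for the NMS database.

```python
COUNTER32_MODULUS = 2 ** 32
POLL_INTERVAL_S = 5 * 60  # CHECKTRAFFIC runs every 5 minutes

# Two consecutive polls of hostInOctets / hostOutOctets per MAC, as held in
# the RMON hostTable (constructed values; a real poll would be an snmpwalk
# of RMON-MIB::hostInOctets and hostOutOctets parsed into this shape).
PREV_POLL = {
    "00:0c:29:3a:5b:6c": (4_294_900_000, 10_000),  # hostInOctets close to 2^32
    "00:50:56:aa:bb:cc": (500_000, 200_000),
}
CUR_POLL = {
    "00:0c:29:3a:5b:6c": (150_000, 20_000),        # hostInOctets has wrapped
    "00:50:56:aa:bb:cc": (600_000, 250_000),
    "00:0c:29:3a:5b:6d": (1_000, 1_000),           # first seen in this poll
}
UPPER_BOUND_OCTETS = 200_000  # assumed per-MAC limit for the example


def counter_delta(old, new, modulus=COUNTER32_MODULUS):
    """Octets transferred between two readings of a Counter32. The counter
    wraps to 0 at 2^32, so after a wrap `new` is smaller than `old` and a
    plain new - old is negative; a saturated 100 Mb/s port wraps a 32-bit
    octet counter in under six minutes, i.e. within one polling interval."""
    if not (0 <= old < modulus and 0 <= new < modulus):
        raise ValueError("not a Counter32 value")
    return (new - old) % modulus


def interval_usage(prev, cur):
    """{mac: (in_delta, out_delta)} for MACs present in both polls; a MAC
    seen for the first time has no baseline and is skipped until next poll."""
    return {
        mac: (counter_delta(prev[mac][0], cur[mac][0]),
              counter_delta(prev[mac][1], cur[mac][1]))
        for mac in cur if mac in prev
    }


def check_traffic(prev, cur, upper_bound, usage=None):
    """Steps 2 and 3 of CHECKTRAFFIC: add this interval's deltas to the
    running per-MAC total (the dictionary stands in for the NMS database)
    and return, sorted, the MACs whose in+out total exceeds the bound.
    Passing a fresh `usage` each call turns the bound into a per-interval
    limit instead of an accumulated one."""
    if usage is None:
        usage = {}
    for mac, (rx, tx) in interval_usage(prev, cur).items():
        usage[mac] = usage.get(mac, 0) + rx + tx
    return sorted(mac for mac, total in usage.items() if total > upper_bound)


if __name__ == "__main__":
    for mac, (rx, tx) in interval_usage(PREV_POLL, CUR_POLL).items():
        print(f"{mac}: in={rx} out={tx} "
              f"({(rx + tx) * 8 / POLL_INTERVAL_S / 1000:.1f} kb/s average)")
    print("over bound:", check_traffic(PREV_POLL, CUR_POLL, UPPER_BOUND_OCTETS))
```

Two caveats for a real deployment: the modulo arithmetic recovers a single wrap per interval but cannot detect two, so a host that can wrap the counter twice in five minutes needs a shorter interval or 64-bit counters where the device offers them; and RMON host entries only exist once a hostControlEntry has been created on the probe for the monitored interface.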

4.3.3 System Interface

Since the NMS is the kernel of the network management, we developed a friendly web interface for operating the functions provided by the NMS. The main page offers the management functions IP Registration, User Login, and Manager Login.

After clicking IP Registration, a user is asked to enter the related data in order to obtain a legal IP address. User Login is the login interface for all users; after entering the system, a user can view his personal data and modify items such as the e-mail address and password. Figure 4.7 shows the information of a legal user.

Figure 4.7 Information of a Legal User

Figure 4.8 Rules in FORWARD Chain

Figure 4.9 Information of 3COM

Figure 4.10 IP Management

A manager operates the NMS through the web interface. Three management tools are available to the manager: firewall tools, device tools, and IP management tools. The firewall tools let the manager select one of the INPUT, OUTPUT, and FORWARD chains and add or delete filtering rules; Figure 4.8 shows the rules in the FORWARD chain. The device tools examine a device's status and perform the necessary operations, such as locking and unlocking a device port; Figure 4.9 shows the information of a 3COM switch and lists its port status. IP management can be approached from the perspective of either allocation or identity: starting from either a location or an IP address, the manager can obtain the traffic usage and modify the IP allocation, for example by withdrawing an IP address, through the window of the IP management tools. An example of IP management for a dedicated room is shown in Figure 4.10.

5 Concluding Remarks

5.1 Summary

In this paper, we built a firewall system and made use of MIBs to develop a DLAN management system. The firewall system protects the DLAN against attacks from the Internet. The Bridge MIB gives us the mapping between MAC addresses and the ports of a switch, and the RMON MIB lets us monitor the traffic usage of each user. In this system we aim at protecting internal resources: we screen packets to prevent intrusions from the Internet and ensure the proper resource usage of each internal user, represented by a legal IP. With the help of existing software packages such as netfilter, iptables, snort, and pmu, we were able to build a practical DLAN management system.

5.2 Future Work

Using MIBs to manage a network system is simple, but the required MIB may not be available on every device; there is, for instance, no firewall MIB. Our approach is to write a firewall agent that supplements the existing SNMP agent. The drawback is that this firewall agent can only control netfilter and iptables, which are what our firewall system uses, so the agent must be rewritten whenever the firewall software changes. We await a standard firewall MIB so that firewall operations can be performed with uniform SNMP commands. The other shortcoming of our system is that messages flowing between the firewall system and the NMS are not encrypted. Encryption could be critical and necessary for systems with high security requirements. Note that the same applies to the SNMP Set operations that close switch ports: with SNMPv1 and SNMPv2c the community string travels in clear text, whereas the SNMPv3 support already present in net-snmp 5.x provides authentication and privacy. A further direction comes with the rapid growth of wireless and mobile computing: management requirements may change accordingly, and new management functions deserve further development.

References

[1] Lai-Ming Shiue, I-Ping Hsieh, and Shang-Juh Kao, "Security and Traffic Management for a Department Local Area Network," ICC&IE 2003.

[2] Marshall T. Rose, The Simple Book, Revised 2nd Edition, Prentice-Hall, 1996, ISBN 0-13-451659-1.

[3] James D. Murray, Windows NT SNMP, O'Reilly, 1998, ISBN 1-56592-338-3.

[4] William Stallings, SNMP, SNMPv2, SNMPv3, and RMON 1 and 2, 3rd Edition, Addison-Wesley, 1999, ISBN 0-201-48534-6.

[5] Wolfgang Weber, "Firewall Basics," 4th International Conference on Telecommunications in Modern Satellite, Cable and Broadcasting Services, Vol. 1, pp. 300-305, 13-15 October 1999.

[6] Robert Zalenski, "Firewall Technologies," IEEE Potentials, Vol. 21, No. 1, pp. 24-29, Feb/Mar 2002.

[7] Robert N. Smith and Sourav Bhattacharya, "Operating Firewalls Outside the LAN Perimeter," IEEE International Performance, Computing and Communications Conference (IPCCC '99), pp. 493-498, 10-12 February 1999.

[8] Anonymous, Maximum Security, 4th Edition, SAMS, 2002, ISBN 0-672-32459-8.

[9] Lai-Ming Shiue, pmu, Department of Applied Mathematics, National Chung-Hsing University, Taiwan, http://lab511.amath.nchu.edu.tw/.
