Network Management

• Documentation
• Management Tools
• Administrative Costs
• Troubleshooting
• Planning Upgrades/New Installations

• Accounts
• Resources

• Purpose of Directory Services
• Components of Directory Services
• Directory Standards – X.500
• Lightweight Directory Access Protocol (LDAP)
• Microsoft Windows Workgroups and Domains
• Novell Directory Services (NDS)
• Microsoft Active Directory Service

• Policy Issues
• Account Issues
• Controlling Spam

Documentation - Document Everything! - Update!

• Client Types and Settings
• Location of system
• Type of system - down to serial numbers
• System hardware configuration - include types, sizes, and all settings
• Network Interface Card settings - including address
• System software configuration - include license audit, software versions and settings, and client software with protocol configurations
• Server Types and Settings
• Location of system
• Type of system - down to serial numbers
• System hardware configuration - include types, sizes, redundancy, and all settings
• Network Interface Card settings - including addresses with subnets
• System software configuration - include license audit, software versions and settings, and dates of software installations
• Network Operating System configuration - including all bug fixes and patches
• API's - settings and dates installed
• Facility Audit
• Hubs, routers, etc. - with types, locations, supported protocols, associated port locations
• Network Map - cable runs, types of cable, terminating points, etc.

• Server Monitors - performance monitoring
• Memory available - page faults
• CPU utilization
• Disk space free
• Disk transfer rate
• Error rates
• Network Monitors - track information about the network
• Client/Server-based
• MIB - Management Information Base - text file on host being monitored for each element being monitored
• SNMP - Simple Network Management Protocol
• Queries devices about their status, referring to MIBs
• UDP (User Datagram Protocol) - connectionless protocol used to pass information from the client to the server
• Messages - sent through port 161
• Traps (alerts) - sent through port 162
• Network Probes - network analyzer
• Stand-alone device (typically)
• Deployed on segment being monitored
• Used to measure data traffic patterns and determine the cause of any major bottlenecks
• Packet Sniffers - intercepts all packets on a network
• Can be used to analyze network traffic
• Can be used for hacking/cracking!
• Filters can limit data to only that which you want to see

• Can be biggest cost of computer ownership
• Can be minimized through system configurations and administrative software tools
• Standardize account management
• Standardize software through licensing
• Apply ALL patches and updates
• Document, document, and document…

• Know your network (i.e., document!)
• Have tools in place to resolve problems
• Centralize support
• Use the Web for information
• Pay attention to updates and patches
• Anticipate questions prior to support calls
• Determining the problem can be more difficult than solving the problem

• Needs analysis - identify requirements
• Plan layout and identify infrastructure (conduit, etc.) requirements
• Plan implementation
• Implement system (in parallel, if possible)
• Test implementation
• Solicit feedback

Accounts

• User Accounts
• Establish common naming convention
• Establish common account attributes
• Establish secure password requirements

• No dictionary words
• No common names, birthdates, personal information
• Minimum of 6 characters long
• Keep password history
• Require periodic password changes

• Policy on multiple simultaneous logins
• Ongoing Process – add and delete accounts as needed
• Group Accounts
• Organize users into common attributes
• Resource permissions based on group membership

• Establish disk quotas
• Include policy for expanding quotas
• Establish file access parameters
• User files private, public, some of each?
• Group files shared
• Software installation and upgrade policy
• Locked down – only administrator can do so
• Open – user can install or upgrade (keep track of software licenses!)
• Establish printer queues and policies
• Electronic mail queues

Purpose of Directory Services

• Store and organize information on network resources
• Users
• Printers
• Computers
• Control access to network resources
• Organizations may have multiple directories in place
• Independent of each other - different administrative procedures are needed for each
• Synchronized - procedures are in place that allows a change to one directory to filter to other directories

• Type of database - allows users to locate records using information associated with that record
• Structure
• All items should be uniquely identifiable
• Similar items should be grouped
• Namespace - the list of identifiable items pertaining to records within the directory
• Must be complete - all information pertaining to the items represented in the database must be present
• Must be accurate
• Must be accessible and efficient

• Applications of directory
• Authentication – verify identities of users
• Simple – username and password
• Strong – uses public key encryption certificates
• Interpersonal communications – resources for E-mail
• Intersystem communications – resources for systems to interact with services running on other systems
• Information within the directory
• Access information – access controls, internal consistency checks
• Information about people – e-mail addresses, name, address, phone, public key certificates, etc.
• Information about systems – location, availability, etc.
• Directory Information Base (DIB) – database entries, each of which is associated with one or more attributes
• Directory Information Tree (DIT) – hierarchical (inverted tree) representation of the directory contents
• C – Country – highest level grouping C=US
• O – Organization – next highest level O=Lehigh
• L – Locality – any point in the tree except directly below the "root" (top) L=Bethlehem
• OU – Organizational Unit – must be below Organization OU=Computing Center
• CN – Common Name – distinguishing attribute – must be below O and OU CN=John Doe
• Distribution – directory specifications allow directory information to be replicated to multiple locations
• Directory User Agent (DUA) – presents directory information to users
• Directory Access Protocol (DAP) – provides a standard means for Directory User Agents to interact and access information from the directory
• Functions for data interrogation
• Read – a specific entry
• Compare – compares supplied value of an attribute to the existing value of that attribute for a specific entry (e.g., password checking)
• List – lists subordinates to a given entry
• Search – returns all entries matching a filter condition
• Abandon – aborts any outstanding interrogation requests
• Functions for modifying directory information
• Add Entry
• Remove Entry
• Modify Entry
• Modify Distinguished Name – changes the name of a specified attribute

• Message-oriented, client/server protocol developed to access and manage directory services
• Simpler, less resource intensive than DAP (uses TCP transport; doesn’t need to support upper layers of the OSI stack) – DAP subset
• Official Internet standard
• Directory support can be added to more applications
• Can interact with X.500 directories
• Can interact with non-X.500 directories with appropriate server software

• Windows 95/98/Me/NT
• Workgroups – all systems that are members of the workgroup are allowed access to shared resources
• File directories (i.e., folders)
• Printers
• Domains – (Windows NT) go beyond resource sharing to include a shared security service that can be used to control access to resources
• User level control
• Group level control
• Controls access to resources regardless of whether the system is being accessed locally or over a network
• Systems must be explicitly added to a domain to gain access to the domain's security services
• Administrator account typically used to add or delete machines from a domain

• Based on X.500 structure and hierarchy
• Network infrastructure which links users to network services, applications, and data files
• LDAP interface
• Single sign on - log on once and be authenticated to the all network resources to which you have rights
• Security based on public key encryption technology
• Replication - allows for a distributed directory model where partitions can be replicated to distributed servers
• Single point of administration - centralized management or distributed management (e.g., departments)

• Windows 2000
• Based on NT domains with X.500, NDS, DNS additions
• Authentication scheme based on Kerberos V.5
• Uses Unix-style DNS for computer name resolution
• Supports mixed Active Directory and NT domain environment
• Domains organized into Trees starting with the root
• Hierarchy of domains have trust relationships to each other
• Domains can have a hierarchy of organizational units

Policy Issues

• Expectation of privacy?
• Backup Schedule
• Retention issues

• Disk space allocation
• POP – Post Office Protocol - messages are typically downloaded to a single client computer
• IMAP – Internet Message Access Protocol - messages remain on a server computer where they can be read from any client computer
• Virus scanning
• Centralized - on mail server
• Desktop (individually)

• Blocking "free" mail sites
• Blocks legitimate mail as well
• Blocking "Open Relay" Sites
• Mail Abuse Prevention System
• http://www.mail-abuse.org/rbl+/
• Testing for Open Relays
• http://relays.osirusoft.com/cgi-bin/rbcheck.cgi
• Complaining to abuse@... (mail origination site)
• Determine location through mail header information
• Netscape – click View, Headers, All
• Outlook – right-click on desired message from within the list of messages; click on Options
• Whois - find owner of an IP address
• American Registry for Internet Numbers http://www.arin.net/index.html
• Asia Pacific Network Information Center http://www.apnic.net/