With advancements in long-haul and broadband
technologies triggering an explosion in packet data traffic, service
providers have moved much of their data traffic onto more efficient
packet networks. They are now looking toward Voice over Internet
Protocol (VoIP) as a means to derive revenue from voice, but also other
multimedia services while providing a unified management console and
helping reduce OPEX.
GENBAND is a global leader of IP infrastructure solutions,
enabling service providers and enterprises around the world to evolve
communications networks through IP innovation. The company offers
market-leading switching, applications, networking and service
solutions, with products deployed in more than 600 customer networks
spanning more than 80 countries. GENBAND provides customers with
high-performance communication equipment (telephony, video, Internet,
and wireless services) to deliver secured quadruple-play and converged
services on IP networks.
Focusing on maximizing savings, increasing network simplicity and
providing new sources of revenue, GENBAND introduced the GENView
Manager, a best-in-class, unified operations, administration,
maintenance and provisioning system that provides operations support and
readiness, fulfillment, assurance and billing (OFAB, including
traditional FCAPS) functionality for network operators. Based on high
availability, highly scalable client/server environments, GENView
Manager provides the ease-of-use and scale required for even the largest
of network deployments.
This single unified interface for all the network elements means a
significant reduction in integration times and costs. The main
functional services with the GENBAND GENView Manager system include
fault processing, performance analysis, configuration management and
security management as well as a northbound interface to OSS systems. In
addition, network topology tools provide a good visibility into the
network issues for maintainability and problem resolution.
The system architecture is tiered providing aggregation of
GENBAND network elements for scaling purposes to meet larger network
requirements. GENView Manager has a backend server for data collection
and correlation logic, a front end to present the Graphical User
Interface and a database layer for persistence. GENView Manager operates
in a replicated high availability configuration to minimize service
outages or downtime, thereby protecting customer service-level metrics
and ensure service continuity. It can reside on ATCA blade in the
GENBAND GENiUS platform, or in a standalone Rack Mount Server, managed
from a different location within the service provider’s network.
GENBAND GENView Manager infrastructure uses a diverse set of
management protocols including standards such as SNMP and CORBA as well
as custom protocols. Fault processing includes business logic to
determine root-cause analysis. Alarm filtering and correlation is
performed to avoid duplicate faults. NOC operators can drill down from
an alarm to a graphical shelf level and view the chassis to see exactly
where and what is going on. Alarm resynchronization with network element
and OSS enable a reliable and robust fault capability.
Performance management performs the data collection and can
threshold at the network element and applications levels and generates
crossing alerts. Custom graphing and reporting can easily be
accomplished. Then performance data is aggregated to a northbound OSS
interface.
Configuration management allows NOC operators to control the
system by initiating configuration operations such as firmware upgrades,
patching, backup/restore, application management and high availability
settings.
GENBAND customers have high expectations around security and
GENView Manager treats it as an essential service and a key
differentiator. To harden its system, GENBAND typically secures
NMS-to-NE communications with protocols such as SSH, SFTP, IPsec and
SNMPv3 – depending on customer requirements. All communication:
southbound, northbound and between the GUI client server is secure via
SSL. GENView Manager uses a password encrypted single sign-on (SSO) to
ensure a seamless and solid operation to their authentication,
authorization and auditing (AAA) module. It can also be accessed
remotely via HTTPS. Authentication is achieved via a RADIUS-supported
central security server with configurable password-reset policies. The
central security server can also be integrated into the customer AAA
system using standard protocols such as Radius and LDAP. Authorization
is a simplified user and group management module that restricts views or
operations. Auditing records user operations on a per element basis.
Other GENBAND security measures include: pushing performance data
via secure FTP, hardening the OS, using restricted ports, conducting
periodic vulnerability scans, developing rules to better manage loads,
and enforcing rigorous backup/restore procedures to protect data from
being corrupted.
Another key component to the service provider’s environment is a
northbound interface that enables interoperability and unification into a
single-point management. To accomplish, GENBAND correlates data and
employs JMX (Java Management Extensions) as a means of a northbound
interface for faults, performance data and system configurations.
GENBAND, an innovative leader deployed in Tier 1 service
providers around the world, sets the standard with the unified
management system, GENView Manager, and is committed to responsiveness
and service to its customers.
Eric Wegner works for Zoho Corp, http://www.webnms.com
Wednesday, December 12, 2012
Carrier Ethernet OAM Part 2
Standards bodies are defining the data
collection, which is a good thing and could keep costs down. Discovering
switches, the ports and E-line/E-Lan services configured in the switch
can be made available in an inventory list view. Logical elements like
services, UNIs, endpoints and profiles can also be captured by a
discovery filter. These objects can be seen both under a network
database list view and a Carrier Ethernet physical map. However, scale,
high availability and the integration story is cloudy and can ultimately
drive the costs up. Developing to a complex integration standard costs
money. The end goal really is to enable informed, proactive management
and swift problem resolution that effectively runs their operations.
To overcome the management challenge, we (and others) have pre-built object models to support standards-based equipment and extend the object model, which can be mapped to support various equipment.
There can be better control over networks with flow-through automation, real-time QoS performance and bandwidth monitoring that accelerates time-to-market and ensures customer Service Level Agreements (SLAs) via standards.
Performance monitoring and health checking can be real-time or historical on service and can go down to a port, EVC utilization or transmission errors, and perform QoS thresholds and KPIs. For fault, you can use RFC2544FdAlarm and RFC2544JitterAlarm that can are parsed and correlated into meaningful actionable alarms. Class-of-service flows can allow for testing of throughput, latency and jitter. The network can be engineered for different traffic priorities.
Configuration, activation and monitoring of RFC2544 tests as well as threshold definitions and notification reception can be supported. Provisioning the Ethernet services and OAM profiles can be accomplished via a user interface. Logical elements like services, endpoints, UNIs, NNIs, and ports can be added. Various profiles like bandwidth profile, performance profile, an RFC2544 profile and CFM profile can be added and the same can be associated to endpoints of a service.
The scaling challenge is always present and if architected correctly, management systems can scale to very large sizes. One way to accommodate scale is to use multi-threading data collection in a distributed hardware environment or virtual machines. This distributed data collection can roll up to a centralized backend to handle the correlation business logic, performance KPIs and reporting across the network.
High availability can be accomplished by hardening the OS and providing standby hardware and using database replication techniques (a topic for a future blog).
Lastly, system integration between management systems and OSS and BSS systems need not be expensive and standards bodies can tend to go overboard. Technologies can be accomplished using the cloud model by publishing an SOAP or REST API and using accepted industry protocols, which will keep costs down. The technology exists today — use it.
Eric Wegner works for Zoho Corp, http://www.webnms.com
To overcome the management challenge, we (and others) have pre-built object models to support standards-based equipment and extend the object model, which can be mapped to support various equipment.
There can be better control over networks with flow-through automation, real-time QoS performance and bandwidth monitoring that accelerates time-to-market and ensures customer Service Level Agreements (SLAs) via standards.
Performance monitoring and health checking can be real-time or historical on service and can go down to a port, EVC utilization or transmission errors, and perform QoS thresholds and KPIs. For fault, you can use RFC2544FdAlarm and RFC2544JitterAlarm that can are parsed and correlated into meaningful actionable alarms. Class-of-service flows can allow for testing of throughput, latency and jitter. The network can be engineered for different traffic priorities.
Configuration, activation and monitoring of RFC2544 tests as well as threshold definitions and notification reception can be supported. Provisioning the Ethernet services and OAM profiles can be accomplished via a user interface. Logical elements like services, endpoints, UNIs, NNIs, and ports can be added. Various profiles like bandwidth profile, performance profile, an RFC2544 profile and CFM profile can be added and the same can be associated to endpoints of a service.
The scaling challenge is always present and if architected correctly, management systems can scale to very large sizes. One way to accommodate scale is to use multi-threading data collection in a distributed hardware environment or virtual machines. This distributed data collection can roll up to a centralized backend to handle the correlation business logic, performance KPIs and reporting across the network.
High availability can be accomplished by hardening the OS and providing standby hardware and using database replication techniques (a topic for a future blog).
Lastly, system integration between management systems and OSS and BSS systems need not be expensive and standards bodies can tend to go overboard. Technologies can be accomplished using the cloud model by publishing an SOAP or REST API and using accepted industry protocols, which will keep costs down. The technology exists today — use it.
Eric Wegner works for Zoho Corp, http://www.webnms.com
Carrier Ethernet OAM Part 1
Service providers are determining where there
is a need for more fiber and what kind of reach it can go to the rural
communities. As more network elements are deployed to keep up with
bandwidth demand, so is there an increased importance in scale for
network management and monitoring performance.
First step is data collection. If you can't see it, you can't manage and control it. Beyond the Carrier Ethernet NOC, questions are being asked. What do customers want? What do service providers want? There is a growing need for speed for consumers and enterprises. We are seeing incremental increases in bandwidth speed all the time.
A little historical perspective: Remember when the Hayes 9600 bit modem put the internet in the hands of the masses? Remember when a T1 was thousands per month? Speeds increase, costs come down. It's a classic case of economics and technology innovation.
Service providers want to see their costs go down. As bandwidth demand increases, their revenue is not moving in a parallel line to it. As customers see the advantages of higher speed, the service providers want to see the money. A bigger pipe just gets you so far.
Are you willing to pay for higher SLAs? Yes, enterprises are asking for it. Willing to pay extra for security? Certainly the government and military demand and pay for it. It would make sense that enterprises with sensitive information would pay for extra security. Are you willing to pay for higher quality or a class of service? Sure, but only if there is a portal for customers to see their service usage stats, performance metrics and can provision for their needs.
Back to the Carrier Ethernet NOC story. Controlling, measuring and reporting Ethernet service in a standards-based way across services and across vendors is a key to helping service providers with business continuity and reducing OPEX. Although the MEF-Ethernet management model has an established baseline, not all of the Carrier Ethernet vendors use standard MIBs and implement their own RFCs to support OAM and CFM by querying custom CLI command sets. Every service provider has a hodgepodge of systems that do different functions. That's the way it is, by design, best of breed or by legacy of investment. There are two ways to go about this, a unified system or an integrated approach.
First step is data collection. If you can't see it, you can't manage and control it. Beyond the Carrier Ethernet NOC, questions are being asked. What do customers want? What do service providers want? There is a growing need for speed for consumers and enterprises. We are seeing incremental increases in bandwidth speed all the time.
A little historical perspective: Remember when the Hayes 9600 bit modem put the internet in the hands of the masses? Remember when a T1 was thousands per month? Speeds increase, costs come down. It's a classic case of economics and technology innovation.
Service providers want to see their costs go down. As bandwidth demand increases, their revenue is not moving in a parallel line to it. As customers see the advantages of higher speed, the service providers want to see the money. A bigger pipe just gets you so far.
Are you willing to pay for higher SLAs? Yes, enterprises are asking for it. Willing to pay extra for security? Certainly the government and military demand and pay for it. It would make sense that enterprises with sensitive information would pay for extra security. Are you willing to pay for higher quality or a class of service? Sure, but only if there is a portal for customers to see their service usage stats, performance metrics and can provision for their needs.
Back to the Carrier Ethernet NOC story. Controlling, measuring and reporting Ethernet service in a standards-based way across services and across vendors is a key to helping service providers with business continuity and reducing OPEX. Although the MEF-Ethernet management model has an established baseline, not all of the Carrier Ethernet vendors use standard MIBs and implement their own RFCs to support OAM and CFM by querying custom CLI command sets. Every service provider has a hodgepodge of systems that do different functions. That's the way it is, by design, best of breed or by legacy of investment. There are two ways to go about this, a unified system or an integrated approach.
Wednesday, August 29, 2012
Inventory and Topology Mapping: Visualizing the Chaos
You would think the IT folks would have a
pretty good handle of their telecom assets and equipment. But in many
cases, their infrastructure has grown past the chaos stage. Sheer volume
of devices and applications require inventory and mapping tools to
manage and control system environments.
Think of an inventory and topology mapping application as an Org Chart for your networking gear. One can see the spatial relationship of the device and their links, and see the status and performance of between them. Then the mapping can be traced back to the system engineer or operator who is responsible for them. As an audit feature, user actions are recorded with timestamps. One may think this is a bit of corporate Big Brother, but knowing who did what and when to a device is imperative in resolving issues, troubleshooting and keeping the network up.
Once inventory and mapping are known, decision-making processes flow more efficiently and improve operator productivity. The mechanics of the network management application is to perform a “Discovery" or a scan of the network elements and provide physical and logical links between devices. Discovery spans from Layer 2 to all the way up to discovery at applications layer. The common protocols for discovery are CDP, LLDP, PING, SNMP, TL1, CORBA for the infrastructure discovery and protocols like RMI, SOAP, REST etc., for the application discovery. It’s like a CAT Scan of your system environment. Once mapping is complete, many out-of-the-box metrics are available for current and historical trending performance. his is just another hammer in the network engineer’s toolbox to keep systems up and running. It also gives management a quick visual of the hot zones.
Many companies struggle to even get through the discovery phase. The environment is constantly changing. Engineers are pulled away to fight fires. End-users, internal or external, start pointing fingers and it becomes a pissing match. No one wins and it gets escalated to top management.
Even in mature organizations, there can be siloed systems that have been operating and working well for years. If there are truly no integration points or data sharing, then map it as its own entity. But a No Integration situation is a rarity. Data is useful or impacts other data. I have seen situations were integration is a bigger chore on the organizational process than the integration work itself. Sometimes management is even unaware problems exist. Without a mapping application, they are flying blind. People rely on what’s in their heads and when anyone leaves the company, a new level of chaos rises up.
Inventory discovery and mapping connections start a discipline that makes the operator staff accept a common data source. Since this data source is fluid, re-discovery can happen on a daily basis. It can be a real eye-opener. It’s a snapshot in time where leadership can act upon, prioritize tasks and assign the right people. If network or device changes are necessary, you can establish the process to get the right people to approve, assign the right people to perform, then see an audit if it needs to be revisited. Over time, it becomes routine and fire fighting is reduced. Granted, you will need to carry out some interventions, but organizational changes will work given a common data set. Knowledge is shared equally and the focus can be on the problem and less on the communications.
In today’s new cloud environment, it does not mean cloud assets need to be isolated. They can be part of hybrid inventory and mapping picture. CIOs may struggle with the idea of cloud infrastructure, but knowing what’s there and how it is performing bridges the confidence gap.
Think of an inventory and topology mapping application as an Org Chart for your networking gear. One can see the spatial relationship of the device and their links, and see the status and performance of between them. Then the mapping can be traced back to the system engineer or operator who is responsible for them. As an audit feature, user actions are recorded with timestamps. One may think this is a bit of corporate Big Brother, but knowing who did what and when to a device is imperative in resolving issues, troubleshooting and keeping the network up.
Once inventory and mapping are known, decision-making processes flow more efficiently and improve operator productivity. The mechanics of the network management application is to perform a “Discovery" or a scan of the network elements and provide physical and logical links between devices. Discovery spans from Layer 2 to all the way up to discovery at applications layer. The common protocols for discovery are CDP, LLDP, PING, SNMP, TL1, CORBA for the infrastructure discovery and protocols like RMI, SOAP, REST etc., for the application discovery. It’s like a CAT Scan of your system environment. Once mapping is complete, many out-of-the-box metrics are available for current and historical trending performance. his is just another hammer in the network engineer’s toolbox to keep systems up and running. It also gives management a quick visual of the hot zones.
Many companies struggle to even get through the discovery phase. The environment is constantly changing. Engineers are pulled away to fight fires. End-users, internal or external, start pointing fingers and it becomes a pissing match. No one wins and it gets escalated to top management.
Even in mature organizations, there can be siloed systems that have been operating and working well for years. If there are truly no integration points or data sharing, then map it as its own entity. But a No Integration situation is a rarity. Data is useful or impacts other data. I have seen situations were integration is a bigger chore on the organizational process than the integration work itself. Sometimes management is even unaware problems exist. Without a mapping application, they are flying blind. People rely on what’s in their heads and when anyone leaves the company, a new level of chaos rises up.
Inventory discovery and mapping connections start a discipline that makes the operator staff accept a common data source. Since this data source is fluid, re-discovery can happen on a daily basis. It can be a real eye-opener. It’s a snapshot in time where leadership can act upon, prioritize tasks and assign the right people. If network or device changes are necessary, you can establish the process to get the right people to approve, assign the right people to perform, then see an audit if it needs to be revisited. Over time, it becomes routine and fire fighting is reduced. Granted, you will need to carry out some interventions, but organizational changes will work given a common data set. Knowledge is shared equally and the focus can be on the problem and less on the communications.
In today’s new cloud environment, it does not mean cloud assets need to be isolated. They can be part of hybrid inventory and mapping picture. CIOs may struggle with the idea of cloud infrastructure, but knowing what’s there and how it is performing bridges the confidence gap.
Monday, August 6, 2012
US House voted to prevent any increased U.N. Internet regulation
The House voted unanimously on Thursday to approve a resolution aimed
at preventing any efforts to hand the United Nations more power to
oversee the Internet.
The resolution had previously cleared the House Energy and Commerce Committee with a unanimous vote.
More on the topic:
http://www.nextgov.com/cio-briefing/2012/08/house-unanimously-approves-un-internet-resolution/57207/?oref=nextgov_today_nl
The resolution had previously cleared the House Energy and Commerce Committee with a unanimous vote.
More on the topic:
http://www.nextgov.com/cio-briefing/2012/08/house-unanimously-approves-un-internet-resolution/57207/?oref=nextgov_today_nl
Thursday, July 5, 2012
Firewall Analysis to Monitor Bandwidth Utilization: Mindtree Use Case
What's going through the pipes is important business and costs big
money. Guaranteeing customer service,
performance levels and quality experiences requires deep analysis and proactive
monitoring.
System Integrator and IT Consulting company, Mindtree, is servicing a leading
video software and services company that provides end-to-end media streaming
and video asset management solutions to over 2,400 clients in 50+ countries
including some of the world's biggest brands.
This was achieved through a global infrastructure, consisting of
regional R&D and data centers around the world through traditional, hybrid
and private clouds.
The challenge was simple - To ensure and deliver a truly broadcast
quality experience. MindTree consultants
were assigned with the responsibility of maintaining the global network
infrastructure and had to adhere to strict requirements for Information
Security Management, IT Service Management and Quality Management.
One of the tasks that MindTree consultants had to undertake for their
client was capacity planning and assist them in migrating data from one data
center to another; a challenging task that demands huge bandwidth availability.
They had carried out the pre-migration analysis and estimated that the
available bandwidth would be more than sufficient for a quick data migration.
However, during the actual migration they noticed that the available bandwidth
was much lower than they had estimated.
Hence, data migration was taking much longer than anticipated.
It was imperative for the consulting team to quickly identify the root
cause of high bandwidth utilization and free it up. Using a tool called Firewall Analyzer, they
unearthed the cause. It picked up
unusually high consumption on remote access VPN traffic and provided important
insights into specific users (with IP address) connected to the VPN and the
amount of traffic being sucked up. They
were able to bring the situation under control immediately.
In addition, they were able to perform firewall configuration audits,
which helped them detect issues and vulnerabilities, identify conflicting or
unused devices rules and meet auditing and compliance mandates. The firewall audit feature helped remove
unused rules and spot these vulnerabilities due to device misconfigurations.
When network anomalies
occurred in their clients’ environment, it triggered custom alerts from a
centralized console. They were able to
assign alerts to operators, whereby they could view the complete history of
actions, notes on the alert and report on a very granular basis on the top VPN hosts, top protocols used and bandwidth consumption.
Bandwidth is not cheap especially in a high capacity video streaming
environment. Problem determination costs
money too. Mindtree has an execution
model to meet customer expectation and service assurance levels.
Friday, June 8, 2012
Mobile SATCOM Management: Bandwidth In the Clouds
The need for speed on-the-go is often coined as COTM – Communications on the Move. Imagine command and control intelligence with high-speed bandwidth rates for encrypted high-def video, voice and Web browsing. Because of the increased capabilities and economics becoming much better, mobile SATCOM adoption is taking off.
Viasat looked for standards-based technologies and COTS software to build a highly custom teleport bandwidth management system called SAM – Satellite Access Manager. SAM runs on a 2-to-8 core Linux blade server in a high availability mode. They typically do not have the luxury of big footprint hardware. Using Ka-band or Ku-band satellite uplink with ultra small 12-inch tracking antenna, bandwidths reach up to 8-10 Mbps. Even higher data rates are possible with larger ground units. As with every network infrastructure, it needs to be managed and controlled. However, in this environment, very little was truly off the shelf.
To build SAM, Viasat employs a development methodology known as Agile Scrum, which is an iterative and incremental approach to software application development. Small tasks are identified and an estimated commitment for the sprint goal is made, then reviewed, and next tasks are prioritized by customer and internal stakeholder demand. Requirements change and churn based on an unpredictable nature. They accept that problem because features may not be fully understood or defined, so breaking down the tasks into smaller chunks reduces risk and they can respond to customer and market driven deliverables quickly.
Another challenge is not knowing what has already been developed and in the public domain. Developers tend to build from the ground up, and keeping aware of the technology stacks available keeps cost and development time down. Core COTS software functionality is out-of-the-box and they can focus on features particular to their space and spend time on actual customer requirements.
The management application has some of your traditional FCAPS functionality, but the main components are to monitor and control equipment and services. Topology is an on-the-move, hub-spoke architecture with a few thousand devices. For fault, it remotely monitors alarms on equipment that has gone down or degrading, equating to loss of service. SAM collects a large number of events and aggregates the data to a consolidated management view. The communication layer between remote and central server is SOAP / XML. Operators have a global view and can detect loss of service proactively before the customer calls come in. Fault correlation reveals very complicated outage scenarios into simple user interface displays. The NOC user is concerned with keeping the lights on, and their job is to simply make sure service is not interrupted. They spend more time on actionable tasks rather than troubleshooting. It's automated through the network management application.
The system handles intense signal processing. Because bandwidth is king, there is a ton of performance trending, business analytics and intelligence data collection. SAM takes in quite of bit of data from Eb/N0 (energy to noise ratios) compared to bit error rate performance to dropped CRCs. Managing device configurations and services are key too. They provision and audit multiple remote users on the network within a common bandwidth pool, provide dynamic assignment of bandwidth and prioritize communications.
SATCOM bandwidth increases and costs coming down prove to be an attractive solution. Provisioning and managing fault and performance data ensures service availability just like any other telecom application.
Viasat looked for standards-based technologies and COTS software to build a highly custom teleport bandwidth management system called SAM – Satellite Access Manager. SAM runs on a 2-to-8 core Linux blade server in a high availability mode. They typically do not have the luxury of big footprint hardware. Using Ka-band or Ku-band satellite uplink with ultra small 12-inch tracking antenna, bandwidths reach up to 8-10 Mbps. Even higher data rates are possible with larger ground units. As with every network infrastructure, it needs to be managed and controlled. However, in this environment, very little was truly off the shelf.
To build SAM, Viasat employs a development methodology known as Agile Scrum, which is an iterative and incremental approach to software application development. Small tasks are identified and an estimated commitment for the sprint goal is made, then reviewed, and next tasks are prioritized by customer and internal stakeholder demand. Requirements change and churn based on an unpredictable nature. They accept that problem because features may not be fully understood or defined, so breaking down the tasks into smaller chunks reduces risk and they can respond to customer and market driven deliverables quickly.Another challenge is not knowing what has already been developed and in the public domain. Developers tend to build from the ground up, and keeping aware of the technology stacks available keeps cost and development time down. Core COTS software functionality is out-of-the-box and they can focus on features particular to their space and spend time on actual customer requirements.
The management application has some of your traditional FCAPS functionality, but the main components are to monitor and control equipment and services. Topology is an on-the-move, hub-spoke architecture with a few thousand devices. For fault, it remotely monitors alarms on equipment that has gone down or degrading, equating to loss of service. SAM collects a large number of events and aggregates the data to a consolidated management view. The communication layer between remote and central server is SOAP / XML. Operators have a global view and can detect loss of service proactively before the customer calls come in. Fault correlation reveals very complicated outage scenarios into simple user interface displays. The NOC user is concerned with keeping the lights on, and their job is to simply make sure service is not interrupted. They spend more time on actionable tasks rather than troubleshooting. It's automated through the network management application.
The system handles intense signal processing. Because bandwidth is king, there is a ton of performance trending, business analytics and intelligence data collection. SAM takes in quite of bit of data from Eb/N0 (energy to noise ratios) compared to bit error rate performance to dropped CRCs. Managing device configurations and services are key too. They provision and audit multiple remote users on the network within a common bandwidth pool, provide dynamic assignment of bandwidth and prioritize communications.
SATCOM bandwidth increases and costs coming down prove to be an attractive solution. Provisioning and managing fault and performance data ensures service availability just like any other telecom application.
Thursday, January 12, 2012
Security in Network and Element Management Systems: Genband, Motorola and L-3 Communications Style
Security is getting enormous attention these days and it’s easy to understand why. Selling into carriers and government is big business and architecting and building secure management systems is essential.
In this blog, I’ll discuss a few representative NMS/EMS use cases and cover the three key security layers required in management systems: Authentication, Authorization and Audit (AAA), device-to-application communication, and the sometimes forgotten layer of inter-system communications.
The First Layer of NMS/EMS Security: AAA
NOC security usually assumes a good physical security system is already in place. You would see the guard station with the security cameras and maybe see a biometric entry mechanism, but once you are in the facility, it is all about the management system software.
The first layer of NMS/EMS security is generally around AAA or Authentication, Authorization, and Auditing.
Authentication is accomplished through a challenge-handshake mechanism where the credentials of the user are verified using a three-way handshake. The passwords are never sent across to the authentication module; rather a one-way-hash (called key) is used. This provides protection against playback attack using an incrementally changing identifier and a variable challenge value. Polices with strong password rules or the use of tokens can also be employed.
Once the user gets authenticated, he or she is given authorization for access control. Support for user groups provides a mechanism to collectively associate access rights to a set of users. Also, it is not sufficient to just tie up the access rights of a user with the operation performed. Hence, it becomes necessary to have a framework where the permissions are associated with the subsets of objects concerned with the application. This in turn delivers fine-grained access control. The authorization policy is designed with "Fine-Grained Access Control" as the focus. With a vast number of operators using the application, it’s essential that each one works within the allowed space.
Considering the complexity of applications, the Access Control Policy should have the flexibility to define access rights of a user to operate on a subset of objects that the applications work with. The security service achieves this by defining a set of authorized views called scopes. These authorized scopes consist of sets of properties associated with the user operations. Thus, managed object properties such as network, IP address, node, type, etc., are used in authorized views to control the access of the users to a specific type of device within a given IP range in a specified network. Database access or device configuration access may be limited to a few operators as well.
Auditing is about monitoring what the user does from the moment they sign in including the time and status of operation performed. This enables the network administrator to take necessary steps when an unauthorized execution is attempted by any user. Not only for security purposes, audit controls are extremely useful for debugging issues, for they allow you to determine what users were on the system before, during and after an incident so you can reverse engineer problems.
Device-to-Application Communications
The second layer of NMS/EMS protection is securing communications between the management application and devices across various protocols.
Of course, the first thing people think about are the various encryption standards. In the telecom business, the most common is SNMP v3 that can support SHA, MD5 or DES encryption algorithms. In the government and military space, SNMP v3 with AES encryption as defined and in some cases, mandated by the National Security Agency (NSA).
Besides the secure protocol layers, the management system has various infrastructure components, each looking through various ports. The management system should be flexible enough to be able to assign non-standard port configurations, harden the system by design and be able to monitor port activity.
The Third Layer: Inter-System Communication and Server Security
In the past, people figured that AAA and securing the device to the app pipe was sufficient protection. But to be truly secure today, inter-system communication is also vital.
The NMS/EMS can be deployed in various environments where it needs to support different data stores depending on the requirements. Different data stores like Relational Database, XML, LDAP, NDS, etc., can be integrated. The security module provides administrative interfaces to configure the data store.
In addition, an NMS/EMS can operate across several IT architectures. For instance, the back-end server, database server and a presentation-layer server are often components running on different hardware. Server-to-client communication and database access need to be secure by using SSL or secure RMI (Remote Management Interface). Remote access is set up via HTTPS.
Then, the physical server environment must be hardened. Several steps are involved, such as: ensuring OS patches are up to date; tuning the OS to stop unwanted services running in the system; removing unwanted user accounts; setting a short timeout value for the root account; setting BIOS passwords; and setting automated notification triggers when a list of commands is executed or when system files are modified. Often overlooked, the checking third-party software component configurations are also key.
Use Cases
Here are three representative cases in telecom, military and mobility apps to show how security is being applied in management systems.
Telecom Systems – GENBAND, an innovator in carrier VoIP systems deployed in Tier 1 carriers such as Verizon, views security as essential and a key differentiator. To harden its management system, GenView, GENBAND typically secures NMS-to-NE communications with protocols such as SSH, SFTP, IPsec and SNMPv3 – depending on customer requirements.
AAA is achieved via a RADIUS-supported central security server with configurable password-reset policies. The central security server can also be integrated into the customer AAA system using standard protocols such as Radius and LDAP. Single Sign On (SSO) is provided when launching applications within GenView. Alternatively, the app can be accessed remotely via HTTPS.
Other GENBAND security measures include: pushing performance data via secure FTP, hardening the OS, using restricted ports, conducting periodic vulnerability scans, developing rules to better manage loads, and enforcing rigorous backup/restore procedures to protect data from being corrupted.
Military Grade – An expert in military-grade security, L-3 Communications deploys Type-1 voice/data over IP technologies for governments around the world. L-3’s management system uses many of the same secure infrastructures as commercial carriers, but also supports High Assurance Internet Protocol Encryptor (HAIPE), a National Security Agency-certified technology.
HAIPE is encrypted utilizing Advanced Encryption Standard (AES) algorithms over SNMP v3. The security aspects of L-3’s management platform encompass access control, authentication, data integrity and end-to-end network traffic protection with dual IPv4/IPv6 encryptor capabilities. From a network management point of view, its NMS features real-time equipment fault and performance status, network provisioning and automated policy changes.
L-3 also performs extensive security level checking with an emphasis on device-to-device authentication, audit logging, secure remote software updates, and access control lists. The system is also hardened to operate in extreme temperatures in the range of -40 degrees C to 60 degrees C. The system is also built to withstand vibration/shock, sand, salt and other harsh environments that you don’t want to be in.
Mobile Intelligence & Public Safety – Motorola Solutions ASTRO and Public Safety LTE are leaders in the world of secure, real-time voice/data network for emergency response and mobile intelligence. Their systems, which service local fire/police and state governments, employ end-to-end AES over SNMPv3 for protocol message integrity and authentication. Similar to mil-spec, these systems are rugged, mission-critical and need to be managed via a central console.
These Motorola systems allow operators to troubleshoot faults and remotely configure/optimize system parameters. Since the systems are deployed for government agencies, they comply with FIPs 140-2, a government computer security standard. These days, Motorola Public Safety is moving beyond on-premise systems to managed services and a cloud core offering with guaranteed service levels.
As our brief uses cases show, security is a complex problem area that defies easy answers. Carrier and governmental security requirements are high, yet this has been done before and can be economically accomplished with the right tools and procedures.
In this blog, I’ll discuss a few representative NMS/EMS use cases and cover the three key security layers required in management systems: Authentication, Authorization and Audit (AAA), device-to-application communication, and the sometimes forgotten layer of inter-system communications.
The First Layer of NMS/EMS Security: AAA
NOC security usually assumes a good physical security system is already in place. You would see the guard station with the security cameras and maybe see a biometric entry mechanism, but once you are in the facility, it is all about the management system software.
The first layer of NMS/EMS security is generally around AAA or Authentication, Authorization, and Auditing.
Authentication is accomplished through a challenge-handshake mechanism where the credentials of the user are verified using a three-way handshake. The passwords are never sent across to the authentication module; rather a one-way-hash (called key) is used. This provides protection against playback attack using an incrementally changing identifier and a variable challenge value. Polices with strong password rules or the use of tokens can also be employed.
Once the user gets authenticated, he or she is given authorization for access control. Support for user groups provides a mechanism to collectively associate access rights to a set of users. Also, it is not sufficient to just tie up the access rights of a user with the operation performed. Hence, it becomes necessary to have a framework where the permissions are associated with the subsets of objects concerned with the application. This in turn delivers fine-grained access control. The authorization policy is designed with "Fine-Grained Access Control" as the focus. With a vast number of operators using the application, it’s essential that each one works within the allowed space.
Considering the complexity of applications, the Access Control Policy should have the flexibility to define access rights of a user to operate on a subset of objects that the applications work with. The security service achieves this by defining a set of authorized views called scopes. These authorized scopes consist of sets of properties associated with the user operations. Thus, managed object properties such as network, IP address, node, type, etc., are used in authorized views to control the access of the users to a specific type of device within a given IP range in a specified network. Database access or device configuration access may be limited to a few operators as well.
Auditing is about monitoring what the user does from the moment they sign in including the time and status of operation performed. This enables the network administrator to take necessary steps when an unauthorized execution is attempted by any user. Not only for security purposes, audit controls are extremely useful for debugging issues, for they allow you to determine what users were on the system before, during and after an incident so you can reverse engineer problems.
Device-to-Application Communications
The second layer of NMS/EMS protection is securing communications between the management application and devices across various protocols.
Of course, the first thing people think about are the various encryption standards. In the telecom business, the most common is SNMP v3 that can support SHA, MD5 or DES encryption algorithms. In the government and military space, SNMP v3 with AES encryption as defined and in some cases, mandated by the National Security Agency (NSA).
Besides the secure protocol layers, the management system has various infrastructure components, each looking through various ports. The management system should be flexible enough to be able to assign non-standard port configurations, harden the system by design and be able to monitor port activity.
The Third Layer: Inter-System Communication and Server Security
In the past, people figured that AAA and securing the device to the app pipe was sufficient protection. But to be truly secure today, inter-system communication is also vital.
The NMS/EMS can be deployed in various environments where it needs to support different data stores depending on the requirements. Different data stores like Relational Database, XML, LDAP, NDS, etc., can be integrated. The security module provides administrative interfaces to configure the data store.
In addition, an NMS/EMS can operate across several IT architectures. For instance, the back-end server, database server and a presentation-layer server are often components running on different hardware. Server-to-client communication and database access need to be secure by using SSL or secure RMI (Remote Management Interface). Remote access is set up via HTTPS.
Then, the physical server environment must be hardened. Several steps are involved, such as: ensuring OS patches are up to date; tuning the OS to stop unwanted services running in the system; removing unwanted user accounts; setting a short timeout value for the root account; setting BIOS passwords; and setting automated notification triggers when a list of commands is executed or when system files are modified. Often overlooked, the checking third-party software component configurations are also key.
Use Cases
Here are three representative cases in telecom, military and mobility apps to show how security is being applied in management systems.
Telecom Systems – GENBAND, an innovator in carrier VoIP systems deployed in Tier 1 carriers such as Verizon, views security as essential and a key differentiator. To harden its management system, GenView, GENBAND typically secures NMS-to-NE communications with protocols such as SSH, SFTP, IPsec and SNMPv3 – depending on customer requirements.
AAA is achieved via a RADIUS-supported central security server with configurable password-reset policies. The central security server can also be integrated into the customer AAA system using standard protocols such as Radius and LDAP. Single Sign On (SSO) is provided when launching applications within GenView. Alternatively, the app can be accessed remotely via HTTPS.
Other GENBAND security measures include: pushing performance data via secure FTP, hardening the OS, using restricted ports, conducting periodic vulnerability scans, developing rules to better manage loads, and enforcing rigorous backup/restore procedures to protect data from being corrupted.
Military Grade – An expert in military-grade security, L-3 Communications deploys Type-1 voice/data over IP technologies for governments around the world. L-3’s management system uses many of the same secure infrastructures as commercial carriers, but also supports High Assurance Internet Protocol Encryptor (HAIPE), a National Security Agency-certified technology.
HAIPE is encrypted utilizing Advanced Encryption Standard (AES) algorithms over SNMP v3. The security aspects of L-3’s management platform encompass access control, authentication, data integrity and end-to-end network traffic protection with dual IPv4/IPv6 encryptor capabilities. From a network management point of view, its NMS features real-time equipment fault and performance status, network provisioning and automated policy changes.
L-3 also performs extensive security level checking with an emphasis on device-to-device authentication, audit logging, secure remote software updates, and access control lists. The system is also hardened to operate in extreme temperatures in the range of -40 degrees C to 60 degrees C. The system is also built to withstand vibration/shock, sand, salt and other harsh environments that you don’t want to be in.
Mobile Intelligence & Public Safety – Motorola Solutions ASTRO and Public Safety LTE are leaders in the world of secure, real-time voice/data network for emergency response and mobile intelligence. Their systems, which service local fire/police and state governments, employ end-to-end AES over SNMPv3 for protocol message integrity and authentication. Similar to mil-spec, these systems are rugged, mission-critical and need to be managed via a central console.
These Motorola systems allow operators to troubleshoot faults and remotely configure/optimize system parameters. Since the systems are deployed for government agencies, they comply with FIPs 140-2, a government computer security standard. These days, Motorola Public Safety is moving beyond on-premise systems to managed services and a cloud core offering with guaranteed service levels.
As our brief uses cases show, security is a complex problem area that defies easy answers. Carrier and governmental security requirements are high, yet this has been done before and can be economically accomplished with the right tools and procedures.
The Business of Sports and Information Technology
An upset of epic proportions, the off the scale magnitude, the incredible happened this past weekend. The Indiana University Hoosiers (unranked and my Alma Mater) defeated the NCAA #1 ranked team, the Kentucky Wildcats, on a last second 3 pointer at the buzzer. The lead changed hands three times in the closing 2 minutes, Score 73-72. The barn burner could not have been predicted better.
Not only the significance of this win, the Hoosiers has not beat a ranked team since 2002 and have not won the National Championship since 1987 (under Bobby Knight fame and the heroes of Steve Alford and Keith Smart...And Yes, I was at the Fountain in Bloomington, but that is another story). Let me put this into perspective, there are over 340 Division 1 schools in the nation. It takes a lot of talent and hard work to be #1.
With the Indy Colts in the cellar without Peyton Manning, the State of Indiana needed and shot in the arm, a hair of dog pick-me-up, a just a plain old fashion confidence boost. Even the engineers from Purdue were cheering.
I know what you are thinking. What does this have to do with Business of Sports and Information Technology? Two Things:
1. Just like sports competition, there is competition in business. If you consider the breadth of the ManageEngine product line, we compete with over 100 other software vendors in the market. That's a lot of choice. ManageEngine has over 20 products covering network management, application management, desktop management, Active Directory management, log analysis, traffic analysis...and there is more. Then, if you consider the depth of the ManagEngine product line, it covers operational, security and compliance management. Each category has several distinct players in the marketplace.
2. The Sporting industry is big business. They have the same needs as any other business. They have networks and servers to run their infrastructure to serve their employees, their players and in some cases, their Fans. And Fans are pretty loyal. The parallel that I will draw is our customers are Fans. By last count, we have over 50,000 customers and the vast majority renew year after year. Price competition will only take you so far. High functioning technology and high quality support proves to be the determining factors on the playing field of IT Software.
I have compiled a list of Sporting companies who use ManageEngine. From the major leagues, the Sacramento Kings, Chicago Cubs and the 1st American League Central, Detroit Tigers, use ManageEngine. USA Olympic Volleyball too. Not only from the USA, but the Australian Football League and Chelsea Football Club use ManageEngine. These teams need to play somewhere and the Philly Comcast Spectacor, home of the National Hockey League’s Philadelphia Flyers and the National Basketball Association’s Philadelphia 76ers and Mercedes-Benz Superdome, home of the National Football League’s New Orleans Saints and the Allstate Sugar Bowl, use ManageEngine. These teams have players who need equipment and Nike Bauer, the best Hockey skates in the world (I know, I played hockey for 25 years) and Easton Bell Sports, leader is protective sports, cycling and motorcycle helmets (that I personally own), both use ManageEngine. And it would not be complete unless I mentioned that SportingIndex.com, the world's #1 online sports spread betting website and MapleLeafSports.com, proudly serving collectors of sportscards and autographed memorabilia, use ManageEngine.
With the Indy Colts in the cellar without Peyton Manning, the State of Indiana needed and shot in the arm, a hair of dog pick-me-up, a just a plain old fashion confidence boost. Even the engineers from Purdue were cheering.
I know what you are thinking. What does this have to do with Business of Sports and Information Technology? Two Things:
1. Just like sports competition, there is competition in business. If you consider the breadth of the ManageEngine product line, we compete with over 100 other software vendors in the market. That's a lot of choice. ManageEngine has over 20 products covering network management, application management, desktop management, Active Directory management, log analysis, traffic analysis...and there is more. Then, if you consider the depth of the ManagEngine product line, it covers operational, security and compliance management. Each category has several distinct players in the marketplace.
2. The Sporting industry is big business. They have the same needs as any other business. They have networks and servers to run their infrastructure to serve their employees, their players and in some cases, their Fans. And Fans are pretty loyal. The parallel that I will draw is our customers are Fans. By last count, we have over 50,000 customers and the vast majority renew year after year. Price competition will only take you so far. High functioning technology and high quality support proves to be the determining factors on the playing field of IT Software.
I have compiled a list of Sporting companies who use ManageEngine. From the major leagues, the Sacramento Kings, Chicago Cubs and the 1st American League Central, Detroit Tigers, use ManageEngine. USA Olympic Volleyball too. Not only from the USA, but the Australian Football League and Chelsea Football Club use ManageEngine. These teams need to play somewhere and the Philly Comcast Spectacor, home of the National Hockey League’s Philadelphia Flyers and the National Basketball Association’s Philadelphia 76ers and Mercedes-Benz Superdome, home of the National Football League’s New Orleans Saints and the Allstate Sugar Bowl, use ManageEngine. These teams have players who need equipment and Nike Bauer, the best Hockey skates in the world (I know, I played hockey for 25 years) and Easton Bell Sports, leader is protective sports, cycling and motorcycle helmets (that I personally own), both use ManageEngine. And it would not be complete unless I mentioned that SportingIndex.com, the world's #1 online sports spread betting website and MapleLeafSports.com, proudly serving collectors of sportscards and autographed memorabilia, use ManageEngine.
Subscribe to:
Posts (Atom)