Tele 9752 Report PDF

Title Tele 9752 Report
Author Devang Chheda
Course Network Operations and Control
Institution University of New South Wales
Pages 13

University of New South Wales School of Electrical Engineering and Telecommunications TELE9752 Network Operations and Control

Project Report

Banking Enterprise Network, Group 3

● Abhishek Chandrasekar - Z5231825
● Nihitha Sampath Sudarsan - Z5247932
● Karamveer Kaur Sidhu - Z5281128
● Archana Govindarajulu - Z5269201
● Simrandeep Rana - Z5280381
● Natthaporn Phaoseree - Z5231044
● Pamu Kalpa Vani - Z5252317
● Devang Chheda - Z5248048
● Yansong Xu - Z5174541
● Anish Anbalagan - Z5277781
● Hetalben Tarunkumar Patel - Z5252583
● Naveen Daniel - Z5193365

Contents

1. Introduction
2. Literature Review 2
3. Network Architecture 3
4. SNMP 4
5. Configuration Of Network Using SNMP 4
6. Disadvantages Of SNMP 5
7. NETCONF/YANG 5
8. Configuration Of Router Using NETCONF/YANG 6
9. Our bank ACLS 6
10. Performance Monitoring 8
11. Process Of Configuring SNMP & NETCONF 10
12. Conclusion 12

Introduction

For financial services firms like ours, business networks are at a turning point in the need for modernization. Many are no longer in a position to provide the quality, protection and resources necessary to maintain enforcement, streamline operations and use information for competitive advantage. Yet superior network services provide a critical foundation for success in a marketplace where customers and employees expect to conduct digital business easily, securely and seamlessly. As IT leaders in a commercial or retail bank, credit union, insurance company, investment firm or other financial services organization, we probably know that the company network is due for an update. We need a sensible strategy before launching a refresh program, so that the new solutions we select reduce costs and risks as well as simplify network infrastructure and management. Today, financial services organizations that are planning a technology refresh face five key challenges.

Massive personal data breaches generate news headlines, but they are not the only security risk faced by financial services firms. Threats are ever-present: electronic theft of money, ransomware, and malware that disrupts digital banking services or spreads to customers' phones. Another factor hinders cybersecurity efforts: most financial institutions are left vulnerable to attack by a lack of technology. These security risks increase with the growing use of digital and mobile services by financial institutions and their clients. The goal, then, is to keep cybersecurity the highest priority across the organization's network and all connected devices, in the data center and on cloud-connected devices alike.

For the 2017 mid-year Cybersecurity study, more than half of the financial services companies surveyed said they are trying to solve this problem using solutions from several vendors, which impose a complex and time-intensive management burden. Data, analytics and machine learning are becoming instrumental in informing today's smart, secure networks so they can detect and mitigate emerging threats.

Literature Review

In the last five years, the number and complexity of malicious events have increased dramatically and will continue to grow. With the proliferation of internet trading systems across business and financial institutions, the prospects for cybercrime grow at both the commercial and the customer level. Cyber criminals have shown their willingness to exploit the Internet, card payments and the economy through digital financial and business infrastructure. In such situations, targeting the system's users rather than its applications is a simple way to commit cybercrime. This is usually achieved by compromising the account credentials of a legitimate user. The most common result of attacks against financial institutions, payment processors and traders is fraudulent money transactions and counterfeiting of stored-value cards. In 2010, law enforcement agencies and financial regulators detected a pattern in which cyber criminals conducted fraudulent financial transactions from compromised victim bank or brokerage accounts. Such transactions were paired with a Telephone Denial of Service (TDoS) attack, in which the victim's legitimate telephone line was flooded with spam-like phone calls to stop the bank or brokerage firm from contacting the victim to confirm the validity of the transactions. In February 2011, criminal actors placed an online advertisement infected with malicious software on the public website of a foreign stock exchange. In an attempt to trick users into paying for and downloading rogue "antivirus" software, the malicious advertisement appeared on victims' computers as a pop-up, alerting the user to non-existent computer infections.

Cyber crimes have long been a nagging problem in the banking sector, and over the years several steps have been taken to reduce the number and intensity of these crimes. These include network insight, extended security layers and controls, data protection, employee training, and advanced security threat protection strategies. Cybersecurity strategies effectively defend the company from attacks and threats. Although there is no way to stop every single threat, it is necessary to implement solutions that help you stay on top of today's and tomorrow's ever-changing threats.

Network Architecture

Figure 1 shows the banking network architecture, with the different nodes connected to the core routers. The main network elements are the core routers, which perform centralized routing for the different bank sub-networks and can be regarded as the backbone of the whole network. All network elements are connected to the core routers through various data links. The bank office and the core routers are connected through an edge router and a distributed switch; the distributed switch works as a bridge between the edge router and the core switch. The edge router is a specialized router that sends and receives data directly to and from other organizations. The branch Local Area Network (LAN) provides network connectivity to two branch offices; branch PCs are connected to their own branch routers to get network access. Apart from these offices, Automated Teller Machines (ATMs) are also connected to the core routers through their own branch routers, with data links connecting the centralized core router to the remotely located ATM branch routers.

Figure 1: The architecture of the banking network

Another important part of this banking network is its data centers. In the figure, three internal data centers provide support to organize, process, store and disseminate the large amounts of data handled by the bank; one of them serves as a secondary data center for emergency circumstances. Two gateways work as the entry and exit points between the data centers and the core routers. The dedicated server group includes different servers such as an application server, a RADIUS server (for checking authentication), a web server (for handling incoming HTTP requests) and so on. This group is connected to a server switch, and data from the server switch passes through a firewall to reach the core routers. The firewall protects the bank network from the external environment and regulates incoming traffic as well.

SNMP

Two crucial SNMP concepts are OIDs (Object Identifiers) and MIBs (Management Information Bases). SNMP works by querying "objects". An object is a point at which we can gather information about a network device; for instance, an object might be Interface Status, and querying it returns a variable: the interface could be Up or Down. SNMP identifies each object with an OID. OIDs are highly structured and follow a hierarchical tree pattern, and they are always written in numerical form rather than text form. Because of the way the tree is structured, most SNMP values of interest start with the same set of objects, 1.3.6.1.

Figure 2: OID Tree

Closely related to the concept of an OID are MIBs. A MIB is like a translator that helps a management station understand the SNMP responses obtained from network devices.

Configuration Of Network Using SNMP

The network element we selected for configuration was an ATM (Automated Teller Machine). Before that, we had to configure an SNMP agent on our computers so that it simulated the ATM device. The software we used for it was MG-Soft SNMP Agent: first we created a virtual SNMP agent, which in our case represented the ATM. We then assigned it an IP address (192.168.10.1). Since we were using SNMP v1, access control relied on community strings, so we gave it a read community and a write community, "bank_read" and "bank_write" respectively. To read and write the values in the MIB of the ATM we used a program known as iReasoning MIB Browser: we first type in the IP address of the device we need to configure and monitor, then fill in the read and write communities, followed by the SNMP version we are using. With everything required for monitoring configured, we go to the MIB tree and perform the set operation by selecting Set from the drop-down box on sysLocation (OID 1.3.6.1.2.1.1.6.0), which prompts us for the value to set. Similarly, we can use the get operation to read the values.

Figure 3: Configuration of SNMP Agent.


Figure 4: Using MIB Browser to perform get and set operations.

Disadvantages of SNMP

● Lack of security for SNMP v1 and SNMP v2.
● Unreliable, as it uses UDP.
● Some vendors have proprietary MIBs.
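To make concrete what the MIB browser sends for the get and set operations described above, and why the first disadvantage (no real security in SNMP v1/v2c) matters, here is an added example; it is not code from the report, from MG-Soft or from iReasoning. It is a minimal SNMPv1 BER encoder and decoder in Python: it builds a GetRequest (or SetRequest) for sysLocation.0 using the community strings from the report, then parses the bytes back. The parser needs no key or secret, which is the point: the community string that authorises the request, and the OID being read or written, travel in cleartext, so anyone who can observe the datagram can read them. Only the encoding rules of SNMPv1 are used; the request-id and any set value are constructed.

```python
"""Minimal SNMPv1 message encoder/decoder (BER, as used by SNMPv1).

Added example for the report above: shows what a MIB browser actually puts
on the wire for a get/set on sysLocation.0 and why SNMPv1 is called insecure.
"""

# Values taken from the report's setup; the agent's IP address is not needed here.
READ_COMMUNITY = "bank_read"
WRITE_COMMUNITY = "bank_write"
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_SET_REQUEST = 0xA0, 0xA3


def ber_length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def encode_int(value):
    """INTEGER in minimal two's-complement form (a leading 0x00 keeps 0x80.. positive)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(group))
    return tlv(TAG_OID, bytes(out))


def build_request(community, oid, request_id, value=None):
    """GetRequest when value is None, otherwise a SetRequest carrying an OCTET STRING."""
    vb_value = tlv(TAG_NULL, b"") if value is None else tlv(TAG_OCTET_STRING, value.encode())
    varbind_list = tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, encode_oid(oid) + vb_value))
    pdu_tag = TAG_GET_REQUEST if value is None else TAG_SET_REQUEST
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + varbind_list)
    # version 0 == SNMPv1; the community string is just an OCTET STRING next to the PDU.
    return tlv(TAG_SEQUENCE, encode_int(0) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(packet):
    """Recover version, community, PDU type and OIDs. Nothing here needs a key:
    anyone who captures the datagram learns the community string that grants access."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        _, oid, _ = read_tlv(varbind, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "pdu": "SetRequest" if pdu_tag == TAG_SET_REQUEST else "GetRequest", "oids": oids}


if __name__ == "__main__":
    get = build_request(READ_COMMUNITY, SYS_LOCATION_0, 1)
    print(get.hex())
    print(parse_message(get))
    # The secret that authorises the request is visible as plain bytes in the datagram.
    print(READ_COMMUNITY.encode() in get)
```

The 43-byte GetRequest this produces is exactly what a MIB browser would hand to UDP port 161 for the read shown in Figure 4; the write community for the set operation is exposed in the same way, which is why a captured SNMPv1 set request is as good as the password. SNMPv3 with authentication and privacy, or restricting which management stations the agent accepts, is the usual remedy.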

NETCONF/YANG

YANG (Yet Another Next Generation) is a data modelling language that describes the configuration data of a device, whereas NETCONF (NETwork CONFiguration) is a network management protocol that changes that data in the memory of the target device. NETCONF was defined by the IETF to install, manipulate and delete the configuration of network devices. Together, NETCONF/YANG is a standardized way to programmatically update and modify the configuration of a network device. YANG was published as RFC 6020 in September 2010. NETCONF was first published as RFC 4741 in 2006; the latest standard is RFC 6241, published in 2011.

The YANG data model maps onto the operation layers of NETCONF. Each YANG module defines a hierarchy of data that can be used for NETCONF-based operations, including configuration, state data, RPCs (Remote Procedure Calls) and notifications. These modules are constructed to create standard data models for network data; a module can import definitions from other external modules and include data from sub-modules. The YANG data model is protocol independent, that is, it can be converted into any encoding format. NETCONF operations are performed through the RPC layer using XML-based encoding. The key features of NETCONF are the ability to roll back configurations, support for any data model, and the separation of configuration from operational state. The NETCONF protocol has four layers: content, operations, messages and transport. NETCONF is based on a client/server model, referred to as manager and agent. A NETCONF session has three parts: session establishment, operation requests and session close. There are four NETCONF configuration datastores: running, startup, candidate and URL. The device configuration data and the protocol itself are encoded in XML (Extensible Markup Language); all NETCONF messages are encoded in XML within XML namespaces.

NETCONF and YANG provide the tools that network administrators need to automate configuration tasks across heterogeneous devices in an SDN (Software-Defined Network). YANG also provides descriptions of a network's nodes and their interactions. Some of the YANG device data models are interface, VLAN, device ACL, tunnel, OSPF, etc. Some of the YANG service data models are L3 MPLS VPN, MP-BGP, VRF, network ACL, system management, network faults, etc. A YANG data model can be represented in any format. In this project, a router is configured using NETCONF/YANG.

Configuration Of Router Using NETCONF/YANG

1. A DevNet account is created and then a preconfigured sandbox (IOS XE on CSR Recommended Code) is reserved for seven days. This can be configured in the schedule field after clicking the Reserve button.

2. An email is then received with the configuration details of the sandbox.
3. Next, install YANG Explorer to generate NETCONF RPCs. YANG Explorer can be used for NETCONF and RESTCONF and to generate Python code.
4. Then create a loopback interface, delete an interface, and process telemetry for the performance monitoring operation, which fetches the running configuration and device state information.

Our Bank ACLS

We configured ACLs on the core router in our network architecture. The figure below shows the various departments and the subnets allocated to each of them.

Figure 5: ACL Topology table

After designing the ACLs we pushed those rules to the router; Figure 2 describes the various rules we imposed on our core router. As a bank network, we wanted the IT department to be able to talk to every other department, so we permit access from IT to all. Similarly, we do not want the Randwick branch office and the CBD branch office to talk to each other, so we denied that access; this way, to avoid explicit transfer of information between branches, all traffic flows through the core router, which carries more of the network's functionality. We designed the rules based on the requirements of our bank.

Figure 6: ACL Rules pushed in the core router

After pushing the ACLs to the router, we used YANG Explorer to GET the interfaces, ACLs and IP information associated with the router.

Figure 7: YANG Explorer

Some of the key capabilities of NETCONF are:

· Distinction between configuration and state data.
· Multiple configuration data stores.
· Configuration change transactions.
· Configuration testing and validation support.
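The NETCONF/YANG section, the ACL push to the core router and the capability list above all describe the same workflow: build an XML RPC, send it against a datastore, and commit or roll back depending on the reply. The following added example (not the report's YANG Explorer output nor any Cisco sample) shows that workflow in Python with the standard library only. It builds an <edit-config> on the candidate datastore that adds a "deny host 10.10.20.20 host 10.10.20.48" entry, wraps it in NETCONF 1.1 chunked framing (RFC 6242), and decides between <commit/> and <discard-changes/> from a parsed <rpc-reply>. Assumptions: the ACL is expressed in the IETF ietf-access-control-list model (RFC 8519), whereas the IOS XE sandbox in the report also exposes Cisco-native models with different element names; the ACL name, ACE name, message-ids and the two reply messages are constructed; nothing here talks to a device.

```python
"""Build NETCONF RPCs for an ACL change and act on the reply.

Added example: mirrors the candidate/commit workflow the report describes.
No device is contacted; REPLY_OK and REPLY_ERR are constructed router answers.
"""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ACL = "urn:ietf:params:xml:ns:yang:ietf-access-control-list"  # RFC 8519 model (assumed)
ET.register_namespace("nc", NC)
ET.register_namespace("acl", ACL)


def _sub(parent, ns, name, text=None):
    el = ET.SubElement(parent, f"{{{ns}}}{name}")
    if text is not None:
        el.text = text
    return el


def build_edit_config(message_id, acl_name, ace_name, src_host, dst_host):
    """<edit-config> on the candidate datastore adding one 'deny host A host B' entry."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    edit = _sub(rpc, NC, "edit-config")
    _sub(_sub(edit, NC, "target"), NC, "candidate")
    # Reject the whole request if any part fails, so the candidate never holds a half-applied change.
    _sub(edit, NC, "error-option", "rollback-on-error")
    acl = _sub(_sub(_sub(edit, NC, "config"), ACL, "acls"), ACL, "acl")
    _sub(acl, ACL, "name", acl_name)
    _sub(acl, ACL, "type", "ipv4-acl-type")
    ace = _sub(_sub(acl, ACL, "aces"), ACL, "ace")
    _sub(ace, ACL, "name", ace_name)
    ipv4 = _sub(_sub(ace, ACL, "matches"), ACL, "ipv4")
    _sub(ipv4, ACL, "source-ipv4-network", f"{src_host}/32")
    _sub(ipv4, ACL, "destination-ipv4-network", f"{dst_host}/32")
    _sub(_sub(ace, ACL, "actions"), ACL, "forwarding", "drop")
    return ET.tostring(rpc, encoding="unicode")


def build_simple_rpc(message_id, operation):
    """Operations without arguments: commit, discard-changes, close-session."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    _sub(rpc, NC, operation)
    return ET.tostring(rpc, encoding="unicode")


def frame(msg):
    """NETCONF 1.1 chunked framing (RFC 6242): '\\n#<len>\\n' + chunk, then '\\n##\\n'."""
    body = msg.encode()
    return b"\n#%d\n" % len(body) + body + b"\n##\n"


def unframe(data):
    """Reassemble the chunks of one message; raises ValueError on a malformed frame."""
    out, pos = bytearray(), 0
    while True:
        if data[pos:pos + 4] == b"\n##\n":
            return out.decode()
        if data[pos:pos + 2] != b"\n#":
            raise ValueError("bad chunk header")
        end = data.index(b"\n", pos + 2)
        size = int(data[pos + 2:end])
        out += data[end + 1:end + 1 + size]
        pos = end + 1 + size


def parse_reply(xml_text):
    """Return ('ok', None) or ('error', '<error-tag>: <error-message>')."""
    root = ET.fromstring(xml_text)
    if root.find(f"{{{NC}}}ok") is not None:
        return "ok", None
    err = root.find(f"{{{NC}}}rpc-error")
    if err is None:
        return "error", "reply carried neither <ok/> nor <rpc-error>"
    tag = err.findtext(f"{{{NC}}}error-tag", "unknown")
    return "error", f"{tag}: {err.findtext(f'{{{NC}}}error-message', '').strip()}"


def next_step(reply_status):
    """Candidate workflow: commit only on <ok/>, otherwise throw the candidate away."""
    return "commit" if reply_status == "ok" else "discard-changes"


def ace_summary(rpc_xml):
    """Read the target datastore and the ACE fields back out of an edit-config."""
    root = ET.fromstring(rpc_xml)
    return {"target": root.find(f".//{{{NC}}}target/*").tag.split("}")[1],
            "src": root.findtext(f".//{{{ACL}}}source-ipv4-network"),
            "dst": root.findtext(f".//{{{ACL}}}destination-ipv4-network"),
            "action": root.findtext(f".//{{{ACL}}}forwarding")}


# Constructed replies standing in for the router's answers.
REPLY_OK = f'<rpc-reply message-id="101" xmlns="{NC}"><ok/></rpc-reply>'
REPLY_ERR = (f'<rpc-reply message-id="102" xmlns="{NC}"><rpc-error>'
             '<error-type>application</error-type><error-tag>invalid-value</error-tag>'
             '<error-message>bad prefix</error-message></rpc-error></rpc-reply>')

if __name__ == "__main__":
    rpc = build_edit_config(101, "BRANCH-ISOLATION", "10", "10.10.20.20", "10.10.20.48")
    print(ace_summary(unframe(frame(rpc))))
    for reply in (REPLY_OK, REPLY_ERR):
        status, detail = parse_reply(reply)
        print(status, detail, "->", build_simple_rpc(103, next_step(status)))
```

The separation the capability list talks about is visible here: the change lands in the candidate datastore, error-option rollback-on-error keeps a rejected request from leaving partial state, and only a reply containing <ok/> leads to <commit/>. Over a real session the framed bytes go through the SSH subsystem "netconf" after the hello exchange, which this example does not perform.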

Performance Monitoring

Performance monitoring means monitoring and tracking the performance statistics of the network regularly, to verify how well and how consistently our network is performing. For an enterprise that values security, implementing performance monitoring is of vital importance. Given the ACL configuration we chose, we focus on the performance of the access lists. There are three key points we are interested in: the number of packets matching each rule (Match Count), the number of incoming and outgoing packets on the interfaces (Packets In/Out), and the status of each interface (Interface Status).

Figure 8: Process for Performance Monitoring

ACLs are user-defined rules used to configure the forwarding behaviour of a device. Each rule matches packets based on an action element (permit, deny) and a filter element based on criteria such as source address, destination address, protocol, etc. Traffic filtering is done with ACLs and is good for banks for security purposes. In the figure above, the ACLs are installed in the router and we retrieve the data by polling the router, requesting it in the form of an XML file. After gathering the data, we insert it from our workstation into InfluxDB. We used InfluxDB because it is an open-source tool written in Go that is optimized for fast, highly available storage and retrieval of time-series data in fields such as operations monitoring, IoT sensor data, etc. We used Grafana to plot graphs based on the data available in InfluxDB; Grafana is a web application that supports InfluxDB as a backend. As a bank, we gathered data focusing on security and performance. The data is as follows:

1. Match Count: We counted the number of packets that matched the rules defined in the ACLs. If some rules have not been used for a long period of time (in real time), there is a chance of a misconfiguration that could leave a security hole in the system. If a rule is never used but is configured properly, it wastes memory in the router, so removing such rules helps boost performance.
2. Packets In/Out: We count the number of packets coming into the interface and going out of it as well. This can be used in determining and preventing DDoS attacks.
3. Interface Status: We retrieve the status of each interface where ACLs are applied. Together with Packets In/Packets Out and the match count, the interface status becomes a crucial part of security.


Figure 9: The Access List Of The Router

Figure 10: The Grafana plot for ‘match count’ and ‘packet in/out’

Figure 11: The Grafana Table For ‘match count’ & ‘packet in/out’


From figures 8 and 9, we can see that 'packet out' is always lower than 'packet in', which indicates that some of the packets have been filtered according to our ACL rules.

Figure 12: Grafana Status of two Interfaces: 'GigabitEthernet1' (green) and 'GigabitEthernet2' (yellow)

As we can see, 'GigabitEthernet1' was up while 'GigabitEthernet2' was down. The success of applying the ACL rules can also be proved by the command-line output: when we ping 10.10.20.48 from 10.10.20.20, the generated packets are filtered as expected, since we configured one of the ACL rules as 'deny ip host 10.10.20.20 host 10.10.20.48'. See the ping results below.

Figure 13: Ping Results From 10.10.20.20 to 10.10.20.48

Process Of Configuring SNMP & NETCONF

The process is basically to connect to InfluxDB, connect to the router, retrieve the data and save it to the database; please see the detailed steps below.

Step 1: Connect to Influx (SNMP and Netconf)

SNMP Step 2: Connect to the Router and Retrieve Data

SNMP Step 3: Print the Data and Publish Data to Influx

Netconf Step 2: Define Router Details, Data Path and Connect to Router

Netconf Step 4: On Response from Router, Print the Data, Publish Data to Influx and Check Result
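The performance-monitoring section and the NETCONF steps just listed (retrieve the data from the router, publish to Influx, check the result) share one pipeline; the scripts themselves survive in the report only as screenshots. The following added example, written for this page and not taken from the report, shows the data-handling part of that pipeline in Python: it parses a NETCONF reply carrying ACL match counts and interface counters, turns them into InfluxDB line protocol (the format the /write endpoint accepts), and applies the three checks the report describes against the previous poll. Assumptions: the reply is constructed and follows the IETF models ietf-access-control-list (RFC 8519) and ietf-interfaces (RFC 8343), whereas the IOS XE sandbox also offers Cisco-native models with other element names; the ACL name, counter values, timestamp and the packet-rate threshold are all made up for the example; the HTTP post to InfluxDB itself is left out so the code runs offline.

```python
"""Turn a NETCONF <get> reply into InfluxDB line protocol and alerts.

Added example, not the report's own scripts. The reply is constructed and uses
the IETF ACL and interface models (an assumption; the sandbox router also
exposes Cisco-native models with different element names).
"""
import xml.etree.ElementTree as ET

ACL = "urn:ietf:params:xml:ns:yang:ietf-access-control-list"
IFS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"


def tag(ns, name):
    return f"{{{ns}}}{name}"


# Constructed reply body: one ACL with two entries, two interfaces (one down).
SAMPLE_REPLY = f"""<data>
  <acls xmlns="{ACL}">
    <acl><name>CORE-ACL</name><aces>
      <ace><name>10</name><statistics><matched-packets>1342</matched-packets></statistics></ace>
      <ace><name>20</name><statistics><matched-packets>0</matched-packets></statistics></ace>
    </aces></acl>
  </acls>
  <interfaces-state xmlns="{IFS}">
    <interface><name>GigabitEthernet1</name><oper-status>up</oper-status>
      <statistics><in-unicast-pkts>50000</in-unicast-pkts><out-unicast-pkts>48658</out-unicast-pkts></statistics>
    </interface>
    <interface><name>GigabitEthernet2</name><oper-status>down</oper-status>
      <statistics><in-unicast-pkts>0</in-unicast-pkts><out-unicast-pkts>0</out-unicast-pkts></statistics>
    </interface>
  </interfaces-state>
</data>"""


def parse_counters(xml_text):
    """Return ({'ACL/ace': matched_packets}, {ifname: {'status', 'in', 'out'}})."""
    root = ET.fromstring(xml_text)
    matches = {}
    for acl in root.iter(tag(ACL, "acl")):
        acl_name = acl.findtext(tag(ACL, "name"))
        for ace in acl.iter(tag(ACL, "ace")):
            key = f"{acl_name}/{ace.findtext(tag(ACL, 'name'))}"
            matches[key] = int(ace.findtext(".//" + tag(ACL, "matched-packets"), "0"))
    interfaces = {}
    for itf in root.iter(tag(IFS, "interface")):
        interfaces[itf.findtext(tag(IFS, "name"))] = {
            "status": itf.findtext(tag(IFS, "oper-status")),
            "in": int(itf.findtext(".//" + tag(IFS, "in-unicast-pkts"), "0")),
            "out": int(itf.findtext(".//" + tag(IFS, "out-unicast-pkts"), "0")),
        }
    return matches, interfaces


def to_line_protocol(matches, interfaces, ts_ns):
    """InfluxDB line protocol: measurement,tag=v field=vi timestamp (ns)."""
    lines = [f"acl_match,acl={k.split('/')[0]},ace={k.split('/')[1]} count={n}i {ts_ns}"
             for k, n in matches.items()]
    for name, v in interfaces.items():
        up = 1 if v["status"] == "up" else 0
        lines.append(f"interface,name={name} packets_in={v['in']}i,packets_out={v['out']}i,"
                     f"up={up}i {ts_ns}")
    return lines


def evaluate(matches, interfaces, prev_matches, prev_in, in_limit):
    """The report's three checks, judged against the previous poll: idle rules
    (misconfiguration or dead weight), input floods, and interfaces that are down."""
    alerts = []
    for key, n in matches.items():
        if prev_matches.get(key) == n:
            alerts.append(f"{key}: no new matches since last poll; review the rule")
    for name, v in interfaces.items():
        delta = v["in"] - prev_in.get(name, v["in"])
        if delta > in_limit:
            alerts.append(f"{name}: {delta} packets in since last poll exceeds {in_limit}")
        if v["status"] != "up":
            alerts.append(f"{name}: interface down")
    return alerts


if __name__ == "__main__":
    matches, interfaces = parse_counters(SAMPLE_REPLY)
    for line in to_line_protocol(matches, interfaces, 1700000000000000000):
        print(line)  # these lines are the body of the POST to InfluxDB's /write endpoint
    prev_matches = {"CORE-ACL/10": 1300, "CORE-ACL/20": 0}  # constructed previous poll
    for alert in evaluate(matches, interfaces, prev_matches, {"GigabitEthernet1": 10000}, 30000):
        print("ALERT", alert)
```

A single poll cannot tell an idle rule from a rule that simply has not fired yet, so in practice the "no new matches" condition should persist across many polls before anyone acts on it, and the packet-rate threshold has to be set from the interface's normal baseline rather than picked by hand as it is here.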

Conclusion

In this project we have learnt about network monitoring and performance monitoring. In the first part, we designed a bank network in ConceptDraw PRO, considering the ATMs and branch offices associated with our bank. After that we configured the core router of the bank, reserved on Cisco DevNet, with several ACLs and checked its interface status. We used YANG Explorer to GET the information from the router. NETCONF let us push configuration from a Python script for several functions, whereas with SNMP/MIB we had to remember the OIDs. The second part was performance monitoring: we monitored our core router's performance in three aspects, 1. match count of the ACLs, 2. packets in and packets out, and 3. interface status. We used InfluxDB to store the data dumped from the router by creating an XPath to the workstation, and we added a query in Grafana to display the results. These tools helped us monitor whether there is any malicious activity in our network and generate an alert to the network administrator immediately.

Context for the network and design was done by Abhishek Chandrasekar, Nihitha Sampath Sudarsan, Archana Govindarajulu, Simrandeep Rana and Hetalben Tarunkumar Patel. Configuration of the network was done by Natthaporn Phaoseree, Devang Chheda, Yansong Xu, Anish Anbalagan and Naveen Daniel. Telemetry and performance evaluation was done by Natthaporn Phaoseree, Yansong Xu and Naveen Daniel.
