syslog (1) - PowerPoint PPT Presentation

About This Presentation
Title:

syslog (1)

Description:

syslog (1) The purpose of syslog is to write system messages to a log Syslog messages can include everything from critical alarm conditions to ordinary debugging ... – PowerPoint PPT presentation

Slides: 48
Provided by: Wora5

Transcript and Presenter's Notes

1
syslog (1)
  • The purpose of syslog is to write system messages
    to a log
  • Syslog messages can include everything from
    critical alarm conditions to ordinary debugging
    statements
  • It provides a general trail of activities
  • It lets the device emit event messages
    unsolicited, without being polled by a manager

2
syslog (2)
  • A syslog message has 2 parts:
  • a message header and the message body
  • The message body contains the content of the
    message itself (English text, unstructured)
  • The message header contains minimal but essential
    information in a structured manner

3
General syslog message
  • Fields of the example (Cisco IOS-style) message, in order:
  • 179.19.209.130  IP address of the device
  • 000024  sequence number
  • Apr 12 18:01:55.643  local time
  • ENV_MON  facility emitting the alarm
  • 1  severity
  • SHUTDOWN  event (mnemonic)

4
syslog Protocol
  • At the time of these slides the IETF was in the
    process of standardising a particular version of
    syslog; the result is RFC 5424 (2009)
  • RFC 3164: the BSD syslog protocol (informational,
    since obsoleted by RFC 5424)
  • RFC 3195: reliable delivery for syslog
  • This deck follows RFC 3164 (see RFC 5424 for the
    current message format)
  • UDP is used as the transport service
  • Port 514

5
(No Transcript)
6
definition
  • A machine that can generate a message will be
    called a "device".
  • A machine that can receive the message and
    forward it to another machine will be called a
    "relay".
  • A machine that receives the message and does not
    relay it to any other machines will be called a
    "collector". This has been commonly known as a
    "syslog server".

7
syslog message
  • Consists of 3 parts: PRI, HEADER and MSG
  • Length: RFC 3164 limits the whole packet to 1024
    bytes; RFC 5424 receivers should accept at least
    2048 octets

8
PRI (Priority) part
  • Priority: a combination of a facility and a
    severity, written in angle brackets, e.g. <34>
  • Facility: the category of the source (e.g. kernel
    messages); a numeric code 0-23
  • Severity: numeric code 0-7, 0 is the most severe
  • Priority is formed by multiplying the numeric
    code of the facility by 8 and adding the severity;
    a receiver recovers them as facility = PRI div 8,
    severity = PRI mod 8
  • Facility 7 and severity 3 give priority
    7 x 8 + 3 = 59

9
Example of Facility code
10
Example of Severity
11
HEADER part (1)
  • The HEADER part contains a timestamp and an
    indication of the hostname or IP address of the
    device
  • The HEADER part of the syslog packet MUST contain
    visible (printing) characters (7-bit ASCII)
  • The HOSTNAME field will contain the hostname or IP
    address
  • The TIMESTAMP field will contain the local time and
    is in the format "Mmm dd hh:mm:ss"

12
HEADER part (2)
  • Mmm: month of the year with the first character
    in uppercase and the other two characters in
    lowercase
  • Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep,
    Oct, Nov, Dec
  • dd: the day of the month.
  • If the day of the month is less than 10, then it
    MUST be represented as a space and then the
    number.
  • For example,
  • the 7th day of August would be represented as
    "Aug  7", with two spaces between the "g" and the
    "7"

13
HEADER part (3)
  • hh:mm:ss is the local time.
  • The hour (hh) is represented in a 24-hour format.
  • Valid entries are between 00 and 23
  • The minute (mm) and second (ss) entries are
    between 00 and 59

14
MSG part (1)
  • It contains some additional information about the
    process that generated the message, and then the
    text of the message
  • It has 2 fields: TAG and CONTENT
  • The TAG field will be the name of the program or
    process that generated the message (must not
    exceed 32 characters); it ends at the first
    non-alphanumeric character, in practice the ":"
    or the "[" of a "[pid]" suffix
  • The CONTENT field contains the details of the
    message.
  • This has traditionally been a freeform message
    that gives some detailed information about the event

15
Example of syslog message
  • <34>Oct 11 22:14:15 mymachine su: 'su root'
    failed for lonvick on /dev/pts/8
  • <34> - priority (34 = 4 x 8 + 2: facility 4,
    security/authorization; severity 2, critical)
  • Oct 11 22:14:15 - timestamp
  • mymachine - hostname
  • su - TAG
  • 'su root' failed for lonvick on /dev/pts/8 -
    CONTENT
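As an added example (not part of the original slides), here is a parser for the RFC 3164 message format described in slides 7 to 15: it splits PRI, HEADER and MSG, recovers facility and severity from PRI, checks the timestamp and printable-7-bit-ASCII rules, and separates TAG from CONTENT. The facility and severity names are the RFC 3164 tables; the sample messages are constructed, and the permissive TAG character class (underscore, dot, hyphen) is a deliberate assumption beyond the RFC's alphanumeric-only rule.

```python
import re

# RFC 3164 facility and severity code tables (the two "Example of ..." slides).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# PRI "<n>" without leading zeros; TIMESTAMP "Mmm dd hh:mm:ss" with a space-padded day;
# HOSTNAME with no embedded spaces; TAG ended by the first non-TAG character.
# Assumption: TAG may contain "_", "." and "-" (RFC 3164 says alphanumeric only,
# but daemons such as ENV_MON or systemd-logind emit these routinely).
BSD_SYSLOG = re.compile(
    r"<(?P<pri>0|[1-9]\d{0,2})>"
    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ 1-3]\d) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]{1,32})(?P<rest>.*)"
)
PID_SUFFIX = re.compile(r"\[(?P<pid>\d+)\]")


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (slide 8)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: (facility, severity) = divmod(PRI, 8)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_bsd_syslog(line: str) -> dict:
    """Split an RFC 3164 message into PRI, HEADER and MSG fields; raise on violations."""
    m = BSD_SYSLOG.fullmatch(line)
    if m is None:
        raise ValueError("not an RFC 3164 message: " + line[:40])
    header = line[: m.start("tag")]
    if not all(32 <= ord(c) < 127 for c in header):
        raise ValueError("HEADER must be printable 7-bit ASCII")
    facility, severity = decode_pri(int(m["pri"]))
    if m["mon"] not in MONTHS:
        raise ValueError("bad month " + m["mon"])
    day, hh, mm, ss = (int(m[k]) for k in ("day", "hh", "mm", "ss"))
    if not (1 <= day <= 31 and hh <= 23 and mm <= 59 and ss <= 59):
        raise ValueError("timestamp field out of range")
    # TAG is followed by an optional "[pid]" and, by convention, ": " before CONTENT.
    rest = m["rest"]
    pid_m = PID_SUFFIX.match(rest)
    pid = int(pid_m["pid"]) if pid_m else None
    content = rest[pid_m.end():] if pid_m else rest
    content = content[1:].lstrip(" ") if content.startswith(":") else content.lstrip(" ")
    return {
        "pri": int(m["pri"]), "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
        "month": m["mon"], "day": day, "time": f"{hh:02d}:{mm:02d}:{ss:02d}",
        "hostname": m["host"], "tag": m["tag"], "pid": pid, "content": content,
    }


# Constructed sample messages: the RFC 3164 example and a router-style line with a PID.
SAMPLES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<59>Aug  7 09:05:00 rtr1 ENV_MON[212]: fan 2 failed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_bsd_syslog(s))
```

The parser rejects rather than repairs: a message without a PRI, with a leading zero in the PRI, or with a non-ASCII HEADER raises, because a collector that silently "fixes" such input loses the evidence that something other than a conforming syslog daemon sent it.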

16
Security consideration (1)
  • Authentication
  • The syslog delivery mechanism does not strongly
    associate the message with the message sender:
    neither the UDP source address nor the HOSTNAME
    field is authenticated
  • A misconfigured machine may send syslog messages
    to a collector representing itself as another
    machine
  • An attacker may transmit forged syslog messages
    to a collector.

17
Security consideration (2)
  • Sequenced delivery
  • The syslog process and protocol do not ensure
    ordered delivery.
  • Reliable delivery
  • There is no mechanism within either the syslog
    process or the protocol to ensure delivery
  • Messages may be maliciously intercepted or discarded
  • Message integrity
  • Syslog messages may be damaged in transit, or an
    attacker may maliciously modify them.

18
Security consideration (3)
  • Message observation
  • No mechanism provides confidentiality of the
    messages in transit (clear-text messages)
  • (RFC 5425 later defined syslog over TLS, TCP port
    6514, which gives authentication, integrity and
    confidentiality in transit; it does not help
    against a compromised sender)
  • Message prioritization differentiation
  • No mechanism in the protocol prioritises delivery
    by severity
  • Critical and non-critical messages are treated as
    equal in terms of reception

19
Security consideration (4)
  • Misconfiguration
  • The syslog message may go to an unintended receiver
  • Load considerations
  • An attacker may perform a Denial of Service
    attack by filling the disk of the collector with
    false messages.
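The two weaknesses that bite a collector first are the unauthenticated sender (slide 16) and disk-filling floods (slide 19). As an added example, not from the slides, the following collector front-end applies the two checks a practitioner would add before writing anything to disk: a per-source token bucket, and a comparison of the HEADER hostname against the transport source address and a (hypothetical) inventory. The INVENTORY mapping, the sample datagrams and the rate/burst numbers are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical inventory for this example: the source address each HOSTNAME is expected from.
INVENTORY = {"mymachine": "192.0.2.10", "rtr1": "192.0.2.1"}


class TokenBucket:
    """Per-source rate limit: `rate` messages per second, bursts of up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def header_hostname(datagram: str):
    """HOSTNAME from an RFC 3164 HEADER: after "<PRI>" comes the fixed 15-character
    "Mmm dd hh:mm:ss" timestamp, one space, then HOSTNAME up to the next space."""
    end = datagram.find(">")
    if not datagram.startswith("<") or end < 0:
        return None
    rest = datagram[end + 1:]
    if len(rest) < 17 or rest[15] != " ":
        return None
    return rest[16:].split(" ", 1)[0] or None


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


class Collector:
    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.dropped = defaultdict(int)   # per-source count of rate-limited messages
        self.stored = []                  # (verdict, transport source, datagram)

    def ingest(self, src_ip: str, datagram: str, now: float) -> str:
        # 1. Load: bound what any one source can make us write (disk-fill DoS, slide 19).
        #    The drop counter is kept so the flood itself still leaves a trace.
        if not self.buckets[src_ip].allow(now):
            self.dropped[src_ip] += 1
            return "rate-limited"
        # 2. Authentication: neither the UDP source nor HOSTNAME is authenticated
        #    (slide 16), but they must at least agree with each other and the inventory.
        host = header_hostname(datagram)
        if host is None:
            verdict = "malformed"
        elif _is_ip(host):
            verdict = "accept" if host == src_ip else "spoof-suspect"
        elif host in INVENTORY:
            verdict = "accept" if INVENTORY[host] == src_ip else "spoof-suspect"
        else:
            verdict = "unknown-host"
        # Store the transport source next to the claimed hostname: it is the only
        # origin evidence a UDP collector has, so it must survive into the record.
        self.stored.append((verdict, src_ip, datagram))
        return verdict


# Constructed datagrams: a legitimate one, the same text from the wrong address, junk.
SAMPLE_TRAFFIC = [
    ("192.0.2.10", "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    ("203.0.113.5", "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
    ("192.0.2.9", "garbage"),
]

if __name__ == "__main__":
    c = Collector()
    for src, dgram in SAMPLE_TRAFFIC:
        print(src, c.ingest(src, dgram, 0.0))
```

Flagged messages are still stored; the point of the check is to attach a verdict and the real source address to the record, not to discard evidence. Only the rate limiter drops, and it counts what it drops.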

20
syslog deployment (1)
  • Two roles are distinguished
  • syslog sender (management agent)
  • syslog receiver (management manager)
  • Syslog receiver (1)
  • The device itself writing the messages to a local
    log file
  • Use a circular log file to limit the size: the
    file is created with a fixed capacity and the
    oldest entries are overwritten once it is full

21
syslog deployment (2)
Circular log file
22
syslog deployment (3)
  • syslog receiver (cont.)
  • Centralized logging host
  • Receives messages from several devices and logs
    those messages
  • Applications access this logging host instead of
    the individual devices
  • It often functions as a syslog relay, forwarding
    syslog messages to various applications.

23
syslog deployment (4)
Logging host
syslog relay
24
Netconf (1)
  • Netconf is a network management protocol
    developed in the IETF by the Netconf working
    group.
  • It was published as RFC 4741 (since obsoleted by
    RFC 6241).
  • The NETCONF protocol provides mechanisms to
    install, manipulate, and delete the configuration
    of network devices.
  • It can also perform some monitoring functions.

25
Netconf (2)
  • It uses an Extensible Markup Language (XML) based
    data encoding for the configuration data as well
    as the protocol messages.
  • The NETCONF protocol operations are realized on
    top of a simple Remote Procedure Call (RPC)
    layer.

26
Netconf Datastore (1)
  • The configuration information of a device can be
    thought of and handled as being contained in a
    datastore (like a file)
  • The datastore resembles a MIB.
  • Netconf provides the operations to manage those
    datastores.
  • SNMP targets individual managed objects inside
    the MIB
  • Netconf targets the datastore as a whole or a
    portion of it

27
Netconf Datastore (2)
A hierarchical datastore in Netconf
28
Netconf Datastore (3)
  • Management operations can be applied to
    individual subtrees
  • This capability is called subtree filtering

29
Netconf and XML (1)
  • Netconf uses XML as the encoding for its management
    operations
  • XML documents contain so-called tags to delimit
    different pieces of information
  • Tags are defined by users, such as
  • <email>alex@cisco.com</email>

30
Netconf Architecture (1)
31
Netconf Architecture (2)
  • Transport layer (Netconf over)
  • Secure Shell (SSH) RFC 4742
  • Block Extensible Exchange Protocol (BEEP) RFC 4744
  • Simple Object Access Protocol (SOAP) RFC 4743
  • Remote Procedure Call layer
  • Allows the manager to invoke a function on the agent
  • <rpc> request / <rpc-reply> reply

32
Netconf Architecture (3)
  • The operation layer
  • To manipulate configuration datastores
  • <get-config> / <edit-config>
  • The content layer
  • Configuration data
  • The management information is transported
    and exchanged as XML documents

33
Netconf Message Structure
  • Fig 8-14

34
A netconf request (1)
  • Ex 8-4

35
A netconf request (2)
  • RPC tag
  • <rpc message-id="101"> ... </rpc>
  • frames the overall message; the message-id is
    echoed in the reply so the manager can match
    replies to requests
  • Netconf operation get-config
  • <get-config> ... </get-config>
  • <source> ... </source> specifies the config being
    requested (running config)
  • <filter> ... </filter> specifies the subtree within
    the config (everything that belongs to bgp)

36
A netconf reply
  • Ex 8-5

37
Management operations
  • Get-config: retrieve a configuration datastore
    (the <source> names it, e.g. running)
  • Get: retrieve the running configuration plus
    state information
  • Edit-config: modify or change a configuration
  • Copy-config: copy a new configuration (whole
    datastore)
  • Delete-config: remove a configuration datastore
  • Lock and unlock: protect a configuration datastore
    from concurrent changes while a manager edits it
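As an added example (not from the slides or from any vendor's code), the get-config exchange of slides 35 and 36 in Python: building the <rpc> request with a subtree filter, framing it with the RFC 4742 ]]>]]> delimiter, and parsing a constructed <rpc-reply> with the message-id correlation and <rpc-error> handling a manager needs. The configuration namespace http://example.com/schema/config, the bgp subtree contents and the access-denied reply are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"                                   # RFC 4742 end-of-message delimiter
CFG_NS = "http://example.com/schema/config"      # hypothetical device schema namespace
NAME = re.compile(r"[A-Za-z_][\w.-]*")            # what we allow into an element name


def build_get_config(message_id: int, subtree: str, source: str = "running") -> str:
    """<rpc><get-config> for one datastore, limited by a subtree filter (slide 35)."""
    # Anything interpolated into the XML must be validated first, or a caller-supplied
    # subtree name becomes a way to inject extra operations into the request.
    if source not in ("running", "candidate", "startup") or not NAME.fullmatch(subtree):
        raise ValueError("refusing to interpolate untrusted text into the request")
    return (
        f'<rpc message-id="{int(message_id)}" xmlns="{NC_NS}">'
        f"<get-config><source><{source}/></source>"
        f'<filter type="subtree"><top xmlns="{CFG_NS}"><{subtree}/></top></filter>'
        f"</get-config></rpc>"
    )


def frame(xml: str) -> bytes:
    """Append the RFC 4742 delimiter so the peer can find the end of the message."""
    return xml.encode() + EOM.encode()


def parse_reply(raw: bytes, expected_id: str) -> dict:
    """Unframe and parse an <rpc-reply>; refuse replies that do not match our request."""
    body, sep, _ = raw.decode().partition(EOM)
    if not sep:
        raise ValueError("reply not terminated with ]]>]]>")
    # Device output is untrusted. Stdlib ElementTree does not fetch external entities,
    # but it is not hardened against entity-expansion bombs; use defusedxml for real peers.
    root = ET.fromstring(body)
    if root.tag != f"{{{NC_NS}}}rpc-reply":
        raise ValueError("not an <rpc-reply>")
    if root.get("message-id") != expected_id:
        raise ValueError("reply message-id does not match our request")
    err = root.find(f"{{{NC_NS}}}rpc-error")
    if err is not None:
        return {"ok": False, "error": err.findtext(f"{{{NC_NS}}}error-tag")}
    return {"ok": True, "data": root.find(f"{{{NC_NS}}}data")}


def bgp_as_number(reply: dict):
    """Pull one leaf out of the returned subtree."""
    return reply["data"].findtext(f"{{{CFG_NS}}}top/{{{CFG_NS}}}bgp/{{{CFG_NS}}}as-number")


# Constructed replies a device might return to the request above (slide 36 style).
REPLY_OK = frame(
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><data>'
    f'<top xmlns="{CFG_NS}"><bgp><as-number>65001</as-number>'
    f"<neighbor><address>192.0.2.1</address></neighbor></bgp></top>"
    f"</data></rpc-reply>"
)
REPLY_DENIED = frame(
    f'<rpc-reply message-id="101" xmlns="{NC_NS}"><rpc-error>'
    f"<error-type>protocol</error-type><error-tag>access-denied</error-tag>"
    f"<error-severity>error</error-severity></rpc-error></rpc-reply>"
)

if __name__ == "__main__":
    print(frame(build_get_config(101, "bgp")).decode())
    print(bgp_as_number(parse_reply(REPLY_OK, "101")))
    print(parse_reply(REPLY_DENIED, "101"))
```

The message-id check matters on a session that pipelines requests: without it, a reply to an earlier <get-config> (or a reply a device chooses to send out of order) is silently taken as the answer to the current one.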

38
Netflow protocol /IPFIX (1)
  • RFC 3954 (NetFlow v9)
  • RFC 5101 (IPFIX, sometimes called NetFlow v10;
    since obsoleted by RFC 7011)
  • NetFlow was introduced by Cisco to collect data
    about network traffic from a device.
  • Who are the top talkers in the network?
  • How much traffic is being exchanged between two
    hosts?
  • How are links in the network being used?
  • Where are the traffic bottlenecks in the network?

39
Netflow protocol /IPFIX (2)
  • NetFlow communicates statistical information
    about IP-based data traffic that flows over a router
  • The statistics are provided on a per-flow basis
  • A flow consists of all traffic that belongs to
    the same communication context
  • For a file-transfer application, all packets of
    one transfer belong to the same flow

40
  • Fig 8-15

41
Flow
  • Identified by the following information (the flow key)
  • Source address / source port
  • Destination address / destination port
  • Protocol type (e.g. TCP or UDP)
  • Type of service (ToS)
  • Input logical interface (same index as in the
    SNMP MIB)
  • A flow record includes the keys that identify the
    flow as well as when the flow started and stopped
    and how many packets and bytes were transported

42
Benefit
  • Allows network managers to account for detailed
    network use by individual users
  • Charge based on actual traffic consumption
  • Provides a wealth of data for traffic analysis,
    bottleneck identification and network planning
  • Provides a tool to spot and defend against attacks
    on a network

43
Netflow Protocol
  • NetFlow version 5 is commonly used
  • The newest Cisco version is version 9 (RFC 3954);
    IPFIX is its IETF successor
  • Flow information is exported from the router in
    User Datagram Protocol (UDP) or Stream Control
    Transmission Protocol (SCTP) packets and
    collected using a NetFlow collector.
  • Juniper Networks provides a similar feature for
    its routers called J-Flow.
  • Huawei Technologies routers also support the same
    technology, but call it NetStream

44
Netflow packet structure
45
Packet structure
  • Header
  • Sequence number of the packet
  • The number of flow records contained in the
    NetFlow packet
  • The version number of the NetFlow protocol itself
  • Flow record
  • Keys that identify the flow
  • Start / finish time
  • Statistical data (packet and byte counts)
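As an added example, not from the slides, a parser for the NetFlow v5 datagram layout of slides 44 and 45 (the version the deck calls the commonly used one): 24-byte header, fixed 48-byte records, a length check before the record count is trusted, and two collector-side uses of the result: the top-talker question from slide 38 and a sequence-number gap check that shows when UDP export lost datagrams. The sample export is constructed with the build_v5 helper, with engine and sampling fields zeroed and the addresses and counters invented.

```python
import struct
import ipaddress
from collections import Counter

# NetFlow v5 wire format: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version count sys_uptime unix_secs unix_nsecs flow_sequence "
                 "engine_type engine_id sampling").split()
RECORD_FIELDS = ("srcaddr dstaddr nexthop input output dPkts dOctets First Last srcport "
                 "dstport pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2").split()


def parse_v5(datagram: bytes) -> dict:
    """Decode one v5 export datagram into a header dict with a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram)))
    if hdr["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {hdr['version']}")
    # Never size a loop from a sender-controlled count without checking it against the payload.
    if hdr["count"] > 30 or len(datagram) < V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError("record count does not fit the datagram")
    flows = []
    for i in range(hdr["count"]):
        raw = dict(zip(RECORD_FIELDS,
                       V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)))
        flows.append({
            "src": str(ipaddress.IPv4Address(raw["srcaddr"])),
            "dst": str(ipaddress.IPv4Address(raw["dstaddr"])),
            "sport": raw["srcport"], "dport": raw["dstport"], "proto": raw["prot"],
            "tos": raw["tos"], "in_if": raw["input"], "tcp_flags": raw["tcp_flags"],
            "packets": raw["dPkts"], "bytes": raw["dOctets"],
            "first_ms": raw["First"], "last_ms": raw["Last"],   # router uptime, ms
        })
    hdr["flows"] = flows
    return hdr


class SequenceTracker:
    """v5 flow_sequence counts flows exported so far; a jump means datagrams were lost (UDP)."""

    def __init__(self):
        self.expected = None

    def observe(self, pkt: dict) -> int:
        gap = 0 if self.expected is None else pkt["flow_sequence"] - self.expected
        self.expected = pkt["flow_sequence"] + pkt["count"]
        return max(gap, 0)   # negative = reordering or exporter restart; alert on that separately


def top_talkers(flows, n: int = 3):
    """Bytes sent per source address, largest first (the slide-38 question)."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
    return c.most_common(n)


def build_v5(flow_sequence: int, records, sys_uptime=120_000, unix_secs=1_700_000_000) -> bytes:
    """Constructed exporter output for exercising the parser (engine/sampling zeroed)."""
    hdr = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\0" * 4,
        1, 2, pkts, octets, first, last, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, first, last, flags in records)
    return hdr + body


# Constructed sample: one HTTPS flow, one SSH flow, one DNS query, all invented.
SAMPLE = build_v5(100, [
    ("10.0.0.5", "198.51.100.7", 51512, 443, 6, 120, 150_000, 100_000, 118_000, 0x1b),
    ("10.0.0.9", "198.51.100.7", 40000, 22, 6, 10, 1_200, 110_000, 119_000, 0x02),
    ("10.0.0.5", "10.0.0.1", 5353, 53, 17, 2, 180, 119_500, 119_500, 0),
])

if __name__ == "__main__":
    pkt = parse_v5(SAMPLE)
    print(pkt["flow_sequence"], pkt["count"], top_talkers(pkt["flows"]))
```

The sequence check is the collector-side answer to slide 43's "exported in UDP": a gap of 7 means seven flow records were exported and never arrived, which an analyst needs to know before concluding that a host was quiet.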

46
Finishing the flow
  • No traffic has been detected on the flow for a
    certain time (inactive timeout)
  • A packet is detected at the application-protocol
    level indicating that the data transfer carried by
    the flow has completed (for TCP, a FIN or RST)
  • If a flow has been going on for a long time (e.g.
    30 minutes, the active timeout), the router simply
    declares the flow ended and starts a new one

47
Management protocol positioning