Page 382 - Handbook of Modern Telecommunications
Network Management and Administration 3-173
In typical management environments, management frameworks are protected by using a combination of the following security services.
• Identification of users: Unique representation of a user, computer, application, or remote system
designed to provide accountability and record the actions of the identified entity.
• Access control: Allows the requesting party to access the system and networking resources only if the party is authorized to do so. It is supported by login functions with built-in password checks.
• Authentication: Verification of the entity prior to accessing the system and networking resources. Here the entity must prove its identity using techniques such as personal attributes, digital signatures, and others.
• Data privacy: An encryption mechanism using trusted third-party secret keys. Through a combination of private and public keys, the encrypted information can be verified for integrity and accessed for processing.
• Data integrity: A security feature that allows verification of cryptographic data checksums. A successful verification is proof that the data was not tampered with or corrupted during network transmission.
• Security auditing: Allows the generation of audit logs. These logs should be encrypted and protected against unauthorized access attempts.
3.7.2.2 Management Services
Management services address more specific items associated with management applications. The most
important features are listed below.
3.7.2.2.1 Communication Services
3.7.2.2.1.1 Network Architectures There are significant differences in the various types of targeted networks to be managed. Many products are expected to manage legacy networks and the more open, IP-based networks at the same time.
3.7.2.2.1.2 Network Management Protocols Products are expected to provide at least Simple Network Management Protocol (SNMP) support, and it is an additional advantage when they can do more. SNMP support may include the capability of working with proxy agents that convert non-SNMP management data into SNMP. Protocols to be supported include CMIP, CMOT, LNMP, NMVT, Remote Monitoring (RMON), SNMPv1, SNMPv2, and eventually Desktop Management Interface (DMI) to manage desktops.
The management platform provides SNMP support in several ways. First and foremost is the ability to poll SNMP devices and receive SNMP traps, as described previously in Section 3.3. However, in order to configure polls on the management information base (MIB) variables of various devices, one must first know what those variables are. Management platforms provide MIB “browsers” for this purpose. An MIB browser queries user-selected SNMP network devices and displays their MIB values. In addition, most platforms can display line or bar graphs of these MIB values, provided they are in numeric form (e.g., counters).
MIB browsers display raw and often cryptic, low-level device information. For this reason, platforms also provide MIB application builders that allow users to quickly create applications for displaying information on MIB objects in a more meaningful way. MIB applications may include graphing real-time information on selected network nodes. However, even MIB application builders are limited in supporting the high-level analyses that third-party applications provide more fully.
MIB compilers allow users to bring in third-party, device-specific MIBs (also called private or extended
MIBs) and register them with the management platform. While most platforms ship with a number of
third-party MIBs, they do not include all possible MIBs from all vendors. An MIB compiler is necessary
for adding support for third parties whose MIBs are not shipped as part of the standard platform.
Some MIB compilers are more robust than others. Some will fail or abort processing if there is an
error in the MIB being compiled. Unfortunately, errors in third-party MIBs are not rare. Therefore, it is
desirable to have an MIB compiler that can flag errors and recover rather than stop immediately.
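As an added illustration of that last point (example code written for this discussion, not from the handbook or any product): a toy MIB compiler in Python that parses a deliberately simplified OBJECT-TYPE syntax, records each error with its line number and continues with the next definition, so one malformed third-party definition does not block the rest of the module; it also refuses to register an object on an OID already held by another name, since a third-party MIB that silently shadows a standard object would corrupt every poll built on it. The sample MIB text, the one-line grammar and the registered parent node are constructed assumptions; real SMI syntax is considerably richer.

```python
import re

# Constructed, heavily simplified MIB fragment (not a real vendor MIB). ifBroken has a
# malformed OID assignment and ifShadow reuses ifInOctets's OID; a strict compiler would
# abort at the first problem and never register ifOutOctets at all.
SAMPLE_MIB = """\
ifInOctets OBJECT-TYPE
    SYNTAX Counter32
    ::= { ifEntry 10 }
ifBroken OBJECT-TYPE
    SYNTAX Counter32
    ::= { ifEntry }
ifOutOctets OBJECT-TYPE
    SYNTAX Counter32
    ::= { ifEntry 16 }
ifShadow OBJECT-TYPE
    SYNTAX Counter32
    ::= { ifEntry 10 }
"""
# Parent node assumed to be already registered with the platform (ifEntry of the standard IF-MIB).
KNOWN_NODES = {"ifEntry": "1.3.6.1.2.1.2.2.1"}

OBJ_RE = re.compile(r"^(\w+)\s+OBJECT-TYPE$")
OID_RE = re.compile(r"^::=\s*\{\s*(\w+)\s+(\d+)\s*\}$")

def compile_mib(text, known):
    """Register OBJECT-TYPE definitions; flag bad ones and keep compiling the rest."""
    objects, errors = {}, []
    names = dict(known)                                     # name -> OID, grows as we go
    assigned = {oid: name for name, oid in known.items()}   # OID -> name, for collision checks
    current = None                                          # object whose ::= is pending
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
            continue
        if not line.startswith("::="):
            continue                                        # SYNTAX, ACCESS, etc. ignored here
        m = OID_RE.match(line)
        if current is None:
            errors.append((lineno, "OID assignment outside any OBJECT-TYPE"))
        elif m is None:
            errors.append((lineno, f"{current}: malformed OID assignment '{line}'"))
        elif m.group(1) not in names:
            errors.append((lineno, f"{current}: unknown parent node {m.group(1)}"))
        elif (oid := f"{names[m.group(1)]}.{m.group(2)}") in assigned:
            errors.append((lineno, f"{current}: OID {oid} already registered as {assigned[oid]}"))
        else:
            names[current] = objects[current] = oid
            assigned[oid] = current
        current = None                                      # recover and move on
    return {"objects": objects, "errors": errors}
```

Run against SAMPLE_MIB, the compiler registers ifInOctets and ifOutOctets and reports two errors (lines 6 and 12) instead of stopping at ifBroken.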