---
tags: apnic, management
---
# APNIC Network Management Courses
[TOC]
## Linux Virtual Lab
> [Course Link](https://academy.apnic.net/en/virtual-labs?labId=87395)
- Version 0.0.1 released in 1991
- Features
- Kernel as Core Component
- Multiuser Capability and Multicasting
- Open Source
- Hierarchical File System
- Portable
- Linux Distributions

- Shell - the command interpreter
- BASH, CSH, KSH, ZSH...etc.
- `echo $SHELL`
- Linux based OS Architecture

> Hardware talks through the kernel up to user space.
- Directory Structure
- The Filesystem Hierarchy Standard(FHS) defines the directory structure and contents in Linux distributions.

:::info
**Default directories and their meaning**
:::
- Types of Users
- System Users & Regular Users
- Super Users
- Known as root user.
- Can override any file ownership, permission restrictions.
- Make system-wide changes.
- `/etc/passwd`

- `/etc/group`

- Access permissions control(`rwx` for owner, group, other)

- Commands: `chown`, `chgrp`, `chmod`
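Added example (my own code, not course material): a small audit of a constructed `/etc/passwd` that checks the two things the course points at, namely which accounts are effectively root (UID 0) and which interactive accounts have no password at all. The sample file content is made up, and the cut-off of UID < 1000 for system accounts is an assumption (the Debian/Ubuntu default).

```python
"""Audit a /etc/passwd file for risky accounts (added example, not course material)."""
import io

# Constructed sample, not from a real host. Field layout is the real one:
# name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:left over from a migration:/home/backup:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999   # assumption: Debian-style layout, regular users start at 1000


def parse_passwd(text):
    """Yield one dict per passwd entry; blank and comment lines are skipped."""
    for lineno, line in enumerate(io.StringIO(text), 1):
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def audit_passwd(text):
    """Return findings keyed by check name.

    'x' in the password field means the hash lives in /etc/shadow; an empty
    field means there is no password at all, which only matters when the
    account can actually log in (shell not in NOLOGIN_SHELLS).
    """
    findings = {"extra_root": [], "no_password": [], "interactive_system_users": []}
    for e in parse_passwd(text):
        interactive = e["shell"] not in NOLOGIN_SHELLS
        if e["uid"] == 0 and e["name"] != "root":
            findings["extra_root"].append(e["name"])          # a second super user
        if e["password"] == "" and interactive:
            findings["no_password"].append(e["name"])
        if e["uid"] <= SYSTEM_UID_MAX and e["name"] != "root" and interactive:
            findings["interactive_system_users"].append(e["name"])
    return findings


if __name__ == "__main__":
    for check, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{check}: {names}")
```

On a real host the same function can be fed `open("/etc/passwd").read()`; the UID-0 check is the one worth running regularly, since any extra UID-0 entry has all the powers of root described above.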
- Bash Scripts
- A plain text file that contains a series of commands.

- CRON - task scheduler(a daemon)

- Crontab syntax generators:
- https://crontab.guru/
- https://crontab-generator.org/
- Text Editors
- Most configuration of Linux systems is done by editing text files.
- Command Line
- vi, nano, pico...etc.
- GUI
- gedit(GNOME), KWrite(KDE)
- Manual Page: `man <command>`
- Check the listening ports and applications on Linux:
- `sudo lsof -i -P -n`
- `sudo netstat -tulpn`
- Bash script to ping the nameserver IP addresses listed in */etc/resolv.conf* and display the output:
```bash=
#!/bin/bash
# Extract the second field of each "nameserver" line and ping each address five times
for DNSip in $(grep -w nameserver /etc/resolv.conf | awk '{print $2}'); do
    ping -c5 "$DNSip" && echo
done
```
## Network Security Fundamentals
> [Course Link](https://academy.apnic.net/en/webinar-courses/network-security-fundamentals)
### Security Breaches
- [World's Biggest Data Breaches & Hacks](https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/)

- Data breaches and leaks are happening.
- Different colors show different sensitivity.
- [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/)
- Tracks accounts and credentials that have been compromised and released to the public.
> The password may be extracted and cracked.
> If you reuse the same password on other websites, all of those accounts can be taken over once an attacker obtains it.
- [zone-h](http://www.zone-h.org/archive)

- Tracks and archives website defacements.
- Self-described white-hat hackers deface web pages to remind the owner that there is a vulnerability.
- A common vulnerability can lead to mass compromises.
- SQL injection attack
- [Event - the cyber-attack on Ticketmaster website](https://www.riskiq.com/blog/external-threat-management/magecart-ticketmaster-breach/)
### InfoSec Definitions
- **Information Security**
- **Asset** - what we are trying to protect.
- Physical Resources: servers, routers, switches.
- Virtual Resources: CPU, memory, bandwidth, network connections.
- **Threat**
- Intentional: Hacking, malware, DDoS, company insiders.
- Accidental: Malfunction, user error.
- Natural Disaster
- **Vulnerability** - weakness in an asset's design or implementation.
- Software bugs (in applications or services)
- Protocol design flaws
- SYN flood, ASN.1, NTLM
- Misconfiguration
- Insecure authentication
- Weak passwords, lack of 2FA/MFA
- Unvalidated inputs
- SQL injection, Cross Site Scripting(XSS)
- Poor physical security
- [The brazen airport computer theft that has Australia's anti-terror fighters up in arms](https://www.smh.com.au/national/the-brazen-airport-computer-theft-that-has-australias-anti-terror-fighters-up-in-arms-20030905-gdhc5q.html)
- **Risk**
- ==Risk = Asset(or Impact) x Threat x Vulnerability==
- **Risk Matrix** - risk assessments

- **CVSS** - Common Vulnerability Scoring Systems
- Translate the characteristics and impacts of a vulnerability into a numerical score.
- [Interactive calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
- **Mitigate** - to reduce the severity
- Done by applying **Security Controls**
- Time of impact
- Preventative
- Detective
- Corrective
- Type of control
- Legal and regulatory compliance
- Physical
- Procedural/Administrative
- Technical
- **Defence In Depth** - the **layering** of security controls
- Provide redundancy in case of a failure or vulnerability.
- Referred to as the **Castle Approach**.
> Build multiple layers of defence, like in a tower-defence game.
- Threat actor - someone who maliciously causes harm
- Commonly called attacker or hacker.
- Categories: Opportunistic, Hacktivists, Cybercriminals, Insiders...etc.
### CSIRT/CERT
- CSIRT(Computer Security Incident Response Team)
- CERT(Computer Emergency Response Team)
- **Constituency** - who is the CSIRT/CERT serving
- National/Country
- Enterprise/Organization/Sector
- Critical Infrastructure
- Product/Customer
### Infrastructure Security Fundamentals
#### Device Access Control(Physical)
- Equipment is kept in highly restrictive environments.
- Lock up, surveillance, backup, engineer training...etc.
#### Fundamental Device Protection(Logical)
- Management Plane Filters
> The course shows some of these as Cisco IOS commands.
- Secure access with **password** and **timeout**.

- **Authenticate** individual users.
- Restrict access to **specified trusted hosts**.

- Allow remote **VTY**(Virtual Teletype Terminal) access only through **SSH**.

- Protect **SNMP** if used.

- Shut down unneeded interfaces and services.

- Ensure accurate timestamps for all **logging**.
- Define explicit access to management stations.
- SSH, SNMP, Syslog, TFTP, NTP, AAA Protocols
- **RADIUS Authentication(AAA)**

> [RADIUS --> Remote Authentication Dial-In User Service](https://en.wikipedia.org/wiki/RADIUS)
> **AAA** --> Authentication, Authorization, Accounting.
- Create warning banners.
- Data Plane (Packet) Filters
- Scaling and maintainability issues with filters are commonplace.
- Take into consideration alternate routes.
- Backdoor paths due to network failures.
- Filtering Recommendation
- Log filter port messages properly.
- Allow only internal addresses to enter the router from the internal interface.
- Block packets from outside(untrusted) that are obviously fake or commonly used for attacks.
- Block packets that claim to have a source address of any internal (trusted) network --> prevents **IP spoofing**
- Block incoming loopback packets and RFC 1918 networks(private IP addresses).
- Block multicast packets if not used.
- Block broadcast packets if they are not DHCP or BOOTP users.
- [RFC 2827](https://datatracker.ietf.org/doc/html/rfc2827) (BCP 38)
- **Network Ingress Filtering** - Defeating Denial of Service Attacks which employ IP Source Address Spoofing
> The ONLY valid source IP address for packets originating from that PC is the one assigned by the ISP (whether statically or dynamically assigned).
- Techniques for BCP 38
- Static ACLs on the edge of the network.

- Unicast RPF strict mode.
- [Reverse-path forwarding(RPF)](https://en.wikipedia.org/wiki/Reverse-path_forwarding)
- IP source guard.
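Added example (my own code, not from the course): a simulation of the data-plane filtering recommendations and of the BCP 38 techniques above. Each packet gets the first matching drop reason, or `None` when permitted, and every drop becomes a log line as the first recommendation asks. The site prefixes, interface names and routing table are constructed for the example: the hypothetical site owns 203.0.113.0/24 on the `inside` interface and 192.0.2.0/24 on `dmz` (both documentation ranges), and the routing table is what uRPF strict mode consults.

```python
"""Simulate ingress/egress packet filtering per BCP 38 (added example; constructed topology)."""
import ipaddress

# Constructed site: these are the "internal (trusted)" networks.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/24")]
# Sources that should never arrive from the untrusted side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "127.0.0.0/8",                                     # loopback
)]
# uRPF strict mode needs the forwarding table: which interface reaches each prefix.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "inside",
    ipaddress.ip_network("192.0.2.0/24"): "dmz",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}
BROADCAST = ipaddress.ip_address("255.255.255.255")
DHCP_PORTS = (67, 68)   # BOOTP/DHCP server and client ports


def best_route(addr):
    """Longest-prefix match against ROUTES; the default route guarantees a hit."""
    return max((net.prefixlen, iface) for net, iface in ROUTES.items() if addr in net)[1]


def classify(pkt):
    """pkt: {'src', 'dst', 'iface', 'dport'}; return a drop reason, or None to permit."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    from_outside = pkt["iface"] == "outside"
    internal_src = any(src in net for net in INTERNAL_NETS)

    if dst == BROADCAST:                       # broadcast only for DHCP/BOOTP
        return None if pkt["dport"] in DHCP_PORTS else "broadcast that is not DHCP/BOOTP"
    if from_outside and internal_src:
        return "internal source address arriving from outside (IP spoofing)"
    if not from_outside and not internal_src:
        return "only internal addresses may enter from an internal interface"
    if from_outside and any(src in net for net in BOGON_NETS):
        return "loopback or RFC 1918 source from outside"
    if dst.is_multicast:
        return "multicast not used on this network"
    if best_route(src) != pkt["iface"]:        # static-ACL rules above, now uRPF strict
        return "uRPF strict mode: source not routed via the ingress interface"
    return None


def run_filter(packets):
    """Apply classify() to each packet; return (drop log lines, number permitted)."""
    log, permitted = [], 0
    for pkt in packets:
        reason = classify(pkt)
        if reason is None:
            permitted += 1
        else:
            log.append(f"DROP iface={pkt['iface']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} ({reason})")
    return log, permitted


# Constructed test traffic; none of these are real hosts.
SAMPLE = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "iface": "outside", "dport": 443},  # normal inbound
    {"src": "203.0.113.5", "dst": "203.0.113.10", "iface": "outside", "dport": 80},    # spoofed internal src
    {"src": "10.1.2.3", "dst": "203.0.113.10", "iface": "outside", "dport": 25},       # RFC 1918 from outside
    {"src": "203.0.113.20", "dst": "198.51.100.7", "iface": "inside", "dport": 443},  # normal outbound
    {"src": "192.0.2.5", "dst": "203.0.113.10", "iface": "inside", "dport": 22},      # dmz address on wrong iface
    {"src": "0.0.0.0", "dst": "255.255.255.255", "iface": "inside", "dport": 67},     # DHCP discover
    {"src": "203.0.113.1", "dst": "224.0.0.5", "iface": "inside", "dport": 0},        # multicast (OSPF hello)
]

if __name__ == "__main__":
    lines, ok = run_filter(SAMPLE)
    print("\n".join(lines))
    print(f"permitted: {ok}")
```

The uRPF rule only fires for the `192.0.2.5`-on-`inside` packet because the static ACL rules before it already cover the simpler spoofing cases; that is the point of pairing the two techniques, since the ACL lists what you know and uRPF catches what the routing table knows.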
### VPN and IPsec
#### VPN - Virtual Private Network
- Create a **secure tunnel** over public network.
- Uses the Internet as the public backbone to access a secure private network.
- VPN Protocols
- **PPTP**
- **L2TP**
- **IPsec**
- **TLS**
- These protocols encrypt at different layers of the stack.

#### IPsec
- [RFC 4301](https://datatracker.ietf.org/doc/html/rfc4301)
- Provide **Layer 3** security.
- Confidentiality
- Data Integrity
- Source Authentication
- Signatures and certificates.
- Combines different components
- **SA** - Security Associations
- **IKE** - Internet Key Exchange
- **AH** - Authentication Headers
- **ESP** - Encapsulating Security Payload
- **Key** management
- Session negotiation and establishment via **IKE**.
- Sessions are rekeyed and deleted automatically.
- Secret keys are securely established and authenticated.
- **AH - Authentication Headers**
- Provide source authentication and data integrity.
- Protection against **source spoofing** and **replay attacks**.
- Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out.
- If both AH and ESP are applied to a packet, **AH follows ESP**.
- Operates on top of IP using **protocol 51**.
- **ESP - Encapsulating Security Payload**
- Using IP **protocol 50**.
- Provide all that is offered by AH, plus **data confidentiality** (symmetric key encryption).
- Encryption occurs before authentication.
- **Authentication** is applied to data in **both IPsec header and payload**.
- **Tunnel Mode** vs. **Transport Mode**

- Best Practices
- Use IPsec to provide integrity in addition to encryption.
- Use strong encryption algorithms like 3DES and AES instead of DES.
- Use good hashing algorithms like SHA instead of MD5.
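Added example (my own code, not from the course or any IPsec implementation): it shows three of the points above in working form, namely that AH is IP protocol 51 and ESP is protocol 50, that both carry an SPI and a sequence number right after the IP header, and that replay protection is a sliding window over that sequence number. It also builds the "mutable fields zeroed" view of the IPv4 header that AH authenticates. The packets are constructed inline and nothing is sent; the IPv4 checksum is left at zero and no IP options are assumed.

```python
"""Parse AH/ESP headers and enforce anti-replay (added example; constructed packets)."""
import socket
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51


def build_ipv4(proto, payload, src="203.0.113.1", dst="198.51.100.1"):
    """Minimal IPv4 header, no options; header checksum left at 0 for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_esp(spi, seq, ciphertext):
    """ESP header is SPI || sequence number; the encrypted body and ICV follow."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_ah(spi, seq, next_header, icv):
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ipsec(packet):
    """Return {'proto', 'spi', 'seq'} for an AH or ESP packet, else raise ValueError."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "spi": spi, "seq": seq}
    if proto == IPPROTO_AH:
        _, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
        return {"proto": "AH", "spi": spi, "seq": seq}
    raise ValueError(f"IP protocol {proto} is not AH or ESP")


def ah_icv_input(packet):
    """IPv4 base header as AH authenticates it: mutable fields zeroed (RFC 4302)."""
    h = bytearray(packet[:20])
    h[1] = 0                  # ToS / DSCP + ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A (default 64)."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => seq (top - i) seen

    def accept(self, seq):
        """True if seq is new and inside the window; False if replayed or too old."""
        if seq == 0:
            return False                                # sequence numbers start at 1
        if seq > self.top:                              # advance the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                                # older than the window, or seen
        self.bitmap |= 1 << diff
        return True


def process(packets):
    """Run packets through one replay window per SA; return (proto, spi, seq, accepted)."""
    windows, out = {}, []
    for pkt in packets:
        info = parse_ipsec(pkt)
        win = windows.setdefault((info["proto"], info["spi"]), ReplayWindow())
        out.append((info["proto"], info["spi"], info["seq"], win.accept(info["seq"])))
    return out


# Constructed sample: one ESP SA with reordered and replayed packets, plus one AH packet.
SAMPLE = [build_ipv4(IPPROTO_ESP, build_esp(0x1000, s, b"\xaa" * 16)) for s in (1, 2, 3, 2, 5, 4, 3, 1)]
SAMPLE.append(build_ipv4(IPPROTO_AH, build_ah(0x2000, 1, 6, b"\x00" * 12)))

if __name__ == "__main__":
    for row in process(SAMPLE):
        print(row)
```

Packet 4 (seq 2 again) and the late seq 3 and seq 1 are rejected as replays, while seq 4 arriving after seq 5 is still accepted because it falls inside the window; that distinction is what lets IPsec tolerate reordering without accepting duplicates.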
### DoS and DDoS
## Routing Fundamentals
> [Course Link](https://academy.apnic.net/en/course/routing-fundamentals-course)
## SNMP Fundamentals
> [Course Link](https://academy.apnic.net/en/events?id=a0B2e000000WpyXEAS)
> [Agenda and docs](https://wiki.apnictraining.net/snmp-20220607-online/agenda)
> [My note about SNMP](https://hackmd.io/@Phoebe61G/SNMP)
### What is SNMP
- **Simple Network Management Protocol**
- Application layer protocol
- Uses UDP as its transport protocol
- What SNMP does
- Detect issues and faults early
- **Monitor** device throughput (direction, service, etc.)
- Remote **configuration and control**
### SNMP Components
- **Manager**
- A central software application that logs to a central database
- Polls devices to obtain information and alerts
- Polling happens over UDP port 161(default)
:::info from Solomon
Telnet/SSH supports an interactive session in which you can issue a series of commands or edit a file. In contrast, SNMP only allows a simple request/response.
:::
- **Agent**

- Process running on a monitored device
- Information sent as response to polling
- Unsolicited messages (traps) also
- Information sent over UDP port 162(default)
- **Management Information Base(MIB)**
- A collection of definitions that describes the properties of the managed objects
- Each managed device keeps a database of definitions written in MIB
- A hierarchical structure that forms a tree, containing object identifiers or **OIDs**
- An OID is an object identifier value, an address used to identify a particular device and its status

- SNMP-enabled network devices maintain a database of system status, availability and performance information as objects, identified by OIDs
- [Tree display](http://oid-info.com/cgi-bin/display?tree=)
> [OID Repository](http://oid-info.com/index.htm)
- An agent may implement many MIBs, but all agents implement a particular MIB called **MIB-II**(see [RFC 1213](https://datatracker.ietf.org/doc/html/rfc1213))
:::info
- [Cisco MIB](https://cfnng.cisco.com/mibs)
- [Juniper MIB](https://apps.juniper.net/mib-explorer/)
:::
- **Devices**
- Controlled by agent
- SNMP information source
:::spoiler QA
Q: Last time I was using one of the NMS that can query and also do configuration. Can I assume that is Telnet/SSH + SNMP? I used it for DWDM network monitoring.
A: SNMP can support some simple configuration. However, if you want to do something very complicated, an SSH session or HTTPS web configuration will probably be needed.
Telnet is certainly not recommended, because it is not secure. Please use SSH, at least.
:::
### SNMP Protocol Commands

### Exchange Mechanism

### SNMP Version
- SNMPv1
- RFC 1157
- No inform-request option
- Uses a community string for security, which is passed in clear text
- SNMPv2
- SNMP v2c
- Addition of the inform-request option
- Community string used for authentication
- 64-bit counters
:::info
- Both v1 and v2 use communities to establish trust between managers and agents.
- An agent is configured with three community names:
- read-only
- read-write
- trap
- Community names are essentially passwords.
:::
- SNMPv3
- Addition of
- unique EngineIDs for SNMP devices
- authentication based on MD5 or SHA
- encryption through DES, 3DES or AES
- Ensure confidentiality, authentication and access control
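Added example (my own code, not from the course or from net-snmp) to make the v1/v2c point concrete: the community string travels in clear text inside a BER-encoded message, so anything that can read the UDP datagram can read the "password". The block builds an SNMPv2c GetRequest the way a manager would send it, decodes it back with a minimal BER walker, and flags the well-known default communities; it is the kind of check a monitoring box can run on captured traffic before deciding to move an agent to SNMPv3. The community value and OIDs are just sample inputs, and only short-form BER lengths (under 128 bytes) are used on the encoding side.

```python
"""Encode and decode an SNMPv2c GetRequest; flag clear-text communities (added example)."""

# --- minimal BER encoder: just what a GetRequest needs, short-form lengths only ---
def tlv(tag, content):
    assert len(content) < 128, "demo encoder uses short-form lengths only"
    return bytes([tag, len(content)]) + content

def ber_int(n):
    """Non-negative INTEGER, big-endian, with a leading 0x00 when the top bit is set."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)   # continuation bit on all but the last
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def snmp_v2c_get(community, oids, request_id=42):
    """Message ::= SEQUENCE { version INTEGER(1), community OCTET STRING, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + tlv(0x05, b"")) for o in oids)   # value = NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

# --- decoder side: walk the BER structure as a capture tool would ---
def read_tlv(data, pos):
    """Return (tag, content, position after this TLV); handles short and long lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def decode_int(content):
    return int.from_bytes(content, "big", signed=True)

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def inspect_snmp(datagram):
    """Pull version, community, PDU type, request-id and OIDs out of a v1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)       # OCTET STRING, readable as-is
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)                   # error-status
    _, _, p = read_tlv(pdu, p)                   # error-index
    _, vbl, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    v = decode_int(ver)
    return {"version": {0: "v1", 1: "v2c"}.get(v, f"unknown({v})"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": decode_int(rid), "oids": oids}

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults worth flagging

def community_findings(datagram):
    """Findings a monitoring tool would raise for one captured v1/v2c datagram."""
    info, findings = inspect_snmp(datagram), []
    if info["version"] in ("v1", "v2c"):
        findings.append(f"{info['version']} community sent in clear text: {info['community']!r}")
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string in use")
    return findings

if __name__ == "__main__":
    pkt = snmp_v2c_get("training", ["1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"])  # sysUpTime.0, sysName.0
    print(pkt.hex())
    print(inspect_snmp(pkt))
    print(community_findings(pkt))
```

Even with a non-default community, the first finding is always raised for v1/v2c; the only fix is SNMPv3 with `authPriv`, which is what the authentication and encryption additions listed above provide.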
### Configuration Examples


### SNMP Lab
> [doc](https://wiki.apnictraining.net/_media/nmm-20210531-online/03.snmp_lab_netsnmp.pdf)
- Log in to the VM
```bash=
ssh lab@202.125.97.72
ssh apnic@172.18.30.20
```
> ssh lab@202.125.97.72 -L 8090:172.18.30.20:80
> Password: "訓練" in English
- Install packages
```bash=
sudo apt update
sudo apt install snmpd snmp snmp-mibs-downloader
```

- Edit config files
```bash=
sudo vi /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmpd.conf
```
> `snmp.conf` for manager
> `snmpd.conf` for agent
- After configuration, restart `snmpd`
```bash=
sudo systemctl restart snmpd
```
- SNMP Packet Capture
```bash=
# Generic form: walk a subtree over SNMPv2c with a community string
snmpwalk -v 2c -c {community} <device-address>
# Single object: uptime of the lab agent
snmpwalk -v2c -c training 192.168.1.10 system.sysUpTime.0
# Interface names on the router (MIB object names are case-sensitive: ifName, not IfName)
snmpwalk -v2c -c training 192.168.20.1 ifName
```
> For the different MIBs available, see `/etc/snmp-mibs-downloader/ianalist`
- Log in to the router
```bash=
ssh 192.168.20.1
```
:::spoiler QA
Q: Can SNMP deliver data to the server on a per-second basis?
We are seeing that model-driven telemetry is now being introduced, which streams data more effectively than SNMP.
SDN is replacing the control plane and data plane of routers. Controllers like OpenDaylight and ONOS are being introduced to manage the control plane.
Will we still be using SNMP?
:::
### LibreNMS Lab
> [doc](https://wiki.apnictraining.net/_media/nmm-20210531-online/04.snmp_lab_librenms-20210519-remote.pdf)
> [My note about LibreNMS](https://hackmd.io/@Phoebe61G/LibreNMS)
- What is [LibreNMS](https://www.librenms.org/)?
- A fully featured network monitoring tool for Linux (based on SNMP)
- A fork of [Observium](https://www.observium.org/), but open source!
- Supports an API and a traffic billing system
- Auto-discovers a whole network using SNMP, CDP, FDP, LLDP, OSPF, BGP and ARP
- Integration with Graylog, Nagios, NFSen, SmokePing, Oxidized, collectd, etc.
- [Nagios Plugins - Services](https://docs.librenms.org/Extensions/Services/)
- Multiple authentication methods like MySQL, HTTP, LDAP, Radius, Active Directory
- [Download](https://www.librenms.org/#downloads)
- [Network-WeatherMap](https://docs.librenms.org/Extensions/Weathermap/)
- [Metric storage](https://docs.librenms.org/Extensions/Metric-Storage/)
:::spoiler QA
Q: If I want to transfer metrics from LibreNMS to a TSDB like InfluxDB, will I get real-time data collected from devices, or will the data be passed to the TSDB later, after being stored in the RRD database?
Q: Is there any limitation on threading at the Linux server end for LibreNMS? In Cacti we face those threading issues, so sometimes the RRD database gets None values from devices.
A: We have been using it for a few hundred devices for a few years now and have not seen any such issue.
:::