
Building Internet Firewalls

Chapter 2: Internet Services

2.10 Network Management Services

There are a variety of services that are used to manage and maintain networks; these are services that most users don't use directly - indeed, that many of them have never even heard of - but they are very important tools for network managers.

The two most common network management tools are ping and traceroute. Both are named after the UNIX programs that were the first implementations, but both are now available in some form on almost all Internet-capable platforms. They do not have their own protocols, but make use of the same underlying protocol, the Internet Control Message Protocol (ICMP). Unlike most of the programs we've discussed, they are not clients of distinguishable servers. ICMP is implemented at a low level as a required part of the TCP/IP protocols all Internet hosts use.

ping simply tests reachability; it tells you whether or not you can get a packet to and from a given host, and often additional information like how long it took the packet to make the round trip. traceroute tells you not only whether you can reach a given host (and whether it can answer), but also the route your packets take to get to that host; this is very useful in analyzing and debugging network trouble somewhere between you and some destination.

Because there aren't servers for ping and traceroute, you can't simply decide not to turn the servers on. It's possible to use packet filtering to prevent the packets from being transmitted from your site or received at your site, but it's usually not necessary. There are no known risks for outbound ping or traceroute, and very few for inbound ping and traceroute. They can be used for denial of service attacks, but no more so than other protocols. More threateningly, they can be used to determine which hosts at your site exist, as a preliminary step to attacking them. For this reason, many sites either prevent or limit the relevant packets inbound.

Simple Network Management Protocol (SNMP) is a protocol designed to make it easy to centrally manage network equipment (routers, bridges, concentrators, hubs, and, to a certain extent, even hosts). SNMP management stations can request information (whether a given interface is up or down, how many bytes have been moved through that interface, how many errors there have been on that interface, etc.) from network equipment via SNMP. SNMP management stations can also control certain functions of the network equipment (taking an interface up or down, setting its parameters, and so on). The network equipment can also report urgent information (for example, that a line has gone down, or that there are a significant number of errors occurring on a given line) to SNMP management stations via SNMP. The major security risk with SNMP is that someone else might be able to take over control of your network equipment and reconfigure it for their purposes (disabling packet filtering, changing routing, or simply trashing your configuration).
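As an added example (not from the book), the following Python decision function expresses the perimeter policy the ping/traceroute and SNMP discussions above point to: outbound ICMP and the replies it depends on are accepted, inbound echo requests are rate-limited with a token bucket rather than forbidden, and SNMP may cross the perimeter only when the site's management station is the inside endpoint. The addresses and the management-station host are constructed assumptions; the policy is stateless and covers only ICMP, so the UDP probes that UNIX traceroute sends would need a separate rule.

```python
import ipaddress
from collections import namedtuple

# One packet crossing the site perimeter: direction is "in" or "out",
# proto is "icmp" or "udp", dport is None for ICMP.
Packet = namedtuple("Packet", "direction proto icmp_type src dst dport")

# Constructed site parameter (hypothetical address from the TEST-NET-1 range).
MGMT_STATION = ipaddress.ip_address("192.0.2.10")  # the site's SNMP manager

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
SNMP_PORTS = (161, 162)  # queries/sets and traps

class InboundEchoLimiter:
    """Token bucket: at most `burst` inbound echo requests at once, refilled at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def decide(pkt, limiter, now):
    """Return "accept", "drop", or "unmatched" (left to the rest of the ruleset)."""
    if pkt.proto == "icmp":
        if pkt.direction == "out":
            return "accept"                 # outbound ping/traceroute: no known risk
        if pkt.icmp_type in (ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
            return "accept"                 # answers our own ping/traceroute rely on
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            # inbound ping is what host-discovery sweeps use: limit it rather than forbid it
            return "accept" if limiter.allow(now) else "drop"
        return "drop"                       # any other inbound ICMP type
    if pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        # SNMP crosses the perimeter only when our management station is the inside
        # endpoint, so nobody outside can query or reconfigure the site's equipment
        inside = pkt.src if pkt.direction == "out" else pkt.dst
        return "accept" if inside == MGMT_STATION else "drop"
    return "unmatched"
```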