With the advent of distributed networking systems, there has been a growing need for systems (referred to hereinafter as “management systems”) that manage the devices of a network (referred to hereinafter as “nodes”) and the applications that may run on those devices (referred to hereinafter as “agents”). A managed system may include, among other things, the nodes and agents that are managed and a server (referred to hereinafter as a “management server”) that manages those nodes and agents.
Examples of nodes include operating system based computers that are capable of running agents (referred to hereinafter as “operating systems based nodes”) and devices, such as routers, firewalls and load balancers, that are not capable of running agents (referred to hereinafter as “non-operating systems based nodes”). Since the agents on operating systems based nodes not only send information about the system but can also actively and flexibly manage the nodes, operating systems based nodes with agents are referred to hereinafter as “managed” nodes. On the other hand, even though non-operating systems based nodes also send information about the system, for example using SNMP, the flexibility with which they can be managed is limited; hence non-operating systems based nodes are also known as “external” nodes, even though they may be managed indirectly, as will be described in more detail.
Examples of managing include, among other things, determining whether processes, nodes, and/or agents are running, how much memory a node has, the Central Processing Unit (CPU) utilization of the node, and whether a firewall has been breached, correlating received messages either on the agent or the management server side to determine that a firewall has been breached, and taking action based on these determinations. Examples of taking action may include, among other things, adding more memory to a node, re-balancing a workload, or terminating reception of communications from a network behind a firewall that is failing.
One such application and network management system is Hewlett Packard's OpenView Operations (OVO). Typically, in OVO, the nodes and/or agents associated with the application and network monitoring system communicate, directly or indirectly, information about their status to a management server. The server uses these communications to manage the nodes and/or agents associated with the network. For example, an agent executing on a particular managed node may generate a message including information about the status of the agent or of the node the agent is running on. Similarly, a non-managed node may generate an SNMP trap. The term “messages” shall be used hereinafter to refer to, among other things, messages generated with Application Programming Interfaces (APIs) such as opcmsg or opcmon, events, alerts, Simple Network Management Protocol (SNMP) traps, and system logs. An interceptor, also running on the node, receives the message (referred to hereinafter as a “received message”) and analyzes the received message against a template. Applications may be configured to be agents by associating templates and interceptors with the applications.
Typically a network administrator distributes templates to the various nodes that are being managed within a particular management system. Usually, templates are configured by more than one person or by more than one group of people. For example, application developers know more about the agents, and network administrators know more about the networks. Therefore, the application developers may initially configure the templates based on their knowledge of their applications. Then the network administrators may modify the templates, or add templates, based on their knowledge of the networks and distribute the templates to the appropriate nodes.
One problem with configuring templates is that developers have varying knowledge about security in general and about the other agents on a node. For example, since the developer of application A on an agent does not know the code of application B on the same agent, the developer of application A may develop templates that create messages that will in turn be received by the templates associated with application B (referred to herein as “proliferation of messages”).
Another problem with configuring templates is the complexity involved in configuring them, compounded by a lack of expertise on the part of the people doing the configuring. For example, network administrators and/or application developers frequently, and erroneously, configure the templates as permissively as possible. This may result in inappropriate actions being performed, either by mistake or owing to malicious intent.
An example of one inappropriate action is removing directories on a node that did not request the action. In this case, a user on node A creates a message requesting that an as yet unspecified action be performed on node B. A template on node A intercepts the message and appends a request for an action, such as the deletion of directories. The message is forwarded to the server. Since the message designates that the action should be performed on node B, the server forwards the message to node B. Since the message comes from the server, node B assumes that it must perform the action and deletes all of its directories. As can be seen, a malicious user may use this inappropriate action to delete directories on a node to which the user is not even allowed access.
In the above example, node A is an example of a “local node” because it is the node that requested, by creating the message, that the directories be deleted. Node B is an example of a “remote node” because it is not the node that requested the deletion of its directories. The deletion of the directories is an example of a “remote action” because the action of deleting directories was performed on a remote node. A “target node” is the node on which an action is performed. In this case, node B is the target node. However, if the action had been performed on node A, then node A would have been the target node. Further, if node A's directories had been deleted, the action would have been a “local action” because it would have been performed on the local node. Because the agent runs with root-level privileges while the message received by the agent can be created by a non-privileged user, even local actions may be used with malicious intent, for example to bypass user account privilege enforcement mechanisms.
Another example of an inappropriate action is the proliferation of messages (also known as a “message storm”). In this case, an improperly configured template erroneously generates new messages in response to received messages, and those new messages may themselves match the same template, so that the cycle repeats without bound.
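The two inappropriate actions described above, the remote action forwarded by the server and the message storm, are modelled in the following added example. It is an illustration written for this page, not OVO code or code from the patent; the message, template and server structures, the per-source/per-target action policy and the hop-count and repetition guards are assumptions about what a hardened management server could enforce, and the node names and message texts are constructed sample input.

```python
"""Simplified model of the template/interceptor/server message flow.

Assumed structures (not OVO's own): a Message carries its source (local)
node, its target node and an optional action appended by a template; a
Template either appends an action or generates a further message; the
Server routes actions and may enforce a policy.  Policy, hop and
repetition limits are assumed mitigations, not anything the text specifies.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    source: str                    # node that created the message (the "local node")
    target: str                    # node the action should be performed on ("target node")
    text: str
    action: Optional[str] = None   # action appended by a template, if any
    hops: int = 0                  # number of template-generated ancestors


@dataclass
class Template:
    match: str                          # substring the template matches on
    append_action: Optional[str] = None # action to attach to a matching message
    generate: Optional[str] = None      # text of a new message to emit on a match


def run_templates(msg, templates):
    """Apply the templates of the node that created msg.  Returns the
    (possibly modified) message and any messages the templates generated."""
    generated = []
    for t in templates:
        if t.match in msg.text:
            if t.append_action:
                msg.action = t.append_action
            if t.generate:
                generated.append(Message(msg.source, msg.target, t.generate, hops=msg.hops + 1))
    return msg, generated


class Server:
    """policy=None reproduces the vulnerable behaviour: any action is forwarded
    to whatever target the message names.  Otherwise policy[source][target] is
    the set of actions that source is allowed to have run on target."""

    def __init__(self, policy=None, max_hops=5, repeat_limit=10):
        self.policy = policy
        self.max_hops = max_hops
        self.repeat_limit = repeat_limit
        self.seen = Counter()   # (source, text) -> times received
        self.accepted = []      # messages the server accepted
        self.rejected = []      # (reason, message) pairs
        self.executed = []      # (target, action) pairs forwarded for execution

    def route(self, msg):
        # Storm guard: refuse messages that have been re-generated too often.
        self.seen[(msg.source, msg.text)] += 1
        if msg.hops > self.max_hops or self.seen[(msg.source, msg.text)] > self.repeat_limit:
            self.rejected.append(("storm", msg))
            return False
        if msg.action is not None:
            # Authorization guard: the requesting node, not the server's
            # trust, decides whether the action may run on the target.
            if self.policy is not None:
                allowed = self.policy.get(msg.source, {}).get(msg.target, set())
                if msg.action not in allowed:
                    self.rejected.append(("unauthorized", msg))
                    return False
            self.executed.append((msg.target, msg.action))
        self.accepted.append(msg)
        return True


def deliver(server, initial, templates_by_node):
    """Process a message and everything the templates generate from it.
    Generated messages are only propagated if the server accepted their parent."""
    queue = [initial]
    while queue:
        msg = queue.pop(0)
        msg, generated = run_templates(msg, templates_by_node.get(msg.source, []))
        if server.route(msg):
            queue.extend(generated)
    return server


def remote_action_scenario(policy):
    """Node A's template appends a directory-deletion action to a message
    that names node B as its target (constructed sample input)."""
    templates = {"nodeA": [Template(match="cleanup", append_action="delete_directories")]}
    msg = Message(source="nodeA", target="nodeB", text="cleanup request")
    return deliver(Server(policy=policy), msg, templates)


def storm_scenario():
    """A template that generates a message matching itself (constructed input)."""
    templates = {"nodeA": [Template(match="disk", generate="disk usage warning")]}
    msg = Message(source="nodeA", target="nodeA", text="disk full")
    return deliver(Server(policy={}, max_hops=5), msg, templates)


if __name__ == "__main__":
    print("vulnerable:", remote_action_scenario(None).executed)
    hardened = remote_action_scenario({"nodeA": {"nodeA": {"delete_directories"}}})
    print("hardened:", hardened.executed, [r for r, _ in hardened.rejected])
    s = storm_scenario()
    print("storm: accepted", len(s.accepted), "rejected", [r for r, _ in s.rejected])
```

With no policy the server forwards the deletion to node B exactly as the text describes; with a policy that only lets node A act on itself, the same message is rejected as unauthorized before it reaches node B. The storm scenario shows the self-matching template re-generating the same message on every pass until the hop limit stops it.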
The Advanced Network Security (ANS) module may be used for securing the communications aspect of an OVO based solution. ANS may be used to assure that only authenticated agents communicate with an authenticated server, and that the traffic between them meets integrity and confidentiality requirements. However, ANS does not address the problems already described herein, since a message that is authenticated and encrypted in transit may still carry an action that the requesting node should not have been allowed to request.
For these and other reasons, a method and/or a system that provides security for a network would be valuable. Further, a method and/or system that increases the overall performance of a network would also be of value. Further still, a method and/or a system that provides enhanced usability and robustness of an application and network management system would also be of value.