Patent Application
20090092126
Undoubtedly, the Internet has revolutionized personal and business communication by providing a global medium with powerful services such as the World Wide Web, e-mail, and Voice over Internet Protocol (VoIP). The Internet is a conglomeration of numerous heterogeneous networks, which are linked through internetworking devices, without restriction on the systems that can be a part of this global network. Because of the unrestricted nature, network security issues have garnered significant attention, particularly by service providers that need to ensure timely and secure communications for their customers. For example, in offering telecommunication services, service providers are continually faced with the challenge of balancing efficiency and cost versus security concerns. One important area involves the maintenance of customer premise equipment (CPE) devices configured to support services such as Internet access and VoIP. Conventionally, the retrieval of status information and alerts about a particular CPE device over the Internet can compromise the receiving system as well as the confidentiality of the information. Furthermore, the service providers need to be mindful of the protocols involved in such a service, as non-conformance to standards can result in a failed service.
Therefore, there is a need for securely obtaining information from CPE devices, while ensuring operations with current and developing standards.
Various exemplary embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements and in which:
An apparatus, method, and software for providing secure retrieval of system log information are described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the various exemplary embodiments. It is apparent, however, that the various exemplary embodiments may be practiced without these specific details or with an equivalent arrangement. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the exemplary embodiments.
Because the PSTN 107 is connected to the Internet 109, communication among voice stations (e.g., IP phone 105a) that are serviced through the PSTN 107, and personal computers (not shown) that are attached to the Internet 109 can be established (e.g., VoIP). A telephony gateway (not shown) within the network 109 converts the packetized voice information into a POTS (Plain Old Telephone Service) electrical signal, which is circuit switched to a voice station served by the PSTN 107. In an exemplary embodiment, the CPE device 105a employs Session Initiation Protocol (SIP) to exchange messages. A detailed discussion of SIP and its call control services are described in IETF RFC 2543 and IETF Internet draft “SIP Call Control Services”, Jun. 17, 1999; both of these documents are incorporated herein by reference in their entireties.
By way of example, in an enterprise scenario, the CPE devices 105a-105n are a bank of IP phones behind an IP private branch exchange (IP PBX). Unlike traditional circuit-switched PBX troubleshooting, in which phones are connected to physical ports so that narrowing problem areas is a relatively straightforward task, IP telephony involves a multitude of network elements working in concert (e.g., the IP phone itself, the various gateways, as well as the numerous routers transporting the traffic). The telephone connections are virtual, and thus, introduce more complexity in the troubleshooting process. Timely and accurate troubleshooting of the CPE devices 105a-105n, thus, plays a vital role in ensuring users are satisfied with their communication service.
Traditionally, obtaining information (e.g., system log information) from CPE devices 105a-105n to assist with debugging or troubleshooting, without compromising network security, has been difficult, largely because of the network address translation (NAT) aspect of the connections. NAT provides Internet connection sharing by permitting an Internet Protocol (IP) network to maintain public IP addresses separately from private IP addresses. In other words, NAT maps all of the private IP addresses to a single globally recognized IP address. NAT operates by modifying the source or destination address in the IP header to reflect the configured address mapping. The NAT protocol is more fully described in RFC 1631, which is incorporated herein by reference in its entirety.
According to certain embodiments, the system 100 provides an approach for retrieving system log messages from the CPE devices 105a-105n, in a manner that protects the privacy and confidentiality of the customer's system log messages without exposing network systems or infrastructure. This approach ensures the integrity of the system administrator platform 203 that receives these messages, and protects the network elements of the network 101 from potential attack. This allows safe and secure delivery of system log messages without being vulnerable to a hostile host located on the data network 109.
In one embodiment, a generic packet sniffer 111 is provided to capture system log information from the CPE devices 105a-105n. The packet sniffer 111 serves as a network analyzer or protocol analyzer for various types of network traffic, and can be implemented in software and/or hardware; details of an exemplary packet sniffer 111 is explained with respect to
The service provider network 101 includes a network firewall 119 that filters out the system log message before reaching the platform 103. The system administrator platform 103, in one embodiment, is a network management system.
As mentioned, the direct transmission of the system log by the CPE device 105a to the platform 103 poses a security risk for the service provider network 101. In recognition of this problem, the system 100 employs a packet sniffer 111, as next described.
Having a location to send syslog and debug logs is vital to the troubleshooting process. Under this scenario, the CPE device 105a behaves as a syslog source 301, and the platform 103 serves as a syslog collector 303. The syslog protocol provides an approach by which system messages are formatted and sent to remote systems for centralized archive/logging purposes (e.g., database 117). The syslog protocol uses a user datagram protocol (UDP) as the underlying transport layer mechanism; e.g., the UDP port that has been assigned to syslog is 514. The syslog protocol does not provide acknowledgement of message delivery. In this manner, senders transmit messages to receivers with no knowledge of whether they are acting for originators, collectors or relays.
It is noted that use of an actual server on the Internet 109 and allowing UDP traffic using port 514 from any device on the Internet 109 would be a breach of security protocols. Because of this drawback, service providers generally do not enable capture of system log events on a regular basis. This limits the amount of information that can be utilized in support of troubleshooting customers' issues relating to the CPE devices 105a-105n. Consequently, such limitation lengthens the troubleshooting process, and thus, the potential outage intervals experienced by the customers.
In one embodiment, the packet sniffer 111 is located on a protected virtual local area network (VLAN) behind the network firewall 119 to capture UDP packets destined to an IP address (e.g., the IP address of the platform 103). Specifically, the packet sniffer 111 can be configured to capture all packets destined for that protected IP address and UDP port 514.
As shown, a UPD packet 307 contains a syslog message 309 that specifies troubleshooting data generated by the CPE device 105a. The syslog message 309 includes a PRI part 309a, a HEADER part 309b, and a MSG part 309c. Generally, the length of the syslog message 309 is 1024 bytes or less. The PRI part 309a includes a number denoted as a “Priority value.” This priority value represents both the Facility and Severity. These parameters are detailed in RFC 3164. For example, Table 1 lists the syslog message severities.
The HEADER part 309b contains a timestamp and an indication of the hostname or IP address of the device. The MSG part 309c specifies the system log information within a CONTENT field, as well as the process that generated the system log information within a TAG field.
The operation of the packet sniffer 111 is explained with respect to
In step 401, packets originating from the CPE device 105a are examined by a router (e.g., the router 113 of
According to one embodiment, the packets are output as text file by the packet sniffer 111 via a file generator 311 (step 407). The network firewall 119 can then discard, per step 409, these packets before they reach the destination—i.e., platform 103. The text file can then be supplied to the debugger/troubleshooting application 115 of the system administrator platform 103 for debugging or troubleshooting.
Returning to step 403, if the packets are not to be captured the packet sniffer 111, they are simply forwarded, as in step 411, to the firewall 119, which will filter the packets accordingly.
Under the above process, because the packets are not reassembled and only the contents are set for viewing only, there is no security threat to the service provider network 101. Also, there is no need to have a system listening on the unprotected Internet segment for syslog messages. Moreover, any system probing for active UDP port 514 services would not be able to detect the presence of this service within any network segment.
Although retrieval of the system log information is described using the syslog protocol, the above approach can be utilized for any stream (using any equivalent protocol) to log function.
The packet sniffer 111 can also include a presentation module 509 for presenting a graphical user interface (GUI) configured to display the system log information to a display 511. Alternatively, this GUI can be utilized by the system administrator system 103 to view the log information.
Also, the user can activate a network statistics pane 605, which displays various statistical data for the received packets. In addition, a filters pane 607 is provided to apply filters associated with the system log information. These filters can include hardware filters and software filters. The filters, for instance, can include protocol types (e.g., physical layer, network layer, transport layer, etc.), transmission type (e.g., broadcast, multicast, unicast, etc.), traffic type (e.g., HyperText Transfer Protocol (HTTP) traffic and text), etc. Filters are particularly useful when the packet sniffer 111 is used to isolate packets for further analysis.
Furthermore, a pane 609 permits selection of various traffic reports or customization of reports.
Although not depicted, the screen 600 can additionally provide various navigational elements, e.g., scrollbars, tabs, etc. to allow users to traverse or navigate the screen 600.
The above described processes relating to system log information retrieval and associated CPE troubleshooting may be implemented via software, hardware (e.g., general processor, Digital Signal Processing (DSP) chip, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs), etc.), firmware or a combination thereof. Such exemplary hardware for performing the described functions is detailed below.
The computer system 700 may be coupled via the bus 701 to a display 711, such as a cathode ray tube (CRT), liquid crystal display, active matrix display, or plasma display, for displaying information to a computer user. An input device 713, such as a keyboard including alphanumeric and other keys, is coupled to the bus 701 for communicating information and command selections to the processor 703. Another type of user input device is a cursor control 715, such as a mouse, a trackball, or cursor direction keys, for communicating direction information and command selections to the processor 703 and for controlling cursor movement on the display 711.
According to one embodiment of the invention, the processes described herein are performed by the computer system 700, in response to the processor 703 executing an arrangement of instructions contained in main memory 705. Such instructions can be read into main memory 705 from another computer-readable medium, such as the storage device 709. Execution of the arrangement of instructions contained in main memory 705 causes the processor 703 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the instructions contained in main memory 705. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the exemplary embodiment. Thus, exemplary embodiments are not limited to any specific combination of hardware circuitry and software.
The computer system 700 also includes a communication interface 717 coupled to bus 701. The communication interface 717 provides a two-way data communication coupling to a network link 719 connected to a local network 721. For example, the communication interface 717 may be a digital subscriber line (DSL) card or modem, an integrated services digital network (ISDN) card, a cable modem, a telephone modem, or any other communication interface to provide a data communication connection to a corresponding type of communication line. As another example, communication interface 717 may be a local area network (LAN) card (e.g. for Ethernet or an Asynchronous Transfer Model (ATM) network) to provide a data communication connection to a compatible LAN. Wireless links can also be implemented. In any such implementation, communication interface 717 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information. Further, the communication interface 717 can include peripheral interface devices, such as a Universal Serial Bus (USB) interface, a PCMCIA (Personal Computer Memory Card International Association) interface, etc. Although a single communication interface 717 is depicted in
The network link 719 typically provides data communication through one or more networks to other data devices. For example, the network link 719 may provide a connection through local network 721 to a host computer 723, which has connectivity to a network 725 (e.g. a wide area network (WAN) or the global packet data communication network now commonly referred to as the “Internet”) or to data equipment operated by a service provider. The local network 721 and the network 725 both use electrical, electromagnetic, or optical signals to convey information and instructions. The signals through the various networks and the signals on the network link 719 and through the communication interface 717, which communicate digital data with the computer system 700, are exemplary forms of carrier waves bearing the information and instructions.
The computer system 700 can send messages and receive data, including program code, through the network(s), the network link 719, and the communication interface 717. In the Internet example, a server (not shown) might transmit requested code belonging to an application program for implementing an exemplary embodiment through the network 725, the local network 721 and the communication interface 717. The processor 703 may execute the transmitted code while being received and/or store the code in the storage device 709, or other non-volatile storage for later execution. In this manner, the computer system 700 may obtain application code in the form of a carrier wave.
The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions to the processor 703 for execution. Such a medium may take many forms, including but not limited to non-volatile media, volatile media, and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as the storage device 709. Volatile media include dynamic memory, such as main memory 705. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise the bus 701. Transmission media can also take the form of acoustic, optical, or electromagnetic waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.
Various forms of computer-readable media may be involved in providing instructions to a processor for execution. For example, the instructions for carrying out at least part of the various exemplary embodiments may initially be borne on a magnetic disk of a remote computer. In such a scenario, the remote computer loads the instructions into main memory and sends the instructions over a telephone line using a modem. A modem of a local computer system receives the data on the telephone line and uses an infrared transmitter to convert the data to an infrared signal and transmit the infrared signal to a portable computing device, such as a personal digital assistant (PDA) or a laptop. An infrared detector on the portable computing device receives the information and instructions borne by the infrared signal and places the data on a bus. The bus conveys the data to main memory, from which a processor retrieves and executes the instructions. The instructions received by main memory can optionally be stored on storage device either before or after execution by processor.
In the preceding specification, various preferred embodiments have been described with reference to the accompanying drawings. It will, however, be evident that various modifications and changes may be made thereto, and additional embodiments may be implemented, without departing from the broader scope of the invention as set forth in the claims that flow. The specification and the drawings are accordingly to be regarded in an illustrative rather than restrictive sense.
