CARENET-SE. NOC Tools Review. Communication System Design Summer Project team. Champion Björn Pehrson Coach Hans Eriksson

Transcription

1 NOC Tools Review CARENET-SE Communication System Design Summer 2010 Project team IK2207 Alin Pastrama Champion Björn Pehrson Coach Hans Eriksson IK2207 Annika Holmgren IK2208 Jie Sun IK2208 Haresh Rajendran IK2209 Hieu Tran IK2209 Mohammed Shahriar Munir Identifier: REP-001 Revision: 0 Date:

2 Document History Revision Revision Summary of Changes Author(s) Number Date The document was created. Alin Pastrama 2

3 Table of Contents 1. Introduction Purpose Scope Audience Structure Nagios Description Implementation Advantages Disadvantages Proposal Cacti Description Implementation Advantages Disadvantages Proposal Weathermap4RRD Description Implementation Advantages Disadvantages Proposal RT Description Implementation Advantages Disadvantages Proposal MRTG Description Implementation Advantages

4 6.4. Disadvantages Proposal EasyIDS Description Snort Arpwatch BASE Ntop Nmap Implementation Advantages Disadvantages Proposal Summary

5 1. Introduction 1.1. Purpose The purpose of this document is to make a review of the current tools used in the CareNet- SE network operation center (NOC) as of June The reasoning behind this review is that the Summer 2010 Carenet-SE team intends to rebuild the NOC, in order to make it more adequate for the current network and service infrastructure, as well as more streamlined and easy to export and deploy. Reviewing the current setup is the first step in this process Scope This document covers the existing tools used for network monitoring, intrusion detection, graphing and tracking. The tool configurations are discussed, but they are not explicitly listed or attached. For each tool, suggestions are made on whether the tool should be kept as it is, modified or excluded from the future setup. This review does not cover network services, such as SIP or DNS, nor does it discuss issues pertaining to hardware configuration Audience This document is aimed at the members of the CareNet-SE team, who are the users of the NOC tools, and at the project owners, who will ultimately decide if there is a case for rebuilding the NOC or not Structure Each of the tools will have a section covering its general purpose and description, the way it is implemented and configured in the CareNet-SE network, its pluses and minuses and a proposal regarding its use in the future. After all the tools have been discussed, a final conclusion will be drawn in the form of a summary, which will stand as a basis for a proposal document[pro-001]. 5

6 2. Nagios 2.1. Description Nagios 1 is an open source network monitoring system (NMS) with capabilities for monitoring hosts and services via both remote polling and reporting agents. It provides and SMS alerts, as well as reporting and trending features. Being open source, it is highly extensible, with hundreds of community plugins and addons, which make it very popular in enterprise networks Implementation Nagios is implemented in the current NOC setup as one of the monitoring tools. It currently monitors the availability of the three routers located in Kista, Huddinge and at Valhallavägen. This is done by pinging the devices from the NMS machine. On the service side, only the Kista router is being monitored. Bandwidth usage is monitored with the check_mrtgtraf plugin, but the plugin is misconfigured, since the monitoring doesn t work and the standalone MRTG 2 tool works properly. Link status and uptime are monitored via SNMP, but again, the monitoring doesn t work. The SNMP daemon is up and running on the router, but there is no SNMP manager running on the NMS machine Advantages Nagios has many monitoring and reporting features out of the box, and it can be extended to monitor basically any service. It is also well supported and documented Disadvantages Nagios has limited graphing capabilities. Also, it does not have an auto discovery feature, so every monitored host and service has to be added to the configuration manually. Both of these issues can be addressed with existing community plugins Proposal Nagios should be at the core of the NOC, and other tools should be built around it and integrated

7 More of its features should be employed, particularly service monitoring, and devices other than routers (switches, servers, home extensions, HDVC clients) should also be monitored. It should also be extended with community plugins to monitor additional services, such as MiniSIP 3 and OpenVPN

8 3. Cacti 3.1. Description Cacti 5 is an open source graphing tool based on RRDTool 6. Cacti allows for polling of services at predetermined intervals and graphing of the resulting data. It also supports SNMP polling for network devices Implementation Cacti is implemented in the current NOC setup as one of the three graphing tools. It is configured to monitor the routers in Kista and at Valhallavägen via SNMP. The graphs, however, show NAN (not a number) values, which indicate that something is wrong with the monitoring. SNMP is up and running on the routers, but there is no SNMP manager running on the NMS machine Advantages Cacti can generate custom graphs from a number of different data sources. Its web interface allows for quick creation of graphs from templates. It is possible to integrate Cacti in Nagios Disadvantages Although Cacti comes with a set of templates, the graphs have to be configured from the web interface, along with the data sources. Cacti is dependent on RRDTool to function properly Proposal Cacti is a powerful graphing tool and it should be integrated with Nagios if the Nagios plugins for graphing cannot produce satisfactory graphics. Otherwise, it can be left out of the NOC build

9 4. Weathermap4RRD 4.1. Description Weathermap4RRD 7 is an open source PNG picture generator. It acquires data from sources such as RRDTool databases and plots it in the form of graphical elements (arrows, labels etc.). The graphs can be plotted on top of network topologies or geographical maps, in order to produce suggestive resource usage graphs Implementation In the current NOC build, Weathermap4RRD is used to plot the links in the CareNet-SE network on top of a map of Stockholm. The colors and labels of the links depend on values extracted with RRDTool. The map refreshes every minute Advantages The tool can be used to produce a suggestive physical topology of the network Disadvantages Weathermap4RRD has a very limited set of features. It is only useful for presentational purposes Proposal Weathermap4RRD should only be used as an overview graphic for the NMS interface, possibly on the login page. Otherwise, it has no obvious use and should be excluded from the NOC setup

10 5. RT 5.1. Description RT 8 (Resource Tracker) is an open source ticketing system used to manage tasks and requests submitted by a community of users. RT provides features for ticket identification, prioritization, assignment, resolution and notification Implementation The RT ticketing system seems to be hosted on a remote server, which is unreachable. The tool is installed on the NOC machine, but it is not configured Advantages RT offers, as described, advanced ticketing features; furthermore, it can integrate with Nagios so that Nagios alerts can automatically generate RT tickets and vice versa Disadvantages RT is a complex tool with many features, which is more adequate for a helpdesk or software development environment Proposal Although it is more than what the CareNet-SE staff currently needs for ticket tracking, RT should be kept in the NOC setup and integrated with Nagios. In the future, as the CareNet-SE network expands with more nodes, home extensions and clients, RT will prove to be very useful

11 6. MRTG 6.1. Description MRTG (Multi Router Traffic Grapher) is an open source tool that monitors SNMP network devices and produces traffic and resource usage graphs. It can also generate alerts when certain thresholds are reached Implementation In the current NOC setup, MRTG is used to monitor and graph data from the interfaces of the routers located in Kista and at Valhallavägen. It produces daily, weekly, monthly and yearly graphs Advantages MRTG is simple to configure and the data it collects can be used by Nagios Disadvantages MRTG does not offer much control of the graphics it generates, and is limited in options in features Proposal Being the third choice for graphics, after Nagios plugins and Cacti, MRTG should be excluded from the NOC setup. 11

12 7. EasyIDS 7.1. Description EasyIDS 9 is an intrusion detection software suite built around Snort 10 (presented below). It integrates a series of security analysis and general network monitoring tools, and is capable of producing graphs and alerts Snort Snort is an open source intrusion detection and prevention system (IDS/IPS). It is capable of performing signature-, protocol- and anomaly-based inspection. Snort s capabilities of passive detection and active blocking of various attacks and probes make it very popular in enterprise networks Arpwatch Arpwatch 11 is an open source tool that monitors ARP traffic and keeps a database of IP MAC address pairs. It is used to detect ARP spoofing 12 attacks and it supports notifications BASE BASE 13 (Basic Analysis and Security Engine) is an open source front-end for Snort. It provides a web-based interface to query and analyze alerts generated by Snort Ntop Ntop 14 (Network top) is an open source traffic probe that shows network usage. It is capable of producing and storing statistics and generating graphs Nmap Nmap 15 (Network Mapper) is an open source tool for network probing and security audit. Nmap can determine what hosts are available in a network and what services they are

13 offering. It provides a number of techniques for probing, port scanning and other reconnaissance attacks Implementation EasyIDS is configured as passive network-based IDS, monitoring activity on the link between the Kista router and the Kista LAN. The main backend component is Snort. Most of the preprocessors are enabled and the default rule sets are used. The configuration is modified to permit editing from the web interface.the Barnyard 16 addon is installed to store data generated by Snort in a database. alerts are not enabled and the rule set has never been updated. Along with Snort, a few additional tools are integrated. Arpwatch lists IP/MAC address associations, Nmap allows for scanning and probing and Ntop provides basic traffic information. BASE is the front end for Snort. The EasyIDS web interface integrates all of the tools and allows for setting and configuration modification Advantages EasyIDS is an integrated solution that is easy to deploy and configure. It requires minimal knowledge of the tools Disadvantages Some of the tools are redundant: Arpwatch and Ntop do not provide information that cannot be obtained by Nagios. The BASE interface is slow and loading time is in the order of minutes. EasyIDS is not updated at the same rate as the tools that it consists of. These tools need to be updated individually, which might cause incompatibilities and defeats the purpose of having a simple and intuitive all-in-one interface Proposal Snort should remain at the core of the IDS, and it should be tuned to match the CareNet-SE network configuration. The other tools should be excluded from the future build, as they do not provide significant advantages

14 For the front end, a faster alternative for BASE, such as Snorby 17, should be tested. If no suitable alternatives are found, then BASE should be kept as the interface for Snort. Overall, the EasyIDS suite should be replaced with its central components

15 8. Summary The current NOC setup is made up of two components: a network monitoring system (NMS) and an intrusion detection system (IDS). The NMS is made up of a number of tools that are accessible from a common web interface, but are otherwise not connected to each other.nagios is used for basic availability checks of the routers. Cacti, Weathermap4RRD and MRTG are used for graphs and diagrams. RT is used as a ticketing system. There are some configuration issues with the SNMP manager, which render Cacti useless and reduces Nagios functionality and the ticketing system is unreachable. The three graphing tools are redundant and their functionality overlaps. The IDS is made up of a set of closely integrated tools and is built around Snort. Snort provides the core functionality of traffic inspection; BASE is the front end for Snort, Arpwatch maintains a list of IP/MAC address pairs, Ntop provides basic traffic information and Nmap allows for scanning and probing of the network. Snort uses a basic configuration with an outdated rule set and the BASE interface loads very slowly. The functionality added by Arpwatch and Ntop can be implemented in Nagios, which makes the tools redundant. Upon reviewing the current NOC setup, a conclusion has been reached that a new setup is needed, based on the core tools of each of the two components: Nagios for monitoring and Snort for security. These two core tools should be configured and extended to match the CareNet-SE network configuration and better serve their purposes. Other tools should be added and integrated if they offer obvious advantages. Based on this review, a proposal for a NOC reconfiguration 18 [PRO-001] will be developed. 18 PRO-001 NOC Reconfiguration 15