Introduction. Manageability. What is needed?




Introduction

It will come as no surprise to readers of this white paper that Microsoft currently dominates the IT marketplace. The company has been able to leverage the vast number of computers using its operating systems to expand its market share of applications including e-mail servers, databases, office application suites and infrastructure services. Unfortunately, this makes the company and its products attractive targets for attacks such as MS Blast, Sasser, Code Red, Nimda and other threats. The harsh reality is that Microsoft operating systems and products need proactive monitoring and management to keep them running properly.

This paper describes a network management strategy and a multifunction system to support that strategy using a variety of tools, information gathering techniques and reporting options. The strategy and system proposed are intended to help IT administrators manage both the Microsoft and non-Microsoft products that are likely to be deployed in a typical network.

Manageability

The management of Microsoft Windows, as well as non-Windows network devices, is at the heart of getting the most out of a network. Good management means the IT department knows what it has and that it is functioning properly; is using hardware, software and human resources in an optimal manner; and that assets are being properly protected. So the broad area of manageability involves subcategories, which for the purposes of this white paper are reliability, availability and security.

By more effectively managing computing systems, businesses can realize increases in efficiency, reduce business overhead and empower IT managers to spend more time making computers create real business value. The goals of efficient and effective IT infrastructure management are to improve reliability, availability and security while lowering the total cost of ownership. Improving the delivery of services, in particular the Information Technology Infrastructure Library (ITIL) topic area of Service Management, is also a key concept but one that will be dealt with in another white paper.

What is needed?

With the right management systems in place, IT administrators can improve business performance and streamline IT operations by continually monitoring network health issues, quickly identifying trouble spots and efficiently solving problems. Ensuring the health and performance of Windows computers, while continuing to use existing systems, requires a management strategy based on processes, procedures and tools that look at a business' network as a whole, not as isolated technology islands.

This white paper will develop a management strategy that will allow IT administrators to efficiently deploy and manage IT infrastructure in a systematic way and get away from individually checking servers, PCs and network devices to ensure that they are functioning properly, are up to date with the right set of software and software patches and don't have security holes.

Within the scope of this manageability white paper, each of the three subtopics (availability, reliability or performance, and security) will be defined (simplistically) as follows:

- Availability is the amount of time a node or service is available for processing transactions. This includes both the hardware supported and services such as LDAP, SMTP, DNS and DHCP.
- Reliability is a measure of how dependable a system is once you actually use it. Performance deals with how well a node or service achieves its various tasks.
- Security, a broad topic that covers a multitude of sins, is concerned with making sure access to information and systems is restricted to only those who are authorized to have access.

Being able to monitor these attributes is key to managing an IT network. Without a view of a network's availability, reliability or performance and security, it is virtually impossible to effectively manage the network for safe and efficient day-to-day operations, let alone effectively plan for network upgrades and changes.

Where does WMI fit in?

Windows Management Instrumentation (WMI) reporting is a useful tool that provides a wealth of information on Windows platforms. What it doesn't do is pull together information from non-Windows platforms and, since virtually every Windows-based network also includes at least some non-Windows devices, WMI does not provide one central location for all the information that is required to properly manage a network. Since WMI is limited to just Microsoft Windows platforms, those IT departments that also run Linux or want information on other devices that could be captured with SNMP need additional solutions.

Also, there are the efficiency advantages that would be gained by having one single, integrated system that can gather all the needed information in one location and present the information in a variety of formats and user-friendly reports. This makes climbing the learning curve faster, finding the information needed in a timely manner easier and compiling the information in reports and charts more meaningful. These sorts of benefits can be difficult to quantify in hard dollars, but that makes them no less significant.

Managing availability

Microsoft server platforms, and the applications that run on them, occasionally stop functioning: Exchange stops exchanging or SQL Server stops serving. Often, these problems can be cleared and resolved by stopping and restarting an underlying service. A polling engine can watch these services and could provide options to the users like: 1) stop/start the remote service, 2) provide current updated status information, or 3) configure the service to be automatically restarted. The capability to automatically restart a service means that the appliance can repair problems as they occur and simply advise IT staff that a problem happened and was solved.

A list of critical Microsoft products to be monitored and managed includes the following:

- Operating systems including Windows XP, Windows 2000 and server class operating systems such as Windows Server 2003
- Microsoft Exchange
- Microsoft Active Directory and DNS Server
- Microsoft Terminal Services
- Microsoft SQL Server
- The "internal services" related to these platforms

What is needed is a system that can identify and alleviate some of the common problems that occur with Microsoft products. The scope of such a system ought to include the discovery, monitoring and management of Microsoft applications (See Figures 1a and 1b) and provide all the meaningful and relevant information.

Figure 1a. Example of Installed Application List

Figure 1b. Example of Installed Application List. Note that in this example "Doom 3" is installed on 4 machines, which may represent a potential security issue.

Some meaningful and relevant information gathering requirements for a few key Microsoft products are outlined below.

Microsoft Environment
- Memory metrics including physical, virtual and page files
- Hard drive metrics both logical and physical
- CPU metrics including utilization and queue for multiple processors
- Network metrics
- The operational state of internal processes
- Important event log entries

Microsoft Exchange
- Domain information
- Mail queue metrics
- Process and resource states

Microsoft SQL
- Clustering information
- Name, file system and size information
- Database metrics, including lock rates, cache hit rates, etc.
- Various state metrics for each configured database

Microsoft Terminal Services
- Terminal name and description
- Protocol/transport information
- Active/inactive/total session counts

Microsoft Active Directory
- Lookup/response metrics
- WINS metrics
- Zone transfer metrics
- Replication partners and status
- DNS statistics

Managing reliability

It would be helpful if the same system could provide infrastructure management and security administration throughout a network including firewalls, routers, switches and any other device connected to a network. The system should gather a comprehensive set of hardware, software and configuration information including the requirements outlined below.

- Microsoft servers and workstations
- SNMP-enabled devices supporting the Host Resources MIB including Mac OS X, Linux, UNIX, Novell and others
- Installed applications/packages
- Installed "hotfixes"
- Hardware configuration
- Operating system configuration metrics
- Hard drives and network "share" information
- Printer information
- BIOS serial number

This information should be presented as a set of standard reports as well as reports that can be customized. Such a set of reports should include management reports: network report card, availability report and outage report; performance reports: SNMP performance reports and Windows management performance reports; and inventory reports. (See Figure 2)

Figure 2. Example List of Available Reports. Additional reports can be created and customized.

Performance data is also important. Shown below is a CPU usage chart (See Figure 3).

Figure 3. Example CPU Usage Charts

Managing security

The solution should have an intrusion management capability specifically designed for easy configuration, even by those with little security training. The device should provide an in-depth analysis of "weak spots" in the network - what needs to be upgraded, what needs to be patched, what needs to be shut off altogether - complete with recommendations and a description of the appropriate solution, all via the same interface.

Are there applications installed that require a patch? Are there some keys in the registry that identify applications that don't belong there? These are questions that typically can only be answered with a visit to the desktop, and those visits require time most administrators don't have, or alternatively with a system that can gather information remotely, thereby reducing mean time to repair and improving uptime.

This information should be presented as a set of standard reports as well as reports that can be customized. The example below provides the following reports (See Figure 4):

- Security Reports
- Intrusion Detection Reports
- Vulnerability Report

Software solutions are useful but typically deal with only one specific area of concern, so multiple programs must be installed, learned, operated and managed. An appliance that does it all in one box is easier to install, operate and manage and presents just one interface and one set of instructions to learn.

Figure 4. Example List of Security Threats

Vulnerability reports should include data on all devices scanned, and inventory reports should include all inventory information including Windows Systems inventory data, asset records and Host Resources Management Information Base (MIB) information. Such a report should be available in XML format for export into other reporting tools and other applications. (See Figures 5, 6 and 7.)

Figure 5. Example Search Criteria

Figure 6. Example Vulnerability Scans

Figure 7. Example Open Vulnerability Report
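The remote check described under "Managing security" (which applications don't belong, which machines lack a patch, with the result exportable as XML) can be sketched as follows. This is an added example, not code from the white paper or from any product it describes; the inventory records, application names, hotfix IDs and both policy sets are constructed placeholders.

```python
# Added example: audit remotely collected inventory for unapproved software
# and missing hotfixes, then export the findings as XML.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample inventory; host names, applications and hotfix IDs are
# placeholders, not data from the white paper.
INVENTORY = [
    {"host": "ws-01", "apps": ["Office Suite", "Doom 3"], "hotfixes": ["HF-0001", "HF-0002"]},
    {"host": "ws-02", "apps": ["Office Suite", "doom 3 "], "hotfixes": ["HF-0001"]},
    {"host": "ws-03", "apps": ["Doom 3"], "hotfixes": ["HF-0001", "HF-0002"]},
    {"host": "ws-04", "apps": ["Mail Client", "Doom 3"], "hotfixes": []},
    {"host": "srv-01", "apps": ["Database Server"], "hotfixes": ["HF-0002", "HF-0001"]},
]
APPROVED_APPS = {"Office Suite", "Mail Client", "Database Server"}  # assumed policy
REQUIRED_HOTFIXES = {"HF-0001", "HF-0002"}                          # assumed policy


def _norm(name):
    """Compare names case-insensitively and ignore stray whitespace."""
    return " ".join(name.split()).casefold()


def audit(inventory, approved, required):
    """Return (unapproved app -> hosts, host -> missing hotfixes)."""
    approved_norm = {_norm(a) for a in approved}
    display = {}                      # normalized name -> first spelling seen
    unapproved = defaultdict(list)
    missing = {}
    for record in inventory:
        for app in record["apps"]:
            key = _norm(app)
            if key not in approved_norm:
                display.setdefault(key, " ".join(app.split()))
                unapproved[display[key]].append(record["host"])
        gap = sorted(required - set(record["hotfixes"]))
        if gap:
            missing[record["host"]] = gap
    return dict(unapproved), missing


def to_xml(unapproved, missing):
    """Serialize findings; ElementTree escapes attribute and text values."""
    root = ET.Element("auditReport")
    for app, hosts in sorted(unapproved.items()):
        node = ET.SubElement(root, "unapprovedApplication",
                             name=app, hostCount=str(len(hosts)))
        for host in hosts:
            ET.SubElement(node, "host").text = host
    for host, gap in sorted(missing.items()):
        node = ET.SubElement(root, "missingHotfixes", host=host)
        for hotfix in gap:
            ET.SubElement(node, "hotfix").text = hotfix
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(*audit(INVENTORY, APPROVED_APPS, REQUIRED_HOTFIXES)))
```

Matching against an approved list rather than a blocked list means software nobody anticipated is still reported.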

How can such a system be created?

The appliance envisioned by this white paper would leverage various complex mechanisms for collecting information from managed devices, including Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP) and synthetic transactions with managed services.

WMI

As mentioned earlier, WMI is a facility that encompasses various components. WMI provides a way for remote systems to communicate with Microsoft platforms, log in and access a complex tree of data about the current system status, as well as invoke actions. WMI is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. WMI is installed on all computers with Windows Millennium Edition (Me), Windows 2000, Windows XP, or Windows Server 2003. It can be downloaded for computers using Windows 98 or Windows NT 4.0.

WMI is the Microsoft implementation of Web Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), a computer industry standard for defining device and application characteristics so that system administrators and management programs can control devices and applications from multiple manufacturers or sources in the same way.

WMI provides users with information about the status of local or remote computer systems. It also supports such actions as the configuration of security settings, setting and changing system properties, setting and changing permissions for authorized users and user groups, assigning and changing drive labels, scheduling processes to run at specific times, backing up the object repository and enabling or disabling error logging. Windows management performance reports should be standard.

SNMP

Since WMI is a Microsoft-proprietary interface, non-Windows systems would be managed via SNMP agents with support for MIB II, the Host Resources MIB and a large number of enterprise MIBs. With such support, system management information could be gathered for most server-class systems. Ideally, a large number of standard and vendor SNMP traps would be supported as well as notifications to IT administrators. SNMP performance reports should also be part of the standard reports provided.

SNMP is the most common method by which network management applications can query a management agent using a supported MIB. SNMP operates at the OSI application layer. IP-based SNMP is the basis of most network management software, to the extent that today the phrase "managed device" implies SNMP compliance. SNMP can now manage virtually any network type and has been extended to include non-TCP devices.

Synthetic solutions with managed services

Synthetic transaction modules can monitor and measure the availability of services remotely. The modules use synthetic (dummy) transactions to simulate use of the service. These modules send service requests to the services periodically, according to defined settings, and simulate usage to monitor the service. Examples of response times that can be reported are connect time and total transaction time.

Synthetic transactions detect and monitor specific services on host systems. Synthetic transactions provide more extensive and reliable validation of service availability. A synthetic transaction can be a simple code fragment that checks the banner returned on a specific TCP port to determine the presence and availability of a TCP-based service, e.g., SSH service. Synthetic transactions can also be more complex, requiring real service requests to be sent, e.g., a DNS look-up request to a DNS Server to monitor service availability. Service availability information can be provided with a great deal of precision by making use of synthetic transactions at regular intervals for key services.

Manageability solution

Manageability can mean many different things and a variety of topics and issues could fall under such a general subject. But for the purposes of this white paper, a reasonable way to think about manageability was to break it down into three subtopics - availability, reliability and security.
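The two synthetic transactions named under "Synthetic solutions with managed services" (a TCP banner check such as SSH, and a real DNS look-up) can be sketched as below, reporting connect time and total transaction time. This is an added example, not code from the white paper or from any product it describes; the function names, result fields and the constructed banner in the demo are assumptions made for illustration.

```python
# Added example: synthetic-transaction probes for a TCP banner and a DNS lookup.
# Function names and result fields are illustrative, not from any product.
import os
import socket
import struct
import time


def read_banner(sock, limit=255):
    """Read the first line a service sends after connect (e.g. an SSH banner)."""
    data = b""
    while b"\n" not in data and len(data) < limit:
        chunk = sock.recv(limit - len(data))
        if not chunk:          # peer closed before finishing the line
            break
        data += chunk
    return data.split(b"\n", 1)[0].rstrip(b"\r")


def probe_banner(host, port, expected_prefix, timeout=3.0):
    """TCP synthetic transaction: up only if the banner matches the service."""
    result = {"up": False, "connect_s": None, "total_s": None, "detail": ""}
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connect_s"] = time.monotonic() - start
            banner = read_banner(sock)
        result["detail"] = banner.decode("ascii", "replace")
        # An open port alone proves little; require the expected greeting.
        result["up"] = banner.startswith(expected_prefix)
    except OSError as exc:     # refused, unreachable, timed out
        result["detail"] = f"error: {exc}"
    result["total_s"] = time.monotonic() - start
    return result


def build_dns_query(name, txid):
    """Encode a one-question DNS query for an A record (RFC 1035 format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def evaluate_dns_reply(reply, txid):
    """Decide from the reply header whether the lookup really succeeded."""
    if len(reply) < 12:
        return False, "truncated reply"
    rid, flags, _qdcount, ancount = struct.unpack("!HHHH", reply[:8])
    rcode = flags & 0x000F
    up = rid == txid and bool(flags & 0x8000) and rcode == 0 and ancount > 0
    return up, f"id_match={rid == txid} rcode={rcode} answers={ancount}"


def probe_dns(server, name, port=53, timeout=3.0):
    """UDP synthetic transaction: send a real query, time the full exchange."""
    txid = int.from_bytes(os.urandom(2), "big")
    result = {"up": False, "connect_s": None, "total_s": None, "detail": ""}
    start = time.monotonic()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.connect((server, port))   # only accept replies from this server
            sock.send(build_dns_query(name, txid))
            reply = sock.recv(512)
        result["up"], result["detail"] = evaluate_dns_reply(reply, txid)
    except OSError as exc:
        result["detail"] = f"error: {exc}"
    result["total_s"] = time.monotonic() - start
    return result


if __name__ == "__main__":
    # Constructed demo: a socket pair stands in for a server sending a banner.
    server_end, client_end = socket.socketpair()
    server_end.sendall(b"SSH-2.0-ExampleServer\r\n")
    print(read_banner(client_end))
    server_end.close()
    client_end.close()
```

Both probes report a service as up only when the reply has the expected content, so a port that accepts connections but serves the wrong thing, or a DNS server that answers with an error code, counts as an outage.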

As stated at the beginning of this paper, the manageability of Microsoft Windows, as well as non-Windows network devices, is at the heart of getting the most out of a network. A system for managing Microsoft products really needs to manage non-Microsoft products too, since almost any network is likely to have a variety of platforms deployed.

An approach to IT network management was presented that addressed the three elements of manageability with the goal of more effectively managing computing systems. The bottom-line result is greater efficiency, reduced business overhead and empowered IT managers who are able to spend more time making computers create real business value. Achieving this goal can be made possible by giving IT managers both a way to access the items that make up their network and the data needed to make informed decisions, in appliances that are easy to deploy, learn and use.

Raritan's solution

Raritan's approach to manageability is rooted in the availability and performance monitoring of IT networks. Monitoring should be robust. You should have access to all the information needed to make the right decisions. The actual users' real-world needs should be considered so that what is provided is usable information, not a lot of raw data. Finally, tools should be simple to deploy. IT administrators and directors have lots of complexity with which to deal. The deployment of a solution to make life easier and more efficient ought not to be so complicated that the remedy is worse than the problem.

Enter CommandCenter NOC. It is designed to provide you with the information necessary to support critical decisions in your environment. Depending on your role, the nature of those decisions may vary from a help desk technician analyzing memory usage to determine if upgrades are appropriate, to a network designer using router buffer failures to support sizing decisions in equipment acquisitions.

Raritan's CommandCenter NOC family is a set of multifunction IT infrastructure management appliances which enable IT departments to address Microsoft and other IT infrastructure management issues. It is designed for businesses or business units of larger enterprises with up to 250 servers, 250 network devices and 2500 client PCs.

The CommandCenter NOC high-level "dashboard" (See Figure 8) provides easy and efficient access to a wealth of information. The following areas provide the information that is probably most useful to IT administrators monitoring and managing a typical midsize network:

Reliability and Availability
- Network Management (Center cluster: Network Devices, Servers, General) - Proactively monitors, collects, and maintains all devices and services on a network.
- Windows Management (Middle right) - Manages Windows system servers and workstations by providing a single repository for event, performance and inventory data.

Availability
- Traffic Analysis (Lower right) - Analyzes network traffic flow and creates reports showing the presence, absence, amount, direction, and frequency of network traffic.

Security
- Intrusion Detection (Upper right) - Monitors and analyzes system events for attempts to access system resources in an unauthorized manner.
- Vulnerabilities (Lower left) - Scans and assesses the network for vulnerabilities and assists network administrators to resolve security concerns.

Figure 8. CommandCenter NOC Dashboard

CommandCenter NOC provides world-class network and systems management, traffic analysis, vulnerability scanning, intrusion detection, asset management and reporting functionality in easily deployed appliances. In addition to helping IT departments ensure application availability and network optimization, when deployed with CommandCenter Secure Gateway, these appliances also provide remote capabilities that enable external vendors to provide a full range of outsourced management services.

CommandCenter NOC provides flexible rules-based event notification tools that support user-defined workflow processes - ensuring that appropriate team members receive any necessary alerts based on their roles and responsibilities. Multiple units can be deployed in a distributed architecture to provide complete coverage of the enterprise or multiple business units.

Because CommandCenter NOC provides such complete management functionality in an economical-to-deploy package, it offers a particularly attractive value proposition to IT departments seeking to fill functional gaps in their management toolkits. Using CommandCenter Secure Gateway's single sign-on remote access to troubled servers leads to further efficiencies because IT administrators can restore service and fix problems without leaving their chairs.

Raritan's solutions are fundamentally about helping customers optimize their IT investments, while simplifying, and lowering total cost of ownership. We are committed to delivering value through appliances that enable customers to manage their own environments and help them optimize their IT investments.

About Raritan

Raritan is a leading supplier of solutions for managing IT infrastructure equipment and the mission-critical applications and services that run on it. Raritan was founded in 1985, and since then has been making products that are used to manage IT infrastructures at more than 50,000 network data centers, computer test labs and multi-workstation environments around the world. From the small business to the enterprise, Raritan's complete line of compatible and scalable IT management solutions offers IT professionals the most reliable, flexible and secure in-band and out-of-band solutions to simplify the management of data center equipment, applications and services, while improving operational productivity. More information on the company is available at.

Call: +61 3 9866 6887/ +61 2 9029 2558/ +64 9 889 3136
E-mail: sales.au@raritan.com, sales.nz@raritan.com

© 2006 Raritan, Inc. All rights reserved. Raritan and CommandCenter are registered trademarks of Raritan, Inc. All other marks are trademarks or registered trademarks of their respective manufacturers.