Network Management and Monitoring



Similar documents
Detecting rogue systems

ITRAINONLINE MMTK WIRELESS TROUBLESHOOTING HANDOUT

ITRAINONLINE MMTK ADVANCED NETWORKING HANDOUT

Load Balance Router R258V

Minimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.

Using WhatsUp IP Address Manager 1.0

Security Type of attacks Firewalls Protocols Packet filter

Securing Cisco Network Devices (SND)

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

Overview. Packet filter

Network Management and Monitoring Software

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Funkwerk UTM Release Notes (english)

WhatsUpGold. v3.0. WhatsConnected User Guide

Question: 3 When using Application Intelligence, Server Time may be defined as.

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Final for ECE374 05/06/13 Solution!!

Bandwidth Management and Optimization System Design (draft)

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Monitoring Cisco IOS Firewall Inspection Activity with Multi- Router Traffic Grapher (MRTG)

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

How To Understand and Configure Your Network for IntraVUE

Pre Sales Communications

BusinessCom Traffic Engineering Server (TES) Application Package. Ver User Guide. BusinessCom TES Platform User Guide, Page 1

Ranch Networks for Hosted Data Centers

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Security. TestOut Modules

Lab VI Capturing and monitoring the network traffic

SSVP SIP School VoIP Professional Certification

Tomás P. de Miguel DIT-UPM. dit UPM

Penetration Testing with Kali Linux

LOHU 4951L Outdoor Wireless Access Point / Bridge

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

IP Networking. Overview. Networks Impact Daily Life. IP Networking - Part 1. How Networks Impact Daily Life. How Networks Impact Daily Life

Vantage Report. User s Guide. Version /2006 Edition 1

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

Secure Networks for Process Control

8.2 The Internet Protocol

Best practice for SwiftBroadband

SiteCelerate white paper

PROFESSIONAL SECURITY SYSTEMS

Open Source Bandwidth Management: Introduction to Linux Traffic Control

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Transport and Network Layer

Using Ranch Networks for Internal LAN Security

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Technical Support Information Belkin internal use only

FAQs for Oracle iplanet Proxy Server 4.0

Outline VLAN. Inter-VLAN communication. Layer-3 Switches. Spanning Tree Protocol Recap

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

The ntop Project: Open Source Network Monitoring

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

SSVVP SIP School VVoIP Professional Certification

Fortigate Features & Demo

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Basic & Advanced Administration for Citrix NetScaler 9.2

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

SolarWinds Certified Professional. Exam Preparation Guide

Securing end devices

Using over FleetBroadband

Gigabit Multi-Homing VPN Security Router

SESA Securing with Cisco Security Appliance Parts 1 and 2

MailFoundry Users Manual. MailFoundry User Manual Revision: MF Copyright 2005, Solinus Inc. All Rights Reserved

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

Enterprise VoIP Services over Mobile Ad-Hoc Technologies

Gigabit Content Security Router

Understanding Slow Start

IT4405 Computer Networks (Compulsory)

McAfee Web Gateway 7.4.1

COMPUTER NETWORK TECHNOLOGY (300)

FatPipe Networks Network optimisation and link redundancy for satellite communications

Quality of Service in the Internet. QoS Parameters. Keeping the QoS. Traffic Shaping: Leaky Bucket Algorithm

Cisco CCNP Optimizing Converged Cisco Networks (ONT)

Analysis of QoS parameters of VOIP calls over Wireless Local Area Networks

Network Management Functions - Performance. Network Management

Review: Lecture 1 - Internet History

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

SOLARWINDS ENGINEER S TOOLSET FAST FIXES TO NETWORK ISSUES

Active Management Services

Network Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016

FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP for FortiOS 5.0

CTS2134 Introduction to Networking. Module Network Security

CMPT 471 Networking II

Denial of Service Attacks

VXLAN: Scaling Data Center Capacity. White Paper

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition)

Solido Spam Filter Technology

Allocating Network Bandwidth to Match Business Priorities

Firewalls. Chapter 3

Measuring IP Performance. Geoff Huston Telstra

Recommended IP Telephony Architecture

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Transcription:

Alberto Escudero Pascual aep@it46.se 1

Goals We need to know what we want, to be able to know what we need Are Monitoring and Network Management the same thing? Do not follow tools, follow methods! 2

Table of Contents Methodology of this unit Goals versus Data Monitoring Monitoring Service Goals Technical Principles SNMP/MIB Traffic Accounting Traffic Shaping Bayesian filters Virus Fingerprints Tools (MRTG, Ntop, SpamAssassin, Clam AV) 3

Methodology Focus on goals, not tools Understand the technical principles behind the tools Understand which technical principles we need to achieve our goals 4

Goals versus Data monitoring Technical principles Goals Tools Decisions 5

Monitoring Service Goals Three examples: Save cost by reducing International bandwidth use Provide better QoS for VoIP Manage Service and Network growth 6

Goal 1: Save costs in International Bandwidth Layer Technical principle 4 Caching, Detect/Block Spam/Viruses (Bayesian Filters) 3 Traffic shaping (Queueing Principles) Traffic accounting (SNMP, Promisc) 2 Network Access Control (Firewalling) Traffic shaping Traffic accounting (SNMP, Promisc) 1 Wireless Access Control Collect Wireless Layer 2 Data (SNMP) 7

Goal 2: QoS for VoIP Layer Technical principle 4 3 Traffic shaping (Queueing Principles) Traffic accounting (SNMP, Promisc) 2 Traffic shaping (Queueing Principles) Traffic accounting (SNMP, Promisc) 1 Collect Layer 2 Data (SNMP) Reduce wireless latency 8

Goal 3: Managing service and Network Growth Layer Technical principle 4 Virus/Spam, SQL (Service Balancing) 3 Collect TCP/UDP Statistics, Firewall Balancing 2 Collect IP Layer Statistics, Routing principles 1 Collect Layer 2 Data (SNMP) 9

Technical Principles Five technical principles: SNMP/MIB Traffic Accounting Traffic Shaping Bayesian Filters Virus fingerprints 10

SNMP/MIB Operation and maintenance protocol for network computer networks and network devices Server/client architecture Client queries remote network devices Statistical information, private data SNMP enabled device contains a statistical information database (MIB) Interoperability and ability to be extended Complex encoding rules, inefficient coding 11

SNMP/MIB SNMP is also traffic in your network Minimize overhead by asking smart queries SNMPv1 does not provide encrypted authentification Mind your passwords SNMP consumes CPU 12

SNMP/MIB Wireless vendors implement proprietary sets of wireless information in MIBs The mechanism to retrieve certain kind of wireless data varies Wireless devices are equipment with own Management tools Integration of different management tools is normally complicated as the code seldom is open source Write your own wireless management system! 13

Traffic Accounting General principal for monitoring traffic statistics: Network decisions Troubleshooting Monitoring host activities 14

Traffic Accounting Packet and byte counts Protocol distribution statistics IP checksum errors Discovery of active hosts Data activity among host 15

Traffic Accounting Active Enable SNMP in all routers/bridges of the network Passive Promiscuous mode Requires direct acces to channel and CPU to gather and digest information 16

Traffic Shaping Control traffic flow Guarantee certain performance Queueing disciplines in IP layer Latency and congestion Bandwidth and fairness 17

Traffic Shaping Modification of IEEE 802.11 MAC layer in IEEE 802.11 based products to implemet similar behaviour using proprietary mechanisms that does not ensure interoperability Proxim has implemented a proprietary polling mechanism (WORP) to allocate network capacity by using time slots 18

Queuing disciplines and latency Applied on outgoing traffic Outgoing is normally bottleneck Buffert overflow Dropping TCP packets >Retransmission Latency Prioritization of packets User interaction (ssh, rtp) Bulk traffic (ftp, http) 19

Bandwidth management by packet queuing Can ensure: QoS A certain bitrate to a specific host Limited throughput for a specific service Fair network Customer gets what he/she paid for 20

Bandwidth management by packet queuing Classful queuing disciplines Hierarchical structure Class specifies queueing algoritm, bitrate, ceiling limit (depending on protocol, IP, subnet) HTB (classful) Controlling bandwidth by simulating slow links SFQ (classless) Fairness with saturated link 21

Bayesian Filters Content based anti spam filter Header (sender and message paths) Embedded HTML code Word pairs and phrases Meta information Adaptive self lerning by error reports No manual wordlist Initial list created by analysing content 22

Bayesian Filters Place your anti spam filter before the mails enter your wireless infrastructure Placing mail rely agent with anti spam filters on the other side of you international link can save 10 20% of your international bandwidth costs 23

Virus Fingerprints (signatures) Fingerprints: Computer instructions or derivatives of them used by knows viruses Antivirus programs Uses virus fingerprints to scan code Online constantly updated databases Heuristic scanning algorithms Creates permutations of known viruses to predict future mutated viruses 24

Monitoring Tools Free and open source tools: MRTG Ntop SpamAssassin Clam Antivirus (Clam AV) 25

Monitoring the wireless Vendor specific monitoring tools (for certain operating system) Brings limited usage N vendors implies n network monitoring tools Single interface by integration (SNMP/MIB > MRTG) 26

MRTG Multi Router Traffic grapher Monitor and display network parameters (CPU, traffic load) Uses data from SNMP enables devices Graphical web based interface 27

MRTG Configuration of MRTG: Pre requirements: web server, MRTG installed, IP addres and SNMP password of deviece you want to monitor Create configuration file for MRTG (cfgmaker) Create a cron process that runs MRTG 28

MRTG: Bandwidth monitoring 1. Create default config file for mrtg > cfgmaker password@ip > /etc/mrtg_b.cfg 2. Change working directory of MRTG in mrtg_b.cfg WorkDir: /var/www/mrtg 3. Create periodic task by adding the following line in /etc/crontab */5 * * * * root /usr/bin/mrtg /etc/mrtg_b.cfg 29

MRTG: SN/R monitoring Need data from MIB of wireless device How to find the right queries (OID)? Reverse engineering! Use proprietary network manager to monitor traffic (link test) 30

MRTG: SN/R monitoring 19:41:21.448323 10.10.10.12.1260 > 10.10.10.254.snmp: GetRequest(29).1.3.6.1.4.1.762.2.1.7.0 0x0000 4500 0048 77b2 0000 8011 99d5 0a0a 0a0c E..Hw... 0x0010 0a0a 0afe 04ec 00a1 0034 64bb 302a 0201...4d.0*.. 0x0020 0004 0670 7562 6c69 63a0 1d02 0201 0302...public... 0x0030 0100 0201 0030 1130 0f06 0b2b 0601 0401...0.0...+... 0x0040 857a 0201 0700 0500.z... 19:41:21.448854 10.10.10.254.snmp > 10.10.10.12.1260: GetResponse(30).1.3.6.1.4.1.762.2.1.7.0=2 (DF) 0x0000 4500 0049 0037 4000 4011 1150 0a0a 0afe E..I.7@.@..P... 0x0010 0a0a 0a0c 00a1 04ec 0035 62b5 302b 0201...5b.0+.. 0x0020 0004 0670 7562 6c69 63a2 1e02 0201 0302...public... 0x0030 0100 0201 0030 1230 1006 0b2b 0601 0401...0.0...+... 31

Connected users to AP Write Integer 50 in OIDs: 1.3.6.1.4.1.762.2.5.5.1, 1.3.6.1.4.1.762.2.5.5.1, 1.3.6.1.4.1.762.2.5.5.3 Write Integer 3 in OIDs: 1.3.6.1.4.1.762.2.5.4.1, 1.3.6.1.4.1.762.2.5.4.2, 1.3.6.1.4.1.762.2.5.4.3 Retrieve the OID: 1.3.6.1.4.1.762.2.5.1.0 32

Signal & noise parameters Write Integer 1500, 25, 80 in OID 1.3.6.1.4.1.762.2.5.2.1.27.n 1.3.6.1.4.1.762.2.5.2.1.26.n 1.3.6.1.4.1.762.2.5.2.1.25.n Retrieve signal by reading: 1.3.6.1.4.1.762.2.5.2.1.32.n Retrieve noise by reading: 1.3.6.1.4.1.762.2.5.2.1.33.n where <n> refers to the integer assigned to the wireless device 33

Wireless with MRTG MRTG IP information (Layer 3) and wireless information (Layer 2) 34

Ntop Free and open source (GPL) Traffic measurement Traffic characterization and monitoring Detection of network security violations Network optimization and planning 35

Traffic measurement Sent and received data per protocol IP multicast TCP session history TCP/UDP services used and traffic distribution Bandwidth utility (actual, average, peak) Traffic distributions (among subnets) 36

Traffic characterization and monitoring Identifying situations where netowrk rules and thresholds are not followed by detecting: Duplicated use of IP addresses NICs in promiscuous mode Misconfigurations in software Service misuse (proxy servers etc.) Excessible bandwidth utilization 37

Detection of network security violations Detection of network attacs such as: Portscan Spoofing Spyes Trojan horses Denial of Service (DoS) 38

Network and optimization and planning Identify suboptimal configurations and non efficient utilization of available bandwidth Unnecessary protocols Suboptimal routing (ICMP redirect) Traffic patters and distribution 39

Ntop 40

SpamAssassin Don't block, just tag! Gives each message a score based on: Header and body phrases Bayesian filter Whitelists/blacklists Collaborative spam identification databases DNS blocklists Character sets and locales 41

Clam Antivirus Does not delete or clean infected file, just tags it Fast scanning of directories and file Detection of over 30 000 viruses, worms and trojan horses Scans archives and compressed files Contains advanced database updater with support for virus signatures 42

Flooding the network 18:12:36.432838 172.168.0.36.2231 > 172.168.82.53.445: S 1068540375:1068540375(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 119f 4000 8006 3d7f aca8 0024 E..0..@...=...$ 0x0010 aca8 5235 08b7 01bd 3fb0 a1d7 0000 0000..R5...?... 0x0020 7002 faf0 f088 0000 0204 05b4 0101 0402 p... 18:12:36.441460 172.168.0.23.1433 > 172.168.227.122.445: S 2018273998:2018273998(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 8a9c 4000 8006 3349 aca8 0017 E..0..@...3I... 0x0010 aca8 e37a 0599 01bd 784c 6ace 0000 0000...z...xLj... 0x0020 7002 faf0 60db 0000 0204 05b4 0101 0402 p...`... 18:12:36.441731 172.168.0.23.1435 > 172.168.196.106.445: S 2018316905:2018316905(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 8a9d 4000 8006 5258 aca8 0017 E..0..@...RX... 0x0010 aca8 c46a 059b 01bd 784d 1269 0000 0000...j...xM.i... 0x0020 7002 faf0 d84d 0000 0204 05b4 0101 0402 p...m... 18:12:36.443252 arp who has 172.168.0.247 tell 172.168.0.27 0x0000 0001 0800 0604 0001 0006 5ba6 3815 aca8...[.8... 0x0010 001b 0000 0000 0000 aca8 00f7 0000 0000... 0x0020 0000 0000 0000 0000 0000 0000 0000... 18:12:36.445470 172.168.0.27.2367 > 172.168.160.143.445: S 767169456:767169456(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 3f8b 4000 8006 c141 aca8 001b E..0?.@...A... 0x0010 aca8 a08f 093f 01bd 2dba 13b0 0000 0000...?..... 0x0020 7002 faf0 41cd 0000 0204 05b4 0101 0402 p...a... 18:12:36.447728 172.168.0.36.2235 > 172.168.217.194.445: S 1068598455:1068598455(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 11a0 4000 8006 b5f0 aca8 0024 E..0..@...$ 0x0010 aca8 d9c2 08bb 01bd 3fb1 84b7 0000 0000...?... 0x0020 7002 faf0 8616 0000 0204 05b4 0101 0402 p... 18:12:36.448124 172.168.0.36.2232 > 172.168.97.176.445: S 1068654094:1068654094(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) 0x0000 4500 0030 11a1 4000 8006 2e02 aca8 0024 E..0..@...$ 0x0010 aca8 61b0 08b8 01bd 3fb2 5e0e 0000 0000..a...?.^... 0x0020 7002 faf0 24d4 0000 0204 05b4 0101 0402 p...$... 43

Conclusions Monitoring raw data will not help You need to monitor to have a good network managment Set your goals, find the technical principles and then choose your tools If a tool does NOT do what you want or does far more of what you need, consider building one. 44

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information