TOTAL VIEW ONE Technical FAQ




Version 1.1

System Overview

What kind of data does TVO provide and how is it effectively delivered?
TVO mirrors and records the state of every connection to deliver actionable real-time intelligence to management via an easy-to-use secure web portal (GUI).

What is the key advantage of TVO's state-based connection tracking data?
All managers must know what is on their networks and what it is being used for. One original source, tracking the state of every connection, provides TVO owners with a wealth of fully correlated reporting at all levels: from high-level, multi-level perspectives down to drillable correlated reporting at the packet level to pinpoint problems.

Will TVO's data stand up in a court of law?
Most jurisdictions require that the data is encrypted and the logs digitally signed, i.e. proof that the data has not been tampered with. This independent record of all transactions can be stored in real time, off-site, with an independent third party for further integrity.

Does TVO benefit the whole organization?
For Management: TVO delivers bandwidth and performance, deep packet inspection (L7) and stateful connection tracking, without burdening the network, for advanced, faster problem solving. Threshold alerts provide a practical way to address security threats, performance problems and usage policy infringements, and managers can get reports that relate specifically to their own division.
For Directorship: TVO provides the means for complete network traffic record retention and covers managerial accountability as required by most regulatory audits.

What type of automated reporting is provided for the organization?
Automated correlated PDF reports include:
- Bandwidth by application and bandwidth by user, broken down by type, total, percentage, latency, spikes and connections, all segmented into inbound, outbound and total bandwidth. Throughput is also reported as time-based maximum and minimum averages.
- Latency by period and by application.
- Connection totals: the most used connections by time and volume, most visited web sites, P2P, top web users/connections, irregular traffic and new users.
From this reporting, threshold alerts verify that networks are secure and performing, and give management the means to ensure usage policies are enforceable.

Performance

What kind of connection information is shown?
Connection details:
- by source IP addresses (users, applications) and destination IP addresses
- connection latency, jitter and loads
- bandwidth (usage, utilization and throughput)
- connection state (dropped, unreplied, denied)

Why is there a connections-per-day figure in the spec?
Exceeding the daily limit on the number of lines (connections) in the database may slow down queries, especially during audits. It is important to ensure that the TVO model is correctly sized based on connection usage.

Is it possible to drill into a specific time interval in Latency by Time?
Yes; the setting is 5-minute intervals. Click on each time interval to retrieve more details, or download a CSV report of all connections for a specific hour for a complete audit.

How can I break down the latency numbers into network vs. computing delays to identify the bottleneck of application performance?
A feature named external latency offers good measures of application performance when monitoring internal servers.
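The connection details listed above (latency, jitter, connection state) can be derived from the TCP handshake using the definitions this FAQ gives further on: latency is the RTT from SYN-ACK to ACK, jitter is the variation of latency. The Python below is an added example, not PresiNet code; the packet events and addresses are constructed, jitter is taken as the standard deviation of the RTTs because the FAQ fixes no formula, and "established" is an assumed label for a completed handshake.

```python
"""Per-connection latency, jitter and state from TCP handshake events.

Added example, not PresiNet code. Uses the FAQ's definitions: latency is the
RTT from the server's SYN-ACK to the client's ACK; jitter is the variation of
latency (taken here as the population standard deviation); a SYN with no reply
is 'unreplied' and a SYN answered with RST is 'denied'. The packets below are
constructed sample events, not a real capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# (timestamp_s, src, sport, dst, dport, tcp_flags) -- constructed sample events
PACKETS = [
    (0.000, "10.10.200.5", 51000, "203.0.113.10", 443, "S"),
    (0.041, "203.0.113.10", 443, "10.10.200.5", 51000, "SA"),
    (0.081, "10.10.200.5", 51000, "203.0.113.10", 443, "A"),    # RTT 40 ms
    (1.000, "10.10.200.5", 51001, "203.0.113.10", 443, "S"),
    (1.030, "203.0.113.10", 443, "10.10.200.5", 51001, "SA"),
    (1.090, "10.10.200.5", 51001, "203.0.113.10", 443, "A"),    # RTT 60 ms
    (2.000, "10.10.200.7", 51002, "10.10.100.9", 3389, "S"),
    (2.002, "10.10.100.9", 3389, "10.10.200.7", 51002, "RA"),   # refused with RST
    (3.000, "10.10.200.7", 51003, "10.10.100.10", 445, "S"),    # never answered
]

def track(packets):
    """Return {(src, sport, dst, dport): {"state": ..., "latency_ms": ...}}."""
    conns = {}
    for ts, src, sport, dst, dport, flags in sorted(packets):
        fwd = (src, sport, dst, dport)          # client -> server direction
        rev = (dst, dport, src, sport)          # server -> client direction
        if flags == "S" and fwd not in conns:
            conns[fwd] = {"state": "unreplied", "latency_ms": None, "synack_at": None}
        elif rev in conns and "R" in flags:
            conns[rev]["state"] = "denied"
        elif rev in conns and flags == "SA":
            conns[rev]["synack_at"] = ts        # RTT measurement starts here
        elif fwd in conns and flags == "A" and conns[fwd]["synack_at"] is not None:
            c = conns[fwd]
            c["latency_ms"] = round((ts - c["synack_at"]) * 1000, 1)
            c["state"] = "established"
            c["synack_at"] = None               # measure the handshake only once
    for c in conns.values():
        del c["synack_at"]
    return conns

def latency_stats(conns):
    """Mean latency and jitter per (dst, dport) over connections that completed the handshake."""
    by_dst = defaultdict(list)
    for (_, _, dst, dport), c in conns.items():
        if c["latency_ms"] is not None:
            by_dst[(dst, dport)].append(c["latency_ms"])
    return {k: {"mean_ms": round(mean(v), 1), "jitter_ms": round(pstdev(v), 1)}
            for k, v in by_dst.items()}

if __name__ == "__main__":
    conns = track(PACKETS)
    for k, v in conns.items():
        print(k, v)
    print(latency_stats(conns))
```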

How does TVO identify usage of web-based email like Yahoo or Gmail?
Webmail uses at least two destination ports: port 443 for authentication and port 80 for receiving and sending content. The administrator can easily find webmail users based on the domain names of both connections. Note: it is possible to search for usage of specific sites.

Can TVO detect P2P and applications using ports other than 80?
Yes; TVO recognizes application signatures.

Which TVO functions use network bandwidth?
Web access to view the TVO data (port 80), DNS, whois lookup, NTP, update (HTTPS), communication with sensors (SSH), alert emails, etc.

What impact does a sensor added to remote sites have on the bandwidth usage?
There are many factors that may affect these statistics, but a rough number we use is 0.01%-0.1%. Most sites are estimated at 0.05%.

How can I find the throughput of each application?
Three clicks: go to Bandwidth - Applications - Clock.

Can I compare data between two different dates?
Yes; go to multi-site for comparison by generating two sets of graphs with multiple options: dates, appliance(s), types (bandwidth, throughput, connections, etc.).

What is the primary key in the database if not user ID, MAC or IP?
The database is keyed by a unique code rather than the data fields mentioned above, and the main key is set by sensor/location.

How does TVO identify devices in a DHCP-enabled environment?
TVO shows the device names (synced with the DNS server) and MAC addresses. Network policy in a DHCP-enabled environment is critical to ensure correct identification.

Can TVO identify users in addition to IP?
Yes; TVO uses Active Directory to show the user name. Note: Active Directory is only used for identifying the user when logged in, not the workstation.

Can TVO identify users with the same IP but different MACs?
Yes; the administrator can get a list of all MACs corresponding to a particular IP. MAC collision alerts also add another level of security.

When should I expect a possible alert email once I have set up a threshold?
Starting from the following day, once the specified threshold parameter has been exceeded.

What is TVO's lag time from alert triggered to email sent?
From 1 to 6 minutes.

Can TVO detect Trojan horses or attacks that often generate minimal traffic?
Yes; TVO collects and records 100% of all connections.

How does TVO differentiate applications in L7?
TVO examines the first few packets of each connection to identify the signature of the application.

How many L7 applications are identified?
Currently around 50+, with more to come through automatic software update.

Is it a security risk for PresiNet to access our TVO equipment with the SSH function?
The administrator can disable username/password login via SSH. The SSH function is running at all times to allow sensors to send in their logs and get automatic updates.

How secure is the data transferred from the sensor to the TVO appliance?
The sensors only make two ports available to the network: Web and SSH. The website is protected by username and password, and totally disconnected from the areas of the sensor that involve client data. The SSH package runs highly secure software, OpenSSH. TVO uses encryption to protect communications between sites.

What is remote backup and how is it different from local backup?
Remote backup supports NAS, where data is stored in the client's own storage devices. There is no physical limit on how much data can be archived remotely (add as you grow) for TVO to operate. In addition, remote backup is beneficial in the rare case of a hard disk failure and is legally substantive.

Will TVO lose data or stop collecting data during backup recovery?
No data will be lost during recovery, as TVO continues to collect data and all raw data files are backed up. The sensor will continue to collect data even if the database is offline, and the log files are parsed in once the database is back online.

What is the process for a local backup and via which interface?
No interface is needed for local backup, which is an archive process on the appliance that limits the database to approximately a maximum of 90 days of data with normal usage (throughput can be gauged on the Capacity Planning report). Data older than 90 days may be retrieved from local backup and displayed on the secure portal (GUI) for viewing, for queries and for audits.

Can I export my historical data before the HD in TVO is full?
Yes; TVO supports direct-attached external disks and Windows file sharing.

How long can a sensor store data locally in case of a network outage?
Usually up to 1 day. Upon network recovery, the Sensor(s) will resume log transmission to the assigned TVO.

When does TVO look up DNS?
TVO does DNS lookups to display names on the GUI or to create the daily report; note: the latter records the resolved domain names in the PDF, which is unaffected by any later DNS changes.

Does TVO collect and store content for forensic purposes?
Yes: TVO is used for forensic purposes, but TVO does not perform forensics per se. TVO instead offers the most cost- and time-effective solution for an operator to trace all connections and record network activities, which is the foremost critical step for security investigations, regulatory audits and managerial accountability.

How does TVO legally help protect an organization?
TVO's data is encrypted from TVO's Sensors to the main TVO Appliance. Furthermore, digitally signed logs provide a complete auditable record that can be used in court as a legally substantive record.

How do I know which TVO model is the right size for my network?
With normal network usage, IP users (nodes) are a satisfactory guide. TVO's diagnostics information provides connections per day and peak usage statistics for accurately sizing equipment for a particular network. The total maximum number of concurrent connections in any given hour on a network determines the minimum size of TVO appliance for the network.

Does the TVO IP count include the number of IPs that TVO Sensors are also monitoring?
Yes. Example: a TVO M2000 (max. 256,000 connections/hr) on a core switch handling 1000 IPs and two S500s with up to 500 IPs on each of the TVO Sensors (1000 + 500 + 500 = 2000 max IPs monitored). (Note: a TVO M1000 (128,000 connections/hr) will likely not handle the additional TVO Sensors' load.)

What is the definition of latency in TVO?
Latency is RTT (round trip time), from SYN-ACK to ACK.

What is the definition of jitter?
Jitter is the variation of latency.

How can I install TVO on an unmanaged edge switch or a core switch that has no SPAN ports available?
The client may opt for the inline mode of the sensor or insert a TAP. It should be noted that the Sensor does not have an automatic failover.

How do I activate in-line mode on a TVO Sensor?
Tick the in-line mode option via the web portal for the Sensor under Network.

How can I detect IP and MAC addresses on my network with multiple layers of switches?
The client may deploy additional Sensors to capture the detail of IPs and MAC addresses.

May I use a hub if I'm running out of ports for mirroring?
A hub is not recommended. Instead, use a Sensor set to operate inline.

When replicating ports, is there any packet loss caused by TVO?
There is no packet loss caused by TVO. Note: there is always a small chance of some packet loss on a low-quality switch.
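Both the question on standing up in court and the one on legally protecting an organization rest on the same mechanism: digitally signed logs that prove the record has not been tampered with. The Python below is an added illustration of that mechanism, not TVO's implementation: it hash-chains constructed connection records and authenticates each entry with an HMAC from the standard library, standing in for the asymmetric signature a deployment would use so that an independent third party can verify without holding the signing key.

```python
"""Tamper-evident connection log: hash-chained records with a MAC per record.

Added example, not TVO's implementation. The FAQ says signed logs prove the
record has not been tampered with; this shows the mechanism with a SHA-256
hash chain plus HMAC-SHA256 (standard library only). A production system
would use an asymmetric signature so an independent third party can verify
without the signing key. Records and key below are constructed sample data.
"""
import copy
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-real-use"

def _canon(record):
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_record(chain, record, key=KEY):
    """Append a record; each entry's MAC covers the previous entry's MAC too."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    digest = hashlib.sha256(prev.encode() + _canon(record)).hexdigest()
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "prev": prev, "mac": mac})
    return chain

def verify(chain, key=KEY):
    """Return (ok, index_of_first_bad_entry); catches edits, deletions and reordering."""
    expected_prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            return False, i                       # link broken: entry removed or moved
        digest = hashlib.sha256(entry["prev"].encode() + _canon(entry["record"])).hexdigest()
        good = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, entry["mac"]):
            return False, i                       # record contents or MAC altered
        expected_prev = entry["mac"]
    return True, None

# constructed connection records in the spirit of the FAQ's "state of every connection"
SAMPLE = [
    {"ts": "2015-06-07T09:00:01Z", "src": "10.10.200.5", "dst": "203.0.113.10", "dport": 443, "state": "established"},
    {"ts": "2015-06-07T09:00:04Z", "src": "10.10.200.7", "dst": "10.10.100.9", "dport": 3389, "state": "denied"},
    {"ts": "2015-06-07T09:00:09Z", "src": "10.10.200.7", "dst": "10.10.100.10", "dport": 445, "state": "unreplied"},
]

def build_chain(records=SAMPLE):
    chain = []
    for r in records:
        append_record(chain, r)
    return chain

def tampered_chain():
    """Copy of the chain in which the denied connection is rewritten to look normal."""
    chain = copy.deepcopy(build_chain())
    chain[1]["record"]["state"] = "established"
    return chain

if __name__ == "__main__":
    print("intact:", verify(build_chain()))       # (True, None)
    print("edited:", verify(tampered_chain()))    # (False, 1)
```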

Can TVO support multiple network ports?
Yes; TVO can support multiple subnets, or use sensors to monitor multiple network ports from a single TVO. Multiple sensors communicate to one TVO and therefore to only one TVO GUI. It is not possible to run multiple TVOs into one TVO (GUI). Note: there is no consolidated reporting feature back to a single GUI. In some circumstances, and on certain switches, it is possible for multiple ports to be replicated to one mirror port on the switch.

Can I reset the Appliance/Sensor remotely?
No; security purposes demand that this is performed manually.

Can the S100 operate in an HA environment?
No; the S100 will only collect traffic from one sensor port. This is available in the TVO and S505 systems, which ensures tracking of HA or load-balanced traffic.

Will the S100 be adequate in my 1 Gig network?
Yes; the S100 uses Gigabit interfaces, but the buffering is rated at 300 Mbps. Note: the S100 sensor will handle 32,000 simultaneous connections at any one time.

How much backup storage is required or recommended per year?
Usage volumes are heavily industry specific. A common guide is 3 to 4 MB per IP address per day (or 1.2 GB per IP address per year) in a normal working environment.

Can the end user add additional storage to TVO servers?
Remote backup storage is advised.

What is an example of total annual operating costs?
Software maintenance and upgrades are 18%+ of the list price.

How can I get the latest update?
Once registered, either turn on the auto-update function or update the software manually.

Can TVO decrypt data?
TVO doesn't capture and/or decrypt content.

Can TVO identify some specific applications, e.g. ERP?
Yes; when the application is registered to a single fixed port, it will be listed on the Application page (L3). Note: other L7 applications which hop ports can be found on the Top P2P page. Custom applications developed by clients will typically be identified on the Application page of TVO without any changes in setup or configuration.

Does TVO support VLAN?
Yes; VLAN IDs should be entered in the Configuration -> Setup page in order for connections with VLAN tags to be tracked appropriately.

Can TVO see VPN packets?
Yes, although VPN traffic is shown without a port number. The client can identify the source and destination IP addresses, but not the encrypted local IP addresses.

Does the sensor support transparent mode in addition to inline mode?
Yes; the Sensor will be transparent in the rare case of hardware failure.

How will TVO and its Sensors respond when a network is completely down, e.g. the TVO server and Sensors are unable to send or receive data?
Use cross-cable access through the management port to access the TVO when the network is down. The TVO S100 and S500 will store data for 24 hours. Note: the TVO S100 has 256 MB of memory and the TVO S500 1 GB of memory. For a network outage of more than 24 hours, the sensors will retain the most current traffic.

Will I be able to see proxy server traffic?
TOTAL VIEW ONE utilizes its Layer 7 engine to extract the URIs from all web requests, even if these web requests go via a proxy server. For optimal visibility, the proxy server must not be in the same monitored network as the users. Note: the proxy server should be in its own monitored network. Remember, TVO records traffic entering and leaving the monitored network; this ensures specific focus on the required data. If the proxy server is in the monitored network, the sensor will not see the traffic between the users and the proxy, but will see the traffic from the proxy to the internet. This is not optimal, as it will not show which user went to which internet sites. Note: if the proxy is not in the monitored network, then TVO will record all the traffic (and URIs) for each user.

Here are two scenarios involving proxy servers:

I. Proxy Server: 10.10.100.254
   Users: 10.x.x.x
   Monitored Network: 10.0.0.0/255.0.0.0
   The result of this setup is that all web traffic looks like it comes from the proxy server, and we will correctly show the destinations by their hostname.

II. Proxy Server: 10.10.100.254
    Users: 10.10.200.x
    Monitored Network: 10.10.200.0/24
    Note that the Users are in the Monitored Network, but the proxy server is not. On the web portal (GUI), you would see the traffic from each user as going to the proper web destination (i.e. www.google.com). Note: under some reports it will still show the destination as the proxy server (10.10.100.254).

Why is there a page error during drilldowns (e.g. Apps, Time and Audit)?
Turning off pop-up blocking in the browser will allow new pages to pop up during audits or when Options are clicked.

What should I do when I can't see the IP address of Total View One via cross-cable LAN access?
If there is no link light, attach a monitor and keyboard to the TVO to see if there is any setup procedure prompting for user input.

Why is there a red status on the Sensor page, and why am I not seeing traffic when it is installed?
There could be some lag time, e.g. 15 to 25 minutes, before traffic first shows up on the GUI, due to database management.

How does TVO handle a dropped packet?
Clients using an older switch may experience dropped packets, which may not be detectable by TVO.

Why do the network ports of TVO go down intermittently?
Some software updates will cause this behavior. Any additions, e.g. new L7 applications, to TVO's network package called "totalview" may shut down the TVO ports momentarily, but the system will be back to normal after the update is completed. There is no impact to the actual client network.

What happens if TVO is overloaded?
There will be some impact on web interface performance depending on the seriousness of the overloading. Following a normal temporary overload, TVO will catch up and there should not be any packet loss.

How can I find out if a Sensor is active or not?
Go to the Configuration - Sensor page. The green button means active, whereas yellow/red means inactive. In addition, SNMP traps are supported. An example using snmpwalk (a Linux tool), querying the sysName OID, is:

    snmpwalk -v 1 -c public <TVO IP> .1.3.6.1.2.1.1.5

What are the meanings of eth0, eth1.1 and eth2 in the CSV file?
eth0 is the Management Port of the TVO (or sensor), eth1.1 is the TVO's Sensor port, and eth2 is the Sensor's Sensor Port.

What is the purpose of the "Mail Server IP/Domain" setting?
TVO has its own SMTP server, so in most cases "localhost" or "127.0.0.1" is sufficient. In other cases, it is necessary for TVO to relay alerts to another email server when it can't look up the domain name of an email address.

What should I do if I suspect that the main appliance/S500/S100 is not collecting log information from the mirrored port?
Make sure data is being replicated (mirrored) to the mirror port. Use the troubleshooting guide below to confirm this:
https://secure.presinet.com/web/documents/port_mirroring_troubleshooting_guide.pdf
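The two proxy scenarios in this FAQ both follow from one rule it states: the sensor records traffic entering and leaving the monitored network, so a flow is visible only when exactly one endpoint lies inside it. The Python below is an added example, not PresiNet code, that applies this rule to constructed flows for both monitored networks; the proxy port (3128) and the 203.0.113.x origin server addresses are assumptions.

```python
"""What an edge sensor records for proxied web traffic in the FAQ's two scenarios.

Added example, not PresiNet code. Rule taken from the FAQ: TVO records traffic
entering and leaving the monitored network, so a flow is visible only when
exactly one endpoint is inside that network. Flows, proxy port and origin
server addresses below are constructed sample data.
"""
import ipaddress

PROXY = "10.10.100.254"                      # proxy address from the FAQ
# Each user talks to the proxy; the proxy then fetches the site for them.
FLOWS = [
    {"src": "10.10.200.21", "dst": PROXY, "dport": 3128, "host": "www.google.com"},
    {"src": PROXY, "dst": "203.0.113.10", "dport": 80, "host": "www.google.com"},
    {"src": "10.10.200.22", "dst": PROXY, "dport": 3128, "host": "mail.example.net"},
    {"src": PROXY, "dst": "203.0.113.20", "dport": 443, "host": "mail.example.net"},
]

SCENARIOS = {
    "I (proxy inside)": "10.0.0.0/255.0.0.0",   # FAQ scenario I, netmask notation as given
    "II (proxy outside)": "10.10.200.0/24",     # FAQ scenario II
}

def crosses_boundary(flow, monitored):
    """True when the flow enters or leaves the monitored network (what the sensor sees)."""
    src_in = ipaddress.ip_address(flow["src"]) in monitored
    dst_in = ipaddress.ip_address(flow["dst"]) in monitored
    return src_in != dst_in

def visible_records(flows, network):
    """(src, dst, host) tuples the portal would hold for a given monitored network."""
    monitored = ipaddress.ip_network(network)
    return [(f["src"], f["dst"], f["host"]) for f in flows if crosses_boundary(f, monitored)]

def users_per_site(records):
    """Which source addresses the portal can attribute to each requested site."""
    out = {}
    for src, _dst, host in records:
        out.setdefault(host, set()).add(src)
    return out

def compare(flows=FLOWS, scenarios=SCENARIOS):
    """Attribution per scenario: I shows only the proxy, II shows the real users."""
    return {name: users_per_site(visible_records(flows, net)) for name, net in scenarios.items()}

if __name__ == "__main__":
    for name, attribution in compare().items():
        print(name)
        for host, srcs in attribution.items():
            print(f"  {host}: requested by {sorted(srcs)}")
```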