
NETWORK MANAGEMENT & SECURITY (CIT4035)
LECTURE 2 – NETWORK MONITORING AND MAINTENANCE

PRESENTER: KEVIN JOHNSON

SCHOOL OF COMPUTING AND INFORMATION TECHNOLOGY, JAMAICA (SCIT)


LEARNING OBJECTIVES
 Understand the International Standards for Monitoring Networks
 Understand the importance of Baseline Configuration
 Implement SNMP as a monitoring tool
 Explain the types of network maintenance
 Explain the best practices in network monitoring and maintenance
INTRODUCTION
 Many businesses today depend heavily on their IT systems running at optimal levels.
 Frustration, or sometimes panic, sets in whenever a computer, a web server or the network goes down.
 When this happens people are unable to complete their daily tasks, which adds to the cost of operations on top of the cost of repairing the problem.
 Rigorous monitoring and management keep network systems up and running 24/7/365.
 Constant network monitoring and maintenance is therefore critical to the success of any technology-driven organisation: every hour of downtime of a resource or service costs the company money and valuable hours of productivity.
WHAT IS NETWORK MONITORING?
 Network monitoring is the collection of useful information, using technology tools, to log and analyse traffic flow, latency, utilisation and other performance indicators that affect a network.
 Various tools are available that provide numerical statistics and graphical representations of what is happening on the network.
 These tools can help you answer critical questions, such as:
o What are the most frequently used services on the network?
o Who are the heaviest network users?
o What other wireless channels are in use in my area?
o Are users installing wireless access points on my private wired network?
o At what time of the day is the network most utilised?
o What sites do your users frequent?
o Do the observed traffic patterns fit our expectations?
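As an added example (not from the lecture), the questions above answered over a handful of constructed flow records with plain Python. The flow records, the policy of which services are expected and the business hours are all assumptions made for the illustration; on a real network the records would come from NetFlow/IPFIX or a firewall log.

```python
from collections import Counter
from datetime import datetime

# Constructed flow records for illustration (not from a real network). Each record is a
# NetFlow/IPFIX-style summary: (start time, source, destination, protocol, destination port, bytes).
FLOWS = [
    ("2024-03-04T09:05:00", "10.0.0.5", "203.0.113.10", "tcp", 443, 1_200_000),
    ("2024-03-04T09:07:00", "10.0.0.8", "203.0.113.10", "tcp", 443, 300_000),
    ("2024-03-04T14:02:00", "10.0.0.5", "203.0.113.22", "tcp", 443, 2_500_000),
    ("2024-03-04T14:10:00", "10.0.0.9", "198.51.100.7", "udp", 53, 4_000),
    ("2024-03-04T14:15:00", "10.0.0.8", "203.0.113.5", "tcp", 80, 900_000),
    ("2024-03-04T22:30:00", "10.0.0.9", "192.0.2.44", "tcp", 6667, 50_000),
    ("2024-03-04T22:31:00", "10.0.0.9", "192.0.2.44", "tcp", 6667, 75_000),
]

# Assumed policy: the services this network is meant to carry, and the hours it is meant to be busy.
EXPECTED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}
BUSINESS_HOURS = range(8, 18)


def bytes_by_service(flows):
    """Which services carry the most traffic? Keyed by (protocol, destination port)."""
    totals = Counter()
    for _, _, _, proto, dport, nbytes in flows:
        totals[(proto, dport)] += nbytes
    return totals


def bytes_by_user(flows):
    """Who are the heaviest users? Keyed by source address."""
    totals = Counter()
    for _, src, _, _, _, nbytes in flows:
        totals[src] += nbytes
    return totals


def bytes_by_hour(flows):
    """At what hour of the day is the network most utilised?"""
    totals = Counter()
    for ts, *_, nbytes in flows:
        totals[datetime.fromisoformat(ts).hour] += nbytes
    return totals


def unexpected_flows(flows, expected=EXPECTED_SERVICES, hours=BUSINESS_HOURS):
    """Do the observed traffic patterns fit our expectations? Returns the flows that do not,
    with the reason(s), so an analyst can follow up (here: a host talking IRC at night)."""
    findings = []
    for ts, src, dst, proto, dport, nbytes in flows:
        reasons = []
        if (proto, dport) not in expected:
            reasons.append(f"unexpected service {proto}/{dport}")
        if datetime.fromisoformat(ts).hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((ts, src, dst, dport, nbytes, reasons))
    return findings


def report(flows):
    """Answer the monitoring questions in one pass over the flow records."""
    return {
        "top_service": bytes_by_service(flows).most_common(1)[0][0],
        "top_user": bytes_by_user(flows).most_common(1)[0][0],
        "busiest_hour": bytes_by_hour(flows).most_common(1)[0][0],
        "unexpected": unexpected_flows(flows),
    }


if __name__ == "__main__":
    for key, value in report(FLOWS).items():
        print(f"{key}: {value}")
```

The last question is the security-relevant one: "most used service" and "heaviest user" describe the network, but comparing every flow against what the network is supposed to do is how a rogue service or an off-hours data transfer is noticed at all.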
NETWORK MONITORING COMPONENTS
What exactly do we monitor?
 Latency
 Network Utilization and Bandwidth
 Wireless Network Connections
 Log Files
 Network Hardware Devices, e.g. Firewalls, Routers, Switches, Servers
 Software, e.g. Operating Systems, Enterprise Software, Applications
 Website Availability

BENEFITS OF NETWORK MONITORING

There are several benefits to implementing a good monitoring system for your network
 Network budget and resources are justified.
o Good monitoring systems can demonstrate that the network infrastructure (bandwidth, hardware,
and software) is suitable and able to handle the requirements of network users.
 Malicious network users can be detected and handled.
o By watching your network traffic, you can detect attackers and prevent access to critical internal
servers and services.
 Network malware can be detected early.
o You can be alerted to the presence of worms and other malware on the network, and take appropriate action before they consume Internet bandwidth and destabilise your network.
BENEFITS OF NETWORK MONITORING CONT’D
 Troubleshooting of network problems can be simplified.
o Rather than attempting "trial and error" to debug network problems, you can be instantly notified
of specific problems. Some kinds of problems can even be repaired automatically.
 Network performance can be highly optimised.
o Without effective monitoring, it is very difficult to fine-tune your devices and protocols to achieve the best possible performance.
 Capacity planning is much easier.
o With solid historical performance records, you do not have to "guess" how much
bandwidth you will need as your network grows.
 Proper network usage can be enforced.
o When bandwidth is a scarce resource, the only way to be fair to all users is to ensure that
the network is being used for its intended purpose.
TYPES OF NETWORK MONITORING
Network monitoring is typically classified along two axes:
 Human-operated vs automatic
o Human-operated monitoring requires a person to watch network devices and services, which is impractical around the clock.
o Automatic network monitoring uses software tools.
 Active vs passive
o Active monitoring sends its own probes (ping, SNMP polls, synthetic transactions); passive monitoring observes traffic that is already there (flow records, packet captures, logs).
o Active, human-operated monitoring often gives good insight, but is not feasible 24/7.
o Automatic monitoring can run 24/7, but must trigger warnings, error messages, notifications and alerts and file service tickets in order to be useful. Often a combination of both is needed.
FIVE BASIC GOALS OF NETWORK MONITORING
(FCAPS)
The International Organization for Standardization (ISO) network management model defines five basic network monitoring goals, abbreviated F-C-A-P-S:
 Fault Monitoring
 Configuration Monitoring
 Accounting Monitoring
 Performance Monitoring
 Security Monitoring
GOALS OF NETWORK MONITORING
FAULT MONITORING
Fault Monitoring – the efficient management of network faults such as high CPU/memory utilisation, Quality of Service (QoS) issues and hardware-related issues.
Fault System Functions
 Check device availability using the ping command
 Use SNMP to check device status
 Send fault alerts
 Display network issues on a graph
Fault Monitoring Tools
 HP OpenView
 Zenoss
 IpMonitor
GOALS OF NETWORK MONITORING CONT'D
CONFIGURATION MONITORING
Configuration Monitoring – management of network device configuration and changes.
Configuration System Functions
 System configuration monitoring or management can be done locally or remotely.
 Software is used to track changes made to a system, such as updating the OS of a computer or adding a new hardware device, and to compare the running configuration against an approved baseline so that unauthorised changes stand out.
 Errors and incompatibilities in system configuration can be readily identified and remedied.
Configuration Management Tools
 HP Network Automation
 SolarWinds
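An added example (not the lecture's or any vendor's code) of the change-tracking function described above: a constructed Cisco IOS-style baseline configuration is compared with the configuration just pulled from the device, and changes that touch credentials, SNMP communities, ACLs or management access are singled out for an alert rather than a log line. Both configurations, the password hashes in them and the list of sensitive prefixes are invented for illustration and should be tuned per site.

```python
import difflib
import hashlib

# Constructed router configurations (Cisco IOS-style syntax, invented for this example;
# the "secret 5" hashes are placeholders). GOLDEN is the approved baseline held by the
# configuration management system; CURRENT is what was just pulled from the device.
GOLDEN = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$placeholder
snmp-server community netmon-ro RO 10
access-list 10 permit 10.0.0.100
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

CURRENT = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$placeholder
username svc-backup privilege 15 secret 5 $1$efgh$placeholder
snmp-server community netmon-ro RO 10
snmp-server community private RW
access-list 10 permit 10.0.0.100
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh telnet
"""

# Lines whose change should page someone rather than just be logged (assumption: tune per site).
SENSITIVE_PREFIXES = ("username", "snmp-server community", "access-list",
                      "enable secret", " transport input")


def fingerprint(config):
    """Cheapest possible check that anything changed at all: hash the text."""
    return hashlib.sha256(config.encode()).hexdigest()


def config_changes(golden, current):
    """Added ('+') and removed ('-') lines between the baseline and the live configuration."""
    diff = difflib.unified_diff(golden.splitlines(), current.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def sensitive_changes(changes, prefixes=SENSITIVE_PREFIXES):
    """Changes that touch authentication, SNMP access, ACLs or management access."""
    return [change for change in changes if change[1:].startswith(prefixes)]


def audit(golden, current):
    """Drift report: did anything change, what exactly, and which lines need a ticket?"""
    if fingerprint(golden) == fingerprint(current):
        return {"changed": False, "changes": [], "sensitive": []}
    changes = config_changes(golden, current)
    return {"changed": True, "changes": changes, "sensitive": sensitive_changes(changes)}


if __name__ == "__main__":
    for line in audit(GOLDEN, CURRENT)["sensitive"]:
        print("ALERT", line)
```

Every change in this constructed example is one an attacker with console or SNMP write access would make: a new privileged account, a read-write community with a default name, and telnet re-enabled on the VTY lines. A hash comparison alone only says "something changed"; the line-level diff is what turns that into an actionable alert.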
GOALS OF NETWORK MONITORING CONT'D
ACCOUNTING MONITORING
Accounting Monitoring – managing network resources and utilisation so that departments or individual users can be charged or billed.
Accounting Monitoring Functions
 Monitoring software keeps track of the utilisation of network resources such as disk usage, printing, etc.
 The software produces a graph of the utilisation, which can then be analysed to determine billing information.
Accounting Management Tools (AAA protocols whose accounting records feed this)
 RADIUS – Remote Authentication Dial-In User Service
 TACACS – Terminal Access Controller Access Control System (TACACS+ in current deployments)
 Diameter
GOALS OF NETWORK MONITORING CONT'D
PERFORMANCE MONITORING
Performance Monitoring – management of the efficiency and utilisation of the network: capacity, bandwidth, response time, etc.
Performance Monitoring Functions
 Network performance information is usually collected via SNMP, which lets the monitoring system report the utilisation of a resource (e.g. network traffic on an interface).
 Performance thresholds can be set so that the monitoring system sends a notification when a critical resource reaches its specified limit.
Performance Monitoring Tools
 SolarWinds
 SNMP (the protocol used by most collectors, e.g. Cacti)
GOALS OF NETWORK MONITORING CONT'D
SECURITY MONITORING
Security Monitoring – management of the network and its resources by controlling access according to a predefined policy.
Security Monitoring Functions
 Protection of company data is often achieved through encryption and authentication.
 Software provides features that protect network data through access control mechanisms, and logs access attempts so that policy violations can be detected.
Security Monitoring Tools
 SolarWinds
 GFI LanGuard
BASELINE CONFIGURATION
Network Performance Baselining
o In the simplest terms, a network performance baseline is a set of metrics used in network performance monitoring to define the normal working conditions of an enterprise network infrastructure.
o Engineers compare current measurements against the baseline to catch changes in traffic that could indicate a problem, or an attack: a host that suddenly talks to new destinations, or an interface carrying traffic at 03:00 that is usually idle.
o Because SNMP is a very popular industry monitoring protocol, many vendors provide recommendations or best practices for monitoring and defining thresholds for their products using this protocol.
Example
Cisco, for example, recommends not exceeding 60% CPU utilisation on its routers, and publishes the SNMP MIB objects used to monitor that statistic.
BASELINE CONFIGURATION CONT'D
NEED FOR BASELINE CONFIGURATION
 Understand healthy network patterns and traffic trends
 Evaluate compliance with network management policies
 Understand how network resources are allocated
 Speed up troubleshooting of network issues, e.g. a spike in network traffic
 Provide data on network and security management to support decision making
 Provide historical statistics to support network upgrades
NETWORK BASELINING STEPS
Step 1: Compile a Hardware, Software, and Configuration Inventory
Step 2: Verify that the SNMP MIB is Supported in the Router
Step 3: Poll and Record Specific SNMP MIB Objects from the Router
Step 4: Analyze Data to Determine Thresholds
Step 5: Fix Identified Immediate Problems
Step 6: Test Threshold Monitoring
Step 7: Implement Threshold Monitoring using SNMP or RMON
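Steps 3, 4, 5 and 7 carried through in code, as an added example that is not part of the lecture or of any vendor's tooling: constructed poll records stand in for the SNMP data of Step 3, derive_thresholds turns them into RMON-style rising/falling thresholds capped by the 60% Cisco guidance (Step 4), hours whose baseline is already over the ceiling are flagged instead of being baselined as "normal" (Step 5), and ThresholdMonitor evaluates live polls with hysteresis and a consecutive-poll requirement so a value hovering around the threshold does not flap (Step 7). The sample values, the 3σ/2σ rule and the MIB object name mentioned in the comments are assumptions.

```python
from statistics import mean, pstdev

# Constructed poll history for illustration (not real data): (hour of day, CPU percent) pairs,
# as Step 3 would record them from a router's 5-minute CPU gauge (e.g. Cisco's
# cpmCPUTotal5minRev; the object name is an assumption, check your device's MIB).
POLL_HISTORY = [
    (3, 10), (3, 10), (3, 10),        # quiet overnight, no variance
    (9, 40), (9, 50), (9, 60),        # morning peak, noisy
    (14, 30), (14, 35), (14, 40),     # afternoon
]

CISCO_CPU_CEILING = 60   # vendor guidance cited in the slides: keep router CPU under 60 %


def derive_thresholds(samples, k=3.0, min_margin=5.0, ceiling=CISCO_CPU_CEILING):
    """Step 4: baseline samples -> RMON-style (rising, falling) pair.
    rising  = mean + k*sigma, but at least mean + min_margin and never above the vendor ceiling;
    falling = where the metric must drop back to before the alarm re-arms (hysteresis)."""
    mu, sigma = mean(samples), pstdev(samples)
    rising = min(mu + max(k * sigma, min_margin), ceiling)
    falling = max(rising - max(2 * sigma, min_margin), mu)
    return round(rising, 2), round(falling, 2)


def hourly_thresholds(history, **kw):
    """Thresholds per hour of day, because 50 % at 09:00 is normal and at 03:00 is not.
    Hours whose baseline mean already exceeds the ceiling get no threshold and are returned
    separately: Step 5 says fix those before you enshrine them as 'normal'."""
    ceiling = kw.get("ceiling", CISCO_CPU_CEILING)
    by_hour = {}
    for hour, value in history:
        by_hour.setdefault(hour, []).append(value)
    thresholds, already_broken = {}, []
    for hour, samples in sorted(by_hour.items()):
        if mean(samples) >= ceiling:
            already_broken.append(hour)
            continue
        thresholds[hour] = derive_thresholds(samples, **kw)
    return thresholds, already_broken


class ThresholdMonitor:
    """Step 7: an RMON alarm entry in miniature. Fires 'rising' once `consecutive` polls in a
    row reach the rising threshold (one blip is not an incident), then stays quiet until the
    value has dropped to the falling threshold, which yields 'falling' and re-arms it."""

    def __init__(self, rising, falling, consecutive=2):
        self.rising, self.falling, self.consecutive = rising, falling, consecutive
        self.fired, self.streak = False, 0

    def observe(self, value):
        """Return 'rising', 'falling' or None for one poll."""
        if not self.fired:
            self.streak = self.streak + 1 if value >= self.rising else 0
            if self.streak >= self.consecutive:
                self.fired, self.streak = True, 0
                return "rising"
        elif value <= self.falling:
            self.fired = False
            return "falling"
        return None


def run_monitor(rising, falling, polls, consecutive=2):
    """Feed a poll sequence through one monitor; return (index, event, value) triples."""
    monitor = ThresholdMonitor(rising, falling, consecutive)
    events = []
    for index, value in enumerate(polls):
        event = monitor.observe(value)
        if event:
            events.append((index, event, value))
    return events


if __name__ == "__main__":
    per_hour, broken = hourly_thresholds(POLL_HISTORY)
    print("thresholds:", per_hour, "already over ceiling:", broken)
    print(run_monitor(*per_hour[9], [55, 65, 58, 70, 72, 45, 49, 52, 65, 66]))
```

Two design points worth noting: the per-hour grouping is what makes the baseline a pattern rather than a single number, and the falling threshold is what keeps a busy router from generating an alert on every poll once it is near its limit. Both come straight from how RMON alarm entries are defined, which is why Step 7 offers RMON as an alternative to polling with SNMP.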
BASELINING METRICS

Things to Baseline
 CPU / Memory Utilization
 Server Utilization
 Application Performance
 Network Congestion
 User Reported Issues

SIMPLE NETWORK MANAGEMENT PROTOCOL
(SNMP)
 SNMP is an application-layer protocol for exchanging management information between network devices. It is part of the Transmission Control Protocol / Internet Protocol (TCP/IP) protocol suite.
 It runs over UDP: agents listen on port 161 for manager requests, and managers listen on port 162 for traps and notifications sent by agents.
 Provided the device is SNMP capable, you can configure SNMP, collect information and monitor any number of devices from a single system.
 SNMP's basic components and their functions are:
o SNMP Manager
o Managed devices
o SNMP agent
o Management Information Base (MIB)
SNMP PROTOCOL
SNMP MANAGER
SNMP Manager:
 A manager or management system is a separate entity responsible for communicating with the SNMP agents implemented in network devices. This is typically a computer that runs one or more network management systems.
 SNMP Manager's key functions
o Queries agents
o Gets responses from agents
o Sets variables in agents
o Acknowledges asynchronous events (informs) from agents
SNMP MANAGED DEVICES
Managed Devices:
 A managed device or the network element is a part of the network that requires
some form of monitoring and management
Examples
o Routers
o Switches
o Servers
o Workstations
o Printers
o UPSs

SNMP AGENT
 The agent is a program that runs on the network element. Enabling the agent lets it collect management information from the device locally and make it available to the SNMP manager when queried. Agents may be standard (e.g. Net-SNMP) or vendor-specific (e.g. HP Insight agents).
SNMP agent's key functions
 Collects management information about its local environment
 Stores and retrieves management information as defined in the MIB
 Signals an event to the manager (trap or inform)
 Acts as a proxy for some non-SNMP-manageable network node

MANAGEMENT INFORMATION BASE (MIB)
 A MIB is a text file, written in ASN.1/SMI notation, that defines the managed objects (each with its object identifier, OID) exposed by a particular piece of equipment.
 How the MIB works in 3 steps (e.g. when a new device is added to the network):
o The manufacturer of your device supplies you with a MIB file.
o You load the MIB into your SNMP manager.
o Your SNMP manager uses the MIB to translate the numeric OIDs in messages from the new device into named objects and typed values.
SNMP VERSIONS

SNMP versions
 Since its inception SNMP has gone through significant upgrades. SNMP v1 and v2c remain the most widely deployed versions. Support for SNMP v3 has been catching up because it is far more secure than the older versions, but it still has not reached a comparable market share.
 Security caveat: v1 and v2c authenticate only with a "community string" that is sent in cleartext in every packet, and they provide no integrity or confidentiality. Anyone who can sniff the management traffic can read it and, with a read-write community, reconfigure devices. Restrict SNMP to a management network with ACLs, never leave default communities such as "public" or "private" in place, and prefer v3 with authentication and privacy (authPriv).
SNMPv1:
 This is the first version of the protocol, defined in RFCs 1155 and 1157.

SNMP VERSIONS CONT'D
SNMPv2c:
 This is the revised protocol (RFC 1901 together with RFCs 1902–1908), which includes enhancements over SNMPv1 in protocol packet types (GetBulk, Inform), transport mappings and MIB structure elements, while keeping the existing SNMPv1 administration structure ("community based", hence SNMPv2c).
SNMPv3:
 SNMPv3 (RFCs 3410–3418) defines the secure version of SNMP: the User-based Security Model (USM) adds per-user authentication (HMAC) and optional encryption of the PDU, and the View-based Access Control Model (VACM) restricts which MIB objects each user may read or write. SNMPv3 also facilitates remote configuration of the SNMP entities.

SNMP VERSIONS SUMMARY

SNMP TRAPS
SNMP Manager – polls the Management Information Base (MIB) of network devices to obtain performance statistics.
 An SNMP trap allows a network device to notify a network management system of an event by sending a message, e.g. an error message sent to alert the administrator.
 What are SNMP "Trap" messages?
 SNMP traps are alert messages sent from a remote SNMP-enabled device to a central collector, the "SNMP manager".
 A trap might tell you that a device is overheating, for example. Traps are the agent-initiated form of SNMP communication (polling is the manager-initiated form). They are used to inform an SNMP manager when an important event happens at the agent level. A benefit of using traps for reporting alarms is that they are sent immediately, rather than waiting for a status request from the manager.
 Caveat: a trap is a single UDP datagram with no acknowledgement, so it can be lost. For events that must not be missed, SNMPv2c and v3 provide InformRequest, which the manager acknowledges and the agent retransmits. Because traps are unsolicited, a trap receiver should accept them only from known agents and, with v3, only when authenticated; otherwise anyone on the network can fabricate alarms or flood the collector.
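The message formats behind the manager/agent exchange and the trap described above, as an added example (not the lecture's code and not a vendor library): a minimal BER encoder/decoder for SNMPv2c that builds the GetRequest a manager sends for sysDescr.0, decodes a hand-assembled GetResponse, and builds a v2c Trap whose first two varbinds are sysUpTime.0 and snmpTrapOID.0 as the standard requires. The "public" community and all sample values are constructed. Note that the community string is visible as plain bytes in every message; that is the v1/v2c weakness SNMPv3 fixes. Production code should use a maintained implementation (Net-SNMP, pysnmp) rather than this teaching codec, which does no bounds checking on its input.

```python
# Added teaching codec for SNMPv2c over BER; no bounds checking, use a real library in production.
TAG_INT, TAG_STR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS, TAG_COUNTER64 = 0x41, 0x42, 0x43, 0x46
PDU_GET, PDU_RESPONSE, PDU_TRAP2 = 0xA0, 0xA2, 0xA7
SYS_DESCR, SYS_UPTIME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID, LINK_DOWN = "1.3.6.1.6.3.1.1.4.1.0", "1.3.6.1.6.3.1.1.5.3"

def _length(n):
    if n < 0x80:
        return bytes([n])                          # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: count byte, then the length

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value, tag=TAG_INT):
    # Shortest two's-complement encoding; the spare byte keeps large positives positive.
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])     # first two arcs share one byte
    for arc in arcs[2:]:                           # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(body))

def enc_seq(*items, tag=TAG_SEQ):
    return tlv(tag, b"".join(items))

def build_message(community, pdu_tag, request_id, varbinds):
    """SEQ { version, community, PDU { request-id, error-status, error-index, SEQ of varbinds } }."""
    vbl = enc_seq(*(enc_seq(enc_oid(oid), value) for oid, value in varbinds))
    pdu = enc_seq(enc_int(request_id), enc_int(0), enc_int(0), vbl, tag=pdu_tag)
    return enc_seq(enc_int(1), tlv(TAG_STR, community.encode()), pdu)   # version 1 == SNMPv2c

def build_get(community, oids, request_id):
    return build_message(community, PDU_GET, request_id, [(o, tlv(TAG_NULL, b"")) for o in oids])

def build_trap(community, uptime_ticks, trap_oid, extra=(), request_id=1):
    """v2c Trap-PDU: the first two varbinds must be sysUpTime.0 and snmpTrapOID.0."""
    head = [(SYS_UPTIME, enc_int(uptime_ticks, TAG_TIMETICKS)), (SNMP_TRAP_OID, enc_oid(trap_oid))]
    return build_message(community, PDU_TRAP2, request_id, head + list(extra))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag == TAG_INT:
        return int.from_bytes(body, "big", signed=True)
    if tag in (TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS, TAG_COUNTER64):
        return int.from_bytes(body, "big")
    if tag == TAG_OID:
        return dec_oid(body)
    return {TAG_STR: body.decode("utf-8", "replace"), TAG_NULL: None}.get(tag, body.hex())

def parse_message(buf):
    """Decode a v1/v2c message into a dict; note the community string sits there in cleartext."""
    _, msg, _ = _read_tlv(buf, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)                # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, vpos)
        varbinds[dec_oid(oid)] = dec_value(vtag, vbody)
    return {"version": dec_value(TAG_INT, version), "community": community.decode(),
            "pdu_type": pdu_tag, "request_id": dec_value(TAG_INT, rid),
            "error_status": dec_value(TAG_INT, err), "varbinds": varbinds}

# Constructed GetResponse (hand-assembled bytes, not a real capture): sysDescr.0 = "Linux".
SAMPLE_RESPONSE = bytes.fromhex("302b02010104067075626c6963a21e020101020100020100"
                                "3013301106082b0601020101010004054c696e7578")
```

Calling build_get("public", [SYS_DESCR], 1) yields the 40-byte datagram a manager sends to UDP/161, and parse_message(SAMPLE_RESPONSE) shows what comes back on the same socket; build_trap(...) yields what an agent sends to UDP/162 unsolicited. Run any of them through a hex dump and the community string is legible, which is the whole argument for SNMPv3 on anything reachable from outside the management network.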

NETWORK MONITORING APPLICATIONS
 Nagios
 Monitors servers, switches, devices and services: anything reachable over IP and/or SNMP
NETWORK MONITORING APPLICATIONS CONT'D
 Wireshark
 An open source tool for profiling network traffic and analysing packets
NETWORK MONITORING APPLICATIONS CONT'D
 Smokeping
 Tracks link quality over time: ping RTT, latency, jitter and packet loss
NETWORK MONITORING APPLICATIONS CONT'D
 Cacti
 Graphs resources, traffic, interfaces, transactions and almost anything accessible via SNMP, e.g. temperature, power and other sensor data
WIRESHARK – PROTOCOL ANALYSER
Monitoring network traffic
 Wireshark is a network packet/protocol analyser and is the main tool used in the capturing and analysis of network traffic.
 The captured packets are displayed in sections of the application in great detail to assist administrators in the analysis and troubleshooting of their systems.
 Wireshark needs a packet capture library on the machine where it runs: libpcap on Linux and macOS, and Npcap on current Windows builds (older builds used WinPcap, which is no longer maintained). [Note: the capture library is what lets Wireshark read frames from the communication medium.]
 Wireshark is not malware. It does not inject code into the network.
 It is a passive tool to capture and analyse what is happening on the network. Because it shows everything on the wire, including cleartext credentials and SNMP community strings, treat capture files as sensitive data.
WIRESHARK DASHBOARD
SHARK ATTACK – WIRESHARK ANALYSIS
Apply Filters
 ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or destination]
 ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]
 http or dns [sets a filter to display all HTTP and DNS packets]
 tcp.port==4000 [sets a filter for any TCP packet with 4000 as the source or destination port]
 tcp.flags.reset==1 [displays all TCP resets]
 http.request [displays all HTTP requests (GET, POST, etc.); use http.request.method == "GET" for GET requests only]
 tcp contains rviews [displays all TCP packets whose bytes contain the string 'rviews'. Excellent when searching for a specific string or user ID]
 !(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols are background noise, allowing you to focus on the traffic of interest]
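To make the filter semantics concrete, an added example (not from the lecture or the Wireshark project): a tiny evaluator for the subset of Wireshark's display-filter language used above, run over five constructed packets. It reproduces the points that trip people up: ip.addr and tcp.port match either direction, a bare name tests for a protocol or field being present, `contains` searches the bytes, and `!` binds tighter than `and`/`or`. The packets and their field names are assumptions, and real Wireshark has many more operators and fields than this handles.

```python
import re

# Constructed packets standing in for a capture (not real traffic): the dissected fields a
# filter sees. 'protocols' is the set of layers present; other keys mirror Wireshark field names.
PACKETS = [
    {"no": 1, "protocols": {"ip", "tcp", "http"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.reset": 0,
     "tcp.payload": "GET /rviews HTTP/1.1", "http.request": True},
    {"no": 2, "protocols": {"ip", "tcp"}, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1",
     "tcp.srcport": 80, "tcp.dstport": 51000, "tcp.flags.reset": 1, "tcp.payload": ""},
    {"no": 3, "protocols": {"ip", "udp", "dns"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.53"},
    {"no": 4, "protocols": {"arp"}},
    {"no": 5, "protocols": {"ip", "tcp"}, "ip.src": "10.0.0.7", "ip.dst": "10.0.0.9",
     "tcp.srcport": 4000, "tcp.dstport": 22, "tcp.flags.reset": 0, "tcp.payload": "SSH-2.0-OpenSSH"},
]

TOKEN = re.compile(r'\s*(\(|\)|==|!=|&&|\|\||!|"[^"]*"|[\w.]+)')


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class Parser:
    """Recursive descent, lowest precedence first: or < and < not < comparison/presence/parens."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        self.i += 1
        return self.tokens[self.i - 1]

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok in ("!", "not"):
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in ("==", "!=", "contains"):
            op = self.take()
            return (op, tok, self.take().strip('"'))
        return ("present", tok)          # bare protocol or field name, e.g. 'http', 'http.request'


def field_values(pkt, name):
    """Wireshark fields are multi-valued: ip.addr is src OR dst, tcp.port is either port."""
    names = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}.get(name, (name,))
    values = [pkt[n] for n in names if n in pkt]
    if values:
        return values
    return [True] if name in pkt["protocols"] else []


def evaluate(node, pkt):
    op = node[0]
    if op == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if op == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if op == "not":
        return not evaluate(node[1], pkt)
    if op == "present":
        return bool(field_values(pkt, node[1]))
    field, wanted = node[1], node[2]
    values = field_values(pkt, field)
    if op == "contains":                 # 'tcp contains X' searches the segment payload
        haystack = [pkt.get("tcp.payload", "")] if field == "tcp" else [str(v) for v in values]
        return any(wanted in h for h in haystack)
    matched = any(str(v) == wanted for v in values)
    return matched if op == "==" else bool(values) and not matched


def apply_filter(text, packets=PACKETS):
    """Packet numbers that the display filter would leave visible."""
    node = Parser(tokenize(text)).parse()
    return [pkt["no"] for pkt in packets if evaluate(node, pkt)]


if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.1", "tcp.port==4000", "!(arp or icmp or dns)"):
        print(f"{f:30} -> {apply_filter(f)}")
```

The conversation filter is the one to remember: `ip.addr==A && ip.addr==B` works because each `ip.addr` test independently matches either address field of the same packet, so the conjunction selects exactly the packets exchanged between A and B in both directions.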
