Network Monitoring
- SNMP (Simple Network Management Protocol)
- SNMP uses (listens on) UDP port 161 or port 10161 when using TLS.
- SNMP–managed devices run an agent that talks with a N.M.S. (Network Management Station) (Note: A NMS can run on a virtual machine.)
- N.M.S. (Network Management Station)
- SNMPv1 is unencrypted, SNMPv2 added basic encryption, SNMPv3 added TLS encryption.
- (It’s ok if there are different versions on the same setup.)
- SNMP allows us to administer & manage network devices from a single source.
- SNMP Manager is the device that “talks with” SNMP devices.
- The SNMP Manager (usually a computer) runs the NMS (the interface that talks with the managed devices).
- The NMS will listen on UDP port 162 or TLS port 10162.
- M.I.B.–Management Information Base (built into every managed device)
- a database that we query to be able to talk to that particular device.
- * “Get“–the standard query we use with SNMP. Consists of the NMS sending a “Get” signal to a managed device, & then that device in return, sends a “Response” back.
- “Trap“–a type of failsafe set up on the managed device itself.
- ex’s: What if the printer overheats? What if it gets overloaded with data?
- The managed device will send a “trap” signal.
- SNMPWalk or “Walk”–kind of like a batch process of “gets”. More commonly known as an “SNMPWalk”.
- A SNMP community is an organization of managed devices. “Community” command:
- “RO”–Read Only command
- “RW”–Read Write command
- Ex: “Cacti” is an open-source NMS for graphing SNMP data.
- Others are “Nagios”, “Zabbix”, & “Spiceworks” and “SolarWinds”.
- Documenting Logs
- Review the different types of logs. (Logs keep track of things that have happened.)
- “Event Viewer” is a Windows tool that displays various types of logs.
- Note: Windows does NOT log Network events.
- Many UNIX systems use “syslog”, which works with SNMP.
- System or general logs
- MS “Event Viewer” has Application logs, Security logs; Setup logs; & System logs.
- “Syslog” errors go from 0 (high panic) to 7.
- A “trap” and “an event” have some degree of similarity.
- Other logs are History logs or Change logs.
- System Monitoring
- Abnormal warnings of high error rate or utilization might signify security breaches or broken equipment.
- A baseline helps identify irregular activity that needs to be investigated.
- * File integrity is an important part of a monitoring program.
- * Error rate–signals a problem with some incoming packets (Error rate is a BIG ISSUE!)
- indicates what % or what amount of frames and/or packets coming into the device are physically mauled up or not correct.
- Utilization–really talking about CPUs
- Notification—
- Packet Drops–measure the amount of packets that a particular device can handle.
- Bandwidth–how much data am I moving per second.
- Note: All monitoring tools will have baselines & metrics, which makes sense when you think about it.
- S.I.E.M. (Security Information & Event Management)
- SIEM tools aggregate & correlate data, allowing organization into valuable info.
- A SIEM tool assess & correlates across logs to review an event.
- SIEMs have alerts & the ability to notify based on a configurable trigger.
- 2 important SIEM things are:
- Aggregation–grabbing data from different places and storing it.
- Correlation
- W.O.R.M. (Write once, read many)
- Correlation requires:
- Alerts for notification if something goes bad.
- Triggering–what sets an alert off? ex: exceeding thresholds
- Network Troubleshooting Theory
- Find the problem, gather information, identify the symptoms of the problem, question users, & see if there have been changes.
- Establish the theory of probable cause, use the OSI model to help identify location & problem, and consider future prevention methods.
- Test the theory, isolate variables, establish a plan of action, plan out steps, implement, verify, & test.
- Using the network model as a starting place to troubleshoot network issues is an effective approach & can be performed using a top-to-bottom, bottom-to-top, or “most-likely layer to least-likely layer” (aka divide & conquer) methodology.
