Network security/monitoring

mammador

Platinum Member
Dec 9, 2010
I'd imagine most of us who post here work for firms with their own LAN/WANs, or at the least their own in-house ICT infrastructure (if it's not networked).

But how does monitoring work on a corporate LAN/WAN? It's something I've wondered for a while, since I'd imagine there must be some program or even algorithm that monitors all network traffic (including Web traffic). I guess there would have to be, to know how many packets are being sent, what the QoS is, etc.

But typically how is it done?
 

jlazzaro

Golden Member
May 6, 2004
Software (see http://forums.anandtech.com/showthread.php?t=212931 and http://forums.anandtech.com/showthread.php?t=272198) is configured to monitor each device in your network, be it server, router, firewall, switch, etc. The device's IP address is added to the software so it knows how to contact it. At specific intervals the software polls information from the device via SNMP, WMI, or basic ICMP. Typically every device is monitored via ICMP (aka ping). If a device stops responding to ICMP, an event such as an email notification is triggered.

For Windows servers, the monitoring software might poll server vitals (CPU, memory, disk I/O) every 60 seconds using WMI. These statistics are stored in a database and graphed for historical purposes. If these statistics violate a configured threshold (i.e. memory > 90%), an event such as an email notification is triggered.

Using your example, the monitoring software would poll each router interface using the SNMP MIB OID for inbound and outbound utilization (among others). Once again, every polling result is stored in a database and graphed (such as http://www.stellarllc.net/Graph3.PNG). You could configure the software to send an email notification if the router interface has been >95% for at least 5 minutes. For monitoring ALL network traffic, you would use a specialized protocol like NetFlow.

There is much more to it, but that's the basic operation. Read some of these links to get a better understanding:

http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
http://en.wikipedia.org/wiki/Network_monitoring
http://en.wikipedia.org/wiki/Netflow
http://en.wikipedia.org/wiki/Windows_Management_Instrumentation
 
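The threshold-plus-duration rule jlazzaro describes (memory > 90%, or an interface above 95% for at least 5 minutes, with a separate event when a device stops answering polls) as an added Python example. This is not code from the thread or from any monitoring product; the poll data is constructed and the function names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    ts: int                 # poll time in seconds since epoch
    value: Optional[float]  # polled value; None when the device did not answer


def sustained_breaches(samples: List[Sample], threshold: float,
                       hold_seconds: int) -> List[Tuple[int, int]]:
    """Return (first_ts, last_ts) of every run of polls in which value > threshold
    was seen continuously for at least hold_seconds. A missed poll (None) ends
    the run, so the alert rests only on values that were actually observed."""
    windows: List[Tuple[int, int]] = []
    run_start = run_last = None
    for s in sorted(samples, key=lambda x: x.ts):
        if s.value is not None and s.value > threshold:
            run_start = s.ts if run_start is None else run_start
            run_last = s.ts
            continue
        if run_start is not None and run_last - run_start >= hold_seconds:
            windows.append((run_start, run_last))
        run_start = run_last = None
    if run_start is not None and run_last - run_start >= hold_seconds:
        windows.append((run_start, run_last))
    return windows


def unreachable_at(samples: List[Sample], missed_polls: int) -> List[int]:
    """Timestamps at which a device has failed to answer missed_polls polls in a
    row (the 'stops responding to ICMP' case). Requiring more than one miss
    avoids paging on a single dropped packet."""
    hits, streak = [], 0
    for s in sorted(samples, key=lambda x: x.ts):
        streak = streak + 1 if s.value is None else 0
        if streak == missed_polls:
            hits.append(s.ts)
    return hits


# Constructed 60-second polls of one router interface's utilisation (%).
UTIL_POLLS = [Sample(i * 60, v) for i, v in enumerate(
    [40, 96, 97, 98, 99, 97, 96, 60, 97, 98, None, 97, 98, 99, 99, 99, 99, 50])]

if __name__ == "__main__":
    print(sustained_breaches(UTIL_POLLS, threshold=95, hold_seconds=300))
    print(unreachable_at(UTIL_POLLS, missed_polls=2))
```

With these polls the two-sample spike at 480-540 s is ignored and the single unanswered poll at 600 s breaks the following run, so only the two runs that really spanned five minutes are reported.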

Emulex

Diamond Member
Jan 28, 2001
You could use host-based IPS and/or IPS units to manage flow and threat monitoring. If you want to measure pure network traffic, it's easier to set up Nagios on your decent switches (or SolarWinds if you like to spend lots of money).
 

sactwnguy

Member
Apr 17, 2007
SolarWinds is a lot of money? It's a bargain for what it does. My company started a new monitoring group two years ago, and so far they have dropped over two million in software and man-hours trying to get HP OpenView to do what my group did in a couple of days on SolarWinds. Nagios is OK, but commercial support is not that great, and in large environments that is a hard sell to management. For security management ArcSight is a good product, but it is expensive.