
Making the Connection

In document Network Security Illustrated pdf (Page 47-51)

Cryptography: Data traveling across the network can be encrypted for added security.

Outsourcing: Network monitoring is frequently outsourced, which has many benefits and issues, enough that it gets its own chapter in the next part.

Disaster prevention: Proper monitoring can help detect minor failures before they become major ones.

22 Network Security Illustrated

Proactive security: Data gathered while monitoring can make risk-management techniques and forensics much easier.

Determining identity: Access attempts, successes, and failures can be monitored to detect intrusions.

Preserving privacy: Data can be used to assemble profiles on users. This might be a benefit or a problem, depending on your organizational policies.

Networking hardware: Most network hardware is designed to provide information to monitoring systems, either through SNMP or some other system.

Firewalls/proxies: These devices are the first line of defense from the outside world and can help identify problems and abuse inside and outside the network.

Storage: Full disk drives, exceeded quotas, and file corruption can be detected by monitoring the local file systems of critical machines such as servers. Performance, data access problems, and corruption can be detected and fixed.

Detecting intrusions: Most intrusion-detection systems are built as part of a larger monitoring application or they are integrated with central monitoring applications. The two concepts are closely related.

Expediting recovery: A good monitoring system immediately indicates any problem that requires disaster recovery. The faster a problem is identified, the faster a solution can be executed.

Best Practices

The biggest problem in implementing network monitoring is determining which command center software is right for your network. After all, you won’t find this type of software sitting in a shrink-wrapped box at your local computer store.

The current crop of network management systems falls into three classes. In first class, you’ll find extraordinarily expensive “solutions”[3], such as IBM’s Tivoli, HP’s OpenView, and CA’s Unicenter. In business class, you’ll find smaller vendors and consultants. Back in coach, you’ll find a bunch of open-source software developers eating peanuts and hacking into the in-flight entertainment system. They have created free systems called Nagios, Ganglia, and OpenNMS.

Which way you go depends on the size of your company. If your company is huge, with a network consisting of thousands of computers, you’ll want to look at the high-end solutions. If you’re a business that can free up time but not money, or if you have a savvy IT department with Unix skills, the open-source systems are a great place to start. It can also be helpful to talk to a few consulting firms that offer products or services that fit your needs. Often the right consultants can implement and manage one of the open-source or low-cost solutions provided by niche vendors.

Part I Managing Security 23

Chapter 2 Managing Security: Systems and Network Monitoring

[3] By solution, we mean the product + implementation consulting + new servers + new networking hardware + yearly licensing + permanent operational consulting + technical support contract + hardware maintenance contracts + software upgrade contract.

You need to have a clear idea about what you’re looking for in order to effectively evaluate these applications. Otherwise, you’ll never be able to make sense of the various marketing materials and feature sets. Here are some questions to consider:

• What do you want to know? Do you want to know about hardware and software problems? Do you want to be able to monitor individual users or aggregate usage patterns? Do you want to be able to detect intruders and vulnerabilities?

• What will you do with the information? Do you want the system to automatically fix problems? Do you have procedures for escalating problems that need to be taken into account?

• Do you want to be able to remotely deploy or configure software? Do you want to centralize the management of user accounts?

• Will more than one person access the control system? Will different people accessing the system need different levels of access?

• Is the command system going to be on the network that it’s monitoring, or do you need to operate from a remote network?

• Information traveling to monitoring systems is sensitive. Is it properly encrypted to ensure safety?

• What happens if hackers get control of the command center?

Final Thoughts

If you are considering the high-end products, go to their Web sites. Confused by all the different products and solutions? It’s intentional. You’re supposed to get a sales rep to tell you what you need, but just in case you want to figure it out alone, here are a few pointers:

• Products such as Tivoli, OpenView, or Unicenter are not designed to work right out of the box. What you’re buying is a core product and lots of component modules that provide specific types of control and analysis. Components are also provided to connect to the various machines in your network for advanced operations. For example, one component might be specifically designed to interact with an Oracle database.

• These companies have cleverly designed their solutions such that every high-end product in their catalogue is a “necessary component.” Put some pressure on the sales rep and watch how quickly things become “optional.”

• You might notice that things you thought were related (such as security and network monitoring) are sold as separate products. Many vendors split up their software based on marketing potential, not technical functionality. So what should be a single system is actually five or more separate systems with overlapping functionality.


• Think twice about the third-party applications on your network. Are they all absolutely necessary? Running a tighter ship will simplify command center integration. With fewer unusual applications running, less interface customization will be required.

If you ask any of these high-end vendors about the smaller solutions (including open source), they may turn their nose up. Ask them to explain why their system is better and they’ll present three basic arguments: features, scalability, and support. All three are flawed arguments.

Many of the features the large systems offer will never be used in practice. Think about all the features in Microsoft Office that are hyped up but are unnecessary for conducting normal business in your organization. If the smaller software solutions do what you want them to do, why should you care about features you’ll never use?

The big players will tell you their products are much more scalable. They really aren’t; they just require really powerful equipment, and that same equipment will generally solve the scalability issues of most software.

Support is also a trick argument. If you use one of the major open-source applications (Ganglia, Nagios, or OpenNMS), you may find cheaper consultants that can support the system. What you may not find is standards. Support might be a fraction of the cost that major vendors charge, but are you getting the same peace of mind and consistent service?

You might find that no single open-source system has all the features you want. The good news is you can try them all indefinitely, because they are free. That said, some aspects of these systems could create extra network traffic. Make sure you’re not congesting your network with overlapping functionality.

Open-source systems often require a degree of tinkering that is equivalent to giving the space shuttle a tune-up. Sometimes what is saved in licensing fees is lost in time. Be sure to have the right people working on the project who have specific experience with open-source network monitoring systems.

