
Network Monitoring As a Layer of Security Page 1

August 4, 2009

CS 691 – Advanced System Security Design

Security Project Documentation

Network Monitoring

As a Layer of Security

Jeff Miller

University of Colorado – Colorado Springs


Table of Contents

Table of Figures (p. 2)
1 Introduction (p. 3)
1.1 What network monitoring is not (p. 3)
1.2 What to Monitor (p. 5)
1.3 Practical Application (p. 6)
2 Monitoring Concepts (p. 7)
2.1 SNMP (p. 8)
2.2 Other Passive Techniques (p. 12)
3 Monitoring Solutions (p. 13)
4 Nagios (p. 14)
4.1 Preparation (p. 15)
4.2 Installation (p. 16)
4.3 Configuration (p. 22)
4.3.1 Windows XP Clients (p. 22)
4.3.2 Linksys WRT54GS Router (p. 26)
4.3.3 HP LaserJet 4 (p. 28)
4.4 Monitoring (p. 30)
4.5 Recommendations (p. 33)
5 Conclusion (p. 33)
6 References (p. 34)

Table of Figures

Figure 1 – Items to Monitor (p. 5)
Figure 2 - Smart Grid Monitoring (p. 6)
Figure 3 - Military Monitoring (p. 7)
Figure 4 - MIB Storage Structure (p. 9)
Figure 5 - Oracle DB MIB Hierarchy (p. 10)
Figure 6 - SNMP Overview (p. 11)
Figure 7 - NSClient++ (p. 14)
Figure 8 - Test Bed Lab (p. 15)
Figure 9 - Nagios Portal (p. 22)
Figure 10 - Synaptic Package Manager (p. 28)
Figure 11 - Tactical Overview (p. 30)
Figure 12 - Current Status by Group (p. 31)
Figure 13 – Service Status (p. 32)
Figure 14 - Service Status Trap Warning (p. 32)


1 Introduction

The concept of network monitoring is not new, nor is it as simplistic as the name might imply. Today’s networks are astoundingly large and complex. As a company grows, so does its reliance on the network for communication and collaboration. Some companies, such as e-businesses, could not exist without technology. So what then is network monitoring? In its most basic form, network monitoring is a vital activity in which one or more systems constantly collect network status information from network devices, services, servers and various applications. When a problem exists, the administrator is alerted to the nature and source of the problem. Typical network management/monitoring systems can send alert messages in various forms such as text message (SMS), email, cell phone, pager, etc.

CIO Magazine recently published an article that provides an excellent high-level definition of network monitoring. The article describes monitoring as follows: “Your doctor is watching for danger signs as blood flows through vessels, valves and chambers of the heart, while your network monitoring systems are tracking data moving along cables and through servers, switches, connections and routers.” The comparison of a physician monitoring the health of a human body to that of a network administrator monitoring his or her network paints a much more realistic picture of the goals of network monitoring. Just like the human body, enterprise networks and data centers are comprised of many subsystems, each with a differing degree of criticality and separate thresholds that indicate the health of the organization [1].

With the increasing threat of cyber attack, network monitoring takes on a whole new challenge. Some of the security challenges facing network administrators include hackers, Denial of Service (DoS) attacks, viruses, and information theft. The remainder of this document provides an overview of network monitoring, common techniques, potential applications, a list of common monitoring products, and a walk-through of the implementation and configuration of a free open source monitoring system called Nagios.

1.1 What network monitoring is not

In addition to discussing the general concepts of network monitoring, it is also important to understand what network monitoring isn’t. Network monitoring is not an intrusion prevention system (IPS) or intrusion detection system (IDS), nor is it a substitute for these kinds of systems, even though it provides valuable information about the activity on the network. As with any security design, a layered approach is best. With respect to security, the monitoring system should be considered as another layer of security used to augment an existing security design rather than a fix-all for security issues.

No IDS, IPS, or firewall can guarantee 100 percent prevention or detection of attacks; however, historic and real-time data from the monitor can help identify troubled areas. That being said, how can a monitoring system help increase system security?

General benefits include:

• Spot overloaded equipment before it can bring down a network
• Help determine employee productivity
• Identify weak wide-area-network links and other bottlenecks
• Measure latency, or the delayed transfer of data
• Provide executives the ammo they need to justify network upgrades
• Prove SLAs are being met

Security specific benefits include:

• Increased overall awareness of the enterprise
• Detect anomalous or heuristic internal traffic that might indicate a security threat such as a DDoS attack, by comparing historical data to real-time actual data
• Detect compromised computers being used as part of a bot-net in a DDoS attack by increased CPU cycles when no user is logged in
• Detect overloaded systems, crashed servers, lost network connections, virus or malware infections, and power outages
• Detect remote systems that are unavailable and that may have been compromised or vandalized
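One of the security-specific benefits above, high CPU use on a machine with nobody logged in, can be turned into a scheduled check. The following is an added example, not code from the report or from the Nagios project: a plugin in Python that follows the Nagios plugin conventions (exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, one status line, optional performance data after a '|'). The CPU percentage and logged-in session count are passed as arguments; in a real deployment they would come from an agent such as NSClient++, and the 50/80 percent thresholds are assumptions.

```python
#!/usr/bin/env python3
"""check_idle_cpu.py: added example of a Nagios-style plugin for the
"busy CPU with no user logged in" heuristic from section 1.1.

Nagios reads the plugin's exit code (0 OK, 1 WARNING, 2 CRITICAL,
3 UNKNOWN) and its single status line; text after '|' is performance
data that Nagios stores for graphing and later comparison."""
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate(cpu_pct, logged_in_users, warn=50.0, crit=80.0):
    """Return (state, status_line) for one sample.

    CPU load is only treated as suspicious when no interactive user can
    account for it: an idle workstation burning cycles is the symptom the
    report associates with a compromised host working for someone else.
    With a user logged in the same load is reported as OK, but the value
    still goes into perfdata so the history can be compared later.
    """
    if not (0.0 <= cpu_pct <= 100.0) or logged_in_users < 0:
        return UNKNOWN, "UNKNOWN - invalid sample (cpu=%r, users=%r)" % (cpu_pct, logged_in_users)
    perfdata = "cpu=%.1f%%;%.0f;%.0f;0;100 users=%d" % (cpu_pct, warn, crit, logged_in_users)
    if logged_in_users == 0 and cpu_pct >= crit:
        state, text = CRITICAL, "CPU %.1f%% with no user logged in" % cpu_pct
    elif logged_in_users == 0 and cpu_pct >= warn:
        state, text = WARNING, "CPU %.1f%% with no user logged in" % cpu_pct
    else:
        state, text = OK, "CPU %.1f%%, %d user(s) logged in" % (cpu_pct, logged_in_users)
    return state, "%s - %s | %s" % (STATE_NAMES[state], text, perfdata)


def main(argv):
    # Usage: check_idle_cpu.py <cpu_percent> <logged_in_users> [warn] [crit]
    try:
        cpu = float(argv[1])
        users = int(argv[2])
        warn = float(argv[3]) if len(argv) > 3 else 50.0
        crit = float(argv[4]) if len(argv) > 4 else 80.0
    except (IndexError, ValueError):
        print("UNKNOWN - usage: check_idle_cpu.py <cpu_percent> <logged_in_users> [warn] [crit]")
        return UNKNOWN
    state, line = evaluate(cpu, users, warn, crit)
    print(line)          # the one line Nagios shows in the service status view
    return state         # becomes the exit code Nagios maps to a state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```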


1.2 What to Monitor

Monitoring tools are customizable and can monitor a range of items. Most systems come with a predefined set of devices but also support custom devices through updates. Figure 1 – Items to Monitor is a list provided by IPSwitch, Inc. of potential items and the justification for why they should be monitored [2].

Figure 1 – Items to Monitor


1.3 Practical Application

Business domains or deployment locations for network monitoring systems can be as diverse as the individual devices they monitor. Organizations or domains that would most likely benefit from real-time monitoring include, but are not limited to, the following: internet service providers, utility companies, hospitals, military networks, and large corporations that rely heavily on networked computer systems.

Figure 2 - Smart Grid Monitoring represents a Landis+Gyr Advanced Metering Infrastructure (AMI) smart grid deployment [3]. By utilizing network monitoring the utility company’s network administrator would be more likely to detect potential threats such as vandalism, tampering, denial of service (DoS), and compromised systems that are controlled by rogue processes.

Figure 2 - Smart Grid Monitoring

Figure 3 represents how a monitoring system could be applied to the infrastructure devices of a military communication system [4]. In this example the administrator would receive an alert when a tracked “blue force” vehicle becomes unavailable. This would be a signal to other troops that something bad may have happened to this unit. The other scenario displayed below is a compromised command post. If the network monitoring system determined that anomalous activity had occurred or that multiple incorrect password attempts were made on the system, this could indicate that further investigation should be conducted.

2 Monitoring Concepts

Monitoring methodologies can be categorized into the two major subsets of active and passive. Passive monitoring is the most basic and most common. Passive monitoring devices watch and record real-time traffic as it passes by. Passive techniques include traffic sniffers such as Wireshark or agents that are built into network devices and operating systems. Examples of passive technologies that are built into devices are Simple Network Management Protocol (SNMP), Remote Monitoring (RMON), and NetFlow/JFlow. It is important to note that passive monitoring does not create additional traffic besides the minimal amount required to collect information and send alerts [5].

Figure 3 - Military Monitoring

Passive Techniques

• SNMP
• RMON
• NetFlow/JFlow – Flow analysis
• Packet Sniffer (Wireshark)

Active network monitoring involves the generation and injection of test packets into the network. This generated test data is sent to devices, servers, and/or applications. Measurements are taken to ensure that the data reached its intended destination. Another name for active monitoring is end-to-end, as test data is generated and tracked from creation to consumption. Although the volume of active monitoring traffic is much higher than passive, it is fully adjustable because it is controlled by the monitoring system. Stanford University points out that active monitoring is best for the emulation of scenarios used to ensure Quality of Service (QoS) or Service Level Agreements (SLAs) [5].

2.1 SNMP

Simple Network Management Protocol is the easiest passive monitoring technique to use because most devices support it out of the box. SNMP follows defined standards that are controlled by the Internet Engineering Task Force (IETF) and the IEEE. SNMP uses a manager/agent architecture. The monitoring system would host the manager while all SNMP enabled devices would run a background agent to gather information.

At its core SNMP is a set of commands and a hierarchical collection of managed objects called the Management Information Base (MIB). The MIB contains unique object identifiers (OIDs) used to identify, store and retrieve information about the devices. Figure 4 represents the MIB structure and shows how data about each object is stored [6].

Figure 4 - MIB Storage Structure

Figure 5 represents the MIB object hierarchy of the Oracle Relational Database Management System (RDBMS). Objects that support the trapping of events would be located under 3.6.1.2.1.55.2 (rdbmsTraps).

Figure 5 - Oracle DB MIB Hierarchy

The manager polls each agent using an SNMP request to retrieve current information. SNMP also supports setting traps. Traps allow the agents to report unexpected events and error conditions to the monitor. Traps could include memory/cpu thresholds or even notifications from an operating system or printer [7].

Figure 6 shows the flow of SNMP polling requests from the SNMP Manager to various SNMP enabled devices. Polling requests are sent on UDP port 161. As noted earlier, some devices can also be configured to send SNMP Traps to the Manager. Trap messages are sent on UDP port 162. In the figure below the Server OS or server application is configured to send trap messages.

Figure 6 - SNMP Overview
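To make the polling and trap exchange concrete, here is an added example (not from the report; written for this page with only the Python standard library) that builds an SNMPv1 GetRequest of the kind a manager sends to UDP port 161 and an SNMPv1 Trap of the kind an agent sends to UDP port 162, then decodes them the way a packet sniffer on the path would. The community string 'public', request id 42, the agent address 192.0.2.10 and the enterprise OID are constructed sample values; nothing is sent on the network.

```python
"""Added example: SNMPv1 GetRequest and Trap messages encoded in ASN.1 BER
(RFC 1157 layout), plus a decoder showing what a sniffer sees. Constructed
sample values only; no device is contacted."""

# ASN.1/BER tags used by SNMPv1
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, TIMETICKS = 0x40, 0x43
GET_REQUEST, TRAP = 0xA0, 0xA4
PDU_NAMES = {GET_REQUEST: "GetRequest", TRAP: "Trap"}


def _length(n):
    """BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def _int_bytes(value):
    """Minimal two's-complement content octets, as BER requires."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "big", signed=True)


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = more
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def get_request(community, oid, request_id):
    """Manager -> agent poll (UDP 161): one OID, value left NULL for the reply."""
    varbind = tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, tlv(INTEGER, _int_bytes(request_id))
              + tlv(INTEGER, _int_bytes(0)) + tlv(INTEGER, _int_bytes(0))
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, tlv(INTEGER, _int_bytes(0))          # version 0 = SNMPv1
               + tlv(OCTET_STRING, community.encode()) + pdu)


def trap_v1(community, enterprise, agent_ip, generic, specific, uptime):
    """Agent -> manager notification (UDP 162), sent without being polled."""
    pdu = tlv(TRAP, enc_oid(enterprise)
              + tlv(IPADDRESS, bytes(int(o) for o in agent_ip.split(".")))
              + tlv(INTEGER, _int_bytes(generic)) + tlv(INTEGER, _int_bytes(specific))
              + tlv(TIMETICKS, _int_bytes(uptime)) + tlv(SEQUENCE, b""))
    return tlv(SEQUENCE, tlv(INTEGER, _int_bytes(0))
               + tlv(OCTET_STRING, community.encode()) + pdu)


def decode(data):
    """Parse BER into (tag, value) pairs; constructed tags recurse."""
    items, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                           # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if tag & 0x20:                              # SEQUENCE or a PDU
            items.append((tag, decode(body)))
        elif tag in (INTEGER, TIMETICKS):
            items.append((tag, int.from_bytes(body, "big", signed=True)))
        elif tag == OCTET_STRING:
            items.append((tag, body.decode("latin-1")))
        else:
            items.append((tag, bytes(body)))
    return items


def summarize(message):
    """What a sniffer on the path sees: version, the community string in the
    clear, and the PDU type. SNMPv1/v2c encrypt none of this."""
    (_, version), (_, community), (pdu_tag, fields) = decode(message)[0][1]
    return {"version": version, "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "fields": len(fields)}
```

Because the community string is readable by anyone who can capture the UDP datagram, the same Wireshark capture the report recommends for analysis also reveals it, which is why the community should be treated as a credential and SNMP traffic kept on a management network.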


2.2 Other Passive Techniques

Other common passive monitoring techniques include RMON, NetFlow/JFlow, and the use of traffic sniffers. RMON is a special form of SNMP that uses a specific MIB. RMON is not supported by every SNMP enabled device because it requires more expensive hardware. More expensive hardware provides more CPU cycles and more memory compared to standard SNMP enabled devices. The RMON architecture consists of a monitor console and probes.

NetFlow is another effective way to monitor the network. NetFlow was developed by Cisco Systems and uses a collector/probe architecture to monitor traffic flow. Juniper Networks created a similar version called JFlow. Although very useful, these flow based monitoring techniques are proprietary and not supported by all devices.

Network traffic sniffers are the last technique that will be discussed in this paper. Traffic sniffers like Wireshark record real-time network packets and display results for analysis. By using a traffic sniffer one can determine exactly what network traffic is being sent, what ports are being used, who the intended destination is, and what is in the payload.


3 Monitoring Solutions

When selecting a monitoring system for your network infrastructure there are many solutions available. Commercial solutions come in a variety of forms: hardware appliances, software solutions, and even outsourced service solutions. Commercial products range from thousands of dollars to hundreds of thousands of dollars. The following are some of the most common commercial monitoring solutions, with dollar signs to represent very high level price comparisons:

• HP OpenView - $$$
• CISCOWorks - $$$
• SolarWinds Orion - $$
• OpManager - $
• WhatsUpGold - $
• PRTG - $

Besides commercial products there are many open source products available as well. Open source products are innovative, inexpensive, and numerous. Because open source products are free, support is limited or non-existent. They are often much more difficult to install and configure. Open source provides greater flexibility at the cost of easy configuration. The more customization required, the more coding and configuration must be done. Two common open source monitoring products are Nagios and MRTG. Nagios was chosen for the lab portion of this project and is demonstrated in Section 4. Wikipedia has a good side by side comparison of common network monitoring systems [8].


4 Nagios

Nagios was chosen as the monitoring system to demonstrate in this paper for two reasons: first, Nagios is free under the GPL license and second, Nagios came highly recommended from co-workers and other network security professionals. The current release is version 3.1.2 and will be deployed on the latest Ubuntu Linux Desktop operating system. Network services like smtp, http, dns, and ftp can be easily monitored without the use of client add-ons; however, additional information can be retrieved from Windows client devices with the use of the Nagios client NSClient++.

The Nagios program consists of three elements or parts: first the core application or the monitor system, second the plug-ins that support the gathering of information (Figure 7 represents how NSClient++ hooks into a Windows client to retrieve more detailed information), and third add-ons which include things like Perl scripts and MIB object information for monitoring specific devices [9].

Nagios Elements

• Core
• Plug-ins – NSClient++ [10]
• Add-ons – Perl Scripts/MIB Objects

Figure 7 - NSClient++


4.1 Preparation

In preparation for the Nagios 3.1.2 demonstration a sample test bed environment was created that would allow for the monitoring of four client devices. Figure 8 shows the actual environment with the planned software for each device.

The Test Bed Lab Environment for Nagios consisted of the following devices:

• 1 Pentium 4 Ubuntu Linux Desktop for hosting the Nagios Network Management/Monitoring System
• 2 Pentium 4 Windows XP Laptops for testing the NSClient++ Plug-in
• 1 Networked Printer (with HP JetDirect card) for testing SNMP traps
• 1 Linksys WRT54GS Router (with modified DD-WRT Linux Firmware allowing SNMP) for testing general SNMP polling
• 1 Unmanaged Network Switch for extra connectivity

The preparation phase ended once Ubuntu Desktop 9.04 was successfully installed on the desktop machine.

Figure 8 - Test Bed Lab


4.2 Installation

The installation of Nagios required the following steps on Ubuntu:

• Install Apache 2
• Install PHP 5
• Install GCC Compiler and development libraries
• Install GD graphics library v2 for drawing
• Create Nagios User/Groups/Permissions
• Download Nagios 3.1.2 source code and Plug-in source code
• Compile and Install Nagios
• Basic server configuration
• Compile and install plug-in source code

The Nagios/Ubuntu quick start guide was followed for most of this installation; however, the guide was written for Ubuntu 6.10 so some changes are reflected below. For more information on the Nagios Quick Start installation guide visit http://nagios.sourceforge.net [11].

Apache 2 Install

jeff@jeff-desktop:~$ sudo apt-get install apache2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-2.6.28-11 linux-headers-2.6.28-11-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
apache2-mpm-worker apache2-utils apache2.2-common libapr1 libaprutil1
libmysqlclient15off libpq5 mysql-common
Suggested packages:
apache2-doc apache2-suexec apache2-suexec-custom
The following NEW packages will be installed:
apache2 apache2-mpm-worker apache2-utils apache2.2-common libapr1
libaprutil1 libmysqlclient15off libpq5 mysql-common
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3607kB of archives.
After this operation, 10.3MB of additional disk space will be used.
Do you want to continue [Y/n]? y

PHP 5 Install

jeff@jeff-desktop:~$ sudo apt-get install libapache2-mod-php5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-2.6.28-11 linux-headers-2.6.28-11-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
apache2-mpm-prefork php5-common
Suggested packages:
php-pear
The following packages will be REMOVED:
apache2-mpm-worker
The following NEW packages will be installed:
apache2-mpm-prefork libapache2-mod-php5 php5-common
0 upgraded, 3 newly installed, 1 to remove and 0 not upgraded.
Need to get 3091kB of archives.
After this operation, 6287kB of additional disk space will be used.
Do you want to continue [Y/n]? y

G++ Compiler and Dependencies Install

jeff@jeff-desktop:~$ sudo apt-get install build-essential
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-2.6.28-11 linux-headers-2.6.28-11-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
dpkg-dev g++ g++-4.3 libstdc++6-4.3-dev patch
Suggested packages:
debian-keyring g++-multilib g++-4.3-multilib gcc-4.3-doc libstdc++6-4.3-dbg
libstdc++6-4.3-doc diff-doc
The following NEW packages will be installed:
build-essential dpkg-dev g++ g++-4.3 libstdc++6-4.3-dev patch
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 6270kB of archives.
After this operation, 21.4MB of additional disk space will be used.
Do you want to continue [Y/n]? y

GD Graphics Library ver. 2 Package

jeff@jeff-desktop:~$ sudo apt-get install libgd2-xpm-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
linux-headers-2.6.28-11 linux-headers-2.6.28-11-generic
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
libexpat1-dev libfontconfig1-dev libfreetype6-dev libgd2-xpm libjpeg62-dev
libpng12-dev libpthread-stubs0 libpthread-stubs0-dev libx11-dev libxau-dev
libxcb1-dev libxdmcp-dev libxpm-dev x11proto-core-dev x11proto-input-dev
x11proto-kb-dev xtrans-dev zlib1g-dev
Suggested packages:
libgd-tools
The following packages will be REMOVED:
libgd2-noxpm
The following NEW packages will be installed:
libexpat1-dev libfontconfig1-dev libfreetype6-dev libgd2-xpm libgd2-xpm-dev
libjpeg62-dev libpng12-dev libpthread-stubs0 libpthread-stubs0-dev
libx11-dev libxau-dev libxcb1-dev libxdmcp-dev libxpm-dev x11proto-core-dev
x11proto-input-dev x11proto-kb-dev xtrans-dev zlib1g-dev
0 upgraded, 19 newly installed, 1 to remove and 0 not upgraded.
Need to get 4567kB of archives.
After this operation, 14.6MB of additional disk space will be used.
Do you want to continue [Y/n]? y

Create User/Groups/Permissions

jeff@jeff-desktop:~$ sudo -s
root@jeff-desktop:~# /usr/sbin/useradd -m -s /bin/bash nagios
root@jeff-desktop:~# passwd nagios
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@jeff-desktop:~#

<<Note I entered cs691 as the password>>

root@jeff-desktop:~# /usr/sbin/groupadd nagcmd
root@jeff-desktop:~# /usr/sbin/usermod -a -G nagcmd nagios
root@jeff-desktop:~# /usr/sbin/usermod -a -G nagcmd www-data

Download Nagios Source Code

root@jeff-desktop:~# mkdir ~/downloads
root@jeff-desktop:~/downloads# wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz
--2009-07-21 21:27:18-- http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz
Resolving prdownloads.sourceforge.net... 216.34.181.59
Connecting to prdownloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://softlayer.dl.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz [following]
--2009-07-21 21:27:18-- http://softlayer.dl.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz
Resolving softlayer.dl.sourceforge.net... 74.86.229.28
Connecting to softlayer.dl.sourceforge.net|74.86.229.28|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3172982 (3.0M) [application/x-gzip]
Saving to: `nagios-3.1.2.tar.gz'
100%[======================================>] 3,172,982 126K/s in 20s
2009-07-21 21:27:39 (152 KB/s) - `nagios-3.1.2.tar.gz' saved [3172982/3172982]
root@jeff-desktop:~/downloads# wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
--2009-07-21 21:32:33-- http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
Resolving prdownloads.sourceforge.net... 216.34.181.59
Connecting to prdownloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://softlayer.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz [following]
--2009-07-21 21:32:33-- http://softlayer.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz
Resolving softlayer.dl.sourceforge.net... 74.86.229.28
Connecting to softlayer.dl.sourceforge.net|74.86.229.28|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2279556 (2.2M) [application/x-gzip]
Saving to: `nagios-plugins-1.4.13.tar.gz'
100%[======================================>] 2,279,556 131K/s in 15s
2009-07-21 21:32:48 (150 KB/s) - `nagios-plugins-1.4.13.tar.gz' saved [2279556/2279556]
root@jeff-desktop:~/downloads#
root@jeff-desktop:~/downloads# tar xzf nagios-3.1.2.tar.gz

Compile and Install

root@jeff-desktop:~/downloads# cd nagios-3.1.2/
root@jeff-desktop:~/downloads/nagios-3.1.2# ls
base configure.in install-sh nagios.spec t
cgi contrib LEGAL OutputTrap.pm tap
Changelog daemon-init.in LICENSE p1.pl THANKS
common functions Makefile.in pkginfo.in t-tap
config.guess html make-tarball README update-version
config.sub include mkpackage sample-config UPGRADING
configure INSTALLING module subst.in xdata
root@jeff-desktop:~/downloads/nagios-3.1.2# ./configure --with-command-group=nagcmd
** Configuration summary for nagios 3.1.2 06-23-2009 ***:
General Options:
-------------------------
Nagios executable: nagios
Nagios user/group: nagios,nagios
Command user/group: nagios,nagcmd
Embedded Perl: no
Event Broker: yes
Install ${prefix}: /usr/local/nagios
Lock file: ${prefix}/var/nagios.lock
Check result directory: ${prefix}/var/spool/checkresults
Init directory: /etc/init.d
Apache conf.d directory: /etc/apache2/conf.d
Mail program: /bin/mail
Host OS: linux-gnu
Web Interface Options:
------------------------
HTML URL: http://localhost/nagios/
CGI URL: http://localhost/nagios/cgi-bin/
Traceroute (used by WAP):
Review the options above for accuracy. If they look okay,
type 'make all' to compile the main program and CGIs.

<<Compile the Nagios source code.>>

make all

<<Install binaries, init script, sample config files and set permissions on the external command directory.>>

make install
make install-init
make install-config
make install-commandmode

The Nagios installation guide suggests a few configuration changes before starting the server.

<<Edit the /usr/local/nagios/etc/objects/contacts.cfg config file and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.>>

vi /usr/local/nagios/etc/objects/contacts.cfg

<<Install the Nagios web config file in the Apache conf.d directory.>>

make install-webconf

<<Create a nagiosadmin account for logging into the Nagios web interface. The last argument is the user name; htpasswd then prompts for the password you will use to log into the nagiosadmin webpage.>>

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

<<Restart Apache to make the new settings take effect.>>

/etc/init.d/apache2 reload

Compile and Install Plugin Source Code

cd ~/downloads
tar xzf nagios-plugins-1.4.13.tar.gz
cd nagios-plugins-1.4.13
./configure --with-nagios-user=nagios --with-nagios-group=nagios
make
make install

Start Nagios

<<Configure Nagios to automatically start when the system boots>>

ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios

<<Verify the sample Nagios configuration files>>

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

<<If there are no errors, start Nagios>>

/etc/init.d/nagios start

Other Very Helpful Commands

Before starting the server, verify that the devices being monitored are configured properly by running the following:

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

This command restarts the server after you make changes to configuration files:

sudo /etc/init.d/nagios restart

Open a web browser and go to http://localhost/nagios/

Username: nagiosadmin
Password: cs691 <<or whatever password you used earlier>>

Figure 9 shows the Nagios portal as viewed upon login.

Figure 9 - Nagios Portal

4.3 Configuration

Section 4.3 describes how to add devices for Nagios to monitor. The main configuration file resides in /usr/local/nagios/etc/nagios.cfg. The main nagios.cfg file points to several other object configuration files within the objects directory.

4.3.1 Windows XP Clients

Download and install NSClient++ on workstations [11]. There is an install option that runs the app in the system tray. Ignore this option and run the regular “/install” command (Note: I experienced problems with running in the system tray). The following are basic commands:

NSClient++ /install

NSClient++ /uninstall

NSClient++ /start

NSClient++ /stop

NSClient++ /test

Note: Firewall port 12489 must be open. Refer to the NSClient++ user's manual for setting up client authentication; for the sake of simplicity this step was not included [11].

On the Nagios server, add the clients to the config files by editing /usr/local/nagios/etc/objects/windows.cfg:

###############################################################################
###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################
###############################################################################

# Define a host for the Windows machine we'll be monitoring
# Change the host_name, alias, and address to fit your situation

define host{
    use         windows-server
    host_name   client1
    alias       Dell Laptop
    address     10.0.0.103
}

define host{
    use         windows-server
    host_name   client2
    alias       HP Laptop
    address     10.0.0.102
}

###############################################################################
###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################
###############################################################################

# Define a hostgroup for Windows machines
# All hosts that use the windows-server template will automatically be a member of this group

define hostgroup{
    hostgroup_name  windows-servers     ; The name of the hostgroup
    alias           Windows Servers     ; Long name of the group
}

###############################################################################
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
###############################################################################

# Create a service for monitoring the version of NSClient++ that is installed
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description NSClient++ Version
    check_command       check_nt!CLIENTVERSION
}

define service{
    use                 generic-service
    host_name           client1
    service_description NSClient++ Version
    check_command       check_nt!CLIENTVERSION
}

# Create a service for monitoring the uptime of the server
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description Uptime
    check_command       check_nt!UPTIME
}

define service{
    use                 generic-service
    host_name           client1
    service_description Uptime
    check_command       check_nt!UPTIME
}

# Create a service for monitoring CPU load
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description CPU Load
    check_command       check_nt!CPULOAD!-l 5,80,90
}

define service{
    use                 generic-service
    host_name           client1
    service_description CPU Load
    check_command       check_nt!CPULOAD!-l 5,80,90
}

# Create a service for monitoring memory usage
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description Memory Usage
    check_command       check_nt!MEMUSE!-w 80 -c 90
}

define service{
    use                 generic-service
    host_name           client1
    service_description Memory Usage
    check_command       check_nt!MEMUSE!-w 80 -c 90
}

# Create a service for monitoring C:\ disk usage
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description C:\ Drive Space
    check_command       check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}

define service{
    use                 generic-service
    host_name           client1
    service_description C:\ Drive Space
    check_command       check_nt!USEDDISKSPACE!-l c -w 80 -c 90
}

# Create a service for monitoring the Explorer.exe process
# Change the host_name to match the name of the host you defined above

define service{
    use                 generic-service
    host_name           client2
    service_description Explorer
    check_command       check_nt!PROCSTATE!-d SHOWALL -l Explorer.exe
}

define service{
    use                 generic-service
    host_name           client1
    service_description Explorer
    check_command       check_nt!PROCSTATE!-d SHOWALL -l Explorer.exe
}

4.3.2 Linksys WRT54GS Router

Add custom-defined commands for monitoring the Linksys router via SNMP (CPU and RAM checks). To add the commands, edit /usr/local/nagios/etc/objects/commands.cfg and add the following:

define command{
    command_name    check_linksys_cpu
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.4.1.2021.10.1.5.1 -u % -w 60 -c 70
}

define command{
    command_name    check_linksys_ram
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.2.1.25.2.3.1.6.101 -u kb -w 27000 -c 28000
}

Next edit /usr/local/nagios/etc/objects/switch.cfg and add the following lines:

###############################################################################
###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################
###############################################################################

# Define the switch that we'll be monitoring

define host{
    use         generic-switch      ; Inherit default values from a template
    host_name   dd-wrt              ; The name we're giving to this switch
    alias       Linksys WRT54GS     ; A longer name associated with the switch
    address     10.0.0.1            ; IP address of the switch
    hostgroups  switches            ; Host groups this switch is associated with
}

###############################################################################
###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################
###############################################################################

# Create a new hostgroup for switches

define hostgroup{
    hostgroup_name  switches            ; The name of the hostgroup
    alias           Network Switches    ; Long name of the group
}

###############################################################################
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
###############################################################################

# Create a service to PING the switch

define service{
    use                     generic-service                 ; Inherit values from a template
    host_name               dd-wrt                          ; The name of the host the service is associated with
    service_description     PING                            ; The service description
    check_command           check_ping!200.0,20%!600.0,60%  ; The command used to monitor the service
    normal_check_interval   5                               ; Check the service every 5 minutes under normal conditions
    retry_check_interval    1                               ; Re-check the service every minute until its final/hard state is determined
}

# Monitor uptime via SNMP

define service{
    use                     generic-service     ; Inherit values from a template
    host_name               dd-wrt
    service_description     Uptime
    check_command           check_snmp!-C public -o sysUpTime.0
}

define service{
    use                     generic-service
    host_name               dd-wrt
    service_description     Check Linksys CPU
    check_command           check_linksys_cpu
}

define service{
    use                     generic-service
    host_name               dd-wrt
    service_description     Check Linksys RAM
    check_command           check_linksys_ram
}

4.3.3 HP LaserJet 4

Note: You must enable SNMP on the printer first.

Lesson Learned: Monitoring printers requires a missing net-snmp package/library and reinstallation of the Nagios plug-in scripts. Figure 10 shows adding the net-snmp libraries using the Synaptic package manager. Add snmp & snmpd.

Figure 10 - Synaptic Package Manager

Once the net-snmp packages/libraries are installed and the Nagios plug-ins reinstalled, the scripts for monitoring printers will be in /usr/local/nagios/etc/objects/printer.cfg. Edit printer.cfg and add the following information:

###############################################################################
###############################################################################
#
# HOST DEFINITIONS
#
###############################################################################
###############################################################################

# Define a host for the printer we'll be monitoring
# Change the host_name, alias, and address to fit your situation

define host{
    use         generic-printer     ; Inherit default values from a template
    host_name   JMHP4               ; The name we're giving to this printer
    alias       HP LaserJet 4       ; A longer name associated with the printer
    address     10.0.0.135          ; IP address of the printer
    hostgroups  network-printers    ; Host groups this printer is associated with
}

###############################################################################
###############################################################################
#
# HOST GROUP DEFINITIONS
#
###############################################################################
###############################################################################

# A hostgroup for network printers

define hostgroup{
    hostgroup_name  network-printers    ; The name of the hostgroup
    alias           Network Printers    ; Long name of the group
}

###############################################################################
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
###############################################################################

# Create a service for monitoring the status of the printer
# Change the host_name to match the name of the host you defined above
# If the printer has an SNMP community string other than "public", change the check_command directive to reflect that

define service{
    use                     generic-service     ; Inherit values from a template
    host_name               JMHP4               ; The name of the host the service is associated with
    service_description     Printer Status      ; The service description
    check_command           check_hpjd!-C public ; The command used to monitor the service
    normal_check_interval   10                  ; Check the service every 10 minutes under normal conditions
    retry_check_interval    1                   ; Re-check the service every minute until its final/hard state is determined
}

# Create a service for "pinging" the printer occasionally. Useful for monitoring RTA, packet loss, etc.

define service{
    use                     generic-service
    host_name               JMHP4
    service_description     PING
    check_command           check_ping!3000.0,80%!5000.0,100%
    normal_check_interval   10
    retry_check_interval    1
}
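With three object files now edited by hand, the mistakes that `nagios -v` reports most often are a service whose host_name matches no define host, a host assigned to a hostgroup that is never defined, and a check_command naming a command missing from commands.cfg. The Python below is an added example, not code from this paper or from Nagios: a small parser for the define <type>{ ... } syntax used in windows.cfg, switch.cfg and printer.cfg above, plus those three cross-checks. STOCK_COMMANDS is an assumption about which command names the stock Nagios 3 commands.cfg already provides, and SAMPLE_CFG is a constructed file in the style of the excerpts above with two deliberate mistakes.

```python
"""Pre-flight lint for Nagios object configuration files (added example)."""
from __future__ import annotations

import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumption: command names the stock Nagios 3 commands.cfg already defines.
STOCK_COMMANDS = {"check_ping", "check_snmp", "check_nt", "check_hpjd", "check-host-alive"}

# 'define <type>{ ... }' blocks; re.S lets the body span lines.
_DEFINE_RE = re.compile(r"define\s+([\w-]+)\s*\{(.*?)\}", re.S)


def parse_objects(text: str) -> dict[str, list[dict[str, str]]]:
    """Return {object_type: [{directive: value, ...}, ...]}.

    Whole-line '#' comments and trailing ';' comments are dropped first, which
    is also why a stray ';' after a value in a hand-typed file is harmless.
    """
    cleaned = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(";", 1)[0].strip()
        if line:
            cleaned.append(line)
    objects = defaultdict(list)
    for match in _DEFINE_RE.finditer("\n".join(cleaned)):
        obj_type, body = match.group(1), match.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts:
                directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects[obj_type].append(directives)
    return dict(objects)


def lint(text: str) -> list[str]:
    """Cross-check hosts, hostgroups, services and commands; return findings."""
    objs = parse_objects(text)
    hosts = {h.get("host_name") for h in objs.get("host", [])}
    groups = {g.get("hostgroup_name") for g in objs.get("hostgroup", [])}
    commands = STOCK_COMMANDS | {c.get("command_name") for c in objs.get("command", [])}
    problems = []
    for h in objs.get("host", []):
        for g in h.get("hostgroups", "").split(","):
            g = g.strip()
            if g and g not in groups:
                problems.append(f"host {h.get('host_name')}: hostgroup '{g}' is not defined")
    for s in objs.get("service", []):
        desc = s.get("service_description", "?")
        for hn in s.get("host_name", "").split(","):
            hn = hn.strip()
            if hn not in hosts:
                problems.append(f"service '{desc}': host_name '{hn}' is not defined")
        cmd = s.get("check_command", "").split("!", 1)[0]
        if cmd not in commands:
            problems.append(f"service '{desc}': check_command '{cmd}' is not defined")
    return problems


# Constructed sample in the style of the commands.cfg and switch.cfg excerpts.
SAMPLE_CFG = """
define command{
    command_name    check_linksys_cpu
    command_line    $USER1$/check_snmp -H $HOSTADDRESS$ -C public -o 1.3.6.1.4.1.2021.10.1.5.1 -u % -w 60 -c 70
}
define host{
    use         generic-switch      ; Inherit default values from a template
    host_name   dd-wrt              ; The name we're giving to this switch
    address     10.0.0.1
    hostgroups  switches
}
define hostgroup{
    hostgroup_name  switches
    alias           Network Switches
}
define service{
    use                 generic-service
    host_name           dd-wrt
    service_description Check Linksys CPU
    check_command       check_linksys_cpu
}
# Two deliberate mistakes: a host that is never defined and a command that is missing
define service{
    use                 generic-service
    host_name           client3
    service_description Check Linksys RAM
    check_command       check_linksys_ram
}
"""

if __name__ == "__main__":
    # All files are linted together so cross-file references (commands.cfg) resolve.
    paths = sys.argv[1:]
    text = "\n".join(Path(p).read_text(encoding="utf-8") for p in paths) if paths else SAMPLE_CFG
    findings = lint(text)
    for msg in findings:
        print(msg)
    sys.exit(1 if findings else 0)
```

Run it as `python nagios_lint.py /usr/local/nagios/etc/objects/*.cfg` before the `nagios -v` step. It does not replace that check (it knows nothing about templates or the include list in nagios.cfg), but it names the offending service and host directly. A service bound to a host name that never resolves is silently never scheduled, so the device it was meant to cover goes unmonitored; that is why the unresolved-host finding deserves the same attention as a syntax error.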

4.4 Monitoring

Figure 11 shows the Nagios 3.1.2 tactical overview. The overview screen shows a summary of all devices and provides an indication of overall enterprise health. Summary categories include number of services, active hosts, flap detection, notifications, events, and active and passive checks.

Figure 11 - Tactical Overview

Figure 12 shows current status by group. This screen offers a “drill down” view from the tactical overview where every monitored service is assigned to a category based on the Nagios configuration files.

Figure 12 - Current Status by Group

Figure 13 details the status of each monitored service by host or device.

Figure 13 - Service Status

Figure 14 shows an SNMP trap that was caught when the printer tray was removed from the HP LaserJet printer.

Figure 14 - Service Status Trap Warning

4.5 Recommendations

This paper serves only as an introduction to network monitoring; there is much more to learn on the topic. Before deploying a Nagios system in a production environment, additional security measures must be taken into consideration. For example, HTTP over SSL must be enabled for the web interface. For additional information regarding security and production deployment, visit http://nagios.sourceforge.net/docs/3_0/cgisecurity.html.

5 Conclusion

Whether you work at a large company with an established yearly budget for network enhancements or at a struggling startup, network monitoring makes sense as an added layer of protection. In large companies it makes sense to implement a commercial network monitoring system as opposed to an open source solution: commercial products tend to be easier to configure and come with support agreements. Small to medium-sized companies with a limited budget, or companies that need total control and the ability to customize (via source code), should not be afraid to consider Nagios or other open source products.

Overall, Nagios is a very powerful and flexible monitoring system; however, it requires much more in-depth installation and configuration when compared to some of the commercial off-the-shelf products such as WhatsUpGold. Additionally, supporting specific devices in Nagios may be much more difficult and even require custom scripting.

As general guidance, it is strongly recommended that every organization implement a monitoring system, not only for the benefit of simplifying network administration but as an added layer of security with direct insight into the health of the system. In the end, as with any other investment in technology, justification will be based on cost-benefit analysis and the calculated return on investment. The difficult part of this decision is trying to place a price on the hypothetical cost savings in the event of an outage or cyber attack. When we view the costs of network monitoring in the same light as our willingness to pay for medical check-ups and preventative medicine for the physical body, the importance of monitoring is brought into the light. Having notification of current and potential problems is a guaranteed way to save time and money.

6 References

[1] CIO Magazine (5 Jun 2009) Network Monitoring Definition and Solutions. Retrieved Jul 13, 2009 from http://www.cio.com/article/133700/Network_Monitoring_Definition_and_Solutions

[2] Ipswitch (14 Nov 2007) White Paper: The Value of Network Monitoring: Why It's Essential to Know Your Network. Retrieved Jul 29, 2009 from http://www.whatsupgold.com/resources/whitepapers/Value_of_Network_Monitoring.pdf

[3] Landis+Gyr (2009) White Paper: Securing the Smart Grid: Gridstream Security Architecture. Retrieved Jun 6, 2009 from http://www.landisgyr.com/en/pub/home.cfm

[4] EMS Satcom (2008) Blue Force Tracking: System Nuances and EMS SATCOM's Contributions. Retrieved Jul 20, 2009 from http://www.emssatcom.com/newsletters/2008/Nov/bus2.aspx

[5] Stanford SLAC (11 Mar 2001) Passive vs. Active Monitoring. Retrieved Jul 13, 2009 from http://www.slac.stanford.edu/comp/net/wan-mon/passive-vs-active.html

[6] TCPIP Guide (?) SNMP MIB Graphic. Retrieved Jul 29, 2009 from www.tcpipguide.com

[7] HP Website

[8] Wikipedia (27 Jul 2009) Comparison of network monitoring systems. Retrieved Jul 29, 2009 from http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems

[9] Nagios (2009) Nagios. Retrieved Jul 13, 2009 from http://www.nagios.org/

[10] NSClient++ () Installing NSClient++. Retrieved Jul 23, 2009 from http://nsclient.org/nscp/

[11] Nagios () Nagios Quickstart Installation Guides. Retrieved Jul 23, 2009 from http://nagios.sourceforge.net/docs/3_0/quickstart.html