Network Management Tools Presentations


Transcript of Network Management Tools Presentations

Page 1: Network Management Tools Presentations

Network Management Tools

Presentations
Tuesday, September 18th & 25th, 2007

CSE 552 – Network Management
Fall 2007 (Term 071)

Assignment 2

Page 2: Network Management Tools Presentations

Schedule of Presentations

Speaker                                              Tool
Muhamad Khaled Alhamwi, Karim Asif Sattar            Nagios
Rizwan Farooqi, Mohammad Rahil Rafiq                 Dude 2.2
Syed Usama Idrees, Muhammad Asif Siddiqui            PRTG
Mojeeb Al-Rhman Al-Khiaty, Naif Al-Wadeai            Firewall analyzer
Mohameed Moustafa Abou Ghalyoun, Ahmad Salam AlRefai Network View

Page 3: Network Management Tools Presentations

NM Tool (Nagios)
CSE-552 Assignment #2

Karim Asif Sattar, Muhamad Khaled Alhamwi

Page 4: Network Management Tools Presentations

Outline

• Nagios
• Hosts
• Services
• Configuration files
• Configuration Example
• Snapshots
• Q & A

Page 5: Network Management Tools Presentations

Nagios

• Free & open-source network management tool
• Runs under Linux
• Has a web interface, which can be viewed remotely
• Can be used to monitor your hosts and services
• Very flexible
• Many plug-ins and add-ons

Page 6: Network Management Tools Presentations

Nagios – cont'

• Not an SNMP-based NM tool
• Monitors Windows & Linux hosts
• Monitors any service: you just need to write the appropriate plug-in
• Monitors public services: HTTP, DNS, Email
• Monitors private services (CPU, memory, and disk usage) with the help of other add-ons

Page 7: Network Management Tools Presentations

Checking Private Services

• The NSClient++ add-on can be used to check Windows hosts

(Figure: Daemon – Plug-in – Add-on)

Page 8: Network Management Tools Presentations

Hosts

• Hosts can be defined with a parent-child relation, which is useful to reflect the real topology
• Hosts can be grouped in different host groups
• A monitored host has several possible states:
  UP – the host is up and running
  DOWN – the host is not responding
  UNREACHABLE – the host cannot be reached because some other host in between is down
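As an added illustration of the three host states (this is not code from the presentation or from Nagios itself), the following Python models the parent-child rule that separates DOWN from UNREACHABLE: a host that fails its check is DOWN when at least one of its parents is still UP, and UNREACHABLE when it has parents and none of them is UP. The topology, the check results and the function names are this example's own constructed assumptions.

```python
UP, DOWN, UNREACHABLE = "UP", "DOWN", "UNREACHABLE"

# Constructed sample topology: the monitoring server sits next to "switch1".
# Each host maps to the list of its parent hosts (empty = directly reachable
# from the Nagios server). The relation is assumed to be acyclic.
PARENTS = {
    "switch1": [],
    "router1": ["switch1"],
    "web01": ["router1"],
    "db01": ["router1"],
}


def host_state(host, parents, responding, memo=None):
    """Return UP, DOWN or UNREACHABLE for one host.

    responding[host] is the raw result of the host check (True = answered).
    A non-responding host is UNREACHABLE only when it has parents and none
    of them is UP; otherwise the failure is attributed to the host itself
    and it is DOWN. Results are memoized so shared parents are evaluated once.
    """
    if memo is None:
        memo = {}
    if host in memo:
        return memo[host]
    if responding.get(host, False):
        state = UP
    else:
        ps = parents.get(host, [])
        blocked = bool(ps) and all(
            host_state(p, parents, responding, memo) != UP for p in ps
        )
        state = UNREACHABLE if blocked else DOWN
    memo[host] = state
    return state


def classify_hosts(parents, responding):
    """Classify every host in the topology; returns {host: state}."""
    memo = {}
    return {h: host_state(h, parents, responding, memo) for h in parents}


def hosts_needing_attention(states):
    """Only DOWN hosts are actionable; UNREACHABLE ones are symptoms of an
    upstream outage, which is why Nagios keeps the two states apart."""
    return sorted(h for h, s in states.items() if s == DOWN)


if __name__ == "__main__":
    # Constructed scenario: router1 has failed, so web01 and db01 cannot answer.
    results = {"switch1": True, "router1": False, "web01": False, "db01": False}
    states = classify_hosts(PARENTS, results)
    for host, state in states.items():
        print(f"{host:8s} {state}")
    print("root cause candidates:", hosts_needing_attention(states))
```

Run as written, the scenario reports router1 as the only DOWN host, with web01 and db01 UNREACHABLE; that is the difference between one notification for the real outage and three notifications that all point at the same cable.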

Page 9: Network Management Tools Presentations

Services

• Services can be grouped in different service groups
• A monitored service has several possible states:
  OK – the service is running and the performance metric is within the normal range
  WARNING – the service is running and the performance metric is above normal but below the critical range
  CRITICAL – the service is not running (crashed) or the performance metric is above the critical threshold
  UNKNOWN – unknown error

Page 10: Network Management Tools Presentations

Configuration files

• Main configuration file (includes other files): nagios.cfg
• CGI configuration file (web interface): cgi.cfg
• Check command configuration file: commands.cfg
• Hosts configuration: hosts.cfg
• Services configuration: services.cfg

You can name the files as you like and include them in the main configuration file with cfg_file=<file_name>

Page 11: Network Management Tools Presentations

Example: monitoring of two machines

• Localhost (on which Nagios is installed) – Linux
  Checks for private resources on the localhost: number of processes, users, disk usage, and CPU
• Another machine on the same subnet – Windows XP
  Checks for the HTTP service (running)
  Checks for the DNS service (not installed)
  Checks for the process "Explorer.exe"

Page 12: Network Management Tools Presentations

Configuration Example

define host {
    use        template
    host_name  localhost
    address    localhost
    ….
}

define host {
    use        template
    host_name  Windows host
    address    10.90.3.x
    ….
}

Page 13: Network Management Tools Presentations

Configuration Example – cont'

define service {
    service_description  Total processes
    host_name            localhost
    check_command        check_proc!150!300
    ….
}
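The check_proc!150!300 line above packs the warning and critical thresholds into the command as "!"-separated arguments. The following Python is an added example, not code from the presentation or from the Nagios project: it parses such a check_command value and classifies a measured value into the four service states from the Services slide, returning the exit code and output line a plugin would hand back to Nagios. The exit codes 0 to 3 and the label=value;warn;crit perfdata layout follow the Nagios plugin conventions; the function names and the sample process counts are this example's own.

```python
# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_check_command(spec):
    """Split a check_command value such as 'check_proc!150!300' into the
    command name and its '!'-separated arguments ($ARG1$, $ARG2$, ...)."""
    name, *args = spec.split("!")
    return name, args


def evaluate(label, value, warn, crit):
    """Map a measured value onto OK / WARNING / CRITICAL / UNKNOWN.

    WARNING:  above the warning threshold but not above critical.
    CRITICAL: above the critical threshold.
    UNKNOWN:  the metric could not be read, or the thresholds are inconsistent
              (warn > crit); a plugin should report that instead of guessing.
    Returns (exit_code, plugin_output).
    """
    if value is None:
        return UNKNOWN, f"{label} UNKNOWN: metric could not be read"
    if warn > crit:
        return UNKNOWN, f"{label} UNKNOWN: warning threshold {warn} above critical {crit}"
    if value > crit:
        code = CRITICAL
    elif value > warn:
        code = WARNING
    else:
        code = OK
    # Text before '|' is what the web interface shows; the perfdata after it is
    # label=value;warn;crit, which graphing add-ons read.
    return code, f"{label} {STATE_NAMES[code]}: {value} | {label.lower()}={value};{warn};{crit}"


def run_check(spec, value):
    """Evaluate one service definition's check_command against a sample value."""
    name, args = parse_check_command(spec)
    label = name[len("check_"):].upper() if name.startswith("check_") else name.upper()
    if len(args) != 2:
        return UNKNOWN, f"{label} UNKNOWN: expected 2 thresholds, got {len(args)}"
    try:
        warn, crit = int(args[0]), int(args[1])
    except ValueError:
        return UNKNOWN, f"{label} UNKNOWN: thresholds must be integers: {args}"
    return evaluate(label, value, warn, crit)


if __name__ == "__main__":
    # Constructed sample: the service defined above, with four process counts
    for count in (120, 200, 350, None):
        code, text = run_check("check_proc!150!300", count)
        print(code, text)
```

The UNKNOWN branches matter in practice: a plugin that cannot read its metric must not report OK, and a mis-ordered threshold pair in the service definition is a configuration error worth surfacing rather than silently treating as healthy.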

Page 14: Network Management Tools Presentations

Configuration Options

We can define (with examples):
• Normal check interval (5 min)
• Retry interval (3 min)
• Maximum check attempts (4)
• Check period (24x7)
• Contacts (admin)
• Contact groups (admin_group)
• Notification period (24x7)
• And more…

Page 15: Network Management Tools Presentations

Snapshots (1) – Authentication

Web interface authentication: open an internet browser and type http://localhost/nagios/ in the URL field

Page 16: Network Management Tools Presentations

Snapshots (3) – Tactical overview

Page 17: Network Management Tools Presentations

Snapshots (4) - Service details

Page 18: Network Management Tools Presentations

Snapshots (5) – Host details

Page 19: Network Management Tools Presentations

Snapshots (2) – Host Groups

Page 20: Network Management Tools Presentations

Snapshots (6) – Host group grid

Page 21: Network Management Tools Presentations

Snapshots (7) – Host Report

Page 22: Network Management Tools Presentations

Thank you

Q & A

Page 23: Network Management Tools Presentations

The Dude
Network Management Tool Presentation
CSE-552 Network Management
Term 071

By
M. M. Rizwan Farooqi (250501)
Mohammad Rahil Rafiq (260308)

Page 24: Network Management Tools Presentations

Overview

• Introduction
• System Requirements
• Features
• Modes of Operation
• Interface Layout
• Logs
• Probes
• Snapshots
• Pros. & Cons.
• Conclusion
• References
• Q & A

Page 25: Network Management Tools Presentations

Introduction

• Network monitoring tool that incorporates a map of the network layout
• It helps you visualize the structure of your network
• It also provides direct access to network functions specific to each item
• It can automatically discover your local network and draw a preliminary layout that can be further customized and saved

Page 26: Network Management Tools Presentations

System Requirements

• RAM: minimum 64MB, recommended minimum 128MB
• OS: Windows 2000/XP (does not work with Windows 95/98/Me) with Administrator permissions
• Video: at least 800x600 resolution

Page 27: Network Management Tools Presentations

Features

• Supports various network monitoring tasks, from simple ping checks to port probes and service checks
• Individual link usage monitoring and graphs
• Direct access to remote control tools for device management
• Helps in checking bandwidth to a device or monitoring its traffic in real time

Page 28: Network Management Tools Presentations

Features Contd..

• Automatically detects any existing subnets and begins scanning them
• Detected devices are then probed to determine which IP-based services are supported (like NetBIOS, HTTP, FTP, etc.)
• Additional probes for any services can also be configured
• After the discovery process, the results are plotted as icons on a map grid, including which of its services are up, down, or unstable

Page 29: Network Management Tools Presentations

Features Contd..

• How long to wait before timing out a device
• Which services are polled on which devices
• Window layout is stored on the server rather than the client, so everything set up on the server can be viewed from multiple clients

Page 30: Network Management Tools Presentations

Features Contd..

• Supports remote Dude server and local clients
• Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it
• Easy installation
• Runs on Linux, Mac OS, and Windows
• Best price/value ratio compared to other products (free of charge)

Page 31: Network Management Tools Presentations

Modes of Operation

• Local – to connect to the local Dude server
• Remote – to connect insecurely (nothing is encrypted, not even passwords) to a remote Dude server (uses web based interface)
• Secure – to connect securely to a remote Dude server (uses web based interface)

Page 32: Network Management Tools Presentations

Interface Layout

Page 33: Network Management Tools Presentations

Logs

• Debug – shows all changes happening in the system
• Action – lists manual operations performed by an administrator (for example, device add/remove events)
• Event – stores network events (for example, information about failing services)

Page 34: Network Management Tools Presentations

Probes

• ICMP – regular ping
• TCP – a test which opens a regular TCP connection to a given port
• DNS – probe the given UDP port (usually 53) with a valid DNS request for the given domain name
• SNMP – check the specified OID (Object Identifier)

Page 35: Network Management Tools Presentations

Device properties

Page 36: Network Management Tools Presentations

Event Log

Page 37: Network Management Tools Presentations

Web Server Traffic

Page 38: Network Management Tools Presentations

Local Network Map

Page 39: Network Management Tools Presentations

Local Network Map (zoom)

Page 40: Network Management Tools Presentations

Link Speed

Page 41: Network Management Tools Presentations

Network Segments

Page 42: Network Management Tools Presentations

Probes

Page 43: Network Management Tools Presentations

Link Outages

Page 44: Network Management Tools Presentations

Service Outages

Page 45: Network Management Tools Presentations

Device Up/Down time

Page 46: Network Management Tools Presentations

Pros:

• Freeware
• Lots of customizable options
• Useful network mapping features
• Separate client & server
• Uses ftp, http, NetBIOS & ping, SNMP
• Export and import in PNG & PDF format
• Email, popup and beep alerts
• Secure remote login

Page 47: Network Management Tools Presentations

Cons:

• Rather unintuitive user interface
• Device alerts not turned on by default
• Minimal and out of date documentation
• Web based interface not comprehensive compared to its Windows based client

Page 48: Network Management Tools Presentations

Conclusion

• Good freeware
• Cannot work if firewall is enabled
• Separate client and server
• No support
• Server logout – Dude service closes

Page 49: Network Management Tools Presentations

References

http://wiki.mikrotik.com/wiki/Dude_usage_notes#Device_Representation
http://www.steveatwal.com/the-dude-free-network-diagramming-tool/
http://www.smallbusinesscomputing.com/webmaster/article.php/3692871

Page 50: Network Management Tools Presentations

Q & A

Page 51: Network Management Tools Presentations

Thank you

Page 52: Network Management Tools Presentations

May 24, 2007 MSR – A Comparative Analysis

PRTG (Paessler Router Traffic Grapher)

By: Muhammad Asif Siddiqui & Syed Usama Idrees

Page 53: Network Management Tools Presentations

Outline

Page 54: Network Management Tools Presentations

Introduction

Page 55: Network Management Tools Presentations

Features

Page 56: Network Management Tools Presentations

… continued

Page 57: Network Management Tools Presentations

System Requirements

• Windows 2000/XP/2003
• 64 MB RAM (128 MB and more recommended)
• 20 MB disk space for installation
• TCP/IP network connection
• IE 6.0+ or FireFox 1.0+
• Protocols enabled on devices

Page 58: Network Management Tools Presentations

Installation

Page 59: Network Management Tools Presentations

… continued

Page 60: Network Management Tools Presentations

Working

Supports the three most common methods of data acquisition:

• SNMP (Simple Network Management Protocol) to access traffic counters or other readings from SNMP enabled devices (most common)

• Packet Sniffing to look at incoming/outgoing network packets that pass through a network card of a computer

• NetFlow for analyzing Cisco NetFlow packets sent by Cisco routers

Page 61: Network Management Tools Presentations

User Interface

• Monitoring data can be accessed via a Windows GUI and/or a web based front end

• Integrated web server for remote access (no external web server necessary)

• Results are shown in various graphs & tables

• Graphs are always generated on-the-fly for live reporting

Page 62: Network Management Tools Presentations

Reports

• Configurable reports (graphs and data tables) in HTML, Excel, TIFF, RTF or PDF format

• Daily, monthly, and yearly reports can be exported via email or saved to file

• x% percentile calculation for any value, any interval, and any time frame

• Includes a billing system for bandwidth based billing

Page 63: Network Management Tools Presentations

Notifications

• For each sensor, individual email notifications can be configured for:
  – Errors (e.g. device is not reachable)
  – Reaching traffic limits (e.g. more than x MB transferred per day or month)
  – Reaching traffic or usage thresholds (e.g. more than 700kbit bandwidth for more than one hour)

Page 64: Network Management Tools Presentations

Experimentation (Examples)

• Generate reports
• Use web interface
• Specify thresholds
• Add and edit sensors
• Automatic Network Discovery
• Export data tables and graphs
• Add customized graphs / tables
• Customize graphs and tables view

Page 65: Network Management Tools Presentations

Running PRTG

• When we run PRTG for the first time, it does not have any sensor to read, so we need to add some sensors to collect the data
• After we have added some sensors, the main window looks like this:


Page 67: Network Management Tools Presentations

Adding a standard traffic sensor

Page 68: Network Management Tools Presentations

Adding a standard traffic sensor (continued)

Page 69: Network Management Tools Presentations

Adding a standard traffic sensor (continued)

Page 70: Network Management Tools Presentations

Adding a standard traffic sensor (continued)

Page 71: Network Management Tools Presentations

Adding a standard traffic sensor (continued)

Page 72: Network Management Tools Presentations

Adding a standard traffic sensor (continued)

Page 73: Network Management Tools Presentations

Adding a standard traffic sensor

Page 74: Network Management Tools Presentations

… continued

The above example showed how a Standard Traffic Sensor in PRTG is added and monitored

Page 75: Network Management Tools Presentations

Conclusion

• The GUI of PRTG is user friendly for installation and usage purposes
• The graphical view of the network and bandwidth usage provides better monitoring of networks
• Makes network bottlenecks easy to identify
• Better quality of service can be assured and planned according to the desired needs

Page 76: Network Management Tools Presentations

September 18, 2007

PRTG

THANK YOU !

Page 77: Network Management Tools Presentations

Firewall Analyzer 4

By: Mojeeb Al-Rhman Al-Khiaty, Naif Al-Wadeai

Page 78: Network Management Tools Presentations

Outline:

• Reasons for choosing this tool!
• What is a Firewall?
• Firewall Analyzer 4 (quick description)
• Features, Characteristics and Areas
• How can you use this tool? Examples
• Firewall Architecture
• References

Page 79: Network Management Tools Presentations

Reasons for choosing this tool!

Our team members are interested in security and security management in networks.

We attempt to achieve the highest benefit from this course and connect it with our thesis ideas.

Page 80: Network Management Tools Presentations

What is a Firewall?

A firewall is an important perimeter defense tool that protects your network from attacks. Security tools like firewalls and proxy servers generate a huge quantity of traffic logs, which can be mined to generate a wealth of security information reports. [2]

Page 81: Network Management Tools Presentations

Firewall Analyzer 4.0 !!!

A web-based, cross-platform log analysis tool that analyzes logs received from different firewalls and generates useful reports and graphs.

Helps network administrators with:
• Trend analysis
• Capacity planning
• Policy enforcement
• Security compromises [3]

Page 82: Network Management Tools Presentations

How can Firewall Analyzer help you?

• Analyze incoming and outgoing traffic/bandwidth patterns
• Identify top Web users, and top websites accessed
• Project trends in user activity and network activity
• Identify potential virus attacks and hack attempts
• Determine bandwidth utilization by host, protocol, and destination
• Alert on firewalls generating specific log events
• Analyze efficiency of firewall rules and modify them if needed
• Determine the complete security posture of the enterprise

Page 83: Network Management Tools Presentations

Firewall Analyzer 4.0 (Cont.)

The reporting features available in this release include:

• Pre-defined reports on bandwidth, protocol, users, etc.
• Instant reports on firewall activity
• Scheduling of reports
• Custom report profiles
• Historical trend reports
• Export and save reports to PDF
• Custom alert settings

Page 84: Network Management Tools Presentations

Features and Benefits (cont.)

• Multiple firewall vendor support: support for most leading enterprise firewall appliances and servers
• Automated syslog collection and processing: automatically collects and parses logs, and updates the database at user-defined intervals
• Syslog archiving: allows for archiving of log files at user-defined intervals
• Built-in database: stores and processes syslog data in the embedded MySQL database
• Dashboard: provides a quick view of current activity across all devices from a single place
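To make the "collects and parses logs" step and the protocol-wise and severity-wise distributions of the later dashboard slides concrete, here is an added Python example; it is not Firewall Analyzer's own code and does not use any vendor's real log format. It parses a handful of constructed syslog-style firewall lines in a generic key=value layout, builds the per-protocol and per-severity counts, and applies the simplest form of "alert on specific log events": a threshold on repeated blocked connections from one source. The line layout, field names, addresses and thresholds are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: generic syslog-style firewall lines in a key=value layout.
# The format and the addresses (documentation ranges) are invented for this example.
SAMPLE_LOGS = """\
Sep 18 10:01:02 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=80 SEV=info
Sep 18 10:01:05 fw1 kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=445 SEV=warning
Sep 18 10:01:06 fw1 kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP DPT=445 SEV=warning
Sep 18 10:01:07 fw1 kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=10.0.0.7 PROTO=TCP DPT=3389 SEV=warning
Sep 18 10:01:09 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=10.0.0.1 PROTO=UDP DPT=53 SEV=info
Sep 18 10:01:10 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=10.0.0.1 PROTO=ICMP SEV=info
Sep 18 10:01:12 fw1 kernel: REJECT IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22 SEV=notice
Sep 18 10:01:13 fw1 kernel: link state change on eth1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<action>ACCEPT|DROP|REJECT) (?P<kv>.*)$"
)


def parse_line(line):
    """Return a dict for one traffic event, or None for lines that are not
    traffic events (those are counted by the caller so nothing is silently lost)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "UNKNOWN"),
        "dport": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        "severity": fields.get("SEV", "info"),
    }


def summarize(text):
    """Build the distributions a dashboard shows from raw log text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "by_protocol": Counter(e["proto"] for e in events),
        "by_severity": Counter(e["severity"] for e in events),
        "drops_by_src": Counter(e["src"] for e in events if e["action"] in ("DROP", "REJECT")),
        "unparsed": len(lines) - len(events),
    }


def drop_alerts(summary, threshold):
    """Sources whose blocked connections reached the threshold (sorted so the
    output is stable); an assumed rule standing in for a user-defined alert."""
    return sorted(src for src, n in summary["drops_by_src"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    print("protocol-wise:", dict(s["by_protocol"]))
    print("severity-wise:", dict(s["by_severity"]))
    print("unparsed lines:", s["unparsed"])
    print("sources over drop threshold:", drop_alerts(s, 3))
```

The "unparsed" counter is the part a real deployment should watch: a parser that quietly discards lines it does not understand produces dashboards that look healthy exactly when a vendor changes its log format.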

Page 85: Network Management Tools Presentations

Features and Benefits (cont.)

• Automatic alerting: automatically notifies and warns against specific events based on user-defined thresholds
• Pre-defined device reports: includes traffic analysis reports across all devices or specific to firewalls, proxy servers, and Radius servers
• Historical trending: allows you to analyze trends in bandwidth usage, protocol usage, etc. over varying time periods
• Customizable report profiles: allows you to build reports to meet your specific needs

Page 86: Network Management Tools Presentations

Features and Benefits (cont.)

• Report scheduling: automatically generates reports at specified time intervals and delivers them as PDF reports via email
• Multiple report formats: generates and exports reports in HTML, PDF, and CSV formats
• Advanced user management: allows you to create different users and set appropriate access privileges
• Multi-platform support: runs on Windows and Linux platforms

Page 87: Network Management Tools Presentations

Examples

Page 88: Network Management Tools Presentations
Page 89: Network Management Tools Presentations

Protocol-wise Distribution

Page 90: Network Management Tools Presentations

Severity-wise Distribution

Page 91: Network Management Tools Presentations

Selecting device and date

Selecting device

changing year

changing Month

Page 92: Network Management Tools Presentations

Reporting

Page 93: Network Management Tools Presentations

Reporting (Cont.)

Page 94: Network Management Tools Presentations

Reporting (Cont.)

Page 95: Network Management Tools Presentations

Reporting (Cont.)

Page 96: Network Management Tools Presentations

Architecture

Page 97: Network Management Tools Presentations
Page 98: Network Management Tools Presentations

References:

1. "SNMP, SNMPv2, SNMPv3, and RMON 1 and 2" by William Stallings, Addison-Wesley, Third Edition, 1996.

2. http://www.manageengine.com
3. http://www.fwanalyzer.com

Page 99: Network Management Tools Presentations

AT THE END

Thanks for your attention

Page 100: Network Management Tools Presentations

Team Members
Ahmad Salam AlRefai
Mohamed Abu Ghalioun

Page 101: Network Management Tools Presentations

• What is a Worm?
• Intrusion Detection System (IDS)
• Billy Goat System
• Collaborative Distributed Attack Detection
• Theory of Attack Detection
• Cooperative Messaging Protocol
• Questions & Answers

Page 102: Network Management Tools Presentations

• A worm is a self-replicating computer program similar to a virus.
• A virus lives within another program and executes when the other program executes; it needs a host program to cause mischief: deleting data, altering the display.
• Worms move or propagate in the network, replicating themselves on machines before jumping to others.
• They create so much network traffic that it overwhelms the network (DoS).

Page 103: Network Management Tools Presentations

Started in 1987 by Dorothy E. Denning, a computer scientist then at SRI International, Menlo Park, Calif. In "An Intrusion-Detection Model", published in IEEE Transactions on Software Engineering, she describes how to model the statistical characteristics of a system operating normally, so that deviations from the model could be taken as evidence that intruders were present.

An IDS tries to detect illegal activity; however, legitimate and illegitimate activities look similar, and the diagnosis depends heavily on the context.

Page 104: Network Management Tools Presentations

A centralized system uses a single device to monitor the entire network. Centralized systems are designed primarily to protect enterprises by monitoring aggregate traffic at fixed locations in the network and responding by blocking or delaying observed malicious behavior.

The distributed system model tracks anomalies more reliably but requires installation on each machine. In this model all events are generated on the local systems individually.

Page 105: Network Management Tools Presentations

The main problems of previous intrusion detection systems are the many false alarms they produce, their lack of resistance to both malicious attacks and accidental failures, and the constant appearance of new attacks and vulnerabilities.

The IBM Zurich Research Laboratory is working on a remedy for worms that differs from other approaches in targeting worms specifically rather than trying to prevent all breaches of computer security.

The Billy Goat system does the work extremely accurately. Billy Goat is a specialized worm-detection system that runs on a dedicated machine connected to the network and detects worm-infected machines anywhere in it. Billy Goat is designed to take advantage of the way worms propagate.

Page 106: Network Management Tools Presentations

Computers connected to the network often receive automated requests from other computers (service requests).

Investigating these requests showed that worms caused a large fraction of them, because worms typically find new computers to target by searching through Internet addresses at random.

Page 107: Network Management Tools Presentations

This strategy is effective because the ever-increasing number of infected machines in an attack can soon be generating hundreds of millions of addresses to try.

The Billy Goat machines are assigned unused and unadvertised addresses.

Because no one knows of the existence of those machines, we can assume that traffic to them is almost surely illegitimate.

Page 108: Network Management Tools Presentations

• Billy Goat responds to machines in a virtual environment
• Feigned services are provided (many, Sapphire MSQL)
• Connection attempts are recorded
• This helps Billy Goat reveal the identity of the worm
• It allows the system to know the worm-infected machine
• When a worm tries to infect Billy Goat, its identity gets recorded and reported to the administrator

Page 109: Network Management Tools Presentations

• More than one address can be assigned to the same machine.
• The machine provides many virtual services.
• To ensure that Billy Goat keeps working under heavy worm attack, we can use a distributed architecture.
• Extremely effective: discovers infected machines in seconds.

Page 110: Network Management Tools Presentations

Centralized Systems:
• Global view of the enterprise network, which means a centralized decision maker
• High quality (low false positive and low false negative)
• Not scalable for large networks
• There may not be sufficient trust between sub-domains to accept a centralized protection policy
• Large numbers of mobile nodes may exit and enter the network, leaving them temporarily without protection

Page 111: Network Management Tools Presentations

Distributed System:
• Scalable for large networks
• Lack of global view
• Low quality (high false positive and high false negative)

Page 112: Network Management Tools Presentations

A suggested solution: it uses a distributed system model, where all events are generated using software detection agents on individual hosts.

It solves the problem of the lack of a global view by sharing information between nodes.

Page 113: Network Management Tools Presentations

Attack Detection
Cooperative Messaging Protocols

Page 114: Network Management Tools Presentations

Collaborating sites maintain a decision table. It is constructed using the ratio of the likelihood that the features are a good indicator of the current worm attack to the likelihood of the features occurring at random.

When the observed behavior exceeds a predetermined threshold, enough evidence has been accumulated to reach a correct decision with high probability.

Page 115: Network Management Tools Presentations

Let H1 be the hypothesis that there is a worm, and H0 the hypothesis that there is no worm.

Let Yi be the random variable that says whether there is an attack at site i or not:
  Yi = 1 if there is an attack (could be a false positive, fp)
  Yi = 0 if there is no attack (could be a false negative, fn)

The observation vector L(Y) = {Y1, Y2 ··· Yn} is then the set of measurements obtained by n conditionally independent end-hosts.

Page 116: Network Management Tools Presentations

The table is constructed using many random walks through a collection of local detectors.

The strength of the desired global detector is specified by two quantities: the desired detection rate DD and the desired false alarm rate DF.

Using these, one can calculate the thresholds in the table of likelihood ratios: T0 = (1 − DD) / (1 − DF) and T1 = DD / DF.

Page 117: Network Management Tools Presentations

Each host then implements a global intrusion detector that makes decisions as follows: if, after including the local detector state, the calculated likelihood ratio L(Y) < T0, accept the hypothesis that there is no worm (H0) and halt the query.

If L(Y) > T1, accept the worm hypothesis (H1) and raise a global alarm; otherwise continue the random walk among end hosts.

Page 118: Network Management Tools Presentations

Cooperating hosts contain a random subset of the addresses of all nodes in the collection.

Nodes with new alerts from their local detectors choose m other end-hosts at random and send the message "{1, 1}", which means "one site has reported one alert".

Hosts receiving this message add their local information (e.g. a host would generate a "{2, 1}" if it had not seen the activity, and a "{2, 2}" if it had).

Page 119: Network Management Tools Presentations

If no decision is reached, m new sites are selected at random and the message propagates. In this manner multiple sequences (chains) of evidence are spread randomly across cooperating end-hosts. If “normal behavior” decisions are reached in any chain, that chain halts. If a “likely worm attack” decision is reached at any point, a global warning is broadcast to all nodes.
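The decision rule and the {n, k} messages of the last few slides, carried through in Python as an added example (not code from the presentation or from the cited paper): per-site false-positive and false-negative rates give the likelihood ratio of an evidence message, DD and DF give T0 and T1 exactly as the slide defines them, and a small random walk over constructed hosts shows chains halting on H0 or raising the global alarm on H1. The per-site rates, the host set, the fan-out m and the hop limit are this example's own assumptions.

```python
import random


def thresholds(DD, DF):
    """T0 and T1 from the desired detection rate DD and desired false alarm
    rate DF, as given on the slide: T0 = (1 - DD)/(1 - DF), T1 = DD/DF."""
    return (1 - DD) / (1 - DF), DD / DF


def likelihood_ratio(n_sites, n_alerts, fp, fn):
    """L(Y) for an evidence message {n_sites, n_alerts}.

    Each site i contributes P(Yi | H1) / P(Yi | H0). With an assumed per-site
    false positive rate fp = P(Yi=1 | H0) and false negative rate fn =
    P(Yi=0 | H1), an alerting site multiplies L by (1-fn)/fp and a quiet
    site by fn/(1-fp). Sites are conditionally independent, as in the
    observation-vector model, so the contributions multiply.
    """
    alert_term = (1 - fn) / fp
    quiet_term = fn / (1 - fp)
    return alert_term ** n_alerts * quiet_term ** (n_sites - n_alerts)


def decide(n_sites, n_alerts, fp, fn, DD, DF):
    """Global detector rule: 'H0' (halt, no worm), 'H1' (raise the global
    alarm) or 'continue' (keep the random walk going)."""
    T0, T1 = thresholds(DD, DF)
    L = likelihood_ratio(n_sites, n_alerts, fp, fn)
    if L < T0:
        return "H0"
    if L > T1:
        return "H1"
    return "continue"


def run_chains(hosts, start, m, fp, fn, DD, DF, rng=None, max_sites=10):
    """Simulate the messaging protocol from one host whose local detector
    just alerted. hosts maps name -> bool (local detector state). Each
    undecided message is forwarded to m random hosts not yet in that chain.
    Returns 'H1' as soon as any chain raises the alarm, 'H0' when every chain
    halted on a normal-behaviour decision, and None if some chain ran out of
    hosts or hops without deciding."""
    rng = rng or random.Random(0)
    frontier = [(1, 1, frozenset([start]))]      # the initial "{1, 1}" message
    undecided = False
    while frontier:
        n, k, visited = frontier.pop()
        candidates = [h for h in hosts if h not in visited]
        if n >= max_sites or not candidates:
            undecided = True
            continue
        for receiver in rng.sample(candidates, min(m, len(candidates))):
            n2, k2 = n + 1, k + (1 if hosts[receiver] else 0)   # add local information
            verdict = decide(n2, k2, fp, fn, DD, DF)
            if verdict == "H1":
                return "H1"                     # global warning broadcast to all nodes
            if verdict == "H0":
                continue                        # this chain halts
            frontier.append((n2, k2, visited | {receiver}))
    return None if undecided else "H0"


if __name__ == "__main__":
    FP, FN, DD, DF = 0.1, 0.2, 0.99, 0.01      # assumed per-site rates and targets
    # Constructed hosts: an outbreak where most local detectors fire ...
    outbreak = {f"h{i}": i not in (3, 6) for i in range(8)}
    # ... and a quiet network where only the starting host's detector fired.
    quiet = {f"h{i}": i == 0 for i in range(8)}
    print("T0, T1 =", thresholds(DD, DF))
    print("outbreak:", run_chains(outbreak, "h0", 2, FP, FN, DD, DF, random.Random(7)))
    print("quiet   :", run_chains(quiet, "h0", 2, FP, FN, DD, DF, random.Random(7)))
```

With the assumed rates, a single local alert sits between T0 and T1 and so never decides anything on its own; three agreeing sites cross T1, while one alert followed by five quiet sites falls below T0, which is the mechanism that lets a lone false positive die out without a global broadcast.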


Page 120: Network Management Tools Presentations

References

How to Hook Worms, James Riordan, Andreas Wespi, Diego Zamboni, May 2005

A Distributed Host-based Worm Detection System, Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler
