Network Monitoring - Network OS Management

advertisement
NETWORK MONITORING
DEFINITIONS
Network monitoring describes the use of a system
that constantly monitors a computer network for slow
or failing systems and that notifies the network
administrator in case of outages via email, pager or
other alarms. It is a subset of the functions involved in
network management.
 Network traffic measurement is the process of
measuring the amount and type of traffic on a
particular network. This is especially important with
regard to effective bandwidth management.

WHY NETWORK MONITORING IS
IMPORTANT

Needs of service providers:







Understand the behavior of their networks
Provide fast, high-quality, reliable service to satisfy
customers and thus reduce churn rate
Plan for network deployment and expansion
SLA monitoring, Network security
Usage-based billing for network users (like
telephone calls)
Marketing using CRM data
Needs of Customers:


Want to get their money’s worth
Fast, reliable, high-quality, secure, virus-free
Internet access
APPLICATIONS
Network Problem Determination and Analysis
 Traffic Report Generation
 Intrusion & Hacking Attack (e.g., DoS, DDoS)
Detection
 Service Level Monitoring (SLM)
 Network Planning
 Usage-based Billing
 Customer Relationship Management (CRM)
 Marketing

NETWORK MONITORING METRICS

CAIDA (The Cooperative Association for Internet Data Analysis)
Metrics Working Group (www.caida.org)






Latency
Packet Loss
Throughput
Link Utilization
Availability
IETF’s (Internet Engineering Task ) IP Performance Metrics
(IPPM) Working Group






Connectivity
One-Way Delay
One-Way Packet Loss
Round Trip Delay
Delay Variation
Bulk transfer capacity
MONITORING METHODS

Fraleigh et al, (2001) describe two techniques for
network measurement.
Active Monitoring
 Passive Monitoring

ACTIVE MONITORING

Performed by sending test traffic into network






Generate test packets periodically or on-demand
Measure performance of test packets or responses
Take the statistics
Impose extra traffic on network and distort its
behavior in the process
Test packet can be blocked by firewall or
processed at low priority by routers
Mainly used to monitor network performance
PASSIVE MONITORING
Carried out by observing network traffic
 Collect packets from a link or network flow from a
router
 Perform analysis on captured packets for various
purposes
 Network device performance degrades by mirroring or
flow export
 Used to perform various traffic usage/characterization
analysis/intrusion detection

NETWORK MANAGEMENT AND
MONITORING SOFTWARES












EPM
The ping program
SNMP servers
IBM AURORA Network Performance Profiling
System
Intellipool Network Monitor
Jumpnode
Microsoft Network Monitor 3
MRTG
Nagios (formerly Netsaint)
Netdisco
NetQoS
NetXMS Scalable network and application monitoring
system
NETWORK MANAGEMENT AND
MONITORING SOFTWARES














Opennms
PRTG
Pandora (Free Monitoring System) - Network and
Application Monitoring System
PIKT
RANCID - monitors router/switch configuration changes
RRDtool
siNMs by Siemens
SysOrb Server & Network Monitoring System
Sentinet3 - Network and Systems Monitoring Appliance
ServersCheck Monitoring Software
Cacti network graphing solution
Zabbix - Network and Application Monitoring System
Zenoss - Network and Systems Monitoring Platform
Level Platforms - Software support for network monitoring
WHAT CAN WE
USE THE TOOLS FOR?
Identifying unofficial services or servers
 Monitoring usage and traffic statistics
 Troubleshooting your network
 Investigating a security incident
 Keeping logs of users activities for accountability

HOW WE CAN CHOOSE THE BEST
TOOL
Who? What? Where? How? When?
 Who is accessing your network?



What are they accessing your network for?


internal, external
How are they accessing your network?


academic study, social use, business use, illegal use
Where are they accessing your network from?


students, academics, staff, visitors or others
remote user, local Ethernet, WAN, dial-up, Wi-Fi,
VPN
When did they access your network?

today, yesterday, last week, last month…
REMOTE NETWORK MONITORING

What is RMON?
RMON is the common abbreviation for Remote Monitoring,
a system defined by the IETF that allows you to monitor
the traffic of LANs or VLANs remotely.
RMON (Remote Network Monitoring) provides standard
information that a network administrator can use to
monitor, analyze, and troubleshoot a group of local area
networks (LANs) from central location.
Remote Monitoring (RMON) is an extension to the SNMP
MIB
REMOTE NETWORK MONITORING
Goals of RMON
primary goal is to provide information relating to
network errors and utilization. RMON data is
gathered as part of ten different monitoring
groups.

RMON GROUPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Statistics Ethernet stats
History snapshots based on stats(1)
Alarm ability to set threshold, generate alarm
on interesting event
Hosts host stats
HostTopN store/sort by top N hosts
Matrix X talks to Y
Filter filter pkts and capture/or cause event
Capture traditional pkt analyzer
Event table of events generated by probe
TokenRing maintains statistics and
configuration information for token ring subnets
CONFIGURING RMON
How to configure Remote Monitoring (RMON) on
the Catalyst 6500 series switches:
 RMON on the Catalyst 6500 switches
 Configuring RMON Alarm and Event Settings
from the Command Line Interface (CLI)
 Configuring RMON Alarm and Event Settings
from the Command Line Interface (CLI) - Cisco
Systems

ADVANTAGES



It improves your efficiency
It allows you to manage your network in a more
proactive
It reduces the load on the network and the management
Increases Productivity for administrators.
Permits monitoring on a more frequent basis and hence
faster fault diagnosis.
Needs no direct visibility by NMS; more reliable
information.
DISADVANTAGES

The amount of information it provides is insufficient for
network managers and administrators who need to solve
complex problems, often at a distance.
The mechanism employed for data retrieval to a central
management console are slow and very bandwidth
inefficient.
RMON values are stored in 32 bit registers which limit the
count value to 4,294,967,295. Although a seemingly large
value, this is actually quite small. In a 100 Mbps fast
Ethernet network running at just 10% loading, the
counters will be reset to zero after just one hour of acitivity.
Full RMON support in hardware typically requires
dedicated RISC processor technology and this is achievable
in sub -$1,000 routers, hubs
REFERENCES
NW monitoring and Measurement
 NW monitoring
 Remote NW monitoring
 RMON on the Catalyst 6500 switches
 Configuring RMON Alarm and Event Settings
from the Command Line Interface (CLI) - Cisco
Systems

Download