There are many different ways to monitor the processes running across your network. In this video, you’ll learn about log management, port scanning, patch management, and much more.
The routers, firewalls, switches, servers, and other devices on our network gather an enormous amount of information, and it's usually provided to you by way of a log file. It's very common to collect all of this log data so you're able to understand exactly what may have happened in the past.
There's usually a central point where all of these log files are consolidated. They're usually sent from all of these different devices using the standard syslog protocol. This means that you're going to be collecting a lot of log data on this consolidated server, so you need to make sure you have enough storage space for it. As a way to manage that storage space, some organizations will roll up the data into coarser summaries as it ages.
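The first thing a consolidated log server has to do with syslog traffic is parse it. The block below is an added example, not code from the original page: a small parser for the traditional BSD syslog line format (RFC 3164), which decodes the PRI value into facility and severity and pulls out the timestamp, host, tag, and message. The sample lines are constructed for this example, and the severity threshold in `select_events` is an assumption, not a standard.

```python
import re

# Facility and severity names in their numeric order, as defined for syslog.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 shape: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MESSAGE
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_syslog(line):
    """Parse one BSD syslog line into a dict; raise ValueError if it does not match."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def select_events(lines, max_severity=3):
    """Return parsed records at severity `max_severity` or worse.

    Lower numbers are more severe, so the default (3 = err) keeps emerg..err.
    Malformed lines are skipped here; a real collector should count them,
    because a sudden rise in unparseable input is itself worth a look."""
    out = []
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            continue
        if rec["severity_num"] <= max_severity:
            out.append(rec)
    return out


# Constructed sample input for this example (addresses from documentation ranges).
SAMPLE_LINES = [
    "<34>Mar  3 08:15:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<86>Mar  3 08:15:05 srv02 sshd[2210]: Accepted publickey for alice from 192.0.2.50 port 51234",
    "<84>Mar  3 08:15:09 srv02 sshd[2211]: Failed password for root from 203.0.113.9 port 40022",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for rec in select_events(SAMPLE_LINES):
        print(rec["host"], rec["facility"], rec["severity"], rec["message"])
```

PRI 34 decodes to facility 4 (auth) and severity 2 (crit), which is why only the firewall line survives the default filter; the two sshd lines are authpriv at info and warning.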
For example, you may be gathering performance information across all of your devices every minute. This allows you to create a very detailed graph of exactly what happened every 60 seconds at the end of the day. But after 30 days, the granularity of that 1-minute data point may not be as important to you. So at the end of 30 days, you may roll up the information into 5-minute samples. This means you no longer have to store that 1-minute interval, and can simply store the 5-minute breakdown. And after the data has aged further still, you can take an average across each hour and simply store a single hourly value for that period.
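The roll-up described above, written out as an added example (not code from the original page): one-minute samples are averaged into aligned five-minute buckets, and the same function applied again turns those into hourly values. The `age_out` helper and the 30-day cutoff are assumptions chosen to match the text, not a feature of any particular product.

```python
from statistics import mean


def roll_up(samples, window_seconds):
    """Average (epoch_seconds, value) samples into fixed, aligned windows.

    Samples may arrive in any order. Returns [(window_start, mean_value), ...]
    sorted by time. Aligning each bucket to a multiple of window_seconds keeps
    the 5-minute and hourly series lined up with each other on a graph."""
    buckets = {}
    for ts, value in samples:
        start = ts - (ts % window_seconds)
        buckets.setdefault(start, []).append(value)
    return [(start, mean(vals)) for start, vals in sorted(buckets.items())]


def age_out(samples, now, raw_days=30, window_seconds=300):
    """Keep full-resolution samples newer than raw_days; roll the rest up.

    Returns (recent_samples, rolled_up_samples)."""
    cutoff = now - raw_days * 86400
    recent = sorted(s for s in samples if s[0] >= cutoff)
    old = [s for s in samples if s[0] < cutoff]
    return recent, roll_up(old, window_seconds)


# Constructed input: one hour of per-minute readings, aligned to an hour boundary.
BASE = 1_700_000_000 - (1_700_000_000 % 3600)
ONE_MINUTE = [(BASE + 60 * i, float(i)) for i in range(60)]

if __name__ == "__main__":
    five_min = roll_up(ONE_MINUTE, 300)
    hourly = roll_up(five_min, 3600)
    print(len(ONE_MINUTE), "->", len(five_min), "->", len(hourly), "stored values")
```

Sixty stored values become twelve and then one, which is the storage saving the roll-up buys; the cost is that a one-minute spike inside an old hour is no longer visible, so keep the raw data for as long as you expect to investigate incidents.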
It’s very common to take all of this text-based log information and create a graphical representation of what you’re storing. Some of this information may come from raw logs. So it’s up to you to parse through the information to find what you need. Or the data may be already summarized into a metadata form, which makes it very easy to graph.
Some organizations will use SIEM software. SIEM stands for Security Information and Event Management, and it allows you to consolidate data from many sources and create reports on the information that you've stored.
Creating these reports, though, can take a lot of resources on the server. So you need to make sure that you're building a machine that can handle the requirements for the information you need to be able to report on. A SIEM usually has built-in graphing capability as well, so there may be very little that you would need to develop or program. You simply tell the SIEM the type of graph you'd like over a particular time frame, and it will create that graph and provide you with those details.
One of the ways to monitor what's happening on your network is to proactively probe the devices that are connected. One way to do this is by using a piece of software called Nmap. Nmap stands for Network Mapper. One of the more popular features of Nmap is its port scanner. Nmap will query a device and tell you exactly which ports are open, which are closed, and which are filtered by a firewall.
But Nmap goes well beyond a simple port scanner. It can identify what operating system a device may be running without having to authenticate or log in to any component on that particular server. Nmap can also query a device to determine exactly what services may be running, and report the name, version number, and other details about the application listening on that port. And Nmap includes the NSE, or Nmap Scripting Engine, which allows you to write your own scripts to extend the capabilities of this very popular security scanner.
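To make the port-scan and service-detection ideas concrete, here is an added example that is not Nmap's code and not from the original page. It implements the simplest scan type, a TCP connect scan (the kind `nmap -sT` performs), and the first step of service version detection (what `nmap -sV` starts with): connecting and reading the banner the service volunteers. Because it has to run offline, it also starts a constructed stand-in service on the loopback interface that answers with an SSH-style banner; that fake listener, the banner text and the `identify` heuristics are assumptions for this example.

```python
import socket
import threading


def start_fake_service(banner):
    """Constructed stand-in for a real daemon (for this example only): listen on an
    ephemeral loopback port and send `banner` to every client, then hang up.
    Returns (listening_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan. A completed handshake means open; an immediate refusal
    (RST) means closed; no answer before the timeout means filtered."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except socket.timeout:
            results[port] = "filtered"
        except OSError:
            results[port] = "closed"
        finally:
            s.close()
    return results


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service sends first; many services
    (SSH, SMTP, FTP) announce themselves before the client says anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def identify(banner):
    """Crude fingerprinting from a banner (assumption: only SSH and SMTP handled).
    An SSH banner is 'SSH-<protoversion>-<softwareversion> [comment]'."""
    if banner.startswith("SSH-"):
        parts = banner.split("-", 2)
        software = parts[2].split(" ")[0] if len(parts) == 3 else ""
        return {"service": "ssh", "protocol": parts[1], "version": software}
    if banner.startswith("220 ") and "SMTP" in banner.upper():
        return {"service": "smtp", "version": banner[4:]}
    return {"service": "unknown", "version": banner}


if __name__ == "__main__":
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_9.6 Debian-2\r\n")
    try:
        print(scan_ports("127.0.0.1", [port]))
        print(identify(grab_banner("127.0.0.1", port)))
    finally:
        srv.close()
```

Note that a connect scan completes the handshake, so it shows up in the target's logs and connection tables; that is exactly why the text says these are proactive checks you run on your own devices, and why an unexpected one in your logs is worth investigating.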
It's also common to periodically check your devices to see if they may have any vulnerabilities. One way to do this is with a vulnerability scanner, which will look at an operating system and its services and tell you whether any components may be vulnerable. Vulnerability scanners are also very good at finding unknown devices on the network. So if you're looking for a server or a security device that's been added without your knowledge, a vulnerability scan may be a good way to find it.
It's very common to run these vulnerability scans not only from the inside of your network, but also from the outside of your network. It's useful to know what anyone outside of your organization may see when they try to access your systems through the internet. Vulnerability scanners are not perfect, but they do give us a list of things to look through. So after we have run the vulnerability scan, it's common to step through all of the results and determine what is a real vulnerability versus a false positive.
Vulnerability scans are very good at pointing out when expected security controls are missing. So when you scan a device and it reports that a firewall isn't running, or that there's no anti-virus and no anti-spyware, you can address that using the results of your vulnerability scan. There may also be situations where a device is misconfigured. For example, there may be a share that is open on that device without any type of security. Or perhaps someone has turned on guest access to a particular system and not realized it. A vulnerability scan will identify that and provide those details in the report.
And of course, our operating systems and applications have vulnerabilities that are found all the time. Vulnerability scanners are usually updated constantly with the latest set of signatures, so you’ll be able to find even the newest vulnerabilities that may be associated with your services. If a vulnerability is discovered on a device, then it may be time to patch. Of course, you can always apply patches when they’re released to provide additional stability to an operating system or an application, as well.
With older versions of Microsoft Windows, a number of patches could be combined together to create a service pack. This made it very easy to apply a large number of patches at a single time to bring the operating system up to a particular state. So you could install Service Pack 1 or Service Pack 2 and have all of the patches applied up to that point.
Microsoft and other organizations release patches every month. So you'll want to look through all of the notes associated with that monthly update and make sure that all of your systems are patched. On rare occasions, you may find that a patch does not follow the monthly schedule, and it's more of an emergency patch that needs to be pushed out immediately. These out-of-band patches are usually created to address a very significant security concern, often a vulnerability that is already being exploited. So if you see an emergency or out-of-band update appear, you should find out more information about it immediately.
Sometimes the installation of a security patch can unfortunately create other problems with your operating systems or your applications. Most operating systems will provide you with a list of all of the patches that have been installed. And then you can choose a particular patch to uninstall or roll back to a previous configuration.
Once you have collected all of this monitoring information back to a central point, you can begin creating baselines. This allows you to understand what the normal operation of your network might be over time. If any of these reports indicate a change to the baseline, then you may need to do additional investigation to find out what may be happening on your network.
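One simple way to turn a collected history into a baseline and then flag changes to it, written as an added example that is not from the original page: compute each metric's mean and standard deviation over a known-good period, then report current readings that fall more than a chosen number of standard deviations away (a z-score check). The metric names, the sample values and the threshold of three standard deviations are assumptions for this example; a real baseline would also account for time of day and day of week.

```python
from statistics import mean, pstdev


def build_baseline(history):
    """history: {metric_name: [values observed during a known-good period]}.
    Returns {metric_name: (mean, population_stddev)}."""
    return {metric: (mean(values), pstdev(values)) for metric, values in history.items()}


def deviations(baseline, current, threshold=3.0):
    """Return [(metric, value, reason)] for readings that do not fit the baseline.

    - metrics absent from the baseline are always reported (something new appeared)
    - metrics that never varied in the baseline are reported on any change at all,
      since a z-score is undefined when the standard deviation is zero
    - everything else is reported when |z| exceeds `threshold`"""
    flagged = []
    for metric, value in current.items():
        if metric not in baseline:
            flagged.append((metric, value, "no baseline"))
            continue
        mu, sigma = baseline[metric]
        if sigma == 0:
            if value != mu:
                flagged.append((metric, value, f"changed from constant {mu}"))
            continue
        z = (value - mu) / sigma
        if abs(z) > threshold:
            flagged.append((metric, value, f"z={z:.1f}"))
    return flagged


# Constructed sample data: ten days of daily readings from a quiet network.
HISTORY = {
    "dns_queries_per_min":  [200, 210, 190, 205, 195, 200, 210, 190, 205, 195],
    "outbound_smtp_conns":  [0] * 10,      # only the mail relay should ever send mail
    "open_listening_ports": [7] * 10,      # inventory of exposed services is fixed
}
BASELINE = build_baseline(HISTORY)

# Constructed "today" reading with several things wrong at once.
CURRENT = {
    "dns_queries_per_min": 800,   # possible DNS tunnelling or a noisy new host
    "outbound_smtp_conns": 40,    # a workstation sending mail directly
    "open_listening_ports": 9,    # two services appeared that were never there
    "smb_sessions": 12,           # a metric we never collected before
}

if __name__ == "__main__":
    for metric, value, reason in deviations(BASELINE, CURRENT):
        print(f"{metric}: {value} ({reason})")
```

A reading of 215 DNS queries per minute sits about two standard deviations above the mean and is not reported, which is the point of a statistical baseline: it separates ordinary day-to-day wobble from a change that needs investigation.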
Sometimes you need to get into the details of what an application may be doing over the network. And there's nothing more detailed than a protocol analyzer. A protocol analyzer captures every frame going through the network and then provides a decode that gives you more information about the network and the application performance. These protocol analyzers can capture data from an Ethernet connection, or they can capture directly from your wireless network.
Some of the infrastructure devices and security components on your network can also capture packets. And then you can open those packet captures in a protocol analyzer. These protocol decodes make it very easy to see everything that’s happening across the network. You can identify unknown traffic patterns. You can see the application performance of traffic across the network. Or you can create filters that will narrow down the view to exactly what you’re looking for.
Some large-scale protocol analyzers allow you to capture information over days of time. That allows you to then perform some big data analytics and be able to determine more information about what’s really happening with the applications on your network.
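To show what "opening a capture and decoding it" involves, here is an added example that is not from the original page and not the code of any particular analyzer. It builds a small capture in the classic libpcap file format from constructed Ethernet/IPv4/TCP frames, decodes it back down to the TCP layer, applies a display-style filter, and then looks for one unknown traffic pattern worth spotting: a single source sending bare SYNs to many ports. Checksums are left at zero in the constructed frames, only Ethernet link-layer captures and TCP are handled, and the addresses and the five-port threshold are assumptions for this example.

```python
import struct

TCP_FLAG_BITS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20)]


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for test data (IP and TCP checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames, link_type=1):
    """Wrap frames in the classic pcap file layout: 24-byte global header,
    then a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def flags_to_str(flags):
    return "".join(name for name, bit in TCP_FLAG_BITS if flags & bit)


def decode_frame(frame):
    """Ethernet -> IPv4 -> TCP decode; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "flags": flags_to_str(flags),
            "payload": tcp[data_off:]}


def decode_pcap(data):
    """Walk a classic pcap file (either byte order) and decode each Ethernet frame."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (LINKTYPE 1) handled here")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        rec = decode_frame(frame)
        if rec:
            rec["ts"] = ts_sec + ts_usec / 1e6
            packets.append(rec)
    return packets


def filter_packets(packets, **criteria):
    """Display-filter style narrowing, e.g. filter_packets(pkts, dport=22, flags="S")."""
    return [p for p in packets if all(p.get(k) == v for k, v in criteria.items())]


def syn_scan_suspects(packets, min_ports=5):
    """Sources that sent bare SYNs to at least min_ports distinct ports on any host."""
    ports_by_src = {}
    for p in packets:
        if p["flags"] == "S":
            ports_by_src.setdefault(p["src"], set()).add(p["dport"])
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


# Constructed capture: a scanner probing six ports, then one legitimate SSH handshake.
SCANNER, SERVER, CLIENT = "203.0.113.9", "192.0.2.10", "192.0.2.50"
FRAMES = [build_frame(SCANNER, SERVER, 40000 + i, port, 0x02)
          for i, port in enumerate([21, 22, 23, 25, 80, 443])]
FRAMES += [build_frame(CLIENT, SERVER, 51234, 22, 0x02),              # SYN
           build_frame(SERVER, CLIENT, 22, 51234, 0x12),              # SYN-ACK
           build_frame(CLIENT, SERVER, 51234, 22, 0x18, b"SSH-2.0-client\r\n")]  # PSH-ACK
SAMPLE_PCAP = build_pcap(FRAMES)

if __name__ == "__main__":
    pkts = decode_pcap(SAMPLE_PCAP)
    print(len(pkts), "TCP packets;", "SYNs to port 22:", len(filter_packets(pkts, dport=22, flags="S")))
    print("port-scan suspects:", syn_scan_suspects(pkts))
```

Real captures add VLAN tags, IPv6, fragmentation and TCP reassembly on top of this, which is why a full analyzer is far larger; but the layering (file record, Ethernet, IP, TCP, payload) is exactly what you are looking at when you expand a packet in a decode view.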