PRTG ( Paessler Router Traffic Grapher )


Network Management
Tools Presentations
Tuesday, September 18th & 25th, 2007
CSE 552 – Network Management
Fall 2007 (Term 071)
Assignment 2
Schedule of Presentations

Speakers                                              Tool
Muhamad Khaled Alhamwi, Karim Asif Sattar             Nagios
Rizwan Farooqi, Mohammad Rahil Rafiq                  Dude 2.2
Syed Usama Idrees, Muhammad Asif Siddiqui             PRTG
Mojeeb Al-Rhman Al-Khiaty, Naif Al-Wadeai             Firewall analyzer
Mohameed Moustafa Abou Ghalyoun, Ahmad Salam AlRefai  Network View
NM Tool (Nagios)
CSE-552
Assignment#2
Karim Asif Sattar
Muhamad Khaled Alhamwi
Outline
Nagios
Hosts
Services
Configuration files
Configuration Example
Snapshots
Q&A

Nagios
Free and open-source network management tool
Runs under Linux
Has a web interface, which can be viewed remotely
Can be used to monitor your hosts and services
Very flexible: many plug-ins and add-ons


Nagios – cont’
Not an SNMP-based NM tool: every check is run by a plug-in
Monitors Windows and Linux hosts
Monitors any service; you just need to write the appropriate plug-in
Monitors private resources (CPU, memory, and disk usage) with the help of agent add-ons installed on the monitored host
Monitors public services (HTTP, DNS, email) directly over the network


Checking Private Services
The NSClient++ add-on can be used to check private resources on Windows hosts.
(Diagram on the slide: Daemon → Plug-in → Add-on; the Nagios daemon runs a plug-in, which queries the add-on installed on the monitored host.)


Hosts
Hosts can be defined with a parent-child relation, which is useful to reflect the real topology (and lets Nagios tell a host that is down from one it merely cannot reach)
Hosts can be grouped in host groups
A monitored host has several possible states:
UP – The host is up and running
DOWN – The host is not responding
UNREACHABLE – The host cannot be reached because some other host in between (a parent) is down


Services
Services can be grouped in service groups
A monitored service has several possible states:
OK – The service is running and the performance metric is within the normal range
WARNING – The service is running and the performance metric is above normal but below the critical range
CRITICAL – The service is not running (crashed) or the performance metric is above the critical threshold
UNKNOWN – Unknown error: the plug-in could not determine the state


Configuration files
nagios.cfg – main configuration file (includes the other files)
cgi.cfg – CGI configuration file (web interface)
commands.cfg – check command definitions
hosts.cfg – host definitions
services.cfg – service definitions
You can name the object files as you like, as long as you include them in the main configuration file:
cfg_file=<file_name>
After editing, verify the whole configuration before restarting the daemon:
nagios -v nagios.cfg


Example
Monitoring of two machines:
Localhost (on which Nagios is installed) – Linux
Checks for private resources on the localhost: number of processes, users, disk usage, and CPU
Another machine on the same subnet – Windows XP
Checks for HTTP service (running)
Checks for DNS service (not installed)
Checks for process “Explorer.exe”


Configuration Example
define host {
    use        template
    host_name  localhost
    address    localhost
    ….
}

define host {
    use        template
    host_name  Windows host
    address    10.90.3.x
    ….
}


Configuration Example – cont’
define service {
    service_description  Total processes
    host_name            localhost
    check_command        check_proc!150!300
    ….
}
The values after the ! are passed to the command definition as $ARG1$ and $ARG2$ (here the warning and critical process-count thresholds).
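As an added example (not part of the slides and not Nagios code), the Python script below parses object definitions written like the ones above, expands a check_command of the form name!arg1!arg2 into the plug-in command line the way Nagios does, and applies the parent-child rule from the Hosts slide to decide whether a non-responding host is DOWN or UNREACHABLE. The configuration text, the host names and addresses, the generic-host template name and the plug-in directory are constructed for the example.

```python
import re

# Constructed sample in the style of commands.cfg / hosts.cfg / services.cfg (not the
# slides' real files). Template names, addresses and the plug-in directory are assumptions.
SAMPLE_CFG = """
define command {
    command_name    check_proc
    command_line    $USER1$/check_procs -w $ARG1$ -c $ARG2$
}
define host {
    use         generic-host
    host_name   localhost
    address     127.0.0.1
}
define host {
    use         generic-host
    host_name   core-switch
    address     10.90.3.1
    parents     localhost
}
define host {
    use         generic-host
    host_name   winxp-01
    address     10.90.3.25
    parents     core-switch
}
define service {
    use                  generic-service
    host_name            localhost
    service_description  Total processes
    check_command        check_proc!150!300   ; warning at 150, critical at 300
}
"""

BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_objects(text):
    """Return {object_type: [ {directive: value}, ... ]} for every define block."""
    objects = {}
    for kind, body in BLOCK_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Nagios config
            if not line:
                continue
            parts = line.split(None, 1)           # directive, then the rest is its value
            attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.setdefault(kind, []).append(attrs)
    return objects


def expand_check_command(check_command, commands, user1="/usr/local/nagios/libexec"):
    """Expand 'name!arg1!arg2' into the command_line: Nagios substitutes the
    '!'-separated arguments for $ARG1$, $ARG2$, ... and $USER1$ from resource.cfg."""
    name, *args = check_command.split("!")
    by_name = {c["command_name"]: c["command_line"] for c in commands}
    line = by_name[name].replace("$USER1$", user1)
    for i, arg in enumerate(args, start=1):
        line = line.replace(f"$ARG{i}$", arg)
    return line


def host_states(hosts, responding):
    """Map host_name -> UP / DOWN / UNREACHABLE.

    responding: {host_name: bool}, the result of each host check (e.g. ping).
    A host that fails its check is DOWN if it has no parents or at least one
    parent is UP; it is UNREACHABLE when every parent is itself DOWN or
    UNREACHABLE, i.e. the path from the Nagios server to it is broken.
    Nagios rejects circular parent relations at 'nagios -v' time, so the
    recursion below terminates on a valid configuration.
    """
    parents = {h["host_name"]: [p.strip() for p in h.get("parents", "").split(",") if p.strip()]
               for h in hosts}
    states = {}

    def state(name):
        if name not in states:
            if responding.get(name, False):
                states[name] = "UP"
            elif not parents[name] or any(state(p) == "UP" for p in parents[name]):
                states[name] = "DOWN"
            else:
                states[name] = "UNREACHABLE"
        return states[name]

    for name in parents:
        state(name)
    return states


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CFG)
    svc = objs["service"][0]
    print(svc["service_description"], "->", expand_check_command(svc["check_command"], objs["command"]))
    # Constructed outcome: the switch stops answering, so the PC behind it is UNREACHABLE, not DOWN.
    print(host_states(objs["host"], {"localhost": True, "core-switch": False, "winxp-01": False}))
```

Run it as a script to see the expanded command line and the three host states; the same distinction is what the UNREACHABLE state on the Hosts slide encodes, and it is why the parents directive is worth filling in.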

Configuration Options
We can define, among others (example values in parentheses):
Normal check interval (5 min)
Retry interval (3 min)
Maximum check attempts (4)
Check period (24x7)
Contacts (admin)
Contact groups (admin_group)
Notification period (24x7)
And more…









Snapshots (1) – Authentication
Web interface authentication: open a browser and enter http://localhost/nagios/ in the URL field. The Nagios CGIs do no password checking of their own; they trust the user name the web server passes on after HTTP authentication, so the web server's htpasswd file and the authorized_for_* settings in cgi.cfg are what actually restrict access.
Snapshots (2) – Host Groups
Snapshots (3) – Tactical overview
Snapshots (4) – Service details
Snapshots (5) – Host details
Snapshots (6) – Host group grid
Snapshots (7) – Host Report
Thank you
Q&A

The Dude
Network Management Tool
Presentation
CSE-552 Network Management
Term 071
By
M. M. Rizwan Farooqi (250501)
Mohammad Rahil Rafiq (260308)
Overview
Introduction
System Requirements
Features
Modes of Operation
Interface Layout
Logs
Probes
Snapshots
Pros. & Cons.
Conclusion
References
Q&A
Introduction
A network monitoring tool that incorporates a map of the network layout.
It helps you visualize the structure of your network.
It also provides direct access to network functions specific to each item.
It can automatically discover your local network and draw a preliminary layout that can be further customized and saved.
System Requirements
RAM: minimum 64 MB, recommended 128 MB or more
OS: Windows 2000/XP (does not work with Windows 95/98/Me), with Administrator permissions
Video: at least 800x600 resolution
Features
Supports various network monitoring tasks, from simple ping checks to port probes and service checks.
Individual link usage monitoring and graphs.
Direct access to remote control tools for device management.
Helps in checking the bandwidth to a device or monitoring its traffic in real time.
Features (contd.)
Automatically detects any existing subnets and begins scanning them.
Detected devices are then probed to determine which IP-based services they support (NetBIOS, HTTP, FTP, etc.).
Additional probes for any services can also be configured.
After the discovery process, the results are plotted as icons on a map grid, including which of each device's services are up, down, or unstable.
Features (contd.)
Configurable: how long to wait before timing out a device, and which services are polled on which devices.
Window layout is stored on the server rather than the client, so everything set up on the server can be viewed from multiple clients.
Features (contd.)
Supports a remote Dude server with local clients.
Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it.
Easy installation.
Runs on Windows (and on Linux and Mac OS via Wine).
Best price/value ratio compared to other products (free of charge).
Modes of Operation
Local – connect to the Dude server on the same machine
Remote – connect to a remote Dude server without encryption (nothing is encrypted, not even passwords, so this is only acceptable on a trusted network; uses the web-based interface)
Secure – connect to a remote Dude server over an encrypted connection (uses the web-based interface)
Interface Layout
Logs
Debug – shows all changes happening in the
system
Action – lists manual operations performed by
an administrator (for example, device
add/remove events)
Event – stores network events (for example,
information about failing services)
Probes
ICMP – regular ping.
TCP – a test, which opens a regular TCP
connection to a given port.
DNS – probe the given UDP port (usually, 53)
with a valid DNS request for the given domain
name.
SNMP – check the specified OID( Object
Identifier).
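As an added example (not code from The Dude), the Python module below does what the DNS probe described above has to do at the wire level: build a valid DNS A-record query for the given domain name, and validate the reply before declaring the service up. The reply bytes are constructed in the same module (build_dns_response), so the example runs offline; in a real probe the query would be sent to UDP port 53 and the reply read from the socket. The transaction ID check is the part worth copying: a probe that treats any datagram arriving on the port as "DNS is up" can be satisfied by an unrelated or spoofed packet.

```python
import struct


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, txid, qtype=1):
    """Standard query (QR=0, RD=1) with one question; qtype 1 = A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name starting at offset; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, top two bits set
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns_response(msg, expected_txid, expected_name):
    """Validate a reply to our query and return the A-record addresses it carries."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    if qdcount != 1:
        raise ValueError("unexpected question count")
    off = 12
    qname, off = read_name(msg, off)
    off += 4  # skip QTYPE and QCLASS
    if qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question section does not match what we asked")
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_dns_response(query, addrs, ttl=300):
    """Constructed reply as a server would send it: same txid, QR=1 RD=1 RA=1, the
    question echoed, and each answer naming its owner via a pointer to offset 12."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        answers += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in a.split("."))
    return header + query[12:] + answers


def dns_probe(name, txid, reply):
    """Decide the probe result from a reply datagram: ('up', addrs) or ('down', reason)."""
    try:
        return "up", parse_dns_response(reply, txid, name)
    except (ValueError, IndexError, struct.error) as exc:
        return "down", str(exc)


if __name__ == "__main__":
    q = build_dns_query("example.com", 0x1234)
    good = build_dns_response(q, ["192.0.2.1"])          # constructed; documentation address
    spoofed = build_dns_response(build_dns_query("example.com", 0x9999), ["192.0.2.1"])
    print(dns_probe("example.com", 0x1234, good))        # ('up', ['192.0.2.1'])
    print(dns_probe("example.com", 0x1234, spoofed)[0])  # 'down'
```

The transaction ID should be drawn from a cryptographically strong random source per query; a probe that reuses a fixed ID makes the reply trivially forgeable.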
Snapshots: Device properties; Event log; Web server traffic; Local network map; Local network map (zoom); Link speed; Network segments; Probes; Link outages; Service outages; Device up/down time
Pros:
Freeware
Lots of customizable options
Useful network mapping features
Separate client and server
Uses FTP, HTTP, NetBIOS, ping and SNMP probes
Export and import in PNG and PDF format
Email, popup and beep alerts
Secure remote login
Cons:
Rather unintuitive user interface
Device alerts not turned on by default
Minimal and out-of-date documentation
Web-based interface not comprehensive compared to its Windows-based client
Conclusion
Good freeware
Cannot work while the host firewall is enabled, unless its ports are explicitly allowed through
Separate client and server
No support
Logging out of the server closes the Dude service
References
http://wiki.mikrotik.com/wiki/Dude_usage_notes#Device_Representation
http://www.steveatwal.com/the-dude-freenetwork-diagramming-tool/
http://www.smallbusinesscomputing.com/webmaster/article.php/3692871
Q&A
Thank you
PRTG (Paessler Router Traffic Grapher)
By:
Muhammad Asif Siddiqui & Syed Usama Idrees
May 24, 2007
MSR – A Comparative Analysis
Outline
Introduction
System Requirements
Aspects of Installation
Experimentation (Examples)
Conclusion
Introduction
An easy-to-use Windows-based software for monitoring network and bandwidth usage as well as various other network parameters, like memory and CPU utilization
Provides system administrators with live readings and periodic usage trends of leased lines, routers, firewalls, servers, and many other network devices
The “Commercial Edition” software is designed for the exclusive use of the customer; a license fee has to be paid.
The “Trial Edition” is a free-of-charge version of the software to be used only to review, demonstrate, and evaluate the software. We have used this one.
Features
Supports data acquisition via SNMP, packet sniffing, or NetFlow
Classifies network traffic by IP address, protocol, and other parameters
Easy installation and use on Windows 2000/XP/2003
Capable of monitoring up to several thousand sensors
Works with most switches, routers, firewalls, and other network devices from Cisco, HP, 3Com, Linksys, Nortel, etc., and with various other devices (e.g. Windows PCs or network printers)
System Requirements
• Windows 2000/XP/2003
• 64 MB RAM (128 MB and more recommended)
• 20 MB disk space for installation
• TCP/IP network connection
• IE 6.0+ or Firefox 1.0+
• Protocols enabled on the devices to be monitored (SNMP, NetFlow)
Installation (screenshots)
Working
Supports the three most common methods of data acquisition:
• SNMP (Simple Network Management Protocol) to access traffic counters or other readings from SNMP-enabled devices (most common)
• Packet sniffing to look at incoming/outgoing network packets that pass through a network card of a computer
• NetFlow for analyzing NetFlow packets exported by Cisco routers
User Interface
• Monitoring data can be accessed via a Windows GUI and/or a web-based front end
• Integrated web server for remote access (no external web server necessary)
• Results are shown in various graphs and tables
• Graphs are always generated on the fly for live reporting
Reports
• Configurable reports (graphs and data tables) in HTML, Excel, TIFF, RTF or PDF format
• Daily, monthly, and yearly reports can be exported via email or saved to file
• x% percentile calculation for any value, any interval, and any time frame
• Includes a billing system for bandwidth-based billing
Notifications
• For each sensor, individual email notifications can be configured for:
  errors (e.g. device is not reachable)
  reaching traffic limits (e.g. more than x MB transferred per day or month)
  reaching traffic or usage thresholds (e.g. more than 700 kbit/s bandwidth for more than one hour)
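As an added example that is not PRTG code, the Python below shows the arithmetic a traffic grapher performs on the SNMP readings described under Working: it turns successive ifInOctets-style counter samples into kbit/s readings, corrects for the wrap of the 32-bit interface counters defined in RFC 2863, and evaluates a notification rule of the kind on the Notifications slide (rate above a limit for a sustained period). The counter samples, the poll interval and the link load are constructed.

```python
COUNTER32_MAX = 2 ** 32  # ifInOctets / ifOutOctets are 32-bit; ifHCInOctets / ifHCOutOctets are 64-bit


def build_samples(start_counter, octets_per_interval, count, interval_s, counter_max=COUNTER32_MAX):
    """Constructed poll results: (unix_time, counter) pairs for a link carrying a
    constant load, stored modulo counter_max exactly as the device would report them."""
    return [(i * interval_s, (start_counter + i * octets_per_interval) % counter_max)
            for i in range(count)]


def rates_kbit_per_s(samples, counter_max=COUNTER32_MAX):
    """Convert consecutive counter samples into (time, kbit/s) readings.

    A negative delta means the counter wrapped (or the device rebooted; a grapher
    cannot tell the two apart from one sample, which is why tools discard the
    first delta after a suspected reset). The poll interval must be shorter than
    the wrap time: a 32-bit octet counter on a 1 Gbit/s link wraps every ~34 s,
    so fast links should be polled with the 64-bit HC counters instead.
    """
    readings = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        delta = c1 - c0
        if delta < 0:
            delta += counter_max
        readings.append((t1, delta * 8 / (t1 - t0) / 1000))
    return readings


def first_sustained_breach(readings, limit_kbit, hold_s):
    """Return the time at which the rate has stayed above limit_kbit for at least
    hold_s seconds without interruption, or None if that never happens."""
    above_since = None
    for t, kbit in readings:
        if kbit > limit_kbit:
            if above_since is None:
                above_since = t
            if t - above_since >= hold_s:
                return t
        else:
            above_since = None
    return None


if __name__ == "__main__":
    # 100 kB/s (= 800 kbit/s) polled every 60 s, starting close enough to 2**32 that the counter wraps
    samples = build_samples(COUNTER32_MAX - 10_000_000, 6_000_000, 71, 60)
    readings = rates_kbit_per_s(samples)
    print(readings[:3])
    print(first_sustained_breach(readings, 700, 3600))  # 3660: above 700 kbit/s for an hour by then
```

Without the wrap correction the third reading in the constructed series would come out as a huge negative rate; with it, every reading is the expected 800 kbit/s and the one-hour rule fires at t = 3660.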
Experimentation (Examples)
Generate reports
Use web interface
Specify thresholds
Add and edit sensors
Automatic network discovery
Export data tables and graphs
Add customized graphs / tables
Customize graphs and tables view
Running PRTG
• When we run PRTG for the first time, it does not have any sensors to read, so we need to add some sensors to collect data.
• After we have added some sensors, the main window looks like this: (screenshot)
Adding a standard traffic sensor (screenshot sequence)
… continued
The above example showed how a standard traffic sensor in PRTG is added and monitored.
Conclusion
• The GUI of PRTG is user-friendly for installation and usage
• The graphical view of the network and bandwidth usage provides better monitoring of networks
• Makes it easy to identify network bottlenecks
• Better quality of service can be assured and planned according to the desired needs
PRTG
THANK YOU!
Firewall Analyzer 4
By:
- Mojeeb Al-Rhman Al-Khiaty
- Naif Al-Wadeai
Outline:
Reasons for choosing this tool!
What is a Firewall?
Firewall Analyzer 4 (quick description)
Features, characteristics and areas
How can you use this tool?
Examples
Firewall Architecture
References
Reasons for choosing this tool!
Our team members are interested in security and security management in networks.
We attempt to achieve the highest benefit from this course and connect it with our thesis ideas.
What is a Firewall?
A firewall is an important perimeter defense tool that protects your network from attacks. Security tools like firewalls and proxy servers generate a huge quantity of traffic logs, which can be mined to generate a wealth of security information reports. [2]
Firewall Analyzer 4.0
A web-based, cross-platform log analysis tool that analyzes logs received from different firewalls and generates useful reports and graphs.
Helps network administrators with:
Trend analysis
Capacity planning
Policy enforcement
Detecting security compromises [3]
How can Firewall Analyzer help you?
Analyze incoming and outgoing traffic/bandwidth patterns
Identify top web users, and top websites accessed
Project trends in user activity and network activity
Identify potential virus attacks and hack attempts
Determine bandwidth utilization by host, protocol, and destination
Alert on firewalls generating specific log events
Analyze the efficiency of firewall rules and modify them if needed
Determine the complete security posture of the enterprise
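As an added example (not Firewall Analyzer's code), the Python below performs three of the analyses listed above over a handful of constructed firewall log lines: protocol-wise and action-wise distribution, top sources, and an alert on a specific log pattern (one source being dropped on many different destination ports, the signature of a port scan). The lines follow the key=value layout of the Linux iptables LOG target; the rule log prefixes FW-ACCEPT / FW-DROP are assumed, the kernel uptime stamp is omitted, and the addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: iptables LOG lines (key=value fields); prefixes FW-ACCEPT / FW-DROP assumed.
SAMPLE_LOG = """\
Sep 18 10:01:22 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.80 PROTO=TCP SPT=51234 DPT=80
Sep 18 10:01:23 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.53 PROTO=UDP SPT=40000 DPT=53
Sep 18 10:01:25 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44001 DPT=21
Sep 18 10:01:25 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44002 DPT=22
Sep 18 10:01:26 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44003 DPT=23
Sep 18 10:01:26 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44004 DPT=25
Sep 18 10:01:27 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44005 DPT=80
Sep 18 10:01:30 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep 18 10:01:31 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.80 PROTO=TCP SPT=51235 DPT=443
this line is not a firewall record and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\S+) (?P<fields>.*)$"
)


def parse_line(line):
    """One syslog line -> dict with ts/host/action plus every KEY=VALUE field, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for token in rec.pop("fields").split():
        key, sep, value = token.partition("=")
        if sep:                      # bare flags such as DF or SYN carry no '='
            rec[key] = value
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def protocol_distribution(records):
    return Counter(r.get("PROTO", "OTHER") for r in records)


def action_distribution(records):
    return Counter(r["action"] for r in records)


def top_sources(records, n=3, action=None):
    """Most frequent SRC addresses, optionally restricted to one action (e.g. FW-DROP)."""
    return Counter(r["SRC"] for r in records if action is None or r["action"] == action).most_common(n)


def port_scan_alerts(records, min_ports=5):
    """Sources whose dropped TCP/UDP packets touched at least min_ports distinct
    destination ports: {src: sorted ports}. ICMP records have no DPT and are ignored."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "FW-DROP" and "DPT" in r:
            ports[r["SRC"]].add(int(r["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("protocols:", dict(protocol_distribution(recs)))
    print("actions:  ", dict(action_distribution(recs)))
    print("top dropped sources:", top_sources(recs, action="FW-DROP"))
    print("port-scan alerts:", port_scan_alerts(recs))
```

The scan rule is deliberately simple (distinct ports per source, no time window); a production analyzer would bucket by time and whitelist scanners it operates itself, but the shape of the query is the same.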
Firewall Analyzer 4.0
(Cont.)
 The reporting features available in this
release include,
 Pre-defined reports on bandwidth, protocol,
users, etc.
 Instant reports on firewall activity
 Scheduling of reports
 Custom report profiles
 Historical trend reports
 Export and save reports to PDF
 Custom alert settings.
Features and Benefits (cont.)
Multiple firewall vendor support: support for most leading enterprise firewall appliances and servers.
Automated syslog collection and processing: automatically collects and parses logs, and updates the database at user-defined intervals.
Syslog archiving: allows for archiving of log files at user-defined intervals.
Built-in database: stores and processes syslog data in the embedded MySQL database.
Dashboard: provides a quick view of current activity across all devices from a single place.
Features and Benefits (cont.)
Automatic alerting: automatically notifies and warns against specific events based on user-defined thresholds.
Pre-defined device reports: includes traffic analysis reports across all devices or specific to firewalls, proxy servers, and RADIUS servers.
Historical trending: allows you to analyze trends in bandwidth usage, protocol usage, etc. over varying time periods.
Customizable report profiles: allows you to build reports to meet your specific needs.
Features and Benefits (cont.)
Report scheduling: automatically generates reports at specified time intervals and delivers them as PDF reports via email.
Multiple report formats: generates and exports reports in HTML, PDF, and CSV formats.
Advanced user management: allows you to create different users and set appropriate access privileges.
Multi-platform support: runs on Windows and Linux platforms.
Examples (screenshots)
Protocol-wise distribution
Severity-wise distribution
Selecting device and date: selecting device, changing year, changing month
Reporting (four screens)
Architecture (diagram)
References:
1. William Stallings, “SNMP, SNMPv2, SNMPv3, and RMON 1 and 2”, Third Edition, Addison-Wesley, 1996.
2. http://www.manageengine.com
3. http://www.fwanalyzer.com
AT THE END

Thanks for your attention
 Team Members
Ahmad Salam AlRefai
Mohamed Abu Ghalioun
WORM DETECTION SYSTEM
OUTLINE
What is a Worm?
Intrusion Detection System (IDS)
Billy Goat System
Collaborative Distributed Attack Detection
Theory of Attack Detection
Cooperative Messaging Protocol
Questions & Answers
WHAT IS A WORM
A worm is a self-replicating computer program, similar to a virus.
A virus:
lives within another program and executes when that program executes; it needs a host program
causes mischief: deleting data, altering the display
Worms:
move or propagate through the network on their own
replicate themselves on a machine before jumping to others
generate so much network traffic that it overwhelms the network (DoS)
INTRUSION DETECTION SYSTEM
Started in 1987 by Dorothy E. Denning, a computer scientist then at SRI International, Menlo Park, Calif. In “An Intrusion-Detection Model”, published in IEEE Transactions on Software Engineering, she describes how to model the statistical characteristics of a system operating normally, so that deviations from the model could be taken as evidence that intruders were present.
An IDS tries to detect illegal activity; however, legitimate and illegitimate activities look similar, so the diagnosis depends heavily on the context.
TYPES OF INTRUSION DETECTION SYSTEM
A centralized system uses a single device to monitor the entire network. Centralized systems are designed primarily to protect enterprises by monitoring aggregate traffic at fixed locations in the network and responding by blocking or delaying observed malicious behavior.
A distributed system model tracks anomalies more reliably but requires installation on each machine. In this model all events are generated on the local systems individually.
BILLY GOAT SYSTEM
The main problems of previous intrusion detection systems are the many false alarms they produce, their lack of resistance to both malicious attacks and accidental failures, and the constant appearance of new attacks and vulnerabilities.
IBM Zurich Research Laboratory worked on a remedy for worms that differs from other approaches in targeting worms specifically rather than trying to prevent all breaches of computer security.
Billy Goat is a specialized worm-detection system that runs on a dedicated machine connected to the network and detects worm-infected machines anywhere in it. It is designed to take advantage of the way worms propagate, and it does so extremely accurately.
CONTINUE BILLY GOAT
A computer connected to the network often receives automated requests (service requests) from other computers.
Investigating these requests showed that worms caused a large fraction of them, because worms typically find new computers to target by searching through Internet addresses at random.
This strategy is effective because the ever-increasing number of infected machines in an attack can soon be generating hundreds of millions of addresses to try.
The Billy Goat machines are assigned unused and unadvertised addresses. Because no legitimate party knows of the existence of those machines, we can assume that any traffic to them is almost surely illegitimate.
CONTINUE BILLY GOAT
Billy Goat responds to the infecting machine with a virtual environment.
Feigned services are provided (many of them, e.g. the MS SQL service targeted by Sapphire/Slammer).
Connection attempts are recorded, which helps Billy Goat reveal the identity of the worm and lets the system know which machine is infected.
When a worm tries to infect Billy Goat, its identity gets recorded and reported to the administrator.
CONTINUE BILLY GOAT
More than one address can be assigned to the same machine.
The machine provides many virtual services.
To ensure that Billy Goat keeps working under a heavy worm attack, a distributed architecture can be used.
Extremely effective: discovers infected machines in seconds.
CENTRALIZED SYSTEMS VS. DISTRIBUTED LOCAL SYSTEMS
Centralized Systems:
Global view of the enterprise network, which means a centralized decision maker.
High quality (low false positive and low false negative rates).
Not scalable for large networks.
There may not be sufficient trust between sub-domains to accept a centralized protection policy.
Large numbers of mobile nodes may exit and enter the network, leaving them temporarily without protection.
CENTRALIZED SYSTEMS VS. DISTRIBUTED LOCAL SYSTEMS (CONT.)
Distributed System:
Scalable for large networks.
Lack of global view.
Low quality: high false positive and high false negative rates.
COLLABORATIVE DISTRIBUTED ATTACK DETECTION
It is a suggested solution:
It uses a distributed system model; all events are generated using software detection agents on individual hosts.
It solves the problem of the lack of a global view by sharing information between nodes.
MECHANISM OF COLLABORATIVE DISTRIBUTED ATTACK DETECTION
Attack Detection
Cooperative Messaging Protocols
ATTACK DETECTION
Collaborating sites maintain a decision table.
It is constructed from the ratio of the likelihood that the observed features indicate the current worm attack to the likelihood that those features occur at random.
When the accumulated ratio crosses a predetermined threshold, enough evidence has been gathered to reach a correct decision with high probability.
THEORY OF ATTACK DETECTION
Let $H_1$ be the hypothesis that there is a worm, and $H_0$ the hypothesis that there is no worm.
Let $Y_i$ be the random variable that says whether or not there is an attack at site $i$:
$Y_i = 1$ if site $i$ reports an attack (this could be a false positive),
$Y_i = 0$ if site $i$ reports no attack (this could be a false negative).
The observation vector $Y = \{Y_1, Y_2, \dots, Y_n\}$ is the set of measurements obtained from $n$ conditionally independent end-hosts, and $L(Y)$ denotes its likelihood ratio $P(Y \mid H_1) / P(Y \mid H_0)$.
THEORY OF ATTACK DETECTION (CONT)
The table is constructed using many random walks through a collection of local detectors.
The strength of the desired global detector is specified by two quantities: the desired detection rate $D_D$ and the desired false alarm rate $D_F$.
Using these, one can calculate the thresholds in the table of likelihood ratios:
$$T_0 = \frac{1 - D_D}{1 - D_F}, \qquad T_1 = \frac{D_D}{D_F}.$$
THEORY OF ATTACK DETECTION (CONT)
Each host then implements a global intrusion detector that makes decisions as follows:
If, after including the local detector state, the calculated likelihood ratio satisfies $L(Y) < T_0$, accept the hypothesis that there is no worm ($H_0$) and halt the query.
If $L(Y) > T_1$, accept the worm hypothesis ($H_1$) and raise a global alarm; otherwise continue the random walk among end-hosts.
COOPERATIVE MESSAGING PROTOCOLS
Cooperating hosts contain a random subset of the addresses of all nodes in the collection.
Nodes with new alerts from their local detectors choose m other end-hosts at random and send the message “{1, 1}”, which means “one site has reported one alert”.
Hosts receiving this message add their local information (e.g. a host would generate “{2, 1}” if it had not seen the activity, and “{2, 2}” if it had).
COOPERATIVE MESSAGING PROTOCOLS (CONT.)
If no decision is reached, m new sites are selected at random and the message propagates. In this manner multiple sequences (chains) of evidence are spread randomly across cooperating end-hosts. If a “normal behavior” decision is reached in any chain, that chain halts. If a “likely worm attack” decision is reached at any point, a global warning is broadcast to all nodes.
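To make the decision rule from the Theory of Attack Detection slides and the {sites, alerts} message of the cooperative protocol concrete, here is an added Python simulation (not code from the referenced papers). The per-site rates p1 (probability that a local detector alerts during a worm attack) and p0 (probability that it alerts at random), the desired rates D_D and D_F, the host list and which hosts have seen the activity are all assumed or constructed. Because the end-hosts are conditionally independent, a message {n, k} is all a receiver need carry: the likelihood ratio is (p1/p0)^k ((1-p1)/(1-p0))^(n-k), compared with T0 and T1 exactly as on the slides. The simulation follows a single chain (m = 1); the real protocol forks m copies of the message at each hop.

```python
import random


def thresholds(dd, df):
    """SPRT thresholds from the desired detection rate D_D and false-alarm rate D_F."""
    return (1 - dd) / (1 - df), dd / df   # T0, T1


def likelihood_ratio(n_sites, n_alerts, p1, p0):
    """L(Y) for a message {n_sites, n_alerts}: each alerting site contributes p1/p0,
    each non-alerting site (1-p1)/(1-p0), by conditional independence of the sites."""
    return (p1 / p0) ** n_alerts * ((1 - p1) / (1 - p0)) ** (n_sites - n_alerts)


def decide(n_sites, n_alerts, p1, p0, dd, df):
    """'H0' (no worm, halt the chain), 'H1' (worm, global alarm) or 'continue'."""
    t0, t1 = thresholds(dd, df)
    lr = likelihood_ratio(n_sites, n_alerts, p1, p0)
    if lr < t0:
        return "H0"
    if lr > t1:
        return "H1"
    return "continue"


def random_walk(local_alerts, origin, p1, p0, dd, df, seed=0):
    """Simulate one evidence chain starting at an alerting host.

    local_alerts: {host: 1 if its local detector fired, else 0} (constructed input).
    Each hop picks an unvisited host at random and folds its local state into the
    message {n, k}. Returns (decision, (n, k), path); 'undecided' if the hosts run
    out before either threshold is crossed.
    """
    rng = random.Random(seed)
    n, k = 1, local_alerts[origin]
    path = [origin]
    while True:
        verdict = decide(n, k, p1, p0, dd, df)
        if verdict != "continue":
            return verdict, (n, k), path
        candidates = [h for h in local_alerts if h not in path]
        if not candidates:
            return "undecided", (n, k), path
        nxt = rng.choice(candidates)
        n, k = n + 1, k + local_alerts[nxt]
        path.append(nxt)


if __name__ == "__main__":
    P1, P0, DD, DF = 0.8, 0.05, 0.99, 0.01      # assumed detector quality and target rates
    print("T0, T1 =", thresholds(DD, DF))
    worm = {f"h{i}": 1 for i in range(8)}       # every host's detector has fired
    quiet = {"h0": 1, **{f"h{i}": 0 for i in range(1, 8)}}  # one isolated false positive
    print(random_walk(worm, "h0", P1, P0, DD, DF))   # H1 after {2, 2}
    print(random_walk(quiet, "h0", P1, P0, DD, DF))  # H0 after {6, 1}
```

With these assumed rates one corroborating alert is enough to raise the global alarm, while a lone false positive is retired after five silent hosts have been consulted; the path differs with the seed, but the message at which the decision falls does not, which is the property that lets each host evaluate the chain locally.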
References
James Riordan, Andreas Wespi, Diego Zamboni, “How to Hook Worms”, IEEE Spectrum, May 2005.
Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler, “A Distributed Host-based Worm Detection System”.
QUESTIONS & ANSWERS