Network Monitoring - Report Example

Extract of sample "Network Monitoring"

Network monitoring

Abstract

As the computer networks used in organizations grow, there is a need for a way to manage and monitor them. This need is taking shape as more and more companies develop their intranets. The different types of traffic that traverse computer networks need to be monitored. Network monitoring has a role in network management because it helps in diagnosing and resolving the issues faced in the network, and it helps maintain continued service delivery. There are many tools for network analysis and monitoring. This paper focuses on how Simple Network Monitoring Protocol (SNMP) is used to monitor a network. It also gives an overview of how the interfaces of routers and switches are monitored by use of the SNMP protocol.

Introduction

Network monitoring can be defined as the process of capturing network traffic and examining it closely to know what is happening in the network. It is a demanding task, and yet it is a very important process in any computer network. The task is undertaken by network administrators, and it defines their work as they strive to keep the network operating smoothly. Even a short period in which the network is down affects the service delivery of an organization and compromises productivity. If the network is used to provide public services, then the delivery of those services is interrupted. To be proactive rather than reactive, network administrators need a way to monitor the network so that they can find where a problem lies and solve it before the network comes to a standstill. This way, they ensure that security holes are looked into and covered[Chr02].
Overview of network monitoring techniques

There are various methods of achieving network monitoring. These techniques can be categorized as either router-based or non-router-based. In router-based monitoring, the monitoring functionality is built into the router, and no additional software needs to be installed in order to monitor the network. Non-router-based monitoring requires additional software and hardware, and it is the more flexible method. Router-based monitoring capabilities are hardwired into the routers and are therefore less flexible[Dav01]. Third-party tools have also been devised for monitoring networks. They are summarized in the table below:

Tool: Colasoft packet graphing
Description: Colasoft packet graphing software can sort events, separated by OSI layer, by severity, source address or event type, which helps speed recovery. It also has a matrix view that depicts connections, which further enhances diagnosis. Colasoft is compatible with Windows XP, Vista and Windows 7, in both 32-bit and 64-bit versions.
Price: Freeware

Tool: Intermapper control center
Description: Intermapper is a network monitoring tool that monitors system availability by a variety of methods, including simple ping via the SNMP protocol, and HTTP, DHCP, DNS and LDAP for specific tasks[Dav01]. With Intermapper, an administrator can monitor service availability and be instantly notified of network problems. One advantage of Intermapper is its cross-platform support for both Windows and Linux based operating systems.
Price: $290

Tool: Nagios
Description: Nagios is an open source tool that offers support for a network of any size. Although it is simple to install, it requires some time to tweak. Key advantages include its scalability, ease of navigation, plenty of plug-ins and its ability to generate reports.
Price: Free

Tool: Zenoss
Description: The Zenoss monitoring tool is similar to Nagios, though it is easier to configure[Chr02]. The Zenoss interface is rendered on a web-based platform and is cross-platform compatible, with support for Linux, Mac OS X and Windows. It also comes with virtual appliances for VMware.
Price: Free

Simple network monitoring protocol (SNMP)

SNMP is a protocol found in the application layer of the TCP/IP model and protocol suite. It enables network administrators to manage networks, enhance network performance and plan for network growth. It gathers statistics about the network and its traffic by use of passive sensors, which are implemented from the router to the end host. There are two versions of SNMP, SNMPv1 and SNMPv2. This paper will dwell on SNMPv1, as SNMPv2 supports the older version (SNMPv1)[Sch10].

Structure of an SNMP

There are three components of an SNMP: managed devices, network management systems (NMSs), and agents. A managed device contains the SNMP agent. Managed devices can be such objects as routers, switches, printers, PCs, and hubs. Their main tasks are to collect information and make it available to NMSs. The agent software has knowledge of how the device is managed and converts this information into a form that is compatible with SNMP. Agents are situated inside a managed device[Mau05]. The work of the NMS is to execute the applications that monitor and control the managed devices. NMSs provide the processing resources required for network management. There must be at least one NMS in any network. SNMP can work as an agent or an NMS, or can undertake the actions of both.
In order to monitor and control managed devices, an SNMP NMS uses four commands: read, write, trap, and traversal. The read command examines the variables that are kept by managed devices. The write command changes the values of the variables stored by the managed devices. The traversal operation finds out which variables a managed device supports and gathers information from the variable tables. The trap command is used by the managed device to report an occurrence on the managed device to the NMS[Sch10].

Four protocol operations are used for the operation of SNMP: Get, GetNext, Set and Trap. The Get command is given when an NMS sends a request for information to the managed device. The SNMP version 1 request message that is sent has a message header and a protocol data unit (PDU). The PDU carries the information that is required for the request to be complete. The request will either retrieve information from an agent or set information within an agent. The managed devices use the SNMP agents situated in them to get the required information, and then respond to the NMS with the answer that was initially requested. If the agent does not have the requested information, there will be no answer to the request. In this situation, the GetNext command gets information about the next object instance. It is also possible for the NMS to send a request (referred to as the Set operation) that sets the values of items found in the agents. The Trap operation is used when an agent wants to relay some information to the NMS[Dav01].
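The SNMPv1 request described above (a message header followed by a PDU), decoded byte by byte; this is an added example, not part of the original report. Per RFC 1157 the header carries a version number and a community string. The two packets are constructed for illustration, the community strings lab-ro and lab-rw are made up, and the function names are assumptions.

```python
# Added example: a minimal BER reader for SNMPv1 messages (not a full ASN.1 parser).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# Constructed sample packets (not captured traffic); community strings are made up.
GET_SYSUPTIME = bytes.fromhex(
    "3026" "020100" "04066c61622d726f"        # SEQUENCE, version 0 (SNMPv1), "lab-ro"
    "a019" "020101" "020100" "020100"          # GetRequest: request-id 1, error 0, index 0
    "300e300c" "06082b06010201010300" "0500")  # varbind: sysUpTime.0 = NULL
SET_SYSCONTACT = bytes.fromhex(
    "3027" "020100" "04066c61622d7277"        # SEQUENCE, version 0 (SNMPv1), "lab-rw"
    "a31a" "020102" "020100" "020100"          # SetRequest: request-id 2
    "300f300d" "06082b06010201010400" "040178")  # varbind: sysContact.0 = "x"

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end

def expect(buf, pos, want_tag):
    """Read one element and insist on its tag; return (value_bytes, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x}, got 0x{tag:02x}")
    return value, nxt

def decode_oid(data):
    """Decode BER object identifier contents into dotted notation."""
    subids, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more follows"
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if not subids or data[-1] & 0x80:
        raise ValueError("malformed OID")
    first = subids[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(arc) for arc in head + subids[1:])

def decode_snmpv1(packet):
    """Split a message into header fields and, for non-Trap PDUs, id and OIDs."""
    body, _ = expect(packet, 0, 0x30)
    version, pos = expect(body, 0, 0x02)
    community, pos = expect(body, pos, 0x04)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if int.from_bytes(version, "big") != 0:
        raise ValueError("not an SNMPv1 message")
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU type")
    msg = {"version": "SNMPv1", "community": community.decode("ascii", "replace"),
           "pdu": PDU_TYPES[pdu_tag]}
    if pdu_tag == 0xA4:                        # Trap-PDU has a different layout
        return msg
    request_id, p = expect(pdu, 0, 0x02)
    _, p = expect(pdu, p, 0x02)                # error-status
    _, p = expect(pdu, p, 0x02)                # error-index
    varbinds, _ = expect(pdu, p, 0x30)
    msg["request_id"] = int.from_bytes(request_id, "big", signed=True)
    msg["oids"], p = [], 0
    while p < len(varbinds):
        varbind, p = expect(varbinds, p, 0x30)
        name, _ = expect(varbind, 0, 0x06)
        msg["oids"].append(decode_oid(name))
    return msg

def review(packet):
    """Decode a packet and note what anyone on the path can read from it."""
    msg = decode_snmpv1(packet)
    notes = [f"community '{msg['community']}' is readable in cleartext"]
    if msg["pdu"] == "SetRequest":
        notes.append("write (Set) is authorised only by that community string")
    return msg, notes

if __name__ == "__main__":
    for sample in (GET_SYSUPTIME, SET_SYSCONTACT):
        print(review(sample))
```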
As stated initially, the work of SNMP is to monitor network traffic and relay this information to network administrators. This information helps network administrators to monitor the network and check its performance. They are able to enhance performance where requirements are unmet or features are found lacking in the network. Although this is an important tool that is used by many administrators, it comes with security vulnerabilities to the network. This is because there are no authentication mechanisms associated with the tool. Figure one shows the communication between SNMP manager and SNMP agent.

Network management automation

With large networks, network management becomes a difficult process. SNMP comes in handy here, making management of this type of network possible from a managing host. With SNMP, it is possible to manage hubs, printers, hosts, and management services like DHCP. It is possible to manage any type of network that has been installed with SNMP agent software. This software comes with Windows 2003 Server. It interacts with third-party SNMP applications so that they give the required information about the network. With SNMP, you can monitor the performance of a network, access the performance of remote devices, and even configure remote devices. SNMP is designed to interfere as little as possible with the device and to be deployable in the largest networks possible[Dav01].

Managers and agents

There are SNMP-capable devices and network-management stations. SNMP has managers and agents, as discussed in the sections before. A manager is a server that runs software that can be used to manage a network. Managers are commonly referred to as network management stations (NMSs). The tasks that an NMS undertakes are polling agents and receiving traps from agents in the network. A poll is the procedure of querying an agent for some information. An agent can be a hub, router, UNIX server or switch. This information can later be used to determine whether an event has taken place. Traps are sent asynchronously, not in response to queries from the NMS. The NMS is responsible for reacting to the information it gets from the agent. For example, when the T1 line to the internet goes down, the router can send a trap to the NMS[Sch10].

An agent is software that runs on the network devices that are being managed. This software can be separate, like a daemon in UNIX, or it can be incorporated into the operating system or into low-level operating systems like those of Cisco routers. The IP devices built today come with some SNMP capability integrated into the firmware. The work of many system administrators is made simpler by the fact that many devices have SNMP capabilities. The agent gives management information to the NMS by keeping track of the way the device operates and relaying this information to the NMS. For example, the agent on a router detects the statuses of the router's interfaces and relays this information to the NMS. The information includes which interfaces are up, which are down, which are receiving data and which are sending data. This is how monitoring is undertaken at the router interface. The NMS can then send queries about which interfaces are up and which are down, and undertake the needed action if one of the interfaces is down. If the agent realizes that something bad has taken place, it sends a trap to the NMS. This trap comes from the agent and is targeted at the NMS, and appropriate action is then undertaken. When there is a transition from a bad state to a good state, some devices send an "all clear" signal. This is important for knowing whether the problem was resolved, and avoids spending more time trying to resolve it[Dav01].
The diagram below shows how an agent is related to an NMS.

One thing that should be clear is that polls and traps can take place at the same time. There are no conditions or limitations on when an NMS can query the agent or when an agent can send a trap.

SNMP notifications

SNMP's Inform Request feature enables routers to send inform requests to SNMP managers. When a particular event has taken place, the router sends an inform request to the SNMP manager. For example, when an agent router experiences an error, it sends a message to the SNMP manager informing it that an error has occurred. SNMP notifications can be sent in two forms, either as inform requests or as traps. The difference between the two is that traps are not reliable, because the receiver does not send an acknowledgement that it has received the trap. It is therefore hard to determine whether the trap was received by the recipient. On the other hand, an SNMP manager that receives an inform request acknowledges the message by use of an SNMP response PDU. If the inform request is not received, the manager does not send any acknowledgement/response. If the sender does not receive a response from the receiver, the inform is sent again. Informs are therefore more likely to reach their destinations than traps are[Dav01].

Because informs are more reliable than traps, they consume more resources in the router and in the network. Unlike a trap, which is discarded after it has been sent, an inform has to be kept in memory until acknowledgements are received. Another difference is that a trap is sent only once, while an inform can be sent several times depending on whether it was acknowledged. The repeated sending of informs causes a lot of traffic overhead in the network. It also consumes a lot of time while the packets are sent from one host to another. There is therefore a tradeoff between reliability and network resources when choosing whether to use traps or informs. If the most important thing is for the SNMP manager to get the notifications that are sent, use inform requests; if you are concerned with the traffic and resources that will be used in the network, use traps[Mau05].

The structure of management information and MIBs

The structure of management information (SMI) gives a way to define managed objects and their behavior. An agent has a collection of objects that it tracks. An example of such an object is the operational status of a router interface, which will be up, down, or in testing mode. This list holds information that the NMS can use when determining the status of the device where the agent resides. The management information base (MIB) can be taken to be a database of the objects that the agent tracks. Any information that can be represented in a statistical manner and accessed by the NMS has its definition in a MIB. NMS provides a way in which managed objects can be managed, while a MIB is the definition of the objects themselves. A MIB can be compared to a dictionary. Just as a dictionary shows the spelling of a word and gives its meaning, a MIB gives the textual name of a managed object and shows the meaning of that name. An agent may be configured to implement many MIBs, but all agents implement a given MIB that is referred to as MIB-II. This is a standard that defines variables for objects such as the interface statistics of routers and switches. It can also define other objects associated with the system, such as the location of the system and the system contact. The main goal of MIB-II is to give general TCP/IP management details. It does not have all the details that a vendor may want to manage in a given device[Mau05].

Host management

While monitoring a network and the objects in it, it is important to manage things like memory, disk space and usage. The difference between traditional system management and network management has been fading over time and has finally disappeared. The network is now a computer in its own right. It does not matter that your routers are running well; if the servers are down, you will not have a good system. The management of the host device is undertaken using the Host Resources MIB. It defines aspects that are used to manage some processes of Windows and UNIX operating systems[Dav01]. The aspects supported by the Host Resources MIB include disk space, the number of system users and the number of processes that are running.

Router as an SNMP manager

The SNMP feature enables the router to act as an SNMP manager. This way, the router is able to send SNMP requests to agents and to receive SNMP responses and notifications coming from agents. The router is also able to send queries to other SNMP agents if the SNMP process is enabled. In this state, the SNMP agent is also able to process incoming SNMP traps[Mau05].

Security issues to be considered

Many network policies have been set with the assumption that routers will accept SNMP requests and responses and will send SNMP notices. If the SNMP manager has been enabled, the router will be in a position to send SNMP requests and SNMP responses and to receive SNMP notices. The security policy needs to be updated before this feature is enabled. SNMP requests and SNMP responses are sent from and to UDP port 161. SNMP notifications are sent to UDP port 162[Dav01].
SNMP sessions

Sessions come into being when the SNMP manager in the router sends SNMP requests. These requests include inform and trap messages, and they are sent to a host. The SNMP manager in the router may also receive notifications from SNMP agents in the network. In this case, one session is created for each destination host. The session is deleted if there is no communication between the router and the host within the session timeout period. The router also tracks statistics for each session, such as the time required for the router to reach the host. With the statistics available in the router for each session, the SNMP manager can in future set the timeout periods for requests like informs and traps for that given host. If the session is deleted, all this information is deleted with it. If a session is later created for the same host, the request timeout value is restored to the default value[Chr02].

It is clear that sessions consume a lot of memory. For this reason, a reasonable timeout value should be set so that sessions are not deleted prematurely. It should also be short enough to purge sessions that are not used often or that are used only once.

Recording network statistics

There are different ways in which the statistics of a router/switch interface can be obtained. One common method is to make use of professional tools. Other methods include using programming interfaces and command line tools. In all these methods, the common parameters measured include the operating system that the host is running (if the host is a server), the time that the host has been operating (that is, available), and the place where the host is located[Sch10]. The time intervals in these measurements are shown in their original values (that is, timeticks) and also in converted values that can be read by humans, in days, hours, minutes and seconds. The most important parameter that SNMP records on a router/switch interface is the uptime or availability of the machine, because it shows whether the machine is up and processing requests. Other solutions that have been useful in the past include pinging the router interface or using the rwho or ruptime commands. These two commands are intensive in CPU use and utilize a lot of network resources. It is important to note that the uptime described here is the time that the SNMP agent has been operating, or available, and not the uptime of the whole machine. In most situations, the whole machine and the SNMP agent are the same thing. This is especially true when the device has built-in monitoring, like network routers and switches. For computers that show their status using SNMP, there will be a difference between system uptime and SNMP agent uptime[Dav01].

Recording information over a long time

It is often not helpful to get information about something at a single instant. It is helpful to have information about it over a long period of time, which helps when analysis and diagnosis are being carried out. In most situations, there are some parameters you might want to monitor for a long time, and there could also be values that you might want to record over a period of time. One such parameter is the disk space, if a computer is being monitored. Disk usage needs to be monitored because there are times when it reaches a certain level, and this could signify a problem. Likewise, if a router interface is being monitored for a long time, the number of connections could be monitored. If there are high levels of connections and the connection speed changes, this information helps to show that the number of connections affects the speed[Dav01].

Conclusion

The process of monitoring networks is a complex and tedious task, and yet very important in network management. With the increase in network devices and hosts, the management of these devices becomes harder and more complex. SNMP is a good, reliable and efficient method for showing the performance and the progress of these devices in the network. Because the interface is consistent across many devices, it is possible to get the uptime, the statistics of the network, the use of disk space and even process monitoring using the same methods across many hosts. This paper has focused on how network monitoring can be undertaken using the SNMP protocol. It has also dealt with how router and switch interfaces can be monitored using SNMP. Other aspects of monitoring have also been looked into. One such aspect is the structure of the SNMP, which has been covered extensively.

References

Chr02: Brenton & Hunt 2002
Dav01: Marchette 2001
Sch10: Schneier 2010
Mau05: Mauro & Schmidt 2005
Network Monitoring Report Example | Topics and Well Written Essays - 3750 words. https://studentshare.org/information-technology/2049167-information-communication-technology-network-project