In this section about campus network security we're going to go into some detail about network monitoring and management. This is really the foundation of security on your campus network. You need to have managed equipment in your network in order to be able to properly monitor it and manage the equipment. This means the equipment at the very minimum needs to be able to respond to a ping. It needs to be able to run a protocol like SNMP, or you need to be able to install an agent on this equipment that can send you data. HTTPS is also another protocol that can be used on equipment in order to gather information.

You need to have some basic network monitoring and management in place because you need to know what's happening on your network, in real time if you can, and network monitoring and management is pretty much the foundation that virtually all network security frameworks operate on. There are some classical network monitoring and management tools that are very useful. For instance, are some of your devices not responding, or responding poorly? Maybe it's a denial of service attack on your network, or some kind of break-in. A tool like Nagios or SmokePing can help you to detect this. Or you've seen unusual levels of traffic. And how do you know if it's an unusual level of traffic? The first thing you need to do is monitor your network for a while; you'll learn what looks normal. This is called baselining, and then over time you'll realize when something doesn't look normal. A few tools to do this include classical tools such as Cacti, LibreNMS, and NetFlow using NfSen, and also other types of network flows such as sFlow, J-Flow, and IPFIX. It depends on the network hardware that you're actually using as to what type of flow you'll have. These are a few of the classical network monitoring and management tools that are open source and available to you, organized by category. You can look through this list at any time and see if anything looks interesting to you. We'll go over some more here and talk about a bit more modern network monitoring and management tools.

These are generally tools that are built around software stacks that include some agents for pushing information out from remote devices rather than pulling information, but these tools can also use classical protocols such as SNMP to pull data from devices. They generally include a data store, and then they include something to be able to peruse that data store and ask it questions, and usually some software that provides you with a very nice graphical dashboard that you can customize. These tools are more complex, but they provide you with alerting on events and some detailed dashboards that show your network state in real time. The reason why I say real time is because, since you can push information to these data stores, you can push that information as fine-grained as you want to and as quickly as you want to. You can detect anomalies, you can see trends over time, and you can inspect network flows as well. A few popular software stacks include Prometheus, ELK, and TICK. There are many, many software stacks available; we just mentioned a few here. We'll show you what these look like very quickly.

The ELK stack involves some agents, these are called Beats, which send information into a data store, and you're able to search through that data store; this is called Elasticsearch. There's also Logstash, which is specific for logging information, so you can send information to logging servers, Logstash servers, and you can use classic logging protocols to do this. And then you can have a graph board; a typical graph board for the ELK stack is Kibana, and this is what allows you to see and view the information in a graphical manner. In the TICK stack you have agents, these are called Telegraf; they send into a data store, and then you can look at that data store using tools like Kapacitor and Chronograf, which give you beautiful dashboards as well. And Prometheus, which has become quite popular, has things called node exporters, which are software that send out information, but Prometheus also can pull information using SNMP or HTTP, and then you store it in a data store, and you are able to alert on information using a tool called Alertmanager, and Grafana is a typical dashboard that you can use to create beautiful images and give you any kind of customized information that you want.

Also, if you want to analyze your traffic in real time, look for trends and try to figure out if something is going on, this is called network traffic analysis, and it's important to know what's traversing your network. So let's imagine that you discover there's a new virus that has infected some of your machines, and all of these infected machines are connected to a specific IP address. Can you find out which machines have connected to that address? Do you have that capability on your network? We'll talk about this in a bit: what tools are available to detect this. Network flows definitely help to be able to detect this, and then there are also network intrusion detection systems, and some popular open source systems include Snort, Suricata, and Zeek, and Zeek used to be known as Bro. These are all open source and available to you.

Log analysis: it's a good idea to collect logs from multiple devices, from switches, from routers, from servers, and send all that logging information to a single logging server, and that box will have a large data store of all your logs. Then you can correlate that information, you can search it, you can do post-mortem analysis on that server, and you can also apply dashboards to that logging information. It's really useful to send your logging information to a remote box so that if you have a compromised machine and somebody goes in and changes the logs to hide their path, you still have the original log messages that indicate what happened. You can keep the logging information on both the remote host and the logging box at the same time. That's important to remember.

If you have an acceptable use policy, so what is allowed on your network and what is not, then these tools help you to enforce it and to actually prove to somebody whether or not they have broken your policy. So you need to be able to monitor what users are doing, and this is a very personal decision on your part as to what level: how anonymous will this be, how much monitoring are you going to be doing of user activity. Sometimes this is really simple: perhaps you have labs and you can simply look over people's shoulders and see what they're doing, and that's pretty good monitoring, but that's not practical in today's environment, particularly with wirelessly connected laptops. There are lots of useful technical tools, and what's really important is to understand what's normal on your network so that when you see something abnormal you can start to figure out what to do next and figure out what's happening.

Network flows: routers can generate a summary of records about every traffic session seen. This means source address, source port, destination address, destination port, bytes, packets, and you can keep track of sessions that users have actively running on your network. So for instance you can see who is using the most bandwidth on your network and what they're using to use that much bandwidth, and you can figure out what somebody's been doing. You don't see the actual content of the packets (that's called deep packet inspection), but you see the general idea of what types of packets were in use. Some software to do this includes nfdump with NfSen; this uses traditional NetFlow and it's a traditional piece of software. Some more modern open source software includes ElastiFlow. Be aware of network flows and network address translation: if you are using network address translation for your network, then for instance if it's on your border router you need to make sure that you're generating NetFlow on the interface before you do the NAT translation; otherwise you will not know which private IP address on your network actually generated the flow. If you're doing that on a firewall it's a bit more complicated; you need to get the NetFlow data either from the firewall, if that's possible, or from a device behind the firewall, and this will depend on where you have placed your firewall. So if your firewall is before a router then you can obviously do the flows on the router itself, but if it's after the router then you will need to generate the flows off of the firewall device itself.

Anomalous traffic: so this again is traffic that doesn't make sense, that looks different, that generates a signature that you haven't seen before. Intrusion detection systems, as we mentioned before, such as Snort, Zeek, and Suricata, and there are many others, can identify suspicious traffic patterns. They can see machines that are using BitTorrent, they can see machines infected with certain types of viruses or worms, and they can see some network-based attacks. Typically you would connect a machine running one of these intrusion detection systems to a mirror port, perhaps on a switch that's right near your border. One of the major issues with these systems is the risk of false positives. They can generate many, many false alarms at first, and it takes a while to tune them so that the information you're getting from them is actually useful and interesting to you.

Associating an IP address to a user: this is really important when you do discover that a machine has an issue that you need to investigate further. If you're not doing authentication sessions when people log in, this can be a bit harder, so you can look in things like your ARP and DHCP logs to map an IP address to a MAC address, and then once you have the MAC address you can find this on your switches and see what port that device was attached to. Things like Netdot, NetBox, and LibreNMS can do this for you. If you're using wireless, the best you can do at that point in time is find out what port the wireless access point was on. You can use RADIUS logs, 802.1X logs, for wireless users, so it's really good to have people log in on your wireless network. You can use Active Directory if you're running Microsoft products, with Active Directory for domain logins, and if you have network access control using something like PacketFence or other tools, these can be useful for identifying IP addresses to users.

Network management helps you to let people know that maybe they're uploading data to the network and they're not aware of it. For instance, if you have users using BitTorrent they could actually be sharing information and not even be aware of it at that point in time. At the University of Oregon, if somebody uses BitTorrent we detect it, we let them know via email. It's not illegal to use BitTorrent; it's an extremely useful tool to obtain some software. But if they are downloading something illegal, or that's not licensed, they know that we're aware of their BitTorrent use, and it's amazing how quickly people will stop doing things that are illegal. BitTorrent is perfectly useful for obtaining things such as entire CD-ROM images of, for instance, Linux distributions, or data sets and stuff like that.

So in summary, your policy is extremely important: your acceptable use policy and what you plan to do if users are breaking your acceptable use policy. In order to enforce this and to be able to back up what you say is happening, network monitoring and management is critical. You can take action on specific issues such as encryption, which we will talk about in a later video, virus protection, and authentication and authorization using network monitoring and management. And note that you can use firewalls only to protect sensitive servers rather than using firewalls across your entire network. So for instance if you place your public-facing servers into a separate network segment, you can put a firewall in front of those servers and provide them that protection, and then you may provide access control lists on your border router for the rest of your network.
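As an added example (not part of this lecture or of nfdump, NfSen or LibreNMS), here is how two of the questions above can be answered from flow records and DHCP logs: which internal hosts contacted a suspect address, who the top talkers are for a baseline comparison, and which switch port an address was on via IP to MAC to port. The CSV field order, the DHCP log lines and the MAC table are constructed assumptions, not real campus data.

```python
import re
from collections import Counter
# Constructed nfdump-style flow records (not real campus data):
# src_ip, src_port, dst_ip, dst_port, proto, bytes
FLOWS_CSV = """\
10.1.2.3,51234,203.0.113.7,443,tcp,1800
10.1.2.9,49201,203.0.113.7,443,tcp,2400
10.1.2.3,51300,198.51.100.5,80,tcp,150000
10.1.4.20,40000,203.0.113.7,443,tcp,900
10.1.2.9,6881,198.51.100.40,6881,tcp,9000000
"""
# Constructed ISC DHCP syslog lines and a switch MAC-table snapshot.
DHCP_LOG = """\
Mar  3 10:01:02 dhcp dhcpd: DHCPACK on 10.1.2.3 to aa:bb:cc:00:00:03 via eth0
Mar  3 10:05:44 dhcp dhcpd: DHCPACK on 10.1.2.9 to aa:bb:cc:00:00:09 via eth0
"""
MAC_TABLE = {"aa:bb:cc:00:00:03": "Gi1/0/12", "aa:bb:cc:00:00:09": "Gi1/0/7"}
DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")

def parse_flows(text):
    """Turn the CSV export into dicts; flows carry headers, never payload."""
    rows = []
    for line in text.splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        rows.append({"src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return rows

def hosts_contacting(flows, suspect_ip):
    """Internal hosts that had any flow to the suspect address."""
    return sorted({f["src"] for f in flows if f["dst"] == suspect_ip})

def top_talkers(flows, n=3):
    """Source addresses ranked by bytes sent, to compare against a baseline."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)

def mac_for_ip(dhcp_log, ip):
    """Most recent MAC the DHCP server acknowledged for this IP (None if unseen)."""
    mac = None
    for m in DHCP_RE.finditer(dhcp_log):
        if m.group(1) == ip:
            mac = m.group(2)
    return mac

def switch_port_for_ip(dhcp_log, mac_table, ip):
    """IP -> MAC (DHCP log) -> switch port (MAC table); None if a hop is missing."""
    mac = mac_for_ip(dhcp_log, ip)
    return mac_table.get(mac) if mac else None
```

A host with no DHCP lease (a static address, or one seen only before the log window) resolves to None, which is exactly the gap the lecture says ARP logs and 802.1X or RADIUS logs are there to close.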

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)