Monitoring Your Network

Chris Bamber, IT Systems Manager

Somerville College

Confidentiality: The contents of this presentation and workshop discussion are to be held in strictest confidence.

26th June 2003, Christopher Bamber

What We Can Use the Tools for

Identifying unofficial services or servers

Monitoring usage and traffic statistics

Protecting your network from the world

Troubleshooting your network

Investigating a security incident

Keeping logs of users' activities for accountability

Who? What? Where? How? When?

Who is accessing your network? – students, academics, staff, visitors or others

What are they accessing your network for? – academic study, social use, business use, illegal use

Where are they accessing your network from? – internal, external

How are they accessing your network? – remote user, local Ethernet, WAN, dial-up, Wi-Fi, VPN

When did they access your network? – today, yesterday, last week, last month…

A College Network

[Figure: Somerville College, Oxford University, Network Diagram, April 2003]

Software Tools

WS_Ping_ProPack

XploiterStat Lite

Windows Event Viewer

Sophos Anti-Virus for NT

Sophos Anti-Virus ADMIN Tool

Software Firewalls

eTrust Intrusion Detection (Sessionwall)

3Com Network Supervisor

GFI LANguard Network Security Scanner

Network Probe

A Linux Solution

Ws_Ping_ProPack

This tool gives you a basic Windows interface to a few very handy utilities: Ping, Scan, TraceRoute, Whois, Lookup, etc.

Doing regular scans of common ports on your network will help to discover unauthorised services or servers

Very quick and simple, and cheap: £30.00 for a licence
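
An added example (not from the original slides) of how the results of regular scans can be checked against an approved-services baseline to flag unauthorised services or servers. The scan-output line format, the addresses and the baseline are constructed for illustration; in practice the lines would come from whatever scanner you run against your own subnet.

```python
from collections import defaultdict

# Constructed baseline: services each known host is approved to expose.
APPROVED = {
    "192.0.2.10": {25, 80, 443},  # hypothetical mail/web server
    "192.0.2.11": {53},           # hypothetical DNS server
    "192.0.2.50": set(),          # workstation: nothing should listen
}

# Constructed scan output, one "host port/proto state" record per line.
SCAN_OUTPUT = """\
192.0.2.10 25/tcp open
192.0.2.10 80/tcp open
192.0.2.10 443/tcp closed
192.0.2.11 53/tcp open
192.0.2.50 21/tcp open
192.0.2.50 80/tcp open
192.0.2.77 6667/tcp open
"""

def parse_scan(text):
    """Return {host: set of open TCP ports}; malformed lines are skipped."""
    found = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.startswith("#"):
            continue
        host, portproto, state = parts
        port, _, proto = portproto.partition("/")
        if proto == "tcp" and port.isdigit() and state == "open":
            found[host].add(int(port))
    return dict(found)

def audit(found, approved):
    """Return findings as (kind, host, port), sorted by host then port."""
    findings = []
    for host, ports in found.items():
        if host not in approved:
            # A listener on an address nobody registered: an unofficial server.
            findings.append(("unknown-host", host, None))
        extra = ports - approved.get(host, set())
        findings.extend(("unapproved-service", host, p) for p in extra)
    for host, ports in approved.items():
        # Approved services that did not answer are worth a look too.
        missing = ports - found.get(host, set())
        findings.extend(("service-missing", host, p) for p in missing)
    return sorted(findings, key=lambda f: (f[1], f[2] or 0, f[0]))

if __name__ == "__main__":
    print(*audit(parse_scan(SCAN_OUTPUT), APPROVED), sep="\n")
```

Keeping the baseline under change control means each scan only needs review when the findings list is non-empty.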

A Port Scan

XploiterStat Lite

Port monitoring software, TCP and UDP

Free, upgrade available at approx. £30.00

Produce text logs of active connections to your machine or servers

Handy for putting a trace on a machine you're concerned about

Windows Event Viewer

Comes with MS Servers, Windows 2000 and XP, it’s FREE!

Use it to look at your logs

Make sure you have some logs

Export your logs to examine them in Excel, it’s quicker

Sophos Anti-virus for NT

It’s FREE! Site licensed to Oxford University

Protect your workstations from viruses

Use a protected install so users can’t remove it

Make it mandatory for all computers connected to your network

Keep it updated…

Sophos Anti-Virus ADMIN Tool

It’s FREE!

Allows you to install SAV onto your NT workstations remotely

You need to have their admin shares (C$) available for the initial install

Allows you to update and change the configuration of SAV

Monitors the status and current rollout of the IDE files

Allows you to force an update to the user workstation

Quick and simple

Software Firewalls

Some free, some not

Elron Command View Firewall for NT

SmoothWall – Free and Commercial versions

FreeBSD Firewalls…

eTrust Intrusion Detection

Providing real-time, non-intrusive detection, policy-based alerts, and automatic prevention

Integrated anti-virus engine with automatic signature updates

Dynamic URL blocking and logging

Predefined policies for a wide range of attacks

Comprehensive built-in reports

3Com Network Supervisor

Network management utility for managing 3Com hubs and switches

It’s free, unless you want the advanced functions

Auto-detects network structure, well, almost

GFI LANguard Network Scanner

Free version available

Purchase for extra functions including patching capability

Will scan a subnet at timed intervals

Produces HTML reports: demo report

Network Probe

Free software probe

Needs to be placed where it can sniff the network traffic

Works on Windows using a web interface

Hardware Tools

Fibre & Copper Taps

Network Analysers

IDS Appliances

Firewall Appliances

Software Sites

WS_Ping_ProPack - http://www.ipswitch.com/Products/WS_Ping/index.html

XploiterStat Lite - http://www.xploiter.com/tambu/totostat.shtml

Sophos Anti-Virus – http://www.sophos.com/

MAILsweeper - http://www.mimesweeper.com/

Elron Firewall - http://www.elronsoftware.com/enterprise/cvfirewall.htm

eTrust - http://www.cai.com/solutions/enterprise/etrust/intrusion_detection/

Transcend - http://www.3com.com/prod/en_UK_EMEA/prodlist.jsp?tab=cat&cat=65

Network Probe - http://www.objectplanet.com/Probe/

Documents to Read

Oxford University's Computer Usage Rules and Etiquette

http://www.ox.ac.uk/it/rules/

Somerville Rules for Computer Use

http://www.some.ox.ac.uk/it/cp_rules.html

Contact Information

Christopher Bamber

IT Systems Manager

Somerville College, OX2 6HD

E-mail: [email protected]

Tel: 01865 2 70661