Monitoring Your Network
Chris Bamber, IT Systems Manager
Somerville College
Confidentiality: The contents of this presentation and workshop discussion are to be held in strictest confidence.
26th June 2003, Christopher Bamber
What We Can Use the Tools for
Identifying unofficial services or servers
Monitoring usage and traffic statistics
Protecting your network from the world
Troubleshooting your network
Investigating a security incident
Keeping logs of users' activities for accountability
Who? What? Where? How? When?
Who is accessing your network? – students, academics, staff, visitors or others
What are they accessing your network for? – academic study, social use, business use, illegal use
Where are they accessing your network from? – internal, external
How are they accessing your network? – remote user, local Ethernet, WAN, dial-up, Wi-Fi, VPN
When did they access your network? – today, yesterday, last week, last month…
A College Network
[Figure: Somerville College, Oxford University, Network Diagram, April 2003]
Software Tools
WS_Ping_ProPack
XploiterStat Lite
Windows Event Viewer
Sophos Anti-Virus for NT
Sophos Anti-Virus ADMIN Tool
Software Firewalls
eTrust Intrusion Detection (Sessionwall)
3Com Network Supervisor
GFI LANguard Network Security Scanner
Network Probe
A Linux Solution
Ws_Ping_ProPack
This tool gives you a basic Windows interface to a few very handy utilities: Ping, Scan, TraceRoute, Whois, Lookup etc.
Doing regular scans of common ports on your network will help to discover unauthorised services or servers
Very quick and simple, and cheap: £30.00 for a licence
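Added example (not part of the original slides): one way to act on regular scans is to compare each scan's open ports with a register of approved services and with the previous scan. The record format, the register and all addresses below are constructed for illustration.

```python
import ipaddress

# Approved services register (constructed): (host, proto, port) -> purpose.
APPROVED = {
    ("192.0.2.10", "tcp", 25): "mail relay",
    ("192.0.2.10", "tcp", 80): "college web server",
    ("192.0.2.20", "tcp", 53): "DNS",
}

# Constructed results of two weekly scans, one "host proto/port state" per line.
SCAN_WEEK1 = """
192.0.2.10 tcp/25 open
192.0.2.10 tcp/80 open
192.0.2.20 tcp/53 open
192.0.2.57 tcp/21 closed
"""
SCAN_WEEK2 = """
192.0.2.10 tcp/25 open
192.0.2.10 tcp/80 open
192.0.2.57 tcp/21 open
192.0.2.57 tcp/6667 open
not a scan line
"""

def parse_scan(text):
    """Return the set of (host, proto, port) reported open; skip malformed lines."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open" or "/" not in parts[1]:
            continue
        proto, _, port = parts[1].partition("/")
        try:
            host = str(ipaddress.ip_address(parts[0]))
            port = int(port)
        except ValueError:
            continue
        if proto in ("tcp", "udp") and 0 < port < 65536:
            found.add((host, proto, port))
    return found

def audit(scan_text, approved, previous_text=""):
    """Compare one scan with the register and with the previous scan."""
    now, before = parse_scan(scan_text), parse_scan(previous_text)
    return {
        "unauthorised": sorted(now - set(approved)),  # open but not in the register
        "missing": sorted(set(approved) - now),       # registered but not answering
        "new_since_last": sorted(now - before),       # appeared since the last scan
    }
```

Calling audit(SCAN_WEEK2, APPROVED, SCAN_WEEK1) flags the two services on 192.0.2.57 as unauthorised and reports the DNS service as missing.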
A Port Scan
XploiterStat Lite
Port monitoring software, TCP and UDP
Free, upgrade available at approx. £30.00
Produces text logs of active connections to your machine or servers
Handy for putting a trace on a machine you're concerned about
Windows Event Viewer
Comes with MS Servers, Windows 2000 and XP, it’s FREE!
Use it to look at your logs
Make sure you have some logs
Export your logs to examine them in Excel, it’s quicker
Sophos Anti-virus for NT
It’s FREE! Site licensed to Oxford University
Protect your workstations from viruses
Use a protected install so users can’t remove it
Make it mandatory for all computers connected to your network
Keep it updated…
Sophos Anti-Virus ADMIN Tool
It’s FREE!
Allows you to install SAV onto your NT workstations remotely
You need to have their admin shares (C$) available for the initial install
Allows you to update and change the configuration of SAV
Monitors the status and current rollout of the IDE files
Allows you to force an update to the user workstation
Quick and simple
Software Firewalls
Some free, some not
Elron Command View Firewall for NT
SmoothWall – Free and Commercial versions
FreeBSD Firewalls…
eTrust Intrusion Detection
Providing real-time, non-intrusive detection, policy-based alerts, and automatic prevention
Integrated anti-virus engine with automatic signature updates
Dynamic URL blocking and logging
Predefined policies for a wide range of attacks
Comprehensive built-in reports
3Com Network Supervisor
Network management utility for managing 3Com hubs and switches
It’s free, unless you want the advanced functions
Auto-detects network structure, well, almost
GFI LANguard Network Scanner
Free version available
Purchase for extra functions including patching capability
Will scan a subnet at timed intervals
Produces HTML reports: demo report
Network Probe
Free software probe
Needs to be placed where it can sniff the network traffic
Works on Windows using a web interface
Hardware Tools
Fibre & Copper Taps
Network Analysers
IDS Appliances
Firewall Appliances
Software Sites
WS_Ping_ProPack - http://www.ipswitch.com/Products/WS_Ping/index.html
XploiterStat Lite - http://www.xploiter.com/tambu/totostat.shtml
Sophos Anti-Virus – http://www.sophos.com/
MAILsweeper - http://www.mimesweeper.com/
Elron Firewall - http://www.elronsoftware.com/enterprise/cvfirewall.htm
eTrust - http://www.cai.com/solutions/enterprise/etrust/intrusion_detection/
Transcend - http://www.3com.com/prod/en_UK_EMEA/prodlist.jsp?tab=cat&cat=65
Network Probe - http://www.objectplanet.com/Probe/
Documents to Read
Oxford University's Computer Usage Rules and Etiquette
http://www.ox.ac.uk/it/rules/
Somerville Rules for Computer Use
http://www.some.ox.ac.uk/it/cp_rules.html
Contact Information
Christopher Bamber
IT Systems Manager
Somerville College, OX2 6HD
E-mail: [email protected]
Tel: 01865 2 70661