Network Security

Practices You Can’t

Do Without

Presenter:

Steve Kuzma, IT Solutions

Who we are:

Why do we have network alerts?

• Knowledge

• Understanding

• Proactive response

• Reactive response

• Overall Preparedness

What should we be monitoring?

• Hardware

• Power

• Internet

• Internal Network

• Environmental Monitoring

• Event logs

• Applications

How to monitor alerts:

• Endpoint management software

• Scripts

• Solarwinds

• Spiceworks

• Windows

Hardware

• Event logs

• Manufacture’s System Tools

• Endpoint

• Hard Drives

• Memory

• CPU

Power

• UPS Management Software

• Run time

• Load

• Load battery self tests

• Battery status

* Some devices have the ability to do environmental monitoring

Internet

• Ping Checks

• Logic Monitor

• SolarWinds

• Up/Down

• Bandwidth

Internal Network

• Logic Monitor

• Ping Checks

• SolarWinds

• Built in administration• Firewalls

• Wireless

• Physical Access

Environmental Monitoring

• Room Alert

• IT WatchDog• Temperature

• Humidity

• Moisture

• UPS Add-ons

Event Logs

• Endpoint Management

• Windows

• Failures

• Processes

• Login Attempts

Applications

• Endpoint Management

• Windows

• Performance Monitor

• Services

• Utilization

Do I need all of these alerts?

• Proactive vs. Reactive

• You’re the authority

• Preparing for the future

Predictive Monitoring: Looking for Bottlenecks

Two Methods:

1. Know the limits of your equipment

• Routing/switching speeds on networking gear

• Throughput of inter-equipment links

• IOPS, transfer rates on storage

2. Find your baseline

• You can’t do trend analysis without a baseline

Trend Analysis

• Requires historical monitoring, you need a

monitoring engine

• Establish a baseline – a week of growth isn’t

necessarily a trend

• We’ll look at some common metrics, but if you’re

not sure, overdo it and monitor it all

• Overhead should be relatively insignificant

• Try to correlate the trend to a reason so you can

better understand and predict

Start simple with physical servers• CPU > 80%, RAM >80%, HD <15%

• Monitoring this is still not predictive!

Look at the trends:

• January RAM was 60%, February was 65%, March was

70%...when do you upgrade?

Is a RAM upgrade the right choice? New server?

• Depends on your BASELINE – is CPU trending as well?

• Also depends on business metrics – did this correspond

with increased web traffic due to a marketing push?

• Can you get the business forecast and prepare?

Monitoring Applications

Helps determine what is driving overall utilization,

but also critical for user/business impact

• Databases are disk dependent (read rate, write

rate, latency)

• Websites are network dependent (number of

connections, network throughput)

Too many to go through here, but know your

applications or build up a baseline

Monitoring networking equipment

• Most manufacturers publish metrics such as

maximum throughput with and without services

Network Metrics (router/switch/firewall)

CPU – most reliable “how hard is it working” metric

• In many cases, this is the bottleneck that drives the

published numbers

Interfaces of critical equipment – how much data is

the link pushing? Is it time to add more connections?

• Inter-switch links – a 1Gbps link isn’t that difficult to

saturate

Watch the trend and strategize!

SAN Metrics

• Controller CPU – overall performance

• Read and Write Latency – biggest determinant

in perceived speed

• IOPS – particularly in virtualization workloads,

how busy is the SAN?

• Throughput on network connections/FC ports –

is the interface an issue?

• Throughput to disk shelves – is it safe to add

more shelves?

Virtualization Metrics

• Host metrics: CPU%, Memory%, Network%

• Advanced host metrics:

• CPU Ready % - % of time VMs are ready to use CPU

but resource is unavailable

• Under 5% is generally considered acceptable

• vCPU Ratio – how many virtual CPUs per physical

core?

• Different opinions – consensus is 2:1 or 3:1 but it is workload

dependent. Try to keep biggest CPU users away from each

other.

More virtualization metrics…

• Memory swapping – host or VM

• Avoid it at all costs. Not only is it slow, but it overtaxes

storage resources as well.

• Storage throughput and latency from hosts

• Particularly NFS – even if you have multiple links,

there is no “overflow” so one data stream can still only

utilize one single link (i.e. 1Gpbs/10Gbps)

Business-type metrics

• Look at these types of things to see what is driving

your increased/decreased utilization:

• Number of connections (website, database, etc.)

• Inbound traffic from outside sources (router interface,

VPN, etc.)

• Accounts created, accounts deleted or inactive

• Might need to create custom counters within the DB

It’s not always about upgrading!

• Metrics that are trending towards problem areas are an

opportunity to grow or an opportunity to become more

efficient.

• Check with application owners and developers to see if

they have any input on your metrics.

• Yes, growing from 2 to 10 application users is a 5x

increase, but should you need another server at 10

users? Or is there efficiency to be gained by disabling

services or rewriting inefficient code?

Firewall Management and Best Practices

• Proactive monitoring / management

• Backing up running configuration

• Automating

• Ping checks

• Predictive monitoring

• Monitoring uplinks for traffic

• Port Lockdown and documentation

• Management Lockdown

Q&A

Next Webinar:

PC Security: How to Avoid Malware, Spyware and

Viruses

Wednesday, March 16, 2016

2:00 – 3:00PM (EST)