16.1 What to Monitor

The first quandary when building a monitoring policy is to determine what needs to be monitored. There is often a rush to monitor as much of the infrastructure as possible, but that is rarely a good idea. Instead, it is better to focus on network devices that will impact more than one user if they fail. That leaves a large part of the network open to monitoring, but it does not bog administrators down with unnecessary monitoring messages.

The goal of a monitoring infrastructure should be to monitor all devices that provide service to multiple users on the network. In addition to the devices that are monitored, it is important to determine what services need to be monitored on each device, and how to overcome problems when they occur.

The escalation process involves determining which group is responsible for which devices. While monitoring should be centralized, in most organizations different groups will handle different network devices. If an organization has separate systems, network, and security groups, then ownership of devices will need to be assigned, and the escalation process will have to be worked out within each of those groups. Most intelligent monitoring software allows for multiple escalations, and most with remote access capabilities, such as OpenView, allow different views to be created, depending on the needs of an organization.

For example, if routers and switches are the responsibility of the network group, then that group can create a view of just those devices. The networking group will be able to monitor those devices throughout the day, and escalation procedures specific to the networking group will be assigned to those devices.

Outside of the escalation process, different devices have different monitoring needs. While all network devices need to be checked to determine whether or not they are available, some devices require more detailed monitoring.

16.1.1 Servers

Servers often require the most extensive monitoring, because there are so many possibilities for failure. In addition to general availability and bandwidth usage, server monitoring also requires examination of the hard drive for partitions that are nearly full, and for bad sectors.

CPU and RAM utilization needs to be closely watched on a server to ensure that neither reaches critical levels. High CPU and RAM usage is often a sign that a server has been compromised and is being used to launch attacks against other networks. At the very least, it indicates that an application is using significant resources and should be investigated.

Servers should be monitored for unauthorized ports as well. If a port that should not be available on a server suddenly opens up, that could be a sign of an attack. At the very least it may indicate that an application recently installed on the server is opening unnecessary ports and poses a potential security risk.

Individual applications should be monitored as well. This is different from monitoring the overall health of the server. Rather than focusing on the server, monitoring the health of an application means testing to ensure it responds with the proper information. As an example, many monitoring applications will alert server administrators when the content of a website changes. If someone has bypassed security measures and gained unauthorized access to the web server, the monitoring application will catch it quickly and notify the appropriate party. Databases should be queried as part of the monitoring system to ensure that the database returns valid information. The more thorough the network monitoring is, the sooner problems will be caught. Servers are the most common target; they need the greatest levels of monitoring.
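As an added example (not from the book), two of the server checks described above written in Python: flagging listening TCP ports that are not on an approved list, and detecting a change in served web content against a stored hash. The `ss -ltn` sample, the approved-port list and the baseline page are constructed assumptions, not values from the text.

```python
"""Added example (not from the book): unauthorized-port and web-content
checks on constructed data, so it runs offline.  Assumes listening
sockets come from `ss -ltn` text captured by a collector, and that the
content baseline is a SHA-256 of the page body taken when it was approved.
"""
import hashlib

# Constructed sample: `ss -ltn` output from a web server.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:4444         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
"""

# Ports this server is approved to expose (hypothetical baseline).
ALLOWED_PORTS = {22, 80, 443}


def parse_listening_ports(ss_output: str, include_loopback: bool = False) -> set[int]:
    """Return TCP ports in LISTEN state; loopback-only binds are skipped by default."""
    ports = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # local address is field 3
        if addr in ("127.0.0.1", "[::1]") and not include_loopback:
            continue
        ports.add(int(port))
    return ports


def unexpected_ports(ss_output: str, allowed: set[int]) -> set[int]:
    """Listening ports that are not on the approved list; non-empty means alert."""
    return parse_listening_ports(ss_output) - allowed


def page_fingerprint(body: bytes) -> str:
    """Fingerprint of the served page body, stored when the content is approved."""
    return hashlib.sha256(body).hexdigest()


def content_changed(baseline_fp: str, body: bytes) -> bool:
    """True when the page currently served no longer matches the baseline."""
    return page_fingerprint(body) != baseline_fp
```

A poller would call `unexpected_ports` on each collection and `content_changed` on each fetch of the site, raising a ticket on the first non-empty set or `True`.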

16.1.2 Routers and Switches

Routers and switches need to be monitored for availability, RAM and CPU usage, and bandwidth usage. Routers and switches are especially sensitive to bandwidth spikes after a network device has been compromised. If unusual traffic patterns occur suddenly on a switch or a router, it can be a sign that a security breach has occurred. It also may indicate that unauthorized applications, such as file-swapping software, have been installed. Keeping a close eye on shifts in bandwidth usage for routers and switches can help administrators track down problems much more efficiently.

Routers and switches should also be monitored for unauthorized port access. If an attacker connects to a port that is supposed to be unused on a switch, it should show up in monitoring. Equally important is if a disabled interface is activated on a router. Again, administrators should know when new interfaces are brought up and quickly investigate unknown access to these devices.
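As an added example (not from the book), the two router and switch checks described above in Python: a sudden jump in an interface's traffic rate against its previous rate, and a link coming up on a port that is documented as unused. The poll data, interface names, 300-second interval and 5x spike factor are constructed assumptions; the counter format follows what SNMP ifInOctets and ifOperStatus would provide.

```python
"""Added example (not from the book): bandwidth-shift and unexpected
link-up detection on constructed poll data, so it runs offline.  Assumes
a poller records (operational state, inbound octet counter) per interface
every 300 seconds, and that the counter is 32-bit and may wrap.
"""
COUNTER_MAX = 2**32          # ifInOctets is a 32-bit counter
INTERVAL = 300               # seconds between polls
SPIKE_FACTOR = 5.0           # alert when rate exceeds 5x the previous rate

# Constructed sample: three successive polls of a core switch.
# Gi0/3 is documented as unused; Gi0/4 carries steady traffic and wraps.
POLLS = [
    {"Gi0/1": ("up", 1_000_000), "Gi0/3": ("down", 0), "Gi0/4": ("up", 4_294_600_000)},
    {"Gi0/1": ("up", 1_300_000), "Gi0/3": ("down", 0), "Gi0/4": ("up", 4_294_900_000)},
    {"Gi0/1": ("up", 9_300_000), "Gi0/3": ("up", 50_000), "Gi0/4": ("up", 232_704)},
]
UNUSED_PORTS = {"Gi0/3"}


def octet_rate(prev: int, curr: int, interval: int = INTERVAL) -> float:
    """Bytes per second between two samples, correcting a counter wrap."""
    delta = curr - prev
    if delta < 0:
        delta += COUNTER_MAX
    return delta / interval


def check_polls(polls, unused_ports):
    """Return alert strings for rate spikes and down-to-up transitions."""
    alerts = []
    baseline = {}   # interface -> rate seen in the previous interval
    for prev, curr in zip(polls, polls[1:]):
        for ifname, (state, octets) in curr.items():
            prev_state, prev_octets = prev[ifname]
            if prev_state == "down" and state == "up":
                who = "unused port" if ifname in unused_ports else "interface"
                alerts.append(f"{ifname}: {who} came up")
            rate = octet_rate(prev_octets, octets)
            base = baseline.get(ifname)
            # A zero baseline (idle port) is skipped so idle-to-active is
            # reported by the link-up check rather than as a ratio.
            if base and rate > SPIKE_FACTOR * base:
                alerts.append(f"{ifname}: rate {rate:.0f} B/s is {rate / base:.1f}x baseline")
            baseline[ifname] = rate
    return alerts
```

A production poller would compare against a longer moving average rather than the single previous interval used here.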

NOTE

Each network device has unique monitoring needs. It is important to check with the vendor to find out what those needs are and what monitoring facilities exist within the device. It is also important to check with the vendor to ensure the device's monitoring facilities are compatible with the monitoring applications in place on the network.


16.1.3 Security Monitoring

In addition to monitoring for the availability of network devices and applications, it is necessary to perform regular security monitoring. Security monitoring can include performing port scans on network devices looking for unauthorized applications or open ports that should not be open. It also includes testing for password security, launching common attacks against network devices, and load testing of servers and routers.

While all these tests should be performed in a lab, it is also necessary to perform regular security monitoring on the live network to ensure that all systems are operating at peak efficiency, and with the proper security measures in place. Some of these tests can be performed with an IDS, while other tests require special software.

The goal of these tests is to look for vulnerabilities that an attacker would look for and correct them before an attacker can find them. When these tests are performed, it is important to act fast and fix any holes that are found. As with any other type of monitoring, the more proactive administrators can be when it comes to finding and fixing security holes, the harder it will be for an attacker to find a way into the network.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
