Monitoring network protocol security is an important aspect of maintaining overall security. By regularly monitoring network communications, you can more easily identify problems that might be occurring. This is another important aspect of an administrator's job: troubleshooting problems and resolving them as quickly and as efficiently as possible. When it comes to troubleshooting network protocol security, a number of different tools are available for determining the cause of the problem.

Using the IP Security Monitor MMC Snap-In

As previously mentioned, IP Security Monitor can be used to monitor and fine-tune IPSec performance. However, it is also a very useful tool for troubleshooting. The IP Security Monitor snap-in can be used to determine which IPSec policy is being assigned. For example, if IPSec communication is not functioning as it should, you can use IP Security Monitor to verify which IPSec policy is currently in effect on the computer. IP Security Monitor can also be used to view IPSec statistics, which can provide useful information for troubleshooting. For example, if you are experiencing a large number of failures when attempting IP-secured communications, you can use IP Security Monitor to view the related statistics.

Event Viewer

One of the most useful tools for troubleshooting is the Event Viewer. Using this tool, you can view events that are recorded in the event logs. By default, a computer running Windows Server 2003 typically has three logs listed within the Event Viewer: the application, system, and security logs. You might have additional logs listed, depending on the services installed. For example, a log file is created for the DNS service when it is installed. If the computer running Windows Server 2003 is configured as a domain controller, it will also contain the File Replication Service log and the Directory Service log. Each of the different logs is summarized in the following:
You can open the Event Viewer by clicking Start, pointing to Administrative Tools, and selecting Event Viewer from the submenu (see Figure 4.13).

Figure 4.13. Opening the Event Viewer to view system events.
With Event Viewer open, you can view the contents of a log file by selecting it. The entries contained in the log file are displayed in the Details pane (see Figure 4.14).

Figure 4.14. Viewing the contents of a log file.
Detailed information is recorded for every event that is written to one of the log files. By double-clicking a specific event, you can view the event header information (see Figure 4.15). Table 4.2 summarizes the available information.

Figure 4.15. Viewing the event detail information.
Table 4.2. Fields Contained in the Event Detail Pane
As already noted in Table 4.2, different types of events can occur. The type of event depends on which log file you are examining. Event Viewer displays five different types of events, as summarized in Table 4.3.

Table 4.3. Event Types
You can use the Event Viewer to perform the following actions:
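The triage the Event Viewer section describes (checking the three default logs and looking at the event types recorded in them) can also be scripted. The following is an added example, not from the book; it assumes Windows PowerShell with the Get-EventLog cmdlet on the server being examined, and that the caller has the administrative rights required to read the Security log. The function name Get-EventTypeSummary is hypothetical.

```powershell
# Added example (not from the book): count the entries in the Application, System and
# Security logs by event type over a recent window, then list the newest failure audits
# in the Security log, which are the entries to look at first when secured
# communications are being refused. Assumes Windows PowerShell with Get-EventLog.
param(
    [int]$Hours = 24,          # how far back to look
    [int]$NewestFailures = 10  # how many failure audits to list
)

$since = (Get-Date).AddHours(-$Hours)
$defaultLogs = 'Application', 'System', 'Security'   # the three logs present by default

function Get-EventTypeSummary {
    param([string[]]$LogNames, [datetime]$After)
    foreach ($log in $LogNames) {
        try {
            $events = Get-EventLog -LogName $log -After $After -ErrorAction Stop
        } catch {
            # The Security log is unreadable without administrative rights; report and continue
            Write-Warning "Cannot read the $log log: $($_.Exception.Message)"
            continue
        }
        # EntryType carries the five event types shown in Event Viewer
        # (Error, Warning, Information, SuccessAudit, FailureAudit)
        $events | Group-Object EntryType | ForEach-Object {
            New-Object PSObject -Property @{ Log = $log; EntryType = $_.Name; Count = $_.Count }
        }
    }
}

Get-EventTypeSummary -LogNames $defaultLogs -After $since |
    Select-Object Log, EntryType, Count |
    Sort-Object Log, EntryType |
    Format-Table -AutoSize

# Newest failure audits with their source and the first line of the message
Get-EventLog -LogName Security -EntryType FailureAudit -After $since -Newest $NewestFailures |
    Select-Object TimeGenerated, EventID, Source,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A sudden rise in FailureAudit counts relative to the other types is the script's equivalent of the statistics you would otherwise read from the IP Security Monitor and Event Viewer consoles.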
Network Monitor

As an organization increases in size, new services and applications are installed and new network shares are created, and traffic on the network can increase greatly. Take, for example, the Dynamic Host Configuration Protocol (DHCP). Adding DHCP to a network most definitely has an impact on network traffic during the IP lease and renewal process.
Using a tool called Network Monitor, you can monitor and log network activity and then use the information to manage and optimize traffic. This tool is also useful for troubleshooting network communications. For example, you can use Network Monitor to view and troubleshoot IPSec communication. Network Monitor consists of the following components:
Installing Network Monitor

Network Monitor Tools are not installed with Windows Server 2003 by default, but they can be installed using the following process. Installing Network Monitor Tools automatically installs the Network Monitor Driver.
In some instances, you want to install only the Network Monitor Driver. For example, a computer running the Network Monitor Driver can capture the information and forward it to a Systems Management Server (SMS) machine. This is also useful for capturing network traffic on a subnet that is remote from where Network Monitor Tools are being run. To install the Network Monitor Driver component, perform the following steps:
Using Network Monitor

Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When Network Monitor is first opened, four panes are displayed within the console. The Graph pane displays the network activity in a bar chart. The Session Stats pane displays information about individual sessions. The Station Stats pane displays statistics about the sessions the server is participating in. The Total Stats pane displays summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture. To do so, click the Start option from the Capture menu. To view the captured data, click the Start and View option from the Capture menu. Network Monitor displays all the frames captured during the capture period in a Summary window. To view specific information about a frame, click the frame within the Summary window.

By default, when you run Network Monitor, all frames going to and from the computer are captured. If you're looking for specific types of traffic, you can create a capture filter to define which types of frames should be captured. However, keep in mind that this increases the load on the server because it must examine each frame to determine whether it matches the criteria of the filter. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu.