Troubleshooting Network Protocol Security

Monitoring network protocol security is an important aspect of maintaining overall security. By regularly monitoring network communications, you can more easily identify problems that might be occurring. This is another important aspect of an administrator's job: troubleshooting problems and resolving them as quickly and as efficiently as possible. When it comes to troubleshooting network protocol security, a number of different tools are available for determining the cause of the problem.

Using the IP Security Monitor MMC Snap-In

As previously mentioned, IP Security Monitor can be used to monitor and fine tune IPSec performance. However, it is also a very useful tool for troubleshooting. The IP Security snap-in can be used to determine which IPSec policy is being assigned. For example, if IPSec communication is not functioning as it should, you can use IP Security Monitor to verify which IPSec policy is currently in effect on the computer.

IP Security Monitor can also be used to view IPSec statistics, which can provide useful information for troubleshooting. For example, if you are experiencing a large number of failures when attempting IP-secured communications, you can use IP Security Monitor to view related statistics.

Event Viewer

One of the most useful tools for troubleshooting is the Event Viewer. Using this tool, you can view events that are recorded in the event logs. By default, a computer running Windows Server 2003 has three logs listed within the Event Viewer: the application, system, and security logs. You might have additional logs listed, depending on the services installed. For example, a log file is created for the DNS service when it is installed. If the computer running Windows Server 2003 is configured as a domain controller, it will also contain the File Replication Service log and the Directory Service log. The logs are summarized in the following list:

  • Application This log contains events pertaining to applications and programs running on the computer.

  • Security This log contains events pertaining to security as defined in the Audit policy. For example, this includes successful logons, resource access, and use of user rights. By default, security logging is now enabled in Windows Server 2003.

  • System This log contains events generated by Windows system components.

  • Directory Service This log contains events generated by Active Directory. This log is available only if the computer is configured as a domain controller.

  • File Replication Service This log contains events generated by the Windows File Replication Service. For example, any errors generated while the sysvol on domain controllers is being updated are written to this log. Again, this log file is present only if the computer is configured as a domain controller.

  • DNS Server This log contains events generated by the DNS service. This log is present only if the computer is configured as a DNS server.

You can open the Event Viewer by clicking Start, pointing to Administrative Tools, and selecting Event Viewer from the submenu (see Figure 4.13).

Figure 4.13. Opening the Event Viewer to view system events.


With Event Viewer open, you can view the contents of a log file by selecting it. The entries contained within the log file are displayed in the Details pane (see Figure 4.14).

Figure 4.14. Viewing the contents of a log file.


There is detailed information about every event that is written to one of the log files. By double-clicking a specific event, you can view the event header information (see Figure 4.15). Table 4.2 summarizes the available information.

Figure 4.15. Viewing the event detail information.


Table 4.2. Fields Contained in the Event Detail Pane

  Information     Description
  -----------     -----------
  Date            The date when the event occurred.
  Time            The specific time of day when the event occurred.
  User            The name of the user under which the event occurred.
  Computer        The name of the computer on which the event occurred. Normally, this is the local computer unless you are viewing the contents of a log file on a remote computer.
  Source          The software that logged the event. This can be a program or a system component.
  Event           A number identifying the event that has occurred. This number can help support personnel troubleshoot the event.
  Type            The type of event. The system and application logs define an event as a warning, error, or information.
  Classification  The classification of the event by the event source.

As already noted in Table 4.2, different types of events can occur. The type of event depends on which log file you are examining. Event Viewer displays five different types of events, as summarized in Table 4.3.

Table 4.3. Event Types

  Event Type     Description
  ----------     -----------
  Information    An event successfully occurred, such as the loading of a device driver.
  Warning        An event has occurred that might lead to future problems. For example, a hard drive might be running low on disk space.
  Alert          A significant problem has occurred, such as the failure of a service to start.
  Success audit  A successful action has been performed that is defined in the audit policy.
  Failure audit  An unsuccessful action has been performed that is defined in the audit policy.

You can use the Event Viewer to perform the following actions:

  • Troubleshoot IKE (Internet Key Exchange) Negotiations If you've enabled success and failure auditing for Audit Logon Events, IKE negotiation successes and failures are logged in the Security log. During IKE negotiation, the two computers generate a shared secret key that is used to secure communications between them.

  • Troubleshoot IPSec Policies If Audit Policy Changes has been enabled, you can monitor any changes that are made to the IPSec policies. Changes made to the IPSec policy result in an event being written to the Security log.

  • Monitor Dropped Packets If packet event logging is enabled through the Registry, you can monitor dropped inbound and outbound packets using the System log.
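As an added example (not part of the book), the following PowerShell script pulls the three kinds of events described in the list above out of the Security and System logs so they can be reviewed without clicking through Event Viewer. It uses the standard Get-EventLog cmdlet; the message patterns it matches on are assumptions about the event text, not identifiers taken from the book, so adjust them to the messages you actually see.

```powershell
# Added example: summarize IPSec-related events from the Security and System logs.
# Assumes PowerShell with the Get-EventLog cmdlet on the server being examined.
# The message patterns below are assumptions about the event text, not values from the book.
param(
    [int]$Hours = 24   # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Read each log once, then filter in memory.
$security = @(Get-EventLog -LogName Security -After $since)
$system   = @(Get-EventLog -LogName System   -After $since)

# 1. IKE negotiation outcomes: audited in the Security log when
#    Audit Logon Events is enabled for success and failure.
$ike       = @($security | Where-Object { $_.Message -like '*IKE*' })
$ikeOk     = @($ike | Where-Object { $_.EntryType -eq 'SuccessAudit' })
$ikeFailed = @($ike | Where-Object { $_.EntryType -eq 'FailureAudit' })

# 2. IPSec policy changes: written to the Security log when Audit Policy Change is enabled.
$policyChanges = @($security | Where-Object { $_.Message -like '*IPSec*polic*' })

# 3. Dropped packets: written to the System log when packet event logging is enabled.
$dropped = @($system | Where-Object {
    $_.Message -like '*IPSec*' -and $_.Message -like '*drop*'
})

"Window                     : last $Hours hour(s)"
"IKE negotiations succeeded : $($ikeOk.Count)"
"IKE negotiations failed    : $($ikeFailed.Count)"
"IPSec policy changes       : $($policyChanges.Count)"
"Dropped packet events      : $($dropped.Count)"

# A burst of IKE failures usually points at a policy or authentication mismatch
# between the two peers, so show the most recent failures in full.
$ikeFailed |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 10 TimeGenerated, EventID, Message |
    Format-List
```

Run it as an administrator on the computer whose IPSec behaviour you are troubleshooting; if the counts are all zero, confirm first that the relevant audit categories and packet logging are actually enabled, since the events are not written otherwise.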

Network Monitor

As an organization grows, new services and applications are installed and new network shares are created, and traffic on the network can increase greatly. Take, for example, the Dynamic Host Configuration Protocol (DHCP). Adding DHCP to a network most definitely has an impact on network traffic during the IP lease and renewal process.

Tip: Remember that one of the ways in which you can optimize network traffic is to configure the bindings as well as disable unnecessary protocols and services.


Using a tool called Network Monitor, you can monitor and log network activity and then use the information to manage and optimize traffic. Another use for this tool is for troubleshooting network communications. For example, you can use Network Monitor to view and troubleshoot IPSec communication.

Network Monitor consists of the following components:

  • Network Monitor Driver The Network Monitor Driver is responsible for capturing the frames coming to and from a network adapter.

  • Network Monitor Tools These tools are used to view and analyze the data captured by the Network Monitor Driver.

Installing Network Monitor

Network Monitor Tools are not installed with Windows Server 2003 by default, but they can be installed using the following process. Installing Network Monitor Tools automatically installs the Network Monitor Driver.

  1. Select Start, Control Panel, Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Within the Windows Component Wizard, select Management and Monitoring Tools, and click the Details button.

  4. Select the Network Monitor Tools check box (see Figure 4.16). Click OK.

    Figure 4.16. Installing Network Monitor.


  5. Click Next. Click Finish.

In some instances, you want to install only the Network Monitor Driver. For example, a computer running the Network Monitor Driver can capture the information and forward it to a Systems Management Server (SMS) machine. The driver alone is also useful for capturing network traffic on a subnet that is remote from where Network Monitor Tools are being run. To install the Network Monitor Driver component, perform the following steps:

  1. Within the Network Connections applet, right-click the local area connection and choose Properties.

  2. From the Properties window for the local area connection, click Install.

  3. Click Protocol and click Add.

  4. Within the Network Protocol window, click the Network Monitor Driver.

  5. Click OK.

Using Network Monitor

Network Monitor can display a large amount of information about the frames captured to and from a network adapter card. When Network Monitor is first opened, four panes are displayed within the console. The Graph pane displays the network activity in a bar chart. The Sessions Stats pane displays information about individual sessions. The Station Stats pane displays statistics about the sessions the server is participating in. The Total Stats pane displays summary statistics since the capture was started.

To view statistics about network traffic, you must first start a capture. To do so, click the Start option from the Capture menu. To view the captured data, click the Start and View option from the Capture menu. Network Monitor displays all the frames captured during the capture period in a Summary window. To view specific information about a frame, click the frame within the Summary window.

Once installed, when you run Network Monitor, all frames going to and from the computer are captured. If you're looking for specific types of traffic, you can create a capture filter to define what types of frames should be captured. However, keep in mind that this increases the load on the server because it must examine each frame to determine whether it matches the criteria of the filter. To configure capture filters within Network Monitor, choose the Filter option from the Capture menu.



Windows Server 2003 Network Infrastructure Exam Cram 2 (Exam 70-291)
MCSA/MCSE 70-291 Exam Cram: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736187
Year: 2002
Pages: 118
Authors: Diana Huggins
