16.3 Centralizing the Monitoring Process

   

To maximize the effectiveness of a monitoring infrastructure, everything should be centralized within a few servers. This means using software that is modular enough to allow for different types of monitoring. Some of the most common programs used for this type of centralized monitoring include HP OpenView, Netcool, Big Brother, WhatsUp Gold, and Nagios.

Most of these programs allow administrators to plug in only the monitoring tools needed, and to develop their own modules to accommodate special needs. Limiting the monitoring tool to only the functionality required increases security and prevents administrators from being deluged with too much information.

Monitoring should never be done directly from the monitoring server. Instead, the people responsible for the monitoring should use remote agents to communicate with the monitoring server. There are a couple of ways this can be done. The monitoring server can send alerts to the syslog server, which then generates an e-mail alert to a ticketing system. Rather than overburden the syslog server, monitoring information can often be accessed through a console or a web browser.

If console or browser access to the monitoring server will be used, ensure all information is transmitted securely between the monitoring station and the server.

The monitoring servers themselves should be secured. It has already been mentioned that the monitoring server should use an internal firewall, such as Netfilter, as well as standard external security precautions. In addition to these steps, the monitoring server should be located on the management network, so it is removed from general public access. The workstations accessing the server will need to be part of that network as well.
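One way to check this on a monitoring server, as an added example that is not from the book: the script below audits `iptables-save` output and reports every INPUT rule that accepts new connections from outside the management network. The subnet 10.10.0.0/24, the ports, and the sample ruleset are constructed assumptions, and only IPv4 rules are handled.

```python
import ipaddress
import shlex

# Constructed sample: `iptables-save` output from a hypothetical monitoring server.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.10.0.15/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def _opt(tokens, flag, default=None):
    """Return the value that follows `flag` in a tokenized rule, if present."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default

def audit_input_chain(ruleset, mgmt_net):
    """List INPUT rules that expose the server beyond the management network."""
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"default INPUT policy is {policy}, not DROP")
            continue
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"] or _opt(tokens, "-j") != "ACCEPT":
            continue
        if _opt(tokens, "-i") == "lo":
            continue  # loopback traffic never leaves the host
        state = _opt(tokens, "--state") or _opt(tokens, "--ctstate")
        if state and "NEW" not in state.split(","):
            continue  # only matches traffic of already-permitted connections
        if "!" in tokens:
            findings.append(f"negated match, review by hand: {line}")
            continue
        source = ipaddress.ip_network(_opt(tokens, "-s", "0.0.0.0/0"))
        if not source.subnet_of(mgmt):
            findings.append(f"accepts traffic from {source}: {line}")
    return findings

if __name__ == "__main__":
    for finding in audit_input_chain(SAMPLE_RULES, "10.10.0.0/24"):
        print(finding)
```

On the sample ruleset the only finding is the port 80 rule, which has no source restriction and is therefore reachable from any network that can route to the server.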

Security of the monitoring server is critical, as it contains information about the entire network. An attacker who gains access to one of the monitoring servers will have a much easier time determining where attack efforts should be directed.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
