
Unix Security -- Tight security requires network monitoring



UNIX SECURITY --- October 04, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Network monitoring with SNMP can provide valuable information for 
  both performance tuning and security. 
________________________________________________________________________________


Network Service Monitoring
By Rick Johnson

Securing a network means knowing the status of every service and 
device at any given moment, which makes network monitoring vital for 
any system administrator. However, few realize the same information has 
security value as well. Knowing that a service has stopped responding 
or that CPU utilization has spiked can provide clues to a compromise, 
or at least an attempt. Outsourcing this responsibility to a third 
party is possible, but some companies lack the time and resources to 
hand the problem to someone else. Luckily, network service monitors 
can be implemented at minimal cost.

The most widespread and configurable method uses SNMP (Simple Network 
Management Protocol). SNMP allows multiple network devices to be 
managed through a single standard, and because it is a standard, 
almost every network-connected device supports it. The most common are 
routers, firewalls, and switches, but even printers have joined the 
ranks.

SNMP is best viewed, in my opinion, as a client-server architecture. 
The device waits until the daemon initiates contact and asks for 
specific information, identified by entries in the Management 
Information Base (MIB) database controlled by the daemon. A MIB is a 
collection of information organized hierarchically in a tree and made 
up of specific entries called object identifiers (OIDs). OIDs name the 
specific variables a network device knows about and the operations 
allowed on them. If a manufacturer wants to add new commands to a 
device, such as a router, it must add the appropriate variables to the 
MIB database. When certain conditions are met, such as errors, status 
changes, or a reboot, a network device can also send unsolicited data, 
called a "trap", to the SNMP daemon.
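To make that exchange concrete, here is an added example written for this 
newsletter (it is not code from the article or from any SNMP package). It 
assembles the bytes of the SNMPv1 GetRequest a management station sends for 
sysUpTime.0 (OID 1.3.6.1.2.1.1.3.0 from the standard MIB-II tree), decodes a 
GetResponse that the example constructs itself rather than fetching from a 
device, and runs one monitoring step over it: a sysUpTime value lower than the 
previous poll is reported as a restart, and a community string of "public" or 
"private" is reported as a default. The community strings and tick values are 
constructed; no network I/O happens.

```python
"""Tiny SNMPv1 BER codec with a poll check on top. Added example for this
newsletter, not NET-SNMP code: it builds the GetRequest a manager sends,
decodes a constructed GetResponse, and flags a restart (sysUpTime moving
backwards) and a default community string. No network I/O is performed."""

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"        # sysUpTime.0 from the standard MIB-II tree
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(tag, body):
    # BER tag-length-value, short-form length only (enough for single-varbind PDUs)
    return bytes([tag, len(body)]) + body

def enc_int(v):
    """ASN.1 INTEGER: two's complement in the fewest bytes that fit."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def enc_timeticks(v):
    """TimeTicks (tag 0x43) is unsigned; a leading 0x00 keeps the top bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _tlv(0x43, b"\x00" + body if body[0] & 0x80 else body)

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * ids[0] + ids[1]])
    for sub in ids[2:]:
        chunk = [sub & 0x7F]                 # final byte carries no continuation bit
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, varbind_list):
    """Message ::= SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, PDU }."""
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, varbind_list))
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid, request_id=1):
    """GetRequest-PDU (0xA0) for one OID; the value slot is NULL until the agent fills it."""
    return _message(community, 0xA0, request_id, _tlv(0x30, enc_oid(oid) + b"\x05\x00"))

def build_get_response(community, oid, ticks, request_id=1):
    """GetResponse-PDU (0xA2) carrying a TimeTicks value; used to construct test input."""
    return _message(community, 0xA2, request_id, _tlv(0x30, enc_oid(oid) + enc_timeticks(ticks)))

def _read_tlv(buf, pos):
    """Return (tag, body, position just past this element); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids, val = ids + [val], 0
    return ".".join(map(str, ids))

def parse_message(buf):
    """Decode an SNMPv1 message. Note that the community string is plain text on the wire."""
    _, msg, _ = _read_tlv(buf, 0)
    _, _, p = _read_tlv(msg, 0)                  # version
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)                  # error-status, not needed here
    _, _, q = _read_tlv(pdu, q)                  # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, q)
    binds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        if vtag in (0x02, 0x41, 0x42, 0x43):     # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big", signed=(vtag == 0x02))
        elif vtag == 0x04:                       # OCTET STRING
            value = val.decode("latin-1")
        else:                                    # NULL and types not handled here
            value = None
        binds.append((dec_oid(oid), value))
    return {"community": comm.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": binds}

def audit_response(prev_ticks, response_bytes):
    """One poll step: returns (current sysUpTime, alerts). sysUpTime is hundredths of
    a second since the agent started, so a value below the last sample means the agent
    or device restarted. Caveat: the 32-bit counter wraps after about 497 days, which
    also reads as a regression, so confirm with a second poll before acting on it."""
    msg = parse_message(response_bytes)
    alerts = []
    if msg["community"].lower() in DEFAULT_COMMUNITIES:
        alerts.append("default community string in use")
    ticks = dict(msg["varbinds"]).get(SYS_UPTIME)
    if ticks is not None and prev_ticks is not None and ticks < prev_ticks:
        alerts.append("sysUpTime went backwards: agent or device restarted")
    return ticks, alerts
```

Calling build_get_request("public", SYS_UPTIME) gives the 40-byte datagram a 
manager would put in a UDP packet to port 161; run it through parse_message and 
the community string comes straight back out, which is why the article's advice 
on choosing communities matters. A real poller would loop over its devices, 
keep the last sysUpTime per device, and call audit_response on each reply.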

Two sets of passwords, called communities, secure access to SNMP data. 
The public (read-only) community is used to gather information from 
the device, while the private (read-write) community allows 
modifications to the device's configuration. These passwords must be 
configured on the device being managed. I beg you, please set them to 
something other than PUBLIC and PRIVATE.

As for setting up a server, or even for monitoring your Linux box, I 
highly recommend the NET-SNMP package 
(http://itw.itworld.com/GoNow/a14724a43234a75972874a2). It contains 
various SNMP-related tools, including an extensible agent, an SNMP 
library, tools to request or set information from SNMP agents, tools 
to generate and handle SNMP traps, a version of the Unix netstat 
command that uses SNMP, and a Tk/perl MIB browser.
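Here is what the community advice above looks like on a NET-SNMP agent, as an 
added example written for this newsletter rather than taken from the NET-SNMP 
project: an snmpd.conf fragment with the weak default beside a tightened 
version. The community string and the poller address 192.0.2.10 (a 
documentation address) are constructed; the directives are the ones described 
in the snmpd.conf(5) manual page of current NET-SNMP releases, so check the 
page that shipped with your version before relying on a particular form.

```conf
# --- Weak: well-known communities, accepted from any host, whole MIB tree ---
rocommunity public
rwcommunity private

# --- Tightened ---
# Read-only access with a non-default community, only from the monitoring host,
# and only to the system group (sysDescr, sysUpTime, ...) so a leaked string
# exposes little. (Community and address are constructed for this example.)
view systemonly included .1.3.6.1.2.1.1
rocommunity n0c-poller-7x 192.0.2.10 -V systemonly

# No rwcommunity at all: configuration changes should not ride on a password
# that crosses the wire in plain text. If SET access is truly needed, define an
# SNMPv3 user (createUser / rwuser) instead.

# Let the agent tell the manager about the events the article lists: a start
# (coldStart trap) and any request carrying a wrong community string.
trap2sink 192.0.2.10 n0c-poller-7x
authtrapenable 1
```

With authtrapenable set, a burst of authenticationFailure traps from one device 
is itself a monitoring signal: someone is probing it with communities it does 
not accept.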

I have only briefly overviewed SNMP, and I highly encourage you to 
spend plenty of time learning its true value.

________________________________________________________________________________


About the author(s)
-------------------
Rick Johnson is the CTO and Head of Development for IPDex Technologies 
(http://www.ipdex.com). During his off hours, Rick is a consultant, 
writer, and developer for various open source projects. Rick can be 
reached at rick@pointman.org or on the Web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

The NET-SNMP Home Page
http://itw.itworld.com/GoNow/a14724a43234a75972874a2

SNMP - Simple Network Management Protocol
http://itw.itworld.com/GoNow/a14724a43234a75972874a0

Linux SNMP Network Management Tools
http://itw.itworld.com/GoNow/a14724a43234a75972874a3
________________________________________________________________________________

