CompTIA Network+ Certification Study Guide part 51 ppt


CHAPTER 10: Network Management

Configuration Management

FIGURE 10.3 A Confusing Network Diagram. Image courtesy of olimould.com

FIGURE 10.4 A Simple Physical Network Diagram. Image courtesy of Mark R. Lindsey, mark@lindsey.name

assistance of network diagram software like Microsoft Visio, SmartDraw, and/or AutoCAD. Many physical network diagrams, as represented in Figure 10.5, show the site name, location, type of physical media connecting each site, and the speed at which each site link is running. Physically laying out your network devices will help you conserve time and money when you finally do decide to create or troubleshoot network issues.

FIGURE 10.5 A Complex Physical Network Diagram. Image courtesy of Cisco.com

Logical Network Diagrams

Logical network diagrams depict how your network looks from a computer’s point of view rather than as the physical layout we might see in our server rooms. Protocols, configurations, IP addressing, subnets, access control lists, security devices (firewalls, virtual private networks [VPNs], and so on), and applications are all logically associated with a computer network and are drawn into logical network diagrams. Notice that Figure 10.6 does not show any of the physical characteristics of Figure 10.5. Instead, Figure 10.6 shows logical details such as IP addresses, subnets, firewalls, and logical network paths in and out of different subnets.

Baselines

Identifying how networks operate under “normal” conditions might help you recognize performance, collision, and utilization issues when comparing your “normal” conditions to previous periods of operation. Over a period of time you should document the pattern of “normal” behavior in your environment, which is called a baseline. Baselines should be tracked at particular times of day.
Baselining activities may include recording when servers reach maximum allocation, when a router and switch have the highest activity during the day, and when users are most likely to surf the Internet. Creating a baseline early and continuing to analyze it will help you understand your network better, which assists in identifying problems earlier in the troubleshooting process.

FIGURE 10.6 A Logical Network Diagram. Image courtesy of Dustin L. Fritz

Choosing a baseline method can depend on the size of your network and how many users you have. There are free tools on the Internet that can assist with collecting network statistics, which can then be used to output statistical reports for later analysis. Many baseline tools collect and monitor activity on the network, as well as on various hardware components such as CPU, memory, hard drive, and network interface cards (NICs). Other hardware baseline applications are placed in between Wide Area Network (WAN) links to simply measure throughput, check for packet errors, and identify bottlenecks. Figure 10.7 is an example of a network baseline tool.

FIGURE 10.7 A Network Baseline Tool. Image courtesy of PacketTrap Perspective

Policies, Procedures and Configurations

Network management would be impossible without policies, procedures, and configurations. A calculated plan of action to guide decisions and achieve sound outcomes is the goal of creating and adhering to policies, procedures, and configurations. Security vulnerabilities and network management challenges are the outcomes of badly written or nonexistent policies.

To prevent this, consider how network technicians create user accounts. If each network technician created user accounts differently, you would have a lot of problems troubleshooting user account issues because none of the accounts would be configured to a standard guideline.
Policies provide guidelines on who can create user accounts, for instance. Procedures are much more than guidelines. Procedures lay out each step needed to accomplish a task. For example, when creating a user account, the user ID may be the person’s last name and first initial, not to exceed eight characters. Detailed steps with procedures help execute policies. Common policies might address the following:

• End user license agreement
• Network access and user accounts
• Proper destruction of network devices (that is, printers)
• Creating of administrative and user passwords
• Periodic backups for servers and clients
• Termination of user account access
• Third party software authorization
• User account lockout and account disabling
• Missing or corrupt computer files
• Malicious code discovery by users
• Natural disaster affecting network connectivity
• Software management and storage
• IP addressing scheme for contractors
• Computer naming convention for servers
• Network sharing programs for users
• WAN troubleshooting techniques
• Federal and state computer fraud hotline

Regulations

Regulations are very important when planning and establishing your local policies and procedures because many organizations are held to state and federal regulations, which will affect their responsibilities as a public/private, for profit, or not-for-profit business.

The Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications companies and equipment industries to allow for surveillance capabilities. See the report in Figure 10.8. The Federal Communications Commission (FCC) periodically releases reports establishing new regulations. The report in Figure 10.8 requires certain broadband and VoIP providers to accommodate wiretaps. Visit http://www.fcc.gov/calea/ for more details.
Other important regulations:

Health Insurance Portability and Accountability Act (HIPAA) – “The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.” http://www.hhs.gov/ocr/privacy/index.html

FIGURE 10.8 FCC CALEA Report.

Sarbanes-Oxley Act of 2002 – “On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, which he characterized as “the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt.” The act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud, and created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.” http://www.sec.gov/about/laws.shtml#sox2002

ISO/IEC 27002:2005 – “… establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management …” The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment.
ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in interorganizational activities …, best practices of control objectives and controls in the following areas of information security management:

• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and maintenance
• Information security incident management
• Business continuity management
• Compliance

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297

NETWORK MONITORING

Network monitoring is a great way to identify performance and connectivity issues. Using a tool called a packet sniffer allows you to collect all the data that is being transmitted to and from your computer or between routers. The advantage of collecting individual packets is that you gain detailed insight into how and why certain traffic is not working. For instance, in Figure 10.9 you can see someone is viewing a Web site. If you are told by a user that they cannot access the Internet, you can confirm it by collecting packets from the network using a packet sniffer, or possibly discover that they really are surfing the Internet. HTTP traffic is very easy to identify in Figure 10.9 because it is presented to you with “http” and the associated port number of 80. Along with that is the IP address that is captured in the packet.
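The check described above, recognising HTTP by port 80 and reading the IP addresses out of a captured packet, as an added example that is not from the study guide. The frames are constructed inline using documentation address ranges, and the function names are illustrative.

```python
import ipaddress
import struct

HTTP_PORT = 80  # the port the text uses to recognise HTTP

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed sample input: Ethernet + IPv4 + TCP frame (checksums left at 0)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)            # MACs zeroed, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload

def classify_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, label), or None if not IPv4/TCP."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                                        # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                               # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:          # protocol 6 = TCP
        return None
    if len(ip) < ihl + 4:                                  # truncated before TCP ports
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    label = "http" if HTTP_PORT in (sport, dport) else "other"
    return src, dst, sport, dport, label

def http_clients(frames):
    """Source IPs seen sending TCP traffic to port 80, i.e. hosts that are browsing."""
    seen = set()
    for frame in frames:
        info = classify_frame(frame)
        if info and info[3] == HTTP_PORT:
            seen.add(info[0])
    return seen

# Constructed capture; addresses come from the documentation ranges.
CAPTURE = [
    build_frame("192.0.2.10", "198.51.100.7", 49152, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("198.51.100.7", "192.0.2.10", 80, 49152, b"HTTP/1.1 200 OK\r\n"),
    build_frame("192.0.2.11", "198.51.100.9", 49153, 443),
    b"\x00" * 20,                                          # truncated frame
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(classify_frame(f))
    print("HTTP clients:", http_clients(CAPTURE))
```

Labelling by port number is the same shortcut the figure relies on; traffic on port 80 is assumed to be HTTP without inspecting the payload.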
Packet sniffers are remarkably useful: because you see everything that crosses your network at the packet level, you can quickly identify a network performance problem.

FIGURE 10.9 Wireshark, an Open Source Packet Sniffer also known as Network Protocol Analyzer.* (*Download Wireshark for free at http://www.wireshark.org)

Just as documentation on configurations and changes can be helpful in solving problems with your network, so can the logs generated by the software running on these machines. Logs are records of events that have occurred and actions that were taken. Many systems will provide logs that give automated information on events that have occurred, including accounts that were used to log on, activities performed by users and by the system, and problems that transpired. These details make logs a valuable tool when troubleshooting problems and identifying adverse incidents (such as intrusions to the system).

On many systems, the logs may be simple text files that are saved to a location on the local hard drive or a network server. In other cases, the system will provide a specific tool for viewing the information. For example, in Windows NT, 2000, 2003, and XP, a tool called Event Viewer is used to view a series of logs generated by the operating system. As shown in Figure 10.11, Event Viewer allows you to view data stored in the following:

• Application log: Contains events that are logged by individual programs or applications installed on the operating system.
• Security log: Displays possible security issues that the operating system monitors. This includes valid and invalid log-on attempts, the use of a specific resource by an audited user, and other actions related to security.
• System log: Displays events logged by the system components of the operating system.
Information stored in this log includes facts about drivers that failed to load properly, warnings on low disk space and memory, remote access attempts, and other information on the system itself.

Each of the logs in Event Viewer can be accessed by clicking on the corresponding node in the left pane of the application. When a log is selected, the individual events recorded in the log are displayed in the right pane of the application (Figure 10.10). To view specific information about an event, you simply double-click its entry in the right pane.

Logs are also created by other software and devices installed on a computer, or generated by devices that have been configured to write information to a file stored on a particular computer. For example, firewall software installed on a server would maintain its own records of users accessing specific Web sites, downloaded files, attempts to access restricted resources, and other information. In the same way, a door lock system may require a personal identification number (PIN), biometrics, or a card key before access is granted to the building. Such systems commonly record authorized and denied entry attempts to a file or series of files on a specific computer. In each of these cases, the logs provide a record that can be reviewed in the event of a security breach or other problems.

Password Lists

Passwords are access codes that use alphanumeric and special characters that allow you to log onto operating systems, software, or specific files. Over the years, you’ve probably heard that passwords shouldn’t be written down, and should only be remembered. This is generally true in most cases, as it would be unwise to have passwords written on little pieces of paper and carried in wallets, left on desks, or stuck to the monitors of computers. However, there may be times when you’re unavailable and other members of the IT staff need a particular password to fix a problem.
Because of this, passwords should also be documented so others can use them. Password lists should contain all of the passwords used to perform administrative or maintenance tasks on the network. This includes passwords for:

• The administrator account on servers and workstations
• Accounts that have access to modify other accounts, in case management of network accounts is needed

FIGURE 10.10 Windows XP Event Viewer.
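Returning to the Baselines and log review passages earlier in this chapter, an added example (not from the study guide) that builds a per-hour baseline of invalid log-on attempts from a text log and flags hours that depart from it. The log line format, the LOGON_FAILURE event name, the thresholds and all sample data are constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime
from statistics import mean, pstdev

def failures_per_hour(lines):
    """Count invalid log-on events per (date, hour); other or malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[2] != "LOGON_FAILURE":
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue                      # unreadable timestamp
        counts[(ts.date(), ts.hour)] += 1
    return counts

def build_baseline(counts, days):
    """Per hour of day: (mean, std-dev) of failures over the baseline days."""
    baseline = {}
    for hour in range(24):
        samples = [counts.get((d, hour), 0) for d in days]   # quiet hours count as 0
        baseline[hour] = (mean(samples), pstdev(samples))
    return baseline

def deviations(counts, day, baseline, k=3.0, floor=5):
    """Hours of `day` with at least `floor` failures and more than mean + k * std-dev."""
    flagged = []
    for hour in range(24):
        seen = counts.get((day, hour), 0)
        avg, sd = baseline[hour]
        if seen >= floor and seen > avg + k * sd:
            flagged.append((hour, seen))
    return flagged

def sample_log():
    """Constructed log: four ordinary mornings, plus a burst at 02:00 on the fourth day."""
    lines = ["not a log line", "2014-07-04 25:00:00 LOGON_FAILURE user=jsmith"]
    for d in (1, 2, 3, 4):
        lines += [f"2014-07-0{d} 09:0{i}:00 LOGON_FAILURE user=jsmith" for i in range(2)]
        lines.append(f"2014-07-0{d} 09:30:00 LOGON_SUCCESS user=jsmith")
    lines += [f"2014-07-04 02:{m:02d}:00 LOGON_FAILURE user=administrator" for m in range(12)]
    return lines

BASELINE_DAYS = [date(2014, 7, 1), date(2014, 7, 2), date(2014, 7, 3)]

def review(lines, day=date(2014, 7, 4)):
    """Flag hours of `day` that depart from the baseline built on BASELINE_DAYS."""
    counts = failures_per_hour(lines)
    return deviations(counts, day, build_baseline(counts, BASELINE_DAYS))

if __name__ == "__main__":
    print(review(sample_log()))
```

The two failures at 09:00 match the baseline and stay below the floor, so only the 02:00 burst is reported.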

Date posted: 04/07/2014, 13:21
