Which network service allows administrators to monitor and manage network devices?

Getting to Know Your Users

Linda Newman Lior, in Writing for Interaction, 2013

Network Administrators

Network administrators (also referred to as IT administrators) are responsible for installing, implementing, and maintaining business applications for an organization or company. Often these applications require intricate infrastructure and server configurations. Network administrators have varying levels of skills and expertise. Depending on your application, you’ll need to determine the information your users need and the best ways to present it to the network administrators responsible for installing and configuring your application. You may find that there are several network administrator personas for a single product, for example:

Server administrator responsible for setting up the network infrastructure required to install and deploy the application

Network administrator responsible for installing and configuring the application

Network administrator responsible for monitoring and maintenance

Desktop administrator responsible for deploying the application on client computers and for ongoing support of the client-side application

Because network administrators and their colleagues are responsible for keeping the network running smoothly, they need to understand what the feature does, and its impact on the entire network.

“Network administrators want under-the-hood information. They want to understand how a feature works, not just what it does.”

—Gershon Levitz, Senior Technical Writer at Microsoft


URL: https://www.sciencedirect.com/science/article/pii/B9780123948137000031

Passwords, Vulnerabilities, and Exploits

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

General Password Protection Measures

Network administrators and users can take a number of measures to protect passwords, including the following:

Follow guidelines for creating strong passwords.

Configure settings so that user accounts are disabled or locked out after a reasonable number of incorrect password attempts.

Use the Encrypting File System (EFS) on Windows 200x and XP computers, or BitLocker drive encryption on systems running Windows Vista and Windows Server 2008.

Store critical data on network servers rather than local machines.

Don't rely on the password protection built into most applications.

Enable password shadowing on UNIX/Linux systems.

Ensure that passwords are never sent across the network in plain-text form.

Use antisniffer software and sniffer detection techniques to guard against crackers who try to intercept passwords traveling across the network.
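The UNIX/Linux items in this list (enable password shadowing, never leave passwords unprotected) can be checked mechanically rather than by eye. The script below is an added example, not code from the book: it parses passwd- and shadow-style records, reports hashes that were left in the world-readable passwd file, empty password fields, and hashes made with the old DES or MD5 crypt schemes. The file contents, user names and hashes are constructed for the example.

```python
"""Audit /etc/passwd and /etc/shadow style data for the password weaknesses
listed above. Added example; the sample file contents are constructed."""
import re

# Constructed sample data: not copied from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:Ab8dR7zQk1pW2:1001:1001:Legacy app:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19700:0:99999:7:::
alice:$y$j9T$saltsalt$abcdefghijklmnopqrstuvwxyz012345678:19700:0:99999:7:::
svc:$1$saltsalt$abcdefghijklmnopqrstuv:19700:0:99999:7:::
nologin:!:19700:0:99999:7:::
"""
# DES-crypt is 13 chars from the crypt alphabet; MD5-crypt starts with $1$.
WEAK_HASH = re.compile(r"^(\$1\$|[./0-9A-Za-z]{13}$)")
SHADOWED = {"x", "*", "!", "!!"}   # passwd values meaning "see shadow" or "locked"

def audit_passwd(text: str) -> list:
    """Shadowing check: passwd is world-readable, so no hash may live there."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = line.split(":", 2)[:2]
        if pw == "":
            findings.append((user, "empty password field: login without a password"))
        elif pw not in SHADOWED:
            findings.append((user, "hash stored in world-readable passwd (shadowing off)"))
    return findings

def audit_shadow(text: str) -> list:
    """Hash strength check on the shadow entries."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":", 2)[:2]
        if pw == "":
            findings.append((user, "empty shadow password: login without a password"))
        elif pw.startswith(("!", "*")):
            continue                      # locked or no-login account
        elif WEAK_HASH.match(pw):
            findings.append((user, "weak hash (DES or MD5 crypt): rehash with sha512/yescrypt"))
    return findings

def audit(passwd_text: str, shadow_text: str) -> dict:
    """Combined report keyed by file, as a scheduled check would emit it."""
    return {"passwd": audit_passwd(passwd_text), "shadow": audit_shadow(shadow_text)}

if __name__ == "__main__":
    for source, items in audit(PASSWD, SHADOW).items():
        for user, problem in items:
            print(f"{source}: {user}: {problem}")
```

Run against the constructed data it reports `legacy` (hash left in passwd), `guest` (no password at all) and `svc` (MD5-crypt hash); the locked `nologin` entry is deliberately ignored. On a real host the same two functions would be fed the contents of /etc/passwd and /etc/shadow, the latter readable only by root.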


URL: https://www.sciencedirect.com/science/article/pii/B978159749276800011X

Tier 1—Network Administrator

Josh More, ... Chris Liu, in Breaking Into Information Security, 2016

Abstract

A Network Administrator’s specific job duties will vary based on the size and structure of the organization. The focus will be on the transport infrastructure (routers, switches, firewalls, and wireless access points) used by the organization. In some cases, changing the network wiring will be part of your job duties as well. In smaller organizations, there will often be additional job duties where you are assisting with servers or even end-user workstations. Moving from one Network Administration role to another Network Administration role is generally easy. Having gained the experience, you are now much more attractive to other employers. If you enjoy networking, and have advanced your skills, moving up to a Network Engineer role is often an option.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007839000124

Low tech wireless hacking

Jack Wiles, ... Sean Lowther, in Low Tech Hacking, 2012

Directional dangers

Sending wireless bridges off course

Low Tech Level 1

The majority of antennas you'll come across are omnidirectional, servicing a general area around an AP. If you happen to find wireless APs with strong directional antennas, there's a specific purpose for that: to direct the signal to (or away from) a specific area. Directional antennas can be used for signal containment or directional coverage, but often, and more interestingly, they're used in wireless bridges. Even the slightest changes in a directional antenna can wreak havoc on the wireless system. If that AP is serving as a bridge, a malicious person could easily take out an entire building or portion of a network by removing, replacing, or re-aiming a directional antenna. Imagine you're yelling across a field to your friend. No matter how loud you try to be, if you're turned around facing the other direction, he or she may never hear you. The same is true with RF signals traveling to and from wireless APs. The antennas are precisely placed in order to provide the best directional signal to the next hop.

A network administrator would be hard-pressed to troubleshoot this type of attack remotely. If the wireless team has a good monitoring system or WIPS, they're more likely to spot the RF changes picked up if sensors and monitoring APs are in the immediate area. Full remediation would probably involve a visual survey of the APs and antennas, and possibly a physical RF site survey using a laptop and wireless survey application. Since hunting down this issue may be nearly impossible after the fact, the best mitigation is preventing it in the first place. Organizations with external APs or antennas should carefully select their mounting locations and ensure there's appropriate physical security protection for the devices. Mounting on rooftops, maintenance areas, and tall poles or using secured enclosures is strongly recommended. For more on physical security, be sure to read the guidance provided by Jack in Chapters 1 and 2.

Note

Scattered, reflected, and diffracted, please! You may like your hash browns served fancy style, but scattered, smattered, reflected, or in any way distorted is no way to take your RF. Aside from tampering with antennas, forced reflection is probably the simplest and most effective wireless disturbance. As you can probably construe from the word, reflection happens when RF signals bounce off something. Think of it as completely rerouting the path of the RF signal, away from its intended users, and off into some black hole of space (or other unintended users).


URL: https://www.sciencedirect.com/science/article/pii/B9781597496650000046

Storage Networks

Gary Lee, in Cloud Networking, 2014

Industry adoption

Storage network administrators are a very conservative group because keeping data secure is much more critical than other aspects of data center operation. This is why they like dedicated FC networks which are physically isolated from other networks and use equipment that is certified by a handful of key vendors. Although iSCSI has security features that can be enabled, many companies don’t like the idea of their critical data being transmitted on less secure local area networks or public networks. Even so, iSCSI has been a successful solution for cloud data center storage applications where the entire network is controlled by the data center administrator.

FCoE, on the other hand, has taken a while to gain wide industry acceptance. One reason for that was the lack of Ethernet bandwidth. While FC networks were operating at 4Gbps, Ethernet was still at 1Gbps. Once 10Gb Ethernet became more widely available, companies like Cisco and Brocade started offering FCFs and FSBs with CNAs provided by various NIC vendors. But the lack of FCoE storage targets and the limitations imposed by the BB-5 standard limited the economies of scale that are enjoyed by technologies such as Ethernet. It is expected that the new BB-6 standard will improve this somewhat by opening the market to lower cost FCoE networking solutions. Other factors that will help enable FCoE in the market include the emergence of 40Gb Ethernet, which means that FCoE will have a significant performance advantage over 16Gb FC implementations, and the fact that storage administrators are getting more comfortable with FCoE technology.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007280000084

MCSE 70-293: Planning, Implementing, and Maintaining the TCP/IP Infrastructure

Martin Grasdal, ... Dr. Thomas W. Shinder, Technical Editor, in MCSE (Exam 70-293) Study Guide, 2003

Monitoring Network Traffic and Network Devices

Every network administrator should be familiar with two key utilities:

Network Monitor: Allows you to capture data, identify the source, and analyze the content and format of the message.

System Monitor: Allows you to monitor other resources and determine the performance of those resources.

Using Network Monitor

There are two versions of Network Monitor: one is part of the Windows Server 2003 operating system, and the other is part of Microsoft Systems Management Server (SMS). The version that ships with Windows Server 2003 can monitor only traffic inbound and outbound to the machine on which the utility is being run. The SMS version can monitor most network traffic from any machine to any other machine on the network, by placing the network card on the machine where it is running in promiscuous mode to capture all traffic.

Network Monitor is not installed by default. You can install it by following these steps:

1. From Control Panel, select Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Click Management and Monitoring Tools.
4. Click Details.
5. Click the check box next to Network Monitor Tools.
6. Click OK.
7. Click Finish.

After Network Monitor is installed, you can use the interface to monitor traffic, as shown in Figure 3.19. When you want to view the results, you can view each frame of captured data. You can save the trace to a file, or you can start the trace over. You could then use the traces to find and filter traffic in order to analyze the data. You can also capture fragments into files for later analysis. You can even see some of the unencrypted data being transmitted on your network.


Figure 3.19. Network Monitor

Network Monitor should be run during low-usage times or for short intervals to minimize the impact on performance of capturing all that data on your machine. It is also useful to identify the type of traffic you are concerned with and use the filters to capture only the data you need.

Using System Monitor

System Monitor is a Microsoft Management Console (MMC) snap-in tool that allows you to use counters to monitor the performance of hardware, applications, and operating system components on Windows Server 2003 machines.

A counter is basically a hook into a driver or application component that allows System Monitor to gather statistics. System Monitor can capture these statistics and display them in a graph, as shown in Figure 3.20, or in a report. It can also send administrative alerts when specified conditions are met, and even launch an application to allow you to correct the situation or send an e-mail or a page to an administrator. You can save the logs to different file formats to allow you to analyze them in other applications or tools.


Figure 3.20. System Monitor

Note

Windows Server 2003 includes command-line tools to help control the scheduling of performance counter and event trace logs. System Monitor is no longer required to gather performance data from remote computers (although it can still be used for that purpose). Typeperf allows you to write performance counter data directly to the command window.

System Monitor also allows you to view more than one log file at the same time, so that you can compare baseline logs with the current data. The Performance Logs and Alerts service can gather data and store it in a Microsoft SQL Server database that can be viewed by System Monitor. You can also save portions of log files or SQL Server data to a new file. This can help save space, simplify comparisons of data, and reduce analysis time.
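The baseline-versus-current comparison described above is what turns a counter log into an alert condition. The following Python script is an added example, not from the study guide or from Microsoft: it reads two counter logs in the CSV layout that typeperf writes (a timestamp column followed by one column per counter path), derives a limit of mean plus three standard deviations from the baseline, and raises an alert only when several consecutive current samples exceed it, so a single spike does not page anyone. Both CSV blocks, the server name SRV1 and the counter values are constructed for the example.

```python
"""Compare current performance-counter samples with a baseline log, as the
text describes. Added example; the typeperf-style CSV data is constructed."""
import csv
import io
import statistics

# Constructed samples in the CSV layout typeperf writes (timestamp, then one column per counter).
BASELINE_CSV = r'''"(PDH-CSV 4.0) (UTC)(0)","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\Network Interface(NIC1)\Bytes Total/sec"
"03/03/2024 02:00:00.000","10","120000"
"03/03/2024 02:00:15.000","12","125000"
"03/03/2024 02:00:30.000","11","118000"
"03/03/2024 02:00:45.000","13","122000"
"03/03/2024 02:01:00.000","12","121000"
"03/03/2024 02:01:15.000","11","119000"
"03/03/2024 02:01:30.000","10","124000"
"03/03/2024 02:01:45.000","12","120000"
'''
CURRENT_CSV = r'''"(PDH-CSV 4.0) (UTC)(0)","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\Network Interface(NIC1)\Bytes Total/sec"
"03/10/2024 02:00:00.000","12","121000"
"03/10/2024 02:00:15.000","13","450000"
"03/10/2024 02:00:30.000","40","480000"
"03/10/2024 02:00:45.000","12","470000"
"03/10/2024 02:01:00.000","13","122000"
"03/10/2024 02:01:15.000","12","120000"
'''

def load_counters(text: str) -> dict:
    """Parse the CSV into {counter_path: [samples]}; blank cells (missed samples) are skipped."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    series = {name: [] for name in header[1:]}
    for row in data:
        for name, value in zip(header[1:], row[1:]):
            if value.strip():
                series[name].append(float(value))
    return series

def baseline_alerts(baseline: dict, current: dict, sigmas: float = 3.0, sustain: int = 2) -> list:
    """Flag a counter when `sustain` consecutive current samples exceed
    baseline mean + sigmas * stdev; returns (counter, sample index, limit)."""
    alerts = []
    for name, base in baseline.items():
        if len(base) < 2 or name not in current:
            continue
        limit = statistics.mean(base) + sigmas * statistics.pstdev(base)
        run = 0
        for i, v in enumerate(current[name]):
            run = run + 1 if v > limit else 0   # reset on any sample back under the limit
            if run == sustain:
                alerts.append((name, i, round(limit, 2)))
    return alerts

if __name__ == "__main__":
    for counter, idx, limit in baseline_alerts(load_counters(BASELINE_CSV), load_counters(CURRENT_CSV)):
        print(f"ALERT {counter}: sample {idx} sustained above baseline limit {limit}")
```

With the constructed data the single 40% processor spike is ignored, while the three consecutive network samples at roughly four times the baseline rate produce one alert at the second of them. The same logic applies unchanged to a log exported from System Monitor or captured at the command line, since both use this CSV shape.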


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500075

Collecting and Preserving Digital Evidence

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Collecting Digital Evidence

A network administrator or another member of the IT staff will often be the first person to become aware of a cybercrime in a corporate setting, and the IT incident response team (if the company has one) will take the initial steps to stop the crime in progress and “freeze” the crime scene before law enforcement personnel take over. Even after the police are called in, the process of collecting digital evidence usually involves several people, whom we discussed in detail in Chapter 5:

First responders, who are officers or official security personnel who arrive first at the crime scene. These people are responsible for identifying the crime scene, protecting it, and preserving evidence.

Investigators, or an investigative team, who are responsible for establishing a chain of command, conducting a search of the crime scene, and maintaining the integrity of the evidence.

Crime scene technicians and specialists, who are called out to process the evidence, and who are responsible for preserving volatile evidence (which we'll discuss later in this chapter), duplicating disks, and preparing evidence for transport (including shutting down systems, and packaging, tagging, and logging evidence).

It is important that one person be designated in charge of the scene and be given the authority to make final decisions as to how the scene will be secured, how the search will be conducted, and how the evidence will be handled. This is usually the role of the senior investigator. It is equally important that each member of this team understand his or her role and adhere to it. The ability of the team to work together is essential to the successful collection of evidence.

Evidence Collection

Collection is a practice consisting of the identification, processing, and documentation of evidence. When collecting evidence, a crime scene technician will start by identifying what evidence is present and where it is located. For example, if someone broke into the server room and changed permissions on the server, the room and server would be where you would find evidence. When establishing this, the crime scene technician will then ensure that the crime scene has been secured, and that others have been prevented from entering the area and accessing the evidence. If the area wasn't secured, suspects could enter the area and alter or contaminate evidence. For example, if fingerprints were being taken to determine who broke into the server room, merely touching the door and other items would distort any findings. Maybe the perpetrator left the fingerprints while in the process of breaking in, or maybe someone else left them when the crime scene was not secure.

Once the evidence that is present has been identified, the next step is to identify how the evidence can be recovered. Evidence on computers may be obtained in a variety of ways, from viewing log files to recovering the data with special forensic software. If data recovery is needed, the computer's operating system should be identified, along with the media used to store the evidence. Once you've determined this, it is then possible to decide on the techniques and tools needed to recover the data.

In addition to photographing the screen of a computer to record any volatile data that's displayed, you should also photograph how the equipment is set up. When you've transported the equipment and are ready to begin examining it, you will need to set it up exactly as it was at the crime scene. After the case is completed, setup may also be required if the equipment is returned to the owner. To ensure that the equipment is set up properly, you should photograph the front and back of the machine upon seizing it. Photographs or diagrams should be made showing how cables and wires were attached.

Backup media should also be collected, as analyzing any backup tapes may show that an incident began earlier than expected. In some cases, you may find that data that was backed up days or even weeks before shows that an intruder entered a system, or a virus infected data on hard disks. If this were undetected, it is possible that you could unknowingly restore a virus to the system as part of the recovery process, and create a repeat of the initial incident.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000157

Network Fundamentals

Naomi J. Alpern, Robert J. Shimonski, in Eleventh Hour Network+, 2010

Virtual Local Area Network

VLANs allow network administrators to divide the network by designating certain switch ports as part of a logical network. While several computers or devices can be connected to the same physical network, they can all be separated logically through the use of a VLAN. Characteristics of VLANs are as follows:

VLAN databases can provide important details to any individual who is trying to discern the logical breakup of the network.

VLANs logically divide the network and affect the traffic and security of a switched network.

VLANs are commonly used in the enterprise or corporate computing networks to segment networks.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494281000035

War Dialing

Stacy Prowell, ... Mike Borkin, in Seven Deadliest Network Attacks, 2010

Out-of-Band Support Channels

Although many network administrators have moved as far away from dial-up access as possible, there still exists a need to implement modems for communications for a variety of situations. One of the most frequent implementations encountered involves using modems as an out-of-band communications solution for managing network equipment such as routers and switches. Out-of-band communications provide administrators the capability of remotely managing devices should traditional local area network or wide area network connectivity become unreliable or unavailable.

Although modems may be implemented for the purpose of out-of-band communications, poor implementation of such devices may provide an avenue of attack allowing attackers to gain access to the core backbone of the network. If an attacker is able to connect to a router via a poorly secured modem and successfully authenticate, there are many types of attacks that can be performed that may reduce the confidentiality, integrity, and availability of the network and the data that passes through it.

If an attacker has appropriate access, he or she may set new passwords for the router, essentially hijacking the device. Administrators may have a difficult time reclaiming administrative access to the router, depending on whether or not physical access to the router is required to regain control. This may take a considerable amount of time if the network administrators are not prepared. Additionally, many network administrators fail to implement proper logging for failed logon events, which allows attackers to perform extensive dictionary or brute-force attacks without detection. Successful authentication attacks may allow attackers to maintain access for long periods without detection by administrators. Once this level of access is achieved, the attacker can cripple the entire network by reconfiguring the router.
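The paragraph above turns on one gap: failed logon events on the out-of-band line are not logged, so a dictionary attack and the eventual successful login go unnoticed. The script below is an added example, not from the book, of the detection that becomes possible once those events are logged and forwarded: it reads syslog-style login records, keeps a sliding window of failures per device and line, raises a brute-force alert when the count crosses a threshold, and raises a second, higher-priority alert if a successful login then follows the burst on the same line. The log format, device name `core-rtr1`, line names (`aux0`, `vty0`) and timestamps are constructed; a real router's syslog messages would need their own regular expression.

```python
"""Detect dictionary/brute-force attempts against a router's out-of-band line
from login events, and a success that follows such a burst. Added example; the
log lines and their format are constructed, not taken from a real device."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a burst on the modem (aux0) line, then a normal admin login on vty0.
LOG = """\
2024-03-10T02:14:01 core-rtr1 LOGIN_FAILED user=admin line=aux0
2024-03-10T02:14:03 core-rtr1 LOGIN_FAILED user=admin line=aux0
2024-03-10T02:14:05 core-rtr1 LOGIN_FAILED user=admin line=aux0
2024-03-10T02:14:07 core-rtr1 LOGIN_FAILED user=root line=aux0
2024-03-10T02:14:09 core-rtr1 LOGIN_FAILED user=cisco line=aux0
2024-03-10T02:14:12 core-rtr1 LOGIN_SUCCESS user=admin line=aux0
2024-03-10T09:30:00 core-rtr1 LOGIN_FAILED user=jdoe line=vty0
2024-03-10T09:31:10 core-rtr1 LOGIN_SUCCESS user=jdoe line=vty0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAILED|LOGIN_SUCCESS) user=(\S+) line=(\S+)$")

def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts as (kind, device, line, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)    # (device, line) -> timestamps of recent failures
    bursting = set()                 # keys currently in an alerted failure burst
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                 # unrelated or malformed record
        ts = datetime.fromisoformat(m.group(1))
        device, event, user, line = m.group(2), m.group(3), m.group(4), m.group(5)
        key = (device, line)
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()         # drop failures that fell out of the window
        if event == "LOGIN_FAILED":
            recent.append(ts)
            if len(recent) >= threshold and key not in bursting:
                bursting.add(key)    # alert once per burst, not on every further failure
                alerts.append(("BRUTE_FORCE", device, line,
                               f"{len(recent)} failures within {window}"))
        else:
            if key in bursting:
                alerts.append(("SUCCESS_AFTER_BURST", device, line,
                               f"user {user} logged in after a failure burst"))
            recent.clear()           # a login ends the current sequence either way
            bursting.discard(key)
    return alerts

if __name__ == "__main__":
    for kind, device, line, detail in detect(LOG):
        print(f"{kind}: {device} line {line}: {detail}")
```

On the constructed log this yields a BRUTE_FORCE alert for `aux0` at the fifth failure and a SUCCESS_AFTER_BURST alert when `admin` then authenticates on that line; the single failed attempt by `jdoe` on `vty0` produces nothing. The threshold and window are the knobs to tune against the normal rate of typos on each line.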

Attackers may use router software to sniff network traffic as it passes through the router. This obviously is a great concern, as many network administrators fail to implement encrypted protocols. Sniffing network traffic can also provide attackers with a wealth of information about the protocols and the types of traffic that traverses the network. This type of attack will most likely allow attackers to sniff legitimate usernames and passwords, allowing for further attacks against services available on the network.

The attacker may be able to perform denial-of-service (DoS) attacks, as explained in Chapter 1, “Denial of Service,” by configuring the router to route all traffic to a nonexistent address, also known as a null route or black hole. This of course will cause a total loss of data, as it traverses this point within the network.

Remote access for out-of-band communications should be secured to prevent these types of attacks. The previous attacks described only account for a small amount of what an attacker can do if modems connected to support devices are compromised.


URL: https://www.sciencedirect.com/science/article/pii/B978159749549300002X

Inventories and Auditing

Brien Posey, in GFI Network Security and PCI Compliance Power Tools, 2009

Introduction

As a network administrator, one of your biggest responsibilities is to know what's on your network. You need to know what devices are attached to the network, and what software is installed on those devices. After all, if you don't even know what is connected to your network, or how those devices are set up, then how in the world can you possibly consider your network to be secure?

Fortunately, GFI LANguard Network Security Scanner can help with this problem. Some of the product's scanning capabilities are designed to help you compile hardware and software inventories, and even to help you document your network. In this chapter, I'll show you how it works.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492850000066

Which option allows administrators to monitor and manage network devices?

The Simple Network Management Protocol (SNMP) has been used for years to manage and monitor network devices such as switches, routers, and firewalls. Windows servers also provide the capability for management systems to connect and monitor them.

Which protocol will allow the monitoring of network devices?

SNMP – Simple Network Management Protocol (SNMP) is used to monitor and manage network devices. This TCP-based protocol allows administrators to view and modify endpoint information to alter behavior of devices across the network.

Which protocol or service allows network administrators to receive system messages that are provided by network devices?

SNMP software agents on network devices and services communicate with a network management system to relay status information and configuration changes. The NMS provides a single interface from which administrators can issue batch commands and receive automatic alerts.
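The two answers above describe the exchange at a high level: a management system sends a request naming the object it wants, and the agent on the device replies. The Python below is an added example, not from this page or from any SNMP library, of what that request looks like on the wire for SNMP version 1: it BER-encodes a GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, from the standard MIB-II), decodes such a message back, and sends it to an agent on UDP port 161, the transport the SNMP specifications assign to it. Because the community string is carried in clear text in v1 and v2c, the decoder also flags the well-known defaults `public` and `private`, which is the check a defender reviewing a capture of management traffic most wants. The `snmp_get` helper name and the request id value 1 are choices made for the example.

```python
"""SNMPv1 GetRequest encoder/decoder (BER) showing the manager-to-agent
query described above. Added example code; not from the page or any SNMP library."""
import socket

OID_SYSDESCR = "1.3.6.1.2.1.1.1.0"           # sysDescr.0 (MIB-II, RFC 1213)
GET_REQUEST = 0xA0                           # context tag [0] = GetRequest-PDU
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults worth flagging

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # continuation bit on all but the last
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version (0 for v1), community, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))           # { OID, NULL }
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))                               # id, error-status, error-index
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_get_request(msg: bytes) -> dict:
    """Decode a v1 GetRequest. The community string travels in clear text, so a
    capture like this also shows whether a default community is in use."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, version, p = read_tlv(body, 0)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    if int.from_bytes(version, "big", signed=True) != 0 or pdu_tag != GET_REQUEST:
        raise ValueError("not an SNMPv1 GetRequest")
    _, req_id, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)                   # error-status
    _, _, p = read_tlv(pdu, p)                   # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    comm = community.decode("ascii", "replace")
    return {"community": comm, "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids, "default_community": comm in DEFAULT_COMMUNITIES}

def snmp_get(host: str, community: str, oid: str = OID_SYSDESCR, timeout: float = 2.0) -> bytes:
    """Send the request to an agent on UDP/161 and return the raw GetResponse bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, 1), (host, 161))
        return sock.recv(4096)

if __name__ == "__main__":
    msg = build_get_request("public", OID_SYSDESCR, 1)
    print(msg.hex())
    print(parse_get_request(msg))
```

The encoded request for community `public` is 40 bytes and begins `30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19`, which is the sequence header, the version integer, the community string and the GetRequest tag in that order; anyone who can see management traffic sees the community string just as plainly, which is the reason the page's own guidance on never sending credentials in the clear applies to SNMP v1/v2c as much as to logins.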

What specialized network device is responsible for enforcing access control?

Simply stated, a firewall is responsible for controlling access among devices, such as computers, networks, and servers.