crosswell-abq-tools-20060208.ppt
Uploaded by aSGuest4107, November 27, 2008 (license: All Rights Reserved)

Presentation Transcript

Slide 1: Network mgmt tools: keeping the free love alive
February 2006
Alan Crosswell, alan@columbia.edu

Slide 2: Credits
Dan Medina, Matt Selsky, Megan Pengelly, Martin Wren, Johan Anderson, Joel Rosenblatt, and all the GPL tool authors

Slide 3: Outline
- Network management
  - Switch management
  - Router configs
  - Log summarization
  - Netflow
  - Survivor systems monitor
  - Intermapper

Slide 4: Outline
- Security
  - GULP: auth log mining
  - PAIRS: IDS
  - Mazu: anomaly detection

Switchmgr
- Web interface to SNMP commands to Cisco CatOS/IOS switches/routers on campus
- Database backend provides another layer of information for ports:
  - jack location information <-> port number (LDAP)
  - jack location <-> person

Switchmgr Privileges
- Uses pamacea to authenticate users
- Users view/modify switches based on their Unix groups
- Student RCCs can only view dorm switches
- Cabling group can only modify jack location information

Switchmgr: switch view (transcript gives the title only)
Switchmgr: jack view (transcript gives the title only)
Switchmgr: port view (transcript gives the title only)

Cisco Config Management
- Nightly backups into RCS to archive all switch and router configs
- Currently uses 'clogin' from the RANCID project to authenticate and run automatically
- Web-based comparison tool for viewing changes to configs over time, or can just use RCS at the command line
- Nightly email tells the group which switches & routers have changed their configurations since the previous day

Switch & Router Log Monitoring
- cisco-summary.pl emails log summaries to our group every day
- Person On Call ensures that all log messages are OK, or fixes any problems found

Netflow
- Track traffic going across the border
- CFlowd on a Linux machine to process flow files exported from main routers
- CUFlow builds on Cflow tools to provide graphs and charts per service or router
- CUQuota monitors bytes to and from internal hosts and polices them when they exceed 180 M/h upload or 350 M/h download

CUFlow
- Our graphing/charting Cflow class is GPL'd and available at http://www.columbia.edu/acis/networks/advanced/CUFlow

Survivor
- "It's a systems monitor. It monitors systems."
- Like Mon, Big Brother, Nagios, etc., but better or worse, depending on what features you like.
- http://freshmeat.net/projects/survivor/
- demo

Slide 15: Survivor filesystem check configuration
    # This file is used to configure the filesystem checking on each host.
    # The format of this file is
    #   filesysregex,warn,prob
    # Disks not explicitly listed here use the default thresholds in check.cf.
    # Disks listed here that don't exist are ignored.
    # Values must be greater than 0.  101 or greater will never match, and so
    # can be used to suppress warnings or problems.
    #
    # Important filesystems should have some spare space
    ^/$,90,94
    # Some hosts write variable stuff into /var, others /usr/var
    ^/usr$,90,94
    ^/var$,90,94
    # Generate warnings, but not problems, for filesystems holding software
    ^/usr/local,98,101
    ^/opt,98,101
    ^/miniopt,98,101
    ^/service,98,101
    # Some filesystems are never worth worrying about
    ^/m/mnt,101,101
    ...
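The slide 15 format, evaluated in code. This is an added example and is not code from the Survivor project or from the presentation: it parses `filesysregex,warn,prob` lines, applies the rule that a threshold of 101 or more can never fire (percent-used tops out at 100, so 101 suppresses that state), and falls back to caller-supplied defaults for filesystems not listed (Survivor keeps its real defaults in check.cf, which this example does not read). Two details the slide does not state are assumptions here: the first matching line wins, and usage at or above a threshold triggers it.

```python
"""Evaluate filesystem usage against a Survivor-style threshold file.

Added example, not Survivor's own code.  Format per slide 15:
    filesysregex,warn,prob
Assumptions: first matching regex wins; a value >= the threshold triggers;
defaults for unlisted mounts are supplied by the caller (Survivor reads
them from check.cf).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the slide-15 format (shortened copy of that slide).
SAMPLE_CONFIG = """\
# Important filesystems should have some spare space
^/$,90,94
^/usr$,90,94
^/var$,90,94
# Generate warnings, but not problems, for filesystems holding software
^/usr/local,98,101
^/opt,98,101
# Some filesystems are never worth worrying about
^/m/mnt,101,101
"""


@dataclass(frozen=True)
class Rule:
    pattern: "re.Pattern[str]"
    warn: int
    prob: int


def parse_rules(text: str) -> List[Rule]:
    """Parse `regex,warn,prob` lines; skip comments/blank lines; reject values <= 0."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rsplit so a regex that itself contains a comma still parses
        # (assumption: the last two fields are always the numeric thresholds)
        try:
            regex, warn, prob = line.rsplit(",", 2)
            warn_i, prob_i = int(warn), int(prob)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: expected regex,warn,prob: {raw!r}") from exc
        if warn_i <= 0 or prob_i <= 0:
            raise ValueError(f"line {lineno}: values must be greater than 0")
        rules.append(Rule(re.compile(regex), warn_i, prob_i))
    return rules


def thresholds_for(mount: str, rules: List[Rule], default: Tuple[int, int]) -> Tuple[int, int]:
    """First matching rule wins (assumption); unlisted mounts get `default`."""
    for rule in rules:
        if rule.pattern.search(mount):
            return rule.warn, rule.prob
    return default


def classify(mount: str, pct_used: int, rules: List[Rule], default=(90, 95)) -> str:
    """Return 'prob', 'warn' or 'ok' for one filesystem's percent-used figure."""
    warn, prob = thresholds_for(mount, rules, default)
    if pct_used >= prob:      # a 101 threshold is unreachable, so it never fires
        return "prob"
    if pct_used >= warn:
        return "warn"
    return "ok"


def check_host(df_output: List[Tuple[str, int]], config: str = SAMPLE_CONFIG) -> dict:
    """Classify every (mount, pct_used) pair, e.g. parsed from `df -P`."""
    rules = parse_rules(config)
    return {mount: classify(mount, pct, rules) for mount, pct in df_output}


if __name__ == "__main__":
    # Constructed df snapshot: (mount point, percent used)
    sample = [("/", 91), ("/usr/local", 100), ("/m/mnt/scratch", 100), ("/home", 96)]
    for mount, state in check_host(sample).items():
        print(f"{mount:16} {state}")
```

Note how `/usr/local` at 100% only warns (its prob threshold is 101) while `/m/mnt/scratch` at 100% stays `ok` because both of its thresholds are suppressed; `/home`, which no line matches, is judged by the defaults.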
Slide 16: Survivor check specification file
    # Survivor check specification file
    check load {
        module load {
            warn 20
            prob 30
        }
    }
    check loadna {
        module snmp {
            community XXX
            oid .iso.3.6.1.4.1.789.1.2.1.3.0
            warnmatch gt[75]
            probmatch gt[90]
        }
        alert on noncritical alertplan
    }
    check ldapmain {
        module ldap {
            port 389
            filter sn=metz
            response objectclass=person
        }
        helpfile ldapmain
    }

Slide 19: Outline
- Security
  - GULP: auth log mining
  - PAIRS: IDS
  - Mazu: anomaly detection

GULP
- Authn syslogs are collected in a database: user identity, service/server, client IP address
- Merged with MAC addresses (ARP tables polled)
- RADIUS caller ID for dialups

GULP
- Web interface allows searching by IP addr, MAC addr, user identity, etc.
- demo

GULP - Marketscore (transcript gives the title only)
GULP – search for user (transcript gives the title only)
GULP – search for user (transcript gives the title only)

PAIRS
- Analyzes Netflow for host/port scanning, hitting a darknet, connecting to known C&C nodes
- Includes a responsible party database by CIDR and domain
- demo

Slides 26-48 (transcript gives the titles only):
26 Event Summary Information
27 Host Scan Event (Tracking by MAC)
28 Services Provided (Gnutella)
29 Services Consumed (Gnutella)
30 Right-Click (Drill Down)
31 Gnutella Peers
32 Policy to Detect Hosts Communicating on tcp/6667
33 Columbia U Owned Hosts Initiating Connections for tcp/6667
34 Columbia Owned Hosts Providing Services on tcp/6667
35 Who is communicating on port tcp/6667?
36 Port Scan Event
37 Detailed Connection Attempts from Port Scan Event
38 New Host Event – Is this a Change Control Violation?
39 Services Provided by the New Host
40 To Whom?
41 Anomalous Connection for www.ais.columbia.edu (Internal Web Server)
42 Why is www.ais.columbia.edu providing services on tcp/40046? Is this a mis-configuration?
43 Detailed connection information associated with Anomalous Event
44 Why is tcp/3400 the largest service provided by the ldappool application instead of tcp/389?
45 In 1 hour, 142 unique peers connected to ldappool on tcp/3400.
46 Global BW Utilization for Columbia U
47 BW Graph for Barnard College
48 Server Consolidation: Distribution of external Web traffic to GSB.
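One added example serving both the Netflow/CUQuota slide and the PAIRS slide, since both are computations over the same flow records. It is not code from CUQuota, PAIRS or the presentation. It shows the CUQuota policy (police internal hosts that move more than 180 M/h up or 350 M/h down across the border) and the three PAIRS detections (host/port scanning, darknet hits, contact with known C&C nodes) as plain aggregations over flow tuples. The flow record layout, the clock-hour bucketing, the scan thresholds, the campus prefix 192.0.2.0/24, the darknet 198.51.100.0/24 and the single C&C watchlist address are constructed placeholders, not values from the talk.

```python
"""Flow-record analysis in the spirit of CUQuota and PAIRS (added example).

Not the Columbia tools' own code.  Placeholders: the Flow tuple, the
INTERNAL/DARKNET prefixes (documentation ranges), the KNOWN_CC watchlist,
clock-hour quota windows and the scan thresholds.  The byte limits are the
ones stated on the Netflow slide.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

INTERNAL = ip_network("192.0.2.0/24")     # campus address space (placeholder)
DARKNET = ip_network("198.51.100.0/24")   # announced but unused space (placeholder)
KNOWN_CC: Set[str] = {"203.0.113.66"}     # constructed watchlist entry
MB = 1_000_000
UPLOAD_LIMIT, DOWNLOAD_LIMIT = 180 * MB, 350 * MB   # per hour, from the Netflow slide


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since the epoch
    src: str
    dst: str
    dport: int
    nbytes: int


def quota_violations(flows: Iterable[Flow]) -> List[Tuple[str, int, str, int]]:
    """(host, hour, direction, bytes) for internal hosts over an hourly limit."""
    up: Dict[Tuple[str, int], int] = defaultdict(int)
    down: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        hour = f.ts // 3600                     # clock-hour bucket (assumption)
        s_in = ip_address(f.src) in INTERNAL
        d_in = ip_address(f.dst) in INTERNAL
        if s_in and not d_in:                   # crosses the border outbound
            up[(f.src, hour)] += f.nbytes
        elif d_in and not s_in:                 # crosses the border inbound
            down[(f.dst, hour)] += f.nbytes
    out = [(h, hr, "upload", b) for (h, hr), b in up.items() if b > UPLOAD_LIMIT]
    out += [(h, hr, "download", b) for (h, hr), b in down.items() if b > DOWNLOAD_LIMIT]
    return sorted(out)


def host_scans(flows: Iterable[Flow], min_targets: int = 20) -> Dict[Tuple[str, int], int]:
    """Sources that touch many distinct destination hosts on one port."""
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        targets[(f.src, f.dport)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def port_scans(flows: Iterable[Flow], min_ports: int = 20) -> Dict[Tuple[str, str], int]:
    """Sources that touch many distinct ports on one destination host."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def darknet_hits(flows: Iterable[Flow]) -> List[Flow]:
    """Any flow into the darknet: nothing legitimate lives there."""
    return [f for f in flows if ip_address(f.dst) in DARKNET]


def cc_contacts(flows: Iterable[Flow]) -> List[Flow]:
    """Internal hosts talking to an address on the C&C watchlist."""
    return [f for f in flows if f.dst in KNOWN_CC and ip_address(f.src) in INTERNAL]


def sample_flows() -> List[Flow]:
    """Constructed flows: a quota buster, a host scan, a port scan, one darknet hit, one C&C contact."""
    t = 1_139_400_000  # 2006-02-08 12:00 UTC, exactly on an hour boundary
    fl = [Flow(t + i, "192.0.2.10", "203.0.113.5", 80, 40 * MB) for i in range(5)]         # 200 MB up
    fl += [Flow(t + i, "192.0.2.11", f"203.0.113.{100 + i}", 445, 60) for i in range(25)]  # host scan
    fl += [Flow(t + i, "203.0.113.9", "192.0.2.12", 1 + i, 60) for i in range(30)]         # port scan
    fl += [Flow(t + 7, "192.0.2.13", "198.51.100.77", 22, 60)]                             # darknet hit
    fl += [Flow(t + 8, "192.0.2.14", "203.0.113.66", 6667, 500)]                           # C&C contact
    return fl


if __name__ == "__main__":
    fl = sample_flows()
    print("quota:", quota_violations(fl))
    print("host scans:", host_scans(fl))
    print("port scans:", port_scans(fl))
    print("darknet:", [(f.src, f.dst) for f in darknet_hits(fl)])
    print("c&c:", [(f.src, f.dst, f.dport) for f in cc_contacts(fl)])
```

Each detector is a single group-by over the flow stream, which is why this kind of analysis scales to border Netflow: the expensive part in a real deployment is keeping the per-key sets bounded and mapping a flagged IP back to a MAC and a responsible party (the ARP-table merge GULP does and the CIDR/domain database PAIRS carries), neither of which this example includes.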
Slides 49-55 (transcript gives the titles only):
49 Network Segmentation: Distribution of Inbound SMTP traffic
50 Network Segmentation: Visualization
51 Application Profiling: Identify components in the critical path
52 Application Profiling: Visualization Top 20
53 Application Profiling: Visualization Top 100
54 Access Policy for GSB: Services Provided from Uris Hall to Warren Hall
55 Access Policy for GSB: Services Provided from Warren Hall to Uris Hall