Global Information Assurance Certification Paper - GIAC Certifications
Global Information Assurance Certification Paper
Copyright SANS Institute. Author Retains Full Rights.
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.
Interested in learning more? Check out the list of upcoming events offering "Security Essentials Bootcamp Style (Security 401)" at http://www.giac.org/registration/gsec
Cricket … the next MRTG
John J. Renwick
30 March, 2001

MRTG is the Multi Router Traffic Grapher tool from Tobias Oetiker, which has been available since 1995 (http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/). Cricket is evolving to be the next generation of graphing tools (http://cricket.sourceforge.net/).

Cricket was created due to a need to forecast network growth and plan ahead for expansion. Cricket, like its predecessor MRTG, provides instantaneous management features such as: is the link up, what is the status of the routers, and what is the traffic load? Also, like MRTG, Cricket features graphical displays of network traffic trends over configurable time periods, with comparison to other dates or times. It provides information for long-term analyses of traffic trends on a specific link or an entire network.

The program, while looking much like MRTG, has been enhanced in many ways. It is more configurable, uses a hierarchical configuration tree, and gathers data from scripts, SNMP, Perl procedures, etc. It is made up of two modules, a collector and a grapher. The collector does the heart of the work, gathering the data while running out of cron and storing that data in Round Robin Database (RRD) files, which are then fed into the graphing program. The graphing program generates the display of the RRD data, which results in graphs similar to those displayed by MRTG.

Cricket has taken its place as the evolutionary successor to MRTG because, in addition to graphing data, it also gathers application and host-based statistics and is able to monitor such events as PVC states, cable modem signal strength, and router CPU load. While it displays much of the same information, the hierarchical configuration tree that it uses and improved code allow it to perform many more tasks much faster.
Quote from NETWORK WORLD FUSION FOCUS, 03/07/01: “It is a redesign of MRTG, which was mentioned last week. One reader mentioned that Cricket is much more scalable than MRTG. According to one reader, "we have completely replaced our Spectrum reports with those from Cricket."”

The program itself is a high performance, extremely flexible system which monitors trends in time-oriented data. The design of Cricket was expressly done to help overburdened network managers visualize, understand and react to the traffic on their networks. As stated above, Cricket is made up of two modules, a collector and a grapher. The collector runs from cron at 5-minute intervals, or it can be configured to run more often or less often depending on the needs of the network manager; however, you don’t want to set the interval too low, as you need to be able to receive and store the data requested in

© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.
less than the interval set. It stores the data into a database managed by RRDtool; more on this tool later. When you want to review the data that has been collected, you can simply use a web browser to view graphs of the data.

Cricket’s operation is governed by a set of config files called a config tree. The config tree defines everything Cricket needs to know about the types of data to be collected, where to get the data, and how to get it. The config tree is compact and easy to manage and was designed to minimize redundant information. Think of a config tree as a set of configuration files organized into a tree architecture; the hierarchical structure allows us to use inheritance to reduce repeated information in this configuration. To implement the tree in an easy to understand directory structure, we don’t allow complicated or tricky concepts such as multiple inheritance.

The rules that are present at the end of a branch are the compilation of all the rule sets in all the branches on the path leading from the trunk of the config tree to the end of the branch (see Figure 1). Lower rules always override higher rules. Rules that all of the system will share are located in the trunk of the config tree; in this example, the length of the polling interval is set there. At the next level, we set attributes that will be restricted to the current branch; at this level, typically you will find the target type. Finally, at the highest level we set things that will vary on a machine basis; for this example, we set the interface or machine name that we are trying to measure. By using the rules of inheritance, you avoid repeating, further down the tree, the rules set at the top of the config tree in its trunk.
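The rule-compilation walk described above, as an added example (not Cricket’s own code): a small Python model of a config tree in which every node has a single parent, a leaf’s effective rules are the merge of every rule set on the path from the trunk down, and lower rules override higher ones. The node names, rule keys and hostnames are constructed for this illustration and only loosely follow Cricket’s real config syntax.

```python
from typing import Dict, List, Optional

Rules = Dict[str, str]


class ConfigNode:
    """One directory in the config tree. A node has at most one parent, so
    there is no multiple inheritance: exactly one path leads up to the trunk."""

    def __init__(self, name: str, rules: Rules, parent: Optional["ConfigNode"] = None):
        self.name = name
        self.rules = rules
        self.parent = parent
        self.children: List["ConfigNode"] = []
        if parent is not None:
            parent.children.append(self)

    def path_from_trunk(self) -> List["ConfigNode"]:
        """All nodes on the branch, trunk first and this node last."""
        chain: List["ConfigNode"] = []
        node: Optional["ConfigNode"] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def effective_rules(self) -> Rules:
        """Compile every rule set on the path; a lower rule overrides a higher one."""
        merged: Rules = {}
        for node in self.path_from_trunk():
            merged.update(node.rules)      # later (lower) nodes win on duplicate keys
        return merged

    def find(self, name: str) -> Optional["ConfigNode"]:
        """Depth-first lookup of a node by name below this one."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def build_sample_tree() -> ConfigNode:
    """Constructed three-level tree modelled on Figure 1: the poll interval at the
    trunk, the target type per branch, the machine or interface at the leaves.
    Key names and hostnames are illustrative, not Cricket's exact syntax."""
    trunk = ConfigNode("trunk", {"poll-interval": "5 min"})
    routers = ConfigNode("Router", {"target-type": "router",
                                    "oids": "ifInOctets,ifOutOctets"}, trunk)
    hosts = ConfigNode("Host", {"target-type": "host", "oids": "hrProcessorLoad"}, trunk)
    ConfigNode("edge-router", {"snmp-host": "rtr1.example.invalid",
                               "interface": "Serial0"}, routers)
    # A leaf may override a trunk rule too, e.g. poll a slow machine less often.
    ConfigNode("nt-fileserver", {"snmp-host": "nt1.example.invalid",
                                 "poll-interval": "15 min"}, hosts)
    return trunk
```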
This three-level config tree in the example is a very simple layout, and in real network operations you will want to develop a more complex tree structure, for instance separating different sites or operations into different branches. There is a sample config tree that comes with Cricket that is just a starting point. There are no built-in limits on the shape or the architecture of the config tree, but too complex a tree can be a configuration management nightmare.

[Figure 1 (diagram): a config tree with "5 Min Poll" at the trunk, branches Router, Switch and Host, and leaves NT, HP, SUN, Host and NT]
Figure 1: Config Tree

Cricket is written entirely in Perl and was developed on Solaris machines running under Apache. It is known to work on Linux, HP-UX, variants of BSD, and some other operating systems.

RRDtool is written in C for speed, and comes in both a Perl module and a command line version, which means it can be used interactively or across a pipe from scripts. It is what does all the database work for Cricket. RRD achieves its high performance by using binary files to minimize I/O during the common update operation. RRDtool stores and normalizes the data after the collector retrieves it, and outputs the data into graphical format when the grapher asks for it. RRDtool accesses the data in a circular data-buffering method that makes the I/O two to three times faster than in MRTG. RRDtool can also keep an arbitrary number of data arrays, each fed at a different rate. For example, you can take 1680 samples taken every 5 minutes for an entire week’s worth of data alongside 720 samples taken every 30 minutes for an entire month’s worth of data.

If you are familiar with MRTG, you can see the parallel between RRDtool and MRTG’s graphing and logging features. It is significantly faster and more flexible than MRTG, and that is where its strength lies. RRD is more flexible than MRTG in at least two aspects. Number one, and probably its strongest attribute, is that it can take data from an arbitrary number of data sources; MRTG was limited to only two data sources, one for input bandwidth and one for output bandwidth. RRD is a system to store and display time-series data, which could be network bandwidth, machine-room temperature, server load average, router loads, etc.
It stores the data in a very compact, non-expanding method, utilizing a fixed-size database which grows linearly with the number of monitored devices, not with time, and it displays the detailed graphs by processing the data to enforce a certain data density. It is used with either shell or Perl scripts or by various frontends that poll the different network devices using a friendly Graphical User Interface (GUI).

RRDtool is available from http://ee-staff.ethz.ch/~oetiker/webtools/rrdtool/ . It is available for various UNIX and Linux platforms and for Windows NT and 2000.

RRDtool does not fully replace MRTG, and there is a very good reason for that: it allows other frontends to be used to interface to it, which allows for a much more robust tool than was ever envisioned by MRTG. It provides an excellent basis for building tools which work much better than MRTG. It is my understanding that MRTG-3 will also utilize RRDtool, therefore you can get a head start by utilizing the existing frontends written to take advantage of RRDtool, or you can program your own application-specific frontends.

Frontends:
The following frontends are available from Tobi Oetiker’s webpage: http://ee-staff.ethz.ch/~oetiker/webtools/rrdtool/frontends/
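The round-robin storage and consolidation described in the two paragraphs above, as an added example written for this edit rather than code from Cricket or RRDtool: a toy RRD in Python with one COUNTER data source and the paper’s two archives (1680 rows of 5-minute averages, 720 rows of 30-minute averages), the 32-bit counter-wrap correction RRDtool applies when a counter value decreases, and a fixed storage size that does not grow with time. Class and function names and the sample counter readings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STEP = 300                   # one primary data point every 5 minutes
COUNTER_WRAP = 2 ** 32       # a decreasing COUNTER is treated as a 32-bit wrap, as RRDtool does


@dataclass
class RoundRobinArchive:
    """One data array: every `pdp_per_row` primary points are averaged into one row."""
    pdp_per_row: int
    rows: int
    values: List[Optional[float]] = field(init=False)
    head: int = 0            # index of the next row to overwrite
    _acc: float = 0.0        # running sum for the row being built
    _seen: int = 0           # primary points already in that row

    def __post_init__(self) -> None:
        self.values = [None] * self.rows     # allocated once; the array never grows

    def consolidate(self, pdp: float) -> None:
        self._acc += pdp
        self._seen += 1
        if self._seen == self.pdp_per_row:
            self.values[self.head] = self._acc / self._seen
            self.head = (self.head + 1) % self.rows   # wrap around: oldest row is overwritten
            self._acc, self._seen = 0.0, 0

    def latest(self, n: int) -> List[Optional[float]]:
        """The n most recently written rows, oldest first."""
        return [self.values[(self.head - n + i) % self.rows] for i in range(n)]


class RoundRobinDB:
    """One COUNTER data source (e.g. an interface octet counter) feeding two archives
    at different rates: 1680 rows at 5 minutes and 720 rows at 30 minutes."""

    def __init__(self) -> None:
        self.last_ts: Optional[int] = None
        self.last_raw: Optional[int] = None
        self.archives = [RoundRobinArchive(1, 1680), RoundRobinArchive(6, 720)]

    def update(self, ts: int, raw: int) -> Optional[float]:
        """Turn a raw counter reading into a per-second rate and feed every archive."""
        if self.last_ts is not None and ts <= self.last_ts:
            raise ValueError("updates must be in increasing time order")
        rate = None
        if self.last_raw is not None:
            delta = raw - self.last_raw
            if delta < 0:                        # the counter wrapped; not a negative rate
                delta += COUNTER_WRAP
            rate = delta / (ts - self.last_ts)
            for rra in self.archives:
                rra.consolidate(rate)
        self.last_ts, self.last_raw = ts, raw
        return rate

    def capacity_rows(self) -> int:
        return sum(rra.rows for rra in self.archives)   # fixed, whatever the uptime


def demo() -> Dict[str, object]:
    """Constructed hour of polls: the counter wraps once and alternates two rates."""
    db = RoundRobinDB()
    t0, counter = 1_000_000, COUNTER_WRAP - 600_000
    db.update(t0, counter)
    for i in range(1, 13):                       # 12 more polls = one hour at STEP
        counter = (counter + (300_000 if i % 2 else 600_000)) % COUNTER_WRAP
        db.update(t0 + i * STEP, counter)
    return {"five_min": db.archives[0].latest(12),
            "thirty_min": db.archives[1].latest(2),
            "rows": db.capacity_rows()}
```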
Big Sister
The Big Sister system and network monitor concentrates on detecting failing services and systems, displaying status overviews and alarming. As a means of providing diagnostic information to the system administrator, Big Sister also collects trend data and uses RRDtool as a powerful and easy-to-use utility for storing and visualizing collected data.
Big Sister's features include:
• detection of service or system failure via an agent alarming
• display of consolidated and/or detailed status overviews
• collection and visualization of system performance data via RRDtool
• interconnection of different Big Sister sites
http://bigsister.graeff.com/

Ntop
Ntop is a web-based application for both Unix and Win32 that reports information about network traffic, similar to what the popular Unix top command does. Main ntop features include:
• Sort network traffic according to many (IP and non-IP) protocols
• Display traffic statistics
• Show IP traffic distribution among the various protocols
• Analyze IP traffic and sort it according to the source/destination
• Display IP Traffic Subnet matrix (who's talking to who?)
• Identify network security violations
• Ability to browse data from a WAP phone
• Ability to access data remotely using popular languages such as Perl and PHP
By means of the ntop Perl API, it is possible to extract live traffic data from ntop and easily store them into RRDtool. Thanks to RRDtool, network administrators can perform advanced and long-term traffic trend analysis. An early prototype of ntop+RRDtool can be found at http://www.ntop.org/RRD/.
http://www.ntop.org/

Remstats
Remstats is a statistics gathering and graphing system. The idea behind remstats is to run little data collection agents on remote machines and poll them from a central server where the data is kept. The data presentation happens on the fly with automatically generated rrdcgi scripts which create the necessary graphs on demand. Graphs can also be created statically if running rrdcgi is not possible.
http://silverlock.dgim.crc.ca/remstats/release/

RRGrapher
RRGrapher is a front-end for RRDtool that allows you to interactively build graphs of your own design. It allows you the freedom to use any combination of other RRDtool front-ends such as MRTG, Cricket, and 14all to create and maintain the .rrd files, but generate graphs containing data from any of those sources in the same graphs. Unlike other RRDtool front-ends, RRGrapher doesn't produce ".rrd" files; it is used in conjunction with other popular front-ends, or custom front-ends of your own devising.
RRGrapher's features include:
• A simple installation - RRGrapher is just a single CGI script.
• The ability to create graphs from data sources stored in many ".rrd" files, even those created by any number of different RRDtool front-ends.
• "Bookmark-able" URLs for your web browser - RRGrapher generates URLs which contain all the information needed to reproduce your custom graph, allowing you to produce them on demand in the future.
• Display of an rrdtool command line that you could use to generate the graph - RRGrapher could help you to learn how to use RRDtool, or will at least provide a command line which you can cut-and-paste to generate your graph in "batch" mode, for instance to display on a web page.
http://net.doit.wisc.edu/~plonka/RRGrapher/

NRG
NRG (aka Network Resource Grapher) is the result of work at WiscNet to design and implement a highly automated and scalable MRTG-like system.
http://nrg.hep.wisc.edu/

FwGold
A tool to graphically display Checkpoint Firewall-1® logging statistical data. Snapshots of graphics produced using FwGold can be seen here: http://rotoni.com/FwGold/example.htm
FwGold's features include:
• Firewall access statistics logging and graphics
• Keep graphics of last day, week, month and year statistical data
• RRDtool based (stores data into non-growing round robin databases)
• Completely Perl written (uses the RRDs Perl module)
• Client/Server structure (the server runs on the FW-1 management module, the client can be anywhere, perhaps where a Web server runs; the communication TCP port is configurable)
• Both client and server sides don't need to run as 'root'
• Fully configurable (users can freely define criteria to match when filtering the FW log and which DB and graphics to generate, which graphic format, colors and labels, which file names, etc.)
• Automatic generation of DBs, graphics and HTML files
• Automatic prevention of spikes in case of counter resets due to server restarts
• Automatic detection of missed data
• Automatic detection of configuration errors
• Default configuration file to generate common firewall statistics (total connections, connections per protocol, total accepted connections per protocol, etc.)
• Detailed installation and configuration instructions
http://rotoni.com/FwGold

Hoth
Hoth is an IP accounting tool exclusively for Linux 2.2, as it relies on the IPChains firewalling code (it will be ported to 2.4 once the kernel is stable). Hoth has the ability to account per source/destination IP, source/destination port, protocol, and interface, just like the real ipchains. Furthermore, you can stack every accounted data set. Hoth consists of an .ini-style config file, scripts for creating the firewall rules out of the config file, and a CGI script to view the accounted data as graphics, which are created in real time.
http://joker.rhwd.de/software/hoth/

NMIS
NMIS is a Network Management System which performs multiple functions from the OSI Network Management Functional Areas, mainly Fault and Performance Management. The idea is to make use of all that polling for performance stats and get fault management for free. Sample pages are available on the NMIS home page.
NMIS features include:
• The entire network is summarized into a single metric, which indicates reachability, availability and health of all network devices being managed by NMIS.
• Summary page for the entire network with reachability, availability, health and response time metrics
• Summary pages of devices including device information, health graph, and interface summary
• Color-coded events and status for at-a-glance interpretation.
• Graphing of Interface, CPU and Memory stats for Cisco Routers and Switches.
• Graphs can be drilled into.
• Graphs produced on the fly.
• Graphs can have varying lengths from 2 hours to 1 year
• Interface statistics are returned in Utilization, not just bits per second
• Response time graphed, and metrics for health and availability generated from statistics collected
• Integrated Fault and Performance Management
• Threshold engine which sends alerts on certain thresholds.
• Alert events are issued for device down or interface down
• Event levels are set according to how important the device is
• Events are "stateful", including thresholds, meaning that an event is only issued once.
• Notification engine can be expanded to handle any "command line" notification method, including email, paging, signs, speakers, etc.
• A list of current events is available, and there is an escalation level and the time the event has been active.
• Events are logged
• Outage time calculated for each down event
• Planned outages can be put in so alerts are not issued
• Reports for utilization, outages, etc.
• Find functions which search based on strings in interface types and descriptions.
• Dynamic handling of ifIndex changes and difficult SNMP interface handling
• Integrated logging facility to view events and syslog messages.
http://www.sins.com.au/nmis/

Bronc
Bronc aims to be the fastest front-end available for RRDtool.
It is written in Perl, using Mason as a template/component engine and mod_perl to speed things up. Bronc features:
• an SNMP collector, which queries SNMP-capable devices and stores measurements in RRDtool databases
• on-the-fly graphing using BRONC::Grapher, which runs under mod_perl
• an extensible, Perl-based configuration file, which allows for quick configuration of complex graphs
http://bronc.blueaspen.com

Orca
Orca is a tool useful for plotting arbitrary data from text files onto a directory on a Web server.
http://www.gps.caltech.edu/~blair/orca/

SLAMon
SLAMon is a front-end for RRDtool that allows you to calculate working-hour and 24-by-7 availability for anything that you're currently monitoring with RRDtool. The graphs and reports can cover any time period you're interested in: daily, monthly, yearly, etc. Currently SLAMon doesn't directly do any monitoring itself. For that you need another front-end to create and update RRD files for each resource. The measurements contained in these files are used as input by SLAMon to calculate availability and update the corresponding availability RRDs.
http://slamon.sourceforge.net

References
Allen, Jeff R. “About Cricket”. http://cricket.sourceforge.net/
Allen, Jeff R. “Driving by the Rear-View Mirror: Managing a Network with Cricket”. First Conference on Network Administration, Santa Clara, California, April 7-10, 1999. http://www.usenix.org/publications/library/proceedings/neta99/full_papers/allen/allen_html/index.html
Kramp, Bill. “Beyond MRTG”. SysAdmin, March 2000, Vol. 9 Issue 3.
Oetiker, Tobias. “mrtg - What is MRTG”. http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
Rasmussen, Audrey. “Your favorite tools, Part 2”. Network World Network Systems Management Newsletter, 03/07/01. http://www.nwfusion.com/newsletters/nsm/2001/00477466.html
Wilson, Brian. “Apache Server Page Load Monitoring With Cricket”. Web Review, 02/25/00. http://www.webreview.com/2000/02_25/designers/02_25_00_2.shtml