Network mgmt tools
Alan Crosswell
keeping the free love alive
alan@columbia.edu
February 2006

Credits
• Dan Medina
• Matt Selsky
• Megan Pengelly
• Martin Wren
• Johan Anderson
• Joel Rosenblatt
• + all the GPL tool authors

Outline
• Network management
• Switch management
• Router configs
• Log summarization
• Netflow
• Survivor systems monitor
• Intermapper

Outline
• Security
• GULP – auth log mining
• PAIRS – IDS
• Mazu – anomaly detection

Switchmgr
• Web interface to SNMP commands to Cisco CatOS/IOS switches/routers on campus
• Database backend provides another layer of information for ports:
  – Jack location information <-> port number
  – (LDAP) jack location <-> person

Switchmgr Privileges
• Use pamacea to authenticate users
• Users view/modify switches based on their Unix groups
  – Student RCCs can only view dorm switches
  – Cabling group can only modify jack location information

Screenshots: Switchmgr switch view, Switchmgr jack view, Switchmgr port view

Cisco Config Management
• Nightly backups into RCS to archive all switch and router configs
• Currently uses 'clogin' from the RANCID project to authenticate and run automatically
• Web-based comparison tool for viewing changes to configs over time, or can just use RCS at the command line
• Nightly email tells the group which switches & routers have changed their configurations since the previous day

Switch & Router Log Monitoring
• cisco-summary.pl emails log summaries to our group every day
• Person On Call ensures that all log messages are OK, or fixes any problems found

Netflow
• Track traffic going across the border
• CFlowd on a Linux machine to process flow files exported from main routers
• CUFlow builds on Cflow tools to provide graphs and charts per service or router
• CUQuota monitors bytes to and from internal hosts and polices them when they exceed 180 M/h upload or 350 M/h download

CUFlow
• Our graphing/charting Cflow class is GPL'd and available at http://www.columbia.edu/acis/networks/advanced/CUFlow

Survivor
• "It's a systems monitor. It monitors systems." Like Mon, Big Brother, Nagios, etc., but better or worse, depending on what features you like.
• http://freshmeat.net/projects/survivor/
• demo

Survivor filesystem check configuration (per host):

    # This file is used to configure the filesystem checking on each host.
    # The format of this file is
    #   filesysregex,warn,prob
    # Disks not explicitly listed here use the default thresholds in check.cf.
    # Disks listed here that don't exist are ignored.
    # Values must be greater than 0. 101 or greater will never match, and so
    # can be used to suppress warnings or problems.
    #
    # Important filesystems should have some spare space
    ^/$,90,94
    # Some hosts write variable stuff into /var, others /usr/var
    ^/usr$,90,94
    ^/var$,90,94
    # Generate warnings, but not problems, for filesystems holding software
    ^/usr/local,98,101
    ^/opt,98,101
    ^/miniopt,98,101
    ^/service,98,101
    # Some filesystems are never worth worrying about
    ^/m/mnt,101,101
    ...

Survivor check specification file:

    # Survivor check specification file
    check load {
      module load {
        warn 20
        prob 30
      }
    }
    check loadna {
      module snmp {
        community XXX
        oid .iso.3.6.1.4.1.789.1.2.1.3.0
        warnmatch gt[75]
        probmatch gt[90]
      }
      alert on noncritical alertplan
    }
    check ldapmain {
      module ldap {
        port 389
        filter sn=metz
        response objectclass=person
      }
      helpfile ldapmain
    }

GULP
• Authn syslogs are collected in a database:
  – user identity
  – service/server
  – client IP address
• Merged with:
  – MAC addresses (ARP tables polled)
  – RADIUS caller ID for dialups

GULP
• Web interface allows searching by:
  – IP addr
  – MAC addr
  – user identity
  – etc.
• demo

Screenshots: GULP - Marketscore; GULP – search for user

PAIRS
• Analyzes Netflow for:
  – host/port scanning
  – hitting a darknet
  – connecting to known C&C nodes
• Includes a responsible party database
  – by CIDR and domain
• demo

Mazu – anomaly detection (screenshot slide captions)
• Event Summary Information
• Host Scan Event (Tracking by MAC)
• Services Provided (Gnutella)
• Services Consumed (Gnutella)
• Right-Click (Drill Down)
• Gnutella Peers
• Policy to Detect Hosts Communicating on tcp/6667
• Columbia U Owned Hosts Initiating Connections for tcp/6667
• Columbia Owned Hosts Providing Services on tcp/6667
• Who is communicating on port tcp/6667?
• Port Scan Event
• Detailed Connection Attempts from Port Scan Event
• New Host Event – Is this a Change Control Violation?
• Services Provided by the New Host
• To Whom?
• Anomalous Connection for www.ais.columbia.edu (Internal Web Server)
• Why is www.ais.columbia.edu providing services on tcp/40046? Is this a mis-configuration?
• Detailed connection information associated with Anomalous Event
• Why is tcp/3400 the largest service provided by the ldappool application instead of tcp/389?
• In 1 hour, 142 unique peers connected to ldappool on tcp/3400.
• Global BW Utilization for Columbia U
• BW Graph for Barnard College
• Server Consolidation: Distribution of external Web traffic to GSB.
• Network Segmentation: Distribution of Inbound SMTP traffic
• Network Segmentation: Visualization
• Application Profiling: Identify components in the critical path
• Application Profiling: Visualization Top 20
• Application Profiling: Visualization Top 100
• Access Policy for GSB: Services Provided from Uris Hall to Warren Hall
• Access Policy for GSB: Services Provided from Warren Hall to Uris Hall
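The Survivor filesystem check file above documents its own semantics: `filesysregex,warn,prob` rules, values greater than 0, and a 101 threshold that a percentage can never reach and so suppresses that state. This added example (not Survivor's own code) implements that evaluation over a constructed config; first-match-wins ordering, `>=` comparison and the `check.cf` defaults are assumptions, since the slide does not state them.

```python
import re

# Constructed sample in the format the Survivor slide documents ("filesysregex,warn,prob",
# one rule per line, '#' comments); the thresholds are the ones on the slide.
FS_CONFIG = """
# Important filesystems should have some spare space
^/$,90,94
^/usr$,90,94
^/var$,90,94
# Warnings only for software filesystems: 101 never matches a percentage
^/usr/local,98,101
^/opt,98,101
# Never worth worrying about
^/m/mnt,101,101
"""

# Assumed defaults: the slide says unlisted disks use check.cf, which is not shown.
DEFAULT_WARN, DEFAULT_PROB = 90, 95

def parse_fs_config(text):
    """Return [(compiled_regex, warn, prob)] in file order, skipping comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, warn, prob = line.rsplit(",", 2)
        warn, prob = int(warn), int(prob)
        if warn <= 0 or prob <= 0:  # the file format requires values greater than 0
            raise ValueError(f"thresholds must be greater than 0: {line!r}")
        rules.append((re.compile(pattern), warn, prob))
    return rules

def thresholds_for(mount, rules):
    """First matching rule wins (assumed ordering); unmatched mounts get the defaults."""
    for regex, warn, prob in rules:
        if regex.search(mount):
            return warn, prob
    return DEFAULT_WARN, DEFAULT_PROB

def check_filesystems(usage, rules):
    """Classify each mount's percent-used as 'ok', 'warn' or 'prob' (>= is assumed).
    A percentage can never reach 101, so a 101 threshold suppresses that state."""
    results = {}
    for mount, pct in usage.items():
        warn, prob = thresholds_for(mount, rules)
        results[mount] = "prob" if pct >= prob else "warn" if pct >= warn else "ok"
    return results
```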
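GULP's value is the join: an authentication record (user, service/server, client IP) merged with the MAC address the polled ARP table saw for that IP, then searchable by any of those fields. This added example, not GULP's own code, shows that merge over constructed sshd syslog lines and a single constructed ARP snapshot (GULP polls repeatedly and would match on time as well; the snapshot is a simplification).

```python
import re
from collections import namedtuple

# Constructed sshd syslog lines; hosts, users and addresses (RFC 5737 ranges) are made up.
AUTH_LOGS = [
    "Feb  6 10:01:22 cunix sshd[4121]: Accepted publickey for alice from 192.0.2.21 port 51234 ssh2",
    "Feb  6 10:03:07 cunix sshd[4130]: Accepted password for bob from 198.51.100.77 port 50011 ssh2",
    "Feb  6 10:09:41 mail sshd[882]: Accepted publickey for alice from 198.51.100.77 port 50020 ssh2",
    "Feb  6 10:10:02 cunix sshd[4140]: Failed password for root from 198.51.100.77 port 50030 ssh2",
]

# Constructed ARP-table poll (IP -> MAC); one snapshot stands in for GULP's periodic polls.
ARP_TABLE = {"192.0.2.21": "00:11:22:33:44:55", "198.51.100.77": "aa:bb:cc:dd:ee:ff"}

AuthEvent = namedtuple("AuthEvent", "time server service user client_ip mac")

# Syslog header, program[pid], then the sshd "Accepted <method> for <user> from <ip>" body.
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<server>\S+) (?P<service>\w+)\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def load_events(lines, arp):
    """Index successful authentications and merge in the MAC the ARP poll saw for the client IP."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # failures and unrelated lines are not indexed in this example
        events.append(AuthEvent(m["time"], m["server"], m["service"], m["user"],
                                m["ip"], arp.get(m["ip"])))  # mac is None if never polled
    return events

def search(events, **criteria):
    """Return events whose fields equal every keyword given, e.g. search(ev, user="alice")."""
    return [e for e in events
            if all(getattr(e, field) == value for field, value in criteria.items())]
```

Searching by MAC is what lets a dorm machine be tied to a person even after its IP lease changes, which is why the ARP poll is merged in rather than just the IP.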
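The PAIRS slide lists three Netflow detections (host/port scanning, darknet hits, connections to known C&C nodes) plus a responsible-party database keyed by CIDR. This added example is not PAIRS's code: it runs those detections over constructed flow records and attaches a contact from a constructed CIDR table; the darknet range, the placeholder C&C address, the scan thresholds and the contact are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); addresses, the darknet and
# the "known C&C" entry are invented for this example, not real indicators.
FLOWS = [
    ("10.0.0.5", "10.0.1.1", 445), ("10.0.0.5", "10.0.1.2", 445), ("10.0.0.5", "10.0.1.3", 445),
    ("10.0.0.5", "10.0.1.4", 445), ("10.0.0.5", "10.0.1.5", 445),
    ("10.0.0.9", "10.0.2.7", 21), ("10.0.0.9", "10.0.2.7", 22), ("10.0.0.9", "10.0.2.7", 23),
    ("10.0.0.9", "10.0.2.7", 25), ("10.0.0.9", "10.0.2.7", 80),
    ("10.0.0.12", "10.0.250.4", 80),         # destination lies in the darknet
    ("10.0.0.30", "203.0.113.55", 6667),     # destination is the placeholder C&C node
    ("10.0.0.31", "10.0.3.3", 80),           # ordinary traffic, should raise nothing
]
DARKNET = ipaddress.ip_network("10.0.250.0/24")   # assumed routed-but-unused range
KNOWN_CC = {"203.0.113.55"}                        # placeholder (TEST-NET-3 address)
HOST_SCAN_MIN = PORT_SCAN_MIN = 5                  # assumed detection thresholds
# Responsible-party database keyed by CIDR, as the slide describes (constructed).
RESPONSIBLE = {ipaddress.ip_network("10.0.0.0/24"): "dorm-net@example.edu"}

def responsible_party(ip):
    """Longest-prefix lookup of the contact for an address; None if unassigned."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in RESPONSIBLE if addr in n]
    return RESPONSIBLE[max(hits, key=lambda n: n.prefixlen)] if hits else None

def analyze(flows, darknet=DARKNET, known_cc=KNOWN_CC):
    """Return (event_type, source, detail, contact) tuples in the spirit of PAIRS."""
    events = []
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    ports_per_host = defaultdict(set)   # (src, dst)   -> distinct destination ports
    for src, dst, dport in flows:
        hosts_per_port[(src, dport)].add(dst)
        ports_per_host[(src, dst)].add(dport)
        if ipaddress.ip_address(dst) in darknet:
            events.append(("darknet", src, dst))
        if dst in known_cc:
            events.append(("c2", src, f"{dst}:{dport}"))
    for (src, dport), dsts in hosts_per_port.items():
        if len(dsts) >= HOST_SCAN_MIN:
            events.append(("host_scan", src, f"{len(dsts)} hosts on tcp/{dport}"))
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= PORT_SCAN_MIN:
            events.append(("port_scan", src, f"{len(ports)} ports on {dst}"))
    return [(kind, src, detail, responsible_party(src)) for kind, src, detail in events]
```

A darknet hit needs no threshold because legitimate traffic has no reason to reach an unused range, which is why it is the cheapest of the three signals to act on.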