Network Security
Practices You Can’t
Do Without
Presenter:
Steve Kuzma, IT Solutions
Who we are:
Why do we have network alerts?
• Knowledge
• Understanding
• Proactive response
• Reactive response
• Overall Preparedness
What should we be monitoring?
• Hardware
• Power
• Internet
• Internal Network
• Environmental Monitoring
• Event logs
• Applications
How to monitor alerts:
• Endpoint management software
• Scripts
• Solarwinds
• Spiceworks
• Windows
Hardware
• Event logs
• Manufacturer’s System Tools
• Endpoint
• Hard Drives
• Memory
• CPU
Power
• UPS Management Software
• Run time
• Load
• Load battery self tests
• Battery status
* Some devices have the ability to do environmental monitoring
Internet
• Ping Checks
• Logic Monitor
• SolarWinds
• Up/Down
• Bandwidth
Internal Network
• Logic Monitor
• Ping Checks
• SolarWinds
• Built-in administration
• Firewalls
• Wireless
• Physical Access
Environmental Monitoring
• Room Alert
• IT WatchDog
• Temperature
• Humidity
• Moisture
• UPS Add-ons
Event Logs
• Endpoint Management
• Windows
• Failures
• Processes
• Login Attempts
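The "Failures" and "Login Attempts" items above are where event-log monitoring earns its keep. The following is an added example (not part of the presentation) of the detection logic a script or endpoint-management tool would run over Windows Security log entries: it parses constructed, simplified log lines (timestamp, event ID, account, source address), raises an alert when one account/source pair accumulates five or more 4625 (logon failure) events inside a five-minute window, and raises a second alert if a 4624 (successful logon) for the same pair follows shortly after. The line format, thresholds and sample data are assumptions for the example; real exports carry many more fields.

```python
"""Failed-logon pattern detection over Windows Security log lines.

Added example, not from the presentation. The input format below is a
constructed simplification: "<ISO timestamp> <event id> <account> <source>".
Event IDs used: 4625 = logon failure, 4624 = successful logon,
7034 = a service terminated unexpectedly (included as a non-logon event).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable detection parameters (assumed values for the example)
FAIL_THRESHOLD = 5                  # failures per account/source before alerting
WINDOW = timedelta(minutes=5)       # sliding window for counting failures
SUCCESS_GRACE = timedelta(minutes=1)  # 4624 this soon after a breach is suspicious

# Constructed sample log: jsmith fails five times in seconds, then succeeds;
# mjones has one failure and a success 15 minutes later (normal typo pattern).
SAMPLE_EVENTS = """\
2016-03-01T09:00:01 4625 jsmith 10.0.0.5
2016-03-01T09:00:03 4625 jsmith 10.0.0.5
2016-03-01T09:00:04 4625 jsmith 10.0.0.5
2016-03-01T09:00:06 4625 jsmith 10.0.0.5
2016-03-01T09:00:07 4625 jsmith 10.0.0.5
2016-03-01T09:00:09 4624 jsmith 10.0.0.5
2016-03-01T09:15:00 4625 mjones 10.0.0.7
2016-03-01T09:30:00 4624 mjones 10.0.0.7
2016-03-01T10:00:00 7034 SYSTEM -
"""


def parse_events(text):
    """Parse the simplified log format into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def detect_logon_abuse(events):
    """Return alert strings for repeated failures and for success-after-failures."""
    recent_failures = defaultdict(deque)  # (account, source) -> failure timestamps in window
    breached_at = {}                      # (account, source) -> time threshold was crossed
    alerts = []
    for ts, event_id, account, source in sorted(events):
        key = (account, source)
        if event_id == 4625:
            window = recent_failures[key]
            window.append(ts)
            # Drop failures that have aged out of the sliding window
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in breached_at:
                breached_at[key] = ts
                alerts.append(
                    f"{ts.isoformat()} {account}@{source}: "
                    f"{len(window)} failed logons within {WINDOW}"
                )
        elif event_id == 4624:
            breach = breached_at.get(key)
            if breach is not None and ts - breach <= SUCCESS_GRACE:
                alerts.append(
                    f"{ts.isoformat()} {account}@{source}: "
                    "successful logon shortly after repeated failures"
                )
    return alerts


def count_by_event_id(events):
    """Simple per-event-ID tally, useful as the baseline for trend analysis later."""
    counts = defaultdict(int)
    for _, event_id, _, _ in events:
        counts[event_id] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print(count_by_event_id(parsed))
    for alert in detect_logon_abuse(parsed):
        print(alert)
```

The per-pair sliding window keeps the rule robust against a single user mistyping a password over the course of a morning, while the success-after-failures rule is the one worth routing to a person rather than a dashboard.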
Applications
• Endpoint Management
• Windows
• Performance Monitor
• Services
• Utilization
Do I need all of these alerts?
• Proactive vs. Reactive
• You’re the authority
• Preparing for the future
Predictive Monitoring: Looking for Bottlenecks
Two Methods:
1. Know the limits of your equipment
• Routing/switching speeds on networking gear
• Throughput of inter-equipment links
• IOPS, transfer rates on storage
2. Find your baseline
• You can’t do trend analysis without a baseline
Trend Analysis
• Requires historical monitoring, so you need a
monitoring engine
• Establish a baseline – a week of growth isn’t
necessarily a trend
• We’ll look at some common metrics, but if you’re
not sure, overdo it and monitor it all
• Overhead should be relatively insignificant
• Try to correlate the trend to a reason so you can
better understand and predict
Start simple with physical servers
• CPU > 80%, RAM > 80%, HD < 15%
• Monitoring this is still not predictive!
Look at the trends:
• January RAM was 60%, February was 65%, March was
70%...when do you upgrade?
Is a RAM upgrade the right choice? New server?
• Depends on your BASELINE – is CPU trending as well?
• Also depends on business metrics – did this correspond
with increased web traffic due to a marketing push?
• Can you get the business forecast and prepare?
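The slides' RAM example (60%, 65%, 70% over three months) and the questions that follow it are a small capacity-planning calculation. Below is an added example, not from the presentation, that carries it through in code: the static thresholds from the "start simple" slide, a least-squares line fitted over the baseline samples to project how many periods remain before the 80% threshold is reached, and a Pearson correlation against a business metric (web connections) to test whether the growth has a reason behind it. The sample values are constructed; the CPU series is deliberately flat so the code can show a trend that is not worth acting on, and "HD < 15%" is read here as free disk space below 15%.

```python
"""Threshold checks, baseline trend projection and metric correlation.

Added example, not from the presentation. All sample series are constructed.
"""
import math
from typing import Optional, Sequence

# Thresholds from the "start simple" slide; HD < 15% read as free space (assumption)
THRESHOLDS = {"cpu_pct": 80.0, "ram_pct": 80.0, "disk_free_pct": 15.0}

# Constructed monthly samples: January, February, March
RAM_MONTHLY = [60.0, 65.0, 70.0]            # the slide's example
CPU_MONTHLY = [40.0, 41.0, 40.5]            # flat: not trending with RAM
WEB_CONNECTIONS_MONTHLY = [1000.0, 1250.0, 1500.0]  # business metric to correlate


def static_alerts(cpu_pct: float, ram_pct: float, disk_free_pct: float) -> list:
    """Reactive checks: CPU > 80%, RAM > 80%, free disk < 15%. Not predictive."""
    alerts = []
    if cpu_pct > THRESHOLDS["cpu_pct"]:
        alerts.append("cpu")
    if ram_pct > THRESHOLDS["ram_pct"]:
        alerts.append("ram")
    if disk_free_pct < THRESHOLDS["disk_free_pct"]:
        alerts.append("disk")
    return alerts


def linear_fit(samples: Sequence[float]) -> tuple:
    """Least-squares slope and intercept with x = 0, 1, 2, ... (one unit per sample)."""
    n = len(samples)
    if n < 2:
        raise ValueError("a baseline needs at least two samples")
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(samples) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, samples))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def periods_until(samples: Sequence[float], threshold: float,
                  min_slope: float = 0.5) -> Optional[float]:
    """Periods after the last sample until the fitted line reaches threshold.

    Returns None when growth per period is below min_slope (no actionable
    trend), and 0.0 when the fitted value is already at or above threshold.
    """
    slope, intercept = linear_fit(samples)
    if slope < min_slope:
        return None
    last_x = len(samples) - 1
    if intercept + slope * last_x >= threshold:
        return 0.0
    return (threshold - intercept) / slope - last_x


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Correlation coefficient; near +1 means the series grow together."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("series must be the same length, at least two points")
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


if __name__ == "__main__":
    print("static alerts now:", static_alerts(CPU_MONTHLY[-1], RAM_MONTHLY[-1], 40.0))
    print("months until RAM hits 80%:", periods_until(RAM_MONTHLY, THRESHOLDS["ram_pct"]))
    print("months until CPU hits 80%:", periods_until(CPU_MONTHLY, THRESHOLDS["cpu_pct"]))
    print("RAM vs web connections r =", pearson(RAM_MONTHLY, WEB_CONNECTIONS_MONTHLY))
```

With the constructed data the static checks are silent, yet the projection says RAM reaches 80% two months after March; the flat CPU series returns no trend, which argues for a RAM upgrade rather than a new server, and the correlation of 1.0 with web connections is the cue to ask for the marketing forecast before ordering.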
Monitoring Applications
Helps determine what is driving overall utilization,
but also critical for user/business impact
• Databases are disk dependent (read rate, write
rate, latency)
• Websites are network dependent (number of
connections, network throughput)
Too many to go through here, but know your
applications or build up a baseline
Monitoring networking equipment
• Most manufacturers publish metrics such as
maximum throughput with and without services
Network Metrics (router/switch/firewall)
CPU – most reliable “how hard is it working” metric
• In many cases, this is the bottleneck that drives the
published numbers
Interfaces of critical equipment – how much data is
the link pushing? Is it time to add more connections?
• Inter-switch links – a 1Gbps link isn’t that difficult to
saturate
Watch the trend and strategize!
SAN Metrics
• Controller CPU – overall performance
• Read and Write Latency – biggest determinant
in perceived speed
• IOPS – particularly in virtualization workloads,
how busy is the SAN?
• Throughput on network connections/FC ports –
is the interface an issue?
• Throughput to disk shelves – is it safe to add
more shelves?
Virtualization Metrics
• Host metrics: CPU%, Memory%, Network%
• Advanced host metrics:
• CPU Ready % – percentage of time a VM is ready to run
but the physical CPU is unavailable
• Under 5% is generally considered acceptable
• vCPU Ratio – how many virtual CPUs per physical
core?
• Different opinions – consensus is 2:1 or 3:1 but it is workload
dependent. Try to keep biggest CPU users away from each
other.
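The CPU Ready and vCPU ratio bullets above are the two virtualization numbers most often misread. The following is an added example, not from the presentation: it converts a raw CPU Ready summation counter (milliseconds over a sampling interval, which is how vSphere reports it) into the per-vCPU percentage the 5% rule of thumb refers to, computes the vCPU-to-physical-core ratio against the 3:1 ceiling, and shows a greedy placement that keeps the biggest CPU consumers on different hosts. The conversion formula follows VMware's documented one (summation ms divided by interval ms, times 100, then divided by vCPU count); the 20-second interval, VM sizes and demand figures are constructed.

```python
"""Virtualization metric helpers: CPU Ready %, vCPU ratio, VM placement.

Added example, not from the presentation. Sample values are constructed.
"""

CPU_READY_WARN_PCT = 5.0   # slide: under 5% generally considered acceptable
VCPU_RATIO_WARN = 3.0      # slide: consensus 2:1 or 3:1, workload dependent


def cpu_ready_pct(ready_summation_ms: float, interval_s: float, vcpus: int) -> float:
    """Per-vCPU CPU Ready percentage from a summation counter.

    Documented conversion: summation_ms / (interval_s * 1000) * 100 gives the
    VM-wide percentage; the counter covers every vCPU, so dividing by the vCPU
    count yields the per-vCPU figure that the 5% guideline is about.
    """
    if interval_s <= 0 or vcpus <= 0:
        raise ValueError("interval and vCPU count must be positive")
    vm_total_pct = ready_summation_ms / (interval_s * 1000.0) * 100.0
    return vm_total_pct / vcpus


def cpu_ready_ok(ready_summation_ms: float, interval_s: float, vcpus: int) -> bool:
    """True when per-vCPU ready time is within the acceptable range."""
    return cpu_ready_pct(ready_summation_ms, interval_s, vcpus) < CPU_READY_WARN_PCT


def vcpu_ratio(vm_vcpu_counts, physical_cores: int) -> float:
    """Total configured vCPUs per physical core on a host."""
    if physical_cores <= 0:
        raise ValueError("physical core count must be positive")
    return sum(vm_vcpu_counts) / physical_cores


def vcpu_ratio_ok(vm_vcpu_counts, physical_cores: int) -> bool:
    return vcpu_ratio(vm_vcpu_counts, physical_cores) <= VCPU_RATIO_WARN


def place_vms(cpu_demand_mhz: dict, host_count: int) -> list:
    """Greedy spread: heaviest consumers first, each to the least-loaded host.

    Sorting by demand descending means the top consumers land on different
    hosts before anything else is placed, which is the slide's advice to keep
    the biggest CPU users away from each other.
    """
    if host_count <= 0:
        raise ValueError("need at least one host")
    loads = [0.0] * host_count
    placement = [[] for _ in range(host_count)]
    for name, demand in sorted(cpu_demand_mhz.items(), key=lambda kv: -kv[1]):
        target = min(range(host_count), key=lambda i: loads[i])
        placement[target].append(name)
        loads[target] += demand
    return placement


if __name__ == "__main__":
    # Constructed: 4-vCPU VM, 20 s real-time interval, 2000 ms ready summation
    print("CPU Ready per vCPU:", cpu_ready_pct(2000, 20, 4), "%")
    # Constructed: five VMs totalling 16 vCPUs on an 8-core host
    print("vCPU ratio:", vcpu_ratio([4, 4, 2, 2, 4], 8))
    print(place_vms({"db1": 8000, "web1": 6000, "app1": 4000, "file1": 2000}, 2))
```

Note that a 2000 ms summation reads as an alarming 10% if the vCPU division is skipped; per vCPU it is 2.5%, comfortably inside the guideline.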
More virtualization metrics…
• Memory swapping – host or VM
• Avoid it at all costs. Not only is it slow, but it overtaxes
storage resources as well.
• Storage throughput and latency from hosts
• Particularly NFS – even if you have multiple links,
there is no “overflow”, so one data stream can still only
utilize one single link (i.e. 1Gbps/10Gbps)
Business-type metrics
• Look at these types of things to see what is driving
your increased/decreased utilization:
• Number of connections (website, database, etc.)
• Inbound traffic from outside sources (router interface,
VPN, etc.)
• Accounts created, accounts deleted or inactive
• Might need to create custom counters within the DB
It’s not always about upgrading!
• Metrics that are trending towards problem areas are an
opportunity to grow or an opportunity to become more
efficient.
• Check with application owners and developers to see if
they have any input on your metrics.
• Yes, growing from 2 to 10 application users is a 5x
increase, but should you need another server at 10
users? Or is there efficiency to be gained by disabling
services or rewriting inefficient code?
Firewall Management and Best Practices
• Proactive monitoring / management
• Backing up running configuration
• Automating
• Ping checks
• Predictive monitoring
• Monitoring uplinks for traffic
• Port Lockdown and documentation
• Management Lockdown
Q&A
Next Webinar:
PC Security: How to Avoid Malware, Spyware and
Viruses
Wednesday, March 16, 2016
2:00 – 3:00PM (EST)