Regardless of how you choose to monitor your organization's network, you must do so in a secure manner. The data you collect—even if it's just a ping response—is a treasure trove for black hats trying to map and break into your network.
Using ICMP to ping devices to monitor your network won't return performance statistics or tell you whether a specific service is running. But it will tell you if a network device is alive and able to respond to network traffic.
Ping is one of the oldest forms of monitoring, and that means it's also one of the oldest exploitable methods of monitoring and mapping your network. Therefore, be extremely cautious about allowing just any IP address to ping critical components of your network, and take steps to control that traffic with access lists on your external and internal routers.
Here's a sample entry for the access list on the routers between your network monitor server and the devices you want to monitor:
access-list 101 permit icmp host network.monitoring.server host monitored.device echo
You also need to permit the response back to the monitor server with the following entry:
access-list 102 permit icmp host monitored.device host network.monitoring.server echo-reply
Replace network.monitoring.server and monitored.device with the IP address of your monitoring server and the device you're monitoring, respectively. The host keyword matches exactly that one address, so no wildcard mask is needed.
Monitoring via SNMP polling can provide a wealth of information and build performance statistics that you can use to analyze your network. This approach uses a management information base (MIB), which is a database of objects that a network management system can monitor. Device manufacturers define MIBs, but you can also create your own.
SNMP is a bit more dangerous to use than ping. It not only allows you to read information but also lets you change device settings.
For monitoring purposes, you should implement read-only SNMP strings on the devices you're monitoring. You must also control SNMP through your network.
Here's a sample entry for the access list:
access-list 101 permit udp host network.monitoring.server host monitored.device eq snmp
Again, you also need to permit the response back to the monitor server with the following entry. Note that the reply leaves the monitored device from source port 161 (snmp), so the port match belongs on the source, not the destination:
access-list 102 permit udp host monitored.device eq snmp host network.monitoring.server
When implementing monitoring via SNMP, make sure that you remove the default read-only and read-write community strings and restrict SNMP polling to the network monitoring server's IP address.
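The ping and SNMP access lists above are easy to get subtly wrong, especially the reply direction. The following added example (not from the original article; the addresses are constructed RFC 5737 documentation values) models both access lists as first-match rules, renders them as IOS lines, and shows that a poll from anything other than the monitoring server falls through to the implicit deny, while a reply rule that puts eq snmp on the destination instead of the source never matches a real SNMP reply.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example addresses (RFC 5737 documentation ranges), not from the article.
MONITOR = "192.0.2.10"      # network monitoring server
DEVICE = "198.51.100.7"     # monitored router

@dataclass(frozen=True)
class Packet:
    proto: str               # "icmp" or "udp"
    src: str
    dst: str
    sport: int = 0           # UDP source port (0 when not applicable)
    dport: int = 0           # UDP destination port
    icmp_type: str = ""      # "echo" or "echo-reply"

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None      # "eq" on the source port
    dport: Optional[int] = None      # "eq" on the destination port
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src == p.src and self.dst == p.dst
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))

    def ios(self, number: int) -> str:
        """Render as the IOS extended access-list line this rule models."""
        s = f" eq {self.sport}" if self.sport is not None else ""
        d = f" eq {self.dport}" if self.dport is not None else ""
        t = f" {self.icmp_type}" if self.icmp_type else ""
        return f"access-list {number} permit {self.proto} host {self.src}{s} host {self.dst}{d}{t}"

# ACL 101 covers polls toward the device; ACL 102 covers replies to the server.
# An SNMP reply leaves the device from source port 161, so the reply rule matches sport.
ACL_101: List[Rule] = [Rule("icmp", MONITOR, DEVICE, icmp_type="echo"),
                       Rule("udp", MONITOR, DEVICE, dport=161)]
ACL_102: List[Rule] = [Rule("icmp", DEVICE, MONITOR, icmp_type="echo-reply"),
                       Rule("udp", DEVICE, MONITOR, sport=161)]
# The common mistake: matching port 161 on the *destination* of the reply. It never matches.
MISTAKEN_REPLY_RULE = Rule("udp", DEVICE, MONITOR, dport=161)

def permitted(acl: List[Rule], packet: Packet) -> bool:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    return any(r.matches(packet) for r in acl)
```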
Monitoring via an agent deployed as part of a monitoring server typically provides the most in-depth information about the devices you want to monitor and the services running on those devices. It uses a nonstandard port that you must also control with an access list.
If you want to monitor devices across a WAN link, consider implementing a VPN between the monitoring server and the monitored devices. Not all devices support SNMP v2, which encrypts SNMP sessions. (SNMP v1 sends SNMP information via clear text.) A VPN can help secure your monitoring information.
Monitoring your network is an essential function that provides the status of your business resources. The method you use to gather this information often depends on how critical network status is to your company and the size of the check it's willing to write to get the job done. But regardless of which monitoring method you choose, make sure you monitor your network in a secure manner.