Use free tools to monitor abnormal behavior

Sometimes, the best security practices start with looking for trouble, instead of waiting for trouble to find you.

IT security has quickly become more reactive than proactive, with IT managers struggling to keep up with the latest attack vectors instead of heading them off at the pass. That may be an oversimplification of the highly complex security posture that many enterprises pursue, but it is nonetheless a reality cemented by the reactive nature of today's security systems, which rely on prior detections and signatures to halt malicious behavior.

Moving from a reactive to a proactive mindset takes a lot of work on the part of security administrators: it means understanding what normal network flow looks like, as well as what normal application use looks like, and that is not an easy task by any measure. The situation has pushed many a system administrator toward automated tools that use artificial intelligence to decide what is normal and what isn't, yet those tools lack the most powerful capability, one that can be summed up as intuition: a system admin who instinctively knows what is normal and what is not.

How does one achieve that level of intuition? It takes getting your hands dirty with the packets that move across the network and being able to drill down from a 10,000-foot view into the activities that make up normal network transactions. Naturally, there are plenty of expensive monitoring tools that claim to make the process much easier, but the simple fact of the matter is that a network administrator needs to learn the basics before delving into complex, automated, graphics-heavy consoles to determine what constitutes normal network traffic.

Sometimes the best place to start is with the free network monitoring tools that have come to populate the realms of shareware, freeware and trialware, any of which may provide the basics for learning about traffic flow and anomalies, and further educate network administrators on what is happening across their networks.

Case in point is network monitoring software vendor Paessler, a German company looking to make inroads into the enterprise network monitoring market. The company offers a freeware version of its PRTG Network Monitor (limited to 10 sensors) in the hope that enterprises will take the bait and see what a full-fledged network monitoring solution can offer.

Buried within that freeware offering is the capability to deploy a Syslog/SNMP Trap Server, a tool that can gather information from applications and devices across the network. By now, network administrators should fully understand the advantages offered by the syslog standard, which devices and applications use to send informational, diagnostic and debugging messages about system events, outages, critical conditions and the like, each tagged with a facility (the subsystem that produced it) and a severity level.

A central syslog server collects the log information from the network's devices and raises a notification when certain events occur; which events is defined by the types of events, alerts or warnings the devices and software offer. Syslog servers can also be configured to receive SNMP traps, which are asynchronous notifications sent by SNMP-enabled devices. Combined, syslog and SNMP traps can be used to report on important incidents and data. The trick is to make sure that the information gathered is relevant to the normal or abnormal behavior of traffic, and that may take some experimentation. One caveat worth remembering while experimenting: classic syslog runs over unauthenticated UDP, and SNMPv1/v2c traps carry only a plaintext community string, so anything that can spoof a source address can inject events into your baseline. Restrict which sources the collector accepts, and prefer syslog over TLS and SNMPv3 where the devices support them.
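To make the "learn what normal looks like" idea concrete, here is a small added example (not code from the post or from Paessler's PRTG) that does what a minimal central syslog collector does once the messages arrive: it parses RFC 3164-style lines into facility, severity, host and message, learns a per-host messages-per-minute baseline from a quiet period, and then flags three things in live traffic: any message at severity crit or worse, any host whose rate in a minute departs from its baseline, and any host that never appeared in the baseline at all. The log lines below are constructed for the example (hosts fw1, web1 and rogue are invented); the sigma and min_delta thresholds are assumptions you would tune against your own traffic.

```python
"""Toy syslog baseline/anomaly check. Added example with constructed sample data."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Severity and facility names follow the numeric codes defined in RFC 3164.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
                 [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG  (the BSD syslog line format)
LINE_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line):
    """Return a dict for one RFC 3164 line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23*8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": FACILITY_NAMES[pri >> 3],   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "severity_name": SEVERITY_NAMES[pri & 7],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def minute_bucket(ts):
    """'Oct 11 22:14:15' -> 'Oct 11 22:14' (one-minute aggregation window)."""
    return ts[:-3]


def baseline_rates(events):
    """Per host: (mean, population stddev) of messages per minute in the training set."""
    per_host_minute = defaultdict(Counter)
    for e in events:
        per_host_minute[e["host"]][minute_bucket(e["timestamp"])] += 1
    return {host: (mean(c.values()), pstdev(c.values()))
            for host, c in per_host_minute.items()}


def find_anomalies(baseline, events, max_severity=2, sigma=3.0, min_delta=5):
    """Alert on: severity <= max_severity (crit/alert/emerg), a host unseen in the
    baseline, or a host/minute count more than `sigma` stddevs above its mean.
    min_delta stops a quiet host from being flagged for a couple of extra lines."""
    alerts = []
    per_host_minute = defaultdict(Counter)
    for e in events:
        if e["severity"] <= max_severity:
            alerts.append(("severity", e["host"], e["severity_name"], e["message"]))
        per_host_minute[e["host"]][minute_bucket(e["timestamp"])] += 1
    for host, counts in per_host_minute.items():
        for minute, n in sorted(counts.items()):
            if host not in baseline:
                alerts.append(("new_host", host, minute, n))
                continue
            mu, sd = baseline[host]
            if n > mu + sigma * sd and n - mu >= min_delta:
                alerts.append(("rate", host, minute, n))
    return alerts


def analyze(baseline_lines, live_lines):
    """Parse both sets, learn the baseline from the first, report anomalies in the second."""
    train = [e for e in map(parse_line, baseline_lines) if e]
    live = [e for e in map(parse_line, live_lines) if e]
    return find_anomalies(baseline_rates(train), live)


def _lines(host, minute, n, pri=14, tag="app"):
    """Constructed sample lines (pri 14 = user.info), not real logs."""
    return [f"<{pri}>Oct 11 22:{minute:02d}:{s:02d} {host} {tag}: event {s}" for s in range(n)]


# Training period: fw1 logs 5 lines/minute, web1 logs 2 lines/minute (pri 30 = daemon.info).
BASELINE_LINES = [l for m in range(10, 14) for l in _lines("fw1", m, 5)] + \
                 [l for m in range(10, 14) for l in _lines("web1", m, 2, pri=30)]

# Live period: fw1 normal, then a burst; web1 normal plus one auth.crit (pri 34); unknown host.
LIVE_LINES = _lines("fw1", 20, 5) + _lines("fw1", 21, 30) + _lines("web1", 20, 2, pri=30) + [
    "<34>Oct 11 22:20:15 web1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<14>Oct 11 22:22:01 rogue app: event 0",
]

if __name__ == "__main__":
    for a in analyze(BASELINE_LINES, LIVE_LINES):
        print(a)
```

The burst from fw1 and the unknown host are exactly the kind of "abnormal behavior" the post is after, and the min_delta guard is why web1's single extra crit line is reported once, as a severity alert, rather than twice. A real collector would read from a UDP/TLS socket instead of a list and handle RFC 5424 as well, but the baseline-then-compare loop is the same.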

Of course, Paessler is not the only player with skin in the game. But, as of late, the company seems to be offering increasing levels of help to those looking at "free" tools, and may just be the catalyst that helps educate network administrators on what normal looks like on today's complex enterprise networks.

The real lesson here is for network administrators to get their hands dirty and delve into their traffic to gain the knowledge needed to understand what is normal and what isn't.

About

Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MC...

Barryherne

But why is it free if the tool is great? I have never understood people offering tools for free. Is it only a free trial period, or is the number of monitors limited? At the moment I am using the software Anturis to monitor my infrastructure and I understand why I pay nothing if I have only 5 monitors. My alerts are limited and their choice is poor.

What about you?

duane1x

What Geof said. No tool(s) and no depth. More like a paid shill for Paessler, even if it's only 1/3 of a shill because it doesn't even go into a single example or detail. Having said that PRTG is great and I use it all the time, and if you put their logo on your webpage they'll bump you up to 30 sensors.

geofnet

Frank, this is an important topic. I guess you had a golf game. This looks like part of an article.


Geof

Dr7u15

Tools? It only mentions one tool!

fohlhorst

@duane1x This was just a blog post pointing out that a free tool is available. Whether or not you choose to use it is completely up to you; nevertheless, knowing it is out there is something that readers appreciate.

fohlhorst

@geofnet This is a blog post, not a full-fledged article, and it just gives an example of a free tool. Perhaps a roundup of free tools would be a good article? If so, let the powers that be at TechRepublic know that such content would be a welcome article on the site.
