Network Monitoring: A 360-Degree Plan
3/15/2004 By: Steven E. Miller and Chris Seiberling
In the movies, a safe and happy ending often comes from last-minute heroics. In the equally virtual reality of school computer networks, however, success more typically depends on day-to-day operations. School IT staff must be constantly vigilant about a large constellation of security concerns, including physical harm, electronic attacks, and even inadvertent problems created by normal use.
Last month, Part 1 of this series, "How to Perform a Security Audit," walked you through the basics of setting up a formal process for identifying these security-related concerns and implementing safeguards. This month, we continue the conversation from the perspective of system monitoring: that is, using a combination of techniques and technologies to keep regular tabs on your network, from tracking your school's bandwidth usage with network traffic analyzers to spotting firewall breaches via intrusion detection software. In addition, monitoring entails having a broader awareness of the computing environment and how the system meets user needs.
By taking a holistic approach to monitoring, you'll be able to fine-tune your operating procedures and user policies to reduce risk, and be better prepared to recover from the problems that will inevitably occur.
Staying Aware of the Context
An important aspect of system monitoring, often taken for granted and sometimes forgotten, is the overall framework in which you're operating. Here are two areas to consider.
The importance of staying abreast of hidden threats lurking out on the Net cannot be overstated. In fact, experts estimate it would take a malicious user no more than three minutes to find enough code bits to assemble a potent virus or other type of harmful software. You can avoid being taken by surprise by monitoring the IT literature; for example, sign up for the weekly e-mail bulletin of new security vulnerabilities offered by the SANS Institute (www.sans.org).
Keeping in touch with what your school's leaders and IT users want from your system now and in the future is the strategic foundation for successfully serving their needs, and gaining their support in maintaining security.
A good first step to addressing this issue is to create a questionnaire (or conduct a focus group or initiate a needs assessment). Some questions might include:
- How are you currently using the provided technologies? What are the ways that the provided technology makes your work easier, more productive, or better?
- What are the biggest frustrations about using the technology?
- Do you foresee any significant changes in your long-term needs; for example, increased capacity for data collection and reporting?
- What steps do you currently take to keep your own work safe and the overall network secure? Which of these procedures do you find most irksome and why?
Once you've gathered this data, apply it to your technology plan. Communicate with the community about how they can improve their security habits, change procedures that don't seem to be working, and shape any new initiatives based on user needs.
Another critical area to monitor is your daily operating procedures.
If you don't already have sensors checking the traditional HVAC concerns (heat, ventilation, and air conditioning) in your server rooms, install them. While you're doing that, don't forget about the possibility of water leaks, flaking plaster, or loose wires. The best monitoring tool is the human eyeball, either peering through a remote camera or peeking through a doorway. Set up a weekly or monthly schedule for inspections, or install a minicam in the more remote locations to bring key images to your desktop.
Installing security software does no good if someone can walk in and carry off the equipment or just bang it with a sledgehammer. It's not uncommon for the server room to share space with the computer lab or for the wiring closet to also house brooms or other janitorial equipment. And these days nearly every room in a school has a networked computer. In multiple-use locations where students, custodians, school visitors, and others are in daily proximity to computers or other technology, make sure expensive equipment is locked down to a nonmovable anchor. In addition, where appropriate, consider using a security minicam.
A good network management system, usually a combination of hardware and software elements, should allow your school IT staff to observe the state of the network at any given moment. Using asset management software, look for patterns in the kinds of unauthorized and unlicensed software that most frequently appear, and decide if you want to provide some of it through purchase or license (or at the very least, increase user awareness about the penalties for illegal use by distributing copyright information). Regularly examine the reports generated by your firewall, Web filter, and other network applications. Check the usage patterns of any virtual private networks or other methods you use to provide external access to internal resources. (See "Monitoring Technologies.")
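The log review recommended above is easier to keep up with when the routine part is scripted. The following is an added example, not code from the article or from any firewall vendor: it parses a constructed, generic "DATE TIME ACTION src -> dst:port" log format (a real firewall's format differs, so the regular expression and the assumed 7:00 to 18:00 school day would be adapted), flags sources that were denied on many distinct ports, and lists connections allowed outside school hours.

```python
"""Review a firewall log for scanning and after-hours access.

Added example (not from the article or any product). The log line format and
the sample entries are constructed for illustration; real firewalls use their
own formats, so LINE_RE would be adapted to yours.
"""
import re
from collections import defaultdict

# Constructed sample log in a generic "DATE TIME ACTION src -> dst:port" format.
# Addresses are from the documentation ranges; the last line is deliberately
# malformed to show that unparsed lines are counted rather than ignored.
SAMPLE_LOG = """\
2004-03-15 08:01:12 DENY 203.0.113.7 -> 10.20.0.5:22
2004-03-15 08:01:13 DENY 203.0.113.7 -> 10.20.0.5:23
2004-03-15 08:01:14 DENY 203.0.113.7 -> 10.20.0.5:25
2004-03-15 08:01:15 DENY 203.0.113.7 -> 10.20.0.5:80
2004-03-15 08:01:16 DENY 203.0.113.7 -> 10.20.0.5:135
2004-03-15 08:01:17 DENY 203.0.113.7 -> 10.20.0.5:139
2004-03-15 08:02:40 ALLOW 10.20.1.44 -> 10.20.0.5:80
2004-03-15 08:03:01 DENY 198.51.100.9 -> 10.20.0.5:80
2004-03-15 08:03:05 ALLOW 10.20.1.45 -> 10.20.0.5:80
2004-03-15 23:15:00 ALLOW 192.0.2.66 -> 10.20.0.8:3389
this line is malformed and will be counted, not parsed
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}):(\d{2}):(\d{2}) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$"
)


def parse_log(text):
    """Return (events, unparsed_count). Unparsed lines are counted so that a
    format change or log corruption does not silently hide activity."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        date, hh, mm, ss, action, src, dst, port = m.groups()
        events.append({"date": date, "hour": int(hh), "action": action,
                       "src": src, "dst": dst, "port": int(port)})
    return events, unparsed


def denied_ports_by_source(events):
    """Map each source address to the set of destination ports it was denied on."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            ports[e["src"]].add(e["port"])
    return ports


def find_port_scanners(events, min_ports=5):
    """Sources denied on at least min_ports distinct ports look like port scans."""
    return sorted(src for src, ports in denied_ports_by_source(events).items()
                  if len(ports) >= min_ports)


def after_hours_allowed(events, start_hour=7, end_hour=18):
    """Allowed connections outside the assumed school day deserve a closer look."""
    return [e for e in events
            if e["action"] == "ALLOW" and not (start_hour <= e["hour"] < end_hour)]


def review(text):
    """One-call summary suitable for a daily or weekly check."""
    events, unparsed = parse_log(text)
    return {"events": len(events), "unparsed": unparsed,
            "scanners": find_port_scanners(events),
            "after_hours": [(e["src"], e["dst"], e["port"])
                            for e in after_hours_allowed(events)]}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The unparsed-line count is the detail worth keeping: a firmware upgrade that changes the log format, or a log that was truncated, should show up as a sudden jump in that number rather than as a quiet week.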
System integrity also depends on protecting yourself against unauthorized or unwanted intrusion, whether it's the system-clogging flood of spam into our e-mail boxes, or the endless flow of increasingly sophisticated blended attacks of viruses, worms, Trojan horses, and other malicious software. Proper intrusion monitoring will help you see and then close the security holes that attackers use. (Again, see "Monitoring Technologies" for specifics.)
Finally, monitor your system's defenses by conducting regular penetration and stress tests. As discussed in last month's article, numerous private firms perform such functions. Better yet, set up a team of your own students or students from a local college and ask them to find ways to break into the network. Then ask them to help devise methods to plug those holes.
Data storage should be centralized to facilitate regular backups, encryption, and access controls, and to ensure that users only get access to the data they're authorized to see and can only perform the functions they're authorized to do. That means setting up role-based or user-based permissions for network access (for more information on developing a network rights strategy, see "A Beginner's Guide to School Security"); periodically testing the strength of these protections; and using network traffic analysis tools to monitor usage patterns. Most importantly, all vital data, no matter what the format, should be backed up to off-site storage.
Outsourcing is commonplace these days. But that means your system, and your liability, extend beyond the district limits to include your Internet service provider, your e-mail service, your payroll vendor, your data storage provider, your application service provider, and anyone else who is an integral part of your system. How secure are their systems? How safe is the data that passes to and from them? You need to ask tough questions about their procedures and past problems. Then you need to get written promises about future performance and acceptance of liability. As much as possible, monitor their actions: you might visit their server rooms, talk to their engineers, or stay in touch with their other customers.
No matter how good your security system, no matter how hard you try, it's a given that eventually something will go wrong.
Therefore, every district needs to have a business continuity or crisis management plan that helps them minimize damage, recover from security breaches, maintain essential operations, and keep in constant communication with key players and stakeholder groups. The first rule of business continuity is redundancy. All essential data should be duplicated both in another part of your own system and off-site; all communication pathways should have a fall-back alternative; and all key equipment should be replaceable.
But just as having a spare tire in your trunk doesn't do any good if you've let it go flat, it's no use to have a backup system that's not ready to be used. Conduct dress rehearsals about every six months and correct any problems that are revealed. Most important: When the inevitable crisis does occur, treat it as a teachable moment. How do your operations need to be changed in order to reduce the likelihood of future problems?
It may not be the glamorous world of the movies, but the satisfaction of doing your job well can provide a happy ending to the little screen nearest you.
For additional monitoring resources, see "Learn More".
Steven E. Miller, a former teacher, community organizer, and magazine editor, is executive director of Mass Networks Education Partnership.
Chris Seiberling is the manager of the technology audit and planning program for Mass Networks Education Partnership.
Read other articles from the March Issue
Monitoring Technologies
We've compiled a list of tools to help you deal with the various areas of monitoring, along with recommendations on how often to use them. The product names listed here are examples only and are not necessarily endorsed by the authors. Although not included here, multifunction hardware from such companies as 3Com, ServGate, SonicWall, and Symantec may also provide effective security solutions.
Category: (not given in source)
Purpose: Identify technical weaknesses in software, hardware, and system configurations. Some scanning tools include integrated patch management, registry repair, and software update utilities.
Example tools:
- Microsoft Baseline Security Analyzer (www.microsoft.com/technet)
- NetIQ Security Analyzer 5.1 (www.netiq.com)
- Shavlik EnterpriseInspector (www.shavlik.com)
- Sun Microsystems SunSolve (sunsolve.sun.com)
- Symantec Vulnerability Assessment (enterprisesecurity.symantec.com)
Recommended frequency: Web servers should be checked when there are vulnerability advisories and when significant Web site changes are made. Total network scans should take place at least twice a year. Firewall and e-mail servers should be scanned daily to weekly.
Category: Network Traffic Analysis
Purpose: Monitor bandwidth usage to verify network performance; identify traffic patterns; and provide forensic evidence of intrusions and inappropriate network use.
Example tools:
- Iris Network Traffic Analyzer (www.eeye.com)
Recommended frequency: Monthly; daily, if problems are suspected
Category: (not given in source)
Purpose: Verify that user passwords are appropriate and effective.
Example tools:
- Cain & Abel (www.oxid.it/cain.html)
- John the Ripper (www.openwall.com/john)
Recommended frequency: Same as the number of days between password changes
Category: (not given in source)
Purpose: Test the effectiveness of firewalls.
Example tools:
- Norton Personal Firewall (www.symantec.com/sabu/nis/npf_mac)
Category: Wireless Network Surveillance
Purpose: Detect unauthorized wireless access points.
Recommended frequency: Yearly, or whenever system changes are made
Category: Virus Scanning, Spam Control, and Content Filtering
Purpose: Detect and eliminate viruses, worms, Trojan horses, and other malicious software; detect and reduce spam; and limit access to undesirable Web sites.
Example tools:
- Network Associates (www.nai.com/us)
- Sophos AntiVirus (www.sophos.com)
- Symantec AntiVirus (enterprisesecurity.symantec.com)
Category: Malware Threat Monitoring
Purpose: Stay informed of current threats.
Example tools:
- Internet Security Systems Alert Center (gtoc.iss.net/issEn/delivery/gtoc/index.jsp)
- SANS Internet Storm Center (www.isc.sans.org)
- Symantec DeepSight Threat Management System (enterprisesecurity.symantec.com)
Category: File Integrity Checking
Purpose: Verify whether data files have become corrupted and detect installation of unauthorized software.
Category: Review System Logs
Purpose: Remain informed of network and server activities.
Logs to review: Server, firewall event, and virus detection logs
Learn More
Want to do more research? The Web offers a surplus of information about monitoring and related security issues.
An annotated list of Unix, Linux, and Windows security tools: www.insecure.org/tools.html
Downloadable Unix tools: ftp.cerias.purdue.edu/pub/tools/unix
Comprehensive security guidelines from the National Institute of Standards and Technology Computer Security Resource Center (in particular, check out the NIST Guideline on Network and Security Testing): csrc.nist.gov/publications/nistpubs/index.html
OCTAVE risk assessment methodology: www.cert.org/octave
SANS InfoSec Reading Room, which provides background material on many security topics: www.sans.org/rr
Technical and user-oriented advisories from US-CERT's National Cyber Advisory System: www.us-cert.gov/cas/index.html