1
Network Management Tools Workshop
“Principles and Tools for Better Network Management”
2
Disclaimer The information provided in this manual is subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any information within. All information is provided “As Is”. The images, facts, and information supplied by the vendors Linksys Group, Inc. and Cisco, Inc. were provided of their own accord for the express purpose of the ICCM 2004 Network Management Tools Workshop. Distribution and/or sale of this manual is prohibited. In no event shall the suppliers of the information contained within this manual be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual. All trademarks mentioned in this document are the property of their respective owners. Copyright © 2004 T.R. Knight Lightsys Technology Services, Inc. All rights reserved.
3
Table of Contents
Chapter 1 – Network Architecture Overview 5
Chapter 2 – Network Topology Overview 29
Chapter 3 – Network Security Overview 38
Chapter 4 – Basic Network Tools 45
Chapter 5 – Advanced Network Tools 52
Chapter 6 – Basic Network Monitoring 58
Chapter 7 – Network Monitoring Tools 66
Chapter 8 – Wireless Network Tools 76
Chapter 9 – Traffic Management 83
Chapter 10 – Custom Network Tool Design 88
Appendix A – Workshop Lab Setup 95
Secondary Text: Open Source Network Administration by James M. Kretchmar
4
Recommended Reading
Perl in a Nutshell, by Stephen Spainhour, 2002
War Driving, by Chris Hurley, 2004
Wireless Networks: The Definitive Guide – Creating and Administering Wireless Networks, by Matthew Gast, April 2002
Security, by Bruce Potter and Bob Fleck, December 2002
Open Source Network Administration, by James M. Kretchmar, 2004
Cisco IOS Access Lists, by Jeff Sedayao, 2001
Cisco Cookbook, by Kevin Dooley and Ian Brown, 2003
Ethereal Packet Sniffing, by Angela Orebaugh, 2004
5
Network Architecture Overview
Chapter 1 Network Architecture Overview
Hubs
Switches
Wireless Access Points
Wireless Bridges
Routers
Packet Shapers/QoS Devices
Firewalls
Blackbox Devices
6
Network Models (diagram: OSI layers 7 through 3)
7
Hubs vs Switches
On the outside, hubs and switches appear very similar in that they both have a number of RJ-45 jacks for connecting devices. Inside, however, they work very differently.
Background: Limitations of Ethernet
To understand why switches provide so much more functionality than hubs, you must understand a fundamental limitation of (non-switched) Ethernet: there can only be one device transmitting on a segment at any given time. If two or more devices attempt to transmit at the same time, a collision occurs. (In fact, an Ethernet segment where only one conversation can occur is called a collision domain.) After a collision, all devices must retransmit. As you can imagine, as the number of devices on an Ethernet segment increases, the probability of collisions increases. Because devices must spend more time retransmitting data, the network is perceived to be slow.
Before the advent of switches, a network could be divided into segments with a device called a bridge. Bridges have two Ethernet ports. As traffic flows through a network, a bridge learns which devices (identified by the MAC or "hardware" address) are on each side. The bridge then makes decisions to forward or not forward each packet to the other side based on where the destination device is located. A bridge thus divides a network into two collision domains, allowing two independent "conversations" to occur. If a bridge is placed intelligently (e.g., separating two departments and their respective file servers), it can improve network efficiency.
8
Why Switches are Better
Hubs do no processing on network traffic; they simply repeat the incoming signal to all available ports. On a switch, every port acts as a bridge. If each switch port is connected to a single device, each device can, in principle, act independently of every other device. For example, consider a switch with the following devices attached:
computer 1
computer 2
computer 3
printer
file server
uplink to the Internet
In this case, computer 1 could be printing a document, while computer 2 connects to the file server, while computer 3 accesses the Internet. Because the switch intelligently forwards traffic only to the devices involved, there can be multiple independent simultaneous conversations.
9
Hub/Switch Speed and Duplex
Bandwidth Limitations
Hub: total network bandwidth is limited to the speed of the hub, i.e. a 10Base-T hub provides at most 10 Mb/s of bandwidth no matter how many ports it has.
Switch: total network bandwidth is determined by the number of ports on the switch, i.e. an 8 port 100 Mb/s switch can support up to 800 Mb/s of aggregate bandwidth.
10
Wireless Technologies
PAN (Personal Area Network): Standards Bluetooth; Speed < 1 Mbps; Range Short; Applications Peer-to-Peer, Device-to-Device
LAN (Local Area Network): Standards 802.11, HiperLAN2; Speed 11 to 54 Mbps; Range Medium; Applications Enterprise networks
MAN (Metropolitan Area Network): Standards MMDS, LMDS; Speed 11 to 100+ Mbps; Range Medium-Long; Applications T1 replacement, last mile access
WAN (Wide Area Network): Standards GSM, GPRS, CDMA, 2.5-3G; Speed 10 to 384 Kbps; Range Long; Applications Mobile Phones, cellular data
Provided by Cisco, Inc. © Copyright 2003
11
Wireless Knowledge Check
ISM band - The FCC and their counterparts outside of the U.S. have set aside bandwidth for unlicensed use in the ISM (Industrial, Scientific and Medical) band. Spectrum in the vicinity of 2.4 GHz, in particular, is being made available worldwide. Direct Sequence Spread Spectrum (DSSS) generates a redundant bit pattern for each bit to be transmitted. This bit pattern is called a chip (or chipping code). The longer the chip, the greater the probability that the original data can be recovered. Even if one or more bits in the chip are damaged during transmission, statistical techniques embedded in the radio can recover the original data without the need for retransmission. To an unintended receiver, DSSS appears as low power wideband noise and is rejected (ignored) by most narrowband receivers.
12
DSSS Channels 5 MHz offset between each channel.
3 Non-Overlapping Channels exist: 1, 6, and 11 These are very important when doing Access Point layout and Site Surveying.
13
Channel Setup (diagram: access point layout alternating channels 1, 11, 6, 11, 1)
14
Wireless Bridge
Government Buildings
Connect buildings’ data networks
Cheaper than T1 (fast ROI)
Cheaper than trenching fiber
Backup system for when cables get cut
Education
Public school system sharing WAN link
Colleges expanding into leased facilities
Connecting classroom trailers to main bldg.
Municipal Applications
Emergency response (police, fire, city hall)
Public transportation (buses)
Courthouse
Temporary Broadband Link
Construction sites
Sporting events
County Fairs
Provided by Cisco, Inc. © Copyright 2003
15
802.11b
Data rates supported: 11, 5.5, 2 and 1 Mbps
Client will automatically “downshift” to a lower data rate when it gets further from the AP
2.4 GHz band
Chipping rate 11 MHz, same as the original DSSS scheme; same occupied bandwidth
Complementary code keying (CCK) modulation to achieve a higher data rate in the same bandwidth at the same chipping rate
Industry (global) accepted standard; Wi-Fi™ approved
Every major computer company producing products; can be purchased in many retail stores; integrated into brand name computers
Available in coffee shops, airports, restaurants, schools, and at most conferences held today
Very affordable; dropping in price quickly
Not compatible with 802.11a; compatible with 802.11g
16
802.11g
Data rates supported: 54, 48, 36, 24, 12, and 6 Mbps
Client will automatically “downshift” to a lower data rate when it gets further from the AP
2.4 GHz using OFDM/CCK technology
Full forward/backward compatibility with 802.11b
54 Mbps 802.11g products expected in 2003
Higher-speed extension to 802.11b
Combines the physical layer encoding techniques used in 802.11a and 802.11b to provide service at a variety of data rates
Not compatible with 802.11a
17
802.11a
Data rates supported: 54, 48, 36, 24, 12, and 6 Mbps
Client will automatically “downshift” to a lower data rate when it gets further from the AP
15 countries have approved the use of today’s 802.11a products: U.S., Australia, Poland, Denmark, France, Sweden, New Zealand, Ireland, U.K., Germany, Japan, Singapore, Canada, Belgium, Netherlands
802.11h will ultimately permit worldwide usage of 5 GHz: Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS)
5 GHz band has more channels than the 2.4 GHz band: UNII-1 + UNII-2 = 8 channels (vs. 3 channels for 2.4 GHz). However, depending on the distance between APs, you may only be able to use half of the 5 GHz channels due to adjacent channel interference
5 GHz band is subject to less interference than the 2.4 GHz band. However, 2.4 GHz interference is not a major problem in most business environments
Not compatible with 802.11b or 802.11g
18
Antennas Provided by Cisco, Inc. © Copyright 2003
19
Antenna Coverage
Examples of antenna coverage (diagram): Yagi/Parabolic, Omni Directional, Directional, Patch
Provided by Cisco, Inc. © Copyright 2003
20
Dipole/Omni Directional Antennas
Energy lobes push in from the top and bottom as gain increases. The higher the gain, the smaller the vertical beamwidth and the larger the horizontal beamwidth.
Typical Omni Directional Antenna Pattern (diagram): beamwidth; poor coverage directly under the antenna
Provided by Cisco, Inc. © Copyright 2003
21
Diversity and Multipath
Like light, radio signals bounce off objects. Thus, a radio signal can take more than one path to travel from the radio transmitter (client) to the radio receiver. This is called multipath signalling. Multipath signals can cause high RF signal strength but poor signal quality. As the signals of different paths and different times of delivery are combined within a device, distortion can result. If a signal were to return to an antenna from two paths exactly 180 degrees out of phase, this would cause a dead spot. Dead spots are very common in buildings. As well, antennas receiving multiple copies of the same signal at different strength levels can cause noise.
The best way to compensate for multipath is to move the antenna. Moving antennas can remove you from the dead spots but cannot compensate for the mixing of signals and the resultant distortion. Wireless access points commonly compensate for multipath by using diversity antennas: two antennas connected to a device receive the various multiple-path signals at different times, and the device can determine the strongest individual signal and utilize it, ignoring the others.
22
Multipath Distortion Provided by Cisco, Inc. © Copyright 2003
23
Routers
A device that determines the next network point to which a data packet should be forwarded en route toward its destination. The router is connected to at least two networks and determines which way to send each data packet based on its current understanding of the state of the networks it is connected to. Routers create or maintain a table of the available routes and use this information to determine the best route for a given data packet. Routers can be a physical device or a software configuration. They might be used for a LAN, WAN, cable modem network, DSL network, etc.
24
Routers vs Layer 3 Switching
Layer 3 switching refers to a class of high-performance routers optimized for the campus LAN or intranet. Most often they are a hybrid of a Layer 2 switch and a router in capabilities. Layer 3 switches tend to have packet switching throughputs in the millions of packets per second (pps), while traditional general-purpose routers have evolved from the 100,000 pps range to over a million pps. In essence, aggregate performance is the primary difference between Layer 3 switches and traditional routers. The only major difference between the packet switching operation of a router and a Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes place using microprocessor-based engines, whereas a Layer 3 switch performs this using application specific integrated circuit (ASIC) hardware. One of the fundamental capabilities of routers and Layer 3 switches is the creation of routing tables that automatically adjust themselves to the ever-changing network topologies caused by link failures, device failures, and additions and deletions to the network. Provided by Cisco, Inc. © Copyright 2004
25
Packet Shaping/QoS Devices
QoS (Quality of Service): prioritizing network packets. Most often used for Voice over IP (VoIP). Mostly Layer 2 and 3.
Packetshaping: bandwidth allocation, flow control, prioritizing, rate limiting. All 7 layers (up to Application).
26
Packet Shaping/QoS Devices
QoS on a Router/Layer 3 Switch
Linux Server with QoS
Packet Shaping Devices: Packeteer Packetshaper, Allot NetEnforcer
27
Firewalls Firewalls (whether a physical device or software configuration) protect the resources of a private network from users of other (often external) networks. They filter all network packets to determine whether to forward them to their destination or deny them. Some firewalls include VPNs (virtual private networks) to allow mobile users remote access to the private network.
28
Blackbox Devices
Web Filter: iPrism
Spam Filter/Virus Detectors: Barracuda
Network Registration: Bradford Campus Manager
29
Network Topology Overview
Chapter 2 Network Topology Overview
Subnets
VLANs
Trunking/Routing Tables
NAT/PAT
30
Basic Network Topology
(Diagram of components and links: Bradford Campus Manager, unmanaged switch/hub, managed switches, gigabit switch, Layer 3 switch, Barracuda Spam Filter, Packetshapers, PIX Firewall, WAN routers, the Internet and a remote campus LAN; link types 100M TX, Gigabit TX, 100M fiber, gigabit fiber, DS3 and T1; a spanning-tree loop is marked.)
31
Subnets
Allow arbitrary complexity of internetworked LANs within an organization
Insulate the overall internet from growth of network numbers and routing complexity
Site looks to the rest of the internet like a single network
Each LAN is assigned a subnet number
Host portion of the address is partitioned into a subnet number and a host number
Subnet mask indicates which bits are the subnet number and which are the host number
Simplest subnet is
Subnetting breaks a network into separate collision domains. Within a hub network, only subnets can virtually segment the network into separate collision domains.
32
Internet Class Nets (table: address ranges of Class A through Class E; Class A includes a reserved range, Class D and Class E each start at a fixed address)
33
Example of Subnetting
Class C Subnetting (table; columns: # Mask Bits, Subnet Mask, # Subnets, # Hosts)
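The Class C subnetting table above can be generated rather than memorised. The following is an added example (not from the workshop manual) that builds each row from the number of borrowed host bits and also splits a sample /24 and decodes a host address into its subnet and host numbers; the 192.0.2.0/24 network is a constructed documentation-range example.

```python
import ipaddress


def class_c_subnet_row(mask_bits: int) -> dict:
    """One row of the Class C subnetting table for `mask_bits` borrowed host bits.

    A Class C network has a fixed 24-bit network part and an 8-bit host part;
    the borrowed bits become the subnet number and the rest the host number.
    Two addresses per subnet (network and broadcast) are not usable by hosts.
    """
    if not 0 <= mask_bits <= 6:
        raise ValueError("borrowing 7 or 8 bits leaves no usable host addresses")
    prefix = 24 + mask_bits
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask
    return {
        "mask_bits": mask_bits,
        "subnet_mask": str(mask),
        "subnets": 2 ** mask_bits,
        "hosts": 2 ** (8 - mask_bits) - 2,
    }


def class_c_subnet_table() -> list:
    """The whole table, one row per number of borrowed bits (1..6)."""
    return [class_c_subnet_row(bits) for bits in range(1, 7)]


def split_class_c(network: str, mask_bits: int) -> list:
    """Enumerate the subnets, e.g. ('192.0.2.0/24', 2) -> four /26 networks."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("expected a Class C (/24) network")
    return [str(subnet) for subnet in net.subnets(prefixlen_diff=mask_bits)]


def subnet_and_host_number(address: str, mask_bits: int) -> tuple:
    """Split the host octet of `address` into (subnet number, host number)."""
    last_octet = int(ipaddress.IPv4Address(address)) & 0xFF
    host_bits = 8 - mask_bits
    return last_octet >> host_bits, last_octet & ((1 << host_bits) - 1)


def same_subnet(a: str, b: str, mask_bits: int) -> bool:
    """Two hosts are on one subnet only if the masked addresses agree."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{24 + mask_bits}").netmask)
    return int(ipaddress.IPv4Address(a)) & mask == int(ipaddress.IPv4Address(b)) & mask


if __name__ == "__main__":
    for row in class_c_subnet_table():
        print(f"{row['mask_bits']:>2} bits  {row['subnet_mask']:<17} "
              f"{row['subnets']:>3} subnets  {row['hosts']:>4} hosts")
    print(split_class_c("192.0.2.0/24", 2))
```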
34
Virtual LANs (VLANs) A VLAN is a network of computers that can behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN, or they can be computers physically located on the same segment that act as if they are not. VLANs are configured through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration. VLANs can only be done on a switched network.
35
Trunking/Routing Tables
Trunking/routing tables can help you control the flow of traffic on your network. You can control entire networks, subnets, and/or individual VLANs.
Trunking is done on enterprise switches (VLANs). Routing is done in routers (networks and subnetworks).
36
Routing Subnets
37
NAT/PAT
Network Address Translation (NAT): an Internet standard that enables a local-area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box (often a firewall or router) located where the LAN meets the Internet makes all necessary IP address translations.
Port Address Translation (PAT): a computer on a LAN is translated to the same IP address, but with a different port number assignment.
Internal LAN Only Addresses to
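To show what the PAT box actually keeps in memory, here is an added example (not from the workshop manual) of a translation table: every inside host maps to the one outside address, and the outside port is what distinguishes the flows, so a reply to an unknown port has no inside host to go to. The addresses and the port-preservation behaviour are assumptions of the example, not a description of any particular vendor's box.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PatTable:
    """Toy Port Address Translation table.

    Every inside host is translated to the single outside address; what keeps
    the flows apart is the outside port, which must be unique per protocol.
    """
    outside_ip: str
    first_port: int = 1024
    last_port: int = 65535
    # (inside ip, inside port, proto) -> outside port
    _out: dict = field(default_factory=dict)
    # (outside port, proto) -> (inside ip, inside port)
    _in: dict = field(default_factory=dict)

    def _pick_port(self, wanted: int, proto: str) -> int:
        # Assumption of this example: keep the inside source port when it is
        # free, otherwise hand out the lowest free port from the pool.
        if self.first_port <= wanted <= self.last_port and (wanted, proto) not in self._in:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (port, proto) not in self._in:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, in_ip: str, in_port: int, proto: str = "tcp") -> Tuple[str, int]:
        """Translate an inside flow; the same flow always gets the same mapping."""
        key = (in_ip, in_port, proto)
        if key not in self._out:
            port = self._pick_port(in_port, proto)
            self._out[key] = port
            self._in[(port, proto)] = (in_ip, in_port)
        return self.outside_ip, self._out[key]

    def inbound(self, out_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Reverse-translate a reply. No mapping means the packet is unsolicited
        and is dropped, which is why inside hosts are not reachable from outside."""
        return self._in.get((out_port, proto))

    def active_flows(self) -> int:
        return len(self._out)


if __name__ == "__main__":
    table = PatTable("203.0.113.1")          # constructed outside address
    print(table.outbound("10.0.0.5", 3658))  # inside port kept: 3658 is free
    print(table.outbound("10.0.0.6", 3658))  # same inside port, new outside port
    print(table.inbound(3658), table.inbound(9999))
```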
38
Network Security Overview
Chapter 3 Network Security Overview
39
Network Security
A major component of network management is the managing of traffic flow on, into, and out of the network. A solid first step is the denying of unwanted traffic on your network.
Router/Switch ACLs
Firewall Configurations
Packetshaping
40
What is a Network ACL?
An Access Control List (ACL) is an authorization mechanism (on a switch, router, firewall, or end node) that maintains lists of hosts that are allowed to access a particular protocol, host, or port. They can filter:
IP Addresses
Particular TCP/UDP Ports
Protocols (udp, tcp, ip, gre)
Broadcast Storm Control
41
Router/Switch ACLs
* Example from a Cisco 2950 Switch *
Extended IP access list 101
    deny tcp any any eq 707
    deny udp any any eq 707
    deny tcp any any eq 69
    deny udp any any eq tftp
    permit ip any any
interface FastEthernet0/1
 switchport access vlan 105
 switchport mode access
 no ip address
 ip access-group 101 in
 no cdp enable
 spanning-tree portfast
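The order of the entries matters: IOS walks the list top down and stops at the first match, and a list with no final permit ends in an implicit deny. The following added example (not from the workshop or from Cisco) parses the five entries of access list 101 and evaluates sample packets against them; the packet addresses are constructed, and the parser understands only the entry forms on this page (any, host, address plus wildcard mask, and eq with a number or one of a few service names).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries of access list 101 from the slide (the "Extended IP access list 101"
# header line of the show output is omitted).
ACL_101 = """
deny tcp any any eq 707
deny udp any any eq 707
deny tcp any any eq 69
deny udp any any eq tftp
permit ip any any
"""

# Service keywords IOS accepts after "eq"; only the ones this toy parser knows.
PORT_NAMES = {"tftp": 69, "bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: str               # "any", "host a.b.c.d" or "a.b.c.d wildcard"
    dst: str
    dport: Optional[int]   # destination port for "eq", else None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one IOS address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2      # address followed by wildcard mask


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            port = tok[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ip == value
    # Wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    base, wild, addr = (int(ipaddress.IPv4Address(x)) for x in (kind, value, ip))
    care = 0xFFFFFFFF ^ wild
    return (base & care) == (addr & care)


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for entry in entries:
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        return entry.action, entry
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for pkt in (Packet("udp", "192.0.2.10", "192.0.2.20", 69),    # tftp: entry 4
                Packet("tcp", "192.0.2.10", "192.0.2.20", 707),   # entry 1
                Packet("tcp", "192.0.2.10", "192.0.2.20", 80)):   # permit ip any any
        print(pkt, "->", evaluate(acl, pkt)[0])
```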
42
Broadcast Storm Control
A broadcast storm is a packet broadcast onto a network that causes multiple hosts to respond all at once. Many times storms consist of incorrect packets, which cause the storm to grow exponentially in severity. Viruses are a leading cause of broadcast storms.
* Example from a Cisco 2950 Switch *
interface GigabitEthernet0/2
 switchport mode trunk
 no ip address
 storm-control broadcast level
 storm-control multicast level
 storm-control unicast level
43
Firewall Configurations
Firewalls, whether hardware or software, control the traffic into and out of your local network. Commonly blocked protocols/ports:
icmp
tcp/udp dhcp, bootps
tcp/udp bootpc, dhcp
udp tftp
tcp/udp 135/593 Microsoft Remote Procedure Call
tcp/udp 137 Netbios Name Service Browsing over TCP/IP
tcp/udp 138 Netbios Datagram Browsing over TCP/IP
tcp/udp 139/445 Common Internet File System (CIFS)
tcp/udp 1067/1068 Bootstrap
tcp/udp 3268/3269 LDAP
44
Packetshaper
45
Basic Network Tools (Chapter 9 of Secondary Text)
Ping (p. 177)
Traceroute (p. 189)
Netstat (p. 197)
Arp
Nslookup
Pathping
46
Ping
Uses:
Determine connectivity
Test response times
Common Command Structure:
Linux> ping -v -c 4 mail3.tayloru.edu
Unique characteristics:
ping –a in Linux is audible, while ping –a in Windows is reverse DNS
ping6 in Windows is for IPv6
Comments:
What is dangerous about ping? Why would Taylor remove ping/icmp access to/from the Internet and across much of the LAN?
47
Traceroute/Tracert
Uses:
Determine network path taken
Determine computer name
Determine connectivity
Test response times
Common Command Structure:
Linux> traceroute -v
Unique characteristics:
Tracert in Windows, while traceroute in Linux
Comments:
If you remove ICMP traffic to block ping you also disable traceroute. Traceroute paths can be different when multi-homed networks are tested.
48
Netstat
Uses:
Determine connectivity
Test response times
Common Command Structure:
Windows/Linux> netstat -a
Windows/Linux> netstat -r
Windows/Linux> netstat -s
Windows/Linux> netstat -i
Unique characteristics:
Many don’t realize the command exists in Windows as well as Linux.
Comments:
Wonderful troubleshooting tool to determine what network ports are open on a server or computer and/or what services are running.
49
Arp
Uses:
Determine known network connections
Hard code network connectivity
Common Command Structure:
Linux> arp -v
Windows> arp -a
Unique characteristics:
Windows arp is very limited. Windows hides much of the network. Linux arp is very powerful and can even give you the MAC address of listed connections.
Comments:
Arp tables can be poisoned by hackers or even by haphazard curious students. A poisoned arp table on a router will disable an entire network.
50
Nslookup
Uses:
Determine the IP address of a DNS name
Determine the DNS name of an IP address
Learn about a particular network based on its DNS entries
Common Command Structure:
Windows/Linux> nslookup
Windows> nslookup> ls domain.com
Unique characteristics:
Nslookup is being replaced by dig in Linux
Comments:
You can protect yourself from nslookup DNS scanning with proper configuration of your DNS.
51
Pathping
Uses:
Determine connectivity
Determine response time
Determine hop connectivity and response time
Common Command Structure:
Windows> pathping
Unique characteristics:
This is a Windows only network command.
Comments:
The most interesting part of this command is the statistics it calculates after it pings the sites. This command is also disabled if you disable ICMP.
52
Advanced Network Tools (Chapter 4 and 8 of Secondary Text)
Neo (p. 53)
Tcpdump (p. 155)
Nmap
Nessus
Ethereal
53
Neo
Uses:
It can locate a host on a network device or a collection of network devices
It can enable and disable network ports
It can produce a summary of device layout
It can produce statistics on per-port bandwidth use
It can be used in scripts
Common Command Structure:
Linux> neo
Unique characteristics:
The best aspect of this command is that it can be scripted into other scripts or programs.
Comments:
This command can be dangerous if not kept on a secure computer or server. Also, be careful if you are using this that the view of your screen is secure. Your SNMP settings can become public if you are not careful.
54
Tcpdump
Uses:
Basic ethernet sniffing
Can monitor for broadcast storms
Useful at a PC/server level on any type of network
Common Command Structure:
Linux> tcpdump -vvv -n -c 10
Unique characteristics:
Tcpdump can be used to dump a binary file that can be imported into Ethereal.
Comments:
As always, sniffing on a switched network is not as effective as on a hub network. Be warned, tcpdump files can get very large very quickly.
55
Nmap
Uses:
Determine open ports on a remote host
Determine operating system of a remote host
Common Command Structure:
Linux> nmap servername
Unique characteristics:
Nmap on Linux can only be used by a user with root privileges
Nmapwin for Windows is VERY slow compared to the Linux version
Comments:
Nmap can give you a quick look at what possible vulnerabilities are on a host. Nmap can also be integrated into scripts to determine an operating system before continuing with OS dependent actions.
56
Nessus
Uses:
Determine open ports on a remote host
Determine operating system of a remote host
Determine security vulnerabilities of a remote host
Gives guidance on possible fixes for security vulnerabilities
Common Command Structure:
Run as a server and a client
Unique characteristics:
Nessus for Linux is open source. To get Nessus on Windows you must pay for someone to encapsulate Nessus into a Windows package.
Comments:
Always ranked 1st or 2nd best security scanner available.
57
Ethereal
Uses:
Robust ethernet sniffing
Can monitor for broadcast storms
Useful at a PC/server level on any type of network
Integrates well with tcpdump
Common Command Structure:
GUI client
Unique characteristics:
Ethereal exists for both Windows and Linux. The Windows version can read Linux tcpdumps.
Comments:
Don’t leave home without this tool!
58
Basic Network Monitoring (Chapter 2 of Secondary Text)
SNMP (p. 11)
Syslog
59
SNMP
SNMP communication requires a manager (the station that is managing network devices) and an agent (the software in the devices that communicates with the management station). SNMP provides the language and the rules that the manager and agent use to communicate. SNMP uses community strings as a form of management security. To enable management communication, the manager must use the same community strings that are configured on the agent. You can define both read and read/write community strings (the defaults are public and private).
Basic Commands
Get and Get-next - The management station requests an agent to report information.
Set - The management station requests an agent to change one of its parameters.
Get Response - The agent responds to a Get, Get-next, or Set operation.
Trap - The agent sends an unsolicited message to notify the management station that an event has occurred.
SNMP accesses a MIB tree on the device to determine information.
60
MIB A directory listing information that is used and maintained by a network management protocol, such as SNMP MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches. The MIB tree is a structure that groups MIB objects in a hierarchy and uses an abstract syntax notation to define manageable objects. Each item on the tree is assigned a number which creates the path to objects in the MIB. This path of numbers is called the object identifier (OID). Each object is uniquely and unambiguously identified by the path of numeric values.
61
MIB Example
-- Packeteer PacketShaper v4.0 Response Time Management MIB
-- November 13,1998
-- Copyright 1998, 1999 Packeteer, Inc.
PACKETEER-RTM-MIB DEFINITIONS ::= BEGIN
IMPORTS
    IpAddress, Gauge, Counter FROM RFC1155-SMI
    OBJECT-TYPE FROM RFC-1212
    DateAndTime FROM SNMPv2-TC
    psCommonMib, classIndex FROM PACKETEER-MIB;
-- Packeteer Response Time Management MIB
psClassResponseTimes OBJECT IDENTIFIER ::= { psCommonMib 7 }
62
OID
An object identifier (OID) is a unique set of numbers that allows Objectivity/DB to locate and manage persistent objects. An OID is 64 bits in length and is composed of four 16-bit fields in the format DB-OC-PG-SL, where:
DB - database identifier (dbid)
OC - container identifier
PG - logical page number
SL - logical slot number on the page
OID values do not change during the lifetime of an object.
63
OID Example
OID tree (MIB browser listing of PACKETEER-MIB nodes, each an oid-value-assignment): packeteer, products, packetShaper (repeated for each product model, including packetShaper-asm30, packetShaper-asm50, packetShaper-asm70, packetShaper-asm90 and packetShaper-asm110), packeteerMibs, psCommonMib, psSettings, psShapingStatusOper
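The manager/agent exchange and the MIB tree described on the SNMP, MIB and OID slides above can be run through in miniature. The following is an added example (not from the workshop or from Packeteer): a toy agent whose MIB is a sorted map of OID paths, so that Get-next returns the next object in tree order and an snmpwalk is just repeated Get-next calls, and whose only access control is the community string. The object values are constructed; the OIDs are standard MIB-2 system and interfaces objects.

```python
from typing import Any, Dict, List, Optional, Tuple


def parse_oid(text: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0); each number is one
    step down the MIB tree, so the tuple is the object's path."""
    return tuple(int(part) for part in text.strip(".").split("."))


def format_oid(oid: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in oid)


# Constructed sample of one device's MIB; values are made up for the example.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "Constructed sample switch",   # sysDescr.0
    "1.3.6.1.2.1.1.5.0": "lab-switch",                  # sysName.0
    "1.3.6.1.2.1.2.1.0": 2,                             # ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.1": "FastEthernet0/1",         # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "GigabitEthernet0/2",      # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 123456,                   # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 654321,                   # ifInOctets.2
}


class MibAgent:
    """Toy SNMPv1/v2c agent: an OID->value map plus community string checks."""

    def __init__(self, objects: Dict[str, Any],
                 read_community: str = "public", write_community: str = "private"):
        self.objects = {parse_oid(k): v for k, v in objects.items()}
        self.read_community = read_community
        self.write_community = write_community

    def is_authorized(self, community: str, write: bool = False) -> bool:
        # The community string is the whole of v1/v2c "security": the read
        # string allows Get/Get-next, the read/write string also allows Set.
        expected = self.write_community if write else self.read_community
        return community == expected

    def _authorize(self, community: str, write: bool = False) -> None:
        if not self.is_authorized(community, write):
            raise PermissionError("community string rejected")

    def get(self, community: str, oid: str) -> Any:
        """Get: the value of exactly this OID (None stands in for noSuchName)."""
        self._authorize(community)
        return self.objects.get(parse_oid(oid))

    def get_next(self, community: str, oid: str) -> Optional[Tuple[str, Any]]:
        """Get-next: the first object whose OID sorts after `oid` in tree order."""
        self._authorize(community)
        key = parse_oid(oid)
        for candidate in sorted(self.objects):
            if candidate > key:
                return format_oid(candidate), self.objects[candidate]
        return None                      # end of MIB

    def set(self, community: str, oid: str, value: Any) -> None:
        """Set: needs the read/write community and an existing object."""
        self._authorize(community, write=True)
        key = parse_oid(oid)
        if key not in self.objects:
            raise KeyError("noSuchName")
        self.objects[key] = value


def walk(agent: MibAgent, community: str, subtree: str) -> List[Tuple[str, Any]]:
    """What snmpwalk does: chain Get-next calls until the OID leaves `subtree`."""
    base = parse_oid(subtree)
    results, current = [], subtree
    while True:
        nxt = agent.get_next(community, current)
        if nxt is None or parse_oid(nxt[0])[:len(base)] != base:
            return results
        results.append(nxt)
        current = nxt[0]


if __name__ == "__main__":
    agent = MibAgent(SAMPLE_MIB)
    for oid, value in walk(agent, "public", "1.3.6.1.2.1.2.2.1.2"):   # ifDescr column
        print(oid, "=", value)
```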
64
Syslog
A network standard protocol and format that allows you to log significant system information to a remote server. Syslog is available in every major managed network device including switches, routers and firewalls.
Levels
Emergency - A panic condition. This is normally broadcast to all users.
Alert - A condition that should be corrected immediately, such as a corrupted system file.
Critical - Critical conditions, e.g., hardware errors.
Error - System errors.
Warning - Warning messages.
Notice - Conditions that are not error conditions, but should possibly be handled specially.
Info - Informational messages.
Debug - Messages that contain information normally of use only when debugging a program.
65
Syslog Example
:00:07 Local4.Info Jun :00:07: %PIX : Deny TCP (no connection) from /3683 to /80 flags RST on interface outside
:00:07 Local4.Warning Jun :00:07: %PIX : Deny tcp src inside: /3658 dst outside: /80 by access-group "acl_in"
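The level names above are what a collector shows for the numeric severity carried in each message, and firewall denies like the two PIX lines are the first thing worth pulling out of a syslog feed. The following added example (not from the workshop) parses lines in the same Facility.Severity layout, computes the syslog priority value (facility times 8 plus severity), extracts both PIX deny forms, and counts denies per source at or above a chosen level. The log lines are constructed with documentation-range addresses and are not the slide's own data.

```python
import re
from collections import Counter
from typing import Optional

# Facility and severity numbering from the syslog protocol (RFC 3164).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{n}": 16 + n for n in range(8)}}
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# Constructed sample lines in the layout of the slide's example (collector
# timestamp, Facility.Severity, sending host, then the device's own message).
SAMPLE_LOG = """\
06-22-2004 10:00:07 Local4.Info 192.0.2.1 Jun 22 2004 10:00:07: %PIX-6-106015: Deny TCP (no connection) from 198.51.100.9/3683 to 203.0.113.5/80 flags RST on interface outside
06-22-2004 10:00:07 Local4.Warning 192.0.2.1 Jun 22 2004 10:00:07: %PIX-4-106023: Deny tcp src inside:10.0.0.5/3658 dst outside:198.51.100.7/80 by access-group "acl_in"
06-22-2004 10:00:08 Local4.Warning 192.0.2.1 Jun 22 2004 10:00:08: %PIX-4-106023: Deny udp src inside:10.0.0.5/1029 dst outside:198.51.100.7/69 by access-group "acl_in"
06-22-2004 10:00:09 Local4.Info 192.0.2.1 Jun 22 2004 10:00:09: %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/80 to inside:10.0.0.6/3700
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<fac>\w+)\.(?P<sev>\w+) (?P<host>\S+) (?P<msg>.*)$")
# "Deny TCP (no connection) from a/p to b/q flags F on interface X"
NOCONN_RE = re.compile(
    r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\w+)")
# "Deny tcp src inside:a/p dst outside:b/q by access-group "name""
ACL_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\"")


def parse_line(line: str) -> Optional[dict]:
    """Split one collector line into facility, severity, PRI, host and message,
    and attach the decoded deny details when the message is a PIX deny."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, sev = m["fac"].lower(), m["sev"].lower()
    if fac not in FACILITIES or sev not in SEVERITIES:
        return None
    rec = {"host": m["host"], "facility": fac, "severity": sev,
           "severity_code": SEVERITIES.index(sev),
           "pri": FACILITIES[fac] * 8 + SEVERITIES.index(sev),
           "message": m["msg"], "deny": None}
    d = ACL_RE.search(m["msg"])
    if d:
        rec["deny"] = {**d.groupdict(), "reason": "acl"}
    else:
        d = NOCONN_RE.search(m["msg"])
        if d:
            rec["deny"] = {**d.groupdict(), "reason": "no-connection"}
    return rec


def deny_summary(log_text: str, min_severity: str = "warning") -> Counter:
    """Count denies at `min_severity` or more urgent, keyed by (source, acl or reason)."""
    threshold = SEVERITIES.index(min_severity)
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["deny"] and rec["severity_code"] <= threshold:
            d = rec["deny"]
            counts[(d["src"], d.get("acl", d["reason"]))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["pri"], rec["severity"], rec["deny"])
    print(deny_summary(SAMPLE_LOG, "info"))
```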
66
Network Monitoring Tools (Chapter 3 of Secondary Text)
MRTG (p. 39)
STG
Network Management Systems
Ping Plotters
67
MRTG
“The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing graphical images which provide a LIVE visual representation of this traffic.”
Runs on Windows and Linux
Developed for routers but can monitor nearly any network device with a MIB table or anything that can generate SNMP traffic readable by MRTG
Can also be used to monitor:
Traffic jams in the Netherlands
Current temperature
Status of soft drinks in a machine
Number of times a door is opened
68
MRTG Example
69
STG
STG (SNMP Traffic Grapher) is a real time monitor of traffic. MRTG is great for trending, whereas STG can give you an at-the-moment look at your network. Good for monitoring current events or determining a trend. The difficulty of utilizing STG is knowing what the proper OID is for the device you desire to monitor. Definitely save your configurations once you have the proper OID determined.
70
Network Management Systems
A software package used in monitoring, controlling and managing a data communications network. Often utilizes SNMP, Syslog, and Ping. Allows the network admin to visualize and manage a large network from a single location.
Open Source
JFFNMS
OpenNMS
Commercial (can be very expensive)
CiscoWorks
HP Openview
Unicenter
71
Open NMS Example
72
JFFNMS Example
73
HP OpenView
74
Cisco Works
75
Ping Plotter
Ping plotters are great for trending connectivity. A basic form of a network monitoring system. Good at showing temporal connectivity issues over time.
76
Wireless Network Tools
Chapter 8 Wireless Network Tools
Wireless Client
Kismet
Netstumbler
Cantenna
Wardriving
77
Wireless LAN Client
The drivers themselves often contain useful hacking tools:
Network identification
Firmware versions
IP address of client and/or WAP
Hop information
SSID
Signal strength
Signal quality
Network type
MAC addresses
78
Air Snort/Kismet
Air Snort and Kismet capture wireless network packets. Currently only unix/linux versions; Windows in development.
WEP key recovery is possible due to statistical analysis of plaintext and “weak” IVs
Leverages “weak” IVs: a large class of weak IVs that can be generated by RC4
Passive attack, but can be more effective if coupled with an active attack
What is a “weak IV”?
In the RC4 algorithm the Key Scheduling Algorithm (KSA) creates an IV-based key from the base key
A flaw in the WEP implementation of RC4 allows “weak” IVs to be generated
Those IVs “give away" information about the key bytes they were derived from
An attacker will collect enough weak IVs to reveal bytes of the base key
79
Netstumbler
Netstumbler is available for many OSes.
Who should use this program?
Security folks wanting to check that their corporate LAN isn't wide open
Systems admins wanting to check coverage of their Wireless LAN
Gatherers of demographic information about popularity
Drive-by snoopers
Overly curious bystanders
80
Netstumbler Map
81
Cantenna ( http://www.cantenna.com )
Extends the range of a client and/or access point
Legitimate uses as well
82
War Driving “Wireless LAN war drivers routinely cruise their immediate areas in cars equipped with laptops loaded with a wireless LAN card, an external high-gain antenna and a GPS receiver. The wireless LAN card and GPS receiver feed signals into freeware, such as NetStumbler, which detects APs and their identifiers along with their GPS-derived locations. NetStumbler also automatically detects whether or not built-in Wi-Fi Wired Equivalent Protocol (WEP) is turned on or off. More malevolent war-drivers may use Air-Snort or Kismet, tools designed to crack WEP. The term war-driving is derived from the "war-dialing" exploits of a teenage hacker in the 1983 movie WarGames who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command and control system. “ (Retrieved May 22, 2003, from
83
Chapter 9 Traffic Management
Packetshaping
Advanced VLANs
Advanced ACLs (Router/Firewall)
84
Packetshaping (based on Packeteer Packetshaper abilities)
Identify packets at the Application Layer
  Even identify Citrix Winframes and Oracle databases
Monitor Bandwidth Usage (Current, 1 Minute, Peak)
Monitor Top Talkers / Top Listeners
Bandwidth Trends up to 30 days
Manage packet flow
Manage bandwidth usage
Management Options:
  Rate (for TCP): available per flow; Guaranteed Bandwidth and/or Maximum Bandwidth
  Priority (for UDP)
  Never Admit
  Ignore
  Partition: Guaranteed Bandwidth or Maximum Bandwidth
85
Advanced VLANs
VLANs can be used for more than just segmenting network traffic into separate collision domains and allowing networks to span buildings. When you combine them with Access Control Lists you can CONTROL network traffic flows on your LAN.
Traffic Management Usage:
DMZs (sans Firewall) – Internet Only Servers, Honeypots, etc.
Privileged Networks (secure access – Administrative Networks)
General Networks (limited access – Residential Networks)
Public Networks (minimal access – Guest Networks)
86
Advanced ACLs * Example from a Cisco 3550 Layer 3 Switch *
ip access-list extended public_allow_acl_vlan2
 remark Google Search Appliance
 permit ip host
 permit ip host
 remark Webserve
 permit ip host
 permit ip host
 remark Alumnisrv1
 permit ip host
 permit ip host
ip access-list extended public_block_acl_general
 remark Blocks access to non-approved servers
 permit ip any
 permit ip any
ip access-list extended public_ping_block
 permit icmp any any
87
Advanced ACLs * Example from a Cisco 3550 Layer 3 Switch *
vlan access-map public_block_map_vlan2 10
 action forward
 match ip address public_allow_acl_vlan2
vlan access-map public_block_map_vlan2 20
 action drop
 match ip address public_block_acl_general
vlan access-map public_block_map_vlan2 30
vlan access-map public_block_map_general 10
vlan access-map public_block_map_general 20
vlan access-map public_ping_block_map 10
 match ip address public_ping_block
vlan access-map public_ping_block_map 20
vlan filter public_block_map_vlan2 vlan-list 2
vlan filter public_block_map_general vlan-list 3-41,43-129
! vlan filter takes the access-map name, not the ACL name public_ping_block
vlan filter public_ping_block_map vlan-list 42
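As an added example (not the slide's or Cisco's own code), this Python lint parses a VACL configuration and reports match clauses that name an undefined ACL, filters that name an undefined access-map, VLANs listed under two filters, and map entries with no match clause (which match all remaining traffic). The config embedded in it is constructed after the slide's example, with the last filter line deliberately misnaming the access-map so the check has something to report.

```python
# Added example, not from the workshop or Cisco: a lint for Catalyst VACL
# configuration. SAMPLE_CONFIG is constructed after the slide's example;
# its last line deliberately names the ACL instead of the access-map, and
# VLAN 2 is deliberately listed under two filters.
import re

SAMPLE_CONFIG = """\
ip access-list extended public_allow_acl_vlan2
ip access-list extended public_ping_block
vlan access-map public_block_map_vlan2 10
 action forward
 match ip address public_allow_acl_vlan2
vlan access-map public_block_map_vlan2 30
vlan access-map public_ping_block_map 10
 match ip address public_ping_block
vlan filter public_block_map_vlan2 vlan-list 2
vlan filter public_ping_block vlan-list 42,2
"""

def parse_vlan_list(spec: str) -> set:
    """Expand an IOS vlan-list such as '3-41,43-129' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def lint_vacl(config: str) -> list:
    """Return problem strings; an empty list means the VACL is consistent."""
    acls, maps, filters, problems, current = set(), {}, {}, [], None
    for line in config.splitlines():
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            acls.add(m[1])
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            current = (m[1], int(m[2]))
            maps[current] = []          # ACL names matched by this entry
        elif m := re.match(r"\s+match ip address (\S+)", line):
            maps[current].append(m[1])
            if m[1] not in acls:
                problems.append(f"undefined ACL {m[1]} in {current[0]} seq {current[1]}")
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)", line):
            if m[1] not in {name for name, _ in maps}:
                problems.append(f"vlan filter names undefined access-map {m[1]}")
            for vlan in parse_vlan_list(m[2]):
                if vlan in filters:     # IOS applies one VACL per VLAN
                    problems.append(f"VLAN {vlan} listed under both {filters[vlan]} and {m[1]}")
                filters[vlan] = m[1]
    for (name, seq), acl_refs in maps.items():
        if not acl_refs:
            problems.append(f"{name} seq {seq} has no match clause (matches all traffic)")
    return problems
```

`lint_vacl(SAMPLE_CONFIG)` reports the misnamed access-map, the doubly filtered VLAN 2, and the catch-all sequence 30.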
88
Custom Network Tool Design (Chapter 10 of Secondary Text)
Perl (p. 214)
PHP/ASP
Java/Javascript/VBScript
BASH/WSH
89
Perl (Practical Extraction and Reporting Language)
Created for text parsing and formatting
Scripting language. It is not compiled; it has to be run through an interpreter
There is a (proprietary) compiler for Windows, perl2exe
Uses Regular Expressions (RegEx)
Mostly procedural; however, the ability to work with objects has been added in recent versions
Can be used to write web applications
Can be used to create stand-alone scripts
90
PHP
Free Web scripting language
Works with Apache / Tomcat
Object oriented
Powerful and fast
Not as verbose (wordy) as ASP
Used to write web applications
91
ASP
Microsoft’s web scripting language
Works well with IIS
Based on VB
Object oriented
Used to write web applications
We managed to build church management software with it.
92
Java
Very object oriented
Cross platform
It is an interpreted language; it has to run inside the JRE
Can be used as a web scripting language
Can also be used to write stand-alone applications
Can also be used to provide applets or servlets inside other pages
93
Javascript
Web scripting language
Used to provide dynamic client side interaction on the web
Can update / change the DOM on the fly
Can be used inside any other type of web page
Sensitive to browser interpretations
94
So what can we do with them?
SNMP management
Database interaction
Web-based applications
Web-based front-ends to other more powerful applications
Reporting / Trending
95
Appendix A Workshop Lab Setup Lab Network Share \\10.1.1.30\iccm\
Username: iccm Password: iccm
96
NMT Workshop Network iccm_2500 – 172.16.30.1
Password: iccm Enable Password: iccm
97
NMT Workshop Win2K Server
Windows 2000 Service Pack 3
Username: administrator
Password: iccm
Software Installed:
Active Perl
Ethereal
Kiwi Syslog (monitoring NMT Network)
Languard
MRTG
NessusWX
NMAPWin
98
NMT Workshop Linux Server
Red Hat Linux 9
Username: root
Password: iccmiccm
Software Installed:
Ethereal
Nagios
Nessus
OpenNMS
99
NMT Workshop PCs
Lab PCs Dual Boot Windows XP/Red Hat 9
Lab PCs Windows XP
Username: administrator
Password: iccm
Lab PCs Linux
Username: root
Password: iccmiccm
100
Primary Sources
Linksys Group, Inc http://www.linksys.com
Cisco, Inc.
Open Source Network Management By James Kretchmar, Copyright 2004
Data and Computer Communications (Seventh Edition) By William Stallings, Copyright 2003
Personal Experience and Research
T.R. Knight, Network Services Manager, Taylor University