SysAdminMagazine

Keep up the
Good Network

# 44
 SysAdmin Magazine January 2019

SysAdmin Contents
Magazine

03 Network devices explained

№ 44 January ‘19
07 Network security devices you need to know about

17 Why monitoring of network devices is critical for network security

SysAdmin Magazine is a free 20 Network security best practices

source of knowledge for IT Pros
who are eager to keep a tight
grip on network security and do 27 Top 10 best network monitoring tools
the job faster.

33 Free tool of the month: Netwrix Auditor for Network Devices

34 How- to: How to monitor user logоns in a domain

The Sysadmin Magazine team

sysadmin.magazine@netwrix.com

2
 SysAdmin Magazine January 2019

To build a strong network and defend it, you need to un-
derstand the devices that comprise it.
What are network devices?
Network devices, or networking hardware, are physical de-
Hub
Hubs connect multiple computer networking devices to-
gether. A hub also acts as a repeater in that it amplifies
signals that deteriorate after traveling long distances over
connecting cables. A hub is the simplest in the family of
network connecting devices because it connects LAN com-
ponents with identical protocols.

Jeff Melnick
vices that are required for communication and interaction
A hub can be used with both digital and analog data, pro-
between hardware on a computer network.
vided its settings have been configured to prepare for the
IT Security Expert, Blogger formatting of the incoming data. For example, if the in-
coming data is in digital format, the hub must pass it on as
packets; however, if the incoming data is analog, then the
Types of network devices hub passes it on in signal form.

Here is the common network device list:

Hubs do not perform packet filtering or addressing func-
Hub tions; they just send data packets to all connected devices.
Switch Hubs operate at the Physical layer of the Open Systems
Router Interconnection (OSI) model. There are two types of hubs:
Bridge simple and multiple port.
Gateway
Modem
Repeater

Network devices Switch

Access Point

explained
Switches generally have a more intelligent role than hubs. A
switch is a multiport device that improves network efficien-

3

cy. The switch maintains limited routing information about
nodes in the internal network, and it allows connections to
systems like hubs or routers. Strands of LANs are usually
connected using switches. Generally, switches can read the
hardware addresses of incoming packets to transmit them
to the appropriate destination.
Using switches improves network efficiency over hubs or
routers because of the virtual circuit capability. Switches
also improve network security because the virtual circuits
are more difficult to examine with network monitors. You
can think of a switch as a device that has some of the best ca-
pabilities of routers and hubs combined. A switch can work
at either the Data Link layer or the Network layer of the OSI
model. A multilayer switch is one that can operate at both
layers, which means that it can operate as both a switch and
a router. A multilayer switch is a high-performance device
that supports the same routing protocols as routers.
Switches can be subject to distributed denial of service
(DDoS) attacks; flood guards are used to prevent malicious
traffic from bringing the switch to a halt. Switch port secu-
rity is important so be sure to secure switches: Disable all
unused ports and use DHCP snooping, ARP inspection and
MAC address filtering.
4
SysAdmin Magazine January 2019
Router ministrators. The routes themselves can be configured as stat-
ic or dynamic. If they are static, they can only be configured
Routers help transmit packets to their destinations by charting
manually and stay that way until changed. If they are dynamic,
a path through the sea of interconnected networking devices
they learn of other routers around them and use information
using different network topologies. Routers are intelligent de-
about those routers to build their routing tables.
vices, and they store information about the networks they’re
connected to. Most routers can be configured to operate as
Routers are general-purpose devices that interconnect two or
packet-filtering firewalls and use access control lists (ACLs).
more heterogeneous networks. They are usually dedicated
Routers, in conjunction with a channel service unit/data ser-
to special-purpose computers, with separate input and out-
vice unit (CSU/DSU), are also used to translate from LAN fram-
put network interfaces for each connected network. Because
ing to WAN framing. This is needed because LANs and WANs
routers and gateways are the backbone of large computer
use different network protocols. Such routers are known as
networks like the internet, they have special features that give
border routers. They serve as the outside connection of a LAN
them the flexibility and the ability to cope with varying net-
to a WAN, and they operate at the border of your network.
work addressing schemes and frame sizes through segmen-
tation of big packets into smaller sizes that fit the new net-
Router are also used to divide internal networks into two or
work components. Each router interface has its own Address
more subnetworks. Routers can also be connected internally
Resolution Protocol (ARP) module, its own LAN address (net-
to other routers, creating zones that operate independently.
work card address) and its own Internet Protocol (IP) address.
Routers establish communication by maintaining tables about
The router, with the help of a routing table, has knowledge of
destinations and local connections. A router contains infor-
routes a packet could take from its source to its destination.
mation about the systems connected to it and where to send
The routing table, like in the bridge and switch, grows dynami-
requests if the destination isn’t known. Routers usually com-
cally. Upon receipt of a packet, the router removes the packet
municate routing and other information using one of three
headers and trailers and analyzes the IP header by determin-
standard protocols: Routing Information Protocol (RIP), Border
ing the source and destination addresses and data type, and
Gateway Protocol (BGP) or Open Shortest Path First (OSPF).
noting the arrival time. It also updates the router table with
new addresses not already in the table. The IP header and ar-
Routers are your first line of defense, and they must be con-
rival time information is entered in the routing table. Routers
figured to pass only traffic that is authorized by network ad-
normally work at the Network layer of the OSI model.

Bridge
Bridges are used to connect two or more hosts or network
segments together. The basic role of bridges in network
architecture is storing and forwarding frames between
the different segments that the bridge connects. They
use hardware Media Access Control (MAC) addresses for
transferring frames. By looking at the MAC address of the
devices connected to each segment, bridges can forward
the data or block it from crossing. Bridges can also be used
to connect two physical LANs into a larger logical LAN.
Bridges work only at the Physical and Data Link layers of the
OSI model. Bridges are used to divide larger networks into
smaller sections by sitting between two physical network
segments and managing the flow of data between the two.
Bridges are like hubs in many respects, including the fact
that they connect LAN components with identical proto-
cols. However, bridges filter incoming data packets, known
as frames, for addresses before they are forwarded. As it
filters the data packets, the bridge makes no modifications
to the format or content of the incoming data. The bridge
filters and forwards frames on the network with the help
of a dynamic bridge table. The bridge table, which is initial-
ly empty, maintains the LAN addresses for each computer
in the LAN and the addresses of each bridge interface that
connects the LAN to other LANs. Bridges, like hubs, can be
5
either simple or multiple port.
Bridges have mostly fallen out of favor in recent years and
have been replaced by switches, which offer more func-
tionality. In fact, switches are sometimes referred to as
“multiport bridges” because of how they operate.
Gateway
Gateways normally work at the Transport and Session lay-
ers of the OSI model. At the Transport layer and above,
there are numerous protocols and standards from differ-
ent vendors; gateways are used to deal with them. Gate-
ways provide translation between networking technologies
such as Open System Interconnection (OSI) and Transmis-
sion Control Protocol/Internet Protocol (TCP/IP). Because
of this, gateways connect two or more autonomous net-
works, each with its own routing algorithms, protocols, to-
pology, domain name service, and network administration
procedures and policies.
Gateways perform all of the functions of routers and
more. In fact, a router with added translation function-
ality is a gateway. The function that does the translation
between different network technologies is called a proto-
col converter.
SysAdmin Magazine January 2019
Modem
Modems (modulators-demodulators) are used to trans-
mit digital signals over analog telephone lines. Thus, digital
signals are converted by the modem into analog signals of
different frequencies and transmitted to a modem at the
receiving location. The receiving modem performs the re-
verse transformation and provides a digital output to a de-
vice connected to a modem, usually a computer. The digital
data is usually transferred to or from the modem over a
serial line through an industry standard interface, RS-232.
Many telephone companies offer DSL services, and many
cable operators use modems as end terminals for identi-
fication and recognition of home and personal users. Mo-
dems work on both the Physical and Data Link layers.
Repeater
A repeater is an electronic device that amplifies the signal
it receives. You can think of repeater as a device which re-
ceives a signal and retransmits it at a higher level or higher
power so that the signal can cover longer distances, more
than 100 meters for standard LAN cables. Repeaters work
on the Physical layer.

Access point
While an access point (AP) can technically involve either a
wired or wireless connection, it commonly means a wire-
less device. An AP works at the second OSI layer, the Data
Link layer, and it can operate either as a bridge connect-
ing a standard wired network to wireless devices or as a
router passing data transmissions from one access point
to another.
Wireless access points (WAPs) consist of a transmitter and
receiver (transceiver) device used to create a wireless LAN
(WLAN). Access points typically are separate network devic-
es with a built-in antenna, transmitter and adapter. APs use
the wireless infrastructure network mode to provide a con-
nection point between WLANs and a wired Ethernet LAN.
They also have several ports, giving you a way to expand
the network to support additional clients. Depending on the
size of the network, one or more APs might be required to
provide full coverage. Additional APs are used to allow ac-
cess to more wireless clients and to expand the range of
the wireless network. Each AP is limited by its transmission
range — the distance a client can be from an AP and still ob-
tain a usable signal and data process speed. The actual dis-
tance depends on the wireless standard, the obstructions
and environmental conditions between the client and the
AP. Higher end APs have high-powered antennas, enabling
them to extend how far the wireless signal can travel.
6
SysAdmin Magazine January 2019
APs might also provide many ports that can be used to in-
crease the network’s size, firewall capabilities and Dynamic
Having a solid understanding of the types of network de-
Host Configuration Protocol (DHCP) service. Therefore, we
vices available can help you design and built a network
get APs that are a switch, DHCP server, router and firewall.
that is secure and serves your organization well. However,
To connect to a wireless AP, you need a service set iden-
to ensure the ongoing security and availability of your net-
tifier (SSID) name. 802.11 wireless networks use the SSID
work, you should carefully monitor your network devices
to identify all systems belonging to the same network, and
and activity around them, so you can quickly spot hard-
client stations must be configured with the SSID to be au-
ware issues, configuration issues and attacks.
thenticated to the AP. The AP might broadcast the SSID, al-
lowing all wireless clients in the area to see the AP’s SSID.
However, for security reasons, APs can be configured not
to broadcast the SSID, which means that an administrator
needs to give client systems the SSID instead of allowing it
to be discovered automatically. Wireless devices ship with
default SSIDs, security settings, channels, passwords and
usernames. For security reasons, it is strongly recommend-
ed that you change these default settings as soon as pos-
sible because many internet sites list the default settings
used by manufacturers.
Access points can be fat or thin. Fat APs, sometimes still
referred to as autonomous APs, need to be manually con-
figured with network and security settings; then they are
essentially left alone to serve clients until they can no lon-
ger function. Thin APs allow remote configuration using a
controller. Since thin clients do not need to be manually
configured, they can be easily reconfigured and monitored.
Access points can also be controller-based or stand-alone.

Using the proper devices and solutions can help you de-
fend your network. Here are the most common types of
network security devices that can help you secure your
network against external attacks:
Firewall
Jeff Melnick
A firewall device is one of the first lines of defense in a net-
work because it isolates one network from another. Fire-
IT Security Expert, Blogger
walls can be standalone systems or they can be included
in other infrastructure devices, such as routers or servers.
You can find both hardware and software firewall solu-
tions; some firewalls are available as appliances that serve
as the primary device separating two networks.
Firewalls exclude unwanted and undesirable network traf-
fic from entering the organization’s systems. Depending
on the organization’s firewall policy, the firewall may com-
pletely disallow some traffic or all traffic, or it may perform
a verification on some or all of the traffic. There are two
Network security
commonly used types of firewall policies:
Whitelisting — The firewall denies all connections ex-
devices you need
cept for those specifically listed as acceptable.
to know about
Blacklisting — The firewall allows all connections ex-
cept those specifically listed as unacceptable.
7
SysAdmin Magazine January 2019
There are four types of firewalls: packet-filtering firewalls,
stateful packet-filtering firewalls, proxy firewalls and web
application firewalls.
Packet-filtering firewall
A packet-filtering firewall is a primary and simple type of
network security firewall. It has filters that compare in-
coming and outgoing packets against a standard set of
rules to decide whether to allow them to pass through. In
most cases, the ruleset (sometimes called an access list)
is predefined, based on a variety of metrics. Rules can in-
clude source/destination IP addresses, source/destination
port numbers, and protocols used. Packet filtering occurs
at Layer 3 and Layer 4 of the OSI model. Here are the com-
mon filtering options:
The source IP address of the incoming packets — IP
packets indicate where they were originated. You can
approve or deny traffic by its source IP address. For
example, many unauthorized sites or botnets can be
blocked based on their IP addresses.
The destination IP addresses — Destination IP ad-
dresses are the intended location of the packet at the
receiving end of a transmission. Unicast packets have a
single destination IP address and are normally intend-
ed for a single machine. Multicast or broadcast packets

have a range of destination IP addresses and normally are
destined for multiple machines on the network. Rulesets
can be devised to block traffic to a particular IP address on
the network to lessen the load on the target machine. Such
measures can also be used to block unauthorized access
to highly confidential machines on internal networks.
The type of Internet protocols the packet contains
— Layer 2 and Layer 3 packets include the type of pro-
tocol being used as part of their header structure. These
packets can be any of the following types:
Normal data-carrying IP packet
Message control packet (ICMP)
Address resolution packet (ARP)
Reverse Address Resolution Protocol (RARP)
Boot-up Protocol (BOOTP)
Dynamic Host Configuration Protocol (DHCP)
Filtering can be based on the protocol information that the
packets carry so you can block traffic that is transmitted by
a certain protocol.
The main advantage of packet-filtering firewalls is the
speed at which the firewall operations are achieved, be-
cause most of the work takes place at Layer 3 or below
and complex application-level knowledge is not required.
Most often, packet-filtering firewalls are employed at the
very periphery of an organization’s security networks. For
8
example, packet-filtering firewalls are highly effective in
protecting against denial-of-service (DoS) attacks that aim
to take down sensitive systems on internal networks.
However, they have some minuses, too. Because pack-
et-filtering firewalls work at OSI Layer 3 or lower, it is
impossible for them to examine application-level data.
Therefore, application-specific attacks can easily get into
internal sensitive networks. When an attacker spoofs net-
work IP addresses, firewall filters are ineffective at filtering
this Layer 3 information. Many packet-filtering firewalls
cannot detect spoofed IP or ARP addresses. The main rea-
son for deploying packet-filtering firewalls is to defend
against the most general denial-of-service attacks and not
against targeted attacks.
Stateful packet-filtering firewall
Stateful packet-filtering techniques use a sophisticated ap-
proach, while still retaining the basic abilities of packet-fil-
tering firewalls. The main thing is that they work at Layer
4 and the connection pairs usually consist of these four
parameters:
The source address
The source port
The destination address
The destination port
SysAdmin Magazine January 2019
Stateful inspection techniques employ a dynamic memo-
ry that stores the state tables of the incoming and estab-
lished connections. Any time an external host requests a
connection to your internal host, the connection parame-
ters are written to the state tables. As with packet-filtering
firewalls, you can create rules to define whether certain
packets can pass through. For example, a firewall rule can
require dropping packets that contain port numbers high-
er than 1023, as most servers respond on standard ports
numbered from zero to 1023.
Even though stateful packet filtering firewalls do a good
job, they are not as flexible or as robust as regular pack-
et-filtering firewalls. Incorporating a dynamic state table
and other features into the firewall makes the architec-
ture more complex, which directly slows the speed of op-
eration. This appears to users as a decrease in network
performance speed. In addition, stateful packet filtering
firewalls cannot completely access higher-layer protocols
and application services for inspection.
The difference between stateful packet-filtering firewalls
and simple packet-filtering firewalls is that stateful packet
filtering tracks the entire conversation, while packet filter-
ing looks at only the current packet. Stateful inspections
occur at all levels of the network and provide additional se-
curity, especially in connectionless protocols, such as User
Datagram Protocol and Internet Control Message Protocol.

Proxy firewall
Proxy firewalls aim for the Application layer in the OSI
model for their operations. Such proxies can be deployed
in between a remote user (who might be on a public net-
work such as the internet) and the dedicated server on the
internet. All that the remote user discovers is the proxy,
so he doesn’t know the identity of the server he is actually
communicating with. Similarly, the server discovers only
the proxy and doesn’t know the true user.
A proxy firewall can be an effective shielding and filtering
mechanism between public networks and protected inter-
nal or private networks. Because applications are shield-
ed by the proxy and actions take place at the application
level, these firewalls are very effective for sensitive appli-
cations. Authentication schemes, such as passwords and
biometrics, can be set up for accessing the proxies, which
fortifies security implementations. This proxy system en-
ables you to set a firewall to accept or reject packets based
on addresses, port information and application informa-
tion. For instance, you can set the firewall to filter out all
incoming packets belonging to EXE files, which are often
infected with viruses and worms. Proxy firewalls generally
keep very detailed logs, including information on the data
portions of packets.
The main disadvantage in using application proxy firewalls
9
is speed. Because these firewall activities take place at the
application level and involve a large amount of data pro-
cessing, application proxies are constrained by speed and
cost. Nevertheless, application proxies offer some of the
best security of all the firewall technologies.
Web application firewall (WAF)
Web application firewalls are built to provide web applica-
tions security by applying a set of rules to an HTTP conver-
sation. Because applications are online, they have to keep
certain ports open to the internet. This means attackers
can try specific website attacks against the application and
the associated database, such as cross-site scripting (XSS)
and SQL injection.
While proxy firewalls generally protect clients, WAFs pro-
tect servers. Another great feature of WAFs is that they
detect distributed denial of service (DDoS) attacks in their
early stages, absorb the volume of traffic and identify the
source of the attack.
Intrusion detection system (IDS)
An IDS enhances cybersecurity by spotting a hacker or
malicious software on a network so you can remove it
SysAdmin Magazine January 2019
promptly to prevent a breach or other problems, and use
the data logged about the event to better defend against
similar intrusion incidents in the future. Investing in an IDS
that enables you respond to attacks quickly can be far less
costly than rectifying the damage from an attack and deal-
ing with the subsequent legal issues.
From time to time, attackers will manage to compromise
other security measures, such as cryptography, firewalls
and so on. It is crucial that information about these com-
promises immediately flow to administrators — which can
be easily accomplished using an intrusion detection system.
Deploying an IDS can also help administrators proactively
identify vulnerabilities or exploits that a potential attacker
could take advantage of. Intrusion detection systems can
be grouped into the following categories:
Host-based IDS
Network-based IDS
Intrusion prevention system (IPS)
Host-based intrusion detection systems
Host-based IDSs are designed to monitor, detect and
respond to activity and attacks on a given host. In most
cases, attackers target specific systems on corporate net-
works that have confidential information. They will often

try to install scanning programs and exploit other vulner-
abilities that can record user activity on a particular host.
Some host-based IDS tools provide policy management,
statistical analytics and data forensics at the host level.
Host-based IDSs are best used when an intruder tries to
access particular files or other services that reside on the
host computer. Because attackers mainly focus on oper-
ating system vulnerabilities to break into hosts, in most
cases, the host-based IDS is integrated into the operating
systems that the host is running.
Network-based intrusion detection systems
Network traffic based IDSs capture network traffic to de-
tect intruders. Most often, these systems work as packet
sniffers that read through incoming traffic and use spe-
cific metrics to assess whether a network has been com-
promised. Various internet and other proprietary proto-
cols that handle messages between external and internal
networks, such as TCP/IP, NetBEUI and XNS, are vulner-
able to attack and require additional ways to detect ma-
licious events. Frequently, intrusion detection systems
have difficulty working with encrypted information and
traffic from virtual private networks. Speed over 1Gbps
is also a constraining factor, although modern and costly
network-based IDSs have the capability to work fast over
this speed.
10
Cooperative agents are one of the most important com-
ponents of a distributed intrusion detection architecture.
An agent is an autonomous or semi-autonomous piece
of software that runs in the background and performs
useful tasks for another. Relative to IDSs, an agent is gen-
erally a piece of software that senses intrusions locally
and reports attack information to central analysis serv-
ers. The cooperative agents can form a network among
themselves for data transmission and processing. The
use of multiple agents across a network allows a broader
view of the network than might be possible with a single
IDS or centralized IDSs.
Intrusion prevention system (IPS)
An IPS is a network security tool that can not only detect
intruders, but also prevent them from successfully launch-
ing any known attack. Intrusion prevention systems com-
bine the abilities of firewalls and intrusion detection sys-
tems. However, implementing an IPS on an effective scale
can be costly, so businesses should carefully assess their
IT risks before making the investment. Moreover, some in-
trusion prevention systems are not as fast and robust as
some firewalls and intrusion detection systems, so an IPS
might not be an appropriate solution when speed is an
absolute requirement.
SysAdmin Magazine January 2019
One important distinction to make is the difference be-
tween intrusion prevention and active response. An active
response device dynamically reconfigures or alters net-
work or system access controls, session streams or individ-
ual packets based on triggers from packet inspection and
other detection devices. Active response happens after
the event has occurred; thus, a single packet attack will be
successful on the first attempt but will be blocked in future
attempts; for example, a DDoS attack will be successful on
the first packets but will be blocked afterwards. While ac-
tive response devices are beneficial, this one aspect makes
them unsuitable as an overall solution. Network intrusion
prevention devices, on the other hand, are typically inline
devices on the network that inspect packets and make de-
cisions before forwarding them on to the destination. This
type of device has the ability to defend against single pack-
et attacks on the first attempt by blocking or modifying the
attack inline. Most important, an IPS must perform packet
inspection and analysis at wire speed. Intrusion preven-
tion systems should be performing detailed packet inspec-
tion to detect intrusions, including application-layer and
zero-day attacks.
System or host intrusion prevention devices are also inline
at the operating system level. They have the ability to inter-
cept system calls, file access, memory access, processes and
other system functions to prevent attacks. There are several
intrusion prevention technologies, including the following:

System memory and process protection — This type
of intrusion prevention strategy resides at the system
level. Memory protection consists of a mechanism to
prevent a process from corrupting the memory of an-
other process running on the same system. Process
protection consists of a mechanism for monitoring pro-
cess execution, with the ability to kill processes that are
suspected of being attacks.
Inline network devices — This type of intrusion pre-
vention strategy places a network device directly in the
path of network communications with the capability to
modify and block attack packets as they traverse the
device’s interfaces. It acts much like a router or fire-
wall combined with the signature-matching capabilities
of an IDS. The detection and response happens in real
time before the packet is passed on to the destination
network.
Session sniping — This type of intrusion prevention
strategy terminates a TCP session by sending a TCP
RST packet to both ends of the connection. When an at-
tempted attack is detected, the TCP RST is sent and the
attempted exploit is flushed from the buffers and thus
prevented. Note that the TCP RST packets must have
the correct sequence and acknowledgement numbers
to be effective.
Gateway interaction devices — This type of intrusion
prevention strategy allows a detection device to dynam-
11
ically interact with network gateway devices such as rout-
ers or firewalls. When an attempted attack is detected, the
detection device can direct the router or firewall to block
the attack.
There are several risks when deploying intrusion prevention
technologies. Most notable is the recurring issue of false
positives in today’s intrusion detection systems. On some
occasions, legitimate traffic will display characteristics simi-
lar to malicious traffic. This could be anything from inadver-
tently matching signatures to uncharacteristically high traffic
volume. Even a finely tuned IDS can present false positives
when this occurs. When intrusion prevention is involved,
false positives can create a denial-of-service (DoS) condition
for legitimate traffic. In addition, attackers who discover or
suspect the use of intrusion prevention methods can pur-
posely create a DoS attack against legitimate networks and
sources by sending attacks with spoofed source IP address-
es. A simple mitigation to some DoS conditions is to use a
whitelisting policy.
Session sniping system identification is another concern
when deploying active response IPSs. When systems termi-
nate sessions with RST packets, an attacker might be able
to discover not only that an IPS is involved but also the type
of underlying system. Readily available passive operating
system identification tools analyze packets to determine
SysAdmin Magazine January 2019
the underlying operating system. This type of information
might enable an attacker to evade the IPS or direct an at-
tack at the IPS.
Another risk with active response IPSs involves gateway
interaction timing and race conditions. In this scenario, a
detection device directs a router or firewall to block the
attempted attack. However, because of network latency,
the attack has already passed the gateway device before it
receives this direction from the detection device. A similar
situation could occur with a scenario that creates a race
condition on the gateway device itself between the attack
and the response. In either case, the attack has a high
chance of succeeding.
When deploying an IPS, you should carefully monitor and
tune your systems and be aware of the risks involved. You
should also have an in-depth understanding of your net-
work, its traffic, and both its normal and abnormal charac-
teristics. It is always recommended to run IPS and active
response technologies in test mode for a while to thor-
oughly understand their behavior.
 SysAdmin Magazine January 2019

Privileged access workstation (PAW) Sensors are deployed throughout a building to monitor contrasts with the traditional method of having point solutions
radio frequencies. The sensors forward the data they for each security function. UTM simplifies information-secu-
A wireless intrusion prevention system (WIPS) is a stand-
collect to a centralized server for further analysis, action rity management because the security administrator has a
alone security device or integrated software application
and archiving. This approach is more expensive because single management and reporting point rather than having
that monitors a wireless LAN network's radio spectrum for
it requires dedicated hardware, but it is also thought to be to juggle multiple products from different vendors. UTM ap-
rogue access points and other wireless security threats.
most effective. pliances have quickly gained popularity, partly because the
all-in-one approach simplifies installation, configuration and
A WIDPS compares the list of MAC addresses of all connected
Most WIDPS have these fundamental components: maintenance. Such a setup saves time, money and people
wireless access points on a network against the list of autho-
when compared to the management of multiple security sys-
rized ones and alerts an IT staff when a mismatch is found. Sensors — Monitor the radio spectrum and forward logs
tems. Here are the features that a UTM can provide:
To avoid MAC address spoofing, some higher-end WIDPSes back to a central management server.
like Cisco ones are able to analyze the unique radio frequency Network firewall
Management server — Receives information captured
signatures that wireless devices generate and block unknown Intrusion detection
by the sensors and takes appropriate defense actions
radio fingerprints. When you find the rogue wireless mobile Intrusion prevention
based on this information.
access point, you can suppress its signal by your access points. Gateway anti-virus
In addition to providing a layer of security for wireless LANS, Database server — Stores and organizes the information Proxy firewall
WIDPSes are also useful for monitoring network performance captured by the sensors. Deep packet inspection
and discovering access points with configuration errors. A Web proxy and content filtering
Console — Provides an interface for administrators to set
WIDPS operates at the Data Link layer level of the OSI model. Data loss prevention (DLP)
up and manage the WIDPS.
Security information and event management (SIEM)
There are three basic ways to deploy a WIDPS: Virtual private network (VPN)
Network tarpit
The wireless access point does double duty, providing net-
work traffic with wireless connectivity while periodically
scanning for rogue access points.
Unified threat management (UTM)
The disadvantages of combining everything into one include
Unified threat management (UTM) is an approach to in- a potential single point of failure and dependence on one
A sensor that is built into the authorized access point con-
formation security in which a single hardware or software vendor. Vendor diversity is considered to be a network se-
tinually scans radio frequencies, looking for unauthorized
installation provides multiple security functions (intrusion curity best practice, so you should assess your risks before
access points.
prevention, antivirus, content filtering and so forth). This deploying such an appliance.

12

Network access control (NAC)
NAC is a network security control device that restricts the
availability of network resources to endpoint devices that
comply with your security policy. Some NAC solutions can
automatically fix non-compliant devices to ensure they are
secure before allowing them to access the network. Net-
work access control does a lot to enhance the endpoint
security of a network. Before giving access to the network,
NAC checks the device’s security settings to ensure that they
meet the predefined security policy; for example, it might
check whether the host has the latest antivirus software
and the latest patches. If the conditions are met, the device
is allowed to enter the network. If not, NAC will quarantine
the endpoint or connect it to the guest network until the
proper security enhancements are made to comply with
policy. NAC can use agents to assess the device’s security or
it can be agentless.
Proxy server
Proxy servers act as negotiators for requests from client
software seeking resources from other servers. A client
connects to the proxy server and requests some service (for
example, a website); the proxy server evaluates the request
and then allows or denies it. Most proxy servers act as for-
13
SysAdmin Magazine January 2019
ward proxies and are used to retrieve data on behalf of the Web filter
clients they serve.
Web filters prevent users’ browsers from loading certain
pages of particular websites. URL filtering involves block-
If a proxy server is accessible by any user on the internet,
ing websites (or sections of websites) based solely on the
then it is said to be an “open” proxy server. A variation is the
URL, restricting access to specified websites and certain
reverse proxy, also known as a “surrogate.” This is an inter-
web-based applications. This is in contrast to content
nal-facing server used as a front-end to control (and pro-
filtering systems, which block data based on its content
tect) access to a server on a private network. The reverse
rather than from where the data originates. Microsoft,
scenario is used for tasks like load-balancing, authentica-
for example, implemented a phishing filter, which act-
tion, decryption and caching — responses from the proxy
ed as a URL filter for their browser, and then replaced it
server are returned as if they came directly from the orig-
with the SmartScreen filter, which runs in the background
inal server, so the client has no knowledge of the original
and sends the address of the website being visited to the
servers. Web application firewalls (described earlier) can be
SmartScreen filter server, where it is compared against a
classified as reverse proxy servers.
list that is maintained of phishing and malware sites. If a
match is found, a blocking web page appears and encour-
Proxies can be transparent or nontransparent. A transpar-
ages you to not continue.
ent proxy does not modify the request or response be-
yond what is required for proxy authentication and iden-
Web filter appliances have additional technologies to
tification; in other words, clients need not be aware of the
block malicious internet web sites. They have a database
existence of the proxy. A nontransparent proxy modifies
of malware sites but also you can create your own list or
the request or response in order to provide some added
service to the user agent, such as group annotation ser-
policy of blocked web sites. You can apply site whitelis-
ting or blacklisting, see every user’s full web site histo-
vices, media type transformation, protocol reduction or
ry, inspect cached pages, and even detect the amount of
anonymity filtering.
downloaded traffic. Analyzing this information will help
you to understand how your users work on the internet
In organizations, proxy servers are usually used for traffic
and what their interests are, so it can be a great advan-
filtering (web filters) and performance improvement (load
tage in insider threat prevention.
balancers).

Network load balancer (NLB)
Load balancers are physical units that direct computers to
individual servers in a network based on factors such as
server processor utilization, number of connections to a
server or overall server performance. Organizations use
load balancers to minimize the chance that any particular
server will be overwhelmed and to optimize the bandwidth
available to each computer in the network.
A load balancer can be implemented as a security software
or hardware solution, and it is usually associated with a de-
vice — a router, a firewall, a network address translation
(NAT) appliance and so on. A load balancer splits the traffic
intended for a website into individual requests that are then
rotated to redundant servers as they become available. A
key issue with load balancers is scheduling — determining
how to split up the work and distribute it across servers.
There are several load balancing methods:
Round-robin — The first client request is sent to the first
group of servers, the second is sent to the second, and so
on. When it reaches the last group of servers in the list, the
load balancer starts over with the first group of servers.
Affinity — Affinity minimizes response time to clients
by using different methods for distributing client re-
quests. It has three types:
14
No affinity — NLB does not associate clients with
a particular group of servers; every client request
can be load balanced to any group of servers.
Single affinity — NLB associates clients with par-
ticular groups of servers by using the client's IP ad-
dress. Thus, requests coming from the same client
IP address always reach the same group of servers.
Class C affinity —NLB associates clients with par-
ticular groups of servers by using the Class C por-
tion of the client's IP address. Thus, clients coming
from the same Class C address range always ac-
cess the same group of servers.
Least connection — This method takes the current serv-
er load into consideration. The current request goes to the
server that is servicing the least number of active sessions
at the current time.
Agent-based adaptive load balancing — Each server in
the pool has an agent that reports on its current load to
the load balancer. This real time information is used when
deciding which server is best placed to handle a request.
Chained failover — The order of servers is configured
(predefined) in a chain.
Weighted response time — Response information from
a server health check is used to determine which server is
responding the fastest at a particular time.
SysAdmin Magazine January 2019
Software-defined networking — This approach com-
bines information about upper and lower networking lay-
ers. This allows information about the status of the serv-
ers, the status of the applications running on them, the
health of the network infrastructure, and the level of con-
gestion on the network to all play a part in the load balanc-
ing decision making.
Network load balancers can have an active-active or ac-
tive-passive configuration. An active-active configuration
means that multiple load balancing servers are working
at all times to handle the requests as they come in. An ac-
tive-passive configuration has one primary server and oth-
ers are in listening mode, ready to be activated and start
splitting the load if the first server becomes overwhelmed.
Spam filter
A mail gateway can be used not only to route mail but to
perform other functions as well, such as encryption or, to
a more limited scope, DLP. More commonly, spam filters
can detect unwanted email and prevent it from getting to a
user's mailbox. Spam filters judge emails based on policies
or patterns designed by an organization or vendor. More
sophisticated filters use a heuristic approach that attempts
to identify spam through suspicious word patterns or word

frequency. The filtering is done based on established rules,
such as blocking email coming from certain IP addresses,
email that contains particular words in the subject line, and
the like. Although spam filters are usually used to scan in-
coming messages, they can also be used to scan outgoing
messages to help identify internal PCs that might have con-
tracted a virus.
Antivirus
Antivirus software is one of the most widely adopted se-
curity tools by both individuals and organizations. There
are different ways antivirus solutions recognize malicious
software:
Based on the existing malware signatures — Signa-
tures are the most popular way to detect malicious code.
These signatures are basically the malware’s fingerprints;
they are collected into huge databases for use by antivirus
scanners. That’s why it is critical that the antivirus applica-
tion stays up to date — so that the latest signatures are
present. Signature-based detection works by looking for
a specific set of code or data. Antivirus solutions compare
every file, registry key and running program against that
list and quarantine anything that matches.
15
SysAdmin Magazine January 2019
Using heuristics — Signatures are the most popular way to create defenses against future attacks.
to detect malicious code. These signatures are basically
Based on file length — Another method of virus de-
the malware’s fingerprints; they are collected into huge
tection is to use file length. Because viruses work by at-
databases for use by antivirus scanners. That’s why it is
taching themselves to software as their surrogates, the
critical that the antivirus application stays up to date — so
length of the surrogate software usually increases. An-
that the latest signatures are present. Signature-based de-
tivirus software compares the length of the original file
tection works by looking for a specific set of code or data.
or software with the length of the file or software when-
Antivirus solutions compare every file, registry key and
ever it is used. If the two lengths differ, this signals the
running program against that list and quarantine anything
existence of a virus.
that matches.
Using heuristics — A slightly more advanced technique
Based on checksums — A checksum is a value calcu-
lated in a file to determine if data has been altered by a
is heuristics. Instead of relying on malware that has been
virus without increasing file length. Checksums should
seen in the wild, as signatures do, heuristics tries to identify
be used only when it is clear that the file was virus-free
previously unseen malware. Heuristics detection will scan
the first time a checksum was computed; otherwise, the
the file for features frequently seen in malware, such as
baseline checksum will be invalid. Virus symptoms usu-
attempts to access the boot sector, write to an EXE file or
ally depend on the type of virus. Remember that symp-
delete hard-drive contents. A threshold must be set by the
toms are not unique to any one virus; several viruses
administrators to determine what will trigger malware de-
can have similar symptoms. Some of the most common
tection. This threshold must be set just right for heuristics
symptoms are the following:
scanning to be effective. Heuristic signatures are the way of
monitoring for certain types of “bad” behavior. Every virus Frequent or unexpected computer reboots
has its own specific characteristics. The known character- Sudden size increases in data and software
istics are used to build up defenses against future viruses. File extension change (common with ransomware)
Although there are new viruses created and distributed al- Disappearance of data files
most every day, the most common viruses in circulation are Difficulty saving open files
the copies of the same old ones. Therefore, it makes sense Shortage of memory
to use the historical facts of viruses and their characteristics Presence of strange sounds or text
 SysAdmin Magazine January 2019

Antivirus can be a part of endpoint protection systems that

provide not only virus protection but DLP, AppLocker, con-
tent filtering and other capabilities as well.

There are several ways an attacker can avoid antivirus prod- IT Risk
Assessment
ucts. If the attacker’s software is never seen by the antivirus
companies, then there will be no code signature and it will
not be caught. But it can still be caught by antivirus heuris-
tics technology. Attackers can also avoid being seen by the
antivirus program; there are many stealth techniques that
can be used to avoid getting scanned.
Checklist
Learn how to jump-start an
A-class risk mitigation program

We’ve described almost all devices that will increase secu-

rity in your network. Some of them, such as firewalls and
antivirus software, are must-have network security devic-
es; others are nice to have. Before implementing any new
security device, always perform an IT security risk assess-
ment; it will help you determine whether the investment is
worth it.
Download Free Guide

16

A secure network infrastructure is critical for organizations,
and that requires keeping close track of what’s going on
with routers, switches and other network devices. You need
to be able to quickly detect and investigate threats to your
perimeter security, such as unauthorized changes to config-
urations, suspicious logon attempts and scanning threats.
For example, failing to detect improper changes to the con-
figurations of your network device in a timely manner will
Ryan Brooks
leave your network susceptible to attackers breaking in to
your network and even gaining control over it.
Cybersecurity Expert, Netwrix Product Evangelist
In this article, I share the top 4 issues that network device
auditing can help solve and offer a 3-step procedure for get-
ting started with auditing your network devices effectively.
Top 4 security issues for network
devices
Why monitoring of
network devices is
ISSUE 1
Misconfigured devices
critical for network Improper configuration changes are one of the key threats
security
associated with network devices. A single improper change
can weaken your perimeter security, raise concerns during
17
SysAdmin Magazine January 2019
regulatory audits and even cause costly outages that can
bring your business to a standstill. For example, a miscon-
figured firewall can give attackers easy access to your net-
work, which could lead to lasting damage to your organi-
zation.
Auditing of network devices combined with alerting ca-
pabilities will give you the insight and control you need.
By enabling you to quickly spot improper configuration
changes and understand who changed what, auditing en-
ables better user accountability and helps you detect po-
tential security incidents before they cause real trouble.
ISSUE 2
Unauthorized logons
Most attempts to log on to a network device are valid
actions by network administrators — but some are not.
Inability to promptly detect suspicious logon attempts
leaves your organization vulnerable to attackers trying to
hack their way to your network. Therefore, you need to
be alerted immediately about unusual events, such as a
device being accessed by an admin on a holiday or outside
of business hours, failed logon attempts, and the modifi-
cation of access rights, so IT personnel can take action to
prevent a security compromise.
 SysAdmin Magazine January 2019

security flaw in D-Link devices that was discovered in 2016

ISSUE 3
VPN logons
Many organizations implement virtual private network
(VPN) access to improve the security of remote connec-
tions, but there are many associated risks that should not
be overlooked. Practice shows that VPNs are not 100%
secure and any VPN connection is a risk. Ideally, rights to
access network resources via VPN are granted only after
proper approvals and users are able to access only those
assets they need to do their jobs. In reality, VPN connec-
tions can usually be used by anyone in the organization
without any approvals.
Therefore, you need to be able to spot threats, such as
a user connecting via public Wi-Fi (since someone might
steal their credentials) and a user who doesn’t usually
work with VPN suddenly beginning to use it (which can be
a sign that a user has lost their device and someone else is
trying to log in using it). Carefully monitoring your network
ISSUE 4
Scanning threats
Network scanning is not inherently a hostile process, but
hackers often use it to learn about a network's structure
and behavior to execute attack on the network. If you
don’t monitor your network devices for scanning threats,
you might miss improper activities until a data breach oc-
curs and your sensitive data is compromised.
Network device monitoring and alerting will help you pro-
actively defend your network against scanning threats by
answering questions such as which host and subnet were
scanned, which IP address the scanning was initiated from,
and how many scanning attempts were made.
Case study: security flaws in D-Link
by researchers from the security startup firm Senrio. They
reported that a stack overflow issue in a Wi-Fi enabled
camera, D-Link DCS-930L, allowed them to silently change
the administrator password for the web-based manage-
ment interface. This vulnerability could have been used by
attackers to overwrite administrator passwords and install
malware on the devices. In response to the report, D-Link
promised to release a firmware update for DCS-930L to fix
the vulnerability and began testing the flaw's impact on its
other models.
This was not the last time that D-Link failed to discover se-
rious vulnerabilities in its devices by themselves. In 2018,
a researcher from Silesian University of Technology in Po-
land reported that eight D-Link router models in the com-
pany’s small/home office “DWR” range are vulnerable to
complete takeover. This time, D-link said that are going to
patch only two of the eight impacted devices; the others
will no longer be supported.

devices and keeping track of each VPN logon attempt will
help you quickly understand who tried to access your net-
work devices, the IP address each authentication attempt
was made from and the cause of each failed VPN logon.
network devices leave users open to
attacks
Experience demonstrates that many security incidents be-
gin with attacks on network devices. Therefore, any vul-
nerabilities in these devices represent a major risk for an
organization’s systems and data. One example is a major

18
 SysAdmin Magazine January 2019

Getting started with network device 3. Determine the frequency of auditing.

auditing One of the common questions is how often you need to

Three basic steps will help you get started with proper net-
work infrastructure monitoring. These are general recom-
mendations that should be tailored to the needs of your
organization; you need to know your IT environment and
business processes well to audit your network devices in
the most effective manner.
1. Regularly assess risks and perform penetration tests.
audit your network devices. No compliance standard de-
fines a specific timeframe for network device auditing, and
practice shows that it depends on the nature of your busi-
ness and the complexity of your network infrastructure.
One common guideline is to conduct monthly checks of the
overall state of your network devices and ensure you get
immediate alerts on suspicious activities that might pose
threat to your network environment, such as a change to a
device’s configuration.

You need to understand your attack surface area and de-

tect vulnerabilities that could put you at risk. Regular risk
assessments will help a great deal here but, ideally, you
should also perform regular penetration testing to identify
flaws in your network devices before hackers can discover
and exploit them.

2. Determine which devices you need to audit.

There is no definitive list of network devices that you need

to audit; it will depend on the specifics of your business,
your industry, and the size and architecture of your net-
work. I definitely recommend you monitor the devices that
are responsible for the most critical assets in your organi-
zation, as well as all internet-connected devices.

19
 SysAdmin Magazine January 2019

Understand the OSI model

The International Standards Organization (ISO) developed the Open Systems Interconnect (OSI) model in 1981. It consists
of seven functional layers that provide the basis for communication among computers over networks, as described in the
table below. You can easily remember them using the mnemonic phrase “All people seem to need data processing.” Un-
derstanding this model will help you build a strong network, troubleshoot problems, develop effective applications and
evaluate third-party products.

Adam Stetson Layer Function Protocols or Standards

Layer 7: Provides services such as e-mail, file transfers HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP,
Systems Engineer, Security Expert
Application and file servers RLogin, BootP, MIME

Layer 6: Provides encryption, code conversion and data MPEG, JPEG, TIFF
Presentation formatting

Layer 5: Negotiates and establishes a connection with SQL, X- Window, ASP, DNA, SCP, NFS, RPC
Session another computer

Layer 4: Supports end-to-end delivery of data TCP, UDP, SPX

Transport

Layer 3: Performs packet routing IP, OSPF, ICMP, RIP, ARP, RARP
Network

Network security
Layer 2: Provides error checking and transfer Ethernet, Token Ring, 802.11
Data link of message frames

best practices Layer 1:

Physical
Physically interfaces with transmission medium
and sends data over the network
EIA RS-232, EIA RS-449, IEEE, 802

20

Understand types of network devices
To build a strong network and defend it, you need to un-
derstand the devices that comprise it. Here are the main
types of network devices:
Hubs connect multiple local area network (LAN) devic-
es together. A hub also acts as a repeater in that it am-
plifies signals that deteriorate after traveling long dis-
tances over connecting cables. Hubs do not perform
packet filtering or addressing functions. Hubs operate
at the Physical layer.
Switches generally have a more intelligent role than
hubs. Strands of LANs, are usually connected using
switches. Mainly working at the Data Link layer, they
read the packet headers and process the packets ap-
propriately. Generally, switches can read the hard-
ware addresses of incoming packets to transmit them
to the appropriate destination.
Routers help transmit packets to their destinations by
charting a path through the sea of interconnected net-
work devices. They remove the packets from the in-
coming frames, analyze them individually and assign
IP addresses. Routers normally work at the Network
layer of the OSI model.
21
Bridges are used to connect two or more hosts or net-
work segments together. The basic role of bridges in
network architecture is storing and forwarding frames
between the different segments that the bridge con-
nects. They use hardware Media Access Control (MAC)
addresses for transferring frames. Bridges work only
at the Physical and Data Link layers of the OSI model.
Gateways normally work at the Transport and Ses-
sion layers of the OSI model. At the Transport layer
and above, there are numerous protocols and stan-
dards from different vendors; gateways are used to
deal with them.
Know network defenses
Using the proper devices and solutions can help you de-
fend your network. Here are the most common ones you
should know about:
Firewall — One of the first lines of defense in a net-
work, a firewall isolates one network from another.
Firewalls either can be standalone systems or includ-
ed in other devices, such as routers or servers. You
can find both hardware and software firewall solu-
tions; some firewalls are available as appliances that
serve as the primary device separating two networks.
SysAdmin Magazine January 2019
Intrusion detection system (IDS) — An IDS enhances
cybersecurity by spotting a hacker or malicious soft-
ware on a network so you can remove it promptly to
prevent a breach or other problems, and use the data
logged about the event to better defend against simi-
lar intrusion incidents in the future. Investing in an IDS
that enables you respond to attacks quickly can be far
less costly than rectifying the damage from an attack
and dealing with the subsequent legal issues.
Intrusion prevention system (IPS) — An IPS is a net-
work security solution that can not only detect intrud-
ers, but also prevent them from successfully launching
any known attack. Intrusion prevention systems com-
bine the abilities of firewalls and intrusion detection
systems. However, implementing an IPS on an effec-
tive scale can be costly, so businesses should careful-
ly assess their IT risks before making the investment.
Moreover, some intrusion prevention systems are
not as fast and robust as some firewalls and intrusion
detection systems, so it might not be an appropriate
solution when speed is an absolute requirement.
Network access control (NAC) involves restricting
the availability of network resources to endpoint de-
vices that comply with your security policy. Some NAC
solutions can automatically fix non-compliant nodes
to ensure it is secure before access is allowed. NAC is
most useful when the user environment is fairly static

and can be rigidly controlled, such as enterprises and
government agencies. It can be less practical in settings
with a diverse set of users and devices that are fre-
quently changing, which are common in the education
and healthcare sectors.
Web filters are solutions that by preventing users’
browsers from loading certain pages from particular
websites. There are different web filters designed for
individual, family, institutional and enterprise use.
Proxy servers act as negotiators for requests from cli-
ent software seeking resources from other servers. A
client connects to the proxy server, requesting some
service (for example, a website); the proxy server eval-
uates the request and then allows or denies it. In or-
ganizations, proxy servers are usually used for traffic
filtering and performance improvement.
Anti-DDoS devices detect distributed denial of service
(DDoS) attacks in their early stages, absorb the volume
of traffic and identify the source of the attack.
Load balancers are physical units that direct computers
to individual servers in a network based on factors such
as server processor utilization, number of connections
to a server or overall server performance. Organizations
use load balancers to minimize the chance that any par-
ticular server will be overwhelmed and to optimize the
bandwidth available to each computer in the network.
22
Spam filters detect unwanted email and prevent it
from getting to a user's mailbox. Spam filters judge
emails based on policies or patterns designed by an
organization or vendor. More sophisticated filters use
a heuristic approach that attempts to identify spam
through suspicious word patterns or word frequency.
Segregate your network
Network segmentation involves segregating the network
into logical or functional units called zones. For example,
you might have a zone for sales, a zone for technical sup-
port and another zone for research, each of which has
different technical needs. You can separate them using
routers or switches or using virtual local area networks
(VLANs), which you create by configuring a set of ports on
a switch to behave like a separate network.
Segmentation limits the potential damage of a compro-
mise to whatever is in that one zone. Essentially, it divides
one target into many, leaving attackers with two choices:
Treat each segment as a separate network, or compro-
mise one and attempt to jump the divide. Neither choice
is appealing. Treating each segment as a separate network
creates a great deal of additional work, since the attack-
er must compromise each segment individually; this ap-
SysAdmin Magazine January 2019
proach also dramatically increases the attacker’s exposure
to being discovered. Attempting to jump from a compro-
mised zone to other zones is difficult. If the segments are
designed well, then the network traffic between them can
be restricted. There are always exceptions that must be al-
lowed through, such as communication with domain serv-
ers for centralized account management, but this limited
traffic is easier to characterize.
Segmentation is also useful in data classification and data
protection. Each segment can be assigned different data
classification rules and then set to an appropriate level of
security and monitored accordingly.
An extreme example of segmentation is the air gap — one
or more systems are literally not connected to a network.
Obviously, this can reduce the usefulness of many sys-
tems, so it is not the right solution for every situation. In
some cases, however, a system can be sensitive enough
that it needs to not be connected to a network; for exam-
ple, having an air-gapped backup server is often a good
idea. This approach is one certain way of preventing mal-
ware infections on a system.
Virtualization is another way to segment a network. Keep
in mind that it is much easier to segment virtual systems
than it is to segment physical systems. As one simple ex-
ample, consider a virtual machine on your workstation.

You can easily configure it so that the virtual machine is
completely isolated from the workstation — it does not
share a clipboard, common folders or drives, and literally
operates as an isolated system.
Types of network segments
Network segments can be classified into the following cate-
gories:
Public networks allow accessibility to everyone. The in-
ternet is a perfect example of a public network. There is
a huge amount of trivial and unsecured data on public
networks. Security controls on these networks are weak.
Semi-private networks sit between public networks
and private networks. From a security standpoint, a
semi-private network may carry confidential informa-
tion but under some regulations.
Private networks are organizational networks that
handle confidential and propriety data. Each organiza-
tion can own one or more private networks. If the or-
ganization is spread over vast geographical distances,
the private networks at each location may be intercon-
nected through the internet or other public networks.
Demilitarized zone (DMZ) is a noncritical yet secure re-
gion at the periphery of a private network, separated
from the public network by a firewall; it might also be
23
separated from the private network by a second firewall. Or-
ganizations often use a DMZ as an area where they can place
a public server for access by people they might not trust. By
isolating a server in a DMZ, you can hide or remove access to
other areas of your network. You can still access the server
using your network, but others aren’t able to access further
network resources.
Software-defined networking (SDN) is a relatively
recent trend that can be useful both in placing securi-
ty devices and in segmenting the network. Essentially,
in an SDN, the entire network is virtualized, which en-
ables relatively easy segmentation of the network. It
also allows administrators to place virtualized security
devices wherever they want.
Place your security devices correctly
As you design your network segregation strategy, you need
to determine where to place all your devices. The easiest
device to place is the firewall: You should place a firewall
at every junction of a network zone. Each segment of your
network should be protected by a firewall. This is actually
easier to do than you might think. All modern switches and
routers have firewall capabilities. These capabilities just
need to be turned on and properly configured. Another
device that obviously belongs on the perimeter is an an-
SysAdmin Magazine January 2019
ti-DDoS device so you can stop DDoS attacks before they
affect the entire network. Behind the main firewall that
faces public network, you should have a web filter proxy.
To determine where to place other devices, you need to
consider the rest of your network configuration. For exam-
ple, consider load balancers. If we have a cluster of web
servers in a DMZ, then the load balancer needs to be in
the DMZ as well. However, if we have a cluster of database
servers in a private network segment, then the load balanc-
er must be placed with that cluster. Port mirroring will also
be placed wherever your network demands it. This is often
done throughout network switches so that traffic from a
given network segment is also copied to another segment.
This can be done to ensure that all network traffic is copied
to an IDS or IPS; in that case, there must be collectors or
sensors in every network segment, or else the IDS or IPS
will be blind to activity in that segment.
Network aggregation switches are another device for which
there is no definitive placement advice. These switches ag-
gregate multiple streams of bandwidth into one. One ex-
ample would be to use an aggregation switch to maximize
bandwidth to and from a network cluster.

Use network address translation
Network address translation (NAT) enables organizations
to compensate for the address deficiency of IPv4 network-
ing. NAT translates private addresses (internal to a partic-
ular organization) into routable addresses on public net-
works such as the internet. In particular, NAT is a method
of connecting multiple computers to the internet (or any
other IP network) using one IP address.
NAT complements firewalls to provide an extra measure
of security for an organization’s internal network. Usually,
hosts from inside the protected networks, which have pri-
vate addresses, are able to communicate with the outside
world, but systems that are located outside the protected
network have to go through the NAT boxes to reach inter-
nal networks. Moreover, NAT enables an organization to
use fewer IP addresses, which helps confusing attackers
about which particular host they are targeting.
Don’t disable personal firewalls
Personal firewalls are software-based firewalls installed
on each computer in the network. They work in much
the same way as larger border firewalls — they filter out
certain packets to prevent them from leaving or reaching
24
your system. The need for personal firewalls is often ques-
tioned, especially in corporate networks, which have large
dedicated firewalls that keep potentially harmful traffic
from reaching internal computers. However, that fire-
wall can’t do anything to prevent internal attacks, which
are quite common and often very different from the ones
from the internet; attacks that originate within a private
network are usually carried out by viruses. So, instead of
disabling personal firewalls,
Use centralized logging and
immediate log analysis
Record suspicious logins and other computer events and
look for anomalies. This best practice will help you recon-
struct what happened during an attack so you can take
steps to improve your threat detection process and quick-
ly block attacks in the future. However, remember that
attackers are clever and will try to avoid detection and
logging. They will attack a sacrificial computer, perform
different actions and monitor what happens in order to
learn how your systems work and what thresholds they
need to stay below to avoid triggering alerts.
SysAdmin Magazine January 2019
Use web domain whitelisting
For all domains
Limiting users to browsing only the websites you’ve explic-
itly approved helps in two ways. First, it limits your attack
surface. If users cannot go to untrusted websites, they are
less vulnerable. It’s a solid solution for stopping initial ac-
cess via the web. Second, whitelisting limits hackers’ op-
tions for communication after they compromise a system.
The hacker must use a different protocol, compromise an
upstream router, or directly attack the whitelisting mech-
anism to communicate. Web domain whitelisting can be
implemented using a web filter that can make web access
policies and perform web site monitoring.
Route direct internet access from
workstations through a proxy server
All outbound web access should be routed through an au-
thenticating server where access can be controlled and
monitored. Using a web proxy helps ensure that an actual
person, not an unknown program, is driving the outbound
connection. There can be up-front work required to recon-
figure the network into this architecture, but once done,
it requires few resources to maintain. It has practically no

impact on the user base and therefore is unlikely to generate
any pushback. It raises the level of operational security since
there is a single point device that can be easily monitored.
Use honeypots and honeynetsserver
A honeypot is a separate system that appears to be an at-
tractive target but is in reality a trap for attackers (inter-
nal or external). For example, you might set up a server
that appears to be a financial database but actually has
only fake records. Using a honeypot accomplishes two im-
portant goals. First, attackers who believe they have found
what they are looking for will leave your other systems
alone, at least for a while. Second, since honeypots are not
real systems, no legitimate users ever access it and there-
fore you can turn on extremely detailed monitoring and
logging there. When an attacker does access it, you’ll be
gathering an impressive amount of evidence to aid in your
investigation.
A honeynet is the next logical extension of a honeypot — it
is a fake network segment that appears to be a very entic-
ing target. Some organizations set up fake wireless access
points for just this purpose.
25
Protect your network from insider
threats
To deal with insider threats, you need both prevention and
detection strategies. The most important preventive measure
is to establish and enforce the least-privilege principle for ac-
cess management and access control. Giving users the least
amount of access they need to do their jobs enhances data
security, because it limits what they can accidentally or delib-
erately access and ensures that is their password is compro-
mised, the hacker doesn’t have all keys to the kingdom. Other
preventative measures include system hardening, anti-sniff-
ing networks and strong authentication. Detection strategies
include monitoring users and networks and using both net-
work- and host-based intrusion detection systems, which are
typically based on signatures, anomalies, behavior or heuris-
tics.
End users also need to be trained in how to deal with the secu-
rity threats they face, such as phishing emails and attachments.
The best security in the world can be undermined by end users
who fail to follow security policies. However, they cannot really
be expected to follow those policies without adequate training.
Monitor and baseline network
protocols
SysAdmin Magazine January 2019
You should monitor the use of different protocol types on
your network to establish baselines both the organization
level and a user level. Protocol baselining includes both wired
and wireless networks. Data for the baseline should be ob-
tained from routers, switches, firewalls, wireless APs, sniffers
and dedicated collectors. Protocol deviations could indicate
tunneling information or the use of unauthorized software to
transmit data to unknown destinations.
Use vpns
A virtual private network (VPN) is a secure private network
connection across a public network. For example, VPNs can be
used to connect LANs together across the internet. With a VPN,
the remote end appears to be connected to the network as if
it were connected locally. A VPN requires either special hard-
ware or VPN software to be installed on servers and worksta-
tions. VPNs typically use a tunneling protocol, such as Layer 2
Tunneling Protocol, IPSec or Point-to-Point Tunneling Protocol
(PPTP). To improve security, VPNs usually encrypt data, which
can make them slower than normal network environments.
Use multiple vendors
In addition to diversity of controls, you should strive for di-

versity of vendors. For example, to defend against malware,
you should have antimalware software on each of your com-
puters, as well as on the network and at the firewall — and
use software from different vendors for each of these plac-
es. Because each vendor uses the same malware detection
algorithms in all its products, if your workstation, network
and firewall antimalware solutions all come from vendor A,
then anything missed by one product will be missed by all
three. The best approach is to use vendor A for the firewall
antimalware, vendor B for the network solution, and vendor
C to protect individual computers. The probability of all three
products, created by different vendors and using different
detection algorithms, missing a specific piece of malware is
far lower than any one of them alone missing it.
Use your intrusion detection system
properly
An IDS can be an important and valuable part of your network
security strategy. To get the most value from your IDS, take ad-
vantage of both ways it can detect potentially malicious activities:
Anomaly detection — Most systems maintain a certain
baseline of activity on their networks and sensitive hosts.
An IDS can record that baseline and scan for abnormal
activity. If something unusual happens, such as a spike
26
in activity that could indicate a ransomware or SQL in-
jection attack, it sends an alert so the administrator can
analyze the event and take action as soon as possible.
Misuse detection — The IDS will also compare activities
with attack signatures, which are sets of characteristic fea-
tures common to a specific attack or pattern of attacks.
This helps them spot attacks even if they don’t generate
activity that violates your organization’s baseline.
Automate response to attacks when
appropriate
Many network devices and software solutions can be config-
ured to automatically take action when an alarm is triggered,
which dramatically reduces response time. Here are the ac-
tions you can often configure:
Block IP address — The IDS or firewall can block the
IP address from which the attack originated. This op-
tion is very effective against spam and denial-of-service
attacks. However, some attackers spoof the source IP ad-
dress during attacks, so the wrong address will be blocked.
Terminate connections — Routers and firewalls can be
configured to disrupt the connections that an intruder
maintains with the compromised system by targeting
SysAdmin Magazine January 2019
RESET TCP packets at the attacker.
Acquire additional information — Another option is to
collect information on intruders by observing them over
a period of time. By analyzing the information you gath-
er, you can find patterns and make your defense against
the attack more robust. In particular, you can:
Look for the point of initial access, how the intruders
spread and what data was compromised. Reverse-en-
gineer every piece of malicious software you find and
learn how it works. Then clean up the affected systems
and close the vulnerability that allowed initial access.
Determine how malicious software was deployed.
Were administrative accounts used? Were they used
after hours or in another anomalous manner? Then
determine what awareness systems you could put in
place to detect similar incidents in the figure.
Physically secure your network
equipment
Physical controls should be established and security per-
sonnel should ensure that equipment and data do not leave
the building. Moreover, direct access to network equipment
should be prohibited for unauthorized personnel.

If you don’t know the state of your network every second
of the day, you're like a blind pilot inevitably headed for
disaster. Fortunately, the market now offers many good
software solutions, both commercial and open source, for
network monitoring.
With functionality such as discovering devices, monitor-
ing network equipment and servers, identifying network
Adam Stetson
trends, graphically presenting monitoring results, and
even backing up switch configurations and routers, these
network monitoring software tools will surely surprise you.
Systems Engineer, Security Expert
So here's a list of the best network monitoring software:
1. Zabbixls
Zabbix is a full-scale tool for network and system monitor-
ing that combines several options in one web console. It
can be configured to monitor and collect data from a wide
variety of servers and network devices, and it provides ser-
vice and performance monitoring of each object. Zabbix
enables you to monitor servers and networks with a wide
range of technologies, including virtualization hypervisors
and web application stacks. Zabbix supports VMware, Hy-
Top 10 best network per-V and other virtualization hypervisors, providing de-
tailed information about the performance and availabil-
monitoring tools ity of the hypervisor and its activity. In particular, it can
monitor Java application servers, web services and data-
27
SysAdmin Magazine January 2019
bases. New monitoring hosts can be added manually or
through an automatic discovery process. A wide range of
templates are applied by default, such as those for Linux,
FreeBSD and Windows Server operating systems and for
SMTP, HTTP, ICMP and IPMI protocols.
Zabbix must be installed and configured manually, com-
ponent by component, on a Linux system or a virtual ma-
chine on a hypervisor. The user interface is not very clear
and uses complicated terminology. There is no client pro-
gram because it is accessed via HTTPS or SSH, but there is
a mobile application available. The network device discov-
ery process does not have the ability to browse the net-
work and discover existing devices during product installa-
tion; this can be done later using certain protocols.
This solution can work without agents, using the SNMP
protocol, but running an agent on each device makes us-
ing Zabbix a bit easier. However, it’s difficult and time-con-
suming to install agents on hundreds or even thousands
of devices, and there are certain basic devices, like print-
ers, where installation of agents is impossible.
Zabbix allows you to customize the dashboard and web
interface to focus on the most important components of
the network. Notifications can be based on custom actions
that apply to a host or host groups. You can configure ac-
tions that will run remote commands if certain event crite-

ria are met. The program displays network bandwidth us-
age and CPU utilization graphs. In addition, Zabbix supports
custom maps, screens and even slideshows that show the
current status of monitored devices. Zabbix can be difficult
to implement at the initial stage, but the use of automatic
detection and various templates can reduce the challenge.
In addition to the installation package, Zabbix is available as
a virtual device for several popular hypervisors.
The product is free, but it so complex that you will likely
need one of the levels of paid support.
2. PRTG
The Paessler PRTG network monitoring tool is an inte-
grated solution that is suitable both for small and enter-
prise environments. The setup is dynamic, meaning that
your monitoring capabilities can grow or shrink with the
business size requirements of your organization. It is a
Windows program that can be installed on a server with
shared access. PRTG is more than just a server monitoring
solution, because it can monitor any IT-related resource
that connects to your network, including firewalls, servers,
printers, switches, routers, databases, websites and even
UPS. PRTG can send out email and SMS alerts based on
your custom threshold levels. This means that you can ad-
just the sensitivity of specific servers so you get more fre-
28
quent warnings from critical servers and almost no noise
from non-critical ones.
The application can monitor everything that you need to
know about your server, such as CPU load, hard disk ca-
pacity and performance, RAM utilization, and bandwidth
monitoring. The user interface is simple and clear, with
functional elements conveniently located in intuitive plac-
es. Administrators can view the entire server environment
at a glance through customizable dashboards and reports,
which means that specific graphs and analytics can be gen-
erated for specific needs. There are predefined templates
to help with the configuration processes and speed the
installation process. Other key features include flexible
alert methods, multiple user interfaces to choose from,
failover-tolerant monitoring, distributed monitoring, and
customizable maps and dashboards.
With PRTG, there is no need to install any agents on each
device; monitoring can be performed only using the pro-
gram kernel. Using remote probes allows monitoring of
various networks, either in the same place or in remote
locations, branches, etc. The remote computer collects lo-
cation information and combines it on the PRTG central
server, providing access to all local and remote devices,
sensors, alerts and warnings via the internet, and also
uses a protocol with strong SSL encryption. The product is
free only for 100 sensors, so download it only if you have
SysAdmin Magazine January 2019
small system inventory or you are willing to pay for it.
3. Whatsup gold
This is a powerful, easy-to-use software tool for compre-
hensive monitoring of applications, networks and systems.
It allows you to troubleshoot problems before they affect
the user experience. You can also get an accurate idea of
the performance of your IT environment.
WhatsUp Gold uses new methods of visualization and in-
teraction with the entire IT environment. It has a unique
interactive map that helps you quickly assess the perfor-
mance of the entire network, infrastructure and virtual en-
vironment. It provides information about the connection
status of network devices and dynamic response to in-
teractions, which ensures minimum response time. Inter-
active maps can be dynamically filtered to get an instant
overview of the physical, virtual and wireless networks.
You can zoom in to view detailed information on individu-
al sites or devices, or zoom out to see the subject of study
in the overall picture. A map can be configured to display
the environment by geography (on a map or on a building
map), by category (by connection, application or traffic) or
by any other layout.
The tool starts with an advanced discovery process that

identifies all devices connected to your network and auto-
matically applies standard or custom device roles; this sig-
nificantly speed up the monitoring setup. WhatsUp Gold
has active monitors that show device status in real time
and passive monitors for SNMP traps, Syslog, and Windows
event logs. Performance monitors use SNMP, SSH or WMI
to track CPU, disk, memory and network usage. WhatsUp
Gold has an option to receive early warning when users
are experiencing poor response times, so you can fix them
before users experience full downtime. These warnings
can be sent via email, SMS and web.
It also has a network traffic analysis module that col-
lects network traffic and bandwidth usage data from any
flow-enabled device on the network. One of the greatest
performance management features is an action policy that
detects a state change, such as when a router goes down,
and immediately writes a log entry or starts an action script
to reboot the system several minutes later and then sends
an email notification after completion. WhatsUp Gold has
no free version but it has a free trial.
4. Cacti
Cacti is a great network monitoring software tool for graph-
ical representation of the network. Cacti is a free network
monitoring solution and is included in the LAMP (Linux,
29
Apache, MySQL, PHP) suite, which provides a standardized
software platform for building graphs based on any statis-
tical data. If a network device returns numeric data, then
most likely it can be integrated into Cacti. There are tem-
plates for network monitoring platforms like Cisco routers
and switches. Basically any network device that communi-
cates with SNMP (Simple Network Management Protocol)
can be monitored by Cacti. In addition, scripts in Perl or
PHP can also be used for monitoring. Cacti performs avail-
ability and performance monitoring of servers, services
and network devices. It also tracks the workload and avail-
ability of network channels.
The central link in this system is graphs — all controlled
parameters and settings are somehow tied to the graphs.
Graphs of statistics are presented in the form of a tree in
which graphs are grouped by their criteria. All graphs can
be quickly created in Graph Management using supplied
templates. Templates are one of the big advantages of
Cacti — the user just selects a template and the graph is
ready. Each graph is described by two elements: settings
that define the properties of the graph, and elements that
define the data that should be represented on it. Informa-
tion displayed on the chart can be refined on the fly; for
example, you can quickly view the data for the past few
years to see if the current behavior of the network equip-
ment or server is abnormal. And with the help of the Net-
work Weathermap, a PHP plug-in for Cacti, you can create
SysAdmin Magazine January 2019
real-time maps of your network that show the load of com-
munication channels between network devices.
In short, Cacti is a toolkit with extensive capabilities for
graphical display and analysis of network performance
trends that can be used to monitor almost any monitored
metric that can be represented in a graph. However, this
solution supports almost limitless tuning possibilities,
which can make it too difficult for certain apps.
5. Nagios
Nagios is powerful network monitoring tool that has been
in active development for many years. It does almost any-
thing that system and network administrators might need
from a network monitoring utility. The web interface is
fast and intuitive, and the server part is extremely reliable.
Nagios’s rather complex configuration can be a problem
for beginners to learn, but it is also an advantage, since
the tool can be adapted to almost any monitoring task. As
with Cacti, a very active community supports Nagios core,
so various plug-ins exist for a huge variety of hardware
and software. Nagios enable you to continuously monitor
the status of servers, services, network channels and ev-
erything else that has IP addresses. For example, you can
monitor the use of disk space on the server, RAM and CPU
usage, FLEXlm license usage (software license manager

tool), server air temperature, WAN and internet connec-
tion latencies, netflow traffic, and much more.
No monitoring system for servers and networks would be
complete without notifications. The Nagios software plat-
form offers a customizable mechanism for notifications via
e-mail, SMS and instant messaging via the most popular in-
ternet messengers, as well as an escalation scheme that can
be used to make reasonable decisions about who should be
notified when and in what circumstances. In addition, the
display function shows all monitored devices in the logical
representation of their placement on the network, with col-
or coding that highlights problems as they arise.
The main disadvantage of Nagios is its configuration pro-
cess — it is mostly done through the command line, which
greatly complicates installation if you’ve never worked
with it before. People familiar with standard Linux and
Unix configuration files, however, should not experience
any particular problems. The possibilities of Nagios are
huge, but the effort required to use some of them may
not always be worth it. Nevertheless, the advantages of
the early warning system metrics provided by this tool for
so many aspects of the network are hard to overstate.
30
6. LogicMonitor
LogicMonitor is a SaaS service for monitoring physical,
virtual and cloud-based networks. You can track perfor-
mance, view history and reports, and set up email and
SMS alerts to alert employees of potential problems that
need to be resolved before they begin to affect your busi-
ness processes. LogicMonitor is a lightweight program
that can be installed on a Linux or Windows OS. Logic-
Monitor provides a single web console that is ready to
automatically discover most switches, routers, firewalls,
load balancers, servers, applications, databases, VoIP
systems and storages. LogicMonitor’s dashboard allows
users to monitor live performance indicators along with
a list of system errors and statuses because it automati-
cally collects performance data from connected servers,
networks and workstations via over 20 standard proto-
cols such as JMX, Perfmon, SNMP, WMI, and various APIs.
Network administrators can prioritize issues, configure
escalation rules for alerts and schedule downtime ac-
cording to their service standards.
Of course, LogicMonitor has reporting capabilities as
well; you can build reports on any time period for any
device, group, service or data source. Reports can be in
HTML, PDF or CSV, and can be executed on demand or
scheduled to be delivered by email at regular intervals.
You have to know what you're looking for before you con-
SysAdmin Magazine January 2019
figure a report. All in all, LogicMonitor is a powerful in-
frastructure monitoring and alerting service with a nicely
customizable web portal that displays in-depth metrics
and system information.
7. SolarWinds network performance monitor
SolarWinds Network Performance Monitor quickly detects,
diagnoses and assists in resolving network performance
problems before downtime. In addition, with dynamic net-
work topology maps and automatic detection of compo-
nents, administrators can easily scale the network and align
important processes as it grows. SolarWinds Network Per-
formance Monitor controls the response time, availability
and uptime of routers, switches and other SNMP-enabled
devices. Network Performance Monitor has automated net-
work scanning processes that identify new network devices
and monitor the state of all critical equipment. It supports
heterogeneous networks and devices from leading hard-
ware manufacturers. The monitoring process looks for the
availability and performance indicators of network devices
and interfaces, such as bandwidth load, delays, responses,
packet loss, CPU and memory for each piece of equipment
with SNMP and WMI support.
Network Performance Monitor allows you to quickly config-

ure alerts for events, conditions and conditions of network
devices. If necessary, you can block notifications based
on dependencies and topology so you receive alerts on
important network issues only. It also includes tools for
generating notifications, reports, manuals and help files
in different file formats. The user interface is simple to
understand yet robust enough to provide a comprehen-
sive view of the network. It is easy to see everything at a
glance, and the statistical network baselines provide ad-
ditional information to optimize network devices and re-
spond to issues quickly. SolarWinds Network Performance
Monitor has a NetPath feature that uses advanced prob-
ing to make troubleshooting network performance prob-
lems easier. With this feature, sysadmins can detect the
network path from a source computer and trace it all the
way to the destination service. NetPath works even when
traceroute does not.
8. Spiceworks network monitor
Spiceworks Network Monitor is extremely flexible and
scalable, allowing independent thresholds per system or
device, so it is a great solution for more granular moni-
toring of memory, disk activity and more. The software is
quick and easy to implement. It runs on a VM or a physical
box. It’s pretty light on resources, though it can eat up a
31
SysAdmin Magazine January 2019
bunch of disk space; if it is co-located with another app, support SNMP version 3. The software does not reconcile
the drive can fill quickly if you don't keep up with the logs systems that are going down — sometimes when connec-
or automate cleanup. The software is agentless, so there tion links go down, they do not go back up in the software
is little to no impact on the monitored devices. It can even though physically they are up again, so they must be de-
monitor SNMP traps from switches, printers, copiers and leted and re-added. And the user interface is rather slow.
other devices. It does a great job of monitoring during off However, the software is no-cost so there is no risk in giv-
hours. ing it a try.
Spiceworks Network Monitor tracks infrastructure devic-
es, such as switches and routers, for input/output rate,
packets per second and packet loss. It also tracks servers 9. Wireshark
for CPU utilization, disk utilization, network data rate and
Wireshark is a well-known network traffic monitoring tool.
packet loss, and memory utilization. You can drill down to
It works with the overwhelming majority of known proto-
display those parameters graphically in expanded views.
cols, and it has both a clear and logical graphical interface
However, Spiceworks Network Monitor does not monitor
based on GTK + and a powerful filter system. Moreover, it
or manage other devices, most notably, mobile ones.
is cross-platform, working under Linux, Solaris, FreeBSD,
NetBSD, OpenBSD, Mac OS X and, of course, Windows. Ba-
You can choose to look at specific devices in significantly
sically, Wireshark is a packet sniffing tool that reveals the
more detail with the Critical Device Widget. You can click a
smallest details of network traffic and network protocols.
specific parameter in the Critical Device window, and the
You can analyze pcap files and TCP connection, see packet
graph for that parameter is expanded and additional de-
contents, and search for specific packets in the netflow.
tails show up on the screen, such as exact numbers for the
If you have the necessary knowledge, you can effective-
total switch bandwidth usage with the stats at each point
ly troubleshoot and diagnose a variety of problems that
where the numbers changed.
arise in the network using Wireshark.
There are a few disadvantages. Spiceworks Network Mon-
itor provides excellent basic monitoring, but it doesn’t
 SysAdmin Magazine January 2019

10. Netwrix auditor for network devices In short, Netwrix Auditor for Network Devices is not just a
really valuable monitoring tool; it’s an enterprise-level soft-
We’ve reviewed a lot of great network monitoring tools.
ware platform that gives you complete visibility into changes,
Nevertheless, if system administrators detect network de-
configurations and access across your network infrastructure.
vice performance issues, they need to inspect configuration
Netwrix Auditor has free 20-day trial; during that period, you
changes to determine the cause of the issue and quickly fix it.
can not only evaluate Netwrix Auditor for Network Devices
Therefore, a network device change monitoring tool is invalu-
but also all the other Netwrix Auditor applications for systems
able. Netwrix Auditor for Network Devices delivers reports
such as Active Directory, Group Policy, Azure AD, Exchange,
and alerts detailing what was changed on each network de-
Office 365, file servers, SharePoint, Microsoft SQL Server and
vice and when it happened, with the before and after values.
VMware.
It supports Cisco and Fortinet devices.

Product installation is straightforward, and the UI is user

friendly and fast. Reports are very clear and responsive, which
makes this solution a great addition to other network perfor-
mance monitoring tools. Reports can tell you about network
device configuration changes, details about logon attempts,
port scanning information, and details about hardware issues
such as a power supply failure or critical CPU temperature. It
also tracks remote access such as VPN.

Netwrix Auditor has built-in search of audit data, alerts on

threat patterns, and a behavior anomaly detection engine. It
also has a RESTFul API engine that enables you to connect the
Netwrix Auditor platform with other software solutions, such
as Nutanix, Amazon Web Services, ServiceNow, ArchSight,
IBM Qradar, Splunk, Alien Vault and LogRythm; you can re-
ceive data from or send data to these solutions.

32
 SysAdmin Magazine January 2019

Free network audit software that keeps you current of what’s happening on your network devices

Tool of the Month

Netwrix Auditor for Network Devices

Activity Summary

Modified 1
Removed 1
Free Community Edition
Read 1

Netwrix Auditor Action Object type What Item Where When Workstation

for Network
Modified CPU 172.28.9.220 172.28.0.0 – 172.28.9.220 9/05/2018 1.0.0.15
172.28.254.254 11:31:29 AM
(IP range)

Devices Action name: Critical CPU temperature

Removed Configuration 172.28.9.220 172.28.0.0 – 172.28.9.220 9/04/2018 1.0.0.15

172.28.254.254 01:01:00 AM
(IP range)

Download Free Tool Action name: Write erase

Read Subnet 100.0.0.0 172.28.0.0 – 172.28.9.220 9/04/2018 1.0.0.15

172.28.254.254 01:00:38 AM
(IP range)

Action name: Subnet scanning detected

This message was sent by Netwrix Auditor from au-srv-fin.enterprise.com.

33
 SysAdmin Magazine January 2019

How-to for IT Pro

5. Open Event viewer and search Security log for event id’s 4648
(Audit Logon).

How to monitor user logоns in a domain Event 4648, Microsoft Windows security auditing

General Details
1. Run gpmc.msc > Create a new GPO > Edit it: Go to
A logon was attempted using explicit credentials.
"Computer Configuration" > Policies > Windows
Settings > Security Settings > Advanced Audit Policy Subject:
Security ID: ENTERPRISE\J.Smith
Configuration > Audit Policies > Logon/Logoff: Account Name: J.Smith
Account Domain: ENTERPRISE
Audit Logon > Define > Success And Failures. Logon ID: 0x7F57B95E

Account Whose Credentials Were Used:

2. Go to Event Log > Define:
Account Name: J.Smith
Maximum security log size to 4gb Account Domain: ENTERPRISE
Target Server:
Retention method for security log to "Overwrite Target Server Name: DC1

events as needed".

3. Link the new GPO to OU with Computer Accounts:

Go to "Group Policy Management" > right-click the
defined OU > choose Link an Existing GPO > choose
the GPO that you created.

4. Force the group policy update: In "Group Policy

Management" right click on the defined OU > click
on "Group Policy Update".

34
 [On-Demand Webinar]

Behind the scenes:

4 Ways your organization can be hacked
If you had a hacker sneaking around your network right now, how would you know? In this webinar, Brian
Johnson from 7 Minute Security will reveal some of the top security gaps that attackers can use to breach an
organization’s IT perimeter.

Brian Johnson
Security enthusiast /
Podcaster 7 Minute Security

Watch Now

Corporate Headquarters: Phone: 1-949-407-5125 Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or
300 Spectrum Center Drive, Toll-free: 888-638-9749 one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other
Suite 200 Irvine, CA 92618 EMEA: +44 (0) 203-318-02 countries. All other trademarks and registered trademarks are the property of their respective owners.