Cooper/T.Smith Corp. of Mobile, Ala. knows a few things about monitoring traffic loads. Since 1840, the privately held stevedoring, import/export and international logistics company has been keeping loads moving along the Mississippi River and in and out of ports throughout the Western Hemisphere.
When it came to monitoring the loads on its WAN, however, it was a different matter. And, despite the old saying, what you don’t know can hurt you, particularly when it comes to network problems.
The company has a full TCP/IP network connecting its remote offices to the headquarters. To save on bandwidth, the company runs Citrix Metaframe (from Citrix Systems, based in Ft. Lauderdale, Fla.) on the desktops, all of which run Windows 2000. The 500 end users connect to the servers through about 40 Cisco routers. The network, though, was not being monitored.
“We didn’t have any type of network management tool,” says network engineer Alicia D. Widder. “We were blind when there was a problem and needed a tool to help us gain visibility into what was happening.”
As it turned out, installing such a tool also saved the company from a network crash when the Code Red worm came to call. It wasn’t security, however, that prompted Cooper to install network and systems management software.
“We wanted something that would help us monitor uptime,” says Widder. “Also, with our 35-40 remote locations we needed to graph the bandwidth so that we would know if we needed more or less bandwidth.”
Cooper spent $30,000 to install and support WebNM by Somix Technologies, Inc. of Sanford, Maine. Widder says it is simpler to implement and run than the larger management packages that typically cost six-figure sums.
WebNM provides basic network mapping and monitoring functions, including creating real time and historical graphs of traffic volume on any of the network links. In addition, it has automated trouble ticketing, remote desktop management, hardware and software inventory, and service level reporting.
Cooper had a technician come out for three days in October 2000 to install and configure the software. Ahead of the visit, the company prepared in advance by enabling Simple Network Management Protocol (SNMP) on the servers and setting up community strings. With that done, the technician spent a couple of hours loading the software and auto-discovering all network devices.
Cooper also required three to four reports set up on each router and server to monitor such items as bandwidth and CPU utilization. To set up a report, one has to select any of the devices by clicking on it on the network map. The program presents a list of all the reports that can be generated according to the Management Information Base extensions (MIBs) for that device.
Clicking next to the desired report begins the cycle of collecting, graphing and reporting on that parameter. Since the graphs can be accessed in a browser, some enterprises make the graphs available to all employees through the intranet, but Cooper just makes it available to the IT staff.
Though minimal, some training was conducted.
“The Somix technician worked with me at my level of knowledge and taught me everything — how to manage and troubleshoot the software as well as how to create new graphs,” saysWidder. “Now that everything is running I know whenever any router goes down and nine times out of 10 WebNM helps us tell the provider where the problem is.”
Security and Monitoring at Cooper/T.Smith
Lack of network visibility can lead to vulnerabilities internally and externally. Despite billions spent on firewalls and antivirus software, and vendor patches to shore up security holes, significant risk of exposure still exists.
“Finding solutions to cyber-security vulnerabilities and attacks has been historically reactive,” says Dave McCurdy, executive director of the Internet Security Alliance (ISA). “Attacks happen, analyses are made and patches provided, if possible.”
But companies often struggle to install patches across their networks, plus patches only work if you are not among the early sites attacked, particularly with the fast-moving, self-replicating attacks we have witnessed over the past two years.
Code Red, for example, infected 250,000 computers in a nine-hour period on July 19, 2001, according to Carnegie Mellon University’s CERT Coordination Center. ISA estimated that SirCam, Code Red and Love Bug alone infected more than 40 million computers, resulting in $12.5 billion in cleanup and lost productivity costs.
That is where having and using network management software comes into play. While you may not be able to completely prevent an attack, you can at least find out quickly what resources are under attack and isolate them before they infect the rest of the network devices. That capability saved Cooper/T.Smith from a major problem.
“We monitor the memory and CPU usage of our main router so when the Code Red virus came in, I could see memory availability go way down,” says Widder. “Otherwise I might not have known it was there till the system crashed.”
Widder now uses a WebNM module to address such security problems. Called “Logalot,” it aggregates all the Syslog and Windows Event Log entries into a central database, where administrators can establish policies to manage these events. For some events, you will just want the data to be logged, but others require an immediate alarm.
In addition to the usual items such as a failing power supply or a non-responding application, it also tracks key security items such as stealth and port scans on the firewall, users trying to browse the Internet without anti-virus software activated, the IP addresses of devices attacking the firewall, failed log-in attempts, and Intrusion Detection System logs.
Widder reports added uptime through heightened network awareness coupled with added security. “It is a total management tool for our network,” she says.