Network monitoring/IDS rant - What's hot what's not?
Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios? There are many network monitoring options but each option has its pitfalls. I'm rapidly coming to the conclusion that any software Computer Associates publishes is designed for the criminally insane. However, there 'has' to be something that offers more visibility into a major WAN than MRTG/RRDTOOL.

Perhaps I'm on a Computer Associates rant today but can anyone share any positive experiences with E-trust intrusion detection? 5 MB of traffic flow paralyzes a dual P3 with gobs of RAM and it still misses signatures that Snort does not miss. Originally I was going to blame this lousy performance on application tuning; however, it was a CA engineer that set this box up.

Any IDS suggestions would be greatly appreciated as well.

Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
On Tue, 25 Feb 2003, Christopher J. Wolff wrote:
Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?
There are many network monitoring options but each option has its pitfalls. I'm rapidly coming to the conclusion that any software Computer Associates publishes is designed for the criminally insane. However, there 'has' to be something that offers more visibility into a major WAN than MRTG/RRDTOOL.
CA-Unicenter/OVW/Tivoli are not IDS systems... (traditionally) but they can normally monitor the heck out of 'decent' sized networks (less than 500 components was my last experience with OVW at least; Tivoli and CA we never got working correctly with less than 1 metric butt ton of LOE to keep it running)
Perhaps I'm on a Computer Associates rant today but can anyone share any positive experiences with E-trust intrusion detection? 5 MB of traffic flow paralyzes a dual P3 with gobs of ram and it still misses signatures that Snort does not miss. Originally I was going to blame this lousy
So, lemme understand here... Snort works and you are switching why??
performance on application tuning; however, it was a CA engineer that set this box up.
Any IDS suggestions would be greatly appreciated as well.
Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
On Wed, 26 Feb 2003, Christopher L. Morrow wrote:
CA-Unicenter/OVW/Tivoli are not IDS systems... (traditionally) but they can normally monitor the heck out of 'decent' sized networks (less than 500 components was my last experience with OVW at least; Tivoli and CA we never got working correctly with less than 1 metric butt ton of LOE to keep it running)
What are the options and recommendations for networks > 500 components? Pete.
On Wed, 26 Feb 2003, Pete Kruckenberg wrote:
On Wed, 26 Feb 2003, Christopher L. Morrow wrote:
CA-Unicenter/OVW/Tivoli are not IDS systems... (traditionally) but they can normally monitor the heck out of 'decent' sized networks (less than 500 components was my last experience with OVW at least; Tivoli and CA we never got working correctly with less than 1 metric butt ton of LOE to keep it running)
What are the options and recommendations for networks > 500 components?
At my previous job our largest network (we ran something like 8 separate ones as I recall) was around 500 managed devices, including switches (Bay) and routers (Cisco/Promina). All that was done with OVW, and some plugins we got 'for free' (CiscoWorks, Bay's crazy OVW plugin for switch management). At networks larger than 500 mostly things are handbuilt and nongraphical... at least on the one I have experience with.

I suppose you can think of it like this: Do you need the graphical info, or do you just want alarms/alerts when problems arise? If you maintain the data in some sane format (think database) you can correlate that info as you want, and generate graphical displays for things of interest. MRTG/RRDTool or RTG are nice packages for some things, but you might have to have a farm of pollers/graphers/displayers (and a few folks to care for them/create displays that matter) to poll 100,000 interfaces, eh?
On Wed, 26 Feb 2003, Pete Kruckenberg wrote:
On Wed, 26 Feb 2003, Christopher L. Morrow wrote:
CA-Unicenter/OVW/Tivoli are not IDS systems... (traditionally) but they can normally monitor the heck out of 'decent' sized networks (less than 500 components was my last experience with OVW at least; Tivoli and CA we never got working correctly with less than 1 metric butt ton of LOE to keep it running)
What are the options and recommendations for networks > 500 components?
i've done this sort of stuff successfully with Aprisma Spectrum. issues:

1) it's not cheap. on the other hand, Aprisma did used to have a service provider oriented pay-per-number-of-nodes-monitored pricing plan, which is how we did it back when i was running a Spectrum based NMS shop.

2) it runs only on W2K and Solaris, and for large installations, runs much better on Solaris. sizing depends on number of nodes being monitored. "enough RAM" is important. multiple spindles with well chosen file system partitioning, and 2 CPUs, also make a difference.

3) getting it to run well requires experience. some default settings are not very suitable for monitoring large WANs, and it is definitely not "set up and forget it" software.

4) apropos to 3, budget for training. one or two smart guys who've been through class can handle it (no need for Aprisma Professional Services.)

5) reporting used to be clumsy, although there were some add-ons available to improve this.

6) the database used to be a proprietary network database based on the old VistaDB. they've been migrating towards MySQL, although the migration isn't complete yet. archived polling data does go into MySQL, but the database of monitored nodes was still in the proprietary database the last time i looked at this.

note also that there are a bunch of up-and-coming NMS systems that may or may not be better than Spectrum. the last time i did an evaluation, Spectrum was the best in the cost-no-object model, but that was a while ago.

richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
MRTG/RRDTool or RTG are nice packages for some things, but you might have to have a farm of pollers/graphers/displayers (and a few folks to care for them/create displays that matter) to poll 100,000 interfaces, eh?
Polling 100000 interfaces every five minutes is only 333 queries per second. It gets complicated if you want to do something useful with the data you poll. I'll be happy to listen to ideas about what people would like to do with data from 100000 interfaces apart from plotting it on an X/Y axis. Maybe some of them would eventually get implemented properly. Pete
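The two messages above (the "farm of pollers" needed for 100,000 interfaces, and the 333 queries/second that works out to) are easy to put numbers on. The following is an added example, not code from anyone in this thread and not part of any of the products mentioned: it sizes a poller farm for a given interface count and polling interval, and deals the interfaces out across pollers and across the interval so the SNMP query rate stays flat instead of bursting at the top of every five-minute cycle. The per-poller capacity (100 queries/second) is an assumed figure chosen for illustration, not a measured one.

```python
"""Poller-farm sizing for periodic SNMP interface polling (added example).

Assumptions (not from the thread): each poller sustains `per_poller_qps`
queries per second, and an interface is one query per interval.
"""
import math
from collections import Counter


def queries_per_second(interfaces: int, interval_s: int) -> float:
    """Sustained query rate needed to poll every interface once per interval."""
    return interfaces / interval_s


def pollers_needed(interfaces: int, interval_s: int, per_poller_qps: float) -> int:
    """Smallest number of pollers whose combined capacity covers the rate."""
    if interfaces == 0:
        return 0
    return math.ceil(queries_per_second(interfaces, interval_s) / per_poller_qps)


def schedule(interfaces: int, interval_s: int, per_poller_qps: float):
    """Assign each interface (by index) a (poller_id, start_offset_seconds).

    Interfaces are dealt round-robin to pollers so every poller carries an
    equal share, and each poller's share is spread evenly across the interval
    so its query rate is flat rather than a burst when the cycle starts.
    """
    n_pollers = pollers_needed(interfaces, interval_s, per_poller_qps)
    plan = []
    for idx in range(interfaces):
        poller = idx % n_pollers
        rank = idx // n_pollers  # position of this interface in its poller's list
        # Map rank 0..(share-1) onto second 0..(interval_s-1) with integer math.
        offset = (rank * interval_s * n_pollers) // interfaces
        plan.append((poller, offset))
    return plan


def peak_qps(plan) -> int:
    """Highest number of queries any single poller issues in one second."""
    load = Counter(plan)  # (poller, offset) -> queries in that second
    return max(load.values()) if load else 0


def per_poller_share(plan) -> dict:
    """Number of interfaces assigned to each poller."""
    return dict(Counter(poller for poller, _ in plan))


if __name__ == "__main__":
    plan = schedule(100_000, 300, 100)
    print("rate needed:", round(queries_per_second(100_000, 300), 2), "q/s")
    print("pollers:", pollers_needed(100_000, 300, 100))
    print("interfaces per poller:", per_poller_share(plan))
    print("peak per poller per second:", peak_qps(plan))
```

With 100,000 interfaces on a five-minute interval and 100 queries/second per poller the farm needs four pollers of 25,000 interfaces each, and the staggered offsets hold every poller to at most 84 queries in any one second, which is what makes the 333 q/s aggregate a steady load rather than four 25,000-query bursts.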
Christopher J. Wolff wrote:
Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?
There are many network monitoring options but each option has its pitfalls. I'm rapidly coming to the conclusion that any software Computer Associates publishes is designed for the criminally insane. However, there 'has' to be something that offers more visibility into a major WAN than MRTG/RRDTOOL.
Perhaps I'm on a Computer Associates rant today but can anyone share any positive experiences with E-trust intrusion detection? 5 MB of traffic flow paralyzes a dual P3 with gobs of ram and it still misses signatures that Snort does not miss. Originally I was going to blame this lousy performance on application tuning; however, it was a CA engineer that set this box up.
Any IDS suggestions would be greatly appreciated as well.
Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
Chris, all the reviews I've seen/heard of etc. all say Snort is the best IDS. Now I'm not saying it is, just passing on what I've heard, as I've not had the opportunity to compare the things myself. (Also remember that a lot of CA software is acquired by merger, not written by themselves, so it normally takes a couple of iterations to get things into the CA way.) As to network monitoring I'll go with mrtg and/or nagios anytime (mainly 'cos of the price/performance issue). PSiNETEurope use MRTG to display router stats for their customers and so do a lot of other people - it just works. -- Martin Hepworth Senior Systems Administrator Solid State Logic Ltd +44 (0)1865 842300
On Tue, 25 Feb 2003, Christopher J. Wolff wrote:
I'm rapidly coming to the conclusion that any software Computer Associates publishes is designed for the criminally insane.
i've generally thought of CA as the "old software" rest home, the place where it goes to die. cheers, richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Unix, Linux, IP Network Engineering, Security
Hello... On Tue, 2003-02-25 at 21:12, Christopher J. Wolff wrote:
Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?
There are many network monitoring options but each option has its pitfalls. I'm rapidly coming to the conclusion that any software Computer Associates publishes is designed for the criminally insane. However, there 'has' to be something that offers more visibility into a major WAN than MRTG/RRDTOOL.
Intermapper http://www.intermapper.com You can create charts showing realtime bandwidth usage on each of your routers. I also use it to check bandwidth on my web servers. With a glance, you can tell everything is "OK", "abnormal", etc. No IDS, but it is great as an enhancement/replacement for mrtg/rrdtool/nagios. (I run all three) <disclaimer> No affiliation w/ intermapper, just a happy customer for ~6 years <snip> -- Christopher McCrory "The guy that keeps the servers running" chrismcc@pricegrabber.com http://www.pricegrabber.com Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.