Computer Network Monitoring (CNM)

In this digital era, packet-based data communication has become one of the main needs of the general public, so it is not surprising that computer networks can be found in many places: offices, schools, malls, airports, and other public spaces. With the proliferation of these networks, each of them needs to be monitored so that it keeps running effectively and optimally, considering the density of the traffic it has to serve.

1. Purpose of Monitoring and Testing Computer Networks 

Some people may think that once a computer network is up and running well, the job is done and the network no longer needs attention. In fact, after the network is running well, maintenance is still needed to keep it healthy, ensure availability, and improve performance. This is why computer network monitoring plays such an important role.

Monitoring and testing a computer network is a task carried out by the network administrator to keep traffic flowing smoothly, effectively, and optimally for as long as the network is active, so that the network generates profit or saves on maintenance costs. Network monitoring also serves as a tracker, the first system used to locate the problems a network is experiencing when components become slow or fail for reasons such as overloaded or crashed application servers, web servers, or other systems, connection problems between the network and its devices, or human error. Once the monitoring system knows where the fault is, it immediately notifies the administrator through various media such as a computer, cellphone, or other device, so that the administrator can quickly resolve the problem. Network monitoring is also used to check bandwidth usage, application performance, server performance, and so on. In addition, the data it collects lets the administrator build up a database of important information that can be used to plan future network development.

2. How to Monitor a Computer Network?

In practice, network testing and monitoring is done by sending a probe called ping (an ICMP echo request) to the hosts on the network. These pings are sent at various intervals; some are sent every four hours, others every few minutes. The following is an example of a ping between users on a computer network:

In the image above, the ping succeeded because the destination IP replied. If the destination IP does not reply and instead a Request Timed Out (RTO) is shown, there is a problem with the network. Besides the reply itself, the image also shows the details:

"bytes=32 time=11ms TTL=128"

bytes=32 is the size of the ICMP (Internet Control Message Protocol) packet sent, 32 bytes. time=11ms is the round-trip delay (latency): the time it takes for the packet to reach the destination IP and for the reply to come back, obtained as the difference between the moment the ping packet was sent and the moment the reply was received. The last value, TTL=128, is the Time to Live, which exists to prevent packets from circulating forever on a network. Every router the ping packet passes through reduces its TTL by one, so the number of hops between the source computer and the destination computer can be estimated by subtracting the TTL reported in the reply from the initial TTL (128 here). If the TTL reaches zero, the packet is discarded/dropped and ping reports: TTL expired in transit.

Thus it can be concluded that ping has several monitoring functions, namely: 

  1. Knowing the Up/Down Status of a Network. If the ping sent to the destination computer's address succeeds and gets a reply, the computer is up; if the destination address does not reply, or an RTO is shown, the computer is down or not connected to the network.
  2. Monitoring the Availability of Computers on a Network. Ping can be used to monitor the availability of computers on a network, which is one indicator of network quality, by pinging the target computer periodically. The smaller the downtime, the better the quality of the network.
  3. Knowing the Responsiveness of a Network's Communication. The size of the delay (latency) value reported by ping indicates how responsive communication with the target computer is. The greater the delay, the slower the response, so this delay value can also be used as an indicator of network quality.
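The three indicators above can be derived directly from ping output. The following Python script is an added example and is not part of the original post: it parses reply lines in the Windows ping format quoted above, counts timeouts as failed probes, and reports up/down status, availability, latency statistics and an estimated hop count from the TTL. The sample output, the address 192.168.137.1, and the table of common initial TTL values (64, 128, 255) are assumptions made for the example.

```python
import re
import statistics

# Constructed sample output in the Windows ping format quoted in the article
# (one reply line per probe plus one timeout). The address is made up.
SAMPLE_PING = """\
Pinging 192.168.137.1 with 32 bytes of data:
Reply from 192.168.137.1: bytes=32 time=11ms TTL=128
Reply from 192.168.137.1: bytes=32 time=9ms TTL=128
Request timed out.
Reply from 192.168.137.1: bytes=32 time=13ms TTL=128
"""

# One reply line: "Reply from <ip>: bytes=<n> time=<ms>ms TTL=<ttl>"
# ("time<1ms" is printed for sub-millisecond replies, hence "time[=<]").
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) "
    r"time[=<](?P<time>\d+)ms TTL=(?P<ttl>\d+)"
)

# Initial TTLs commonly set by sending hosts (assumption: the sender used one
# of these; 128 is the value shown in the article's example).
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl):
    """Estimate router hops as (initial TTL - observed TTL), using the smallest
    common initial TTL that is not below the observed value."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # a TTL above 255 is not a valid IPv4 value


def parse_ping_output(text):
    """Turn ping output into the three monitoring indicators the article lists:
    up/down status, availability (replies / probes) and latency."""
    sent = 0
    replies = []
    for raw in text.splitlines():
        line = raw.strip()
        match = REPLY_RE.match(line)
        if match:
            sent += 1
            replies.append({
                "ip": match["ip"],
                "time_ms": int(match["time"]),
                "ttl": int(match["ttl"]),
            })
        elif line.startswith("Request timed out") or line.startswith("TTL expired in transit"):
            sent += 1  # the probe was sent but produced no usable reply
        # Header and summary lines are ignored.

    received = len(replies)
    summary = {
        "sent": sent,
        "received": received,
        "status": "up" if received > 0 else "down",
        "availability": (received / sent) if sent else 0.0,
        "latency_ms": None,
        "hops": None,
    }
    if replies:
        times = [r["time_ms"] for r in replies]
        summary["latency_ms"] = {
            "min": min(times),
            "avg": float(statistics.mean(times)),
            "max": max(times),
        }
        summary["hops"] = hops_from_ttl(replies[-1]["ttl"])
    return summary


if __name__ == "__main__":
    for key, value in parse_ping_output(SAMPLE_PING).items():
        print(f"{key}: {value}")
```

For the sample above the script reports the host as up with 75% availability (3 of 4 probes answered), 9/11/13 ms min/avg/max latency, and 0 hops, which is what a TTL of 128 from a directly connected Windows host means. Feed it the output of a scheduled ping job and the availability figure becomes the downtime indicator described in point 2.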

In addition to ping, network monitoring usually also relies on network monitoring software to observe live traffic. There are many such tools, for example Cacti, HP OpenView, Nagios, MRTG, OpenNMS, SolarWinds, etc. This time I will explain one of them, Microsoft Network Monitor 3.4.

As the name suggests, Microsoft Network Monitor 3.4 is a network monitoring tool created by Microsoft, which can be downloaded for free on the Microsoft website.

Basically, Microsoft Network Monitor 3.4 is a protocol analyzer: it captures, displays, and analyzes the data packets a computer sends, organized by the network protocols in use, and can therefore be used to analyze the traffic of a computer network. It has several features that other network monitoring tools may not have:

  • Process tracking
  • Grouping by network conversation
  • Support for over 300 public and Microsoft proprietary protocols
  • Simultaneous capture sessions
  • Wireless Monitor Mode with supported wireless NICs
  • Real-time capture and display of frames
  • Reassembly of fragmented data
  • Sniffing of promiscuous mode traffic
  • Can read libpcap capture files
  • API to access capture and parsing engine.

Once you have downloaded the tool, install it. After the installation is complete, all of its features are available. Here is the initial display of Microsoft Network Monitor 3.4:

Click New Capture to create a new capture, or open a previously saved capture file with Open Capture. Then click Start to begin capturing traffic on the network. Here is what it looks like:

a. Network Conversation

The network conversation box lists the traffic that is actively communicating on the network, grouped by conversation.

b. Display Filter

The display filter box is where you enter a filter expression so that only certain traffic is shown. Various ready-made filters are provided, such as IPv4 Addresses, IPv6 Addresses, IPv4 Subnet, DNSAllNameQuery, Http error, TCP ports, USB Hub error, etc. In the display above, IPv4 Addresses is filtered on the IP address 192.168.137.234 (AMARAF-PC), and the frame summary box accordingly shows only AMARAF-PC's communication activity on the network.

c. Frame Summary

The frame summary box has columns that show the details of each frame sent during communication on the network, such as source, destination IP, protocol, etc. The columns shown are those of the Time Zone column layout (NM 3.4). The Frame Summary box also provides other column layouts, such as NM 3.3, ETW (ETL), PCAP, TCP Troubleshoot, etc., which can be switched using the Columns button in the frame summary box.

  • Frame details. The frame details box shows the contents of each protocol layer of the selected frame.
  • Hex details. Like frame details, the hex details box shows the selected frame, but as raw bytes in hexadecimal.

Types of Firewalls

Basically, firewall types are divided into:

1. Filtering Firewall

A filtering firewall forwards or drops packets based on certain criteria, such as source address, destination address, packet type, port numbers (source and destination), and so on. For example, we can allow people from outside the network to connect to port 25 so they can send mail directly to internal machines, or to port 80 so they can retrieve data directly from an available web server.
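To make the rule evaluation concrete, here is a small first-match packet filter written in Python as an added example; it is not code from the original post or from any firewall product. Rules match on protocol, source network, destination network and destination port, unset fields act as wildcards, and anything no rule matches falls through to a default deny. The ruleset encodes exactly the policy in the paragraph above: outsiders may reach port 25 and port 80 on internal machines. The internal network 192.168.137.0/24, the "outside" address 203.0.113.10 and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Internal address space assumed for this example (constructed).
INTERNAL_NET = "192.168.137.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR network; None matches any source
    dst: Optional[str] = None    # CIDR network; None matches any destination
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        """Every criterion that is set must match; unset criteria are wildcards."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# The policy from the text: outsiders may reach port 25 (mail) and port 80 (web)
# on internal machines; internal hosts may initiate anything outbound; every
# other packet is dropped by the default action.
RULESET = [
    Rule("allow", proto="tcp", dst=INTERNAL_NET, dport=25),
    Rule("allow", proto="tcp", dst=INTERNAL_NET, dport=80),
    Rule("allow", src=INTERNAL_NET),
]


def decide(rules, pkt, default="deny"):
    """First matching rule wins; fall back to the default when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def filter_packets(rules, packets):
    """Apply the ruleset to a batch of packets; returns [(packet, action), ...]."""
    return [(pkt, decide(rules, pkt)) for pkt in packets]


# Constructed sample traffic (203.0.113.0/24 is documentation space, "outside").
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.168.137.25", "tcp", 25),   # inbound mail: allowed
    Packet("203.0.113.10", "192.168.137.80", "tcp", 80),   # inbound web: allowed
    Packet("203.0.113.10", "192.168.137.80", "tcp", 22),   # inbound ssh: denied
    Packet("203.0.113.10", "192.168.137.80", "icmp"),      # inbound ping: denied
    Packet("192.168.137.50", "203.0.113.10", "tcp", 443),  # outbound https: allowed
]


if __name__ == "__main__":
    for pkt, action in filter_packets(RULESET, SAMPLE_PACKETS):
        print(f"{action:5} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Two design points worth noticing: the default is deny, so forgetting a rule closes a service rather than exposing one, and the filter is stateless, so the replies to the allowed outbound connection would need their own rule (or a stateful firewall) to get back in.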

2. Proxy Firewall

In a network that uses a proxy system, connections to the internet are made through delegation. Computers that are reachable from the internet act as 'representatives' for the other machines that want to connect to the outside. Proxy servers for (a collection of) specific protocols run on dual-homed hosts or bastion hosts that all network users can reach, and these proxy servers act as the delegates. In other words, each client program connects to the proxy server, and the proxy server is the one that connects to the real server on the internet. The proxy server evaluates each connection request from a client and decides which are allowed and which are not; if a request is approved, the proxy server relays it to the real server.

Figure 10.10. Proxy Firewall

There are several terms for the types of proxy server, including application level proxy, circuit level proxy, generic or special proxy, smart proxy, etc. Whatever type of proxy is used, implementing this system has several consequences:

It generally requires modifying the client or the access procedure, and a separate proxy server program has to be provided for each application.

Using a proxy system allows private IP addresses to be used on the internal network. For example, we can choose the class A private range (10.x.x.x) for the internal network, so that millions of computers can be addressed on the internal network while still reaching the internet through the proxy.

SOCKS and the TIS FWTK are examples of frequently used proxy software packages that are freely available on the internet.

2.1 Encryption

Most information sent across networks travels in plain text, including passwords, so it is very easy to intercept and read. Keeping it confidential is therefore very important.

One way to achieve this is to encrypt the information before it is sent over the network, so that there is no longer any worry that vital information will be exposed.

Encryption can also play the role of a handwritten signature on a paper document, done digitally: it attests that the data really comes from the stated sender. Today, encryption can be done in software or in hardware. Various cryptographic algorithms have been developed at the application level, such as RSA, MD5, IDEA, SAFER, Skipjack, Blowfish, etc. With this strategy, data transfer to and from the computer network remains confidential.

2.2 IDS / IPS

An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are widely used to detect attacks and protect a system from them. The defense mechanism compares incoming packets with a database of known signatures. The IDS also counts the number of incoming commands and compares it with the permitted limit; if the limit is exceeded, the IPS runs the action set in its configuration, such as instructing the firewall to block the IP address that sent the commands.
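The two mechanisms in that paragraph, signature matching and a count-against-a-limit, fit in a few dozen lines. The Python engine below is an added example, not the original post's code or any real IDS/IPS product: it keeps a sliding window of request timestamps per source, blocks a source that exceeds the limit inside the window or that sends a payload matching a signature, and drops everything a blocked source sends afterwards. The signature list, the log format ("epoch source request"), the sample log lines with documentation addresses, and the `block-src` command handed to the firewall are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed signature set: a name and the substring that triggers it.
SIGNATURES = {
    "traversal-attempt": "../../",
    "sqli-union": "UNION SELECT",
}


class ThresholdIPS:
    """A signature match, or more than `limit` requests per `window` seconds from
    one source, blocks that source; later traffic from it is dropped."""

    def __init__(self, limit=5, window=60, signatures=SIGNATURES):
        self.limit = limit
        self.window = window
        self.signatures = signatures
        self.events = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked = set()
        self.alerts = []                  # (timestamp, src, reason)
        self.firewall_commands = []       # what the IPS would hand to the firewall

    def _block(self, ts, src, reason):
        self.blocked.add(src)
        self.alerts.append((ts, src, reason))
        # Constructed command string; a real deployment would call the firewall's API.
        self.firewall_commands.append(f"block-src {src}")
        return "blocked"

    def inspect(self, ts, src, payload):
        """Return the verdict for one request: allowed, blocked (this request
        triggered the block) or dropped (source was already blocked)."""
        if src in self.blocked:
            return "dropped"
        for name, pattern in self.signatures.items():
            if pattern in payload:
                return self._block(ts, src, f"signature:{name}")
        window_events = self.events[src]
        window_events.append(ts)
        # Forget timestamps that have slid out of the window.
        while window_events and window_events[0] <= ts - self.window:
            window_events.popleft()
        if len(window_events) > self.limit:
            return self._block(ts, src, f"rate>{self.limit}/{self.window}s")
        return "allowed"


# Constructed log: "<epoch seconds> <source ip> <request>".
SAMPLE_LOG = [
    "1000 203.0.113.5 GET /index.html",
    "1002 203.0.113.5 GET /index.html",
    "1003 198.51.100.7 GET /about.html",
    "1004 203.0.113.5 GET /index.html",
    "1006 203.0.113.5 GET /index.html",
    "1008 203.0.113.5 GET /index.html",
    "1010 203.0.113.5 GET /index.html",
    "1012 203.0.113.5 GET /index.html",
    "1015 192.0.2.9 GET /download?file=../../config",
    "1020 192.0.2.9 GET /index.html",
    "1100 198.51.100.7 GET /contact.html",
]


def run_ips(log_lines, limit=5, window=60):
    """Feed each log line through the engine; returns per-line verdicts and the engine."""
    ips = ThresholdIPS(limit=limit, window=window)
    verdicts = []
    for line in log_lines:
        ts, src, payload = line.split(" ", 2)
        verdicts.append((src, ips.inspect(int(ts), src, payload)))
    return verdicts, ips


if __name__ == "__main__":
    verdicts, engine = run_ips(SAMPLE_LOG)
    for src, verdict in verdicts:
        print(f"{verdict:8} {src}")
    print("firewall:", engine.firewall_commands)
```

On the sample log the source 203.0.113.5 is allowed five times, blocked on its sixth request within the window, and dropped after that; 192.0.2.9 is blocked by the signature on its first request; 198.51.100.7 stays allowed because its two requests are 97 seconds apart and never accumulate in the window. The limit and window are the two values an administrator tunes: too low and legitimate bursts get blocked, too high and the detection is late.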

2.3 Network Topology

Computer network topology plays a very important role in network security. Dividing computers into groups according to their roles is something that needs to be done.

2.4 Port Scanning

Port scanning is a method usually used by attackers to find out which ports are open on a computer network system, but the same method can be used by network administrators to check whether the ports that are open match the original design of the network.
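The administrator's side of that idea is a comparison of what is actually reachable against what the design says should be reachable. The Python script below is an added example and not code from the original post: `scan_ports` tries a TCP connection to each listed port, `audit_ports` reports ports that are open but not in the design and ports that are planned but not reachable, and `run_local_demo` exercises both against 127.0.0.1 only, standing up one listening socket as the "planned service" and releasing a second port to stand in for a closed one. The port lists and the design sets are assumptions made for the example.

```python
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise.
            if sock.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def audit_ports(observed, expected):
    """Compare what is open against the design: anything open that was not
    planned, and anything planned that is not reachable, is a finding."""
    return {
        "unexpected_open": sorted(observed - expected),
        "expected_but_closed": sorted(expected - observed),
        "ok": observed == expected,
    }


def run_local_demo():
    """Self-contained check against loopback: one listening socket stands in for
    a planned service, one port we bind and immediately release stands in for a
    closed port. Returns the scan result and two audits (design matches / design
    lists a service that is not running)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    planned_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more

    try:
        observed = scan_ports("127.0.0.1", [planned_port, closed_port])
        matches_design = audit_ports(observed, {planned_port})
        drifted_design = audit_ports(observed, {planned_port, closed_port})
    finally:
        listener.close()
    return {
        "planned_port": planned_port,
        "closed_port": closed_port,
        "observed": observed,
        "matches_design": matches_design,
        "drifted_design": drifted_design,
    }


if __name__ == "__main__":
    demo = run_local_demo()
    print("open on loopback:", sorted(demo["observed"]))
    print("against design:", demo["matches_design"])
    print("against outdated design:", demo["drifted_design"])
```

In real use the `expected` set comes from the network design document and the audit runs on a schedule, so that a service someone started without approval shows up as `unexpected_open` the next time the check runs; a planned service that has gone down shows up as `expected_but_closed`, which ties this check back to the availability monitoring discussed earlier.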

2.5 Packet Fingerprinting

By performing packet fingerprinting, we can find out who owns the packets that were sent; for example, we can check who owns a site. This is very important, because it tells us how to protect our computer network.

2.6 Diversity

Today's software and hardware come in many configurations, each with its own advantages; for example, there are various web browsers such as Mozilla Firefox, Internet Explorer, Iceweasel, etc. We can make use of this diversity when building our computer network according to our needs: if one computer is compromised, a different computer requires a separate effort to penetrate. Before using a device, especially software, it is also a good idea to find out the level of security it provides. That way we have complete data for choosing the combination of security measures for our network.

2.7 Use Antivirus Software

To protect a local network that is directly connected to the internet against virus attacks, antivirus software is necessary.

Some examples of antivirus software applications include:

  • On email servers: SpamAssassin, ClamAV, Amavis
  • On the proxy server: SquidGuard
  • On the client: McAfee, Norton, AVG, Antivir, etc.

2.8 Make sure all applications are using the latest version

If our network will be connected to the internet, then keeping it secure requires updates: all applications should be updated to the latest software versions as they are released, because the latest versions usually address some of the existing threats.

2.9 Turn off the computer / disconnect the network when not in use

If our network has been attacked by hackers, we should disconnect it. This is so that the parts of the network behind it are not affected by the attack.

2.10 Perform Regular Data Backups

If you keep important data on a computer connected to the internet, it is better to back that data up regularly, so that if the computer is infected by a virus or hacked by someone else, the important data is still safe.

3. Conclusion

When our local network is connected to the internet, three things need to be considered: Confidentiality, Integrity, and Availability. Threats come in several types, namely threats from within (internal) and threats from outside (external). Internal threats only concern damage to the system in use. What must be watched out for, however, are the external threats, such as Hackers, Crackers and Script Kiddies, which are destructive and steal information from the system. These external threats exist because the computer is connected to the internet, so special protection is needed to prevent them, for example by using a firewall, encryption, port scanning, antivirus software, and keeping the software in use updated.

4. QUESTIONS

  1. Mention the types of Hackers! Explain!
  2. Mention the types of attacks used by intruders to control systems on our computers/networks!
  3. What is meant by DoS (Denial of Service)?
  4. Mention the various types of DoS attacks!
  5. Mention the types of Firewall! Explain!

Author

Arsyad Dwiyankuntoko 
11ipa3.arsyad@gmail.com
http://arsyaddwiyankuntoko.blogspot.com