Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Network Monitoring

Posted on 2015-02-20
9
Medium Priority
?
160 Views
Last Modified: 2015-03-04
I have an interesting question. We have a concern that changes are being made to our Windows NT network outside of the appropriate processes being followed (vetting, testing, making others aware etc). We aren't certain, but there is a possibility changes are being made to network config, proxy servers etc. Are there any tools available that can tell if changes are being made, without being intrusive or being detected? We don't want the ability to make changes, stop changes etc, only the ability to tell if changes are made. Any thoughts?
0
Comment
Question by:isaacr25
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 13

Assisted Solution

by:Bryant Schaper
Bryant Schaper earned 336 total points
ID: 40621533
Yes, look at something like ManageEngine, they have a configuration manager, link below.  I have never implemented, but some tools even allow the tool to make the change so you can track by whom.


http://www.manageengine.com/products/device-expert/
0
 
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 664 total points
ID: 40621542
If your network is on one subnet, use something like CommView (tamosoft.com) which is a good packet sniffer (I use it). Set it up to collect packets and review the packet logs to see if you are spotting activity. You can filter for specific IP addresses to reduce collection once you know.

WireShark is similar to CommView and is open source and free.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 664 total points
ID: 40621741
Running a packet sniffer and trying to decipher what was changed is not an easy task.  What I suggest you do is look at software such as SolarWinds configuration manager which would alert you if a configuration was changed on a device such as a router, firewall, etc. (support all Cisco routers, firewalls, etc.).  If you are interested in managing/informed of changes on Windows servers, then you should start with a log consolidation/aggregation software such as Splunk (by the way, Splunk can also track configuration changes and alert you) and you can build dashboards as well as alerts for things such as local logons to servers, etc.
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 

Author Comment

by:isaacr25
ID: 40621761
Thanks for the suggestions. Would all of these tools be invisible to network admins etc?
0
 
LVL 13

Expert Comment

by:Bryant Schaper
ID: 40621772
Yes, they would be invisible, depending on how you configure, ie access and email alerts.  If your switching is supported, they basically login and pull the current config and compare to baseline.
0
 

Author Comment

by:isaacr25
ID: 40623693
I'm looking into these products. Are there any free or trial versions of these products available?
0
 
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 664 total points
ID: 40623760
CommView comes with a 30-day trial if you wish to try it. WireShark is free.  Solar Winds is pricey but has a free trial. The others, I do not know.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 664 total points
ID: 40623763
Splunk is free if you index 500 MB or less a day.
0
 
LVL 5

Accepted Solution

by:
Leon Adato earned 336 total points
ID: 40633271
I'm going to second Mohammed Khawaja's comment. Solarwinds NCM (Network Configuration Manager) is a pretty economic choice (and it has a 30 day unlimited demo). It will back up the configs of all your network devices on a regular basis (you decide - daily, weekly, etc, on a per-device or per-device-group basis). On the SECOND collection, you can get an alert/report that shows anything that has changed in a side-by-side comparison. It automatically filters out the "stupid changes" (like timestamp) so you don't get noise alerts.

You can add alert responses to push the previous config back to the machine if you want. And all the configs are stored, so you can revert back to any previous version if you need to.

It also has the ability to scan all the configs that have been backed up and look for problems - security flaws, best practices, etc.

It's a pretty slick tool.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question