2.1 Introduction
The LAN administrator’s main focus is usually on keeping the network operating properly and making sure the needs of users are addressed in a timely manner, including hardware and software upgrades. To meet the needs of all users, the LAN administrator must have appropriate tools to accomplish a number of specific tasks. Many of these tasks can be automated to enable the LAN administrator to take care of multiple networks that may consist of hundreds of servers, desktop computers and peripherals—the configurations of which may change on a daily basis to meet the varying needs of mobile professionals, telecommuters, workgroups, departments, or the organization as a whole. Many of these tools may come bundled with the LAN vendor’s network management system. Some are bundled with help desk software. Others are available from third-party vendors as standalone products that can be launched from the network management system or help desk. All of these different management and administration systems and tools can even share data via application programming interfaces (APIs).
Whether bundled with other products or used separately, the right tools help the LAN administrator monitor, analyze, and adapt the LAN to changing organizational needs. The tools themselves are applications and utilities based on NetWare, Windows, or UNIX. In large heterogeneous environments, the LAN administrator will have occasion to use tools that work with multiple network operating systems. With the right tools, the LAN administrator can access multiple functions and client operating systems through a consistent graphical user interface, which can greatly improve personal performance.
Console and Agents
The key concepts in LAN administration are the console and agents. The console is the workstation that is set up to view information collected by the agents. The agents are special programs that are designed to retrieve specific information from the network. An application agent, for example, works on each workstation to log application usage. Workstation users are not aware of the agent and it has no effect on the performance of the workstation or the applications running on it. The collected information is organized into data sets and stored in a relational database, where it can be retrieved for viewing on the LAN administrator’s console.
Information from multiple sets of data can be displayed in several ways—cells, charts, text—and analyzed for such purposes as license management or inventory management, and printed as a detail or summary report. The entire process is illustrated in Figure 2.1. A comprehensive tool set allows the LAN administrator to perform the following main functions:
- View and manipulate network data;
- Automate file distribution;
- Maintain hardware inventory;
- Receive notification of network events;
- Establish and manage network printer support;
- Automate network processes, such as backup and virus detection;
- Monitor disk and file usage;
- Create task lists;
- Work with text files;
- Establish and maintain security;
- Manage storage.
All of the agents that collect information in support of these functions are configured at the console using commands selected from the menu bar. Once configured, each type of agent can be assigned an icon that launches its associated viewer for displaying collected information.
With LANs increasingly being interconnected over wider geographical areas, network administrators can make use of agents to monitor WAN links as well. The agents play a role similar to the one monitors and protocol analyzers play in hardware. Although the agents collect the same information as the monitors, they also process the packets to provide detailed and high-level information regarding network traffic. In this way, they resemble protocol analyzers.
Hardware-based monitors and software-based agents can be used together distributed throughout a LAN, as well as geographically dispersed via the WAN. Their packet capture with filtering and decoding capabilities allows early detection of suspect traffic patterns and identification of faulty network devices. Since agents use the network only when information is requested from the network management system, they do not burden the network with unnecessary overhead.
2.2.1 Intelligent Agents
A critical tool in the IT department’s arsenal of management tools is the “intelligent” agent, which is an autonomous and adaptive software program that accomplishes its tasks by executing commands remotely. System administrators, network managers, and software developers can create and use intelligent agents to execute critical processes, including performance monitoring, fault detection and restoration, hardware and software asset management, virus protection, and information search and retrieval. One of the latest applications of intelligent agents is intrusion detection, in which the agent reports security breaches at a router or firewall and takes appropriate steps to prevent further attacks. With the agent concept enjoying increasing acceptance, vendors are offering integrated development environments for creating agents, agent managers for deploying and managing agents across a network, and sample intelligent agents that are ready to run and can be customized for particular needs without requiring any programming skills.
What makes these agents so smart is the addition of programming code that tells them exactly what to do, how to do it, and when to do it. In essence, the intelligent agent plays the dual role of manager and agent. Under this scheme, polling is localized, events and alarms are collected and correlated, various tasks and trouble responses are automated, and only the most relevant information is forwarded to the central management station. In the process, network traffic is greatly reduced, as is the time for problem resolution.
2.2.2 Agent Behavior
The behavior of intelligent agents can be modified in two ways: templates and programs. The choice will depend on the level of an organization’s in-house network and systems management expertise.
Template Solutions
Some vendors, such as Hewlett-Packard, offer rules-based templates to modify the behavior of intelligent agents without the need for native-language programming. The role of the agent is defined in a template that tells the network management system what to do with the information collected by the agent. A network manager can bring up a representation of the template used for monitoring a particular application, for example, and edit the rules concerning responses to various alerts.
For instance, when a firewall issues an error message, under the rules described in its template, it sends all alerts to a particular system administrator. The network manager can change the rule so that an automated response is initiated instead, allowing agents to resolve problems and perform routine tasks (e.g., backups, batch jobs, file maintenance) locally. This prevents the system administrator from being overwhelmed by warning and informational messages, so he or she can focus only on potential service-disrupting conditions that cannot be resolved locally.
In a similar manner, responsibilities can be assigned to specific people. For instance, an operator can be assigned a particular group of Internet servers according to subsidiary company, department, or location. Likewise, responsibilities also can be assigned by type of application, such as electronic commerce implemented by various publicly accessible Web servers, or by the expertise of various site personnel [e.g., Webmaster, Common Gateway Interface (CGI) programmer, Java application developer, certified security engineer]. The advantage of templates is that they can alter the reporting behavior of agents without the need to rewrite the agents themselves.
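The template mechanism described above, as an added example that is not part of the original text or any vendor's product: a small rules-based template decides, per collected event, whether the agent resolves it locally or escalates it to the operator who owns that group of servers. The event fields, operator assignments, local handlers and sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: which operator is responsible for which group of servers.
OPERATORS = {"web-eu": "webmaster", "db-core": "dba-oncall", "fw": "security-eng"}

# Constructed: routine tasks the agent may perform locally instead of escalating.
LOCAL_HANDLERS = {
    "rotate_logs": lambda ev: f"rotated logs on {ev['source']}",
    "rerun_backup": lambda ev: f"re-queued backup job on {ev['source']}",
    "ack": lambda ev: f"acknowledged {ev['kind']} on {ev['source']}",
}

@dataclass
class Rule:
    match: Dict[str, str]          # every listed field must equal the event's value
    action: str                    # "local" or "escalate"
    handler: Optional[str] = None  # key into LOCAL_HANDLERS when action == "local"

    def applies(self, event: Dict[str, str]) -> bool:
        return all(event.get(k) == v for k, v in self.match.items())

@dataclass
class Template:
    """Ordered rules; the first match wins, anything unmatched is escalated."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, event: Dict[str, str]) -> Rule:
        for rule in self.rules:
            if rule.applies(event):
                return rule
        return Rule({}, "escalate")

def process(template: Template, events: List[Dict[str, str]]) -> Dict[str, object]:
    """Apply the template: run local handlers, escalate the rest to the owner."""
    result: Dict[str, object] = {"local": [], "escalated": {}}
    for ev in events:
        rule = template.decide(ev)
        if rule.action == "local" and rule.handler in LOCAL_HANDLERS:
            result["local"].append(LOCAL_HANDLERS[rule.handler](ev))
        else:
            owner = OPERATORS.get(ev["group"], "noc")
            result["escalated"].setdefault(owner, []).append(ev)
    return result

# Constructed sample of events collected by agents during one polling interval.
EVENTS = [
    {"source": "fw1", "group": "fw", "severity": "info", "kind": "rule-reload"},
    {"source": "fw1", "group": "fw", "severity": "warning", "kind": "log-disk-80pct"},
    {"source": "fw1", "group": "fw", "severity": "critical", "kind": "link-down"},
    {"source": "db3", "group": "db-core", "severity": "warning", "kind": "backup-failed"},
    {"source": "www2", "group": "web-eu", "severity": "critical", "kind": "service-down"},
]

# Template as shipped: every firewall alert is sent to the security engineer.
SHIPPED = Template([Rule({"group": "fw"}, "escalate")])

# Edited template: informational and warning conditions are handled locally;
# only service-disrupting conditions still reach a person.
EDITED = Template([
    Rule({"group": "fw", "severity": "info"}, "local", "ack"),
    Rule({"group": "fw", "kind": "log-disk-80pct"}, "local", "rotate_logs"),
    Rule({"kind": "backup-failed"}, "local", "rerun_backup"),
    Rule({"severity": "critical"}, "escalate"),
])

if __name__ == "__main__":
    for name, tpl in (("shipped", SHIPPED), ("edited", EDITED)):
        out = process(tpl, EVENTS)
        print(name, "local:", len(out["local"]),
              "escalated:", {k: len(v) for k, v in out["escalated"].items()})
```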
Programmatic Solutions
For programmers, many vendors offer tool kits that accelerate the development of the agent and manager components, which is normally a significant and time-consuming activity. Without a tool kit, each agent must be hand-coded, that is, built from scratch—a process that can take days or weeks. The use of tool kits can reduce development time to only minutes, allowing developers to spend more time on the value-added components of their application, such as processing data gathered by the agent or communicating with, and controlling, external devices.
The agent-creation process is further simplified because developers now can use an intuitive C++ interface that insulates them from the complexities of APIs. For example, without using a tool kit, a developer might have to write more than 200 lines of code to create a simple “get” request. With a tool kit, such agent development can take as few as four lines of code, with the rest of the code being generated automatically. By drastically reducing the amount of manual coding, developer errors are reduced, and quality and productivity are increased. In addition, the code-generation process provides greater code consistency, thus improving code quality and maintainability as well.
Likewise, manager development is also enhanced through a convenient C++ interface that insulates the developer from complex object manipulations. This interface may result in as much as a tenfold reduction in the lines of code for writing manager requests and defining agent responses, for example.
Some tool kits are actually elements of an integrated suite of tools and platforms that facilitate and accelerate the development and deployment of agent- or manager-based network management solutions. These tools are targeted at various phases of the software development life cycle: requirements analysis, high-level design, detailed design, test, and implementation.
It is not enough to have agent-manager development tool kits—there must be a means to test the results before implementation in the live environment. For this task, there are test tool kits that automatically create a suite of tests and provide automated and interactive methods to send those tests to an agent and receive performance reports that aid in further development.
Through the use of interactive and regression tests, the agent tester tool kit fully exercises the agent during customization and testing. The interactive test method provides the ability to incrementally test the customization of the agent, while the regression-testing method allows for a complete suite of tests to be executed, with the results being verified against the expected results. The agent tester tool kit also gives developers the flexibility to customize generated test programs, incorporating event-handling and response, error-handling, and complex MIB definitions.
This level of automation means that developers can completely test their agents without ever writing code, enabling rapid deployment of effective and reliable management solutions, while reducing development costs, improving quality, and shortening the development cycle.
Agents can be built with Java and used to monitor and report on key performance metrics of systems, services, and applications. Since Java is a cross-platform development tool, agents built with Java can provide a single, unified management system to support any mix of IP-based desktop, server, and network resources that also run Java—including hubs, switches, and routers. In addition to relieving the burden of front-line managers, who usually must cope with a collection of unrelated tools while demands on them are accelerating, the Java agents can self-populate through the network to add new resource support and functionality enhancements.
The agents can also collaborate to resolve problems directly—and without alarm generation—rather than escalating them to a higher-level manager in the traditional way. This intelligence reduces management traffic on the network, enables faster response to events, and reduces administration costs. In addition, the agents can be managed directly via a basic Web browser or through an existing SNMP management application.
2.2.3 Agent Applications
Agent technology has been available for several years and still represents one of the fastest growing areas in network management—and for good reason. In a global economy that encourages the expansion of networks to reach new markets and discourages the addition of personnel to minimize operating costs, it simply makes sense to automate as many management tasks as possible through the use of intelligent agents. In recognition of these new business realities, the list of tasks that are being handled by agents is continually growing.
Performance Management
Network performance monitoring can help determine network service-level objectives by providing measurements to help managers understand typical network behavior and normal periods. The challenge is defining “typical” and “normal.” Intelligent agents can help define the network’s behavior and gather the information for documenting achieved performance levels. The following capabilities of intelligent agents are particularly useful for building a network performance profile:
- Baselining and network trending: Identifies the true operating envelope of the network by defining typical and normal behavior that can be used to compare performance at some time in the future, perhaps to see if service-level objectives are still being met and to reveal out-of-norm conditions, which, if left unchecked, may have drastic consequences for the productivity of users.
- Application usage and analysis: Identifies the overall load of network traffic, what times of the day certain applications load the network, which applications are running between critical servers and clients, and what their load is throughout the day, week, and month. Application usage and analysis allows the network manager to discover important performance information on a real-time or historical basis.
- Client-server performance analysis: Identifies which servers may be overutilized, which clients are hogging server resources, and what applications or protocols they are running. Such performance analyses help the network manager define and adhere to client-server performance objectives.
- Internetwork perspective: Identifies traffic rates between subnets so the network manager can find out which nodes are using WAN links to communicate. This information can be used to define typical rates between interconnect devices. This perspective can show how certain applications use the critical interconnect paths and define normal WAN use for applications.
- Data correlation: Allows peak network usage intervals to be selected throughout the day to determine which nodes are contributing to the network load at that peak point in time. Traffic sources and associated destinations can be determined with seven-layer protocol identification.
Applications Management
There are client-side agents that continuously monitor the performance and availability of applications from the end user’s perspective. A just-in-time applications performance management capability captures detailed diagnostic information at the precise moment when a problem or performance degradation occurs, pinpointing the source of the problem so it can be resolved immediately.
Such agents are installed on clients as well as application servers. They monitor every transaction that crosses the user desktop, traversing networks, application servers, and database servers. They monitor all distributed applications and environmental conditions in real-time, comparing actual availability and performance with service-level thresholds.
This analysis enables network and application managers to understand the source of application response time problems by breaking down response times into network, application, and server components. As a result, troubleshooting that sometimes takes weeks can be accomplished in a matter of minutes.
Fault Management
When faults on the network occur, it is imperative that problems be resolved quickly to decrease the negative impact on user productivity. Network managers must be able to respond quickly and have procedures in place to reestablish lost service and maintain beneficial service levels. The following capabilities of intelligent agents can be used to gather and sort the data needed to quickly identify the cause of faults and errors on the network:
- Packet interrogation: Isolates the actual conversation that is causing the network problem, allowing the network manager to get to the heart of the problem quickly.
- Data correlation: Since managers cannot always be on constant watch for network faults, it is imperative to have historical data available that provides views of key network metrics at the time of the fault. What was the overall error/packet rate and the types of errors that occurred? What applications were running at the time of the fault? Which servers were most active? Which clients were accessing these active servers, and which applications were they running? Data correlation can help answer these questions.
- Identification of top error generators: Identifies the network nodes that are generating the faults and contributing to problems such as bottlenecks caused by errors and network down time.
- Immediate fault notification: With immediate notification of network faults, managers can instantly learn when a problem is occurring before users do. Proactive alarms help detect and solve the problem as it is happening.
- Automated resolution procedures: Intelligent agents can be configured to automatically fix the problem when it occurs. The agent can even be programmed to automatically e-mail or notify help desk personnel with instructions on how to solve the problem, thus saving time and money.
Capacity Planning and Reporting
Capacity planning and reporting services play a significant role in delivering sustainable network service levels to end users. They also provide documented proof to management and other organizations that pay for services to help ensure that network service levels are consistently achieved. Capacity planning and reporting allows for the collection and evaluation of information to make informed decisions about future network configurations, accommodating growth in client-server computing environments. The following capabilities of intelligent agents can be used to assist in managing network growth:
- Baselining: Allows the network manager to determine the true operating performance of the network by comparing performance at various times, perhaps on a monthly basis, which can identify business-cycle deviations.
- Load balancing: Allows the network manager to compare internetwork service objectives from multiple sites at once to determine which subnets are over- or underutilized. It also helps the network manager discover which subnets can sustain increased growth and which require immediate attention.
- Protocol/application distribution: Helps the network manager understand which applications have outgrown which domains or subnets. For example, these capabilities can find out if certain applications are continuously taking up more precious bandwidth and resources throughout the enterprise. With this kind of information, the network manager can better plan for the future.
- Host load balancing: Allows the network manager to obtain a list of the top network-wide servers and clients using mission-critical applications. For example, the information collected from intelligent agents might reveal if specific servers always dominate precious LAN or WAN bandwidth, or spot when a central processing unit (CPU) is becoming overloaded. In either case, an agent on the LAN segment, WAN device, or host can initiate load balancing automatically when predefined performance thresholds are met. The information gathered by the agent can be used for resource planning.
- Traffic profile optimization: To best guarantee service-level performance, the ability of network managers to compare actual network configurations against proposed configurations is crucial. From the information gathered and reported by intelligent agents, traffic profiles can be developed that allow what-if scenarios to be put together and tested before incurring the cost of physically redesigning the network. This takes the guesswork out of determining the best placement of client/server nodes and applications, for example.
Web Traffic Management
To build Web sites for electronic commerce and other mission-critical applications, administrators are mirroring site content at additional points of presence (PoPs). This provides redundancy in case one site goes down, and enables traffic to be routed between the sites to improve overall response time. Flow management software determines which Web server to send a request to so that the fastest service can be provided to the clients.
Resonate Inc.’s Global Dispatch, for example, integrates multiple PoPs into a single Web site resource. The company’s flow management software uses three factors to determine where to send a request: PoP availability, PoP load, and the Internet latency between the client and each PoP.
As requests are received, the Global Dispatch scheduler instructs the agents installed at each Web server to measure the latency between the PoP and the client’s local domain name system (DNS). Results are sent back to the Global Dispatch scheduler and combined with current load and availability information to return to the client the IP address (or virtual IP address) of the PoP best suited to respond. Global Dispatch stores this information in cache to enable faster response to future requests.
A single PoP can also have multiple agents, each performing a share of the triangulation work, which minimizes scheduling overhead. The use of multiple agents is especially useful in large Web site environments, since each server eventually must be taken offline for repairs or upgrades. Flow control scheduler/agent software allows a machine to be removed from the server mix and have the traffic routed to other Web servers so users can continue to access various services.
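The scheduler/agent flow described above, as an added example written for this page (not Resonate's code): agents at each PoP report latency to the client's local DNS server, the scheduler combines that with PoP availability and load, returns the best PoP's virtual IP, caches the answer, and reroutes when a PoP is taken offline. The latency table, the addresses (RFC 5737 documentation ranges) and the load-to-latency weighting are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class PoP:
    name: str
    vip: str            # virtual IP address handed back to the client
    available: bool = True
    load: float = 0.0   # fraction of capacity in use, 0.0 .. 1.0

# Constructed latency table (ms) as the per-PoP agents would measure it to a
# client's local DNS server. A missing entry means the probe got no answer.
LATENCY_MS = {
    ("eu-pop", "198.51.100.53"): 18.0, ("us-pop", "198.51.100.53"): 95.0,
    ("eu-pop", "203.0.113.53"): 120.0, ("us-pop", "203.0.113.53"): 22.0,
}

def agent_probe(pop_name: str, client_dns: str) -> Optional[float]:
    """Stand-in for the agent's latency measurement (constructed lookup)."""
    return LATENCY_MS.get((pop_name, client_dns))

@dataclass
class Scheduler:
    pops: List[PoP]
    probe: Callable[[str, str], Optional[float]] = agent_probe
    load_penalty_ms: float = 100.0   # assumed latency-equivalent of a saturated PoP
    cache: Dict[str, str] = field(default_factory=dict)  # client dns -> PoP name

    def _score(self, pop: PoP, client_dns: str) -> Optional[float]:
        """Lower is better; None means this PoP cannot serve the client now."""
        if not pop.available or pop.load >= 1.0:
            return None
        latency = self.probe(pop.name, client_dns)
        if latency is None:
            return None
        return latency + self.load_penalty_ms * pop.load

    def _by_name(self, name: str) -> Optional[PoP]:
        return next((p for p in self.pops if p.name == name), None)

    def dispatch(self, client_dns: str) -> Optional[str]:
        """Return the VIP of the PoP best suited to answer this client."""
        cached = self.cache.get(client_dns)
        if cached is not None:
            pop = self._by_name(cached)
            if pop is not None and pop.available:
                return pop.vip
            del self.cache[client_dns]   # stale entry: PoP removed or went down
        scored = []
        for pop in self.pops:
            score = self._score(pop, client_dns)
            if score is not None:
                scored.append((score, pop))
        if not scored:
            return None
        best = min(scored, key=lambda sp: sp[0])[1]
        self.cache[client_dns] = best.name
        return best.vip

    def take_offline(self, name: str) -> None:
        """Remove a server from the mix (repairs/upgrades); traffic reroutes."""
        pop = self._by_name(name)
        if pop is not None:
            pop.available = False
        self.cache = {c: n for c, n in self.cache.items() if n != name}

def build_scheduler() -> Scheduler:
    """Constructed deployment: a lightly loaded EU PoP and a busy US PoP."""
    return Scheduler([PoP("eu-pop", "192.0.2.10", load=0.2),
                      PoP("us-pop", "192.0.2.20", load=0.9)])

if __name__ == "__main__":
    s = build_scheduler()
    print(s.dispatch("198.51.100.53"))   # EU client -> EU PoP
    print(s.dispatch("203.0.113.53"))    # US client -> US PoP despite its load
    s.take_offline("us-pop")
    print(s.dispatch("203.0.113.53"))    # rerouted to the EU PoP
```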
Security Management
A properly functioning and secure corporate network plays a key role in maintaining an organization’s competitive advantage. Setting up security objectives related to network access must be considered before mission-critical applications are put in potentially compromising networked environments. Intelligent agents can help discover holes in network security by continuously monitoring network access with the following capabilities:
- Monitor effects of firewall configurations: By monitoring post-firewall traffic, the network manager can determine if the firewall is functioning properly. For example, if the firewall was just programmed to disallow access of a specific protocol or external site, but the program’s syntax was wrong, the intelligent agent will report it immediately.
- Show access to and from secure subnets: By monitoring access from internal and external sites to secure data centers or subnets, the network manager can set up security service-level objectives and firewall configurations based on the findings. For example, the information reported by the intelligent agent can be used to determine whether external sites should have access to the company’s database servers.
- Trigger packet capture of network security signatures: Intelligent agents can be set up to issue alarms and automatically capture packets upon the occurrence of external intrusions or unauthorized application access. This information can be used to track down the source of security breaches. Some intelligent agents even have the capability to initiate a trace procedure to discover a breach’s point of origination.
- Show access to secure servers and nodes with data correlation: This capability reveals which external or internal nodes are accessing potentially secure servers or nodes and identifies which applications they are running.
- Show applications running on secure nets with application monitoring: This capability evaluates application and protocol use on secure networks or traffic components to and from secure nodes.
- Watch protocol and application use throughout the enterprise: This capability allows the network manager to select applications or protocols for monitoring by the intelligent agent so that the flow of information throughout the enterprise can be viewed. For example, this information can identify who is browsing the Web, accessing database client-server applications, or using the e-mail system.
Some agents are capable of taking action based on the nature of the security threat. Symantec, for example, offers its Intruder Alert, which uses a real-time, manager-agent architecture to monitor the audit trails of distributed systems for “footprints” that indicate suspicious or unauthorized activity on all major operating systems, Web servers, firewalls, routers, applications, databases, and SNMP traps from other network devices. Instead of reporting suspicious activity hours or even days after it occurs, Intruder Alert instantly takes action to alert IT managers, shut systems down, terminate offending sessions, and other steps to stop intrusions before they damage critical systems.
Typically, an organization would use either a network-based intrusion detection system to monitor only a handful of key facilities that transport sensitive information, or use a host-based solution that places monitoring agents on the systems that host critical applications and store vital data. By adding a host-based manager-agent component called NetProwler to Intruder Alert, Symantec is able to offer a combined approach to intrusion detection. From within Intruder Alert’s management interface, administrators can view multiple NetProwler events and hundreds of Intruder Alert agents, enabling them to react to either network- or host-based violations from a single console.