Determining what a user is doing

Carter Bullard carter at qosient.com
Wed Jul 9 09:56:14 EDT 2008


Hey Barry,
Sure, no problem.  I think ISPs have an interesting obligation to monitor
their networks, and limitations based on what is legal to monitor, at least
I'm aware of the issues in the US.  I would pay attention to monitoring for
a few specific reasons:

    1) Operations Monitoring
    2) Security Monitoring
    3) Performance Monitoring

All three together will suggest deployment strategies for monitors,
and what to pay attention to.  If you are running a WiMAX-like network,
you can monitor a pretty large chunk of your wireless network with only
a few monitors.  And if you have considered putting in active probes,
like something that pings/challenges everything on your network, you
can put an argus in or near the active element and collect availability
and performance data from that device.

For operations management, I would monitor for availability and
reachability failures, including routing loop detection.  Argus is a
very good "finger pointing" tool, and because you have responsibility
for only a part of the link between customer and target, being able to
point a finger quickly and correctly is really important.  I would
definitely monitor your customer service/network management equipment,
whatever is doing the provisioning and configuration and troubleshooting.
Argus data can provide more information, generally, than that equipment
can, when there are problems.

Of course, the closer you get to your customer, the better data you will
get relative to what the customer may be doing on the network.  That's
why we've ported argus to so many machine types, so you can be in the
end system doing end-to-end performance analysis, and we have ported
argus to OpenWRT, so that you can get data from traditional ISP and cable
CPE equipment (in theory at least).  Detecting if a particular customer is
doing X, Y or Z gets tricky if you don't have some guarantees
on source address assignment (i.e. if your customers can spoof IP addresses,
monitoring at your aggregation points may not reveal the real who).
Also your customers are going to be attacking each other, stealing services
from each other, or just reading each other's mail, and so getting an argus
into that path may be a little tricky.

Security for outside -> inside discovery and attack is pretty straightforward,
and argus can supplement any strategy that you're currently using, but argus
data is good at illuminating inside -> outside discovery and attack, where you
can't block it, but you want to know that it's going on.

The performance part is what my company does, so if you're interested in
talking about performance monitoring in complex network architectures,
give me a shout.

Carter


On Jul 9, 2008, at 2:10 AM, Barry Kolts wrote:

> Thanks Carter this will be very helpful.
> Barry
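The deployment points Carter raises above (source-address guarantees at aggregation points, inside -> outside discovery, and customer-to-customer traffic) can be turned into simple checks over flow records. The script below is an added example written for this thread; it is not code from the original message or from the argus project. It assumes a delimited flow export whose columns resemble ra's field names (stime, proto, saddr, sport, daddr, dport, pkts, bytes, state), a hypothetical customer prefix of 10.20.0.0/16, and a handful of constructed records; nothing here is a real capture.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the address space this ISP assigns to customers (hypothetical).
CUSTOMER_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records, laid out as a delimited export with ra-style
# column names. The column order and the state values are an assumption about
# the export format, not a capture.
SAMPLE_FLOWS = """\
stime,proto,saddr,sport,daddr,dport,pkts,bytes,state
2008-07-09 09:00:01,tcp,10.20.1.7,51022,203.0.113.20,443,42,31877,CON
2008-07-09 09:00:02,tcp,10.20.1.5,40001,198.51.100.1,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40002,198.51.100.2,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40003,198.51.100.3,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40004,198.51.100.4,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40005,198.51.100.5,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40006,198.51.100.6,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40007,198.51.100.7,22,1,60,REQ
2008-07-09 09:00:02,tcp,10.20.1.5,40008,198.51.100.8,22,1,60,REQ
2008-07-09 09:00:03,tcp,10.20.1.5,40010,10.20.2.9,25,3,180,REQ
2008-07-09 09:00:04,udp,192.0.2.99,5353,203.0.113.30,53,1,72,INT
2008-07-09 09:00:05,tcp,198.51.100.50,3377,10.20.1.7,22,1,60,REQ
"""


def parse_flows(text):
    """Parse delimited flow records into dicts with typed address/number fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "pkts", "bytes"):
            row[key] = int(row[key])
        row["saddr"] = ipaddress.ip_address(row["saddr"])
        row["daddr"] = ipaddress.ip_address(row["daddr"])
        flows.append(row)
    return flows


def is_customer(addr):
    """True when the address falls inside an assigned customer prefix."""
    return any(addr in net for net in CUSTOMER_NETS)


def classify(flow):
    """Label a flow by where its endpoints sit relative to the customer space."""
    src_ours, dst_ours = is_customer(flow["saddr"]), is_customer(flow["daddr"])
    if src_ours and dst_ours:
        return "internal"      # customer-to-customer traffic
    if src_ours:
        return "outbound"      # inside -> outside
    if dst_ours:
        return "inbound"       # outside -> inside
    return "unassigned"        # neither endpoint is an address we handed out


def spoof_candidates(flows):
    """Source addresses seen at the edge that we never assigned.

    With no guarantee on source address assignment, such a flow is either a
    spoofed source or a routing problem; either way it cannot be attributed
    to a customer from this vantage point."""
    return sorted({str(f["saddr"]) for f in flows if classify(f) == "unassigned"})


def outbound_fanout(flows, threshold=5):
    """Per customer host, count distinct external (daddr, dport) targets.

    A host touching many distinct targets with tiny flows is the shape of
    inside -> outside discovery: you may not block it, but you want to know."""
    targets = defaultdict(set)
    for f in flows:
        if classify(f) == "outbound":
            targets[str(f["saddr"])].add((str(f["daddr"]), f["dport"]))
    return {host: len(t) for host, t in targets.items() if len(t) >= threshold}


def summarize(flows):
    """Count flows per direction class; useful as a quick sanity check."""
    counts = defaultdict(int)
    for f in flows:
        counts[classify(f)] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("direction summary:", summarize(flows))
    print("unassigned sources:", spoof_candidates(flows))
    print("fan-out hosts:", outbound_fanout(flows))
```

The threshold in outbound_fanout is deliberately low for the constructed data; on a real aggregation point you would tune it per time window and exclude known scanners such as your own active probes, which Carter suggests placing an argus next to.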