Why should businesses actively monitor network traffic?
What benefits are there to network monitoring?
Any suggestions for where to start with setting up effective network monitoring?
These are the 3 fundamental questions all businesses should answer before embarking on any monitoring project.
Let's start by saying that Network Monitoring is only 1 component of IT Monitoring. If you only monitor what is going on with the network itself you're driving with most of your car windows covered.
You also need to consider:
- Server Monitoring (hardware, OS)
- Application Monitoring (databases, AD, other middleware, web servers, application executables - the list goes on)
- Environmental Monitoring
- Security Monitoring
- End-user monitoring
Within these areas of monitoring, everything you monitor falls into one or more categories:
- Availability (is it working?)
- Performance (is it working fast enough?)
- Capacity (Have you got enough of it?)
As a previous respondent has said, this also should be mapped to what the organization is using the IT for, i.e. what are the line-of-business systems that a company depends on to exist?
All these factors - the scope of monitoring and the categories of monitoring data - when taken holistically, enable a business to:
1. Identify business-impacting events within the IT Infrastructure
2. Identify POTENTIALLY business-impacting events within the IT Infrastructure before they actually impact work.
3. Identify trends in an activity that can be indicative of changing business needs.
4. Identify where and when investment will need to be made to ensure that the business maintains operation (it's no use waiting until that disk drive is full before buying the upgrade - it's too late then).
5. Help to identify potential inadequacies in the IT Infrastructure (you do have a backup network route to your factory in Bolton, don't you?)
6. Identify potentially "rogue" devices on your network. Do you really want Alexa listening into the office activity?
7. Help to identify application improvements - how are people 'really' using your application? (I bet it's not the way that you expected!)
If you take these 7 capabilities that IT Monitoring provides and consolidate them into a single raison d'être...
A comprehensive monitoring solution encompassing the entire IT estate will enable an organization to save money by reducing the impact of IT issues. It will enable an organization to better plan the budget for IT investment. It will increase operational efficiency by reducing the number and duration of IT outages.
In a perfect world, IT Monitoring will pay for itself in terms of system availability, performance, and capacity. But it's not a perfect world.....
Monitoring only network components gives a network-centric view of any issue. Let's take a silly example... Your router is reporting a massive increase in network traffic from one VLAN to another. The trend suggests that you're going to run out of capacity when the peak sales season hits. The problem though is that you've recently had an app upgrade that for some unknown reason is doing full table scans of a 40GB table for each of your 300 users. Why fix the network when the application is at fault?
As for the final point - where to start?
As a previous respondent suggested, "start with an open-source no-cost solution...". That's probably a fair start. I would however consider all my points above first before launching into rounds of "yum install" or "tar -xvf". As far as possible, have an understanding of what your key business systems are and how they plug together. Then identify the metrics that matter to the operation of that system. This is your foundation. For each metric consider why you need it, what you're going to do with it, how long to keep it for (that's the capacity side of monitoring) and what the impact is of it going wrong.
Now let me make something clear - and this is a personal perspective from a number of decades working in IT Monitoring - IT Monitoring Software is a mature market. It's commoditised. Just about ALL monitoring software does fundamentally the same thing.
Large commercial vendors have a user base that's paying for support and upgrades as part of a maintenance contract. In order to maintain that revenue, these vendors introduce features and facilities that frankly very few customers actually exploit. Then the competition introduces the same features and maybe a few more and the whole cycle starts again - it's an example of the Red Queen Effect. The end result is that over time features are added that are of limited value or add to the underlying system requirements. I know of one platform that for a reasonably sized infrastructure needs around 12 - 20 servers just to do the monitoring (and that's excluding the proxies for remote monitoring).
Someone mentioned AIOPS. AI needs to learn in order to adapt. At the moment, AIOPS is MLOPS (Machine Learning Ops). The actual personnel and resource overhead in maintaining the additional components needed to make AI(ML)OPS a reality are beyond most companies - with the exception of very large telcos, service providers, and research agencies. For instance, AIOPS depends fundamentally on having a real-time dynamic view of the entire IT infrastructure and how everything is interconnected. Basically a CMS on steroids. As we enter the era of Docker containers and nebulous cloud services, simply maintaining this view automatically is extremely difficult and resource-intensive.
Sure, IT Monitoring tools do network discovery and can identify new and changing environments, but maintaining those dependencies is a complex process and I sincerely don't think that any one vendor has 100% mastered it yet.
If you are a very large organization, with literally a million pounds to spend on IT Monitoring these large commercial solutions are the best. They're not perfect, not by a long chalk, but they are there. Factor in your running costs though.
Back to open-source. Open-source solutions such as Nagios and my personal favorite, Zabbix, are excellent at collecting data. And that is the fundamental, number one, priority. If you can't measure it, you can't monitor it.
My tips are, therefore:
1. Know what is important to your business.
2. Don't (please don't!!!) stick to monitoring networking devices.
3. Make sure you factor in the support and admin costs.
4. Don't forget to monitor user activity (known as Application Performance Management) as well as technical metrics such as CPU and Disk Space.
5. Start with the basics.
Hope that helps guide you.
Feel free to reach out to me on LinkedIn: www.linkedin.com/in/itomdave
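Point 4 above (buy the upgrade before the disk is full) comes down to trend extrapolation. The following is an added illustration, not code from the post: it fits a straight line to constructed weekly usage samples and reports how many days remain before the fitted trend reaches capacity.

```python
"""Capacity trend forecast: how long until a volume (or link) is full?"""
from datetime import datetime, timedelta
from typing import Optional, Sequence, Tuple

Sample = Tuple[datetime, float]  # (timestamp, GB used)


def linear_fit(samples: Sequence[Sample]) -> Tuple[float, float]:
    """Least-squares fit used = a + b*t, t in days since the first sample.
    Returns (intercept_gb, slope_gb_per_day)."""
    t0 = samples[0][0]
    xs = [(ts - t0).total_seconds() / 86400.0 for ts, _ in samples]
    ys = [used for _, used in samples]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:  # a single sample (or identical timestamps): no trend
        return mean_y, 0.0
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def days_until_full(samples: Sequence[Sample], capacity_gb: float) -> Optional[float]:
    """Days from the last sample until the fitted trend crosses capacity.
    None when usage is flat or shrinking, i.e. no exhaustion is predicted."""
    intercept, slope = linear_fit(samples)
    if slope <= 0:
        return None
    t_last = (samples[-1][0] - samples[0][0]).total_seconds() / 86400.0
    t_full = (capacity_gb - intercept) / slope
    return max(0.0, t_full - t_last)


# Constructed data: weekly readings of a 2 TB volume growing ~10 GB per week,
# plus a flat series for the "no trend" case.
START = datetime(2024, 1, 1)
WEEKLY_USAGE = [(START + timedelta(weeks=i), 1500.0 + 10.0 * i) for i in range(8)]
FLAT_USAGE = [(START + timedelta(days=i), 100.0) for i in range(4)]
CAPACITY_GB = 2000.0

if __name__ == "__main__":
    eta = days_until_full(WEEKLY_USAGE, CAPACITY_GB)
    print(f"Estimated days until full: {eta:.0f}")
    print("Flat series forecast:", days_until_full(FLAT_USAGE, 500.0))
```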
@David Collier Thanks for this amazing, in-depth response!
Start with an open-source no-cost solution like Nagios for Network Monitoring to get familiar with the features you like and don't like.
Benefits to network monitoring are the reduction in the mean time to recover and a seamless experience for our customers.
Why should businesses monitor network traffic? Each business really needs to grasp its "why" on networking monitoring. Is it reactive and defensive or is it proactive with a roadmap leading to AIOps?
@reviewer1122879 Thanks for your input! Can you elaborate a bit more about how a business can decide on their 'why' for network monitoring?
As already said, network monitoring is just one type of monitoring, and you should monitor on all levels to get a clear picture.
Hand in hand with monitoring goes a good event and alert setup, to be warned when something is happening.
Now to Why?
- Network monitoring is to find the bottlenecks in your network, by looking at Bandwidth and latency.
- check on malfunctioning systems, by looking at network errors
- find out between which points the most traffic is exchanged.
- you can look at trends, sudden peaks in traffic.
Benefits: The most benefit you will get is to prevent network disturbances, e.g. when someone is hogging the internet connection you can quickly resolve it.
- it should also give an idea on where to invest on network equipment based on usage, bottlenecks etc.
- with respect to application performance, the network is normally the first thing that one is pointing at. So, it certainly helps to be able to see if the network is overused.
- insights will help with e.g. QoS implementation, for VoIP and business-critical applications.
Start setting up: I would also recommend starting with open source (this also depends on the size of your network and its complexity).
Start with collecting standard in/out for the most important network components, like the internet connection, routers, central switches.
Then based on some initial observations, you can define some alerts on when a connection (e.g. internet) is overused, e.g. alarm at 60, 80, 90% capacity.
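An added illustration of the last two steps (collect in/out counters, then alarm at 60, 80 and 90% of capacity), not code from the post: the counter readings, link speed and polling interval below are constructed, and the wrap handling mirrors 32-bit SNMP ifInOctets/ifOutOctets, which roll over at 2^32.

```python
"""Link utilisation from in/out octet counters with tiered alerts."""
from typing import List, Optional, Tuple

COUNTER_WRAP = 2 ** 32
# Thresholds from the post: warn at 60, 80 and 90 % of link capacity.
TIERS = [(90.0, "CRITICAL"), (80.0, "MAJOR"), (60.0, "WARNING")]


def counter_delta(prev: int, curr: int) -> int:
    """Bytes moved between two readings, tolerant of one 32-bit wrap."""
    return curr - prev if curr >= prev else curr + (COUNTER_WRAP - prev)


def utilisation_pct(prev_octets: int, curr_octets: int,
                    interval_s: float, speed_bps: int) -> float:
    """Percentage of link speed used in one direction over the interval."""
    bits = counter_delta(prev_octets, curr_octets) * 8
    return 100.0 * bits / (speed_bps * interval_s)


def classify(pct: float) -> Optional[str]:
    """Highest tier breached, or None while below the 60 % warning level."""
    for threshold, level in TIERS:
        if pct >= threshold:
            return level
    return None


def evaluate(readings: List[Tuple[int, int, int]],
             speed_bps: int) -> List[Tuple[float, float, Optional[str]]]:
    """readings are (timestamp_s, in_octets, out_octets) polls.
    Returns (in %, out %, alert level) per interval, alerting on the busier direction."""
    result = []
    for (t0, i0, o0), (t1, i1, o1) in zip(readings, readings[1:]):
        in_pct = utilisation_pct(i0, i1, t1 - t0, speed_bps)
        out_pct = utilisation_pct(o0, o1, t1 - t0, speed_bps)
        result.append((round(in_pct, 1), round(out_pct, 1),
                       classify(max(in_pct, out_pct))))
    return result


# Constructed polls of a 100 Mbit/s uplink every 300 s (3.75 GB per interval = 100 %).
# The in-counter starts near 2^32 and wraps twice; the out-counter never wraps.
LINK_SPEED_BPS = 100_000_000
READINGS = [
    (0,   4_000_000_000, 100_000_000),
    (300, 1_955_032_704, 475_000_000),    # in +2.25 GB (60 %, wrapped), out +10 %
    (600, 1_035_065_408, 1_225_000_000),  # in +3.375 GB (90 %, wrapped), out +20 %
    (900, 2_035_065_408, 4_225_000_000),  # in +1 GB (26.7 %), out +3 GB (80 %)
]

if __name__ == "__main__":
    for row in evaluate(READINGS, LINK_SPEED_BPS):
        print(row)
```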
Thanks for such a comprehensive answer @Raymond De Rooij :)
Maintaining full network visibility
You can’t adequately understand your network’s performance if you don’t have full network visibility. Your company needs to be able to observe every bit of traffic that travels through your network, as well as monitor every connected device and examine common performance metrics. Any network monitoring tool worth its salt will provide comprehensive monitoring capabilities that don’t leave any portion of your network in the dark. That way, there won’t be performance-affecting problems hiding somewhere on your network.
Discovering security threats
While network monitoring solutions are primarily designed for performance monitoring purposes, they can also help you find security threats lurking in your system. Some malware and viruses are designed to stay put on a network after they’ve gained access without doing anything initially; others might be performing small actions that would be undetectable to the human eye. Network monitoring solutions will observe a network for unusual and suspicious network traffic (indicating a security threat is drawing network resources) and alert your company to the problem.
Predicting and preventing network downtime
You can never guarantee 100% service uptime, even with the most powerful network monitoring solution — but they can help you prevent unexpected network outages. A key function of network monitoring solutions is observing for network traffic that indicates the failure of a device or network is about to happen. This way, your enterprise can preemptively correct any unexpected downtime, allowing you to maximize service availability wherever possible.
Observing bandwidth utilization
For most network administrators, bandwidth usage is one of the most important performance metrics to analyze. Ideally, your company wants to be using as much bandwidth as possible while ensuring that every service is running efficiently. A network monitoring solution will track bandwidth usage, inform your network when bandwidth utilization is reaching critical levels, and ensure that quality-of-service (QoS) protocols are running correctly.
Reducing mean time to repair (MTTR)
Network performance issues don’t just pose a financial cost; the time it takes your network team to repair a problem could be spent on other, more important tasks. As such, reducing the time between when a performance issue occurs and when it’s fixed is essential for businesses. Network monitoring solutions alert your team to performance issues as soon as they discover them, meaning a company can get straight to work addressing the problem. Many monitoring tools also include diagnostic tools that provide your team with an initial assessment of the issue, so your employees don’t need to spend as much time diagnosing the problem.
Testing changes to a network or device
Whenever you make a change to your network or a device, you need to test it to ensure that it’s performing as you expect. Adding or reconfiguring a device can screw up the rest of your network if it isn’t implemented properly. Network monitoring tools allow you to test new or updated hardware and connections, letting you see if they could cause problems before they negatively impact your network.
Generating network performance reports
A network monitoring solution constantly tracks performance data and displays it via visual representations on its dashboard. Monitoring tools can also generate reports that your enterprise can review, converting them into several printable file types. Your company can choose the schedule that the solution generates these reports on — weekly, monthly, quarterly, etc.
Finding performance issues that occur after business hours
Performance issues can occur at any time, even when there isn’t anybody in the office to fix them. If a problem happens after business hours, your enterprise needs to know about it; network monitoring tools continuously observe a network, meaning that they can discover these issues for you. A solid network monitoring solution won’t send out the alerts for these issues immediately, however, since those alerts could be lost by the time your team comes back to work. Ideally, the solution will delay the alert until a time determined by the network administrator.
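An added illustration of the deferral described in the last paragraph, not code from the post: an alert raised inside business hours is sent at once, one raised after hours is held until the next working day's delivery time. The 08:00-18:00 Monday-to-Friday window and the 08:00 delivery time are assumed administrator settings.

```python
"""Defer after-hours alerts to the next working-hours delivery time."""
from datetime import datetime, time, timedelta
from typing import List, Tuple

# Assumed administrator settings (constructed for this example).
BUSINESS_START = time(8, 0)   # also the delivery time for held alerts
BUSINESS_END = time(18, 0)
WORKDAYS = {0, 1, 2, 3, 4}    # Monday .. Friday


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() in WORKDAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def delivery_time(raised_at: datetime) -> datetime:
    """When an alert raised at `raised_at` should be sent.

    Inside business hours it goes out immediately; otherwise it is held until
    BUSINESS_START on the next working day (the same day if raised before opening).
    """
    if in_business_hours(raised_at):
        return raised_at
    candidate = datetime.combine(raised_at.date(), BUSINESS_START)
    if raised_at.time() >= BUSINESS_START or raised_at.weekday() not in WORKDAYS:
        candidate += timedelta(days=1)
    while candidate.weekday() not in WORKDAYS:  # skip the weekend
        candidate += timedelta(days=1)
    return candidate


def schedule(alerts: List[Tuple[datetime, str]]) -> List[Tuple[datetime, str]]:
    """Map (raised_at, message) pairs to (send_at, message), earliest first,
    so held alerts arrive as one batch when the team is back."""
    return sorted((delivery_time(raised), msg) for raised, msg in alerts)


# Constructed alerts around the weekend of 5-8 January 2024 (Fri .. Mon).
ALERTS = [
    (datetime(2024, 1, 5, 19, 30), "core-sw1 uplink at 92 %"),   # Friday evening
    (datetime(2024, 1, 6, 12, 0), "rtr2 interface errors"),      # Saturday
    (datetime(2024, 1, 3, 6, 45), "wan1 latency high"),          # Wednesday, pre-opening
    (datetime(2024, 1, 3, 10, 0), "dns1 unreachable"),           # Wednesday, in hours
]

if __name__ == "__main__":
    for send_at, msg in schedule(ALERTS):
        print(send_at, msg)
```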
Why is network monitoring in Place?
Defensive monitoring is in place because someone said we need it, but does not understand how it helps your business.
Proactive monitoring is when businesses mature to understand that outages mean lost business, lost customer satisfaction and lost opportunities; then the why becomes apparent. Proactive AI monitoring moving to predictive ML resolution is a strategic activity, although not sexy.
By monitoring network traffic with PRTG, you can:
Network monitoring provides clear visibility of your network, thereby allowing you to act immediately in case of a network issue or bottleneck. You can easily identify network-related and security-related issues that would otherwise take a lot of time in a network with 100 devices or more.
The first step would be to identify the devices and applications that you would like to cover under network monitoring. You can start with open source tools or solutions like PRTG or NetCrunch (cost-effective solutions).
@Aji Joseph Thanks for your input!
It is extremely important to be checking network traffic to detect possible failures such as bottlenecks, malfunctioning of a device on the network, or to detect any unusual increases in packets that could be some type of malware.
One of the biggest benefits is that you can see the performance of network traffic, Internet links, and the behavior of switches and routers.
It all starts with the most basic element, the cabling: having quality cabling, implemented in compliance with best practices, then configuring the network equipment according to the use to be made of it.
@JOHAN ROJAS Thanks for your input! This is really helpful.