Zachary Loeber

I eat complexity and am never without a meal.

Create Your Own Network Assessment Appliance

In this write-up I set up several network assessment tools which can be used in the discovery process of a new environment. This can be useful for a newly hired sysadmin or a consultant who needs to rapidly gather information to assess the health and/or state of a network.

Introduction

I often find myself assessing a foreign network infrastructure for performance or other issues. Depending on the size of the environment, digesting everything can be daunting without the help of some third-party tools. I’ve been using a custom Linux VM on my workstation that has all kinds of tools specifically for gathering information about a network’s performance, layout, and statistics. I’ve decided to retool the VM I currently use and take better notes on what I install so others may do the same if they so desire.

List of tools installed

Nedi

Nedi is probably the coolest network information gathering tool out there. You can create maps, population reports, and get more information than you ever wanted to know about an environment. The catch is that you really want to enable CDP/LLDP (FDP?) on all infrastructure devices and make sure that they all have an SNMP read-only community string configured. You also gain benefits by setting the SNMP location string in a particular format.

This format (directly from the nedi site) is as follows:

Region;City;Building;Floor;[Room;][Place within room;][Whatever additional info you want]

Example SNMP location string for a device:

Illinois;Chicago;Main Station;5;DC;Rack 17;7-8

Even if you don’t have the time to set these locations on all devices (that is more of a task for the system administrator, as it requires knowledge of device placement and such ahead of time), the information gathered with Nedi is still very valuable for performing analysis of an environment. Nedi is really meant to squat on the network and gather information over a period of time. In this article I do not set it up with any cron jobs, as I normally run this appliance from my laptop for short-term engagements for general environment analysis only. I use a few other applications to gather performance metrics for the short periods of time that I’m on site.
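Before a Nedi run it is worth knowing which devices already carry a usable sysLocation. The checker below is an added example (not part of Nedi) that validates strings against the layout quoted above and reports the devices whose location the tool will not be able to place; the device names and location values are constructed samples.

```python
# Check device sysLocation strings against the NeDi layout described above.
# Added example, not part of NeDi. Layout (from the NeDi site):
#   Region;City;Building;Floor;[Room;][Place within room;][additional info...]
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("Region", "City", "Building", "Floor")

@dataclass
class Location:
    region: str
    city: str
    building: str
    floor: str
    room: Optional[str] = None
    place: Optional[str] = None
    extra: List[str] = field(default_factory=list)  # "whatever additional info"

def parse_location(syslocation: str) -> Location:
    """Split a sysLocation on ';' and require the four leading fields to be set."""
    parts = [p.strip() for p in syslocation.split(";")]
    if parts and parts[-1] == "":  # the layout allows a trailing ';'
        parts.pop()
    if len(parts) < len(REQUIRED_FIELDS):
        raise ValueError(f"only {len(parts)} of {len(REQUIRED_FIELDS)} required fields present")
    empty = [name for name, value in zip(REQUIRED_FIELDS, parts) if not value]
    if empty:
        raise ValueError("empty required field(s): " + ", ".join(empty))
    rest = parts[4:] + [None, None]  # pad so room/place are None when absent
    return Location(*parts[:4], room=rest[0], place=rest[1], extra=parts[6:])

def audit_locations(devices: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> problem for every sysLocation NeDi could not place."""
    problems = {}
    for name, syslocation in devices.items():
        try:
            parse_location(syslocation)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems

# Constructed sample sysLocation values, as an SNMP walk might return them.
SAMPLE_DEVICES = {
    "core-sw1": "Illinois;Chicago;Main Station;5;DC;Rack 17;7-8",
    "edge-sw3": "Illinois;Chicago;Branch 12;1;",  # trailing ';' is fine
    "old-sw9": "Server room, 2nd floor",          # free text, not the layout
    "ap-04": "Illinois;;Main Station;3",          # City left empty
}
```

Running `audit_locations(SAMPLE_DEVICES)` flags old-sw9 and ap-04; the other two parse cleanly, with core-sw1 landing in room DC, Rack 17.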

Observium

This is one of those hidden gems which I’m surprised more people are not using. Observium terms itself as:

…an autodiscovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems including Cisco, Linux, FreeBSD, Juniper, Brocade, Foundry, HP and many more.

Observium has grown out of a lack of easy to configure network monitoring platforms. It is intended to provide a more navigable interface to the health and performance of your network. Its design goals include collecting as much historical data about devices as possible, being completely autodiscovered with little or no manual intervention, and having a very intuitive interface.

I use Observium as an alternate way of mapping out a network by interface. Here is a quick example of what such output may look like with a couple of HP switches at the core connected to each other and to a few other Cisco switches:

I also use it as a short-term performance monitor of an environment’s equipment. As an example, I once used it to determine that a random network outage that lasted less than a minute was isolated to an old Catalyst switch with an IOS bug that forced a reboot from memory over-consumption.

The BIG caveat to using this tool is that any device added needs to be resolvable in DNS. It is the author’s preference (and I kinda do not blame the man; not enough people fully resolve their infrastructure equipment).

Xerela

Ok, this one was going to be NetworkAuthority (which I’ve set up in the past). But when I went to install it again I was unsurprised to find out that it had died. Fortunately an open-source project called Xerela was forked from it. Even more fortunate is that the project is Windows only with a nice installer. So this isn’t going to be officially covered in this install guide, but I felt the need to give the project props in hopes that it stays alive 🙂 If you do install this on your laptop you will need the Java SDK installed, so you may as well download that ahead of time. Oh, and install Perl as well.

In the future I may shove Rancid into this position, but the goal of Rancid is more long term rather than assessment oriented. It is great at collecting configurations, but the primary use is to collect and diff the configs to be able to know what is changing in your environment. If you go onsite for a day or two, the effort to set up Rancid just to get a copy of device configs is not really worth it.

Smokeping

I use this tool to gather information concerning internet latency. Sometimes network issues are not necessarily internal but rather provider based. This can be used to provide evidence of latency issues which a provider may be having. And the graphs it produces look pretty on a deliverable report as well 🙂

Nipper-NG

Nipper is used for firewall configuration auditing. Nipper became a commercial product some time ago but, with a little work, you can still use the fork of the OSS version. Generating reports from this appliance is not as easy as using NipperME, but it is certainly not impossible. I don’t cover NipperME as this appliance is really meant to be headless in use. I may go into the many Windows tools I use for network analysis in a future write-up though.

Pre-requisites

When installing Ubuntu, at the install screen press F4 for modes and select the minimal virtual machine install mode. Select the OpenSSH Server and the LAMP Server options. Create your user and a root MySQL password and keep a note of them.

Get some base software and prep your sandbox some:

Nedi

Now it’s time for Nedi.

There, now you are able to access Nedi at http:///nedi/html with the admin/admin credentials. If you find you are reusing this tool for many sites you can easily customize it by logging in, going to System -> Files, and using the first dropdown in the upper left to select /var/www/nedi/seedlist and/or /var/www/nedi/nedi.conf to modify the SNMP/logon strings and initial seedlists for an environment. Then clear things out from the last engagement you may have done by going to the System -> Nedi area, selecting the “Init” radio button on the right and entering root for your user and your MySQL password for the password. Execute that puppy and all data is cleared. Finally select the verbose, protocol, node dev, FQDN, Route, and OUI checkboxes and the “discover” radio button. Click execute again and, depending on the environment size, wait around for a bit while watching all that beautiful information roll down the screen.

As a bonus I also include NeDi2GraphML. This can be used to create some pretty wicked looking diagrams which you can edit with yEd. To create a diagram you can run the following after having performed your initial collection.

Then transfer NiceSchemmatic.graphml to your workstation for editing as you see fit.

Observium

Set up your Observium home and get it installed (I ran into issues not running Observium from /opt, so that is why it is there).

If you will be using Observium in an assessment you will gain the most value by adding devices to it early on. It really excels at gathering performance information in a manner which is easy to maneuver through. You can now access Observium at http://:81/

SmokePing

This is probably the easiest one to setup. Just add a few external targets to monitor and start the service.

To access smokeping go to http:///cgi-bin/smokeping.cgi

Nipper-NG

This one is pretty easy:

Then use nipper at the command line to see the options for scanning your firewall configuration and generating client-consumable deliverables.

Extras

I’ve added a few extra applications in this appliance setup which can be used (or not) in an assessment. I ran across a few of them while doing this write-up and have not actually used them in a real assessment. But they show potential and are pretty easy to set up, so I decided to include them in the appliance. I give minimal instructions on their usage (as I’ve minimally used them). I’ll leave it as an exercise to the reader to determine their worthiness.

SwitchMap

I’ve literally never used this before, but the project looks promising so I did a very basic setup for future use. Much of what I read from the readme points to a process where you set up a config file, run some scripts in order, and finally run a script which produces an HTML-formatted report. I’m looking forward to using this when the opportunity presents itself.

Open-AudIT

This little bad boy is not really new to me but my experience with it is minimal. I decided to add it to the appliance to get more experience with its usage and see if I can gain further assessment information from it for future engagements.

The setup for the appliance is fairly basic. You just need to download it, put it into a php/apache capable directory, and change a few perms.

After this is done go to http:///openaudit and go through the initial configuration steps. Use root/ when asked for database information.

To actually get a domain audit is a bit more of a pain. The general process is to make your appliance available to the network, download a config and a vbs file from it to a DC, modify the config, then run the vbs to start collecting server information to send back up to the appliance.

From the Admin->Config page add an LDAP connection. After it has been added, add a path as well; it may not be immediately discernible where this is done. Simply hover over the LDAP connection and select “Add New Path” from the pop-up menu (as shown below). Make the path the root of the domain you are assessing (i.e. DC=zacharyloeber,DC=net).

Then remote to a DC and access http:///openaudit/scripts/ from a web browser, download audit.config and audit.vbs from it to the local machine, and edit audit.config. Below are the pertinent audit.config settings (not the entire audit.config, just the areas which are most important):

audit_location = "r"
audit_host = "http://192.168.1.148"
strComputer = ""
audit_local_domain = "y"
local_domain = "LDAP://dc=zacharyloeber,dc=net"
nmap_subnet = "172.17.0."               ' The subnet you wish to scan
nmap_subnet_formatted = "172.017.000."  ' The subnet padded with 0's
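Hand-editing audit.config on a DC is where typos creep in, so here is an added example (not Open-AudIT’s own code) that generates the settings above from the appliance URL, the domain’s DNS name and the subnet prefix. It assumes, as the example above does, that nmap_subnet is a /24 prefix and that the padded form zero-fills every octet to three digits; it also emits only plain ASCII quotes, since the curly quotes a blog or word processor substitutes are not VBScript string delimiters.

```python
# Generate the Open-AudIT audit.config settings shown above from a few inputs.
# Added example, not part of Open-AudIT. Assumes, as the page's example does,
# that nmap_subnet is a /24 prefix ("172.17.0.") and that the padded form
# zero-fills every octet to three digits ("172.017.000.").
from typing import List, Tuple

def dns_to_ldap_path(domain: str) -> str:
    """'zacharyloeber.net' -> 'LDAP://dc=zacharyloeber,dc=net'."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return "LDAP://" + ",".join(f"dc={label}" for label in labels)

def pad_subnet(subnet: str) -> str:
    """'172.17.0.' -> '172.017.000.' with each octet zero-padded to 3 digits."""
    octets = subnet.strip(".").split(".")
    if len(octets) != 3:
        raise ValueError(f"expected a /24 prefix like '172.17.0.', got {subnet!r}")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {subnet!r}")
    return ".".join(f"{int(octet):03d}" for octet in octets) + "."

def render_audit_config(audit_host: str, domain: str, subnet: str) -> str:
    """Return the settings as VBScript assignments with plain ASCII quotes.

    Curly quotes (U+201C/U+201D) are not string delimiters in VBScript, so
    only '"' is ever emitted here.
    """
    normalized = subnet.strip(".") + "."  # audit.config wants the trailing '.'
    settings: List[Tuple[str, str]] = [
        ("audit_location", "r"),          # values as given on the page
        ("audit_host", audit_host),
        ("strComputer", ""),
        ("audit_local_domain", "y"),
        ("local_domain", dns_to_ldap_path(domain)),
        ("nmap_subnet", normalized),
        ("nmap_subnet_formatted", pad_subnet(normalized)),
    ]
    lines = [f'{key} = "{value}"' for key, value in settings]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed inputs matching the page's example environment.
    print(render_audit_config("http://192.168.1.148", "zacharyloeber.net", "172.17.0."))
```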

Then, from that same directory (where both the audit.config and audit.vbs files are located), run:

Tying It All Together

We are not really tying these apps together as much as making them usable for you from your laptop. If you are using VMware Workstation then you need to set up some NAT love to get things working. Typically VMware Workstation will use vmnet8 for NAT, so you will want to go into the virtual network editor and set up a few NAT Settings rules on it for your new network info collecting baby.

The primary NAT settings which need to be set are as follows:

Type   Virtual Machine IP Address   Description
TCP    <IP Address>                 SSH
TCP    <IP Address>                 Nedi, Open-AudIT, Smokeping
TCP    <IP Address>                 Observium

Conclusion

Although this little setup guide only covers a small portion of the tools I use on a daily basis, it should be enough for most people to get their feet wet. I do not at all cover the ways in which I utilize the data collected from an environment to come to an assessment for a client. This is because each environment and engagement is different. If you are looking for security issues your assessment will be far different than if you are looking for causes of a periodic network slowdown (or not; root-cause analysis can lead to some pretty interesting results). Besides, if you understand networking and infrastructure then you will know what you are looking for far better than I could verbalize.