Network monitoring/IDS rant - What's hot what's not?

Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?

There are many network monitoring options but each option has its
pitfalls. I'm rapidly coming to the conclusion that any software
Computer Associates publishes is designed for the criminally insane.
However, there 'has' to be something that offers more visibility into a
major WAN than MRTG/RRDTOOL.

Perhaps I'm on a Computer Associates rant today but can anyone share any
positive experiences with E-trust intrusion detection? 5 MB of traffic
flow paralyzes a dual P3 with gobs of ram and it still misses signatures
that Snort does not miss. Originally I was going to blame this lousy
performance on application tuning; however, it was a CA engineer that
set this box up.

Any IDS suggestions would be greatly appreciated as well.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?

There are many network monitoring options but each option has its
pitfalls. I'm rapidly coming to the conclusion that any software
Computer Associates publishes is designed for the criminally insane.
However, there 'has' to be something that offers more visibility into a
major WAN than MRTG/RRDTOOL.

CA-Unicenter/OVW/Tivoli are not IDS systems... (traditionally) but they
can normally monitor the heck out of 'decent' sized networks (less than
500 components was my last experience with OVW at least; Tivoli and CA we
never got working correctly with less than 1 metric butt ton of LOE to
keep it running)

Perhaps I'm on a Computer Associates rant today but can anyone share any
positive experiences with E-trust intrusion detection? 5 MB of traffic
flow paralyzes a dual P3 with gobs of ram and it still misses signatures
that Snort does not miss. Originally I was going to blame this lousy

So, lemme understand here... Snort works and you are switching why??

Christopher J. Wolff wrote:

Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?

There are many network monitoring options but each option has its
pitfalls. I'm rapidly coming to the conclusion that any software
Computer Associates publishes is designed for the criminally insane.
However, there 'has' to be something that offers more visibility into a
major WAN than MRTG/RRDTOOL.

Perhaps I'm on a Computer Associates rant today but can anyone share any
positive experiences with E-trust intrusion detection? 5 MB of traffic
flow paralyzes a dual P3 with gobs of ram and it still misses signatures
that Snort does not miss. Originally I was going to blame this lousy
performance on application tuning; however, it was a CA engineer that
set this box up.

Any IDS suggestions would be greatly appreciated as well.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

Chris

All the reviews I've seen/heard of etc. all say Snort is the best IDS. Now I'm not saying it is, just passing on what I've heard, as I've not had the opportunity to compare the things myself. (Also remember that a lot of CA software is acquired by merger, not written by themselves, so it normally takes a couple of iterations to get things into the CA way.)

As to network monitoring, I'll go with mrtg and/or nagios anytime (mainly 'cos of the price/performance issue). PSiNETEurope use MRTG to display router stats for their customers and so do a lot of other people - it just works.

What are the options and recommendations for networks > 500
components?

Pete.

http://www.sltrib.com/2003/feb/02232003/business/31810.asp

i've generally thought of CA as the "old software" rest home,
the place where it goes to die.

cheers,
  richard

Hello...

Tivoli, Openview, Unicenter, ipmonitor, mrtg, nagios?

There are many network monitoring options but each option has its
pitfalls. I'm rapidly coming to the conclusion that any software
Computer Associates publishes is designed for the criminally insane.
However, there 'has' to be something that offers more visibility into a
major WAN than MRTG/RRDTOOL.

Intermapper http://www.intermapper.com

You can create charts showing realtime bandwidth usage on each of your
routers. I also use it to check bandwidth on my web servers. With a
glance, you can tell everything is "OK", "abnormal", etc.

No IDS, but it is great as an enhancement/replacement for
mrtg/rrdtool/nagios. (I run all three.)

<disclaimer>
No affiliation w/ intermapper
just a happy customer for ~6 years

<snip>

At my previous job our largest network (we ran something like 8 separate
ones as I recall) was around 500 managed devices, including switches
(Bay) and routers (Cisco/Promina). All that was done with OVW, and some
plugins we got 'for free' (CiscoWorks, Bay's crazy OVW plugin for switch
management).

At networks larger than 500 mostly things are hand-built and
non-graphical... at least on the one I have experience with. I suppose you
can think of it like this: do you need the graphical info, or do you just
want alarms/alerts when problems arise? If you maintain the data in some
sane format (think database) you can correlate that info as you want, and
generate graphical displays for things of interest.

MRTG/RRDTool or RTG are nice packages for some things, but you might have
to have a farm of pollers/graphers/displayers (and a few folks to care for
them/create displays that matter) to poll 100,000 interfaces, eh?

i've done this sort of stuff successfully with Aprisma Spectrum.

issues:

1) it's not cheap. on the other hand, Aprisma did used to have a service
   provider oriented pay-per-number-of-nodes-monitored pricing plan,
   which is how we did it back when i was running a Spectrum based NMS
   shop.

2) it runs only on W2K and Solaris, and for large installations, runs
   much better on Solaris. sizing depends on number of nodes being
   monitored. "enough RAM" is important. multiple spindles with well
   chosen file system partitioning, and 2 CPUs, also make a difference.

3) getting it to run well requires experience. some default settings
   are not very suitable for monitoring large WANs, and it is definitely
   not "set up and forget it" software.

4) apropos to 3, budget for training. one or two smart guys who've
   been through class can handle it (no need for Aprisma Professional
   services.)

5) reporting used to be clumsy, although there were some add-ons available
   to improve this.

6) the database used to be a proprietary network database based on the
   old VistaDB. they've been migrating towards MySQL, although the
   migration isn't complete yet. archived polling data does go into
   MySQL, but the database of monitored nodes was still in the
   proprietary database the last time i looked at this.

note also that there are a bunch of up-and-coming NMS systems that may or
may not be better than Spectrum. the last time i did an evaluation,
Spectrum was the best in the cost-no-object model, but that was a while
ago.

richard

MRTG/RRDTool or RTG are nice packages for some things, but you might have
to have a farm of pollers/graphers/displayers (and a few folks to care for
them/create displays that matter) to poll 100,000 interfaces, eh?

Polling 100000 interfaces every five minutes is only 333 queries per second.

It gets complicated if you want to do something useful with the data you poll.
I'll be happy to listen to ideas what people would like to do with data from 100000
apart from plotting it on X/Y axes. Maybe some of them would eventually get
implemented properly.

Pete