Re: Network Monitoring System - Recommendations?

["Alexei Roudnev" <alex () relcom net>]

> I read document of these tools and find they work with
> Cisco products. But, how about Juniper M160 or M320,
> Unishpere's BRAS products?  Where can I find Juniper's
> OID on its tempreture, chassis, CPU, bandwidth ? Does
They use standart MIB2 and a little of Cisco specific MIB's. As I already
said, it is a good tool to view and monitor traffic, utilisation, errors,
and use additional tiool to deep monitor vendor specific parameters. We use
'snmpstat' to monitor routers, switches, ports and interfaces (and bgp) and
cricket to watch few additional parameters (to configure alerts, we use
aliases and mhonarc mail archives with auto expiration - for alerts,
warnings, reports and audits, and for 'root' and 'oracle' e-mail.

> anyone have a  running configuration for M160 or
> Unishpere's BRAS products?
CCR can work with anything which (1) allow telnet or ssh, and (2) can 'write
net' config (in any syntax).
You can use encrypted password file (using passphrase) if you want. Using
SNMP was rejected, because it is absolutely device-specific, impossible in
many cases, and we never saw it as a security problem, because all devices
are restricted to allow ssh or telnet from 2 or 3 servers only, because
passwords are encrypted, and because automated config reading and web access
aree much more important vs very abstract possibility of hacking (in
reality, problem can come from insiders, not from hackers, so no extra
accounst are allowed on monitoring server).

You can get configuratuion (initialize tftp transfer) using some snmp
(WRITE) variable and pre-configured tftp parameters, but it works on a very
few Cisco devices only.

As I said, CCR uses 3 methods:
- password file encrypted by public key
- password file encrypted by 3des passphrase;
- explicit password.

In all cases, problem is with root user only - root can alway decrypt
password or interseipt web session. User, who have permission to edit CCR
config and know passphrase, can (in theory) see passwords as well. Other
users can not, even if they know passphrase - they can only initiate config
reading.

Network admins do not know enable passwords, if they do not need it - they
use passphrase

To have automated config reading, any of first 2 methods can be used
(passphrase must be written into special file, if method 2 is used,
root-only readable). For manual reading, any methgod can be used, without
any file with passphrase.

In reality, it is not serious security problem because all devices can be
accessed from a very few servers only, and because we can use 'ssh' instead
of 'telnet' (CCR can be configured or select ssh/telnet automatically). You
can, in turn, play with security level , but it (again) does not work on
generic case (any cisco device) and is very tricky.

For Juniper or other device - you can try to program 'expect' script, or use
'snmp' initiated transfer - all other things will work.



> On configuration bankup, rancid use telnet (ssh). But,
> I take this a not-secure methode as it has to code
> password in login script. Is there any tool to get
> configuration file from read-only SNMP cumminity?
>
>
> Joe
>
>
>
> --- Jon Lyons <jlyons30 () yahoo com> wrote:
> > Checkout http://perfparse.sourceforge.net/ lets you
> > graph the data from the nagios plugins...
> >
> > --- Alexei Roudnev <alex () relcom net> wrote:
> >
> > > I generated config for 'snmpstatd' automatically,
> > > from user;'s database (it
> > > was simple; all I need was Router, Interface,
> > > User-name, number for this
> > > user, priority).
> > >
> > > For automated config backups, I use CCR (fully web
> > > based Cisco
> > > configuration -> CVS system).
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Andy Dills" <andy () xecu net>
> > > To: "Charlie Khanna - NextWeb"
> > <charlie () nextweb net>
> > > Cc: <nanog () merit edu>
> > > Sent: Thursday, October 28, 2004 11:46 AM
> > > Subject: Re: Network Monitoring System -
> > > Recommendations?
> > >
> > >
> > > > On Thu, 28 Oct 2004, Charlie Khanna - NextWeb
> > > wrote:
> > > > > Hi - I was interested in finding out what
> > > software applications other
> > > ISPs
> > > > > are using for network monitoring?  For
> > example:
> > > > > 1)       Overall network health - uptime
> > reports
> > > > http://www.nagios.org
> > > >
> > > > > 2)       Backup router config automatically
> > > >
> > > > http://www.shrubbery.net/rancid/
> > > >
> > > > > 3)       Bandwidth reporting (or integration
> > > with an MRTG-type app)
> > > > http://cricket.sourceforge.net/
> > > >
> > > > > 4)       SNMP trap support (BGP/OSPF session
> > > drops - emails out)
> > > > http://www.snmptt.org/
> > > > http://www.nagios.org
> > > >
> > > > > 5)       Database back end (port info into or
> > > over to other apps)
> > > > > I'm just looking for something well rounded
> > for
> > > a small ISP.  I've heard
> > > > > about OpenNMS and other apps but I'd like to
> > get
> > > everyone's feedback.
> > > > > Thanks!
> > > >
> > > > Nothing all in one place, that I'm aware of. But
> > > with a little work, you
> > > > could probably integrate it all into nagios.
> > After
> > > all, you can make the
> > > > host names or descriptions URLs that link to
> > > bandwidth and error graphs or
> > > > other tools.
> > > >
> > > > Andy
> > > >
> > > > ---
> > > > Andy Dills
> > > > Xecunet, Inc.
> > > > www.xecu.net
> > > > 301-682-9972
> > > > ---
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail Address AutoComplete - You start. We
> > finish.
> > http://promotions.yahoo.com/new_mail
>
> __________________________________________________
> Do You Yahoo!?
> Log on to Messenger with your mobile phone!
> http://sg.messenger.yahoo.com