Best practices for network monitoring
How to monitor a network depends on the specifics of that network, and no two networks are monitored in exactly the same way. Still, a few best practices for network monitoring apply to any situation and company.
Why you should monitor all network ports
Port monitoring consists of checking the status and health of the physical ports on network devices. This means monitoring your router and switch ports, but it is not limited to these. Port monitoring adds another layer of protection against disruptions and intrusions that generic network monitoring cannot offer.
Monitoring your hardware ports makes it possible to discover faulty ones and replace or disconnect them before they interrupt your network traffic. Duplex mismatches and configuration problems can be identified through a port showing a high rate of packet loss and errors; without port monitoring, such problems would escape the attention of any network administrator.
Cable problems, such as a failing or poorly connected cable, can also be detected through port monitoring. Corrupted packets and links that go intermittently up and down are often caused by the cable rather than the port itself, yet port monitoring still reveals them.
Security-wise, a rogue user connected to one of your devices can be discovered through accurate port monitoring. Knowing the status of each of your network ports means identifying those that are in use, those that are not, and those that should not be. A security audit may require a port scan, a requirement that a network monitoring system with port monitoring can satisfy. Thus, port monitoring is a component of network security monitoring.
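The three port checks described above (error rate, link flapping, and a port that is up although documented as unused), as an added example that is not part of the original article. Counter names follow the SNMP IF-MIB; the polling samples, the thresholds and the status_changes field are constructed assumptions.

```python
# Added example, not from the page: evaluating physical-port health from two polls of
# interface counters, as a port monitor would. Samples and thresholds are constructed.
from dataclasses import dataclass

ERROR_RATE_WARN = 0.01   # more than 1% errored frames: suspect duplex mismatch or bad cable
FLAP_WARN = 3            # link state changes within one polling window

@dataclass(frozen=True)
class PortSample:
    in_ucast: int        # ifInUcastPkts counter value at poll time
    in_errors: int       # ifInErrors counter value at poll time
    oper_status: str     # ifOperStatus: "up" or "down"
    status_changes: int  # link transitions since the previous poll (assumed field)

def counter_delta(old: int, new: int, bits: int = 32) -> int:
    """Counter difference that tolerates a wrap of a 32-bit SNMP counter."""
    return new - old if new >= old else (1 << bits) - old + new

def assess_port(name: str, before: PortSample, after: PortSample, in_use: bool) -> list[str]:
    """Return findings for one port; an empty list means it looks healthy."""
    findings = []
    pkts = counter_delta(before.in_ucast, after.in_ucast)
    errs = counter_delta(before.in_errors, after.in_errors)
    if pkts and errs / pkts > ERROR_RATE_WARN:
        findings.append(f"{name}: error rate {errs / pkts:.1%} (check duplex and cabling)")
    if after.status_changes >= FLAP_WARN:
        findings.append(f"{name}: link flapped {after.status_changes}x (check cable)")
    if after.oper_status == "up" and not in_use:
        findings.append(f"{name}: up but documented as unused (unexpected device?)")
    return findings

# Constructed data: two polls of three switch ports and the documented use of each.
POLL_1 = {
    "Gi1/0/1": PortSample(1_000_000, 100, "up", 0),
    "Gi1/0/2": PortSample(4_294_967_000, 10, "up", 0),
    "Gi1/0/7": PortSample(0, 0, "down", 0),
}
POLL_2 = {
    "Gi1/0/1": PortSample(1_050_000, 1_600, "up", 0),  # 1,500 errors in 50,000 frames
    "Gi1/0/2": PortSample(700, 12, "up", 4),           # counter wrapped; link flapping
    "Gi1/0/7": PortSample(300, 0, "up", 1),            # came up although documented unused
}
DOCUMENTED_IN_USE = {"Gi1/0/1": True, "Gi1/0/2": True, "Gi1/0/7": False}

def run_checks(poll_a=POLL_1, poll_b=POLL_2, documented=DOCUMENTED_IN_USE) -> list[str]:
    findings = []
    for port in poll_a:
        findings += assess_port(port, poll_a[port], poll_b[port], documented[port])
    return findings
```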
How can IP monitoring help
IP monitoring scans IP addresses to identify and include devices to monitor. This means that after installation, the monitoring tool automatically starts a scan of the entire network, or of a specific IP range or subnet, and then automatically integrates the devices found into the monitoring process. In the ideal case, during the scanning process the monitoring software recognizes the type of device and from which manufacturer it comes and, based on this knowledge, automatically includes the relevant metrics into the monitoring.
But that is not all. Once the first scan is done, IP monitoring helps in tracking changes to the IP addresses in your network. Monitoring software that supports IP monitoring can also catch registered domains that do or do not point to the correct address. Any change concerning IP addresses falls within the sphere of IP monitoring.
Building on proper IP monitoring, the monitoring software can set meaningful default threshold values; exceeding or falling below them triggers an alarm or notification. Rules can be applied to edge cases or to the specific, perhaps temporary, needs of a particular host.
IP monitoring helps in many cases, but especially in two. For inexperienced administrators, it provides a layer of automation that can greatly ease the burden of monitoring and the worries related to it. By leaving the identification step to the network monitoring system through accurate IP scanning, errors and shadow IT are more easily avoided. When monitoring large networks, with hundreds or thousands of hosts, IP monitoring can set up the monitoring quickly and efficiently, allowing administrators to start monitoring the infrastructure in a short time.
How to monitor large networks
Large networks are an order of magnitude more complex, which makes them a separate category in the world of network monitoring. Network device monitoring may take a long time in a large network with thousands of hosts, and an excess of alerts is definitely a common problem. While it may be tempting to skip parts of the infrastructure and forego a holistic view, it is a poor choice. Ignoring parts of the network may be convenient at first, but it leads to all sorts of future risks that a company is in no position to accept.
For the monitoring of large and complex networks with different locations and differently connected components, monitoring software that works with a rule-based configuration is well suited. With a few simple steps, administrators can use rules to define a policy for monitoring numerous similar devices, such as monitoring only the error rate of all access ports. Using rules, it is possible to apply the same setting to multiple hosts, immensely reducing the workload of configuring your monitoring setup. Alerts are also more focused and useful when using rules: for instance, a terminal that is regularly switched off can be set not to trigger an alert, since being down is routine behavior for it rather than an exceptional case.
A policy can be applied to a large network with a handful of well-crafted rules. A rule-based monitoring solution then handles the monitored systems based on this policy. Changing the policy can be done anytime, with a few steps, and applied to numerous devices all at once. Exceptions are also possible at any time and are documented via rules. Automation via rules also makes it easier and less error-prone to include new hosts in the monitoring.
Rule-based monitoring is not strictly necessary when dealing with a moderate number of hosts. Small companies may operate without such a solution, using a standard network monitoring service instead. But for large infrastructures, rules can be the best solution to monitor the network.
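A minimal rule engine of the kind described in this section, as an added example (not code from the original article or from any particular monitoring product): a policy of a few rules, an exception for a terminal that is switched off at night, and new hosts picking up their settings automatically. The host tags, setting names and rule semantics (first matching rule wins per setting) are assumptions.

```python
# Added example, not the page's own code: a small rule engine that turns a monitoring
# policy into the effective configuration of each host. Tags and setting names are
# assumptions for illustration.
from typing import Any

# Constructed hosts with the tags a discovery step might assign.
HOSTS = {
    "sw-core-01": {"role": "switch", "site": "hq", "ports": "uplink"},
    "sw-acc-12": {"role": "switch", "site": "branch", "ports": "access"},
    "pc-lab-03": {"role": "terminal", "site": "hq", "schedule": "nightly-off"},
    "srv-db-01": {"role": "server", "site": "hq"},
}

# The policy: each rule pairs match conditions with the settings it defines. Rules
# are evaluated top down and the first matching rule decides each setting it names,
# so exceptions are placed above the general rule they override.
RULES = [
    # Exception: terminals switched off at night must not alert when down.
    ({"role": "terminal", "schedule": "nightly-off"}, {"alert_on_down": False}),
    # Access ports: only the error rate is monitored.
    ({"role": "switch", "ports": "access"}, {"port_checks": ["error_rate"]}),
    # All other switches: full port monitoring.
    ({"role": "switch"}, {"port_checks": ["error_rate", "utilization", "status"]}),
    # Default for every host.
    ({}, {"alert_on_down": True, "port_checks": []}),
]

def matches(conditions: dict[str, str], attrs: dict[str, str]) -> bool:
    """A rule matches when every condition is present on the host with that value."""
    return all(attrs.get(key) == value for key, value in conditions.items())

def effective_config(attrs: dict[str, str], rules=RULES) -> dict[str, Any]:
    """Resolve each setting from the first matching rule that defines it."""
    config: dict[str, Any] = {}
    for conditions, settings in rules:
        if matches(conditions, attrs):
            for key, value in settings.items():
                config.setdefault(key, value)  # an earlier, more specific rule wins
    return config

def build_policy(hosts=HOSTS) -> dict[str, dict[str, Any]]:
    """Apply the rules to all hosts; a newly added host needs no manual settings."""
    return {name: effective_config(attrs) for name, attrs in hosts.items()}
```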
Network topology for a holistic view
Monitoring software that is able to detect all components in a network or in a specific IP range, and retrieve the data required for the monitored metrics, enables the administrator to obtain a holistic view of even complex network infrastructures. Via IP monitoring, a complete view of the network can be presented in an easy-to-read dashboard, facilitating the identification of errors.
The network topology is often given as an overview map, showing how the network is connected, virtually and physically. The network manager can navigate this map, clicking on the specific host that needs immediate attention. Other network monitoring tools display the network in a tree structure or as a table. The table display has the advantage that several pieces of information can be viewed at a glance in condensed form.
The network topology is not the only thing that can be visualized in a holistic view. Some network monitoring tools support viewing performance parameters graphically as well. The current bandwidth, the status of individual ports, and abnormal error rates can all be shown in a graphical way, allowing the network administrator to quickly identify patterns, such as expected or unexpected performance peaks.
All this is possible by implementing your network monitoring solution holistically, considering all the hardware and software, without exceptions.
Network documentation to combat shadow IT
Shadow IT is a term referring to the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware. The problem with shadow IT is that these hardware and software components are often consumer products. These usually do not have the necessary security features, or are not provided with the required security patches by their producers, so that such hardware or software can quickly prove to be a gateway for cyberattacks into the corporate network.
One of the common cases of shadow IT is the use of a cloud service without the knowledge of the corporate IT department. Sensitive data can end up on an unmonitored cloud, perhaps unintentionally, violating compliance rules.
A monitoring tool that implements a holistic view of the network can combat shadow IT. By scanning the infrastructure, network documentation is created automatically, covering everything found, permitted or not. The result is not only a topology of the network infrastructure, but also direct information about all hardware components and software solutions in the network.
Any good monitoring tool has an inventory function. This allows you to document the devices and software versions present on a network, and this data can be passed to a third-party solution, such as a license management system. This is useful not only for checking the compliance of every component on the network, but also for alerting the administrator to smaller changes, like a service being updated to an unsupported version, that can pose a security risk.
Once the network documentation is obtained, it is easy to discover connected hardware or installed software that should not be used. Without network monitoring, this would require a tedious manual check of each host.
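The comparison the last three paragraphs describe (scan result versus documented inventory, plus a check for unsupported software versions), as an added example that is not code from the original article. The hosts, MAC addresses, service versions and the minimum-version policy are all constructed.

```python
# Added example, not from the page: comparing the result of a network scan with the
# approved inventory to surface shadow IT and unsupported software versions. Hosts,
# MAC addresses, versions and the support floor are all constructed for illustration.
import re

# Constructed scan result: what discovery found on the subnet.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "02:00:00:00:00:01", "services": {"openssh": "9.6p1"}},
    {"ip": "10.0.1.11", "mac": "02:00:00:00:00:02", "services": {"openssh": "7.4"}},
    {"ip": "10.0.1.57", "mac": "02:00:00:00:00:57", "services": {"upnp": "1.0"}},
]
# Approved inventory, keyed by MAC address, as documented by the IT department.
APPROVED = {
    "02:00:00:00:00:01": "srv-web-01",
    "02:00:00:00:00:02": "srv-legacy-01",
    "02:00:00:00:00:03": "printer-02",
}
# Assumed policy: minimum supported version per service.
MIN_SUPPORTED = {"openssh": (8, 0)}

def version_key(version: str) -> tuple:
    """'9.6p1' -> (9, 6, 1): numeric components only, enough for floor comparisons."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def audit(discovered=DISCOVERED, approved=APPROVED, min_supported=MIN_SUPPORTED) -> list[tuple]:
    """Return (kind, subject, detail) findings from one scan."""
    findings = []
    seen = set()
    for host in discovered:
        seen.add(host["mac"])
        name = approved.get(host["mac"])
        if name is None:  # present on the network, absent from the documentation
            findings.append(("unknown_device", host["ip"], host["mac"]))
            continue
        for service, version in host["services"].items():
            floor = min_supported.get(service)
            if floor and version_key(version) < floor:
                findings.append(("unsupported_version", name, f"{service} {version}"))
    for mac, name in approved.items():
        if mac not in seen:  # documented but not seen: moved, removed, or replaced?
            findings.append(("missing_device", name, mac))
    return findings
```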