Module 3 / Unit 4 Monitoring and Scanning Flashcards
On completion of this unit, you will be able to:
□ Use network monitoring utilities and load / throughput testers to identify performance and connectivity issues.
□ Collect and analyze system, history, and event logs plus interface monitoring metrics using technologies such as SNMP and SIEM.
□ Use software tools to scan for vulnerabilities and update / patch network appliances and hosts.
Gathering systems’ statistics regularly allows systems administrators to identify bottlenecks. Why do they want to do this?
To identify resource usage problems before they critically affect performance.
What would be the purpose of configuring thresholds in network monitoring software?
The software could produce an alert if network performance did not meet any given metric.
What is a “top listener” in terms of network monitoring?
An interface that receives the most incoming traffic.
What is the purpose of a port scanner?
It reveals the ports open on a server and consequently what high-level protocols it is running. It can also show how many client connections are open and how much bandwidth each port is consuming.
What sort of log would you inspect if you wanted to track web server access attempts?
History / security / audit log.
What is the function of SIEM?
Security Information and Event Management (SIEM) is designed to consolidate security alerts from firewalls, anti-malware, intrusion detection, audit logs, and so on.
You suspect that a network application is generating faulty packets. What interface metric(s) might help you to diagnose the problem?
Monitoring errors and discards/drops would help to prove the cause of the problem.
How does an SNMP agent report an event to the management system?
Via a trap.
How would a router appliance be patched to protect against a specific vulnerability described in a security advisory?
This type of OS does not support patching of individual files, so the whole OS has to be replaced with a new version. Vendors keep track of which version first addresses a specific security advisory.
What type of information is updated when a scanner receives a new set of “feeds” or “plugins”?
These contain the scripts or identifiers used to detect whether a host is vulnerable to a specific security advisory.