Network administrators implement QoS policies to ensure that their business-critical applications receive the highest priority on the network. CBQoS (Class-Based QoS) makes network performance more predictable and bandwidth utilization more effective. NetFlow Analyzer CBQoS reporting gives you in-depth visibility into the policies applied on your interfaces and the traffic pattern of each class of traffic.

NetFlow Analyzer can monitor the QoS policies applied on the interfaces of a router and generates reports on the Pre-Policy, Post-Policy, Drop and Queue metrics for each class. You can check the CBQoS reporting in NetFlow Analyzer from this link.

Though NetFlow and CBQoS reporting are both used for traffic monitoring, they are based on different technologies: NetFlow records are exported by the device, while CBQoS statistics are polled from it over SNMP. Until version 7, NetFlow Analyzer could collect CBQoS statistics only for interfaces that were already exporting NetFlow. Customers who liked our CBQoS reporting could not use it on devices that had no NetFlow capability. Not fair? Correct. That is why we added the ability to bring non-NetFlow interfaces into the product for CBQoS monitoring.

NetFlow Analyzer detects the interfaces of a routing device from the NetFlow packets it exports and adds them to the database to show the traffic reports. If QoS policies are present on an interface, polling for CBQoS data can be enabled and CBQoS reports become available in the product.

But there are the cases mentioned above: devices that are either not NetFlow capable or for which NetFlow reports are not needed. Such a device may be an edge router used for branch connectivity that has no NetFlow capability but carries quite a number of QoS policies for bandwidth shaping, or a data center device where you are not interested in NetFlow reports but still need to monitor its QoS policies. Let us see how such devices can be monitored for CBQoS stats.

Add Device

If you have just installed NetFlow Analyzer and started the product for the first time with no device exporting NetFlow packets, you will see the message "No device exporting NetFlow packets to UDP port 9996, Click here to add device which has QoS policy" as soon as you log in. In this case, click the 'Add Device' option to add the devices you need to monitor for QoS. Provide the SNMP credentials for the device and NetFlow Analyzer will poll the device for CBQoS stats and generate reports.

If you are already using the product and wish to add a new device for CBQoS monitoring alone, navigate to the NBAR/CBQoS configuration page, select the 'QoS Configuration' tab and click the "Add device" link. You will be asked for the router IP address and the SNMP parameters for the device. Once you have entered them and clicked 'Scan', NetFlow Analyzer will detect the device and list the interfaces that have CBQoS policies on them. You can then enable polling for the specific interfaces you need reports for under the 'Polling for CBQoS data' category.



And again, what happens when the CBQoS policies are on a main physical interface that has no IP address, while it is the sub-interface with the IP address that you monitor for NetFlow data? Most NetFlow tools detect only the L3 interfaces that export NetFlow, in this case the sub-interfaces. But the traffic through the sub-interfaces is shaped by the policies applied on the main physical interface, so the main interface has to be monitored for QoS analysis. NetFlow Analyzer automatically detects such main interfaces even though they are not L3 NetFlow-exporting interfaces and shows them in the list of interfaces with QoS policies. You can add these main interfaces to CBQoS monitoring to see how the policies on them are performing.
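To make the two points above concrete (polling CBQoS counters over SNMP, and main interfaces that carry a policy but own no IP address), here is an added example of what the poller has to do with the data it gets back. It is not NetFlow Analyzer code. It parses an `snmpwalk -On` style capture, maps each class-map object back to its policy and interface, computes per-class pre-policy, post-policy and drop bytes, and flags policy-bearing interfaces that have no IP address. The OID columns are this author's reading of the public CISCO-CLASS-BASED-QOS-MIB, IF-MIB and IP-MIB and the capture is constructed; verify the OIDs against your device's MIB before relying on the numbers.

```python
"""Parse an `snmpwalk -On` capture and list, per interface and class, the CBQoS
pre-policy, post-policy and drop byte counters, flagging interfaces that carry a
policy but own no IP address (the main-interface case).  Added example, not
NetFlow Analyzer code.  OID columns are assumptions taken from the public
CISCO-CLASS-BASED-QOS-MIB, IF-MIB and IP-MIB; verify them against your MIB."""
import re

CBQOS = ".1.3.6.1.4.1.9.9.166.1"               # cbQosMIBObjects (assumed)
OID_POLICY_DIR   = CBQOS + ".1.1.1.3."           # cbQosPolicyDirection.<policy>: 1=input, 2=output
OID_POLICY_IFIDX = CBQOS + ".1.1.1.4."           # cbQosIfIndex.<policy>
OID_OBJ_CFGIDX   = CBQOS + ".5.1.1.2."           # cbQosConfigIndex.<policy>.<object>
OID_OBJ_TYPE     = CBQOS + ".5.1.1.3."           # cbQosObjectsType: 2 = classmap
OID_CM_NAME      = CBQOS + ".7.1.1.1."           # cbQosCMName.<configIndex>
OID_CM_PRE64     = CBQOS + ".15.1.1.6."          # cbQosCMPrePolicyByte64.<policy>.<object>
OID_CM_POST64    = CBQOS + ".15.1.1.10."         # cbQosCMPostPolicyByte64
OID_CM_DROP64    = CBQOS + ".15.1.1.17."         # cbQosCMDropByte64
OID_IFDESCR      = ".1.3.6.1.2.1.2.2.1.2."       # ifDescr.<ifIndex>
OID_IP_IFIDX     = ".1.3.6.1.2.1.4.20.1.2."      # ipAdEntIfIndex.<a.b.c.d>

# Constructed capture: one output policy on GigabitEthernet0/0 (ifIndex 1); only
# its sub-interface Gi0/0.100 (ifIndex 5) holds an IP address.
SAMPLE_WALK = """
.1.3.6.1.2.1.2.2.1.2.1 = STRING: "GigabitEthernet0/0"
.1.3.6.1.2.1.2.2.1.2.5 = STRING: "GigabitEthernet0/0.100"
.1.3.6.1.2.1.4.20.1.2.10.1.100.1 = INTEGER: 5
.1.3.6.1.4.1.9.9.166.1.1.1.1.3.1045 = INTEGER: 2
.1.3.6.1.4.1.9.9.166.1.1.1.1.4.1045 = INTEGER: 1
.1.3.6.1.4.1.9.9.166.1.5.1.1.2.1045.1047 = INTEGER: 1041
.1.3.6.1.4.1.9.9.166.1.5.1.1.3.1045.1047 = INTEGER: 1
.1.3.6.1.4.1.9.9.166.1.5.1.1.2.1045.1049 = INTEGER: 1043
.1.3.6.1.4.1.9.9.166.1.5.1.1.3.1045.1049 = INTEGER: 2
.1.3.6.1.4.1.9.9.166.1.5.1.1.2.1045.1051 = INTEGER: 1044
.1.3.6.1.4.1.9.9.166.1.5.1.1.3.1045.1051 = INTEGER: 2
.1.3.6.1.4.1.9.9.166.1.7.1.1.1.1043 = STRING: "VOICE"
.1.3.6.1.4.1.9.9.166.1.7.1.1.1.1044 = STRING: "class-default"
.1.3.6.1.4.1.9.9.166.1.15.1.1.6.1045.1049 = Counter64: 1000000
.1.3.6.1.4.1.9.9.166.1.15.1.1.10.1045.1049 = Counter64: 1000000
.1.3.6.1.4.1.9.9.166.1.15.1.1.17.1045.1049 = Counter64: 0
.1.3.6.1.4.1.9.9.166.1.15.1.1.6.1045.1051 = Counter64: 8000000
.1.3.6.1.4.1.9.9.166.1.15.1.1.10.1045.1051 = Counter64: 7600000
.1.3.6.1.4.1.9.9.166.1.15.1.1.17.1045.1051 = Counter64: 400000
"""

WALK_LINE = re.compile(r'^(\S+) = (?:\w+: )?"?([^"]*)"?$')


def parse_walk(text):
    """Map OID -> value for every `oid = TYPE: value` line."""
    out = {}
    for line in text.strip().splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def under(oids, prefix):
    """Yield (index_suffix, value) for every OID below prefix."""
    for oid, val in oids.items():
        if oid.startswith(prefix):
            yield oid[len(prefix):], val


def cbqos_report(walk_text):
    o = parse_walk(walk_text)
    ifdescr = dict(under(o, OID_IFDESCR))
    ip_owners = {v for _, v in under(o, OID_IP_IFIDX)}       # ifIndexes that have an IP
    cm_name = dict(under(o, OID_CM_NAME))
    policies = {}                                             # policy -> (ifIndex, direction)
    for pidx, ifidx in under(o, OID_POLICY_IFIDX):
        d = o.get(OID_POLICY_DIR + pidx, "?")
        policies[pidx] = (ifidx, {"1": "in", "2": "out"}.get(d, d))
    classes = {}                                              # "policy.object" -> class name
    for key, cfg in under(o, OID_OBJ_CFGIDX):
        if o.get(OID_OBJ_TYPE + key) == "2":                  # keep classmap objects only
            classes[key] = cm_name.get(cfg, "cfg" + cfg)
    rows = []
    for key, cname in sorted(classes.items()):
        ifidx, direction = policies.get(key.split(".")[0], ("?", "?"))
        pre = int(o.get(OID_CM_PRE64 + key, 0))
        post = int(o.get(OID_CM_POST64 + key, 0))
        drop = int(o.get(OID_CM_DROP64 + key, 0))
        rows.append({"interface": ifdescr.get(ifidx, "ifIndex " + ifidx),
                     "has_ip": ifidx in ip_owners, "direction": direction,
                     "class": cname, "pre": pre, "post": post, "drop": drop,
                     "drop_pct": round(100.0 * drop / pre, 2) if pre else 0.0})
    return rows


def main_interfaces_with_policies(rows):
    """Interfaces that carry a QoS policy but no IP: NetFlow alone will not list them."""
    return sorted({r["interface"] for r in rows if not r["has_ip"]})


if __name__ == "__main__":
    report = cbqos_report(SAMPLE_WALK)
    for r in report:
        print(f'{r["interface"]:<22} {r["direction"]:<4} {r["class"]:<14} '
              f'pre={r["pre"]} post={r["post"]} drop={r["drop"]} ({r["drop_pct"]}%)')
    print("policy-bearing interfaces without an IP:", main_interfaces_with_policies(report))
```

Two practical notes. The drop percentage is computed from cumulative 64-bit counters, so a real poller should diff successive polls rather than use the absolute values. And since the poller is handed SNMP credentials for every router it scans, prefer SNMPv3 with authentication and privacy over a v2c community string, and give that account read-only access.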


With NetFlow Analyzer not limiting you to monitor only NetFlow interfaces for CBQoS stats, why wait? Go ahead and add your routers to NetFlow Analyzer to see CBQoS reports. Try our 30 day trial with no feature limitations to know more.



Demo | Download 30-day Trial Twitter  | Customers

Regards

Praveen Kumar


Microsoft released two bulletins this Tuesday to address 8 vulnerabilities. The Patch Assessment Team at Desktop Central has tested all of these patches and updated the Central Patch Repository, so customers can synchronize their patch database and deploy all of the new patches. Given below is a quick snapshot of the bulletins/patches:


Bulletin ID | Vulnerability Title                                                          | CVE ID        | Exploitability Index Assessment
MS10-017    | Microsoft Office Excel Record Memory Corruption Vulnerability                | CVE-2010-0257 | 1 - Consistent exploit code likely
MS10-017    | Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability           | CVE-2010-0260 | 1 - Consistent exploit code likely
MS10-017    | Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability             | CVE-2010-0261 | 1 - Consistent exploit code likely
MS10-017    | Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability        | CVE-2010-0263 | 1 - Consistent exploit code likely
MS10-017    | Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability             | CVE-2010-0264 | 1 - Consistent exploit code likely
MS10-016    | Movie Maker and Producer Buffer Overflow Vulnerability **                    | CVE-2010-0265 | 1 - Consistent exploit code likely
MS10-017    | Microsoft Office Excel Sheet Object Type Confusion Vulnerability             | CVE-2010-0258 | 2 - Inconsistent exploit code likely
MS10-017    | Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability | CVE-2010-0262 | 2 - Inconsistent exploit code likely

** Update for Movie Maker 2.6 for Windows Vista is yet to get supported in Desktop Central

For any assistance on patching feel free to contact desktopcentral-support@manageengine.com

Happy Patching. 

cheers,


Update March 11: Patches for Movie Maker 2.6 for Windows Vista are now supported in Desktop Central

Enterprises depend on network availability for business continuity. To keep the network up and running, it is essential to have robust, reliable fault and performance management software that helps monitor the network effectively. With ManageEngine OpManager in place, you have control over network monitoring.

To prevent network problems and performance degradation caused by faulty device configuration changes, the OpManager NCM plug-in is essential. OpManager and the NCM plug-in together make network management not only efficient but also truly centralized.

If you are a Network Administrator responsible for managing the configurations of network devices, check yourself:

  • Do you spend hours on manually configuring your devices?
  • Do you laboriously logon to each device separately to retrieve or change configurations?
  • Do frequent configuration changes pose threat to your network availability?

If yes, read on:

Automating these Network Change and Configuration Management activities with the OpManager NCM plug-in can save significant time, cost and resources, reduce the risk of errors and therefore network downtime, and improve efficiency and productivity.

Download the white paper "Overcoming Network Degradation Blues with OpManager NCM plug-in" to learn how automating Network Change and Configuration Management through the OpManager NCM plug-in can make your job a lot easier!

Bala
Microsoft, on Thursday, announced an advance notification on the bulletins and patches that are to be released for March Patch Tuesday.

With just two bulletins, this month is relatively light compared to last month. Both bulletins are rated Important. One affects the Windows operating systems, the other Microsoft Office applications. Surprisingly, no patches are being released for the Windows Server operating systems this time. The affected OS and applications include:
  1. Windows XP Service Pack 2 and Windows XP Service Pack 3
  2. Windows XP Professional x64 Edition Service Pack 2
  3. Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  4. Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  5. Windows 7 for 32-bit Systems
  6. Windows 7 for x64-based Systems
  7. Microsoft Office XP
  8. Microsoft Office 2003
  9. 2007 Microsoft Office System
  10. Microsoft Office 2004 for Mac
  11. Microsoft Office 2008 for Mac
  12. Open XML File Format Converter for Mac
  13. Microsoft Office Excel Viewer
  14. Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
  15. Microsoft Office SharePoint Server 2007 (32-bit editions)
  16. Microsoft Office SharePoint Server 2007 (64-bit editions)


Alarms from Applications Manager can have any of the following severities:
  1. Critical (for Health, and Down for Availability) - Amber
  2. Warning - Orange
  3. Clear (for Health, and Up for Availability) - Green
A few examples of alarms:
  1. Service is down
  2. Server is down
  3. Process 'java.exe' is down
  4. CPU Utilization has violated the threshold value, 90% > 80% (can be Critical or Warning as configured)
  5. Response time is greater than the threshold value, 200 ms > 180 ms
Alarms can be notified through Email or SMS. Corrective actions like restarting the service or server can be executed through the 'Execute Script' option when alarms are generated.

Let us now design an alarm workflow through Applications Manager for the scenario as shown in the diagram below :



The points below outline the solution for the above use case :

a)    So that a single failed poll does not generate an alarm, you can configure Applications Manager to raise the alarm only after 'n' consecutive polls

Ex : Poll 2 times consecutively before reporting the monitor is down.

You can configure this option
  1. Globally: a Critical or Warning alert is generated for all monitor types (Server, Tomcat, Apache) and all attributes (CPU, Memory, Java Heap Size) only if the attribute has crossed the threshold in 2 consecutive polls
  2. At the specific attribute level: this is done while configuring the Threshold. The same threshold can be applied to monitors with similar attributes, which saves time and keeps escalation policies manageable.
The status of the monitor does not change on the first poll. If the fault (or event) is still active on the second consecutive poll, the status of the monitor changes to Critical or Warning, as the case may be.

b)    You can configure Applications Manager to send an email or SMS, execute a script for corrective action, or 'Log a Ticket' in ServiceDesk Plus when the alarm is generated (the third poll in the scenario above). For the alert to be raised as a ticket in your helpdesk, configure the helpdesk email address in the Email Actions.



That solves the second step in the use case. The third one is to raise a ticket when the alarm is not acknowledged for 20 minutes.

c)    If the alarm is not cleared, automatically or manually, within the next 20 minutes, you can have Alarm Escalation Rules act on it.

A screenshot of the Alarm Escalation Rule is shown below :



Using these rules, you can create a ticket in your helpdesk if the alarm is not closed within 20 minutes. Configure your helpdesk email address in the To Address while configuring the Email Action, so that the alarm is raised as a ticket in your helpdesk. [If you want to raise a ticket in ServiceDesk Plus, you can use the 'Log a Ticket' action or the Email Commands Template to generate the ticket.]

The technician can log in to the helpdesk system to add notes or a work log recording the steps taken to resolve the problem. Once the problem is resolved, Applications Manager automatically changes the status of the monitor to Clear (Green) on the next poll.
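The three steps above (debounce over consecutive polls, notify once, escalate to a ticket when nobody acknowledges) form a small state machine. The following is an added example of that machine written by this editor; it is not Applications Manager code. The 5-minute poll interval, the action names and the timeline are assumptions, and the escalation window is the 20 minutes from the use case.

```python
"""Alarm workflow: change status only after N consecutive failed polls, fire the
notification actions once, and escalate to a helpdesk ticket when the alarm is
neither cleared nor acknowledged within an escalation window.  Added example
illustrating the workflow described above; it is not Applications Manager code,
and the 5-minute poll interval and action names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

POLL_INTERVAL = 300          # seconds between polls (assumed)
ESCALATE_AFTER = 20 * 60     # unacknowledged for 20 minutes -> log a ticket


@dataclass
class Monitor:
    name: str
    status: str = "Clear"                     # "Clear" or "Critical"
    consecutive_failures: int = 0
    raised_at: Optional[int] = None           # poll time at which the alarm went active
    acknowledged: bool = False
    escalated: bool = False
    actions: list = field(default_factory=list)   # (time, action) audit trail


class AlarmWorkflow:
    def __init__(self, polls_before_alarm=2, escalate_after=ESCALATE_AFTER):
        self.polls_before_alarm = polls_before_alarm   # "poll 2 times before reporting down"
        self.escalate_after = escalate_after

    def poll(self, m: Monitor, failed: bool, now: int) -> str:
        if failed:
            m.consecutive_failures += 1
            # debounce: the first failed poll never changes the status
            if m.status == "Clear" and m.consecutive_failures >= self.polls_before_alarm:
                m.status, m.raised_at = "Critical", now
                m.actions += [(now, "email"), (now, "execute-script")]
        else:
            m.consecutive_failures = 0
            if m.status == "Critical":            # fault gone: clear on the next good poll
                m.status, m.raised_at = "Clear", None
                m.acknowledged = m.escalated = False
                m.actions.append((now, "clear"))
        # escalation rule: still active, nobody acknowledged it, window elapsed
        if (m.status == "Critical" and not m.acknowledged and not m.escalated
                and now - m.raised_at >= self.escalate_after):
            m.escalated = True
            m.actions.append((now, "log-ticket"))
        return m.status

    def acknowledge(self, m: Monitor, now: int) -> None:
        if m.status == "Critical":
            m.acknowledged = True
            m.actions.append((now, "acknowledged"))


def run_scenario(acknowledge_at: Optional[int] = None) -> Monitor:
    """Constructed timeline: the monitor fails from t=0 and recovers at t=2100 s."""
    wf, m = AlarmWorkflow(), Monitor("Tomcat-prod")
    for t in range(0, 2400, POLL_INTERVAL):
        if acknowledge_at is not None and t == acknowledge_at:
            wf.acknowledge(m, t)
        wf.poll(m, failed=(t < 2100), now=t)
    return m


if __name__ == "__main__":
    for label, ack in (("unacknowledged", None), ("acknowledged at t=600", 600)):
        print(label, "->", run_scenario(ack).actions)
```

In the unacknowledged run the first failed poll at t=0 changes nothing, the second at t=300 flips the monitor to Critical and fires the email and script exactly once, the ticket is logged at t=1500 (20 minutes after the alarm went active), and the good poll at t=2100 clears it. Acknowledging at t=600 suppresses the ticket. The audit trail is kept on the monitor so that the escalation decision can be reviewed afterwards.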

Let me know if you have a different alarm work flow, which needs to be integrated into Applications Manager.

Kevin
Remember 'Minority Report', the Steven Spielberg sci-fi movie starring Tom Cruise? The movie is set in a futuristic Washington where the police force employs 'precogs' with precognitive abilities to view murders that will occur in the future. The police use these precogs to track down and stop the murders before they happen, and they cut the crime rate in the city by 90%!



IT administrators might wish they had precognition too, so they could track down problems in their network before they occur. Now we can say their wish has been granted. Applications Manager has introduced Anomaly Detection, a new feature that detects potential threats to server or application performance ahead of time and sends out alarms. The IT team can analyze and interpret the alarms generated and take pre-emptive action before things get out of hand.

How does Anomaly Detection work?

You define anomaly profiles on the performance metrics of an application or server, such as CPU Utilization. Applications Manager then continually compares the live performance data with the pre-defined baseline data and sends notifications when it deviates from the established pattern. Any deviation from normal behavior can be interpreted as a potential threat to application performance.
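To show what "deviation from an established pattern" buys you over a fixed threshold, here is an added example of baseline-driven detection written by this editor. It is an illustration of the idea, not Applications Manager's algorithm, and the history and samples are constructed: a per-hour profile of CPU utilization is learned from a week of data, and new samples are flagged when they sit more than k standard deviations from that hour's mean.

```python
"""Baseline-driven anomaly detection: learn a per-hour profile of a metric from
history, then flag new samples that deviate from the profile by more than k
standard deviations.  Added example, not Applications Manager's algorithm; all
data here is constructed."""
import statistics

# Constructed: seven days of CPU utilisation (%) for two hours of the day.
HISTORY = [(2, v) for v in (18, 21, 19, 22, 20, 19, 21)] + \
          [(10, v) for v in (58, 61, 60, 63, 59, 62, 57)]

# Constructed: today's samples.  65% at 02:00 is far outside the night profile
# even though a fixed 80% threshold would never fire on it.
SAMPLES = [(2, 65.0), (10, 62.0), (10, 70.0)]


def build_baseline(history):
    """history: iterable of (hour_of_day, value) -> {hour: (mean, stdev)}."""
    by_hour = {}
    for hour, v in history:
        by_hour.setdefault(hour, []).append(v)
    return {h: (statistics.mean(vs), statistics.pstdev(vs)) for h, vs in by_hour.items()}


def detect_anomalies(baseline, samples, k=3.0, min_stdev=1.0):
    """Return (hour, value, z) for samples more than k stdevs from the hour's mean.
    `min_stdev` floors a flat baseline so tiny jitter is not reported."""
    alarms = []
    for hour, v in samples:
        if hour not in baseline:           # no profile yet: cannot judge, skip
            continue
        mean, sd = baseline[hour]
        z = (v - mean) / max(sd, min_stdev)
        if abs(z) > k:
            alarms.append((hour, v, round(z, 1)))
    return alarms


def static_threshold(samples, limit=80.0):
    """The conventional fixed threshold, for comparison."""
    return [(hour, v) for hour, v in samples if v > limit]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("static threshold alarms:", static_threshold(SAMPLES))
    print("anomaly profile alarms: ", detect_anomalies(base, SAMPLES))
```

The fixed 80% threshold reports nothing, while the profile flags the 65% reading at 02:00 and the 70% reading at 10:00. Two caveats a practitioner should keep in mind: a baseline learned while the system was already misbehaving will treat that misbehaviour as normal, and a profile with too few samples per bucket will either be noisy or, if floored too aggressively, blind.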


The anomaly detection capability helps system administrators move from a reactive approach to troubleshooting problems towards a more proactive approach. This in turn can help improve their overall efficiency and bring down IT costs.

Anomaly Detection is available as an add-on feature to Applications Manager and works with both the Professional and enterprise editions. Feel free to try this out and let us know what you think!
Now that you know the need for a Network Connector between OpManager and Applications Manager, let me detail out how to connect these 2 applications through the Network Connector.

OpManager and Applications Manager can be installed on the same server or on different servers. You need to have purchased the Network Connector add-on in order to connect the two applications.

Step 1 : Configure OpManager details in Applications Manager Admin Interface : Admin -> Add-On Product Settings, click Add against OpManager.



Enter the server name and port number of the OpManager installation and the username and password used to connect.



Step 2 : Once you save the settings, the “Fetch Now” image will be active, as shown in the image below. Click the Fetch Now image to fetch data from OpManager.



Step 3 : Create a New Monitor Group.



Step 4 : Click Associate Monitors.



Step 5 : Select the Network Devices which you want to monitor through Applications Manager. You will find the Network Devices, below the Available Monitors section.



Click Associate to add these devices to the monitor group.

The alarms generated against these devices in OpManager are now propagated to the Monitor Group view in Applications Manager.

Network Devices Availability & Health :



Network Devices Alarm Snapshot :



You can click the link against the name of these devices to view their snapshot.

You should try it to know how easy and useful it is.

Kevin

In previous posts we have mentioned that NetFlow Analyzer offers various kinds of reports for bandwidth analysis. This post highlights the report types available in NetFlow Analyzer and how they help with bandwidth monitoring and traffic analysis.

Put simply, NetFlow Analyzer depends on the NetFlow packets exported by routers and switches and generates reports that help with bandwidth analysis, bandwidth measurement, troubleshooting and trend analysis.

NetFlow Analyzer shows information on the interfaces and their traffic in the product UI itself, with PDF and CSV export options. In addition, the product has more reports to help with detailed bandwidth analysis. The following are some of the reports available in NetFlow Analyzer:

1. Troubleshoot report

2. Search Report

3. Consolidated Report

4. Compare Reports


Troubleshooting Report:

The Data Storage Pattern blog should have given you an idea of how NetFlow Analyzer stores data. The Troubleshooting report is generated from the raw data discussed there and is used for detailed traffic analysis; it helps identify the cause of network spikes with complete port-level information.


The Troubleshooting report can be generated by clicking the troubleshooting icon in the Interface View for each interface, or by drilling down to a specific interface and clicking More Reports at the right corner of the user interface. You can specify criteria to match your reporting needs. The Troubleshooting report can be generated for the period for which raw data is retained in NetFlow Analyzer, so whenever you need a detailed analysis of traffic, don't forget the Troubleshooting report.


Search Report:

The Search report is similar to the Troubleshooting report, but it is generated from the aggregated data, which is based on the top 100 entries (again, the Data Storage Pattern blog explains this). You can generate a Search report by clicking More Reports at the right corner of the Interface View. Select the interfaces you want to report on with "Select Device" and, as with the Troubleshooting report, specify the criteria you need. This report is most helpful when you need to analyze specific information going back in time: because it is generated from aggregated data, it can return historic information. Imagine having around 80% report accuracy for data going back years!
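The difference between the two reports is the difference between raw flow records and a top-N aggregate, and it is worth seeing where the "around 80% accuracy" of historic reports comes from. The following is an added example written by this editor with constructed flow records; it is not NetFlow Analyzer's storage format. The same question (bytes to one destination port) is asked of the raw records and of a top-3 aggregate: the raw data answers exactly, the aggregate can only answer for the entries that survived aggregation.

```python
"""Raw versus top-N aggregated flow data.  Added example with constructed
records, not NetFlow Analyzer's storage format.  A troubleshoot-style query on
raw records answers any question exactly; the same query against a top-N
aggregate can only answer for entries that survived aggregation."""
from collections import defaultdict

# Constructed raw flow records: (src, dst, dst_port, bytes)
RAW_FLOWS = [
    ("10.0.0.5",  "203.0.113.10", 443,  300000),
    ("10.0.0.7",  "203.0.113.10", 443,  200000),
    ("10.0.0.5",  "203.0.113.20", 80,   300000),
    ("10.0.0.9",  "198.51.100.2", 25,   100000),
    ("10.0.0.11", "192.0.2.40",   5900, 50000),   # VNC session: small but interesting
    ("10.0.0.11", "192.0.2.41",   3389, 30000),
    ("10.0.0.3",  "192.0.2.9",    22,   20000),
]


def bytes_by_port(flows):
    """Exact per-port totals from raw records."""
    totals = defaultdict(int)
    for _, _, port, nbytes in flows:
        totals[port] += nbytes
    return dict(totals)


def aggregate_top_n(flows, n):
    """Keep only the n heaviest ports; everything else is folded into 'others'."""
    totals = bytes_by_port(flows)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    kept = dict(ranked[:n])
    kept["others"] = sum(v for _, v in ranked[n:])
    return kept


def query_raw(flows, port):
    return bytes_by_port(flows).get(port, 0)


def query_aggregate(agg, port):
    """None means: not retained, the aggregate cannot answer this question."""
    return agg.get(port)


def coverage(flows, n):
    """Fraction of total bytes the top-n aggregate still accounts for by name."""
    agg = aggregate_top_n(flows, n)
    total = sum(bytes_by_port(flows).values())
    return (total - agg["others"]) / total


if __name__ == "__main__":
    agg = aggregate_top_n(RAW_FLOWS, 3)
    print("raw   bytes to port 5900:", query_raw(RAW_FLOWS, 5900))
    print("top-3 bytes to port 5900:", query_aggregate(agg, 5900))
    print("top-3 coverage: %.0f%%" % (100 * coverage(RAW_FLOWS, 3)))
```

The aggregate covers 90% of the bytes by name, which is fine for capacity reporting, but the small VNC conversation that an incident responder would care about is gone. That is why the Troubleshooting report on raw data is the one to reach for while the raw data is still retained, and why the raw retention period is a security setting as much as a storage one.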


Consolidated Report :

The Consolidated report is a single-page report listing the traffic graph for the selected interface or IP group together with the top 10 applications, sources, destinations and conversations, IN and OUT. It can be generated by clicking the Quick View icon in the Interface View for each interface, or by drilling down to a specific interface or IP group and clicking More Reports at the right corner of the user interface. It gives a quick view of the traffic stats for each interface without having to drill down and check the top applications one by one.


Compare Reports:

Compare reports help you compare traffic patterns over time or across devices, networks or locations. You can see how the traffic pattern differs between devices, or how it has changed for the same device over time. To learn more about Compare reports in NetFlow Analyzer, check out this blog.

Most of the reports we have talked about may be needed on a daily basis. Instead of having to generate the report everyday, you can have the reports emailed to you and this is where our Schedule Reports help.

The Schedule option lets users define the reports they need and have them emailed daily, weekly or monthly. The reports can be sent to multiple email addresses, and users can set time filters for daily reports and exclude weekends from reporting. To learn more about Schedule Reports in NetFlow Analyzer, visit this blog.

With a better knowledge on the reports available in NetFlow Analyzer, I hope you can get more out of the product.



Regards

Praveen Kumar







If media reports on the alleged embezzlement by an employee at Wipro are to be believed, insider threat is emerging as the biggest challenge for IT companies.

In the Wipro incident, it is alleged that the fraudster, a qualified chartered accountant employed in the 'controllership' division of the company's finance department, managed to siphon off around $4 million from the company's bank account by using a colleague's password.

This report once again lends credence to the belief that a good proportion of frauds and security incidents are caused by insiders, whether disgruntled staff, greedy techies or sacked employees.

A lack of well-defined internal controls and access restrictions generally paves the way for security incidents. It is also increasingly clear that stolen identities serve as the 'hacking channel' for many cyber-crimes and frauds, and that poor management of administrative passwords lies at the root of a good number of security threats.

How do we avoid cyber threats / frauds?

Not all security incidents can be prevented; but the incidents that happen because of a lack of effective internal controls are preventable. Enterprises should take preventive action to combat cyber-criminals and to ensure information security.

One effective way to establish those internal controls is to deploy Privileged Password Management software that replaces the manual processes and enforces who can use which administrative credential, so that a password is no longer something a colleague can simply borrow.

Read this paper "Combating Cyber Security Threats" from ManageEngine Password Manager Pro for more details and share your feedback.

Bala
www.passwordmanagerpro.com

Averting False Positives

Feb 24 2010 03:12:41 AM Posted By : vidya

Administrators are a harassed lot, with network issues following them everywhere. The frustration doubles when someone rushes to a location in the middle of the night on seeing an alert, only to find that there was never a problem in the first place. Optimizing the alert management configuration will keep your inbox from being flooded with erratic up/down alerts.

Invariably, half the alerts are false positives that frustrate you and your team. Here are a few things you can do to avert false positives:

1. Suppress alarms for a device: It is possible that you have pulled some devices down for maintenance, or that a device has crashed and will not be up any time soon. Tell OpManager to stop sending alerts for such devices. Go to the device snapshot page > Actions menu > Suppress Alarms and select the period for which you want the alarms suppressed.

2. Set up thresholds: When configuring thresholds, specify the consecutive failure count. For instance, with a poll interval of 5 minutes, a device might fail to respond to one poll because of a transient spike, producing a 'down' alert; the next polls succeed and you get a 'clear' alert. These erratic up/down alerts can be avoided by letting OpManager alert you only after 3 consecutive failed polls.

3. Configure device dependencies: If a router or a firewall is down, the devices behind it do not respond to polls, resulting in unnecessary 'down' alerts. Configure device dependencies so that OpManager does not alert on a set of devices when the device they depend on is down.

4. Optimize syslog rules: The consecutive occurrence count can be specified when parsing syslogs too. The advanced syslog configuration screen contains a field where you can indicate the number of occurrences required before an alert is raised.
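Points 1 and 3 above are easy to get subtly wrong when implemented by hand, so here is an added example written by this editor of the decision a poller has to make for each unreachable device: stay quiet if the device is inside a maintenance window, stay quiet if anything upstream of it is also down, otherwise alert. It is not OpManager code, and the topology and timestamps are constructed.

```python
"""Dependency-aware alerting with maintenance suppression.  Added example, not
OpManager code; topology and times are constructed.  A device that failed to
respond is reported only when no device it depends on is also down and it is
not inside a suppression window."""

# Constructed topology: device -> the device it depends on (None = top of the chain)
DEPENDS_ON = {
    "WAN-RTR": None,
    "FW": "WAN-RTR",
    "APP1": "FW",
    "APP2": "FW",
    "CORE-SW": None,
    "DB1": "CORE-SW",
}


def upstream_down(device, down, depends_on):
    """True if any ancestor of `device` is in the down set (cycle-safe)."""
    seen = set()
    parent = depends_on.get(device)
    while parent is not None and parent not in seen:
        if parent in down:
            return True
        seen.add(parent)
        parent = depends_on.get(parent)
    return False


def effective_alerts(down, now, depends_on=DEPENDS_ON, suppressed_until=None):
    """down: devices that did not answer this poll.
    suppressed_until: {device: epoch_seconds} maintenance windows (point 1 above).
    Returns the sorted list of devices that should actually raise an alert."""
    suppressed_until = suppressed_until or {}
    alerts = []
    for dev in sorted(down):
        if suppressed_until.get(dev, 0) > now:
            continue                                   # in maintenance: stay quiet
        if upstream_down(dev, down, depends_on):
            continue                                   # symptom of an upstream failure
        alerts.append(dev)
    return alerts


if __name__ == "__main__":
    down = {"FW", "APP1", "APP2", "DB1"}
    maint = {"DB1": 2000}                              # DB1 suppressed until t=2000
    print("t=1000:", effective_alerts(down, 1000, suppressed_until=maint))  # ['FW']
    print("t=3000:", effective_alerts(down, 3000, suppressed_until=maint))  # ['DB1', 'FW']
```

With the firewall down, APP1 and APP2 are silenced and only FW pages anyone; DB1 stays quiet until its maintenance window ends and then alerts on its own, since its dependency CORE-SW is up. Note that suppression hides a device that really is broken for the whole window, so suppression periods should be as short as the maintenance actually needs, and the expiry should be reviewed rather than extended by habit.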