Erin0201
210 pts. | Sep 24 2008 4:29PM GMT
Thank you so much for your response. I am looking into the Websense and 8e6 right now. I will also read through your network tap blogs.
By what you are saying in regards to the Ntop. Couldn’t we just hook the pc running ntop to the wan router directly instead of to the switch (if there are ports available that is)? — Sorry to sound dumb here, but I’m not really sure which router/switch is which yet. I am planning to find that out as well. I know that the cables come into the room and to a patch panel and from there go to the switches/hubs.
We do have some hubs in the com room as well, would making sure that pc is hooked in through a hub rather than a switch do the trick for network monitoring?
Thanks again for your help thus far. I will keep in touch as I go through this new information.
- Erin
Labnuke99
26290 pts. | Sep 24 2008 5:15PM GMT
You could hook the ntop machine to the WAN router, but again you would need to mirror the traffic to this port so the ntop machine can measure it. I would not recommend this configuration. It would not be the best use of the router’s processor or memory to do this activity.
You could use the hub between the LAN and the router but note that the connection between the LAN and the router will go to half-duplex (think of a walkie-talkie - the device can either talk or listen, it cannot do both at the same time). The configuration would be something like this:
    WAN router
        \\
         HUB == ntop machine
        //
    LAN switch
The hub is a shared medium access. This means that all devices attached to it see all traffic from all devices on that hub. It is also what is called a collision domain. Collisions occur on shared Ethernet networks when two nodes on the ‘network’ start transmitting data at exactly the same time and the two frames collide. This becomes a problem because stations will have to wait before they can transmit data. This has an impact on network performance and causes timeout and packet loss issues. This is why the network tap is the preferred solution.
The WAN router is likely attached to either a T1 serial interface or maybe a DSL modem/router attached to a standard phone line. It depends on what service you have from your network provider.
Erin0201
210 pts. | Sep 29 2008 12:07PM GMT
After asking some questions I have found that our systems administrator has already routed the port on the switch to monitor the traffic from the router so we should be good with the Ntop.
We are definitely looking into replacing the lattis hubs with switches so that should help things quite a bit. I am making sure to look for managed switches for better control.
We are also looking into Untangle as an open source product which handles web filtering, antivirus, firewall, etc so that we can actually control the types of files being utilized. Also, my boss sent out an e-mail last week letting everyone know that streaming of music or video for personal use is no longer allowed. For now, we’re relying on the users to be honest.
Currently we have in place CA’s (e-trust) antivirus and secure contact manager, but the secure contact manager is not completely configured as our systems admin ran into some issues with it and does not like how it works. We’re not completely happy with our antivirus or the secure contact manager, so we are looking into other options such as Untangle. I’ve also run across another antivirus called ClamAV that I am keeping an eye on as they work to incorporate real-time scanning. I am utilizing this at home along with Spyware Terminator pretty effectively, but an all in one solution would be best for the business.
Are there any other ways to help increase the bandwidth/speed of the network that I could do before we obtain the switches, or is our best bet to implement the switches and see if things improve?
Thanks for your help!
Erin
Labnuke99
26290 pts. | Sep 29 2008 3:17PM GMT
It sounds like you are making some good progress! Well done.
Wireshark is a good tool for digging into the traffic on the network. It can show you how much broadcast traffic is happening and maybe other issues. Take a look also at the router and LAN switch port where it connects, see if they are taking any errors. Look at the WAN side of the router. It could be a poor connection to the provider and they would need to call the carrier to work on the issue. You could have someone come in and test/certify your cable plant to see if it is truly CAT5 or above. That’s about it until you can get the hubs replaced by switches. Also, remember that speed is not capacity. It could be that your network capacity (bandwidth) has hit its limit so users are reporting a speed problem. It’s like saying there is a speed problem at rush hour when it is really a capacity issue because all of the lanes are full and traffic is not moving efficiently.
I would recommend staying away from CLAMAV in a company environment. Maybe use it as a backup scanner. You should use something like the ETrust, McAfee, Symantec or an enterprise solution that meets the needs of the organization (e.g. reporting, managed update distribution, etc.).
Erin0201
210 pts. | Sep 30 2008 1:21PM GMT
It looks like we’re having a slow down problem at the other end of our building. I am going to take a look at some point today at the switch/hub or whatever it is that is stuck in the ceiling near those offices and see what that is for sure and then see what it’s all connected to in that other com room.
I have another quick question for you. How do you find out if a switch or hub is managed or not and what the IP address is? Do I just take my laptop down there and plug into the device, or? Are there any programs to use for this?
Thanks for all of your help thus far. Great advice!
Erin
Labnuke99
26290 pts. | Sep 30 2008 1:48PM GMT
Unless the device has an IP address on the local network it may be very difficult to find using scanning tools. Angry IP Scanner is one of the best fast tools for scanning hosts and services. Lots of folks use nmap as another tool in their toolkit. It is more full-featured and is likely overkill for you at this point. Angry IP Scanner will scan a given range of IP addresses and specified ports. Usually managed hubs or switches are listening on port 23 (telnet), 80 (http) or 443 (ssl). Scan your subnet for devices listening on these ports. You may be surprised at your findings. There could be users hosting websites on their computers that they do not even know about.
Another way to discover if a device is managed or not is to look at the device. Look for a console port. On Cisco devices this is typically an RJ45 connection. Linksys switches use a 9-pin serial connection. These console ports are typically serial ports so you will need a terminal program and a serial cable. Cisco ports are typically 9600,8,n,1. The Linksys is 38400,8,n,1. Other devices are different so you may need to either test various settings or find documentation.
I would connect to the device on the serial port and see if you can get any response in your terminal program. Some people like HyperTerminal but I use Teraterm SSH. Another good terminal program to have in your toolkit is PuTTY. If you can shut the switch/hub down and restart it, then you can see any messages that go by during the POST tests at bootup. This will also give you an idea of configuration.
Good luck in your investigation today.
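The port check described in this reply, as an added example that is not part of the original post: a TCP connect sweep of a subnet you administer for the three management ports named above, flagging devices that still answer on telnet. The `192.168.1.0/24` range and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Management ports named in the reply above.
MGMT_PORTS = {23: "telnet", 80: "http", 443: "https"}


def tcp_open(host, port, timeout=0.5):
    """Return True if a full TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(cidr, ports=MGMT_PORTS, probe=tcp_open, workers=64):
    """Map each host in cidr to the management ports that answered."""
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda hp: probe(*hp), pairs)
    found = {}
    for (host, port), is_open in zip(pairs, results):
        if is_open:
            found.setdefault(host, []).append(port)
    return found


def report(found):
    """One line per device; telnet is called out because it is cleartext."""
    lines = []
    for host in sorted(found, key=ipaddress.ip_address):
        names = [MGMT_PORTS.get(p, str(p)) for p in sorted(found[host])]
        note = "  <- cleartext management" if 23 in found[host] else ""
        lines.append(f"{host}: {', '.join(names)}{note}")
    return lines


if __name__ == "__main__":
    # Assumed example range; replace with the subnet you administer.
    for line in report(sweep("192.168.1.0/24")):
        print(line)
```

A device that shows up only on port 80 or 443 may be a user workstation running a web server rather than a switch, so confirm each hit at the device before recording it as managed.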
Erin0201
210 pts. | Sep 30 2008 3:35PM GMT
We actually have Accuterm for terminals which works pretty well. I’m not sure if I’ll be able to restart that switch/hub or not. I’m not even sure what it is. My boss doesn’t know what it is and so I don’t know if he put it in or if one of the IT members from corporate put it in years and years ago.
Thank you for the insight on connecting to the managed switches. I was thinking they would be like home networked switches in that they would in fact have an IP address and be accessible through that. But why make it that easy, right?
Thanks again!
Erin
Labnuke99
26290 pts. | Sep 30 2008 3:45PM GMT
It is possible that the devices may have a 192.168.x.x address by default. You could set your laptop to an address in this range and also scan the subnet using Angry IP Scanner. I typically have a virtual machine set to that subnet just for this purpose. I fire it up and scan away.
Erin0201
210 pts. | Sep 30 2008 5:40PM GMT
Well I think the issue is either a port on the small 8 port hub in the ceiling, or user error. I forgot to actually try his connection before I messed with the hub since I just took his word for the issue. I swapped the cable on the hub with another port that was inactive and went to test his computer and it works fine.
I am thinking it might be an issue of the wireless adapter fighting with the LAN connection. I’ve had the issue with my laptop before where you get connection problems by having both trying to connect. I normally shut my wireless card off when I’m connected to the LAN to avoid issues.
The user told my boss last night that his wireless card was turned off and so it couldn’t be the problem. Unless he turned it on today for some reason, then it was not turned off last night and so it is a real possibility that the issue was with the wireless card and the onboard LAN NIC fighting for control etc.
I’ve jotted down a small switch to replace that hub as an upgrade option as well. That should definitely help improve things for them.
I never thought of running a virtual machine to scan addresses in a different range. I might just do that. Thanks for the tip.






