Essential Aspects of an Effective Network Performance Audit
Ongoing assessments of an organization's Internet use, cable performance, e-mail server, and network management activities can help auditors identify network problem areas before they become too costly to fix.
When sniffing traffic, it is important to keep in mind that data packet sniffing can lead to a self DoS because of the large amount of data that is generated and captured during traffic monitoring, especially during peak work hours. As a result, auditors should use a filtering configuration, such as capturing data up to 300 megabytes (MBs) or capturing only HTTP, HTTPS, file transfer protocol (FTP), or port-specific traffic. A second solution is to perform a sample sniffing activity (e.g., periodically monitoring network data for a group of clients or users) and generalize the results of this activity to the entire organization. Finally, the auditor can recommend that the organization obtain an Internet use statistics report from the ISP, if possible.
Additionally, Internet use analyses can detect malware infections in the local area network (LAN) that are the result of inappropriate Internet use, or determine whether applications residing in the network are using the Internet redundantly. For instance, when a worm is present in the LAN, the worm usually tries to contact a particular Internet protocol (IP) address or URL to further damage the network. Redundant Internet use, on the other hand, occurs when all computers residing in the network individually check for and download updates or patches, which can be avoided by using a centralized patching server.
Finally, Internet use analyses can be used to determine whether the organization needs to upgrade its current Internet bandwidth and speed. To this end, auditors can monitor Internet activity through the use of proxy servers (i.e., servers that reside between a client application, such as a Web browser, and a real server to intercept client requests and forward them to the other server). Proxy servers in use today include open source types, such as SQUID, Privoxy, or Sun Java Web Proxy server, as well as commercially available ones such as Microsoft's Internet Security and Acceleration Server.
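The following added example (not part of the original article) shows how an auditor could total per-client traffic and flag redundant downloads from a proxy log. It assumes Squid's native access.log layout; the sample lines, host names, and the min_clients threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 210 10.0.0.11 TCP_MISS/200 52428800 GET http://updates.example.test/patch-1.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1700000050.330 205 10.0.0.12 TCP_MISS/200 52428800 GET http://updates.example.test/patch-1.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1700000090.720 198 10.0.0.13 TCP_MISS/200 52428800 GET http://updates.example.test/patch-1.cab - HIER_DIRECT/203.0.113.10 application/octet-stream
1700000120.004 35 10.0.0.11 TCP_MISS/200 20480 GET http://intranet.example.test/index.html - HIER_DIRECT/203.0.113.20 text/html
1700000130.500 12 10.0.0.14 TCP_DENIED/403 1200 CONNECT mail.example.test:443 - HIER_NONE/- text/html
this line is truncated
"""

def parse_line(line):
    """Return (client, action, bytes, url), or None for a malformed line."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or not f[4].isdigit():
        return None
    return f[2], f[3].split("/")[0], int(f[4]), f[6]

def audit(log_text, min_clients=3):
    """Summarize bandwidth per client and URLs fetched separately by many clients."""
    bytes_by_client = defaultdict(int)
    clients_by_url = defaultdict(set)
    bytes_by_url = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines so they are not silently lost
            continue
        client, action, size, url = rec
        bytes_by_client[client] += size
        if action == "TCP_MISS":  # served from the Internet, not from cache
            clients_by_url[url].add(client)
            bytes_by_url[url] += size
    # A URL pulled over the Internet link by several clients is a candidate
    # for a centralized patching or caching server.
    redundant = {url: (len(clients), bytes_by_url[url])
                 for url, clients in clients_by_url.items()
                 if len(clients) >= min_clients}
    return dict(bytes_by_client), redundant, skipped

if __name__ == "__main__":
    usage, redundant, skipped = audit(SAMPLE_LOG)
    print(usage, redundant, skipped)
```
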
Another performance problem leading to network congestion is cable-pair connectivity. In essence, the network may experience a signal loss during a data transfer session if either of the two copper wire pairs (i.e., the four wires required for LAN connections with a transfer speed of no less than 100 MBs per second) is not properly connected end-to-end. Because any signal loss during a data transfer session could result in low network performance, auditors need to determine whether the cables are connected properly. To do this, auditors need to use a pair of hardware cable testers, connected at the two ends of the physical network cable. When conducting the test, all lights must blink on the cable tester. If this happens, then the network cable has perfect point-to-point connectivity.
Auditors need to note that the organization may choose not to use all four cables for network connectivity, such as in the case of a category five (CAT5) cable. In this case, only the lights correlating to the cables that the organization is using should blink on the hardware cable tester. If even one light is not blinking according to the organization’s cable deployment policy, then there is no perfect peer-to-peer connectivity within the LAN. Consequently, audit reports should clearly specify which cables had insufficient network connectivity.
E-MAIL SERVER REVIEW
Many companies implement a private or local mail server for internal and external e-mail use. For instance, the organization may have a single mailbox for all employees that is hosted by an e-mail service provider. The organization will then install a local mail server at their end to retrieve information from this single mailbox, which is then segregated locally based on employee e-mail IDs. Therefore, if an employee wishes to send an e-mail to a co-worker, the e-mail is sent through this local mail server directly to the recipient. Otherwise, the local mail server will forward the e-mail to its parent mail server for further delivery to the intended external recipient.
Key points to look for when reviewing e-mail server performance include:
These key points need to be analyzed and verified manually by the auditor along with the network or system administrator. Also, a cross-verification should be performed by analyzing e-mail server logs. For example, if spam e-mail is congesting the majority of the network's bandwidth, the organization should upgrade its existing spam-filtering solution.
NETWORK ACTIVITY ASSESSMENTS
The auditor also needs to analyze the effectiveness of the processes or activities that are used to manage the network. These activities include the network's capacity use, change management processes, incident response activities, and log monitoring functions.
The network capacity planning process compares the organization's current and future network capacity in terms of their use and efficiency. Any discrepancy between any user requirements and the organization's capacity can lead to inefficient network use. Therefore, the aim of network capacity planning is to resolve this discrepancy.
To plan for current and future use, internal auditors can recommend that network administrators monitor network use logs. For example, if the network administrator notices that the company currently uses 70 percent of its network bandwidth, he or she can ask management to purchase more network resources (e.g., switches, cables, PCs, etc.).
Change management is a logical approach that defines the policies, procedures, and controls that need to be used for specific business functions or activities. In terms of network performance, the organization's change management policy needs to document, for instance:
A systematic documentation of all network changes can help administrators to easily manage the network, as well as help management and internal auditors to quickly understand networkwide changes. Change management policies and actions also can enable auditors and administrators to evaluate network problems at a quick glance and determine the causes for network performance issues or, worse, a security breach after a particular change or upgrade is made.
Before a change or upgrade is made to a network component, auditors need to recommend that network or system administrators discuss the activity with a senior executive, such as the chief technology, information, or security officer, to evaluate the impact the change or upgrade can have on various network aspects (e.g., application compatibility, security, and network performance issues). Finally, auditors need to ensure that the change management policy or document is authorized and signed by the senior manager (refer to figure 2 for a sample change management form).
Policy number: (Policy number for this change.)
If a process or service exists, problems will always be associated with it. The same principle applies to computer networks. Therefore, companies need to have a standard procedure to handle network problems and provide a quick and efficient solution to those problems. Key items internal auditors need to review when assessing an organization's network incident response plan or document include:
Proactive action is always a better step than reacting to an IT problem. When it comes to network performance, proactive steps apply to monitoring network activities and identifying problems that might affect the organization in the future. One of the best ways to monitor network activities is through data logging. Logs can be generated by a firewall, a managed switch, an operating system, or an application. For instance, suppose an organization is growing rapidly in terms of its revenue and number of employees within a short period of time. To keep up with this growth, network administrators need to assess how effectively the currently used network switches, cables, computer systems, and accessories sustain network performance. Network administrators may also need to update or increase the availability of these and other network components within the next three months so that the company's continuity of flow is not disrupted.
A GOOD MEASURE OF NETWORK OPERATIONS
The use of ongoing performance audits can help IT departments better measure the network's effectiveness and efficiency. To this end, internal auditors need to examine key network functions and components, such as the company's network bandwidth use, the current level of Internet use, the performance of network cables, and e-mail server activities. These network performance audits need to be an ongoing part of the organization's proactive measures to identify any IT system breakdowns before they hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's server memory use and central processing unit (CPU) capacity, which may also hinder network performance.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.