IN THIS ISSUE

Vol. 10, December 10, 2007

Print Article Print Entire Issue

Essential Aspects of an Effective Network Performance Audit

Ongoing assessments of an organization's Internet use, cable performance, e-mail server, and network management activities, can help auditors identify network problem areas before they become too costly to fix.

Nikhil Wagholikar
Information Security Analyst, NII Consulting

Regardless of recent improvements in network performance and capacity, it is essential for network administrators to periodically assess the reliability of network technology and its ability to meet business needs. Consequently, network performance assessments can help organizations determine whether the programs, hosts, and applications that are installed on the corporate network function properly. More specifically, these performance audits need to examine the network's bandwidth use, as discussed in the Nov. 10 issue of ITAudit , as well as the company's Internet use, cable performance, and e-mail server activities. To this end, auditors should assess companywide network management activities, including its network's capacity use, change management processes, incident response activities, and log monitoring functions. Following is a discussion of each of these components.

INTERNET USE

Besides network bandwidth use, violation of Internet use policies can cause network performance problems. Unauthorized network activities typically performed during work hours include:

1. Accessing pornographic Web sites, as well as file, photo, and video sharing sites.
2. Performing online trading.
3. Accessing personal e-mails and forwarding e-mails with large attachments, such as videos, PowerPoint presentations, and pictures.
4. Downloading unlicensed software that might contain malware (e.g., spyware and adware applications, and viruses, Trojans, or worms), which may cause a denial-of-service (DoS) attack.

To determine whether employees are adhering to established Internet use policies, internal auditors and network administrators can sniff (i.e., monitor and analyze) data packet traffic flowing between the organization's gateway and the Internet service provider (ISP). This can be achieved by using a switched port analyzer (SPAN) or placing a hub (i.e., a common connection point for devices in a network) between the ISP and the organization's router or firewall (refer to figure 1 for an example of a hub).

When sniffing traffic, it is important to keep in mind that data packet sniffing can lead to a self DoS due to the large amount of data that is generated and captured during traffic monitoring especially during peak work hours. As a result, auditors should use a filtering configuration, such as capturing data up to 300 megabytes (MBs) or capturing only HTTP, HTTPS, file transfer protocol (FTP), or port-specific traffic. A second solution is to perform a sample sniffing activity (e.g., periodically monitoring network data for a group of clients or users) and generalizing the results of this activity to the entire organization. Finally, the auditor can recommend that the organization obtains an Internet use statistics report from the ISP, if possible.

Additionally, Internet use analyses can detect malware infections in the local area network (LAN) that are the result of inappropriate Internet use or determine if applications residing in the network are using the Internet redundantly. For instance, when a worm is present in the LAN, the worm usually tries to contact a particular Internet protocol (IP) or URL to further damage the network. On the other hand, redundant Internet use occurs when all computers residing in the network individually check for and download updates or patches, which can be avoided by using a centralized patching server.

Finally, Internet use analyses can be used to determine whether the organization needs to upgrade its current Internet bandwidth and speed. To this end, auditors can monitor Internet activity through the use of proxy servers (i.e., servers that reside between a client application, such as a Web browser, and a real server to intercept client requests and forward them to the other server). Proxy servers in use today include open source types, such as SQUID, Privoxy, or Sun Java Web Proxy server, as well as commercially available ones such as Microsoft's Internet Security and Acceleration Server.  

CABLE PERFORMANCE

Another performance problem leading to network congestion is cable-pair connectivity. In essence, the network may experience a signal loss during a data transfer session if any of the two copper wire pairs (i.e., the four wires required for LAN connections with a transfer speed of no less than 100 MBs per second) is not properly connected end-to-end. Because any signal loss during a data transfer session could result in low network performance, auditors need to determine if the cables are connected properly. To do this, auditors need to use a pair of hardware cable testers, which need to be connected at the two ends of the physical network cable. When conducting the test, all lights must blink on the cable tester. If this happens, then the network cable has perfect point-to-point connectivity.

Auditors need to note that the organization may choose not to use all four cables for network connectivity, such as in the case of a category five (CAT5) cable. In this case, only the lights correlating to the cables that the organization is using should blink on the hardware cable tester. If even one light is not blinking according to the organization’s cable deployment policy, then there is no perfect peer-to-peer connectivity within the LAN. Consequently, audit reports should clearly specify which cables had insufficient network connectivity.

E-MAIL SERVER REVIEW

Many companies implement a private or local mail server for internal and external e-mail use. For instance, the organization may have a single mailbox for all employees that is hosted by an e-mail service provider. The organization will then install a local mail server at their end to retrieve information from this single mailbox, which is then segregated locally based on employee e-mail IDs. Therefore, if an employee wishes to send an e-mail to a co-worker, the e-mail is sent through this local mail server directly to the recipient. Otherwise, the local mail server will forward the e-mail to its parent mail server for further delivery to the intended external recipient.

Key points to look for when reviewing e-mail server performance include:

• The presence of large numbers of rejected e-mails, especially to a particular user.
• Any malicious requests by or to any user in the organization.
• The possibility of an open-relay mail server.
• The presence of large numbers of attachments, especially spam (i.e., unsolicited e-mail) attachments.
• The ratio of spam e-mail to genuine e-mail.

These key points need to be analyzed and verified manually by the auditor along with the network or system administrator. Also, a cross-verification should be performed by analyzing e-mail server logs. For example, if spam e-mail is congesting the majority of the network's bandwidth, the organization should upgrade its existing spam-filtering solution.

NETWORK ACTIVITY ASSESSMENTS

The auditor also needs to analyze the effectiveness of the processes or activities that are used to manage the network. These activities include the network's capacity use, change management processes, incident response activities, and log monitoring functions.

Capacity Use

The network capacity planning process compares the organization's current and future network capacity in terms of their use and efficiency. Any discrepancy between any user requirements and the organization's capacity can lead to inefficient network use. Therefore, the aim of network capacity planning is to resolve this discrepancy.

To plan for current and future use, internal auditors can recommend that network administrators monitor network use logs. For example, if the network administrator notices that the company currently uses 70 percent of its network bandwidth, he or she can request the purchase of more network resources (e.g., switches, cables, PCs, etc.) to management.

Change Management

Change management is a logical approach that defines the policies, procedures, and controls that need to be used for specific business functions or activities. In terms of network performance, the organization's change management policy needs to document, for instance:

• How Active Directory changes will be handled.
• Different firewall rules, such as opening a port.
• Changes in logging systems.
• How to change user access rights to network resources or data.
• The addition and removal of new computers.
• The proper way to configure network access for individual users.

A systematic documentation of all network changes can help administrators to easily manage the network, as well as help management and internal auditors to quickly understand networkwide changes. Change management policies and actions also can enable auditors and administrators to evaluate network problems at a quick glance and determine the causes for network performance issues or, worse, a security breach after a particular change or upgrade is made.

Before a change or upgrade is made to a network component, auditors need to recommend that network or system administrators discuss the activity with a senior executive, such as the chief technology, information, or security officer, to evaluate the impact the change or upgrade can have on various network aspects (e.g., application compatibility, security, and network performance issues). Finally, auditors need to ensure that the change management policy or document is authorized and signed by the senior manager (refer to figure 2 for a sample change management form).

If a process or service exists, problems will always be associated with the same. This same principle applies to computer networks too. Therefore, companies need to have a standard procedure to handle network problems and provide a quick and efficient solution to those problems. Key items internal auditors need to review when assessing an organization's network incident response plan or document include:

• The level of vendor support (i.e., how will the vendor provide support for problems reported by the organization — will this support be provided over the phone or in person? In addition, is the vendor support team or contact person located in a nearby location or foreign country?).
• An inventory of all network programs and applications.
• Service-level agreements between the organization and the vendor for specific network programs and applications identified in the inventory list.
• Change management policies and procedures.
• A list of incident response team members and their qualifications.
• The organization's approach toward solving any network incidents and the steps that will be taken for mitigating the same as specified in the business continuity or disaster recovery plan, in addition to determining how the plan will be maintained.  
• Configuration backups for all network programs and applications (e.g., are these devices tested in a test environment prior to restoration, are backups encrypted, and where are the backups stored)?   

Log Monitoring

Proactive action is always a better step than reacting to an IT problem. When it comes to network performance, proactive steps apply to monitoring network activities and identifying problems that might affect the organization in the future. One of the best ways to monitor network activities is through data logging. Logs generated can be either from a firewall, managed switch, operating system log, or an application log. For instance, an organization is growing rapidly in terms of its revenue and number of employees within a short period of time. To keep up with this growth, network administrators need to identify the effectiveness of currently used network switches, cables, computer systems, and accessories in keeping up with network performance. Network administrators may also need to update or increase the availability of these and other network components within the next three months so that the company's continuity of flow is not disrupted.

A GOOD MEASURE OF NETWORK OPERATIONS

The use of ongoing performance audits can help IT departments better measure the network's effectiveness and efficiency. To this end, internal auditors need to examine key network functions and components, such as the company's network bandwidth use, the current level of Internet use, the performance of network cables, and e-mail server activities. These network performance audits need to be an ongoing part of the organization's proactive measures to identify any IT system break downs before they hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's server memory use and central processing unit (CPU) capacity, which may also hinder network performance.

Nikhil Wagholikar, CEH, is an information security analyst with Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, computer forensics, security auditing, ISO-27001 compliance, and business continuity management services. As part of NII's team, Nikhil has worked on multiple security projects and audits dealing with all aspects of IT, and conducts penetration tests and vulnerability assessments for clients. Nikhil holds the certified ethical hacker designation.