November 2007

Assessing Bandwidth Use as a Function of Network Performance

Performing ongoing assessments of an organization's network bandwidth use can help IT departments to enhance the quality of network services and identify problem areas before they hinder work productivity.

Nikhil Wagholikar, CEH
Information Security Analyst
NII Consulting

Most corporate networks consist of different applications without which an organization would be unable to perform critical business functions. Unfortunately, these networks are often taken for granted due to their "behind-the-scenes" role, thus increasing the need for network administrators to prevent any breakdowns in network performance. To help their organization ensure proper safeguards and controls exist to monitor and respond quickly to network issues and threats, internal auditors need to conduct ongoing performance assessments that measure the network's quality of service and determine whether the programs, hosts, and applications that are installed on the corporate network function properly. (Refer to Figure 1 for an illustration of a basic corporate network.) More specifically, these network performance audits need to examine the network's bandwidth use.

Figure 1: Diagram of a Typical Corporate Network (Click to enlarge)

THE AUDIT

Before conducting a network performance audit, internal auditors need to understand how the network operates. The best way to do this is by requesting a copy of the company's network diagram. In organizations with larger networks, multiple diagrams may exist. Regardless of the network's size, diagrams need to illustrate the local area network (LAN), any demilitarized zones (DMZs), and the company's virtual private network (VPN). In addition, auditors need to identify any critical business applications that reside within the network and the network components that support them, as well as determine each application's network bandwidth use.

Network Bandwidth Use

Common Network Components Below is a definition of the most common network components: Demilitarized Zone (DMZ) A part of the computer network that is shared by a trusted network or zone and an untrusted network or zone. Also called the perimeter network. Firewall A trust-based computer network device that permits, disallows, or proxies data packets through it. Local Area Network (LAN) A high-speed computer network that covers a small geographic area, such as a home or office. An example of a LAN is the Ethernet. Router A computer network device that transfers data between different networks. Switch A computer network component that interconnects network segments. Virtual Private Network (VPN) A computer network that uses a public network such as the Internet to transmit private data, thus enabling users to exchange information as if they were inside an internal network.

When assessing the application's network bandwidth use, the auditor should conduct a network traffic analysis that identifies:

1. The average amount of data flowing within the network (i.e., overall bandwidth use).
2. The data's packet size distribution.
3. The type of data flow within the network.
4. The data's error rate.

Ideally, network bandwidth use should be monitored on regularly scheduled intervals that provide a sample of normal daily activity — that is, during hours of peak use (i.e., normal business hours), hours of moderate use (i.e., at the start of the business day), and hours of low use (i.e., after normal business hours). Auditors may wish to avoid a 100 percent monitoring approach as it can result in unmanageable amounts of data. For instance, in just 10 minutes of monitoring, network administrators can obtain as much as 300 MB of data for a computer network consisting of 10 to 15 computers and four to five network devices.

Network use also should be monitored for a considerable period of time (i.e., for a minimum of 15 minutes at regular 30-minute intervals) during the above mentioned business hours to get a clear picture of the company's total network bandwidth use. For easier understanding, results should be presented in a graph format, rather than in a text or Internet protocol (IP) format. Figure 2 shows three graphs illustrating the network bandwidth use of a mid-size IT organization during business hours.

As the examples in Figure 2 show, average network use during the start of the business day (i.e., during hours of low-use) is almost 0 percent. Use during normal business hours (i.e., in the afternoon or during hours of peak-use) is between 25 percent and 40 percent, while use after business hours (i.e., in the evening or during hours of moderate use) is between 5 percent and 15 percent. Typically, network use that is between 50 percent to 75 percent is considered normal, depending on the network size (i.e., a LAN consisting of 100 to 110 computers, 10 servers and applications, 100 clients, five to 10 switches, and one or two routers).

Figure 2: General Network Use (in percentages) During Low-use (top left), peak (top right), and Moderate (bottom center) Business Hours. (Click to enlarge)

If any discrepancies are found when assessing the performance of the company's network bandwidth use, auditors should proceed by:

• Reviewing the LAN's topology.
• Determining whether Trojans, worms, or viruses are present that might infect a particular computer or group of computers.
• Checking for faulty cabling on the network device by manually reviewing the proper pair of color codes on either side of the cables and identifying whether all cables are touching the cable connector using a cable tester.

Furthermore, auditors need to review the configuration of all network devices (e.g., routers and printer settings) and the configuration of network applications (e.g., determining whether the server application is excessively querying clients). When reviewing the configuration of network devices, auditors need to:

1. Check for routes that cause bandwidth choking or clogging of network traffic due to the use of only one gateway.
2. Identify all network users and their level of network access.
3. Determine if access control lists (ACLs) are configured properly and are enabled.
4. Identify whether network administrators are monitoring and tracking changes made to ACLs.
5. Determine whether the company uses a switch port analyzer or remote network monitoring specification.

Identify if network administrators are tracking and limiting changes to the overall network.
In terms of reviewing the configuration of network applications, auditors need to:

1. First understand the importance and role of the network device within the organization's network topology.
2. Be aware of best practices for network devices in general.
3. Identify whether each component and sub-component of the network are missing, applied incorrectly, or used inappropriately.

To rectify network bandwidth use problems, auditors can recommend that organizations use a virtual LAN (VLAN) — a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users. VLANs help organizations reduce the use of the broadcast domain — a network in which any computer can send data directly to another computer in the same domain without having to pass through a routing device, as long as both computers reside under same subnet mask. Besides VLANs, the deployment of up-to-date antivirus and anti-spam programs is recommended.

Packet Size Distribution

Key Audit Recommendations Regarding Network Performance Before completing the network performance review, internal auditors need to ensure that recommended actions: Do not hamper the application's normal performance. Do not introduce the use of an application or program that could slow down the data transmission speed or access to applications and programs residing in the network. Do not introduce a network security problem. Take into consideration the cost of the network's overall performance. Do not introduce the use of complex technology the organization may hesitate to acquire or implement. Are of a certain standard, precise, and as simple as possible.

The network's packet size distribution shows the size of digital blocks of data flowing through the network and, thus, is a direct indicator of network bandwidth use. Maximum packet flows during the course of a typical business day follow those of the company's network bandwidth use in terms of their frequency and size (e.g., during hours of peak bandwidth use, packet sizes are at their highest levels for the day).

There are many factors that affect a network's packet size distribution, some of which include the applications installed (e.g., Microsoft SQL server), the kind of services running on the network (e.g., a dynamic host configuration protocol that lets network administrators centrally manage and automate the assignment of IP addresses in a network), and the policies implemented (e.g., Windows Active Directory Group policies). Results obtained from network bandwidth use audits can help internal auditors identify additional factors that are impacting the network's packet flows. For example, in a Windows-based domain environment, normal packet sizes may vary from 65 to 127 bytes to 512 to 1,023 bytes. However, if the organization uses a server-client-based application, then the normal packet size may be greater than 1,518 bytes.

Type of Data Flows
A protocol analysis enables network administrators to employ proper software or hardware tools that capture, decode, interpret, and react to the contents of data packets (i.e., the types of data) as they flow through a network. Thus, protocol analyses are an essential part of any network performance audit since they help identify how much network bandwidth is being used. For instance, protocol analysis can help network administrators determine the service or application that is consuming large amounts of the network's bandwidth.

In addition, protocol analysis information, along with the application's working technology documentation, can help auditors to determine whether the data flowing through the network is genuine traffic (i.e., necessary business information) or is redundant or unnecessary information that could lead to network congestion and, therefore, hamper the network's performance.

Reasons why unnecessary or redundant traffic can flow in the network from a particular application include:

1. A malfunction or misconfiguration of the application, service, or hardware that is originating the data.
2. A bug in the code of the application or hardware that is originating the information.
3. Improper routing of the traffic from the application or hardware that is originating the data to the client requesting the data or any other network component.

Figure 3: Protocol Analysis Results During Morning (top), Afternoon (middle), and Evening Business Hours. (Click to enlarge)

Figure 3 examines a protocol or data flow analysis for the same organization. As shown in the illustrations, the network's transmission control protocol (TCP) — a transportation protocol that provides reliable delivery of data bytes — and NetBIOS — which allows applications on separate computers to communicate over a LAN — use the maximum number of network resources.

Because the factors affecting protocol statistics might be difficult to determine, manual intervention might be necessary when identifying the applications that are using each protocol maximally. For instance, if the auditor notices that the lightweight directory access protocol — a protocol that computer programs use to look up information from a server — is used, then some of the activities related to the domain controller, such as Group Policy updates, might be taking place on a regular basis. Besides manual intervention, auditors can use programs such as Wireshark to determine which IP addresses are using what protocols. Results obtained from these programs can help augment manual analyses.

Data Error Rates
Data errors, as they apply to network packets, can be defined as those data packets that lost their accuracy during their transmission through a network cable before they reached their final destination. Consequently, as these packets arrive at their final destination, they are simply discarded by the recipients (e.g., a computer host or network device). A simple reason why data errors occur is due to any losses of packets flowing within the network. For instance, network cables may experience productivity problems due to heat loss, power transmission loss, or cable material resistance damages. Though these problems have been reduced to a great extent with the latest Ethernet technology, which has error detection capability, improper or non-structured network cabling can still lead to data errors.

When analyzing data error rates, internal auditors should compare the ratio of normal packets to data error packets as this will give a clearer picture of how many error packets are moving within the network. Normal packet flow within the network can be based on:

1. Information from previous network performance audits reports.
2. General packet flows observed by the auditor during low-use, moderate, and peak business hours for a considerable period of time (i.e., four to five days) using data sniffing tools.
3. The auditor's knowledge on how to use the application that is sending and receiving the data packet.
4. The auditor's knowledge on and experience with network activities and performance.

MOVING FORWARD

Network performance audits can help IT departments to better measure a network's quality of service. To this end, internal auditors can work with network administrators to obtain information regarding the network's bandwidth use. Doing so will enable organizations to identify any break downs in network performance and rectify problems that may hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's Internet use, cable performance, and e-mail server activities, which may also hinder network performance.

For additional information about network performance audits, internal auditors can visit the following Web sites:

• The Mathworks' Web page on data error calculation.
• Wikipedia's Protocol analysis Web page.
• Colasoft's Network ABC Web page.
• Network Cabling Help's Cabling Basics Web page.

The following two articles also provide useful information on network bandwidth use:

• Novell's "Using Packet Size Distributions to Uncover Hidden Network Utilization Bottlenecks."
• InformIT's "Understanding Protocol Analysis."

Nikhil Wagholikar, CEH, is an information security analyst with Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, computer forensics, security auditing, ISO-27001 compliance and business continuity management services. As part of NII's team, Nikhil has worked on multiple security projects and audits dealing with all aspects of IT, and conducts penetration tests and vulnerability assessments for clients. Nikhil holds the certified ethical hacker designation.

COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

---

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

---