control, and governance
Assessing Bandwidth Use as a Function of Network Performance
Performing ongoing assessments of an organization's network bandwidth use can help IT departments to enhance the quality of network services and identify problem areas before they hinder work productivity.
Nikhil Wagholikar, CEH
Information Security Analyst
Most corporate networks consist of different applications without which an organization would be unable to perform critical business functions. Unfortunately, these networks are often taken for granted due to their "behind-the-scenes" role, thus increasing the need for network administrators to prevent any breakdowns in network performance. To help their organization ensure proper safeguards and controls exist to monitor and respond quickly to network issues and threats, internal auditors need to conduct ongoing performance assessments that measure the network's quality of service and determine whether the programs, hosts, and applications that are installed on the corporate network function properly. (Refer to Figure 1 for an illustration of a basic corporate network.) More specifically, these network performance audits need to examine the network's bandwidth use.
Before conducting a network performance audit, internal auditors need to understand how the network operates. The best way to do this is by requesting a copy of the company's network diagram. In organizations with larger networks, multiple diagrams may exist. Regardless of the network's size, diagrams need to illustrate the local area network (LAN), any demilitarized zones (DMZs), and the company's virtual private network (VPN). In addition, auditors need to identify any critical business applications that reside within the network and the network components that support them, as well as determine each application's network bandwidth use.
Network Bandwidth Use
Common Network Components
Below is a definition of the most common network components:
Demilitarized Zone (DMZ)
Local Area Network (LAN)
Virtual Private Network (VPN)
Ideally, network bandwidth use should be monitored on regularly scheduled intervals that provide a sample of normal daily activity — that is, during hours of peak use (i.e., normal business hours), hours of moderate use (i.e., at the start of the business day), and hours of low use (i.e., after normal business hours). Auditors may wish to avoid a 100 percent monitoring approach as it can result in unmanageable amounts of data. For instance, in just 10 minutes of monitoring, network administrators can obtain as much as 300 MB of data for a computer network consisting of 10 to 15 computers and four to five network devices.
Network use also should be monitored for a considerable period of time (i.e., for a minimum of 15 minutes at regular 30-minute intervals) during the above mentioned business hours to get a clear picture of the company's total network bandwidth use. For easier understanding, results should be presented in a graph format, rather than in a text or Internet protocol (IP) format. Figure 2 shows three graphs illustrating the network bandwidth use of a mid-size IT organization during business hours.
As the examples in Figure 2 show, average network use during the start of the business day (i.e., during hours of low-use) is almost 0 percent. Use during normal business hours (i.e., in the afternoon or during hours of peak-use) is between 25 percent and 40 percent, while use after business hours (i.e., in the evening or during hours of moderate use) is between 5 percent and 15 percent. Typically, network use that is between 50 percent to 75 percent is considered normal, depending on the network size (i.e., a LAN consisting of 100 to 110 computers, 10 servers and applications, 100 clients, five to 10 switches, and one or two routers).
Furthermore, auditors need to review the configuration of all network devices (e.g., routers and printer settings) and the configuration of network applications (e.g., determining whether the server application is excessively querying clients). When reviewing the configuration of network devices, auditors need to:
Identify if network administrators are tracking and limiting changes to the overall network.
In terms of reviewing the configuration of network applications, auditors need to:
To rectify network bandwidth use problems, auditors can recommend that organizations use a virtual LAN (VLAN) — a switched network that is logically segmented by functions, project teams, or applications without regard to the physical location of users. VLANs help organizations reduce the use of the broadcast domain — a network in which any computer can send data directly to another computer in the same domain without having to pass through a routing device, as long as both computers reside under same subnet mask. Besides VLANs, the deployment of up-to-date antivirus and anti-spam programs is recommended.
Packet Size Distribution
Key Audit Recommendations Regarding Network Performance
Before completing the network performance review, internal auditors need to ensure that recommended actions:
There are many factors that affect a network's packet size distribution, some of which include the applications installed (e.g., Microsoft SQL server), the kind of services running on the network (e.g., a dynamic host configuration protocol that lets network administrators centrally manage and automate the assignment of IP addresses in a network), and the policies implemented (e.g., Windows Active Directory Group policies). Results obtained from network bandwidth use audits can help internal auditors identify additional factors that are impacting the network's packet flows. For example, in a Windows-based domain environment, normal packet sizes may vary from 65 to 127 bytes to 512 to 1,023 bytes. However, if the organization uses a server-client-based application, then the normal packet size may be greater than 1,518 bytes.
Type of Data Flows
A protocol analysis enables network administrators to employ proper software or hardware tools that capture, decode, interpret, and react to the contents of data packets (i.e., the types of data) as they flow through a network. Thus, protocol analyses are an essential part of any network performance audit since they help identify how much network bandwidth is being used. For instance, protocol analysis can help network administrators determine the service or application that is consuming large amounts of the network's bandwidth.
In addition, protocol analysis information, along with the application's working technology documentation, can help auditors to determine whether the data flowing through the network is genuine traffic (i.e., necessary business information) or is redundant or unnecessary information that could lead to network congestion and, therefore, hamper the network's performance.
Reasons why unnecessary or redundant traffic can flow in the network from a particular application include:
Figure 3: Protocol Analysis Results During Morning (top), Afternoon (middle), and Evening Business Hours. (Click to enlarge)
Because the factors affecting protocol statistics might be difficult to determine, manual intervention might be necessary when identifying the applications that are using each protocol maximally. For instance, if the auditor notices that the lightweight directory access protocol — a protocol that computer programs use to look up information from a server — is used, then some of the activities related to the domain controller, such as Group Policy updates, might be taking place on a regular basis. Besides manual intervention, auditors can use programs such as Wireshark to determine which IP addresses are using what protocols. Results obtained from these programs can help augment manual analyses.
Data Error Rates
Data errors, as they apply to network packets, can be defined as those data packets that lost their accuracy during their transmission through a network cable before they reached their final destination. Consequently, as these packets arrive at their final destination, they are simply discarded by the recipients (e.g., a computer host or network device). A simple reason why data errors occur is due to any losses of packets flowing within the network. For instance, network cables may experience productivity problems due to heat loss, power transmission loss, or cable material resistance damages. Though these problems have been reduced to a great extent with the latest Ethernet technology, which has error detection capability, improper or non-structured network cabling can still lead to data errors.
When analyzing data error rates, internal auditors should compare the ratio of normal packets to data error packets as this will give a clearer picture of how many error packets are moving within the network. Normal packet flow within the network can be based on:
Network performance audits can help IT departments to better measure a network's quality of service. To this end, internal auditors can work with network administrators to obtain information regarding the network's bandwidth use. Doing so will enable organizations to identify any break downs in network performance and rectify problems that may hinder the organization's day-to-day activities. Besides collecting and reviewing this information, auditors can examine the network's Internet use, cable performance, and e-mail server activities, which may also hinder network performance.
For additional information about network performance audits, internal auditors can visit the following Web sites:
The following two articles also provide useful information on network bandwidth use:
Nikhil Wagholikar, CEH, is an information security analyst with Network Intelligence India (NII) Pvt. Ltd., an IT security consulting firm located in Mumbai, India, that offers ethical hacking, computer forensics, security auditing, ISO-27001 compliance and business continuity management services. As part of NII's team, Nikhil has worked on multiple security projects and audits dealing with all aspects of IT, and conducts penetration tests and vulnerability assessments for clients. Nikhil holds the certified ethical hacker designation.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.