Port monitoring is a necessary measure to make sure your network is running at an optimized level.
For those unfamiliar with New England, many villages and cities began as fishing towns. These communities still do business on the sea, with multiple companies shipping out their products on massive boats. How do these boats gain access to the towns to continue doing business in them? By docking their ships and crew at a port, a maritime facility where ships and boats of all sizes load and discharge cargo, or in some cases, passengers.
Now, for those who work in IT and Infrastructure Management (IM)—most likely away from the water—you are familiar with "network ports" or "switch ports." Ports are part of network addresses serving as points of entry into the network. Ports also ensure the thorough distribution of connections and data packets.
Like any other aspect of network infrastructure monitoring, the ability to scan various ports ultimately benefits a company. Not to mention, it saves much time from having to look at each and every port through a tedious, manual process.
How does one protect these access areas? More specifically, how does an IT professional monitor these ports for their own devices and their company's expansive network infrastructure?
This blog is dedicated to Port Monitoring, the letter P in our growing ABCs of ITIM series. Within the sections below, we will be answering the above rhetorical questions.
What Is a Port?
In the network (non-nautical sense), we can describe ports as three distinct types but usually fall into either virtual or physical:
- A jack, socket or plug for a piece of hardware or accessory (i.e., ethernet ports for Cat6/Cat5e cables).
- A number defined by software associated with a network protocol that receives or transmits a communication for a specific service.
- A type of software has been translated or converted to run on different hardware or operating systems than it was initially designed for.
On average, a company will have more than 65,000 (the exact number is between 65,336 or, according to TechTarget, 65,535) ports that should be monitored. While not all of them are constantly being used, many of those ports are transferring data by the second.
What Is Port Monitoring?
Port monitoring is a standard action for IT professionals in which they analyze the traffic passing through various entry points. Port monitoring involves analyzing the traffic mirrored from one port to another port located on a network switch. Alternatively, port monitoring processes can mirror traffic coming from a switch connected to a network analyzer. Using a network analyzer, IT professionals can mirror traffic from one port to another on one switch or connected switches.
How Does Port Monitoring Work?
Port monitoring will usually involve the use of network or hardware monitoring tools to collect and analyze the status of specific network ports. These types of tools can be configured to monitor various parameters, including the status of the port, the amount of traffic flowing through the port, and the kind of traffic being transmitted. As a result, port monitoring can benefit IT and network administrators to manage (among other tasks) uptime and downtime efficiently.
What are the Main Types of Port Monitoring?
The port monitoring process will sort the found ports into one of the following categories:
- Open: The target host responds with a packet indicating it is listening on that port. It also suggests that the service that was used for the scan (typically TCP or UDP) is in use as well.
- Closed: The target host received the request packet but responded back with a reply indicating that there is no service listening on that port.
- Filtered: The port scan categorizes ports as filtered when a request packet is sent, but no reply is received. This typically indicates that the request packet has been filtered out and dropped by a firewall.
Transmission control protocol (TCP) and user datagram protocol (UDP) are the two primary methods of transmitting data. Though used commonly, the two have very different processes in how data is transferred:
- TCP: A two-way connection-based transmission of data relying on the status of its destination in order to create bidirectional data transmission.
- UDP: A more simple, directionless transmission that sends out packets of data in portions rather than all at once.
For organizations that primarily use TCP, the most common type of scan is the SYN scan. SYN scans create a partial connection to the host on a target port by sending a packet and then evaluating the response from the host. If the request packet is not filtered or blocked by a firewall, then the host replies by sending a SYN/ACK packet if the port is open or an RST packet if the port is closed.
Another method of TCP scanning is the connect scan, which involves the scanner attempting to connect to a port on the target host using the TCP connect system call and initiating the whole handshake process. This creates a lot of packet overhead and is easier to detect, making it a less utilized method of port scanning by cybercriminals.
Other types of TCP port scans include the following:
- NULL: A sort of scan that sends packets with no flags set in their headers.
- FIN: Only scans that have the FIN bit set.
- XMAS: Scan packets with the FIN, PSH and URG flag bits turned on.
Port scanning, a common type of port monitoring, has the end user check the status of a range of ports on a network device. Network administrators use this type of tool to assist in locating open and vulnerable ports in an organization's infrastructure. Port scanning can also help with identifying any and all misconfigurations.
Another type of port monitoring is Simple Network Management Protocol (SNMP) monitoring. SNMP is a commonly implemented protocol that allows network administrators to monitor and manage network devices from a central location. By using SNMP, administrators can monitor the status of network ports, receive notifications when specific events occur and collect performance data for analysis.
What Metrics of a Port Can You Monitor?
There are several metrics you should keep track of, including the percentage based on whether the port is an expansion port or fabric port and the average size and time frame of a data traffic transfer. However, administrators should prioritize analyzing performance-oriented ones. After deploying a port monitoring tool, IT and network teams can measure the following performance metrics:
- Key Port Metrics will involve aspects of bandwidth, including bandwidth percentage sent and received. Key port metrics also include data rates in which they are sent or received.
- I/O Rate includes the average number of frames per second that are sent or received through a port.
- Peak Data Rate is as exactly as it sounds; a measurement in which the port monitoring tool analyzes the highest rate at which data is sent or received by the port. However, one difference to take away from this type of metric is how they are processed; A send operation is a processed read operation or a write operation indicated by the report. A receive operation is a processed write operation or a read one characterized by a report.
- Frame Error Rates are more complex than other metrics. Some of the errors being analyzed are the percentage of nonsequential read operations found in cached data and the percentage of nonsequential write operations that are handled in the cache.
- Port Protocol Error Rate is another complex metric that measures, among other statistics, the average number of frames per second that are discarded because host buffers are unavailable for the port.
- Link Error Rates are metrics related to the average number of disparity errors that are received per second.
Five Benefits of Using Port Monitoring
1. Better insight into how ports are being used. When monitoring a company's switch ports, an IT professional can see which ports are the most frequently used but also monitors the overall network efficiency. In turn, the team can save time, money and overall work efforts.
2. Improved security to a network. Port monitoring software lowers the risks of IT professionals who can protect their company's network infrastructure from clearing the way for a multitude of workflows.
3. Safeguard sensitive data and other related information. Frequently, unutilized switch ports are one of the most common security vulnerabilities. Returning to our nautical comparison in the beginning, an unused port serves as an available dock for any cyber attacker.
4. Effectively manage downtime and uptime. Port monitoring is vital to maintaining network uptime with provided visibility, and with those insights, network administrators can start looking into what specific issues are causing downtimes.
5. Troubleshoot bottlenecks within an organization's network. An automated port monitoring tool can help IT and network professionals allocate resources to remove potential workflow bottlenecks.
Five Challenges of Port Monitoring
1. Mapping out ports is problematic in complex network infrastructure. Since networks are growing increasingly complex, either on-premise or in the cloud, it isn't easy to obtain visibility for the whole infrastructure, network ports included.
2. Receiving the right insights into the connected devices connected to a specific port. While port monitoring gives administrators great insight into their network activity, understanding the precise details of the connected device is crucial to mitigate other problems.
3. Physical defects can affect the monitoring process. It might go without saying, but damaged cables, software glitches and poorly configured network switches all create poor performances across the network. As such, starting your port monitoring processes can be difficult.
4. Various software-related configurations also affect port monitoring. Network and IT professionals should be aware of Network Interface Controller (NIC) cards that need to be adequately connected, spanning tree loops and blocking or data transmission protocols unrecognized by a router or switch.
5. Any and all blind spots in your ports can lead to potentially dangerous security breaches. It is common for organizations to allow employees to bring their own devices. But in turn, these devices are connected to large networks. An automated end-to-end port monitoring solution can give them the insights needed to the ports from those devices.
How to Use a Port Monitoring Tool Yourself
To answer this (rhetorical) question, an IT or network administrator should utilize a type of port monitoring software or tool. Other IT or network infrastructure teams will use resources and time to monitor their company's ports manually as such, deploying a network monitoring solution with automation abilities is ideal for saving time and money, such as Progress WhatsUp Gold.
How to Start Monitoring with Progress WhatsUp Gold
WhatsUp Gold's network discovery tools help administrators map out their network surroundings and quickly discover the devices found in the network. The software can discover any-and-all connected devices while building a comprehensive and accurate image of the port-to-port connectivity of said devices.
Additionally, WhatsUp Gold's network traffic monitoring and analysis tool provides even greater insight into what users, applications and protocols are consuming bandwidth. Or if there is a suspicious port from connected devices.
It is always worth looking into solutions to network vulnerabilities by using some of the tools mentioned earlier or by hiring a certified ethical hacker to verify your security level. How you implement your port monitoring solution all depends on what your team's budget is, along with what their expertise is with the specific technology.
Learn more about WhatsUp Gold, including its port monitoring capabilities and how it benefits your organization.
View All of The ABCs of Infrastructure Monitoring
Looking to start on the basics of IT infrastructure monitoring? Our alphabetized index is an excellent place to begin or extend your education. View all of our current topics.