Network Monitoring Without Credentials a Terrible Idea
Security and Ease of Administration Require Tight Identification Policies and Practices
By Mark Towler and Jason Alberino
We know credentials can be a pain, but IT understands they are a NECESSARY pain. In the world of network monitoring, credentials are the account and password details that allow access to every network, system, or required device. They're not tremendously different from the username and password you use to log into your computer or any other system, but they apply to all the devices that make up the network.
Credentials are clearly essential. If you cannot get access to a device or system, you can't get any information about it, often including what it is. When a network monitoring solution discovers your entire network, it's vital you have credentials for every single device in your network. When that system looks at each individual item, device, or IP address and asks, "Who are you? What is it you do? And tell me details about yourself," the answer that comes back to the network monitoring solution should be something other than, "You have no access."
Why Credentials Matter
Without credentials, you can find out very basic information such as identifying a device as a wireless access port or server – but that's about it. Credentials are critical for network discovery. They identify not only what that device is but what it's doing and what kind of actions are available that can be changed or modified on that device.
Once you've got access, there's a variety of things you can do, or a system (or solution) can do on your behalf.
A good network monitoring solution stores credentials – all necessary network credentials to allow IT to log in easily to all devices on an ongoing basis.
Credentials and Cloud Services
Credentials are not just for physical devices. Often cloud resources are a part of a network that need to be monitored and managed. In those cases, you have separate credentials to access your Amazon Web Services or Azure system – or any other online cloud-based solution. The same goes for virtual machines.
Credentials come in a variety of types. The most common is SNMP, or Simple Network Management Protocol. There are several different versions (SNMP 1, 2, and 3), which tend to be backward compatible, and almost anything will respond to an SNMP ping. This is usually the easiest way to figure out what's going on.
Credentials help you get information about system attributes, or the system instrumentation so you know not only that the device exists, but what it's doing, what its response time is, and various other bits of information like throughput, or status. Here, you apply more impressive or complex credentials. These credentials include Windows WMI, or VMware, or SSH credentials.
Remote execution may require a different type of credential, such as SSH or, more commonly, the very old-school Telnet. These are credentials that allow you to access a device or a system, and to make changes, take control, or remotely operate it.
Legacy Application and Device Creep
There's a whole world of applications, each one of which can have multiple types of credentials. Anyone who's spent time doing network administration knows you never take things away. They always get added on. Systems and solutions are built upon layers of earlier and older ones, with multiple vendors, specifications, devices, solutions and systems, all doing different jobs – many requiring different credential types.
Applying Windows, Linux and Virtual Machine Credentials
You need Windows host credentials for Windows host devices and other Windows devices. That's usually done through the WMI standard, which goes a level deeper than simply responding to a ping or responding with very basic device management.
We're seeing a lot more Linux, Unix and Windows hybrid solutions. If you've got Linux or Unix hosts, you need them to play nicely with a Windows solution, or a Windows monitoring or managing system. Here you may need an SNMP agent or an SNMP service that acts as an intermediary. It will get the SNMP static information and provide it in a Windows-compatible, or WMI-compatible, format. This adds another layer of complication when reaching into Linux and Unix systems. You can also use SSH credentials to manage and monitor those Linux or Unix host devices.
VMware is the most common virtual machine solution, though Hyper-V has been giving it a run for its money. For both of those, you need the appropriate credentials to access all those virtual machines within either vCenter or Hyper-V.
Keeping the Keys to the Kingdom Safe
Credentials are literally the key to the kingdom. If you are putting them all into one solution, anyone who can get access to your network monitoring or management solution can access every single device on your network.
There are two things to consider here. It is critical to maintain up-to-date credentials so your network monitoring or management solution can fully access your entire network. It's even more important to keep your monitoring or management system secure. That means passwords are up-to-date and you are changing them if necessary. It also means using strong passwords and, if possible, integrating with an open or third-party single sign-on solution, something like OpenID or others that will allow you to maintain a level of security across your entire system.
Avoid Default Credentials
The biggest threat to network security is not people accessing credentials through a network monitoring solution. It is using credentials such as guest/guest or 123/123 that were set at the factory as defaults. One of the advantages of using a network monitoring solution is putting all your credentials in one place and seeing what's going on with them. This way you have an idea of how many of those credentials haven't been changed from factory settings, or haven't been changed in a long, long time.
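The review described above can be scripted once the credential inventory sits in one place. The following is an added example, not code from WhatsUp Gold or from the authors: it assumes an exported inventory whose secrets can be compared, and the default list, the 365-day rotation policy, the type names and all sample entries are constructed for illustration. It also flags SNMP v1/v2c and Telnet entries, because those protocols send their secret unencrypted.

```python
from dataclasses import dataclass
from datetime import date

# Constructed list of factory defaults; extend it from your vendors' documentation.
FACTORY_DEFAULTS = {
    ("guest", "guest"), ("123", "123"), ("admin", "admin"),
    ("", "public"), ("", "private"),  # SNMP v1/v2c community strings
}
# SNMP v1/v2c and Telnet send their secret unencrypted on the wire.
CLEARTEXT_TYPES = {"snmp_v1", "snmp_v2c", "telnet"}
MAX_AGE_DAYS = 365           # assumed rotation policy
AS_OF = date(2024, 6, 1)     # fixed audit date so the sample is reproducible

@dataclass
class Credential:
    name: str
    ctype: str
    username: str
    secret: str
    last_changed: date

def audit(creds, today, max_age_days=MAX_AGE_DAYS):
    """Return {credential name: [findings]} for every credential with a problem."""
    report = {}
    for c in creds:
        findings = []
        if (c.username.lower(), c.secret.lower()) in FACTORY_DEFAULTS:
            findings.append("factory-default")
        age = (today - c.last_changed).days
        if age > max_age_days:
            findings.append(f"stale ({age} days)")
        if c.ctype in CLEARTEXT_TYPES:
            findings.append("cleartext-protocol")
        if findings:
            report[c.name] = findings
    return report

# Constructed sample inventory (placeholder names and secrets)
SAMPLE = [
    Credential("core-switch-snmp", "snmp_v2c", "", "public", date(2019, 3, 1)),
    Credential("lobby-ap-telnet", "telnet", "guest", "guest", date(2024, 1, 10)),
    Credential("win-hosts-wmi", "wmi", "svc_monitor", "example-only-Xq7", date(2024, 2, 1)),
    Credential("linux-ssh", "ssh", "monitor", "example-only-passphrase", date(2021, 6, 15)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, AS_OF).items():
        print(f"{name}: {', '.join(findings)}")
```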
What’s Up with WhatsUp Gold?
We recommend a network monitoring solution that finds everything on your network, and uses credentials to not only understand what's connected, and how it's connected, but what it's doing – what's reaching its thresholds, what isn't, and what's the health of your network at a glance.
WhatsUp Gold is the new monitoring solution Progress provides. It shows you when trouble is coming and finds and fixes problems before your users even notice. Its powerful alerting and dashboarding capabilities let you know if there's a problem via text, email, Slack, or even Teams. It is simple to set up and easy to license. It includes features like configuration management, cloud monitoring, traffic analysis, application monitoring, and virtual monitoring.
A Few Credentials Questions for WhatsUp Gold Guru Jason Alberino
WhatsUp Gold users always want to make the most of their network monitoring solution, and who better to pepper with questions than our own WUG Ninja Jason Alberino. Here are a few things customers asked in our recent Best Practice Series: Credentials.
Question: In the spirit of minimizing permissions concerns, is it better to use SNMP for Windows instead of WMI? Is there anything SNMP won't provide that WMI will?
Alberino: I used to recommend only using SNMP because WMI was so bloated. Since Microsoft deprecated support for SNMP in Server 2012, they really haven't touched it. And I have seen issues with using just SNMP. Using WMI is fine as long as you're controlling access to the credentials, or setting up read-only credentials, so to speak. You have multiple options there.
WMI does indeed provide more information than SNMP does on Windows devices, specifically, things like the CPU utilization within WhatsUp Gold. If you do that in SNMP with Windows, it shows ‘unknown processor type.’ Why is that? Because that's how Microsoft populates SNMP. But if you're using a WMI credential, you get the full-on processor name, Intel Xeon, model number, et cetera.
The same thing goes when it comes to disk utilization using WMI versus SNMP. SNMP on Windows does not supply disk mount information, and a lot of SQL and Exchange best practices say you should be using disk mounts. WMI can give you that information, where SNMP cannot. At least where it stands nowadays, I always recommend WMI over SNMP because it is now very stable. It's not what it once was many years ago. If you're on Server 2012 or higher, you should be using WMI instead of SNMP at this point.
Question: Is credential monitoring part of standard WhatsUp Gold, or is it an add-on? Can you maybe give us a little bit more detail on how you can manage credentials within WhatsUp Gold?
Alberino: Credential monitoring is more of an add-on to WhatsUp Gold through the Log Management suite we added earlier this year. With log management, you can collect Windows event logs and Syslog messages, as well as create thresholds for alerts. Maybe you don't want to be notified anytime someone tries to use their password and it's bad. Instead, you want to be notified if it happens 10 times in the past 10 minutes, something along those lines. That is possible with the Log Management add-on.
The same goes for Syslog messages. If someone is logging into your router, or switch with a bad username or password, you want to know about it. That's where log management comes to the rescue once again, but that is an add-on to WhatsUp Gold, if you have the Premium edition. If you are licensed for the Total Plus edition, we grant access to the log management with no additional charge. Using your existing Total Plus license, you now have access to log management as long as you upgrade to version 21 or higher.
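Added example, not part of the interview and not WhatsUp Gold code: a sliding-window version of the "10 times in the past 10 minutes" threshold from the answer above, run over failed-login messages. The log line format, host names and addresses are constructed for illustration; a real deployment would parse the device's own syslog or Windows event format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (not a WhatsUp Gold or vendor format):
# "<ISO timestamp> <host> auth: FAILED login user=<user> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: FAILED login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def detect_bursts(lines, threshold=10, window=timedelta(minutes=10)):
    """Return (timestamp, host, src, count) for each time one source reaches
    `threshold` failures against one host inside a sliding `window`."""
    recent = defaultdict(deque)   # (host, src) -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # successful logins and unrelated messages
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["host"], m["src"])]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, m["host"], m["src"], len(q)))
            q.clear()                     # re-arm so one burst raises one alert
    return alerts

def sample_log():
    """Constructed sample: a burst from 203.0.113.7, occasional failures from 10.0.0.5."""
    base = datetime(2024, 6, 1, 9, 0, 0)
    lines = []
    for i in range(12):   # 12 failures, 30 seconds apart
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} edge-rtr1 auth: FAILED login user=admin src=203.0.113.7")
    for i in range(10):   # 10 failures, 5 minutes apart: never 10 inside one window
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} edge-rtr1 auth: FAILED login user=jsmith src=10.0.0.5")
    lines.append(f"{base.isoformat()} edge-rtr1 auth: ACCEPTED login user=jsmith src=10.0.0.5")
    return sorted(lines)   # ISO timestamps sort chronologically

if __name__ == "__main__":
    for ts, host, src, count in detect_bursts(sample_log()):
        print(f"{ts.isoformat()} ALERT {count} failed logins on {host} from {src}")
```

The ten failures spread over 45 minutes from 10.0.0.5 stay below the threshold, which is the noise the per-event alert would otherwise generate.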
Question: Can you detail how WhatsUp Gold stores credentials, and allows you to use them and change them if necessary?
Alberino: Credentials are stored and encrypted within our database. That is a permission you can grant people. People either have access to the credentials library within WhatsUp Gold or they do not. And even those people with access would not be able to see plain text passwords anywhere or anything like that. All the information is encrypted within the database. If you're concerned about someone looking at the credential library, just don't grant them access.