After four months, it is time again to write another article about another product.
As it happens, we’ve added a new toy to our portfolio:

SolarWinds Access Rights Manager (ARM)

Some of you may know it under its former name, 8MAN.

 

What exactly does ARM do? And who came up with this TLA?

The tool validates permissions within Active Directory®, Exchange™, SharePoint®, and file servers. So who has access to what, and where does the permission come from?

Users, groups, and effective permissions can be created, modified, or even deleted.

Reports and instant analysis complete the package.

Everything works out of an elegant user interface, and you can operate it—even if you aren’t a rocket scientist.

 

ARM can be installed on any member server and comes with minimal requirements.
The OS can be anything from 2008 SP1 up; give it two cores and four gigs of RAM, and you’re golden, even for some production environments. The data is stored on SQL Server 2008 or later.

The install process is quick.

 

 

Once installed, the first step is to click the configuration icon on the right-hand side. The color is 04C9D7, and according to the internet, it is called “vivid arctic blue,” but let’s call it turquoise.
On that note, let me tell you: I am German and unable to pronounce turquoise, so I am calling it Türkis instead.

 

 

The next step is to create an AD and SQL® user and connect to the database:

 

 

ARM is now available, but not yet ready to use.

 

 

We need to define a data source, so let’s attach AD. The default settings will use the credentials already stored in ARM for directory access.

 

 

In my example, an automated search kicks off in the evening. When you set it up for the first time, I suggest clicking the arrow manually once to get some data to work with.
Attention: Don’t do this with 10,000 users in the early morning.

Alright, that’s it.


Now click the orange—sorry, F99D1C—icon to start the tool.

 

 

Login:

 

 

The first thing we see is the dashboard:

 

 

Let’s deal with the typical question, “Why was that punk able to access X at all?”
The main reason for this is probably a nested authorization, which isn’t obvious at first glance.
But now ARM comes into play.
Click on Accounts and enter Mr. Punk’s name into the search box above:


 

The result is a tree diagram showing the group memberships, and it is easy to see where the permission is coming from.
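
To make the “nested authorization” idea concrete, here is an added example (not part of ARM or the original post) that walks nested group memberships and reports every chain ending in a group named on a folder’s ACL. The account, group names, and ACL are constructed sample data, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample data: direct "member of" edges, as a directory stores them.
MEMBER_OF = {
    "mr.punk": ["Helpdesk", "Project-Apollo"],
    "Helpdesk": ["IT-Staff"],
    "Project-Apollo": ["Contractors"],
    "Contractors": ["IT-Staff"],                   # second route to the same group
    "IT-Staff": ["FS-Finance-Modify", "Helpdesk"],  # includes a circular nesting
    "FS-Finance-Modify": [],
}
# Constructed ACL: groups named on the folder and the right each one grants.
FOLDER_ACL = {"FS-Finance-Modify": "Modify"}


def membership_paths(account, member_of):
    """Return every chain account -> ... -> group, following nested groups.

    A group already on the current chain is skipped, so circular nesting
    cannot loop forever.
    """
    paths, queue = [], deque([[account]])
    while queue:
        chain = queue.popleft()
        for parent in member_of.get(chain[-1], []):
            if parent in chain:        # circular nesting guard
                continue
            paths.append(chain + [parent])
            queue.append(chain + [parent])
    return paths


def explain_access(account, member_of, acl):
    """List (right, chain) for each ACL entry the account reaches, shortest first."""
    hits = [(acl[p[-1]], p)
            for p in membership_paths(account, member_of) if p[-1] in acl]
    return sorted(hits, key=lambda hit: len(hit[1]))


if __name__ == "__main__":
    for right, chain in explain_access("mr.punk", MEMBER_OF, FOLDER_ACL):
        print(f"{right}: " + " -> ".join(chain))
```

Removing the account from one group does not revoke the right while a second chain still reaches the same ACL entry, which is why every chain is listed rather than just the first.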

 

 

If you click on a random icon, you will see more details—give it a try.
You can also export the graphic as a picture.
On the right side, you will find AD attributes:

 

 

Now it is getting comfortable. It is possible to edit any record just from here:

 

 

Oh yes, I don’t trust vegetarians!

By the way, this box here is mandatory on any change, as proper change management requires the setting of notes.

 

 

And while we’re at it, right-click on an account:

 

 

Let’s walk from AD to file permissions. It’s only a short walk, I promise.
Click Show access rights to resources as seen above.

Now we need to select a file server:

 

 

On the right, we see the permissions in detail:

 

 

We ship ARM with a second GUI in addition to the client—a web interface accessible from anywhere, where you find tools for other tasks.

Typical risks are ready for your review out of the box. Just click on Risks. I know you want to do it:

 

 

You’ll find some interesting information, like inactive accounts:

 

 

Permanent passwords:

 

 

Or everybody’s darling, the popular “Everyone” permission on folders:

 

 

One does not simply “Minimize Risks,” but give it a try:

 

 

I could initiate changes directly from here – also in bulk.

 

By the way, any change made via ARM will be automatically logged.
The logbook is at the top of the local client, and we can generate and export reports:

 

You may have seen this above already, but you can find more predefined reports directly on the Start dashboard:

 

 

Let’s address one or two specific topics.

Since Server 2016, there is a new feature available called temporary group membership.
It can be quite useful; for example, in the case of an employee working in a project team who requires access to specific elements for the duration of the project. That additional authorization will expire automatically after whatever time has been set.

Practical, isn’t it?

 

But also consider this: Someone might have used an opportunity and given him- or herself temporary access to a resource with the understanding that the change of membership will disappear again, which makes the whole process difficult—if not impossible—to comprehend.

But not anymore! Here we go:

 

 

If you hover over this box here…

…you will find objects on the right side:

 

 

For this scenario, these two guys here might be interesting:

 

Unfortunately, in my lab, there’s nothing to see right now, so let’s move on.

 

ARM allows routine tasks to be performed right from the UI; for example, creating new users or groups, assigning or removing permissions, and much more.
This becomes even more interesting when templates, or profiles, are introduced.

Let’s change into the web client. Click the cogwheel on top, then choose Department Profiles:

 

 

At the right side, click Create New.

 

 

The profile needs a shiny name:

 

 

Always make sure people who operate microwaves receive proper training. But that’s a different story.

More buttons on the left side; I will save it for now:

 

 

Starting now, you can assign new hires to these profiles, and everything else is taken care of by the tool, like assigning group memberships or setting AD attributes.

 

Of course, these profiles are also baselines, and there is a predefined report available showing any deviations from the standard. Just click Analysis and User Accounts.

 

 

Select a profile and off you go:

 

 

Elyne is compliant; congratulations. But that’s hardly surprising, as she is the only employee in Marketing:

 

 

These are just a few features of ARM. Other interesting topics would be the integration of different sources, or scripts for more complex automation. This is food for future postings.

 

But you know what I like most about ARM, as a computer gamer?
You can click on just about anything.

Try this out; it’s at the left side of the Start dashboard:

 

 

Have fun exploring.

Woes of Flow

A poem for Joe

 

It uncovers source and destination

without hesitation.

Both port and address

to troubleshoot they will clearly assess.

Beware the bytes and packets

bundled in quintuplet jackets,

for they are accompanied by a wild hog

that will drown your network in a bog.

The hero boldly proclaims thrice,

sampling is not sacrifice!

He brings data to fight

but progress is slow in this plight.

 

Mav Turner

 

As network operators, one of the most common—and important—troubleshooting tasks revolves around tracking down bandwidth hogs consuming capacity in our network infrastructure. We have a wealth of data at our fingertips to accomplish this, but it’s sometimes challenging to reconcile into a clear picture.

 

Troubleshooting high utilization usually begins with an alert for exceeding a threshold. In the Orion Platform’s alerting facility, there are several conditions we can set up to identify these thresholds for action. The classic—and simple—approach is to set a threshold for utilization defined as a percentage of the available capacity. The Orion Platform also supports baselining utilization in a trailing window and setting adaptive thresholds. Next, you need to investigate to determine what’s driving utilization and decide what action to take.

 

Usually, the culprit is a particular application generating an unusual level of traffic. We can get some insights into application traffic volumes from a NetFlow analyzer tool like NetFlow Traffic Analyzer.

 

So, why don’t the volume measurements match exactly from these two sources of data? Aren’t interface utilization values the same as traffic volume data from NetFlow?

 

Let’s review the metrics we’re working with, and how this data comes to us.

 

Interface capacity—the rate at which we can move data through an interface—is modeled as an object in SNMP, and we pick that up from each interface as part of the discovery and import process into Network Performance Monitor network monitoring software. It can be overridden manually; some agents don’t populate that object in SNMP correctly.

 

Interface utilization is calculated from the difference in total data sent and received between polls, divided by the time interval between polls. The chipset provides a count of octets transmitted or received through the interface, and this value is exposed through SNMP. The Orion Platform polls it, then normalizes it to a rate in the same units in which the interface speed is expressed, usually bits per second.

 

SNMP Polled Utilization

 

The metrics reported by SNMP about data received or sent through the interface include all traffic—layer two traffic that isn’t propagated beyond a router, as well as application traffic that is routed. Some of the data that flows through the interface isn’t application traffic. Examples include address resolution protocol traffic, some link-layer discovery protocols, some link-layer authentication protocols, some encapsulation protocols, some routing protocols, and some control/signaling protocols.

 

For a breakdown of application traffic, we look to flow technologies like NetFlow. Flow export and flow sampling technologies are normalized into a common flow record, which is populated with network and transport layer data. Basic NetFlow records include ICMP traffic, as well as TCP and UDP traffic. While it’s possible on some platforms to enable an extended template that includes metrics on layer 2 protocols, this is not the default behavior for NetFlow, or any of the other flow export protocols.

 

Top N Applications traffic volumes

 

The sFlow protocol takes samples from layer 2 frames, and forwards those. So, while it’s possible to parse out layer 2 protocols from sFlow sample packets, we generally normalize sFlow along with the flow export protocols to capture ICMP, TCP, and UDP traffic, and discard the layer 2 headers.

 

When we work with flow data, we’re focusing on the traffic that is generally most variable and represents the applications that most often drive the high utilization we’re investigating. But in terms of the volumes represented, flow technologies examine only a subset of the total utilization we see through SNMP polled values.

 

SNMP Polled versus application flow volumes

 

An additional consideration is timing. SNMP polling and NetFlow exports run on independent schedules and are not synchronized. For example, we may poll using SNMP every five minutes and average the rate of bandwidth utilization over that entire period. In the meantime, we may have NetFlow exports from our devices configured to send every minute, or we may be using sFlow and continuously receiving samples. Looking at the same one-minute period, we may see very different values for interface utilization and for the application traffic that is likely the main driver of our high utilization.

 

SNMP Polling and flow export over time intervals
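
The arithmetic behind that mismatch, as an added example that is not Orion Platform code: polled utilization from two octet-counter readings (including a 32-bit counter wrap) next to the per-minute rates implied by flow records for the same five minutes. The counter values, flow byte counts, and 100 Mbit/s interface speed are constructed, and the function names are hypothetical.

```python
COUNTER32_MOD = 2 ** 32   # ifInOctets/ifOutOctets are 32-bit and wrap; ifHC* are 64-bit


def octet_delta(prev, curr, modulus=COUNTER32_MOD):
    """Octets counted between two polls, allowing for one counter wrap."""
    return (curr - prev) % modulus


def utilization_pct(prev, curr, interval_s, if_speed_bps, modulus=COUNTER32_MOD):
    """Polled utilization: octet delta -> bits per second -> percent of capacity."""
    bps = octet_delta(prev, curr, modulus) * 8 / interval_s
    return 100.0 * bps / if_speed_bps


def flow_rate_pct(flow_bytes, interval_s, if_speed_bps, sampling_rate=1):
    """Rate implied by flow records over one interval, scaled up for 1:N sampling."""
    return 100.0 * flow_bytes * sampling_rate * 8 / interval_s / if_speed_bps


def compare(prev, curr, poll_s, flow_bytes, export_s, if_speed_bps):
    """Put the single polled average next to the flow view of the same window."""
    polled = utilization_pct(prev, curr, poll_s, if_speed_bps)
    per_export = [flow_rate_pct(b, export_s, if_speed_bps) for b in flow_bytes]
    flow_avg = flow_rate_pct(sum(flow_bytes), poll_s, if_speed_bps)
    return {
        "polled_pct": polled,                # what the utilization alert sees
        "flow_avg_pct": flow_avg,            # ICMP/TCP/UDP only, same window
        "flow_peak_pct": max(per_export),    # busiest export interval
        "non_flow_pct": polled - flow_avg,   # layer 2 and other traffic flow omits
    }


# Constructed sample data for one direction of a 100 Mbit/s interface.
IF_SPEED = 100_000_000
POLL_PREV, POLL_CURR, POLL_S = 4_100_000_000, 1_005_032_704, 300  # counter wrapped
FLOW_BYTES_PER_MIN = [60_000_000, 75_000_000, 675_000_000, 225_000_000, 90_000_000]

if __name__ == "__main__":
    result = compare(POLL_PREV, POLL_CURR, POLL_S, FLOW_BYTES_PER_MIN, 60, IF_SPEED)
    for name, value in result.items():
        print(f"{name}: {value:.1f}%")
```

The five-minute poll averages to 32% while one flow minute runs at 90%, and flow accounts for 30 of those 32 points over the full window.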

 

If we’re using sFlow exclusively, our accuracy can be mathematically quantified. The accuracy of randomly sampled data—sFlow, or sampled NetFlow—depends solely on the number of samples arriving over a specific interval. For example, a sample arrival rate of ~1/sec for a 10G interface running at 35% utilization and sampling at 1:10000 yields an accuracy of +/-3.91% for one minute at a 98% confidence interval. That accuracy increases as utilization grows or over time as we receive a larger volume of samples. You can explore this in more detail using the sFlow Traffic Characterization Worksheet, available here: https://thwack.solarwinds.com/docs/DOC-203350

 

So, what’s the best way to think about the relationship between utilization and flow-reported application traffic?

 

  • Utilization is my leading indicator for interface capacity. This is the trigger for investigating bandwidth hogs.
  • Generally, utilization will alert me when there’s sustained traffic over my polling interval.
  • Application traffic volumes are almost always the driver for high utilization.
  • I should expect that the utilization metric and the application flow metrics will never be identical. The longer the time period, the closer they will track.
  • SNMP-based interface utilization provides the tools to answer the questions:
    • What is the capacity of the interface?
    • How much traffic is being sent or received over an interface?
    • How much of the capacity is being used?
  • Flow data provides the tools to answer the questions:
    • What application or applications?
    • How much, over what interval?
    • Where’s it coming from?
    • Where is it going?
    • What’s the trend over time?
    • How does this traffic compare to other applications?
    • How broadly am I seeing this application traffic in my network?

 

Where can I learn more about flow and utilization?

 

An Overview of Flow Technologies

https://www.youtube.com/watch?v=HJhQaMN1ddo

 

Visibility in the Data Center

https://thwack.solarwinds.com/community/thwackcamp-2018/visibility-in-the-data-center

 

Calculate interface bandwidth utilization

https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Knowledgebase_Articles/Calculate_interface_bandwidth_utilization

 

sFlow Traffic Characterization Worksheet

https://thwack.solarwinds.com/docs/DOC-203350

Choosing the right monitoring tool can be difficult. You have fires to put out, time is limited, and your allocated budget may rival that of a first grader's allowance. When budgets are tight, there's nothing better than free, and many of you may lean on open-source solutions. These tools usually have no price tag and are essentially "free," but we have a saying here at SolarWinds®... "Is it free like a puppy, or free like a beer?"

 

While there isn't an actual cost through a purchase with open-source software, the caveat is that you usually need to put extensive work into getting them up and running. What if you had an alternative? A monitoring solution already purpose built for you, that is intuitive and helps cover the essentials. I'd like to introduce you to SolarWinds ipMonitor® Free Edition. The free edition of ipMonitor offers all the same functionality as paid software and supports up to 50 monitors.

 

ipMonitor is a comprehensive monitoring solution for your network devices, servers, and applications in a consolidated view. The tool is streamlined for simple agent-less monitoring of availability, status, and performance metrics in a lightweight tool that can be installed almost anywhere.

 

Perfect for even the smallest satellite office, ipMonitor sets up in minutes, uses minimal resources, and is completely self-contained, so there is no need to install a web front end or separate database and be forced to maintain it.

 

 

Use and customize built-in dashboards to organize the critical data in your environment. Easily track response time, hardware health, or bandwidth of your firewalls, routers, and switches. Monitor servers for CPU, memory, drive space, and even critical services.


 

 

Drill down to investigate in more granular detail and view historical statistics. Click a chart to instantly generate an automated report to share, print, or save.

Leverage built in service monitors or assign port checks.

Pull performance counters or simulate user experience through built in wizards.


 

  Take advantage of simplified NOC views to quickly pinpoint areas of concern.


 

 

There is a ton of power packed in such a small package, and best of all - it's FREE!  Download it for yourself. Check it out here: ipMonitor Free Edition | SolarWinds

 

Want to learn more? Check out the upcoming webinar: https://launch.solarwinds.com/essential-monitoring-with-ipmonitor-re-broadcast.html

 

Share feedback or see how others are leveraging ipMonitor in the ipMonitor forum on THWACK.

 


Need to expand beyond the free edition? ipMonitor offers the ability to scale to help stay ahead of the next crisis, without emptying the pocket book. Whether you run a small business or need dedicated monitoring for a particular project fast, ipMonitor is designed to simplify the day-to-day.

 

Check out the ipMonitor documentation in the SolarWinds Success Center
