Tools to determine which sites are coming from Akamai

Like many other posts, I am using the NTA and see a huge amount of data coming from Akamai Technologies.  Is there something that I can install on my NPM to determine specific traffic from these sites?  I am using On Demand DNS resolution and not persistent. 

  • If Akamai is using a fixed set of IP addresses you could create an IP address group for them in NTA.

  • I'm not entirely clear on what you're trying to do. If you just want to filter on all traffic from Akamai, probably the easiest way is with the BGP Origin-AS feature in NTA--assuming you have a BGP router available with full tables. You could also use an IP address group like Andy suggested, but for a CDN as vast as Akamai that is going to be very difficult to create and maintain.

    If you want to see what websites are having their traffic delivered by Akamai, you would need to look at HTTP header content and/or DNS query traffic. Monitoring those is not something that NPM does.

  • jswan, is there a way (with a Solarwinds addin or any other method) to monitor the HTTP header content and/or DNS query traffic? I am in the same boat as richreitenauer. We have our NTA set up, but there are a lot of endpoints listed under the akamai domain which is less than helpful for any monitoring needs. On a side note, we also have a lot of endpoints that show up as just IP addresses. All of our internal IPs are resolving to hostnames, but probably 50% of the endpoints showing up in the NTA summary are IP addresses for external websites. I have been working with Solarwinds Tech Support, but they have not been able to come up with anything. Any help here would be greatly appreciated!

  • You can't do it with native Solarwinds tools.

    I use Bro (installed as part of the amazing open-source Security Onion) to monitor HTTP headers and DNS queries. With the current 10.04 version of Security Onion you need a fair amount of Linux CLI skill to use the Bro logs effectively. In the 12.04 version (currently in beta) there is a tool called ELSA that gives you a nice web-based GUI front-end to a database of Bro logs.

    I can't say enough good things about Security Onion; it's an incredible set of tools. It's free and has a dedicated user base.

    I'm sure there are lots of other solutions out there too. There's a guy who posts here who works for a company that sells a DPI add-on to Solarwinds NPM/NTA that might do some of this stuff, but I don't know much about it.
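
Added example (not part of the original thread or any poster's code): one way to turn Bro DNS logs into a lookup from CDN edge IP back to the hostname a client actually asked for, which is what the bare IP endpoints in NTA are missing. It assumes Bro's tab-separated `dns.log` with a `#fields` header that includes `query` and `answers`; the suffix list is an assumption about common Akamai CNAME targets, and the log lines are constructed samples with fewer columns than a real log.

```python
from collections import defaultdict
import ipaddress

# Assumption: CNAME suffixes commonly seen on Akamai-delivered hostnames.
AKAMAI_SUFFIXES = (".edgekey.net", ".edgesuite.net", ".akamaiedge.net", ".akamai.net")

# Constructed sample in Bro's TSV layout (a real dns.log carries more columns).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tquery\tqtype_name\tanswers",
    "1350000000.1\t10.1.1.20\twww.example.com\tA\twww.example.com.edgekey.net,e1234.a.akamaiedge.net,203.0.113.10",
    "1350000001.2\t10.1.1.21\tStatic.example.org\tA\tstatic.example.org.edgesuite.net,a1.g.akamai.net,203.0.113.10,203.0.113.11",
    "1350000002.3\t10.1.1.22\tintranet.example.net\tA\t192.0.2.5",
    "1350000003.4\t10.1.1.23\tmissing.example.com\tA\t-",
])

def parse_bro_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def akamai_ip_map(text):
    """Return {edge_ip: {queried hostnames}} for answers resolved via Akamai CNAMEs."""
    ip_to_sites = defaultdict(set)
    for rec in parse_bro_tsv(text):
        answers = rec.get("answers", "-")
        if answers in ("-", "(empty)"):      # unanswered query or NXDOMAIN
            continue
        answers = answers.split(",")
        names = [a.rstrip(".").lower() for a in answers if not is_ip(a)]
        if not any(n.endswith(AKAMAI_SUFFIXES) for n in names):
            continue                         # no Akamai CNAME in the chain
        for ip in filter(is_ip, answers):
            ip_to_sites[ip].add(rec["query"].lower())
    return dict(ip_to_sites)

if __name__ == "__main__":
    for ip, sites in sorted(akamai_ip_map(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(sites)))
```

One edge IP often serves many sites, so each address maps to a set of hostnames rather than a single name.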

  • Hi There,

    As jswan mentioned, we have a product called LANGuardian which integrates with Orion. It uses a DPI engine which looks at HTTP headers and DNS query traffic. You can see a sample of the output at the link below.

    http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=31

    Darragh

  • Thanks for the responses! I took a look at the tools you mentioned and, although LANGuardian looks like exactly what we want, I don't think we are ready to shell out 5k for it... yet. I am looking into Security Onion and Bro, but I do not have much experience with Linux so I am not sure how that will go. Again, thanks for the information.

  • I do have one more question jswan. I installed the latest version of Security Onion, but I saw that there was an OS update that needed done. I tried to do that and everything broke. I did click discard on a few config files so that may have done it. Can I upgrade successfully by keeping all config files or can I not do the OS update at all? Sorry, this is something that I should probably know if I knew more about the program/environment. Thanks

  • There is a Security Onion list on Google Groups that can help with that sort of thing. I don't think this is the appropriate place for it. Suffice to say you will need to build some basic Linux skills if you want to get anything out of it.

  • Alright, I will head over there if I need any other help and I will try to pick up some Linux skills. Thanks for your help.