Report on Internet (outside) originated traffic

This isn't really a function of NPM -- it doesn't capture flow data. that's a function of NTA.

look at enabling netflow on your border router and pointing it at NTA... that can show some interesting traffic patterns.

Also, who really owns the IP addresses you are using?

If you own your own IP addresses [i.e. you have been allocated them directly by ARIN] then it's a small matter of you simply creating a new BGP peering with the new ISP and you don't need to renumber.

If you are using provider-provided IP addresses then you're going to have to renumber averything, so the answer is every ip address we've been assigned by our provider.

That data is going to be more easily gathered from Netflow off your border firewalls/routers. Or if you're just looking to see what addresses respond to requests (providing you allow ICMP) then IPAM will show your used address space.

Hi,

Yes we have NPM & NTA.

We have several addresses that point to devices in the DMZ & others servers.

The problem is, there appears not to be a clear & conclusive list of what external ip addresses are active & what they point to inside here.

That's why my boss asked me to figure out a way to use whatever resource within SolarWinds (reports, NTA , syslogs etc...) which can capture or display data from a 30 day period & by so doing, show us what is active (from the outside coming in).

So far I have been hitting a brick wall in my own efforts to figure out how to filter traffic based on its origination source.

The real world addresses are Verizons, not ours BUT we don't actually use every real world address & that's why I need some way to create a list of whats originating on the outside & where is it going on my premise.

Hi There,

We develop a product called LANGuardian and some of our customers use it for situations like the ones you describe. Something to show who\what is hitting hosted services. LANGuardian uses a DPI engine to capture flow and application info from network traffic. It does not age data so you would be able to look at records over a 30 day period.

As it integrates with Orion you can retain the SolarWinds products as your main frontend. You can see an example of this on our online demo which is available at this link. Just use guest as the logon.The reports on the right (inbound and outbound) use filters to focus on traffic coming into and out of a network. You can use whatever filter you like.

Hope this helps

Darragh

Hi -

If you know the IP range of your public addresses, then a very quick and dirty way of finding out what is "live" is to perform a NESSUS scan from another location. At the very least, this will give you an idea of what IPs are responding, what ports are open etc. and will even give you a rough idea of what OS the IP is running (although this isn't always too accurate!).

Once you know which IP addresses are live, then you can match with what you know about your internal servers and work from there. You may even find you've got servers open to the Internet that shouldn't be :-)

Regards,

John

You can also check your firewall/internet edge router inbound rules. You should have NAT/PAT translations for public access to your DMZ or internal network. The translated rules will give you not only the public IPs in use but also the mapped internal IPs and the TCP/UDP port numbers.

Solarwinds has FSM that can help as well.

All you really need to do is get your firewall team to assign a fixed NAT address for your Orion server that will do the polling for devices on the internet side of the firewall.  Then they need to open snmp, icmp, as well as telnet and ssh if you are using NCM.  Once that's done you need to get the data team to configure these devices for SNMP with an access list that only allows the Orion poller to access the devices with snmp, icmp, telnet, ssh.  From that point on, these devices look just like any other device.  What I've done for my security team is created and SNMP cheat sheet that shows all the require snmp configs and access list for devices inside the firewalls and outside the firewalls.  I then created polices in NCM to check all devices for these required configs.  That way the engineers know what to put in and I check just in case they forgot.