Deployment Specifications
  • 27 Feb 2023
  • 8 Minutes to read
  • Dark
    Light
  • PDF

Deployment Specifications

  • Dark
    Light
  • PDF

Article Summary

Netreo uses existing manufacturer APIs to collect data from systems without having to install additional agents. The following is a guide to preparing the devices in your environment to get the best results when deploying Netreo.

Whenever practical, Netreo recommends installing Netreo on a core network, inside any firewalls used for perimeter protection. Because Netreo uses a wide variety of protocols for management (including direct connections to applications for monitoring and management), implementation is greatly simplified by this approach. Firewall port and protocol information is included here for your convenience, and destination port numbers are specified.

Preparing for Netreo

See Preparing for Deployment

Outbound Firewall Configuration

See Firewall Requirements

Device Management

Network Devices

This section covers network devices such as routers, switches, UPSs, load balancers, wireless, firewalls, etc.

Netreo uses SNMP to collect data from these types of devices. Your devices should be configured to respond to SNMP from the IP address of the Netreo appliance. Only read-only access is required. Netreo recommends SNMPv2c for performance reasons. Netreo includes a device configuration manager used for backing up device configurations and tracking changes. Netreo will need privileged login credentials to these devices in order to use the configuration management features.

Windows Servers

Netreo uses the Windows Management Interface (WMI) or Windows Remote Management (WinRM) to collect data from these systems. In order to use WMI, you will need to setup a service account in your network that Netreo can use to log into your servers. This account should not be shared with other monitoring systems, and should not be restricted as to the number of concurrent logins. The account will need the “DCOM” permission, have local administrative privileges on the system to be monitored, or be part of the “Domain Admins” group. See Windows Device Monitoring and Management for additional information on Windows account privileges and setup.

Linux / Unix Servers

For these devices Netreo uses SNMP and the Host Resources MIB. Most of these servers include a package called “Net-SNMP” to provide SNMP access for management systems. Make sure this package (or similar) is installed and the agent (SNMPD) is running.

vCenter

To collect metrics for virtual resources in vCenter, Netreo uses the APIs VMware has made available for that purpose. Netreo invokes a limited number of the API operations available and requires a service account that includes the System.Anonymous, System.Read and System.View privileges. More detailed information can be found in the vSphere 5 Documentation Center.

UPS Devices

As with the switches, routers, and servers Netreo can also get SNMP status information off your power, HVAC, or environmental monitoring equipment. Make sure an SNMP agent is listening and the proper access-list entries (if applicable) are set up.

Application Monitoring

Requirements for monitoring specific applications can vary widely, but a few applications which are often mission-critical that you should consider monitoring at the application level include SQL (MSSQL, Oracle, MySQL), Web Applications (including shared or cloud-hosted applications), Email (locally hosted or cloud-based), and DNS. Netreo is generally configured to send alerts via email. Our best practice recommendation is to allow Netreo to communicate outbound to the Internet on port TCP/25, as this allows direct connections to smartphone gateways that you want to receive alerts. If that access is not possible, you can relay SMTP mail through an internal server, however this creates a single point of failure for alerts if that relay host stops responding, so we recommend this configuration only as a last resort or for testing purposes.

Firewall Rules

  • SQL: Netreo will require SQL access to the server in question. MSSQL is often on the default port of TCP/1433. Oracle uses a complex series of ports, documented here. MySQL is often on port TCP/3306.
  • Web/Cloud: Port TCP/80 or TCP/443, or occasionally a custom port.
  • Email: SMTP on port TCP/25, TCP/587, or TCP/465; and IMAP on port TCP/143 or TCP/993.
  • DNS: Port UDP/53

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

Protocol Types

SNMP

SNMP (Simple Network Management Protocol) is the main protocol used for Linux servers and network devices (such as routers, switches, firewalls, and load balancers). It provides a simple, efficient, standardized way of collecting data from devices. SNMP uses the concept of a "community string" (which functions much like a password) to authorize connections to the device.

Recommendations

  • Netreo recommends the use of SNMPv2c for most customer environments.
  • Configure the SNMP community string with read-only permissions.
  • Restrict SNMP access by using the filter or access-list functionality of the device under management to limit access to the specific IP address of the Netreo appliance.
    • Note: In "High-Availability" environments, you will want to make sure all of the Netreo appliance IP addresses are included on this list.
  • Read-write access is not generally required for Netreo to fully monitor devices and should not be left enabled.
  • Ensure your edge routers or firewalls are blocking SNMP traffic from the Internet and from non-controlled networks.

Although SNMP v2c does not provide encryption, as long as you are monitoring internal systems from inside your security perimeter, this generally does not create a significant security threat, as the information that can be gathered with read-only permissions is fairly limited.

If you are monitoring systems over the public Internet or other shared networks (where packet capture and eavesdropping is a potential security risk), Netreo supports the use of SNMPv3 for greater security. Under these conditions, Netreo recommends the use of AUTHPRIV mode only. Be sure to check that the devices you wish to manage support SNMPv3 in the AUTHPRIV mode. Other SNMPv3 modes add overhead without enhancing security.

Due to the higher overhead and lower performance offered by SNMPv3, customers should consider the implications carefully before deciding to standardize on SNMPv3. For assistance and advice specific to your environment and configuration, please review the article SNMP Security Best Practices or feel free to contact Netreo Support.

Firewall Rules

  • SNMP: Port UDP/161 for polled data collection and port UDP/162 for Trap messages (originating from the device to Netreo).

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

WMI/WSMAN

WMI and WSMAN (for WinRM) are protocols used to collect data from Windows servers. WMI is enabled by default on all versions of Windows since 2003. WSMAN is installed by default on Windows servers since 2008, but must be enabled manually. The primary difference is that WSMAN uses an encrypted web API for data collection—which is much simpler to configure if the traffic has to traverse a firewall. WSMAN does not require https for encryption.

Either of these requires an account with administrator privileges or DCOM permissions on the device to be managed. See Limiting WMI permissions for more information on how to use non-administrator accounts to access Windows statistics.

Firewall Rules

  • WMI: Port TCP/135 and all high ports (1024-65535), bidirectionally.
  • WSMAN: Port TCP/5985 originating from Netreo.

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

Windows Event Log

In order to collect Windows Event Log (WEL) data, Netreo has to retrieve it from the device under management. This is in contrast to Syslog, where the device sends the data to Netreo. To do so, Netreo must be configured to manage the device via WinRM/WSMAN.

Recommendations

  • Netreo will not generate alerts for WEL messages unless you create specific alert notification rules to do so.
  • Netreo uses the same Windows account credentials for WEL collection as it does for WMI/WSMAN, and the permissions required are the same.

Firewall Rules

  • WEL requires access to portTCP/5985 originating from Netreo.

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

Syslog

Syslog is a protocol used to push messages on demand from the devices under management back to Netreo. The biggest issue with syslog is that it can generate a large number of messages, obscuring important details with routine or trivial ones.

Netreo recommends configuring syslog on critical infrastructure devices, but that you configure those devices to limit the messages sent to warning level or higher.

Recommendations

  • Netreo will collect any syslog messages sent to it, but will not generate alerts for those messages unless you create syslog alert rules to do so.
  • It's good practice to restrict the syslogs being sent to warning or more severe levels.
  • Netreo recommends against sending syslogs from firewalls into Netreo, as it is not designed to be a dedicated high-volume log processing tool.

Firewall Rules

  • Syslog uses port UDP/514, originates from the device and is received by Netreo.

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

Configuration Management/Looking Glass

Netreo provides device configuration management (push/pull) as well as real-time command execution (looking glass and active response) to devices.

Netreo can use either SSH or Telnet to connect to CLI devices for these features. Where possible, Netreo recommends the use of SSH since it includes encryption functionality. Telnet is insecure and should only be used if the device under management does not support SSH v2. Netreo does not support the SSH v1 protocol, as it is insecure and obsolete.

Recommendations

  • Use SSH where supported by the device under management.
  • Do not use Telnet unless you must, as it is insecure.
  • If your environment uses a centralized login such as Radius or TACACS for authentication, use a dedicated Netreo account to manage access.
  • If you are using filters or access lists to restrict CLI access, be sure to include the specific IP address of the Netreo appliance.
    • Note: In High-Availability environments, you will want to make sure all of the Netreo appliance IP addresses are included on this list.

Firewall Rules

  • SSH uses port TCP/22
  • Telnet uses port TCP/23

See Credentials and Connectivity Test to check ports for connectivity from within Netreo.

Netflow/sFlow/IPFIX

Netreo supportsNetFlow (version 5 or 9), sFlow and IPFIX export from devices for traffic and protocol analysis and volume information. Flow export technologies such as these cause the network devices (typically layer 3 devices like routers) to send 'accounting level' information to Netreo (which includes source and destination address, port, protocol, and volume data) for reporting purposes, in order to provide deeper performance information.

When configuring flow technologies such as these, the goal is to configure the fewest number of exporters possible while still ensuring that Netreo can collect data on all the required traffic. Netreo automatically detects and processes duplicate flows to avoid creating incorrect traffic counts, but this is not always possible in complex network configurations.

Recommendations

  • Netreo supports multiple versions ofNetFlow, including IPFIX.
  • UsingNetFlow Version 5 or greater is recommended.
  • ConfigureNetFlow to export to the host address of Netreo using port UDP/2055.
  • Configure sFlow to export to the host address of Netreo using port UDP/2056.
  • ConfigureNetFlow on the outbound interfaces of layer 3 devices whenever possible.
  • Avoid creating duplicate flow reporting by not configuring flow on every possible interface.
  • Netreo uses subnet information to correlate traffic with source/destination sites, so ensure that you have configured or detected the required subnets in Netreo.

Firewall Rules

  • NetFlow is typically configured on port UDP/2055 originating from the device, but the port number can vary by environment.

Was this article helpful?