In the last article about network assessment, I documented the steps required to perform a network assessment, from the preparation stage to the documentation stage. In that article, we highlighted a few network assessment tools, but because of length constraints we could not go into much detail about them. Today I will review some of those network assessment tools, including their strengths and not-so-strong areas.
In the last article, I divided the network assessment tools into three categories:
Network inventory, analysis and network diagram
Network performance assessment
Our focus will mostly be on the first category because the bulk of a network assessment is usually done using these tools. Moreover, other tools used for network performance assessment like Wireshark already have enough coverage in other articles on this site.
Network inventory, analysis, and network diagram
The tools we will discuss here will help you: discover the network devices running in the organization; perform analysis, such as end-of-life, on these devices; and even produce network diagrams automatically from the discovered devices.
Solarwinds is a suite of applications, some of which can be used to perform a network assessment. The Solarwinds Network Configuration Manager (NCM) has a network discovery tool (Network Sonar Discovery) that can be used to automatically discover devices on the network using SNMP, although you can also add devices manually to the NCM database.
Assuming your customer uses mostly Cisco devices, you can then use the Solarwinds Network Discovery Service Tool (NDST) to perform analysis on the Cisco devices in the Solarwinds NCM database. The Solarwinds NDST will connect to the Cisco Discovery Service to provide an analysis of Cisco devices. This analysis includes end-of-life (now Last Date of Support [LDoS]) information, software and hardware vulnerabilities and so on. Basically, the reports you get from the Cisco Discovery Service reduce the work you have to do interpreting the results of your network assessment.
Note: You need a valid CCO account to use the Cisco Discovery Service.
Lastly, you can use the Solarwinds Network Topology Mapper to automatically discover and produce network diagrams.
The advantage of using Solarwinds is that many companies (that I have seen) already use it as network management software so you may be able to ride on that fact. In cases where the company is not already using it, you can always pitch it to them as a network management solution.
The disadvantage is that you need different Solarwinds applications/modules to achieve your goal and these modules have their own licensing costs. Also, the Network Topology Mapper needs to perform its own discovery of devices – it cannot get data from the NCM. This can be quite time-consuming, especially if you are performing the assessment on a large network.
Finally, Solarwinds modules are targeted more towards customers than system integrators/solution providers. You can download free 14-day or 30-day trials of many of the Solarwinds applications to evaluate them.
NetformX is targeted at service providers and system integrators to help them quickly design proposals and win bids. I have used the NetformX DesignXpert for network designs and I can tell you that the application is really deep and cool. But DesignXpert is not my focus for this article – NetformX Discovery is. This tool will discover your network, give you network diagrams and also perform analysis using the Cisco Discovery Service. Another great thing about NetformX is the visualization of devices – it doesn’t just use default symbols; it uses real visualizations of the devices. For example, I took the diagram below from their datasheet:
NetformX used to offer evaluation licenses but stopped recently. If you perform a lot of network assessments or even network designs for proposals, you may want to consider buying a license.
I recently evaluated neteXpose and it's actually great for network inventory and network diagram generation. It works similarly to the first two we described above and can also perform analysis using the Cisco Discovery Service.
One really good feature about this particular tool is that you can use the neteXpose Knowledge Server to get similar information to what you will get using the Cisco Discovery Service. This is very beneficial to non-Cisco partners. An example of the report produced by neteXpose is shown below:
On a side note though, I feel neteXpose can improve the format of its reports. Apart from that, it is a great tool that can be used flexibly, on a computer or even run from a USB stick. You can request an evaluation license from their site.
Update: Since writing this article, I have received feedback from neteXpose regarding their reports. Apparently, the tool offers a flexible report structure, allowing users to customize the reports using templates and other fun stuff. I didn't get to try out this feature in my evaluation.
Note: Although I have spoken mostly about discovery of Cisco devices, these tools actually provide multi-vendor support.
Network performance assessment
Like I already said, I will not discuss Wireshark in this article because there are other articles that explain how Wireshark can be used for analysis. However, I will briefly talk about NetFlow analyzers. NetFlow provides a deep view into your IP network including information such as bandwidth consumption, top talkers, application profiling and so on.
Solarwinds has a NetFlow analyzer called the NetFlow Traffic Analyzer (NTA) but it requires that you also have the Solarwinds Network Performance Monitor (NPM) installed. Below is a diagram taken from the Solarwinds NTA guide that shows the devices responsible for most of the network traffic:
Personally, I have not used NetFlow before but I have heard of the immense information you can get from it. There are other ‘Flow’ (NetFlow, J-Flow, etc.) analyzers including ntop and one from Paessler PRTG.
Nessus can be used to perform a complete security assessment on your network but for this article, I am more interested in the Cisco IOS compliance check that Nessus can perform. It can audit configurations based on a best practice benchmark provided by the Center for Internet Security (CIS). You can find one such benchmark here.
Another tool that I have used to assess the security compliance of network device configurations is Nipper. It is very simple to use: you just upload the configuration file you want it to assess and then you get results fairly quickly. I think you can now also retrieve device configurations using remote access protocols such as SSH. Below is the start page of Nipper:
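To make the configuration-audit idea behind the Nessus compliance check and Nipper concrete, here is an added example (not code from either tool or from the original article) that parses an IOS-style configuration file offline and reports deviations from a few widely recommended hardening settings. The function names, finding IDs and sample configuration are constructed for illustration, and the rules are a small hand-picked set, not the text of the CIS benchmark.

```python
import re

# Constructed sample config for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
enable password cisco123
ip http server
snmp-server community public RO
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(config):
    """Map each top-level line to the list of indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return sorted finding IDs (hypothetical names, illustrative rules)."""
    blocks, findings = parse_blocks(config), set()
    if "service password-encryption" not in blocks:
        findings.add("PWD-ENCRYPTION-OFF")
    if any(l.startswith("enable password ") for l in blocks):
        findings.add("ENABLE-PASSWORD-NOT-SECRET")
    if "ip http server" in blocks:
        findings.add("HTTP-SERVER-ON")
    if any(re.match(r"snmp-server community (public|private)\b", l) for l in blocks):
        findings.add("SNMP-DEFAULT-COMMUNITY")
    for head, body in blocks.items():
        # Require an explicit SSH-only setting; the default varies by IOS release.
        if head.startswith("line vty") and "transport input ssh" not in body:
            findings.add("VTY-NON-SSH-TRANSPORT")
        if head.startswith("line ") and "exec-timeout 0 0" in body:
            findings.add("NO-EXEC-TIMEOUT")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Grouping sub-commands under their parent line is what lets the VTY and console checks look at the right section, which a plain text search over the whole file cannot do.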
In this article, we have discussed the different tools that can be used to perform network assessments. These tools are by no means exhaustive and I have used or evaluated other tools such as Spiceworks, Dave, Open-AudIT and so on. Please drop your comments below to tell us about the tools you have used for performing network assessments.