NMS Overview

NMS is a SaaS-based software solution designed to monitor network devices, collect metrics on device health and utilisation, and alert a support team in case of failure. Originally designed to monitor the health of Riverbed Steelheads, it uses an extensible framework that allows devices from multiple vendors to be monitored.

It comprises four main elements:

Master server

The Master Server is the central hub of all NMS functionality. It is where the Collectors report all their data, which is then parsed and stored securely in the database.

It also runs the alerting engine, which sends alerts directly to your NOC or support department on any detected system failure. Alerts are prioritised and can be silenced, or muted/masked for individual devices or sites.

The Master Server also runs the portal for managing all the Collectors, and a reporting system that generates monthly/quarterly reports for the Collectors.

Our systems have been security tested by external penetration testers and found to be secure. We regularly check our systems for security vulnerabilities and roll out security updates when needed.

Collectors

Collectors are deployed on customers' networks, usually behind a firewall or in a DMZ.

They connect regularly to the individual devices, using native commands, APIs or web-based connectivity, and gather the data needed. The Collector anonymises all data from the network devices before the Master Server processes it and ingests it into the master database. Collectors use a REST-based API to communicate with the Master Server.

Collectors use an OTP key to retrieve their configuration from the Master Server. It is essential that you keep this key safe: it is unique to the Collector and will not be regenerated.

We use a proprietary double encryption engine to pass all data between the Collector and the Master Server. The OTP ensures that Collectors are registered with the Master Server and that the data originates from an authentic source.

Data only ever flows outbound from the Collector, so no inbound ports need to be opened on your firewall. This means you only need to pinhole ports 443 and DNS outbound for the Collector to work.

Collectors run a hardened Linux OS with a simple VM-based deployment.

Customers control the built-in VPN system, and can enable or disable the ability of support staff to connect to the systems for troubleshooting. Once disabled, it can only be re-enabled locally on the Collector, using the GUI (if enabled) or the CLI.

Collectors hold no personal information or personal data from the network. They purely gather anonymised metrics from their target network devices.

VPN Gateway

This is an optional one-to-one VPN concentrator which brings up on-demand, randomised VPN sessions between the Collector and a single host.

The connection allows a support engineer to look at the Collector, and only the devices it is configured to monitor.

This can be completely disabled on individual Collectors.

Once the session has been terminated, the connection is torn down and the VPN configuration is cleared.

NMS Communication

As the diagram above shows, the only data ports needed outbound are:

  • 443 to two external hosts
  • DNS (53). DNS can be provided by an internal host, as long as it uses an external forwarder to resolve external domains.

The Collectors cannot use a proxy to access these services.

The Collectors will also need internal access to the network devices they monitor, over a range of protocols and ports such as ICMP, HTTP, HTTPS, SSH and SNMP.
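The communication requirements above translate directly into a least-privilege egress policy for the Collector: everything it needs is 443 to the two Master hosts, DNS, and the monitoring protocols towards the devices it polls, and any other outbound flow is a sign of misconfiguration or compromise. The following is an added example, not NMS's own code or configuration, that encodes that allow-list as data, renders it as an nftables ruleset you can review before applying, and checks a set of constructed flow records against it. The addresses (`MASTER_HOSTS`, `DNS_RESOLVER`, `MONITORED_NETWORKS`) are placeholders from the RFC 5737 and RFC 1918 ranges, not real NMS hosts; the function and rule names are my own.

```python
"""Egress allow-list for an NMS Collector host, derived from the documented
requirements: 443 to two external hosts, DNS, and ICMP/HTTP/HTTPS/SSH/SNMP
to the monitored devices. All addresses below are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Placeholder values: replace with the hosts and subnets of your deployment.
MASTER_HOSTS = ["203.0.113.10", "203.0.113.11"]  # the two external 443 hosts
DNS_RESOLVER = "10.0.0.53"                       # internal resolver with external forwarder
MONITORED_NETWORKS = ["10.1.0.0/24"]             # subnets containing monitored devices


@dataclass(frozen=True)
class Rule:
    dst: str             # single IP or CIDR
    proto: str           # "tcp", "udp" or "icmp"
    port: Optional[int]  # None for icmp


def build_policy() -> List[Rule]:
    """Build the allow-list from the documented Collector requirements."""
    rules = [Rule(h, "tcp", 443) for h in MASTER_HOSTS]
    rules += [Rule(DNS_RESOLVER, "udp", 53), Rule(DNS_RESOLVER, "tcp", 53)]
    for net in MONITORED_NETWORKS:
        rules.append(Rule(net, "icmp", None))           # ICMP echo to devices
        rules += [Rule(net, "tcp", p) for p in (22, 80, 443)]  # SSH, HTTP, HTTPS
        rules.append(Rule(net, "udp", 161))             # SNMP polling
    return rules


def matches(rule: Rule, dst: str, proto: str, port: Optional[int]) -> bool:
    """True when a flow to dst/proto/port is covered by rule."""
    if proto != rule.proto:
        return False
    if rule.port is not None and port != rule.port:
        return False
    return ip_address(dst) in ip_network(rule.dst, strict=False)


def evaluate_flows(flow_lines: List[str], policy: List[Rule]) -> List[str]:
    """Return the flow records ('dst proto [port]') not covered by the policy.

    The record format is constructed for this example; adapt the parser to
    your firewall or conntrack export."""
    violations = []
    for line in flow_lines:
        parts = line.split()
        dst, proto = parts[0], parts[1]
        port = int(parts[2]) if len(parts) > 2 else None
        if not any(matches(r, dst, proto, port) for r in policy):
            violations.append(line)
    return violations


def to_nft(policy: List[Rule]) -> str:
    """Render the policy as an nftables output chain with a default drop
    and logging of anything the allow-list does not cover."""
    lines = [
        "table inet collector_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oif "lo" accept',
        "    ct state established,related accept",
    ]
    for r in policy:
        if r.proto == "icmp":
            lines.append(f"    ip daddr {r.dst} icmp type echo-request accept")
        else:
            lines.append(f"    ip daddr {r.dst} {r.proto} dport {r.port} accept")
    lines.append('    log prefix "collector-egress-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records: the first four are expected Collector traffic,
# the last three are the kind of flows that should never leave a Collector.
SAMPLE_FLOWS = [
    "203.0.113.10 tcp 443",   # Master Server
    "10.0.0.53 udp 53",       # DNS lookup
    "10.1.0.7 udp 161",       # SNMP poll of a monitored device
    "10.1.0.7 icmp",          # ping of a monitored device
    "198.51.100.5 tcp 443",   # unknown external host
    "10.1.0.7 tcp 23",        # telnet to a device: not a documented protocol
    "10.0.0.53 tcp 8080",     # proxy attempt: Collectors cannot use a proxy
]

if __name__ == "__main__":
    policy = build_policy()
    print(to_nft(policy))
    for v in evaluate_flows(SAMPLE_FLOWS, policy):
        print("not allowed by policy:", v)
```

Keeping the allow-list as data means the same definition drives both the enforcement (the rendered nftables chain, with `policy drop` and a logged drop rule as the final line) and the audit (the flow check), so a flow that should be blocked and a flow that was merely overlooked when writing the firewall rules are caught by the same source of truth.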

JLB/23092019/v2