Network Security
Comprehensive guide to SysManage network security configuration including firewalls, network segmentation, VPN integration, and intrusion detection systems.
Network Security Overview
SysManage implements comprehensive network security controls to protect communication between components and defend against network-based attacks. The security architecture emphasizes defense-in-depth with multiple layers of protection.
Network Security Architecture
┌─────────────────────────────────────────────────────────────────┐
│ Network Security Layers │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │
│ │ Perimeter │ │ Network │ │ Application │ │
│ │ Defense │ │ Segmentation │ │ Layer Security │ │
│ └─────────────┘ └──────────────┘ └─────────────────────────┘ │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │
│ │ Firewall │ │ Intrusion │ │ DDoS Protection │ │
│ │ Rules │ │ Detection │ │ & Rate Limiting │ │
│ └─────────────┘ └──────────────┘ └─────────────────────────┘ │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │
│ │ VPN Access │ │ TLS/mTLS │ │ Network Monitoring │ │
│ │ Control │ │ Encryption │ │ & Analytics │ │
│ └─────────────┘ └──────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
│
Encrypted Traffic
│
┌─────────────────────────────────────────────────────────────────┐
│ Network Infrastructure │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │
│ │ DMZ │ │ Internal │ │ Management │ │
│ │ Network │ │ Network │ │ Network │ │
│ └─────────────┘ └──────────────┘ └─────────────────────────┘ │
│ ┌─────────────┐ ┌──────────────┐ ┌─────────────────────────┐ │
│ │ Load │ │ Database │ │ Agent │ │
│ │ Balancers │ │ Cluster │ │ Networks │ │
│ └─────────────┘ └──────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
Network Segmentation
Segmentation Strategy
SysManage implements network segmentation to isolate different system components and limit the impact of potential security breaches.
Network Zones
🌐 DMZ (Demilitarized Zone)
- Load balancers and reverse proxies
- Public-facing web servers
- SSL termination points
- Limited access to internal networks
VLAN: 10.0.1.0/24
🏢 Internal Application Zone
- SysManage application servers
- API gateways and microservices
- Internal load balancers
- Application-level components
VLAN: 10.0.10.0/24
🗄️ Database Zone
- PostgreSQL database servers
- Redis cache instances
- Database backup systems
- Restricted network access
VLAN: 10.0.20.0/24
⚙️ Management Zone
- System administration tools
- Monitoring and logging systems
- Certificate authority services
- Security scanning tools
VLAN: 10.0.30.0/24
🤖 Agent Zone
- Managed hosts with agents
- Production servers
- Development environments
- Test systems
VLAN: 10.0.100.0/22
🔒 Security Zone
- Intrusion detection systems
- Security information systems
- Vulnerability scanners
- Security appliances
VLAN: 10.0.40.0/24
Network Segmentation Configuration
# Network segmentation configuration example
# Using VLAN configuration on Cisco switches
# DMZ VLAN configuration
vlan 10
name DMZ-SYSMANAGE
state active
# Internal Application VLAN
vlan 20
name INTERNAL-APP
state active
# Database VLAN
vlan 30
name DATABASE
state active
# Management VLAN
vlan 40
name MANAGEMENT
state active
# Agent VLAN
vlan 100
name AGENTS
state active
# Security VLAN
vlan 50
name SECURITY
state active
# Interface configurations
interface GigabitEthernet0/1
description Load Balancer DMZ
switchport mode access
switchport access vlan 10
spanning-tree portfast
interface GigabitEthernet0/2
description SysManage Server
switchport mode access
switchport access vlan 20
spanning-tree portfast
interface GigabitEthernet0/3
description Database Server
switchport mode access
switchport access vlan 30
spanning-tree portfast
# VLAN routing with access controls
interface Vlan10
description DMZ-SYSMANAGE
ip address 10.0.1.1 255.255.255.0
ip access-group DMZ-IN in
ip access-group DMZ-OUT out
interface Vlan20
description INTERNAL-APP
ip address 10.0.10.1 255.255.255.0
ip access-group APP-IN in
ip access-group APP-OUT out
interface Vlan30
description DATABASE
ip address 10.0.20.1 255.255.255.0
ip access-group DB-IN in
ip access-group DB-OUT outFirewall Configuration
Firewall Rules Strategy
SysManage employs a default-deny firewall policy with explicit allow rules for required communications.
Core Firewall Rules
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Internet | DMZ | 443 | HTTPS | Web interface access |
| DMZ | App Zone | 8000 | HTTP | Backend API access |
| App Zone | DB Zone | 5432 | PostgreSQL | Database connections |
| Agent Zone | App Zone | 8000 | HTTPS | Agent communication |
| Mgmt Zone | All Zones | 22 | SSH | System administration |
| Security Zone | All Zones | 161 | SNMP | Monitoring |
iptables Configuration
#!/bin/bash
# SysManage iptables firewall configuration
# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Set default policies (deny all)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ Rules - Allow HTTPS from internet
iptables -A INPUT -p tcp --dport 443 -s 0.0.0.0/0 -d 10.0.1.0/24 -j ACCEPT
# Application Zone Rules
# Allow DMZ to App Zone (port 8000)
iptables -A FORWARD -p tcp --dport 8000 -s 10.0.1.0/24 -d 10.0.10.0/24 -j ACCEPT
# Allow App Zone to Database Zone (PostgreSQL)
iptables -A FORWARD -p tcp --dport 5432 -s 10.0.10.0/24 -d 10.0.20.0/24 -j ACCEPT
# Allow App Zone to Redis (port 6379)
iptables -A FORWARD -p tcp --dport 6379 -s 10.0.10.0/24 -d 10.0.20.0/24 -j ACCEPT
# Agent Zone Rules
# Allow agents to connect to app servers (mTLS)
iptables -A FORWARD -p tcp --dport 8000 -s 10.0.100.0/22 -d 10.0.10.0/24 -j ACCEPT
# Management Zone Rules
# Allow SSH from management zone to all zones
iptables -A FORWARD -p tcp --dport 22 -s 10.0.30.0/24 -j ACCEPT
# Allow SNMP from security zone for monitoring
iptables -A FORWARD -p udp --dport 161 -s 10.0.40.0/24 -j ACCEPT
# Outbound rules for application servers
# Allow DNS queries
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# Allow HTTPS for package updates and external API calls
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow HTTP for package repositories
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Logging for denied packets
iptables -A INPUT -j LOG --log-prefix "DENIED INPUT: " --log-level 4
iptables -A FORWARD -j LOG --log-prefix "DENIED FORWARD: " --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "DENIED OUTPUT: " --log-level 4
# Save the configuration
iptables-save > /etc/iptables/rules.v4Advanced Firewall Features
Connection Rate Limiting
# Rate limiting to prevent DoS attacks
# Limit new connections to 10 per minute from single IP
iptables -A INPUT -p tcp --dport 443 -m recent --set --name WEB
iptables -A INPUT -p tcp --dport 443 -m recent --update --seconds 60 --hitcount 10 --name WEB -j DROP
# Limit agent connections to prevent abuse
iptables -A INPUT -p tcp --dport 8000 -m recent --set --name AGENT
iptables -A INPUT -p tcp --dport 8000 -m recent --update --seconds 300 --hitcount 5 --name AGENT -j DROP
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
# Ping flood protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPGeographic IP Blocking
# Block traffic from specific countries (example using ipset)
# Create ipset for blocked countries
ipset create blocked_countries hash:net
# Add country IP ranges (example for blocking specific regions)
ipset add blocked_countries 1.2.3.0/24
ipset add blocked_countries 5.6.7.0/24
# Block traffic from blocked countries
iptables -A INPUT -m set --match-set blocked_countries src -j DROP
# Allow only specific countries for management access
ipset create allowed_countries hash:net
ipset add allowed_countries 192.168.0.0/16 # Internal networks
ipset add allowed_countries 10.0.0.0/8 # RFC 1918 private
iptables -A INPUT -p tcp --dport 22 -m set --match-set allowed_countries src -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROPVPN Integration
VPN Access Control
SysManage supports VPN integration for secure remote access to management interfaces and agent networks.
Supported VPN Technologies
🔐 OpenVPN
- SSL/TLS-based VPN solution
- Certificate-based authentication
- Support for site-to-site and client access
- Network and routing table management
🛡️ IPsec/IKEv2
- Standards-based VPN protocol
- Strong encryption and authentication
- Mobile device support
- Automatic reconnection capabilities
⚡ WireGuard
- Modern, high-performance VPN
- Simplified configuration
- Lower overhead and better performance
- Built-in roaming support
🌐 Zero Trust Network Access
- Application-specific access
- Identity-based authentication
- Continuous verification
- Micro-segmentation support
OpenVPN Configuration Example
# OpenVPN server configuration for SysManage access
# /etc/openvpn/server/sysmanage.conf
# Network settings
port 1194
proto udp
dev tun
# Certificate and key files
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/sysmanage-vpn.crt
key /etc/openvpn/server/sysmanage-vpn.key
dh /etc/openvpn/server/dh2048.pem
tls-auth /etc/openvpn/server/ta.key 0
# Network configuration
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route management network to VPN clients
push "route 10.0.30.0 255.255.255.0"
# Route agent networks (if needed for troubleshooting)
push "route 10.0.100.0 255.255.252.0"
# DNS settings
push "dhcp-option DNS 10.0.30.10"
push "dhcp-option DOMAIN sysmanage.local"
# Security settings
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# User permissions and logging
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/sysmanage-status.log
log-append /var/log/openvpn/sysmanage.log
verb 3
explicit-exit-notify 1
# Client-specific configurations
client-config-dir /etc/openvpn/server/ccd
# Security policies
duplicate-cn
client-to-client
script-security 2
# Authentication plugin for LDAP integration
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpnWireGuard Configuration
# WireGuard server configuration for SysManage
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey =
SaveConfig = true
# Post-up and pre-down scripts for routing
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# Client configurations
[Peer]
# Admin user 1
PublicKey =
AllowedIPs = 10.8.0.2/32
[Peer]
# Admin user 2
PublicKey =
AllowedIPs = 10.8.0.3/32
[Peer]
# Security team access
PublicKey =
AllowedIPs = 10.8.0.10/32
# Client configuration example
# /etc/wireguard/sysmanage-client.conf
[Interface]
Address = 10.8.0.2/24
PrivateKey =
DNS = 10.0.30.10
[Peer]
PublicKey =
Endpoint = vpn.sysmanage.company.com:51820
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25 Intrusion Detection & Prevention
IDS/IPS Implementation
SysManage integrates with intrusion detection and prevention systems to monitor network traffic and detect malicious activities.
IDS/IPS Components
🔍 Network IDS (Suricata)
- High-performance network monitoring
- Rule-based threat detection
- Protocol analysis and anomaly detection
- Integration with threat intelligence feeds
🛡️ Host-based IDS (OSSEC)
- File integrity monitoring
- Log analysis and correlation
- Rootkit detection
- Active response capabilities
🚨 Fail2ban
- Automatic IP blocking
- Log-based intrusion detection
- Configurable ban policies
- Integration with firewall rules
📊 Security Analytics
- Behavior analysis and baselines
- Machine learning-based detection
- Correlation across multiple sources
- Risk scoring and prioritization
Suricata Configuration
# Suricata configuration for SysManage monitoring
# /etc/suricata/suricata.yaml
# Network interfaces
af-packet:
- interface: eth0
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
# Home networks
vars:
address-groups:
HOME_NET: "[10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]"
EXTERNAL_NET: "!$HOME_NET"
DMZ_NET: "[10.0.1.0/24]"
APP_NET: "[10.0.10.0/24]"
DB_NET: "[10.0.20.0/24]"
AGENT_NET: "[10.0.100.0/22]"
port-groups:
HTTP_PORTS: "80"
HTTPS_PORTS: "443"
SSH_PORTS: "22"
SYSMANAGE_PORTS: "8000"
# Rule sets
default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules
- emerging-threats.rules
- sysmanage-custom.rules
# Detection settings
detect:
profile: medium
custom-values:
toclient-groups: 3
toserver-groups: 25
# Logging configuration
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: eve.json
types:
- alert:
payload: yes
packet: yes
metadata: yes
- http:
extended: yes
- dns:
query: yes
answer: yes
- tls:
extended: yes
- ssh:
enabled: yes
- stats:
totals: yes
threads: no
# Custom rules for SysManage
# /var/lib/suricata/rules/sysmanage-custom.rules
# Detect potential agent spoofing
alert tls any any -> $APP_NET $SYSMANAGE_PORTS (msg:"Potential Agent Spoofing - Invalid Certificate"; tls.subject:!"CN=agent-"; sid:1000001; rev:1;)
# Detect brute force against SysManage API
alert http any any -> $APP_NET $SYSMANAGE_PORTS (msg:"SysManage API Brute Force Attempt"; http.uri; content:"/api/auth/login"; http.status; content:"401"; threshold: type both, track by_src, count 10, seconds 300; sid:1000002; rev:1;)
# Detect unusual data exfiltration
alert tcp $APP_NET any -> $EXTERNAL_NET any (msg:"Large Data Transfer from SysManage"; dsize:>1000000; threshold: type both, track by_src, count 5, seconds 60; sid:1000003; rev:1;)
# Detect potential command injection
alert http any any -> $APP_NET $SYSMANAGE_PORTS (msg:"Potential Command Injection"; http.uri; pcre:"/[;&|`$()]/"; sid:1000004; rev:1;)Fail2ban Configuration
# Fail2ban configuration for SysManage
# /etc/fail2ban/jail.local
[DEFAULT]
# Ban settings
bantime = 3600
findtime = 600
maxretry = 5
backend = systemd
# Email notifications
destemail = security@company.com
sender = fail2ban@sysmanage.company.com
mta = sendmail
action = %(action_mwl)s
# SysManage-specific jails
[sysmanage-auth]
enabled = true
port = 8000
protocol = tcp
filter = sysmanage-auth
logpath = /var/log/sysmanage/access.log
maxretry = 3
bantime = 7200
[sysmanage-api]
enabled = true
port = 8000
protocol = tcp
filter = sysmanage-api
logpath = /var/log/sysmanage/api.log
maxretry = 10
bantime = 3600
[nginx-sysmanage]
enabled = true
port = 443
protocol = tcp
filter = nginx-sysmanage
logpath = /var/log/nginx/sysmanage_error.log
maxretry = 5
bantime = 1800
# Custom filters
# /etc/fail2ban/filter.d/sysmanage-auth.conf
[Definition]
failregex = ^.*Authentication failed for user .* from .*$
^.*Invalid JWT token from .*$
^.*Failed login attempt from .*$
ignoreregex =
# /etc/fail2ban/filter.d/sysmanage-api.conf
[Definition]
failregex = ^.*API abuse detected from .*$
^.*Rate limit exceeded for .*$
^.*Suspicious API usage from .*$
ignoreregex = DDoS Protection & Rate Limiting
Multi-Layer DDoS Protection
SysManage implements comprehensive DDoS protection at multiple network layers.
DDoS Protection Layers
🌐 Network Layer (L3/L4)
- SYN flood protection with SYN cookies
- UDP flood filtering and rate limiting
- ICMP flood protection
- Connection rate limiting per source IP
🔗 Transport Layer (L4)
- TCP state tracking and validation
- Connection timeout management
- Port scan detection and blocking
- Protocol-specific rate limiting
📱 Application Layer (L7)
- HTTP/HTTPS request rate limiting
- API endpoint protection
- User-agent and referrer validation
- Content-based filtering
🧠 Behavioral Analysis
- Traffic pattern analysis
- Anomaly detection algorithms
- Machine learning-based filtering
- Adaptive threshold adjustment
Nginx Rate Limiting Configuration
# Nginx rate limiting for SysManage
# /etc/nginx/conf.d/rate-limiting.conf
# Define rate limiting zones
limit_req_zone $binary_remote_addr zone=sysmanage_login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=sysmanage_api:10m rate=100r/m;
limit_req_zone $binary_remote_addr zone=sysmanage_web:10m rate=10r/s;
# Connection limiting
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Geographic rate limiting (using GeoIP)
map $geoip_country_code $geo_rate_limit {
default 10r/s;
CN 1r/s; # Stricter limits for certain countries
RU 1r/s;
KP 0r/s; # Complete block
}
limit_req_zone $binary_remote_addr zone=geo_limited:10m rate=$geo_rate_limit;
server {
listen 443 ssl http2;
server_name sysmanage.company.com;
# Apply connection limits
limit_conn addr 10;
# Rate limiting for different endpoints
location /api/auth/login {
limit_req zone=sysmanage_login burst=3 nodelay;
limit_req_status 429;
proxy_pass http://backend;
}
location /api/ {
limit_req zone=sysmanage_api burst=20 nodelay;
limit_req zone=geo_limited burst=5 nodelay;
limit_req_status 429;
proxy_pass http://backend;
}
location / {
limit_req zone=sysmanage_web burst=50 nodelay;
limit_req_status 429;
proxy_pass http://backend;
}
# Error page for rate limiting
error_page 429 @rate_limit_error;
location @rate_limit_error {
return 429 '{"error": "Rate limit exceeded", "retry_after": 60}';
add_header Content-Type application/json always;
}
}Application-Level Rate Limiting
# Application-level rate limiting in SysManage
from fastapi import FastAPI, HTTPException, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded
import redis
# Initialize rate limiter with Redis backend
redis_client = redis.Redis(host='localhost', port=6379, db=0)
limiter = Limiter(
key_func=get_remote_address,
storage_uri="redis://localhost:6379"
)
app = FastAPI()
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
# Advanced rate limiting with user-based limits
class UserBasedLimiter:
def __init__(self, redis_client):
self.redis = redis_client
self.default_limits = {
'admin': '1000/hour',
'operator': '500/hour',
'viewer': '100/hour',
'anonymous': '10/hour'
}
async def check_rate_limit(self, user_id: str, user_role: str, endpoint: str):
"""Check rate limit for specific user and endpoint"""
key = f"rate_limit:{user_id}:{endpoint}"
limit = self.default_limits.get(user_role, self.default_limits['anonymous'])
# Parse limit (e.g., "100/hour" -> 100 requests per 3600 seconds)
count, period = limit.split('/')
count = int(count)
if period == 'minute':
window = 60
elif period == 'hour':
window = 3600
elif period == 'day':
window = 86400
else:
window = 3600 # Default to hour
# Check current usage
current = await self.redis.get(key)
if current is None:
current = 0
else:
current = int(current)
if current >= count:
raise HTTPException(
status_code=429,
detail=f"Rate limit exceeded. Limit: {limit}"
)
# Increment counter
pipe = self.redis.pipeline()
pipe.incr(key)
pipe.expire(key, window)
await pipe.execute()
return True
# Apply rate limiting to endpoints
@app.post("/api/auth/login")
@limiter.limit("5/minute")
async def login(request: Request, credentials: UserCredentials):
"""Login endpoint with strict rate limiting"""
# Authentication logic here
pass
@app.get("/api/hosts")
@limiter.limit("100/minute")
async def get_hosts(request: Request, current_user: User = Depends(get_current_user)):
"""Host listing with user-based rate limiting"""
# Check user-specific rate limit
limiter = UserBasedLimiter(redis_client)
await limiter.check_rate_limit(
current_user.id,
current_user.role,
"get_hosts"
)
# Host retrieval logic here
pass
@app.post("/api/hosts/{host_id}/packages/install")
@limiter.limit("10/minute")
async def install_package(
request: Request,
host_id: str,
package_data: PackageInstallRequest,
current_user: User = Depends(get_current_user)
):
"""Package installation with conservative rate limiting"""
# Additional security checks for sensitive operations
if not current_user.has_permission("packages:install"):
raise HTTPException(403, "Insufficient permissions")
# Package installation logic here
passNetwork Monitoring & Analytics
Network Visibility
Comprehensive network monitoring provides visibility into traffic patterns, security events, and performance metrics.
Monitoring Stack
📊 Prometheus + Grafana
- Network metrics collection
- Real-time dashboards
- Alert management
- Historical data analysis
🔍 ELK Stack
- Log aggregation and analysis
- Security event correlation
- Search and visualization
- Anomaly detection
🌊 ntopng
- Network traffic analysis
- Flow monitoring
- Application protocol detection
- Performance metrics
🔐 Security Analytics
- Threat intelligence integration
- Behavioral analysis
- Risk scoring
- Incident correlation
Prometheus Network Metrics
# Prometheus configuration for network monitoring
# /etc/prometheus/prometheus.yml
global:
scrape_interval: 15s
evaluation_interval: 15s
rule_files:
- "network_alerts.yml"
scrape_configs:
# Node Exporter for system metrics
- job_name: 'node'
static_configs:
- targets:
- 'sysmanage-server:9100'
- 'sysmanage-db:9100'
- 'sysmanage-lb:9100'
# SNMP monitoring for network devices
- job_name: 'snmp'
static_configs:
- targets:
- switch1.company.com
- firewall1.company.com
- router1.company.com
metrics_path: /snmp
params:
module: [if_mib]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: snmp-exporter:9116
# Nginx metrics
- job_name: 'nginx'
static_configs:
- targets: ['nginx-exporter:9113']
# Custom SysManage metrics
- job_name: 'sysmanage'
static_configs:
- targets: ['sysmanage-server:8000']
metrics_path: /metrics
# Alert rules for network security
# /etc/prometheus/network_alerts.yml
groups:
- name: network_security
rules:
- alert: HighNetworkTraffic
expr: rate(node_network_receive_bytes_total[5m]) > 100000000
for: 2m
labels:
severity: warning
annotations:
summary: "High network traffic detected"
description: "Network traffic on {{ $labels.instance }} is {{ $value }} bytes/sec"
- alert: SuspiciousConnections
expr: rate(nginx_http_requests_total{status=~"4.."}[5m]) > 10
for: 1m
labels:
severity: critical
annotations:
summary: "High rate of HTTP 4xx errors"
description: "Rate of 4xx errors is {{ $value }} requests/sec"
- alert: DDoSAttack
expr: rate(nginx_http_requests_total[1m]) > 1000
for: 30s
labels:
severity: critical
annotations:
summary: "Potential DDoS attack detected"
description: "Request rate is {{ $value }} requests/sec"
- alert: CertificateExpiringSoon
expr: (ssl_cert_not_after - time()) / 86400 < 30
for: 0m
labels:
severity: warning
annotations:
summary: "SSL certificate expiring soon"
description: "Certificate for {{ $labels.instance }} expires in {{ $value }} days"Network Flow Analysis
# Network flow analysis with nfcapd and nfdump
# /etc/nfcapd.conf
# Collector configuration
nfcapd -w -D -p 9995 -l /var/lib/nfcapd -P /var/run/nfcapd.pid
# Flow analysis queries
# Top talkers by bytes
nfdump -r /var/lib/nfcapd/nfcapd.current -s srcip/bytes -n 10
# Detect potential data exfiltration
nfdump -r /var/lib/nfcapd/nfcapd.current -c 100 'bytes > 1000000 and dst net not 10.0.0.0/8'
# Monitor SysManage-specific traffic
nfdump -r /var/lib/nfcapd/nfcapd.current 'dst port 8000'
# Security-focused flow analysis
nfdump -r /var/lib/nfcapd/nfcapd.current -s srcip/flows -n 20 'flows > 1000'
# Custom flow monitoring script
#!/bin/bash
# /usr/local/bin/flow-security-check.sh
NFCAPD_DIR="/var/lib/nfcapd"
ALERT_THRESHOLD_BYTES=1000000000 # 1GB
ALERT_THRESHOLD_FLOWS=10000
# Check for unusual traffic patterns
LARGE_TRANSFERS=$(nfdump -r $NFCAPD_DIR/nfcapd.current -c 1 -q "bytes > $ALERT_THRESHOLD_BYTES and dst net not 10.0.0.0/8")
if [ ! -z "$LARGE_TRANSFERS" ]; then
echo "ALERT: Large data transfer detected"
echo "$LARGE_TRANSFERS"
# Send alert to security team
curl -X POST "https://alerts.company.com/webhook" \
-H "Content-Type: application/json" \
-d '{"alert": "Large data transfer detected", "details": "'$LARGE_TRANSFERS'"}'
fi
# Check for high connection counts (potential DDoS)
HIGH_FLOWS=$(nfdump -r $NFCAPD_DIR/nfcapd.current -s srcip/flows -n 1 -q "flows > $ALERT_THRESHOLD_FLOWS")
if [ ! -z "$HIGH_FLOWS" ]; then
echo "ALERT: High connection count detected"
echo "$HIGH_FLOWS"
# Automatic blocking could be implemented here
fiNetwork Security Hardening
Operating System Network Settings
Kernel Parameter Tuning
# Network security hardening via sysctl
# /etc/sysctl.d/99-network-security.conf
# IP forwarding (disable if not needed)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Source routing protection
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# ICMP redirect protection
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Send ICMP redirects (disable)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP ping requests
net.ipv4.icmp_echo_ignore_all = 1
# Ignore broadcast ICMP requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Bad ICMP error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# TCP window scaling
net.ipv4.tcp_window_scaling = 1
# TCP timestamp
net.ipv4.tcp_timestamps = 0
# TCP keep-alive settings
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
# Connection tracking
net.netfilter.nf_conntrack_max = 131072
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
# Apply settings
sysctl -p /etc/sysctl.d/99-network-security.confSSL/TLS Hardening
# SSL/TLS security configuration for Nginx
# /etc/nginx/conf.d/ssl-security.conf
# SSL protocols and ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve secp384r1;
# SSL session settings
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" always;
# Hide server information
server_tokens off;
more_set_headers "Server: SysManage";
# SSL configuration testing
# Test SSL configuration
openssl s_client -connect sysmanage.company.com:443 -servername sysmanage.company.com
# Test with different TLS versions
openssl s_client -connect sysmanage.company.com:443 -tls1_2
openssl s_client -connect sysmanage.company.com:443 -tls1_3
# Cipher suite testing
nmap --script ssl-enum-ciphers -p 443 sysmanage.company.com
# SSL Labs testing (external)
curl -s "https://api.ssllabs.com/api/v3/analyze?host=sysmanage.company.com"Network Security Troubleshooting
Common Network Issues
🚫 Connection Timeouts
- Symptoms: Agents unable to connect, timeouts
- Causes: Firewall blocking, network congestion
- Diagnosis: Check firewall logs, test connectivity
- Solutions: Adjust firewall rules, optimize network
🔒 TLS Handshake Failures
- Symptoms: SSL/TLS connection errors
- Causes: Certificate issues, cipher mismatches
- Diagnosis: Check certificate validity, test ciphers
- Solutions: Update certificates, configure ciphers
📊 High Latency
- Symptoms: Slow response times
- Causes: Network congestion, routing issues
- Diagnosis: Monitor network metrics, trace routes
- Solutions: Optimize routing, increase bandwidth
🛡️ False Positive Blocking
- Symptoms: Legitimate traffic blocked
- Causes: Overly strict rules, misconfiguration
- Diagnosis: Review firewall logs, analyze patterns
- Solutions: Tune rules, whitelist legitimate traffic
Diagnostic Commands
# Network connectivity testing
# Test basic connectivity
ping -c 4 sysmanage.company.com
# Test specific port connectivity
telnet sysmanage.company.com 443
nc -zv sysmanage.company.com 443
# Trace network path
traceroute sysmanage.company.com
mtr sysmanage.company.com
# Check listening ports
netstat -tlnp | grep :443
ss -tlnp | grep :443
# Firewall status and rules
iptables -L -n -v
ufw status verbose
# Check network interface statistics
ip -s link show
cat /proc/net/dev
# Monitor real-time connections
watch -n 1 'netstat -an | grep :443'
# SSL/TLS testing
openssl s_client -connect sysmanage.company.com:443 -showcerts
curl -I -v https://sysmanage.company.com
# DNS resolution testing
dig sysmanage.company.com
nslookup sysmanage.company.com
# Network performance testing
iperf3 -c sysmanage.company.com -p 5201
speedtest-cli