Saddled with increasing support costs and regulatory requirements, many companies may be aided by a tool to map users to IP addresses. eTelemetry's Locate appliance correlates users with IP address, MAC address and port information, so that administrators can quickly track down the physical location of a device and the specific user associated with an IP address. In our Clear Choice Test, we found that while Locate fills a significant regulatory hole, it’s still got a few rough edges that need smoothing over.
We recently tested A10 Networks' IDSentrie, which provides some IP to ID mapping functionality. eTelemetry's Locate is dedicated to this service and expands the functionality we saw in IDSentrie by adding the ability to associate a network address to a physical network port, integrated support tools and real-time queries.
How we tested Locate
Deploying the 1U Locate appliance is a quick process. It sits on a mirrored switch port and passively monitors network traffic, watching specifically for logon information. It then associates the traffic to specific users by reading an imported flat-file staff list or polling an enterprise directory, such as Windows Active Directory or Novell eDirectory.
We installed the device in our test network by connecting the Locate appliance to a mirror port on our switch monitoring all network ports and configuring Locate to query Active Directory for user information and a Cisco Catalyst switch for network data (see How we tested Locate).
We ran into an issue on initial setup with the device not seeing the mirrored network traffic. Working with eTelemetry support, we found the installation instructions mislabeled the mirror port. According to support, hardware and system configuration changes frequently move the mirror port location and the documentation does not always keep up.
To map users -- that is, to associate them with such details as IP or MAC or e-mail address -- Locate monitors the traffic for logon information to services, such as IM, e-mail, and Active Directory. Locate also ties an IP address to a physical switch-port location by polling network devices.
Configuring Locate to communicate with Active Directory and the Cisco switch required creation of a comma-separated value file in a specific format, defined in the Locate documentation. This CSV file is then uploaded to the appliance through the admin interface to apply the configuration. While this gets the job done, overall ease of management could be improved by integrating this configuration setup directly into the administration interface.
Once the CSV file is uploaded, you are then able to export it, which helps ease the process of future configuration changes. One problem we encountered, though, is the CSV export functionality is not working over HTTPS connections, only HTTP. This is a known bug in the product and eTelemetry is working on a fix.
We also encountered a situation where Locate was not properly reading data from the Cisco Catalyst 3500 switch we had in the lab network. eTelemetry support installed a patch on the appliance to properly read the output being provided by the switch. Once this patch was installed, we were able to successfully tie an identity to a computer and a physical network location.
|ETelemetry Locate appliance helps map IP addresses and other data.|
System administration and data queries occur through a Web-based interface. After Locate correlates a user to an IP address, active maps are bolded for easy viewing in query results.
Administrators can use the Locate management interface to launch remote desktop connections to systems for troubleshooting or a disable network switch port used in an attack, a convenient feature.
Once Locate has been configured and running on the network long enough to start gathering data, administrators can query the appliance to quickly find the information they're seeking. The search section of the Locate interface is where administrators will likely spend most of their time.
Current mappings can be searched by IP address, MAC address, switch port, user account, staff name, building, department, and a number of other attributes. Historical mappings can also be searched if you need to identify who was using a specific IP address during a historical period. There's no physical limit to the number of users you can map or the number of ports or IP or MAC addresses you can be mapping.
An IP address can have multiple current maps if multiple accounts are accessing data or services so it’s quite easy to get lost in the plethora of data Locate provides. For example, a user can be logged in to the Windows domain, using IM, accessing a pop mail account, and a service account on the system can be making a network connection.
How we tested Locate
We installed the Locate appliance on our test network, which comprised 20 systems, including Windows XP, Windows 2003 servers, and Red Hat Linux servers. We then integrated it with Windows Active Directory 2003 and a port on a Cisco Catalyst 3500 configured to mirror traffic. Both devices were running standard configurations, no customizations had been added.
We performed various logon activities across multiple lab machines to see which actions were caught by Locate and make sure all logons to Active Directory and other stated monitor services were captured. Once we had a population of data, we ran multiple queries to see how the data was presented and could be manipulated. We created alerts to call out when a system changed IP addresses and we sent an e-mail to all users actively mapped to a subset of switch ports. We also launched a remote desktop connection to an active map.
From that, we could easily drill down to individual account information and see all the IP addresses from which users were accessing the network. You also can send e-mails directly from Locate based on the results of a query, which allows for the possibility of e-mailing all users on a switch if it is encountering a problem. Alerts can be set to identify when a change to a MAC address or an IP address occurs. This is helpful if there is a specific user or address you want to monitor more closely.
Locate also provides integrated tools to help ease system support. From the user record, a remote desktop connection can be launched to the last mapped system. Administrators can use the Locate management interface to disable network ports,preventing any traffic from traversing the network. This can help improve the efficiency and time-to-respond for support personnel.
Locate is limited to five accounts in its current configuration. While you can change the passwords on the accounts, you are unable to change the account username or add new accounts, a limitation that conflicts with most standard security practices. This functionality should be enhanced to provide a standard access control service, including custom account names, granular access and the ability to integrate with an enterprise user directory for authentication and authorization.
Locate also displays account passwords in clear text. Passwords should be masked when displayed in an administration console. We were not provided console access to the appliance during testing, but the vendor confirmed account passwords are not encrypted.
We would like to see enhanced reporting capabilities in Locate, such as the ability to export the graphs, not just the raw data into a CSV file as is Locate’s ability now. We would also appreciate the ability to customize the data available to be mapped. This would help any organization that has custom attributes outside of the standard Active Directory fields that are relevant to day-to-day functionality and identity of a user, such as a corporate identity number.
Locate performs a much-needed function and gets the job done. Ironing out the bugs and adding some enterprise-level enhancements -- such as account management, access control and enhanced reporting -- will make this product that much more in demand.
Andress is president of ArcSec Technologies, a security company focused on product reviews and analysis. She can be reached at email@example.com.
Andress is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
Learn more about this topicOracle jumps to the forefront of ID-management market
1/22/07Identity Engines enables central policy management
12/18/06A10 provides simple, ID-based provisioning tool