Network Monitoring with NEMS, Nagios and Raspberry Pi

Part of running my lab is ensuring that services I expect to run 24×7 are, in fact, running and doing just what I expect them to do. Unifi offers some level of monitoring around my internet connection, but I wanted to go one step further and be notified when services are unavailable or when a resource is consumed beyond a defined threshold.

Up until recently, I had planned on running this on a Linux box, until I came across a Raspberry Pi B+ and realised that a low-power monitoring solution might be just what I needed.

I’ve not gone into detail as to my hypervisor setup at home, but running a monitoring solution on the exact server I want to monitor seemed to me like putting too many eggs in one basket. After some Google-Fu I came across NEMS Linux, an open source project that offers a scaled-down version of Nagios to run on a Raspberry Pi.

This does come with some disadvantages right out of the gate. The Pi, though very cost-effective and low power, uses an SD card as its storage medium. Logging vast quantities of data to an SD card isn’t the brightest of ideas, as SD cards tend to wear out quickly under sustained writes. However, NEMS seems like a decent lightweight version of Nagios, so I figured that for the price of an SD card I’d give it a go. This version of Nagios is also somewhat limited, with fewer features and less support than the full Nagios Core, which is not what is running here.

However, even with the disadvantages listed above, having a low-power, reliable device that can monitor services within the network on a standalone basis, and that gets me working with consoles more, is a win-win.

The distro supplied was incredibly easy to install, as simple as writing Raspbian to the SD card. Equally simple was its initial setup (excuse me for the lack of photos of this). After that things get a little more complicated: as someone who’s never used Nagios monitoring before, the UI was confusing at first, but several configuration videos later we’ve got full monitoring of key devices in the network.

I’m fairly comfortable with the consoles and was able to make minor tweaks to the application through its shell configuration (getting email notifications working was tricky). It does a healthy job of monitoring my switches, VMs, hosts and website, all through one system.
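The checks that NEMS runs are ordinary Nagios plugins, and the threshold-style alerting mentioned at the top of this post comes from that plugin contract: a check prints one status line (optionally followed by performance data after a `|`) and signals its verdict through its exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The block below is an added example written for this post, not code from NEMS or from the Nagios project. It implements a small disk-usage check using the range syntax that the Nagios plugin guidelines define for `-w`/`-c` (for example `80`, `10:`, `~:10`, `10:20`, `@10:20`); the check name and perfdata label are my own choices, and any path or thresholds shown in comments are illustrative.

```python
#!/usr/bin/env python3
"""Minimal Nagios-compatible disk-usage check with guideline-style ranges.

Added example for this post; not part of NEMS or the Nagios plugin set.
Exit codes and the "status line | perfdata" output shape are the standard
Nagios plugin contract, so a file like this can be wired in as a command.
"""
import shutil
import sys

# Nagios plugin exit codes (part of the plugin API, not an assumption).
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_range(spec):
    """Parse a Nagios threshold range into (low, high, inside).

    Range syntax from the Nagios plugin guidelines:
      "10"     alert if value < 0 or value > 10
      "10:"    alert if value < 10
      "~:10"   alert if value > 10
      "10:20"  alert if value < 10 or value > 20
      "@10:20" alert if 10 <= value <= 20 (inverted: alert when inside)
    """
    inside = spec.startswith("@")
    if inside:
        spec = spec[1:]
    low_s, high_s = spec.split(":", 1) if ":" in spec else ("0", spec)
    low = float("-inf") if low_s == "~" else float(low_s or 0)
    high = float("inf") if high_s == "" else float(high_s)
    if low > high:
        raise ValueError(f"invalid range {spec!r}: start is greater than end")
    return low, high, inside


def in_alert(value, spec):
    """True when `value` should raise an alert for the given range spec."""
    low, high, inside = parse_range(spec)
    outside = value < low or value > high
    return (not outside) if inside else outside


def evaluate(value, warn, crit):
    """Nagios state for `value`; critical is tested first so it wins a tie."""
    if in_alert(value, crit):
        return CRITICAL
    if in_alert(value, warn):
        return WARNING
    return OK


def format_output(path, pct, warn, crit, state):
    """One-line status text, then perfdata as label=value;warn;crit;min;max."""
    return (f"DISK {STATE_NAMES[state]} - {pct:.1f}% used on {path}"
            f"|used={pct:.1f}%;{warn};{crit};0;100")


def check_disk(path, warn, crit):
    """Measure percent used on `path`; return (state, output_line)."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        # Unreachable or unknown filesystem is UNKNOWN, not CRITICAL:
        # the check itself failed, the resource was not measured.
        return UNKNOWN, f"DISK UNKNOWN - cannot stat {path}: {exc}"
    pct = 100.0 * usage.used / usage.total
    state = evaluate(pct, warn, crit)
    return state, format_output(path, pct, warn, crit, state)


def main(argv):
    # Usage (illustrative): check_disk.py / 80 90
    if len(argv) != 4:
        print("DISK UNKNOWN - usage: check_disk.py PATH WARN_RANGE CRIT_RANGE")
        return UNKNOWN
    try:
        state, text = check_disk(argv[1], argv[2], argv[3])
    except ValueError as exc:
        print(f"DISK UNKNOWN - {exc}")
        return UNKNOWN
    print(text)
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details matter more than they look. A failed measurement returns UNKNOWN rather than CRITICAL so that a broken check is distinguishable from a full disk, and the critical range is evaluated before the warning range so that a value inside both ranges escalates rather than being masked by the lower severity.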

One of my concerns long term is the overall reliability of the SD card. One thing I know they really don’t like is lots of small reads / writes, which is exactly what a service like this will do. As far as I understand it, however, with the optimisations applied to this distro it’s been reported as pretty reliable. Only longer-term use will show if that’s anything to go by.

Given the low cost of a Raspberry Pi and its high efficiency, I’m happy to have this running and keeping an eye on my network. I think if I expanded the number of endpoints I’d be tempted to go for Nagios Core on its own dedicated box, but for now this seems like a good idea.

Switching & Routing (Part 1)

So I work from home. Nice, right? Great and all, but I’m a firm believer in keeping work and home life separate. That’s difficult when you’re sat on a typical home broadband router with one WiFi access point.

We exist in an ever-changing threat environment. As a typical tech user I’ve got friends who visit my home and know my WiFi password, and I’ve got IoT devices that run inside my home network: Alexa, Google Home, Firestick, TVs and printers. Any of these could have a vulnerability (of course these get patched as per the manufacturer’s recommendations).

How comfortable are you writing code for an organisation while working in this way? Though I trust myself enough not to do silly things on my network, how can I expect that of anyone who visits? The same goes for what runs on my work laptop: is it going to have a product that scans my home network? I trust my business, sure, but I’m subject to their IT security policies.

Finding a way to keep both sides of the fence happy can be tricky. I know that work would probably appreciate it if I segmented their equipment away from my home LAN, and I’d be happy protecting my data in my home network.

In the past I’ve run networking for a small business, and I know that logical separation of concerns applies not only as a programming paradigm but also in networking. VLANs seem the most appropriate option here: segmenting network devices so that I’ve got a Guest Network, Home LAN and Work LAN, with inter-VLAN rules to protect the assets on either side of the fence, seems a good approach in this scenario.
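The part of that design that bites people is the inter-VLAN rules. Creating the VLANs gives you separate broadcast domains, but a router with interfaces in each one will happily route between them unless a rule says otherwise, so "Guest, Home and Work" are only isolated once the firewall policy says they are. The block below is an added example written for this post, not configuration from Ubiquiti, pfSense or anything else mentioned here. It models a first-match firewall policy over three assumed /24 subnets (the VLAN IDs, addresses and rule names are hypothetical), audits a policy against the intended isolation matrix, and shows the two mistakes that a rule-order evaluator makes easy: trusting the router's implicit allow, and placing an exception after the broad deny that swallows it.

```python
"""Audit an inter-VLAN policy for a Guest / Home / Work layout.

Added example for this post; not vendor code. Subnets, hosts and rules are
assumptions for illustration. The evaluation model (ordered rules, first
match wins, implicit default) is the same one USG rulesets, iptables chains
and pfSense rule tabs use.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing plan (hypothetical): one /24 per VLAN.
ZONES = {
    "guest": ipaddress.ip_network("192.168.30.0/24"),
    "home": ipaddress.ip_network("192.168.10.0/24"),
    "work": ipaddress.ip_network("192.168.20.0/24"),
}
WAN = "wan"  # any address not inside a local zone


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str                       # zone name, "local" (any zone) or "any"
    dst: str                       # zone name, "wan", "local" or "any"
    dst_port: Optional[int] = None  # None matches every port


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return WAN


def selector_matches(selector, zone):
    if selector == "any":
        return True
    if selector == "local":
        return zone in ZONES
    return selector == zone


def decide(rules, src_ip, dst_ip, dst_port, default="allow"):
    """First matching rule wins; `default` is the router's implicit policy.

    Consumer and SOHO routers route between their own subnets unless told
    not to, so "allow" is the realistic default to model.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if (selector_matches(rule.src, src_zone)
                and selector_matches(rule.dst, dst_zone)
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return default


# What the segmentation is supposed to achieve: every VLAN may reach the
# internet, and no VLAN may initiate connections into another VLAN.
INTENDED = {(s, d): "deny" for s in ZONES for d in ZONES if s != d}
INTENDED.update({(s, WAN): "allow" for s in ZONES})

# One representative host per zone (hypothetical addresses; 203.0.113.0/24
# is the documentation range used here to stand in for "the internet").
REPRESENTATIVE = {"guest": "192.168.30.50", "home": "192.168.10.50",
                  "work": "192.168.20.50", WAN: "203.0.113.10"}


def audit(rules, default="allow", probe_port=443):
    """Return (src, dst, expected, actual) for every pair that breaks INTENDED."""
    violations = []
    for (src, dst), expected in INTENDED.items():
        actual = decide(rules, REPRESENTATIVE[src], REPRESENTATIVE[dst],
                        probe_port, default)
        if actual != expected:
            violations.append((src, dst, expected, actual))
    return violations


# Mistake 1: only an "allow to WAN" rule, relying on the implicit default.
NAIVE_RULES = [Rule("allow", "local", WAN)]

# Corrected: an explicit deny between local zones, then the WAN allow.
SEGMENTED_RULES = [Rule("deny", "local", "local"), Rule("allow", "local", WAN)]

# Mistake 2: a hypothetical SSH exception from Home to Work placed after the
# broad deny, where first-match evaluation never reaches it.
MISORDERED_RULES = [Rule("deny", "local", "local"),
                    Rule("allow", "home", "work", 22),
                    Rule("allow", "local", WAN)]
ORDERED_RULES = [Rule("allow", "home", "work", 22),
                 Rule("deny", "local", "local"),
                 Rule("allow", "local", WAN)]


if __name__ == "__main__":
    for name, rules in [("naive", NAIVE_RULES), ("segmented", SEGMENTED_RULES)]:
        print(name, "violations:", audit(rules))
    print("misordered home->work:22 =", decide(MISORDERED_RULES, "192.168.10.50", "192.168.20.50", 22))
    print("ordered home->work:22    =", decide(ORDERED_RULES, "192.168.10.50", "192.168.20.50", 22))
```

The audit is the useful part: whatever device ends up enforcing the policy, probe a host in each VLAN towards a host in every other VLAN and towards the internet, and compare what actually happens with the matrix you intended. A policy that passes because the default happens to be deny on one router will fail silently when it is rebuilt on another with default allow, which is why the segmented ruleset spells the deny out.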

How to achieve such a goal? The first port of call is to move away from the stock equipment supplied by broadband providers; a quick Google search shows why you should consider doing this anyway. Besides that, for a reasonable price, you can obtain older hardware and set up your own home-brew firewall using something like pfSense (my original approach to this issue). However, I like being within vendor support, and my livelihood relies upon having a stable network connection, not just for work but to keep my partner connected while I’m away.

I’ve been running with Ubiquiti’s USG (UniFi Security Gateway), which is a small dedicated firewall appliance that sits at the edge of my network. I run speeds of 200Mbps down and 20Mbps up, and this firewall has easily kept pace with all of that.

A few other pieces of equipment are required when exploring the Ubiquiti line-up, most notably because the router has no WiFi capability at all. I’m never a fan of a single appliance performing too many concurrent roles, and so prior to purchasing this I already had my Google Home Wifi, which sets up a perfect guest network on the WAN2 port of the USG and has accompanying settings to ensure the guests are isolated in their own network. That’s great, as the first part of the network segmentation has been configured and it all fits inside a tiny package.

One thing that you’ve got to be mindful of is ensuring that you either purchase (at additional cost) a Unifi Controller, which allows you to track, configure and deploy the USG or multiple USGs across different networks, or have a dedicated device (home server) that can run that software for you.

I’ve got to give credit to Unifi for the USG: their software is pretty easy to get on with for a starting user. The USG itself has console access for some advanced configuration, but for the not-so-console-happy user the Controller software makes deploying configurations and upgrades really easy.

I’ll cover more of that in Part 2.