OpticNerve automatically discovers nodes within a specified network range using ICMP sweeps. Once it finds a node, the node is probed for supported services by Service Pollers, which simulate transactions for DNS, DHCP, FTP HTTP, IMAP, POP3, SNMP, SMTP, SSH and other protocols, and applications and databases, including Lotus Notes, Informix, Oracle, SQL, Sybase and Postgres. Discovered nodes and associated services are added to OpticNerve's SQL database. Services are polled every five minutes and nodes are rescanned periodically for new services.

OpticNerve's Iris Agents run on Microsoft Windows 98, Me, NT4, 2000 and XP. Using less than 500 KB of memory, these agents run in the background and report system health and configuration information to OpticNerve. Iris Agents are event-driven: They detect window creation, file operations, faults and exceptions as well as application installations and launches. They also generate information regarding the OS, CPU, memory, network adapter, drives and installed applications. After creating users and associating them with management groups, we installed the optional Iris Agents 2.0 on Windows 2000 servers and Windows 98 and XP workstations by downloading the installation file from the OpticNerve.

Good • Synthetic transactions poll network services. • Configurable event notifications. • Filters screen out unwanted notifications. Bad • Thresholds are not configurable. • Set polling periods (approximately 5 minutes). • SSL not supported.

To see events from polling information, SNMP traps and Iris Agents, you simply access a Web interface, supply a user name and password, and the home page draws all the events reported by devices on your network (see screen at right). An eventd subsytem processes all events and classifies them according to a rules engine. If an outage--any event that impacts an end user's ability to access a resource--occurs, it is registered and an actiond process notifies users.

Lights Out

Using both preconfigured and customized pollers, OpticNerve detected node and service outages on multiple subnets in our labs. We tested this by suspending FTP, HTTP, SMTP and telnet services on a Sun Microsystems SunFire 280R. OpticNerve detected the event and notified users that the services were unresponsive though the port was still available. It successfully detected FTP, HTTP, SMTP and SQL database outages on a Windows 2000 server as well. OpticNerve also scanned open ports to determine available services and report on known vulnerabilities. It found remote DCE services and anonymous FTP sites in our tests.

The optional Eyelid device provides higher levels of vulnerability scanning by detecting network intrusions and reporting them to the OpticNerve. Eyelid also attempts minor intrusions and exploits against the system to test for vulnerabilities. It successfully detected both a SSH Kerberos and a DoS (denial of service) vulnerability against our SMTP server and identified rfpoison and IIS buffer overflow vulnerabilities. OpticNerve also provides helpful solutions and common vulnerabilities and exposures (CVE) entries.

Ocustat gives basic network usage information by listing the most requested Web sites, top DNS host names and top talkers of the network. Both Eyelid and Ocustat monitor network traffic from a shared hub or a mirrored switch port.

Notifications flow to users within preconfigured groups by priority based on users' ranks and work schedules. The first user listed in the reporting group receives notification and has 15 minutes to resolve the outage and acknowledge the notification. If an acknowledgement is not received within 15 minutes, the next listed user is notified. Notifications are escalated to a management group if they are not acknowledged within a set period of time.

Vendor Info OpticNerve 3.1, subscription service starts at $300 per month through resellers. Oculan Corp., (919) 534-0500, (800) 247-5080, Opt. 3. www.oculan.com

Once notifications are acknowledged or service returned to normal, the notifications are removed from active status but are archived for one year so they can be used to calculate service-level availability and included in standard reports on network availability, outages and SNMP performance. Reports are available in PDF, HTML or raw XML format for further processing.

Dilip Advani is a research associate at the Center for Emerging Network Technologies at Syracuse University. Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. Write to them at dadvani@nwc.com or sdoherty@nwc.com.