Knoppix-NSM Project Page

Benefits |  Background |  Objectives |  Features |  Future

Introduction

Knoppix-NSM is dedicated to providing a framework for individuals who want to learn about Network Security Monitoring (NSM) or who want to quickly and reliably deploy an NSM capability on their network. Our goal is to provide an introduction to NSM and a distribution that can be used as a launch pad to bigger and better things. We have tried to do most of the hard work so you can get up and running as fast as possible and spend your time learning about NSM, leaving the details as a later exercise once you are familiar with the concepts.

Knoppix-NSM is based on KNOPPIX technology, which means that you can test all the tools in a live session running from the CD without a hard disk drive (HDD) installation. Knoppix-NSM has the added bonus of being installable to an HDD, so you can deploy an NSM framework into your production network and use it for real-time monitoring.

Benefits

Some of the benefits include:

  • Rapid deployment

    Boot the CD, test the configuration and then install to your HDD. Once installed, a couple of quick settings and everything is ready to go, all in a matter of minutes.

  • Complete out-of-band Intrusion Detection and Analysis center

    With Knoppix-NSM you can deploy a complete NSM network to monitor your existing network infrastructure. Knoppix-NSM comes pre-configured for deployment of multiple sensors and databases; all you need to do is create the sensor accounts in the database and change the default passwords (do this before the box is connected to a production network).

  • Secure

    Knoppix-NSM has been built with security in mind. All remote communications run over SSL tunnels, so you need not worry about eavesdroppers if you decide to run Knoppix-NSM over your main network channels. Another feature is the use of iptables to ensure that only allowed hosts can connect and only necessary services are visible to the network.

  • Easy console deployment

    Need another console? Just boot from the CD (setting the hostname and IP address at boot time) and you are up and running straight away.
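
As an added illustration of the iptables point under "Secure" above (example code written for this page, not the project's own ruleset): a POSIX shell script that generates a default-deny INPUT chain for the NSM server, exposing only SSH and the two Sguil ports, and each of those only to the hosts that need it. Sguil's default ports 7734 (analyst consoles) and 7736 (sensor agents) are the real defaults; the interface name, the host addresses (TEST-NET ranges) and the port grouping are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the Knoppix-NSM project: generate a host
# firewall for the NSM server (the box running sguild and the database) that
# exposes only SSH and the sguild ports, each only to the hosts that need it.
# Sguil defaults: 7734 = analyst consoles, 7736 = sensor agents. The interface
# name and the addresses below are assumptions (TEST-NET ranges, constructed).

MGMT_IF="${MGMT_IF:-eth0}"                               # management NIC; the sniffing NIC carries no IP
CONSOLE_HOSTS="${CONSOLE_HOSTS:-192.0.2.10 192.0.2.11}"  # analyst consoles and admin hosts
SENSOR_HOSTS="${SENSOR_HOSTS:-198.51.100.20}"            # sensor boxes reporting to sguild

# allow_new_from HOSTS PORTS: one ACCEPT per (host, port) for new TCP connections
allow_new_from() {
    for host in $1; do
        for port in $2; do
            echo "iptables -A INPUT -i $MGMT_IF -p tcp -s $host --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}

# nsm_fw_rules prints the full ruleset; nothing is applied unless the output
# is piped to sh as root, so it is safe to run and inspect anywhere.
nsm_fw_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_new_from "$CONSOLE_HOSTS" "22 7734"   # ssh + sguild client port
    allow_new_from "$SENSOR_HOSTS" "7736"       # sguild sensor-agent port only
    # MySQL (3306) is not opened: add it only if a remote host genuinely needs it.
    # Log (rate-limited) and drop everything else so probes show up in syslog.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'NSM-FW-DROP: '"
    echo "iptables -A INPUT -j DROP"
}

# nsm_fw_allows HOST PORT: exit 0 if the generated ruleset admits that pair
nsm_fw_allows() {
    nsm_fw_rules | grep -q -- "-s $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# Usage, after reviewing the output:  nsm_fw_rules | sudo sh
```

The rules only bind to the management interface: the interface Snort sniffs on should carry no IP address at all, so nothing can be addressed to it in the first place. Review the generated output before applying it, and keep a console session open while doing so; a default DROP policy with a typo in the SSH rule locks you out of a remote sensor.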

The intent of Knoppix-NSM is to provide a distribution with accompanying documentation on the tools that we have selected and how they are put together in the NSM framework.

For more information see the documentation pages.

Background

This started out as a project to simplify the installation of an open-source tool set that would provide a consistent framework in which to learn about Network Security Monitoring.

The original project started with MySQL, Snort, BASE and ntop, but after learning more about NSM it became apparent that it was very difficult to separate real alerts from false positives, and the analyst didn't see things in real time. Snort is very good at providing alert data, but BASE can be limiting when you need to perform further analysis on an alert. Another disadvantage of BASE is the lack of real-time alerting: you need to refresh the web page and then dig around to find out what just occurred. Also missing was persistent statistical and session data, without which it is near impossible to trace the history of a suspect IP/host.

After further investigation and reading, the project was rescoped to include more tools. The new tools identified, primarily Sguil, would provide valuable information to the analyst, a new console to better separate real alerts from the noise, and real-time notification.

Objectives

The objectives of Knoppix-NSM include:

  1. live CD for demonstration purposes,
  2. rapid deployment,
  3. consistent build,
  4. easy installation and configuration,
  5. simple lightweight user interface,
  6. ease of maintenance,
  7. unified system deployment,
  8. secure management

For the most part Knoppix-NSM has achieved the above objectives. It is still a work in progress, although most of the remaining effort will focus on fine tuning and the addition of new tools to provide a complete NSM, incident response and risk assessment framework.

Features

Some of the features on Knoppix-NSM include:

  1. powerful Intrusion Detection System (based on Snort),
  2. detailed analysis consoles,
  3. remote management over SSL/SSH,
  4. tools installed, patched and ready to run,
  5. automated scripts for easy installation/modification,
  6. support for bonded network interfaces,
  7. based on the KNOPPIX Live CD,
  8. Debian-based when installed to a hard drive,
  9. ease of maintenance.

Future

There are a number of exciting new features to be included in Knoppix-NSM, a couple of teasers include:

  1. inclusion of more analysis tools,
  2. inclusion of a Security Information Management tool for greater situational awareness, and
  3. migration to the securixlive base; this will provide greater flexibility for customisation and enhancements.