Hacker News new | ask | show | jobs
RTM: flow-based network monitoring (rtm.rdit.ch)
33 points by Ente 3689 days ago
6 comments
sschueller 3689 days ago
RUAG was hacked over a year ago an didn't notice until recently when the intelligence agency informed them. It's a huge scandal here.

http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-i...

http://www.blick.ch/news/wirtschaft/beunruhigender-hack-wie-...

link
Ente 3689 days ago
you're right. An other example why it's a good idea to invest into smart people supported by good products in order to defend against such attacks. From my personal point of view, the risk of a data-breach is beeing underestimated in almost all companies. Which leads toh harsh budget restrictions for security responsibles.

Note: in my opinion Blick.ch [1] is not the best ressource for information. Please consider [2], [3].

[1]: http://www.blick.ch/ [2]: http://www.derbund.ch/wissen/technik/organisation/ruag/s.htm... [3]: http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern...

link
xs 3689 days ago
Wait. How do I actually download this and where's the documentation?
link
Ente 3689 days ago
Currently this is more of an ad-page for a propietary product. Devs are 'in discussion' with management in order to make the product available for a wide public audience. Actually the goal is a (at least) partial open source commitment.

- stay tuned

link
lafay 3689 days ago
Kentik (http://www.kentik.com) is doing something very similar, as a cloud-based service or on-prem cluster. Accepts standard flow formats (netflow, sflow, IPFIX) from routers and switches, and also "augmented" flow from nprobe running on hosts or sensors.
link
xs 3689 days ago
How does this differ from Silk+Flowbat?
link
detaro 3689 days ago
Links for those that hadn't heard about that pair before (like me):

https://tools.netsa.cert.org/silk/

http://www.flowbat.com/

link
jawn- 3689 days ago
Judging from screenshots, RTM does a deeper level of packet inspection than netflow based system (silk/flowbat).

As Silk/Flowbat are based on netflow records, which doesn't inspect the traffic passing across the network. It just records surface level information about the traffic. Source/Dest ports and addresses, UDP vs TCP and length and size of the conversation.

Deeper packet inspection probably results in rtm being able to inspect less traffic. Though depending on how RTM is written and the network drivers being used and your network size, you still might be able to have this monitor your egress points.

link
Ente 3689 days ago
You're right. RTM, or rather, its internal flow assembling component RTS can be extended with plugins in order to extract and append more information for a flow. For example there are plugins for:

* regex matching * tcp state machine following * http * dns * bgp * smtp * icmp * pcap splitting by flows * ...

Using them will have an impact on performance, which is why there are no numbers regarding speed on this page. It's always a fit between: what one can see and what one wants to see. It's beeing sold as a privacy feature ;). Nevertheless a security expert has to configure the software so that it fits the environment.

In contrast to other projects, the general assumption is that RTM is not the 'one solution you implement and you're secure' but rather a platform on which you can build your security upon.

Sorry for the generic answer: I don't know Silk/Flowbat well enough in order to provide a in depth comparison.

link
mhurron 3689 days ago
> Flowbat

Thank you for that.

link
ollybee 3689 days ago
fastnetmon is another solution for this https://github.com/pavel-odintsov/fastnetmon
link
mansilladev 3689 days ago
#SWISSNESS
link