Watching the Wire: The How and Why of Implementing a Network Security Monitor

Robert K. Woolson


The internet has become one of the greatest inventions ever. Connecting people all over the world, this network allows large amounts of data to be exchanged globally in mere seconds. To be viable, companies need to be connected to this world wide web of data. Unfortunately, this connection comes with serious drawbacks. Digital thieves do not need to put on masks and wave guns to steal property. These criminals exploit a vulnerability to get inside their target's network, bypassing passwords, firewalls, and other security measures, and then steal a company's most guarded treasures from the comfort of their couch. Watching the traffic within one's network with the right tools can reveal anomalies, leading to the discovery of IT security compromises and breaches. Within this report I will discuss the importance of network security monitoring, document the implementation of an NSM appliance using open source tools on a production network, tune the NSM to generate event reports on suspicious network security occurrences, and demonstrate how to study an incident through the investigation of the Blaster worm.