RockNSM is an open-source network sensor platform that focuses on being reliable, scalable, and secure. Check out the full docs for more details. This is a companion article to the rock@home video series.
“So what’s the quickest and easiest way to get ROCK up and running with live data?”
This is a common question from users wanting to get started with Network Security Monitoring (NSM). We understand that not everyone has the ability to monitor live traffic on a production network, so the obvious first step is to build your skills by logging and analyzing your own network traffic. This is the first of a three-part series that will answer this question, and approach things on as minimal a budget as possible.
Here’s an overview of what to expect:
Article #1 — Introduction (you are here)
Article #2 — Install & Deploy
Article #3 — Operate & Maintain
In this first post we'll cover the hardware you need to get live traffic in front of a ROCK sensor.
Quick disclaimer: this kind of network monitoring should only be performed on an environment that you own (or are explicitly authorized to monitor).
There are 3 main challenges to running NSM at home:
Sensor — computer to use as a sensor
Data Feed — a network device that provides a duplicate stream of data to monitor
Wireless AP — a wireless device in addition to the typical ISP modem/router
Let’s cover the basics of these in order:
Processing live network data is resource intensive, and there are a lot of variables behind the "how beefy of a box do I need?" question. The biggest consideration is the throughput of the environment: the sensor has to keep up with the peak rate of the mirrored link, not the average. At the end of the day, the more CPU, RAM and disk IOPS you give the sensor, the happier it will be. But let's talk minimum specs:
The minimum spec for RAM is 8 GB. This should work just fine on a typical home LAN.
We recommend installing ROCK with a minimum of 2 distinct drives (or partitions). SSDs are obviously preferred whenever possible.
a drive for the base operating system
a larger drive used for network logs & data
ROCK also requires a minimum of 2 NICs:
1 interface for management: connected to the LAN and assigned an IP address that is used to administer ROCK
1 gigabit interface for monitoring: traffic from the tap or span port is fed here for ROCK to inspect and log. This interface gets no IP address of its own; it only listens.
If the box you're repurposing as a sensor has only one onboard interface, use it as the monitoring interface, since that is where all the packets land, and add a card (or even a USB adapter) for the light management traffic.
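The two-NIC split above is easy to get subtly wrong (an address left on the sniffing interface, promiscuous mode off, a management port that only picked up a 169.254 address). The following pre-flight check is an added example, not code from the original article or from the RockNSM project: it parses the JSON that `ip -j addr` prints plus the text of /proc/meminfo and reports anything that violates the minimums described above. The interface names eth0/eth1 and both data samples are constructed for the example.

```python
"""Pre-flight check for a two-NIC ROCK sensor box.

Added example (not from the original article or the RockNSM project).
Checks the minimum layout described above: a management interface with an
IPv4 address, a monitor interface that is up, promiscuous and carries no
IP address, and at least 8 GB of RAM. eth0/eth1 and both samples are
constructed for the example.
"""
import ipaddress
import json
import subprocess
import sys

MIN_RAM_KB = 8 * 1024 * 1024  # 8 GB, the article's minimum

# Constructed sample of `ip -j addr` output: management on eth0, monitor on
# eth1, trimmed to the fields the check reads.
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1"}]},
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.168.1.50"}]},
    {"ifname": "eth1", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
])

# Constructed /proc/meminfo excerpt for a 16 GB box.
SAMPLE_MEMINFO = "MemTotal:       16252348 kB\nMemFree:         1203944 kB\n"


def check_interfaces(ip_json, mgmt, monitor):
    """Return a list of problems with the management/monitor split (empty = OK)."""
    ifaces = {i["ifname"]: i for i in json.loads(ip_json)}
    missing = [n for n in (mgmt, monitor) if n not in ifaces]
    if missing:
        return [f"{n}: interface not present" for n in missing]
    if mgmt == monitor:
        return [f"{mgmt}: management and monitor must be different interfaces"]

    problems = []
    mgmt_v4 = [a["local"] for a in ifaces[mgmt].get("addr_info", [])
               if a.get("family") == "inet"]
    if not mgmt_v4:
        problems.append(f"{mgmt}: management interface has no IPv4 address")
    elif ipaddress.ip_address(mgmt_v4[0]).is_link_local:
        problems.append(f"{mgmt}: only has a 169.254.x.x address (DHCP failed?)")

    mon = ifaces[monitor]
    flags = set(mon.get("flags", []))
    if "UP" not in flags:
        problems.append(f"{monitor}: monitor interface is down")
    if "PROMISC" not in flags:
        problems.append(f"{monitor}: not promiscuous; mirrored frames for other MACs will be dropped")
    for a in mon.get("addr_info", []):
        addr = ipaddress.ip_address(a["local"])
        # An IPv6 link-local address appears automatically and is harmless;
        # anything else means the sniffing NIC is reachable, which it should not be.
        if not (addr.version == 6 and addr.is_link_local):
            problems.append(f"{monitor}: monitor interface carries {addr}; it should have no IP")
    return problems


def check_ram(meminfo_text):
    """Return (meets_minimum, total_kb) parsed from /proc/meminfo text."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            kb = int(line.split()[1])
            return kb >= MIN_RAM_KB, kb
    return False, 0


def preflight(ip_json, meminfo_text, mgmt="eth0", monitor="eth1"):
    """Combine the checks; an empty list means the box meets the minimums."""
    problems = check_interfaces(ip_json, mgmt, monitor)
    ok, kb = check_ram(meminfo_text)
    if not ok:
        problems.append(f"RAM: {kb // 1024} MB installed, 8 GB minimum")
    return problems


if __name__ == "__main__":
    # `python3 preflight.py --live eth0 eth1` checks the machine it runs on;
    # without --live it runs against the constructed samples.
    if len(sys.argv) >= 4 and sys.argv[1] == "--live":
        mgmt, monitor = sys.argv[2], sys.argv[3]
        ip_json = subprocess.check_output(["ip", "-j", "addr"], text=True)
        meminfo = open("/proc/meminfo").read()
    else:
        mgmt, monitor, ip_json, meminfo = "eth0", "eth1", SAMPLE_IP_JSON, SAMPLE_MEMINFO
    for line in preflight(ip_json, meminfo, mgmt, monitor) or ["sensor layout looks good"]:
        print(line)
```

Run it with `--live <mgmt> <monitor>` on the sensor after cabling it up; anything it prints other than "sensor layout looks good" is worth fixing before installing ROCK, because a monitor interface with an address is both reachable from the mirrored segment and a sign that the box's network configuration will later fight the sensor's.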
Forking the Packets
Now that we’ve got the base specs for a sensor box running ROCK, let’s dive into how we get packets flowing to that listening interface and keep the network layout as basic as possible.
Network Taps and Switch Span / Mirror Ports — these are the two easiest options to get a duplicated feed of traffic into ROCK. Your choice will depend upon your level of dedication, a.k.a. budget.
Network Tap
A network tap is a piece of hardware that sits inline on a link and duplicates every packet traversing it to a monitor port. Packet loss is generally low with a tap because the duplication happens at the hardware level. But this performance comes at a price, with taps costing quite a bit more than the cheaper options. Plan on spending around $200 (recommendations below).
Switch Span Port
The second, and cheaper, option is to use a switch: a layer 2 device that forwards frames based on MAC addresses. An unmanaged switch just forwards; managed or "smart" switches add features like VLANs, QoS and, most importantly in our context, the ability to configure a span or "mirror" port. When configuring a span, you specify which source port(s) to copy and whether their ingress traffic, egress traffic or both get sent over to the span (mirrored) port where the sensor listens.
The biggest difference between a tap and a switch span is that a tap is dedicated hardware for that purpose, whereas a span port is another duty for the switch OS to take care of. A mirror port also has the same line rate as any other port but has to carry both directions of the source port's traffic: mirroring a gigabit link pushing 600 Mbps each way asks the mirror port to forward 1.2 Gbps, and the switch silently drops what doesn't fit. Assigning a span port is resource intensive, so a switch should be considered fully utilized when it hits around 50% load; take your network's total throughput into consideration. The cheaper managed switch option will usually start around $50 for 5 or 8 port models.
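A mirror port that was configured for ingress only (or egress only) is a common mistake, and the sensor then logs half of every conversation. The script below is an added example, not code from the original article or from the RockNSM project: it parses lines in the format `tcpdump -nn -q` prints, classifies each packet as leaving or entering the home LAN, and says whether the feed carries both directions. The LAN prefix 192.168.1.0/24 and the sample capture are constructed for the example.

```python
"""Verify that a span/mirror feed carries both directions of traffic.

Added example (not from the original article or the RockNSM project).
Input is text in the format of `tcpdump -nn -q -i <monitor-iface>`; the
LAN prefix and the sample capture below are constructed. IPv4 only; ARP,
IPv6 and other lines are skipped.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN prefix

# Constructed sample capture: one HTTPS exchange with the Internet, one
# local DNS lookup, one ARP request.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 93.184.216.34.443: tcp 517
12:00:01.000400 IP 93.184.216.34.443 > 192.168.1.20.51234: tcp 1460
12:00:01.200000 IP 192.168.1.21.40000 > 192.168.1.1.53: UDP, length 43
12:00:01.200300 IP 192.168.1.1.53 > 192.168.1.21.40000: UDP, length 91
12:00:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
"""

# "IP <src[.port]> > <dst[.port]>:" as printed by tcpdump for IPv4.
PKT_RE = re.compile(r"\bIP (\S+) > (\S+):")


def _host(token):
    """Strip tcpdump's trailing .port from an IPv4 endpoint token."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) >= 4 else None


def classify(line, lan=LAN):
    """Return outbound/inbound/local/transit for one capture line, else None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(_host(m.group(1)))
        dst = ipaddress.ip_address(_host(m.group(2)))
    except ValueError:
        return None
    src_in, dst_in = src in lan, dst in lan
    if src_in and dst_in:
        return "local"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"  # neither end is ours: VLAN leak or wrong source port


def direction_counts(capture_text, lan=LAN):
    """Count packets per direction across a whole capture."""
    counts = {"outbound": 0, "inbound": 0, "local": 0, "transit": 0}
    for line in capture_text.splitlines():
        d = classify(line, lan)
        if d:
            counts[d] += 1
    return counts


def mirror_verdict(counts):
    """Turn the counts into a one-line diagnosis of the mirror configuration."""
    if counts["outbound"] and counts["inbound"]:
        return "ok: both directions seen"
    if counts["outbound"]:
        return "only outbound (LAN -> Internet) seen: mirror is copying one direction"
    if counts["inbound"]:
        return "only inbound (Internet -> LAN) seen: mirror is copying one direction"
    return "no LAN traffic seen: check cabling, VLAN and mirror source port"


if __name__ == "__main__":
    # Real use: tcpdump -nn -q -i eth1 -c 2000 > sample.txt, then feed that file.
    counts = direction_counts(SAMPLE_CAPTURE)
    print(counts)
    print(mirror_verdict(counts))
```

Capture a couple of thousand packets from the monitor interface while a device behind the inside AP browses the web, then run the capture through the script; a healthy span or tap feed shows comparable outbound and inbound counts, and a one-direction verdict means the mirror session (or one leg of a tap) needs another look.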
The final piece of this puzzle is a separate wireless AP in addition to your ISP modem/router. This allows us to place the tap or switch and the ROCK sensor between the edge (ISP) router and the inside AP, so everything your devices send to or receive from the Internet crosses the monitored link. Note that traffic between two devices behind the inside AP never crosses that link, so you will see your LAN's conversations with the Internet but not device-to-device chatter. For more clarity, reference the network diagrams above; the additional AP is at the bottom of each.
This 2nd (inside) router would run in "AP Mode" and be configured to get services like DNS and DHCP from the edge device. There are innumerable options these days for inexpensive routers with this capability. If you would like to spend a bit more money I can personally recommend the Netgear Orbi series if you need a mesh system.
To be clear, I’m not endorsing specific hardware over the next, or guaranteeing that your experience will be issue-free. This information is to serve as some starting suggestions of equipment that myself and colleagues have had good experiences with. A summary of this information can be found in this gist.
Sensor
repurposed hardware: 2 NICs / 4 cores / 8 GB RAM / SSD if possible
*lots* of options to BYO sensor from $400–1000
latest Intel NUC8I7HVK (dual NIC)
Select a motherboard or add-on card that uses Intel NICs whenever possible.
Switch
TP-Link TL-SG108E ~$40
Netgear GS108Ev3 ~$50
Tap
Dualcomm ETAP-2003 gigabit tap ~$200
I hope this was helpful in clearing up some of the most common questions about preparing your home network for NSM. In next week’s installment we’ll cover ROCK installation, configuration, and deployment. Thanks for your time!