Most security-oriented traffic analysts rely on IDSs such as Bro or Suricata for network security. While we believe that they are good solutions, we have a different opinion on this subject. In fact we believe that it is possible to use network traffic monitoring tools like ntopng to spot many security issues that would make and IDS too complex/heavy to use (if possible at all). What many of our users are asking, is the ability to highlight possible scenarios where there is a potential security issue to be analysed more in details using more-security oriented tools. This while using a lightweight approach that an IDS cannot offer because it can be very verbose and information oriented, rather than providing an overall picture of the network status and help understanding real issues. For instance is a ping to a host a real problem? We don’t think so, but most IDSs would mark this as a warning for “information disclosure”. At the end you will have your hard drive filled up by many security logs like these that probably won’t make your network more secure, but for sure generate many security alerts that will often be ignored.
These presentation slides give you an idea of what you can expect today using ntopng from the security view point. This is just the beginning, it’s a revamp of old concepts we prototyped years ago, and that have a new life in the current ntopng. However this is not all, as in the coming months we plan to make ntopng more powerful and able to go beyond this initial step.