From: Jose V. N. Z. <jo...@us...> - 2003-09-26 14:27:41

Greetings, I saw the project and I think it is definitely worth the effort. If you have a medium to large network under your control you will notice pretty soon that without the appropriate tools you will not be able to correlate and investigate even the most basic events. The idea of using readily available tools like Snort, OpenNMS, NMAP etc. is very attractive because a large number of sites are already using them, so a 'glue' that ties all that information together is more than welcome. Still, there are some points related to the architecture of the project that don't seem to fit appropriately. All my comments are based on the information contained in the architecture diagram published by the os-sim developers (http://os-sim.sourceforge.net/docs/ossim3.jpg) and the tools mentioned on their web site (http://os-sim.sourceforge.net/home.html).

1) Too many OpenSource tools, some overlapping: For example NTOP could be replaced with custom OpenNMS graphs and custom polling of SNMP OIDs on the target machines; MRTG could be replaced directly with RRDtool, and again OpenNMS can show the custom graphs too. You mention NMAP for network discovery, but OpenNMS already does that job. Two databases? PostgreSQL can do the job of MySQL (and OpenNMS already uses it). Snort can log events directly to PostgreSQL. MySQL probably is too simple for an enterprise solution like this one. Sortova Consulting was doing some work to integrate Nessus with OpenNMS (currently nobody is working on that, though). Maybe it is better to contribute code to integrate them than reinventing the wheel here.

2) Too many languages and platforms to maintain: The architecture itself is composed of at least two databases (PostgreSQL and MySQL), at least two web presentation layers (PHP, JSP), and several programming languages (Perl, PHP, Java, C). This is a maintenance disaster waiting to happen unless a huge team of developers with a large skillset is ready to maintain all the pieces that tie the application together. The team should consider rewriting at least some of the analysis components. Also, only one database should be used.

3) What about other devices like switches and firewalls that don't even speak SNMP but Syslog? What about machines that run only Syslog daemons? A custom Syslog listener could be a very good glue to gather information from several places like Snort sensors, IPTables firewalls and switches. One problem with SNMP traps is that they are not very secure, and once you know the password you can tamper with the contents or even flood the SNMP trap daemon.

4) PHP and JSP, which one is better? My opinion is that PHP is not prepared for the enterprise. PHP doesn't have the optimizations that Java does on the server side and also ties the presentation too closely to the logic. It's true that Java takes more time to master, but it is also true that it is much more flexible and standardized than PHP (PHP doesn't have a common database layer AFAIK). The team should try to replace tools like ACID (whose source code is freely available) and maybe think about integrating those changes with OpenNMS (as a custom web app) or developing the tool using Java as a separate web app.

In my opinion, a tighter integration with OpenNMS will solve many of these issues. What do you think about this?

JV.
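The "custom Syslog listener as glue" idea in point 3 is the kind of component that is easy to sketch. Below is an added example, not code from the poster or from the os-sim project, of the normalisation step such a listener would run on each received line: it parses BSD/RFC 3164-style syslog lines, decodes the facility and severity from the `<PRI>` header, recognises three of the producers the message names (Snort alerts, iptables kernel log lines, a Cisco-style switch message) and pulls out their structured fields so that events from different devices land in one common record. The log lines, host names and addresses are constructed sample input; the Snort, iptables and switch message layouts are assumed to match the common default formats of those tools.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Syslog severity codes 0..7 (the low three bits of PRI); facility is PRI >> 3.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD/RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
# Snort's default syslog alert layout (assumed): [gid:sid:rev] name [Classification: ...] [Priority: n] {proto} src:port -> dst:port
SNORT_RE = re.compile(
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<name>.*?) \[Classification: (?P<cls>[^\]]+)\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):?(?P<sport>\d+)? -> (?P<dst>[\d.]+):?(?P<dport>\d+)?"
)
# Cisco IOS style message body (assumed): %FACILITY-SEVERITY-MNEMONIC: text
CISCO_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): ?(?P<text>.*)")

@dataclass
class Event:
    """One normalised record, whatever device produced the original line."""
    host: str
    facility: int
    severity: str
    source: str            # "snort", "iptables", "switch" or "other"
    tag: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)

def parse_line(line: str) -> Optional[Event]:
    """Decode the syslog envelope, then extract producer-specific fields."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # not syslog-shaped: drop (or count) it
    pri = int(m["pri"])
    tag, msg = m["tag"], m["msg"]
    source, fields = "other", {}
    if tag == "snort":
        s = SNORT_RE.search(msg)
        if s:
            source = "snort"
            fields = {k: v for k, v in s.groupdict().items() if v is not None}
    elif tag == "kernel" and "IN=" in msg and "OUT=" in msg:
        # iptables LOG target: space-separated KEY=VALUE pairs (flags like SYN have no '=')
        source = "iptables"
        fields = dict(kv.split("=", 1) for kv in msg.split() if "=" in kv)
    else:
        c = CISCO_RE.search(msg)
        if c:
            source = "switch"
            fields = c.groupdict()
    return Event(host=m["host"], facility=pri >> 3, severity=SEVERITY[pri & 7],
                 source=source, tag=tag, message=msg, fields=fields)

def ingest(lines: List[str]) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]

def summarize(events: List[Event]) -> Tuple[Dict[str, int], List[Event]]:
    """Count events per producer and flag anything at severity 'err' or worse."""
    by_source: Dict[str, int] = {}
    urgent: List[Event] = []
    for e in events:
        by_source[e.source] = by_source.get(e.source, 0) + 1
        if SEVERITY.index(e.severity) <= SEVERITY.index("err"):
            urgent.append(e)
    return by_source, urgent

# Constructed sample lines (hosts, addresses and rule ids are made up for this example).
SAMPLE_LINES = [
    "<33>Sep 26 14:21:10 sensor1 snort[2231]: [1:1000001:1] Example local rule "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41234 -> 192.0.2.1:80",
    "<4>Sep 26 14:21:30 fw1 kernel: [84213.522] IPTABLES-DROP: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 "
    "TTL=64 ID=1234 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 SYN URGP=0",
    "<189>Sep 26 14:20:05 sw-core-1 123: Sep 26 14:20:04.991: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet0/1, changed state to down",
    "<38>Sep 26 14:22:00 host1 sshd[999]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2",
]

if __name__ == "__main__":
    events = ingest(SAMPLE_LINES)
    counts, urgent = summarize(events)
    print("events per source:", counts)
    for e in urgent:
        print(f"URGENT {e.severity} from {e.host} ({e.source}): {e.fields}")
```

A real listener would wrap `parse_line` around a UDP/TCP socket bound to port 514 and write the `Event` records into the single database the message argues for; the point of the normalised `fields` dictionary is that a correlation rule can then compare, say, the `SRC` of an iptables drop with the `src` of a Snort alert without knowing which device produced which line.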