Placing Security Onion on the Internet Perimeter (in DMZ)


Jason

Jun 1, 2012, 3:36:01 PM
to security-onion
Hello,

I would like to understand if it's reasonable to place a Security
Onion instance on the Internet perimeter. The idea is to get a view
into all the malicious traffic that is being directed at my network.
I was thinking of making the Security Onion instance completely
available (all ports) from the public Internet.

The obvious danger is that a service which is running by default in
Security Onion could become compromised.

I do not have the ability to SPAN traffic or port-mirror traffic since
this is a home router I am using. Any thoughts on how I could harden
Security Onion for placement on the Internet would be much
appreciated.

Thank you

Doug Burks

Jun 1, 2012, 4:44:37 PM
to securit...@googlegroups.com
Hi Jason,

First, are you sure you want to place it on the outside of your
firewall? You'll be seeing a bunch of traffic that's just being
blocked by the firewall anyway. You might want to consider keeping it
on the inside of your firewall.

What kind of home router do you have? Depending on the model, you may
be able to install third-party firmware which would then allow you to
do some form of port mirroring.

Alternatively, you could purchase an inexpensive tap, like the ones
mentioned here:
http://code.google.com/p/security-onion/wiki/Hardware

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Jason

Jun 5, 2012, 3:07:53 PM
to security-onion
Doug (and the rest of the folks on this list),

First, thank you very much for your response and the effort you have
put into Security Onion.

I am sure that I want to monitor the traffic that is hitting the WAN
port of my router because the goal is to see all the malicious traffic
going to my public IP, even if my home router/firewall would have
normally blocked it. I do have another instance of SO running inside
my firewall to see the threats that have made it through the
firewall.

Unfortunately my home router does not support any third party firmware
(such as DD-WRT) because it's a rare model.

It sounds like I am potentially best off purchasing an inexpensive hub
and putting it between my cable modem and home router and connecting
it to my SO instance. But before making the purchase, I wanted to
first try the DMZ route.

My SO environment is entirely virtualized using VMware Workstation 8
on a Windows platform which has two physical NICs; this provides the
ability to connect a specific NIC card to a specific virtual machine
using the Virtual Network Editor (and I set Windows to not pick up an
IP address on the NIC which I connected via Bridge Mode to Security
Onion).

My initial thought was to use the home router/firewall to assign a DMZ
to the IP address which Security Onion will hold, thus sending all WAN
traffic directly to the Security Onion IP address. I think this will
show me all traffic directed at my WAN, but I am not sure. I was
thinking I could perhaps use the "ethtool" functionality to disable
the transmit function altogether on Security Onion (the "ethtool"
tool is part of Linux), thus services offered by Security Onion
wouldn't be accessible from the Internet (such as Snorby).

I would appreciate any feedback on this setup. Please let me know if
any of the above makes sense.

Thank you

Michael Iverson

Jun 5, 2012, 8:34:02 PM
to securit...@googlegroups.com


Notes below.


On Tuesday, June 5, 2012, Jason wrote:
> Doug (and the rest of the folks on this list),
>
> First, thank you very much for your response and the effort you have
> put into Security Onion.
>
> I am sure that I want to monitor the traffic that is hitting the WAN
> port of my router because the goal is to see all the malicious traffic
> going to my public IP, even if my home router/firewall would have
> normally blocked it. I do have another instance of SO running inside
> my firewall to see the threats that have made it through the
> firewall.


Keep in mind that there is a lot of noise on the outside. It is rather sobering and educational to watch.
Also, because of NAT, you won't see the internal IP addresses, making it hard to determine what is happening.

> Unfortunately my home router does not support any third party firmware
> (such as DD-WRT) because it's a rare model.
>
> It sounds like I am potentially best off purchasing an inexpensive hub
> and putting it between my cable modem and home router and connecting
> it to my SO instance.

This would be my recommendation. You might also consider a cheap smart switch that supports a SPAN port. Hubs are rather rare nowadays.

> But before making the purchase, I wanted to
> first try the DMZ route.
>
> My SO environment is entirely virtualized using VMware Workstation 8
> on a Windows platform which has two physical NICs; this provides the
> ability to connect a specific NIC card to a specific virtual machine
> using the Virtual Network Editor (and I set Windows to not pick up an
> IP address on the NIC which I connected via Bridge Mode to Security
> Onion).
>
> My initial thought was to use the home router/firewall to assign a DMZ
> to the IP address which Security Onion will hold, thus sending all WAN
> traffic directly to the Security Onion IP address. I think this will
> show me all traffic directed at my WAN, but I am not sure.

This really isn't how a DMZ works. A DMZ is just a second network segment independent from the first. If you push traffic to the DMZ, you would have to come up with a way to route all the traffic back to the LAN segment.
> I was
> thinking I could perhaps use the "ethtool" functionality to disable
> the transmit function altogether on Security Onion (the "ethtool"
> tool is part of Linux), thus services offered by Security Onion
> wouldn't be accessible from the Internet (such as Snorby).


Just set up the NIC without an IP, making it listen only. However, rule updates are difficult this way. A better solution is to have two NICs: one listen only, one with an IP.


--
Dr. Michael Iverson
Director of Information Technology
Hatteras Printing


Scott

Jun 21, 2012, 8:30:58 PM
to securit...@googlegroups.com

Hello Jason.

Hak5 sells a cheap lan tap kit as well. It's good enough for a home Internet connection but you'll have to assemble it yourself (includes soldering). For a bit more money they have an assembled version complete with case ($40).

http://hakshop.myshopify.com/products/throwing-star-lan-tap-pro

I'm fortunate to still have some old 100Mb hubs which work well for this type of monitoring but Michael's right about their rarity.

If nothing else you could also try making your own network cable with the transmit pair left out. I've never tried it so YMMV.

Good luck.

Scott

On Jun 20, 2012 3:46 PM, "Jason" <test.accou...@gmail.com> wrote:
> Thank you to Doug and Michael for your responses.
>
> After much research I am also realising that the idea of putting SO in the DMZ directly is not a good one (for one, most of the SO services become accessible from the outside Internet).
>
> Here is the solution I am trying now:
>
> It turns out VMware Workstation 8 has the ability to add MULTIPLE virtual network cards to a single virtual machine by simply going into the Virtual Machine Settings, clicking ADD, then selecting Network Adapter. This adds a second virtual network adapter to the virtual machine (eth2, in my case).
>
> This means I can use a MikroTik RB250G $40 switch (which supports port mirroring) to feed one network interface of Security Onion which will not hold an IP address (this network port will be spanning my outside WAN traffic via the switch), and the other network card will have an IP assigned on the internal network to get Security Onion updates (new Snort rules, etc). I will set it up as described at http://code.google.com/p/security-onion/wiki/NetworkConfiguration
>
> I think this should let me watch all the attackers against my external IP address without directly exposing Security Onion itself to external attackers.
>
> The goal is for this project to be an educational experience in IDS since I think it would be fascinating to watch the trend of external attacks.
>
> I actually initially wanted to set up a true honeypot to watch attackers' actions, but I'm not sure I would want my school's IP address to be getting too much attention from attackers, so this passive method seems to be the next best idea.
>
> I invite everyone to share their thoughts on this setup. Perhaps there is something I can do better or differently to gain the external visibility.
>
> Thank you!
>
> P.S. - Doug, perhaps you can change or append this thread's title to "Using Security Onion for Watching External Attacks" since it's now better fitting.
> --
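A concrete version of the two-NIC layout Michael recommends and Jason settles on above (one listen-only sniffing NIC with no IP, one management NIC that keeps an address for rule updates), written as an added shell example that is not from this thread or from the Security Onion project; the interface names eth1/eth2, the DHCP choice for the management side and the offload-feature list are assumptions.

```shell
#!/bin/sh
# Constructed example: generate Debian/Ubuntu-style /etc/network/interfaces
# stanzas for a Security Onion sensor with a separate sniffing and
# management NIC, plus a check that the sniffing NIC really holds no IP.
# eth1 (management) and eth2 (sniffing) are assumed names for this example.

# Sniffing interface: no address, ARP off, promiscuous, NIC offloading
# disabled so the IDS sees packets as they are on the wire. ifupdown runs
# post-up lines through sh -c, so the for loop is valid here.
sniff_iface_stanza() {
    iface="$1"
    cat <<EOF
auto $iface
iface $iface inet manual
  up ip link set $iface arp off promisc on up
  down ip link set $iface promisc off down
  post-up for f in rx tx sg tso ufo gso gro lro; do ethtool -K $iface \$f off; done
EOF
}

# Management interface: the only one with an address, used for rule updates
# and for reaching the web UI from the inside LAN.
mgmt_iface_stanza() {
    iface="$1"
    cat <<EOF
auto $iface
iface $iface inet dhcp
EOF
}

# Count stanza lines that would assign an address (static or dhcp).
# A correct sniffing stanza yields 0; a management stanza yields 1.
stanza_ip_lines() {
    printf '%s\n' "$1" | grep -c -E 'inet (static|dhcp)' || true
}

# Runtime check on a live box: exit 0 if the interface has an IPv4 address.
# Run against the sniffing NIC, this should FAIL (return 1) once deployed.
iface_has_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

# Usage: emit both stanzas for review before writing them to the config.
sniff_iface_stanza eth2
mgmt_iface_stanza eth1
```

Snorby and the other services bind to the management address only, so the WAN-facing sniffing NIC exposes nothing to answer on, while rule updates still go out over eth1.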


Marshal Graham

Jun 21, 2012, 10:03:53 PM
to securit...@googlegroups.com
This is a DIY version of the throwing star LAN tap. I have not built
one of these but this is the same design that is sold on the Hak5
shop.

http://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html