Doug (and the rest of the folks on this list),
First, thank you very much for your response and the effort you have
put into Security Onion.
I am sure that I want to monitor the traffic that is hitting the WAN
port of my router because the goal is to see all the malicious traffic
going to my public IP, even if my home router/firewall would have
normally blocked it. I do have another instance of SO running inside
my firewall to see the threats that have made it through the
firewall.
Unfortunately my home router does not support any third party firmware
(such as DD-WRT) because it's a rare model.
It sounds like I am potentially best off purchasing an inexpensive hub
and putting it between my cable modem and home router and connecting
it to my SO instance.
But before making the purchase, I wanted to first try the DMZ route.
My SO environment is entirely virtualized using VMware Workstation 8
on a Windows platform which has two physical NICs; this provides the
ability to connect a specific NIC card to a specific virtual machine
using the Virtual Network Editor (and I set Windows to not pick up an
IP address on the NIC which I connected via Bridge Mode to Security
Onion).
My initial thought was to use the home router/firewall to assign a DMZ
to the IP address which Security Onion will hold, thus sending all WAN
traffic directly to the Security Onion IP address. I think this will
show me all traffic directed at my WAN, but I am not sure.
I was thinking I could perhaps use the "ethtool" functionality to disable
the transmit function altogether on Security Onion (the "ethtool"
tool is part of Linux), thus services offered by Security Onion
wouldn't be accessible from the internet (such as Snorby).
Hello Jason.
Hak5 sells a cheap LAN tap kit as well. It's good enough for a home Internet connection but you'll have to assemble it yourself (includes soldering). For a bit more money they have an assembled version complete with case ($40).
http://hakshop.myshopify.com/products/throwing-star-lan-tap-pro
I'm fortunate to still have some old 100Mb hubs which work well for this type of monitoring but Michael's right about their rarity.
If nothing else you could also try making your own network cable with the transmit pair left out. I've never tried it so YMMV.
Good luck.
Scott
Thank you to Doug and Michael for your responses.
After much research I am also realising that the idea of putting SO in the DMZ directly is not a good one (for one, most of the SO services become accessible from the outside internet).
Here is the solution I am trying now:
It turns out VMware Workstation 8 has the ability to add MULTIPLE virtual network cards to a single virtual machine by simply going into the Virtual Machine Settings, clicking ADD, then selecting Network Adapter. This adds a second virtual network adapter to the virtual machine (eth2, in my case).
This means I can use a MikroTik RB250G $40 switch (which supports port mirroring) to feed one network interface of Security Onion which will not hold an IP address (this network port will be spanning my outside WAN traffic via the switch), and the other network card will have an IP assigned on the internal network to get Security Onion updates (new snort rules, etc). I will set it up as described at http://code.google.com/p/security-onion/wiki/NetworkConfiguration
I think this should let me watch all the attackers against my external IP address without directly exposing Security Onion itself to external attackers.
The goal is for this project to be an educational experience into IDS since I think it would be fascinating to watch the trend of external attacks.
I actually initially wanted to set up a true honeypot to watch attackers' actions, but I'm not sure I would want my school's IP address to be getting too much attention from attackers, so this passive method seems to be the next best idea.
I invite everyone to share their thoughts on this setup. Perhaps there is something I can do better or differently to gain the external visibility.
Thank you!
P.S. - Doug, perhaps you can change or append this thread's title to "Using Security Onion for Watching External Attacks" since it's now better fitting.
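The two-NIC layout Jason lands on (one SPAN-fed sniffing interface with no IP address, one management interface with an IP) and the earlier idea of using ethtool on the sniffing side are both about configuring the monitor NIC correctly. The script below is an added example, not code from the thread or from the Security Onion project: it generates Debian/Ubuntu `/etc/network/interfaces` stanzas for each NIC and audits `ip addr` output to confirm the sniffing NIC is promiscuous and holds no IPv4 address. The interface names eth1/eth2, the addresses, the exact stanza layout and the sample `ip addr` text are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Security Onion
# project). Assumptions: eth2 is the SPAN-fed sniffing NIC, eth1 is the
# management NIC, addresses are made up, and the interfaces(5) stanza
# layout below is one common way to bring up a sniffing interface.

# Stanza for the sniffing NIC: inet manual (no address, so no DHCP),
# ARP off, promiscuous mode on, and NIC offloading features disabled so
# the IDS sees frames as they appeared on the wire rather than
# coalesced by the NIC.
sniff_stanza() {
    ifc="$1"
    cat <<EOF
auto $ifc
iface $ifc inet manual
  up ifconfig \$IFACE -arp up
  up ip link set \$IFACE promisc on
  down ip link set \$IFACE promisc off
  down ifconfig \$IFACE down
  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done
EOF
}

# Stanza for the management NIC: a static address on the internal LAN so
# rule updates can be fetched and Snorby reached from inside only.
mgmt_stanza() {
    ifc="$1"; addr="$2"; mask="$3"; gw="$4"
    cat <<EOF
auto $ifc
iface $ifc inet static
  address $addr
  netmask $mask
  gateway $gw
EOF
}

# Audit helper: takes the text of `ip -4 addr show dev <ifc>` and returns
# 0 only if the interface is flagged PROMISC and carries no inet address.
# Run it after boot (or from cron) to catch a DHCP client or stray config
# silently giving the sniffing NIC an address.
audit_sniff_iface() {
    ifc="$1"; ipout="$2"
    if ! printf '%s\n' "$ipout" | grep -q "^[0-9]*: $ifc: .*PROMISC"; then
        echo "$ifc: not in promiscuous mode" >&2
        return 1
    fi
    if printf '%s\n' "$ipout" | grep -q "^ *inet "; then
        echo "$ifc: holds an IPv4 address, it should not" >&2
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real host): the first is
# a correctly configured sniffing NIC, the second picked up a DHCP lease
# and is not promiscuous.
SAMPLE_OK='3: eth2: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
SAMPLE_BAD='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth2'

# Usage: print both stanzas, then audit the two samples. On a live box
# replace the sample with "$(ip -4 addr show dev eth2)".
sniff_stanza eth2
mgmt_stanza eth1 192.168.1.50 255.255.255.0 192.168.1.1
audit_sniff_iface eth2 "$SAMPLE_OK" && echo "sample OK: eth2 is a clean sniffing interface"
audit_sniff_iface eth2 "$SAMPLE_BAD" || echo "sample BAD: eth2 failed the audit as expected"
```

The audit only looks at IPv4; if the sniffing NIC's kernel also assigns an IPv6 link-local address you would extend the second grep to `inet6` as well, and the `post-up` offload loop will print harmless errors for any feature the virtual NIC does not support.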