Deploying SecOnion in a large environment


K Lev

Aug 15, 2013, 3:46:17 PM
to securit...@googlegroups.com
I was wondering if I could get some advice. We're looking to deploy Security Onion in a large enterprise environment;
we'll have one sensor monitoring external traffic and two monitoring internally, across multiple sites.

We're trying to find the best solution for a couple of concerns:

First, we're piping our events to a remote location to be used in a SIEM - any suggestions on the best way to
limit bandwidth use?

Secondly, we need a central interface to access packet capture data where we can submit a query for a certain
period of time - is this something Sguil (or something else built into Security Onion) is capable of? I think so, but wanted to confirm.
And is there any instruction on using it out there?

Lastly, we also will need a pretty big storage option for pcap, probably ~20TB. It looks like by default SecOnion stores
the packet capture on each individual sensor (by interface) - is it recommended to mount some kind of NAS and
have all the pcap sent there, or what alternative would be recommended to conserve bandwidth while providing good access?

If this has already been answered somewhere else a link to the correct resource would be appreciated.

Let me know what additional info would be helpful.

Thank You,

Doug Burks

Aug 15, 2013, 4:02:56 PM
to securit...@googlegroups.com
Hi K,

Replies inline.

On Thu, Aug 15, 2013 at 3:46 PM, K Lev <soran...@gmail.com> wrote:
> I was wondering if I could get some advice. We're looking to deploy Security Onion in a large enterprise environment;
> we'll have one sensor monitoring external traffic and two monitoring internally, across multiple sites.
>
> We're trying to find the best solution for a couple of concerns:
>
> First, we're piping our events to a remote location to be used in a SIEM

This may help you get started:
https://code.google.com/p/security-onion/wiki/ThirdPartyIntegration

> - any suggestions on the best way to
> limit bandwidth use?

Tune your signatures:
https://code.google.com/p/security-onion/wiki/ManagingAlerts

> Secondly, we need a central interface to access packet capture data where we can submit a query for a certain
> period of time - is this something Sguil (or something else built into Security Onion) is capable of? I think so, but wanted to confirm.

Yes, Sguil and CapMe can do this.

> And is there any instruction on using it out there?

Screenshots:
http://securityonion.blogspot.com/2012/12/security-onion-1204-is-now-available.html

Video showing Sguil pivoting to pcap:
http://www.irongeek.com/i.php?page=videos/derbycon2/2-2-9-doug-burks-security-onion-network-security-monitoring-in-minutes

Video showing CapMe pivoting to pcap:
http://www.youtube.com/watch?v=0a2WDyBsxzk&feature=youtu.be

> Lastly, we also will need a pretty big storage option for pcap, probably ~20TB. It looks like by default SecOnion stores
> the packet capture on each individual sensor (by interface) - is it recommended to mount some kind of NAS and
> have all the pcap sent there, or what alternative would be recommended to conserve bandwidth while providing good access?

You can easily get 20TB of local storage in new servers these days. I
like the Dell PowerEdge R720.

> If this has already been answered somewhere else a link to the correct resource would be appreciated.
>
> Let me know what additional info would be helpful.
>
> Thank You,
>

--
Doug Burks
http://securityonion.blogspot.com

Michal Purzynski

Aug 15, 2013, 4:41:46 PM
to securit...@googlegroups.com
Most of the questions (architecture and hardware wise) have been answered
already (by me ;) so take a look at the list archive. We have more 10Gbit
uplinks here than I can count ;)

https://groups.google.com/d/msg/security-onion/bMIsOYQJauU/jMo5hkh9XBEJ


I'd go for a central SO server and multiple clients connecting back to
it, and the pcap data stored locally on site. One thing to note is
that when someone steals your remote sensor he's got all the data, which
might even be decrypted, depending on how you terminate your SSL
connections there.

Read also a very similar if not the exact same case:

http://wirewatcher.wordpress.com/2012/10/08/virtual-private-onions/


As for the big storage - we went with iXsystems here; they are selling
huge (4U) Supermicro-based hosts. You can throw as many as 36 disks in
there with an 8 port SAS controller + system disks (SSD in RAID1). The
configuration ordered is 3TiB SATA disks, 8 port SAS controller, 11+1
disks per RAID5 group (one is a hot spare). That should be around 27TB
of usable space (1TiB is a real 930GB give or take, times three,
times 10 - a single disk's worth of data for the RAID overhead and a single
hot spare). So far I'm going to receive two of them soon and will share
experience here; we've got them with 12 disks only in each, for a total
of 54TB :) And we can grow it three times, throwing in more disks only.

Storage servers here come with 64GB of RAM and 2 x 2.0GHz Xeons, and a
Myricom 10G card. Note - Netsniff-ng is not using libpcap, so any
reasonable card will do, such as anything Intel X520 based. We went for
a Myricom to standardize and have a fork of Netsniff-ng working directly
with the card, written as time permits.

I've seen a write throughput of more than 650MB/sec when testing
sequentially with a large, few-TB file on the 8 disk RAID5. Bigger RAID5
groups would be even faster, but watch out - too big and you're going to
have a very long rebuild time when (not if - when) something fails.
Actually, it might be wiser to just wipe the group with all the data and
recreate it. You will lose your data, but at least won't wait a week for
the group to rebuild. YMMV.

If you want the same thing in Europe, then Thomas Krenn (Germany) or
Actina (Poland) can sell you one. Of course your local / favourite vendor
will be happy to send you a quote ;)

Each of the beasts is going to be NFS mounted where necessary, so (at
least) a single NFS mount per sensor, and it feels like having the
data locally. Netsniff-ng running on the storage box and on none of the
regular sensors, of course.

If I made something stupid with the design, let Doug speak :)
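The storage sizing Michal works through above (11+1 3 TB disks in a RAID5 group with one hot spare, roughly 27 TB usable) and the original ~20 TB pcap question, as an added example that is not part of the thread or of Security Onion: a small Python calculator that derives usable RAID capacity from the disk layout, shows why a vendor-rated 30 TB reads as about 27 TiB, and converts that capacity into days of full-packet retention for an assumed average link rate. The traffic rates, the 0.9 fill fraction, the class and function names and the worked figures are assumptions chosen for illustration.

```python
"""Added example (not from the thread): pcap storage sizing for an NSM deployment.

Reproduces the ~27 TB figure for a 12-disk RAID5 group with one hot spare and
3 TB (vendor-rated) disks, then turns usable capacity into days of full-packet
retention. All rates and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from math import ceil

TB = 10**12   # vendor-rated (decimal) terabyte
TIB = 2**40   # binary tebibyte, the unit tools such as df -h report


@dataclass(frozen=True)
class RaidGroup:
    disks: int               # physical disks in the group, hot spares included
    disk_bytes: int          # vendor-rated capacity of a single disk
    parity_disks: int = 1    # 1 for RAID5, 2 for RAID6
    hot_spares: int = 0      # spares hold no data until a rebuild

    def data_disks(self) -> int:
        """Disks actually holding data once parity and spares are set aside."""
        n = self.disks - self.parity_disks - self.hot_spares
        if n < 1:
            raise ValueError("no data disks left after parity and hot spares")
        return n

    def usable_bytes(self) -> int:
        return self.data_disks() * self.disk_bytes


def daily_ingest_bytes(avg_mbit_per_s: float) -> float:
    """Bytes a sensor writes per day when the link averages avg_mbit_per_s."""
    return avg_mbit_per_s * 1_000_000 / 8 * 86_400


def retention_days(usable_bytes: int, avg_mbit_per_s: float,
                   fill_fraction: float = 0.9) -> float:
    """Days of pcap the group holds before the oldest files must be purged.

    fill_fraction is headroom so capture never runs into a full disk; 0.9 is an
    assumed value, not a Security Onion setting.
    """
    return usable_bytes * fill_fraction / daily_ingest_bytes(avg_mbit_per_s)


def disks_for_retention(days: float, avg_mbit_per_s: float, disk_bytes: int,
                        parity_disks: int = 1, hot_spares: int = 0,
                        fill_fraction: float = 0.9) -> int:
    """Smallest disk count (parity and spares included) meeting a retention target."""
    needed_bytes = days * daily_ingest_bytes(avg_mbit_per_s) / fill_fraction
    return ceil(needed_bytes / disk_bytes) + parity_disks + hot_spares


if __name__ == "__main__":
    # Michal's layout: 12 disks, RAID5 (1 parity), 1 hot spare, 3 TB disks.
    group = RaidGroup(disks=12, disk_bytes=3 * TB, parity_disks=1, hot_spares=1)
    usable = group.usable_bytes()
    print(f"usable: {usable / TB:.1f} TB vendor-rated = {usable / TIB:.1f} TiB")
    for mbps in (100, 500, 1000):       # assumed average link rates
        print(f"{mbps:>5} Mbit/s average -> {retention_days(usable, mbps):.1f} days of pcap")
    print("disks for 30 days at 200 Mbit/s:",
          disks_for_retention(30, 200, 3 * TB, parity_disks=1, hot_spares=1))
```

The vendor-rated versus binary unit split is what makes ten 3 TB data disks come out near 27 TiB rather than 30, which matches the figure in the message. Size against the sustained rate you actually observe on the monitored link rather than the nominal interface speed, and keep the spare count in the arithmetic: a hot spare buys rebuild time but holds no pcap.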