Changing Home Network around to support Security Onion


natv

Jun 19, 2016, 11:44:54 AM
to security-onion
Hi guys,

(btw - I'm not that great with networking, otherwise this would be a Visio document attached ;)

Attached is my *current* home network setup. I want to add Security Onion to the mix. I know I either need a switch that has a mirror port, or I need some kind of tap.

My router/wifi device (the Linksys) is pretty old, and I'm willing to replace it for something better if needed. I'm just not sure what to get or best way to transform what I have now.

My goal though is that I want the Security Onion device to be able to see ALL my home traffic (both wired and wifi, ingress/egress)


Would a tap between the Netgear Cable Modem and Linksys Router/Wifi access point work? Maybe that's all I need, I'm not sure.


(and then of course the mirror port or tap will go to something running Security Onion, either a PC with Security Onion in a VM (probably this), or otherwise a PC or Laptop with Security Onion installed.)


I'm looking for advice on what changes to make to my current setup (and I'm willing to replace my Linksys router/wifi device if needed), but if a tap is easier or less expensive that would be best.


If I do replace my router, then I'll probably want something that maybe supports 2 WiFi SSIDs (so I can later segment IoT).


Ideally nothing too complicated, like buying a used Cisco router isn't the best idea for me since I don't have a networking background.


Thanks in advance for any ideas/guidance.

Home Network - Current.jpg

Wes Lambert

Jun 19, 2016, 11:58:46 AM
to securit...@googlegroups.com
natv,

Try having a look at the following:


Thanks,
Wes



natv

Jun 19, 2016, 9:41:04 PM
to security-onion
Thanks Wes,

I reviewed the post at https://groups.google.com/forum/#!msg/security-onion/kxvnQ3QeoqY/wwNSpArSFAAJ (Nick's chart specifically)

In my case, my "firewall/router/NAT/wifi access point" are all one and the same device (Linksys)

Would it work if I put the tap between the Cable modem and the Linksys?


Thanks

Jeff H

Jun 19, 2016, 10:50:52 PM
to securit...@googlegroups.com
On Sunday, June 19, 2016, natv <nva...@gmail.com> wrote:
> Thanks Wes,
>
> I reviewed the post at https://groups.google.com/forum/#!msg/security-onion/kxvnQ3QeoqY/wwNSpArSFAAJ (Nick's chart specifically)
>
> In my case, my "firewall/router/NAT/wifi access point" are all one and the same device (Linksys)
>
> Would it work if I put the tap between the Cable modem and the Linksys?
>
> Thanks

This should technically work, but Security Onion will only see the traffic post-NAT. You won't see any internal IPs, only your public IP, and will have no easy way to determine what traffic belongs to which internal hosts.

You will probably see a lot of scanning and other traffic from the Internet that would otherwise be dropped by your Linksys firewall.

Jeff

natv

Jun 20, 2016, 7:33:18 AM
to security-onion
Thanks Jeff,

That makes sense and definitely is not what I want, as I'll want to see which of my internal devices is sending or receiving what data.


If I use Nick's method and purchase a wired router and place it just after my cable modem and have that do the NAT for the network... then the tap, then the Linksys Wifi/Wired router... would my entire home network still be on the same subnet or would I end up with two subnets?


Alternatively, if I was willing to start over with one or two new devices... any recommendations? I'm thinking I might eventually want a better firewall anyway (as once I see what's coming in or out of my network I'm probably going to want to get a bit granular on blocking things)


So maybe a router/firewall that has a built-in mirror port?






Sabbo

Jun 21, 2016, 2:39:19 AM
to security-onion
This should be fairly easy.

1. Upgrade the GS105 to the GS105E that supports a SPAN and is still only around $30.

2. You will need to move the wireless to ensure the wireless traffic is routed via the switch: either remove the Linksys and redeploy it as an access point, or disable the wireless and get a standalone AP that plugs into the switch.
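
Added example, not part of the thread: a Python check of what the sniffing interface actually sees, following Jeff's point that a tap between the modem and the Linksys shows only the public IP, while a mirror port on the switch shows internal hosts. The function names are hypothetical, and the two sample captures and all addresses are constructed (203.0.113.7 stands in for the home public IP).

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_pairs(pcap):
    """Yield (src, dst) for every IPv4 frame in a classic Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip_at = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if len(frame) >= ip_at + 20 and frame[ip_at - 2:ip_at] == b"\x08\x00":
            yield (ipaddress.ip_address(frame[ip_at + 12:ip_at + 16]),
                   ipaddress.ip_address(frame[ip_at + 16:ip_at + 20]))

def sensor_view(pcap):
    """Return (verdict, internal hosts seen) for a capture from the sniffing NIC."""
    hosts = set()
    for pair in ipv4_pairs(pcap):
        hosts.update(str(ip) for ip in pair if any(ip in net for net in RFC1918))
    verdict = "pre-NAT: internal hosts visible" if hosts else "post-NAT: no internal hosts"
    return verdict, sorted(hosts)

def sample_pcap(pairs):
    """Constructed input: minimal pcap holding one bare IPv4 header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in pairs:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed addresses: 203.0.113.7 stands in for the home public IP.
MODEM_SIDE = sample_pcap([("203.0.113.7", "198.51.100.20"), ("198.51.100.20", "203.0.113.7")])
SWITCH_SPAN = sample_pcap([("192.168.1.23", "198.51.100.20"), ("192.168.1.40", "198.51.100.20")])

if __name__ == "__main__":
    for name, cap in (("tap at modem", MODEM_SIDE), ("switch mirror port", SWITCH_SPAN)):
        print(name, "->", *sensor_view(cap))
```

To run it against a real capture, pass the bytes of a classic pcap file written from the sniffing interface to `sensor_view`; pcapng files are rejected with a `ValueError`.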
