Best way to setup for my home lab


Heisenberg1977

Apr 21, 2012, 9:26:06 AM
to security-onion
Hi All,

I'm interested in learning about traffic analysis and IDS technologies
and recently came across "Security Onion". I have a pfsense firewall/
router device and was originally thinking of adding the SNORT package
and getting into some in depth reading as a starting point, however
after discovering the features of Sec-Onion I would like to find a way
to use the product so I can explore all of these tools if need be.

My current hardware/configuration

DSL modem
  |
pfSense firewall (3 NICs - one not currently used)
  |
  +-- (LAN1) Mikrotik switch
  |            |
  |          Mix of wired machines (Linux and Windows)
  |
  +-- (LAN2) D-Link Wi-Fi gateway (set as a bridge)
               |
             Mix of wired and Wi-Fi machines (Linux and Windows)

I was wondering how to implement security onion as a dedicated box to
act as a security appliance for my whole network.

Some of my main questions/concerns are:
Where do I place the device to use in conjunction with my pfsense
box?
Do I need a device to span network traffic? I've been reading some
suggestions for dualcomm products for low cost solutions, however I am
not a networking guy and get a bit confused on how to implement these
devices.

Any Tips/suggestions would be greatly appreciated. I'm willing to buy
a mini-itx box to use as a dedicated Sec-Onion box and possibly a
Dualcomm appliance if it will not break the bank. My budget is limited
to around $700 give or take.


Doug Burks

Apr 21, 2012, 9:43:12 AM
to securit...@googlegroups.com
Hi Heisenberg1977,

There are a few ways to do this:

1.  Since you have a spare interface on your pfsense box, you may be able to configure it as a span port to capture traffic from your internal networks. 

OR

2.  Purchase a Dualcomm box and connect it inline between the pfsense internal port and your internal networks.

Hope that helps!

Thanks,
Doug


--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Joseph Hargis

Apr 21, 2012, 10:04:23 AM
to securit...@googlegroups.com, Heisenberg1977
Hello Heisenberg1977,

Since we have remarkably similar LAN setups, here is what I have - hope
it helps...

I have a Dualcomm DCSW-1005 cabled in-between the firewall, the WAP, and
the distribution switch ($75 from Amazon). The beauty of this device is
that all traffic coming into port 1 is automatically mirrored to port 5.
Plug and play. No config necessary. Port 1 is connected to the firewall.
Ports 2 and 3 are connected to the WAP and the distribution switch
respectively. Port 5 is connected to an HP machine I bought at a local
electronics store. I swapped out the hard drive that came with the
machine for a 1TB drive - since I too am new to all of this and wasn't
sure how much storage was going to be required, I picked up the 1TB
drive. In the end the price for it was comparable to a 500GB drive anyway.

The only bit I want to add to SO is the "Nepenthes" honeypot service -
it's the next project on my list. So... if anyone has any experience with
this, I would very much like to hear it.

Mr. Burks - Thank You so much for SO. It has been an incredibly
educational experience!

Joe Hargis.

Heisenberg1977

Apr 21, 2012, 10:30:18 AM
to security-onion
Thanks for the quick reply Doug. First and foremost your product is
pure genius and I must give you credit towards your contributions to
the infosec community and for raising interest in N00bies like myself
with a thirst for learning and expanding knowledge.

1. It is unclear if I can configure a span port on my pfsense box. My
NIC is a 3 port Jetway AD3INLAN-G. I've read about how some folks are
creating a span interface with the ifconfig command but it appears
inconclusive on whether this works effectively or not.

2. As for the Dualcomm solution do you mean that I connect it behind
my pfsense firewall? So if I have 2 LAN segments that means I could
only use security-onion on one segment?

For example

pfSense
  |
  +-- (LAN 1) Dualcomm
  |              |
  |            Mix of machines
  |
  +-- (LAN2) Mix of machines

I would do some experimenting but I don't have time to break my lab at
the moment. I have a few projects going on at the moment and I'm just
doing some prior research on my requirements so I know what it is
going to cost me. When it is time to rebuild my lab I plan on
upgrading my pfSense from version 1.2.3 to 2.0.1 probably on a new
fanless box and using my current mini-itx hardware as the dedicated
"Security Onion" appliance. Not sure if pfSense 2.0.1 has the option
to create a span port easily or not but I'm hoping to get it working
this way so I can avoid buying a Dualcomm box.

If I need to buy a Dualcomm box is there a particular model that you
can recommend for a home lab? Something that supports GbE for future
compatibility.

Heisenberg1977

Apr 21, 2012, 10:45:49 AM
to security-onion
Nice, the DCSW-1005 is not that expensive but from looking at it I
would have to buy 2 of these if I want to keep my 2 LAN segments that
are isolated from each other using CIDR /26

In other words using the Dualcomm DCSW-1005 to span traffic to the SO
box I would only be able to monitor either LAN 1 or LAN 2
individually.

...Heisenberg

Vivek Rajagopalan

Apr 21, 2012, 11:37:36 AM
to securit...@googlegroups.com

On 21-04-2012 20:15, Heisenberg1977 wrote:
> Nice, the DCSW-1005 is not that expensive but from looking at it I
> would have to buy 2 of these if I want to keep my 2 LAN segments that
> are isolated from each other using CIDR /26
>
> In other works using the Dualcomm DCSW-1005 to span traffic to the SO
> box I would only be able to monitor either LAN 1 or LAN 2
> individually.

Do you want to monitor the WAN port ? That would represent traffic
entering / leaving your perimeter.
Have you considered a simple bridge ?

+------------------+
|                  |
|    dsl modem     |
++-----------------+
 |
 |
 |        +--------------+
 |        | +----+       |
 +--------|eth0 |  SEC-O |
          |     |        |
          | br0 |        |
 +--------|eth1 |        |
 |        | +----+       |
 |        |              |
 |        +--------------+
 |
+---|-------------------------+
|   +                         |
|                             |
|           pfSense           |
|                             |
+--+---------------------+----+
   |                     |
   +                     +

 to microtik          to wifi

On a related note, I love using ASCIIFLOW http://www.asciiflow.com for
these diagrams.

Heisenberg1977

Apr 21, 2012, 1:49:31 PM
to security-onion
I haven't really decided where I want to place it. I think initially
I'm just going to try and span one of my LAN ports to my spare
interface and connect the SEC-O box. This will give me the opportunity
to practice traffic analysis and some of the other tools that the
distro has to offer. This way I can avoid buying any other hardware
besides the parts I buy to make the dedicated SEC-O box.

Somebody has a post on the pfSense forum on how to do this by using
ifconfig. Not 100% sure if this will work or not.
eth0 - WAN
eth1 - LAN
eth2 - SPAN

(the leading "#" is the root shell prompt, not a comment)
# ifconfig bridge0 create                   - create the bridge interface
# ifconfig eth2 up monitor                  - bring the span interface up in monitor mode (receive only, nothing is transmitted)
# ifconfig bridge0 addm eth1 span eth2 up   - make eth1 a bridge member and eth2 a span port, which gets a copy of every frame the bridge forwards


On Apr 21, 11:37 am, Vivek Rajagopalan <vi...@unleashnetworks.com>
wrote:

Heisenberg1977

Apr 21, 2012, 8:20:25 PM
to security-onion
I just figured out that the switch I have "Mikrotik RB250GS 5-port"
supports full ingress/egress port mirroring. This should get me
started so I can experiment with Security Onion. I guess it pays to
read the manual sometimes. I just figured that there was no way this
inexpensive switch would offer this feature.

Thanks for all of the recommendations

...Heisenberg
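Whichever mirroring option is used (pfSense span interface, a Dualcomm tap, or the Mikrotik's port mirror), the first thing to verify is that the sensor actually sees both /26 segments in both directions; a mirror configured for one port only, or for ingress only, leaves a blind spot that the IDS never reports on. The following is an added coverage check, not code from the thread or from Security Onion. It assumes placeholder segment addresses of 192.168.1.0/26 and 192.168.1.64/26 (the thread only says "CIDR /26") and uses a constructed list of source/destination pairs standing in for packets read off the monitor interface.

```python
"""Coverage check for a SPAN/mirror feed: does the sensor see every LAN
segment, and traffic in both directions for each?

Added example for the thread above, not part of the original post.
The segment addresses are placeholders; replace them with your own /26s.
"""
import ipaddress

# Placeholder segment definitions (constructed; the thread gives only "/26").
SEGMENTS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/26"),
    "LAN2": ipaddress.ip_network("192.168.1.64/26"),
}


def segment_of(ip):
    """Name of the monitored segment an address belongs to, or EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "EXTERNAL"


def coverage(packets):
    """Count, per segment, frames sourced from it (egress) and frames
    destined to it (ingress). `packets` is an iterable of (src_ip, dst_ip)
    pairs, e.g. pulled from a pcap on the monitor interface."""
    seen = {name: {"egress": 0, "ingress": 0} for name in SEGMENTS}
    for src, dst in packets:
        s, d = segment_of(src), segment_of(dst)
        if s in seen:
            seen[s]["egress"] += 1
        if d in seen:
            seen[d]["ingress"] += 1
    return seen


def blind_spots(seen):
    """Return 'SEGMENT/direction' labels with zero frames. A mirror that
    copies only one LAN port, or only received frames, shows up here."""
    return [
        f"{seg}/{direction}"
        for seg, dirs in seen.items()
        for direction, count in dirs.items()
        if count == 0
    ]


# Constructed sample: LAN1 is seen both ways, LAN2 only sends. This is what
# an ingress-only mirror on the LAN2 switch port looks like to the sensor.
SAMPLE_PACKETS = [
    ("192.168.1.10", "198.51.100.5"),    # LAN1 host out to the internet
    ("198.51.100.5", "192.168.1.10"),    # reply back into LAN1
    ("192.168.1.70", "192.168.1.11"),    # LAN2 -> LAN1, routed by pfSense
    ("192.168.1.80", "198.51.100.5"),    # LAN2 host out to the internet
    ("192.168.1.12", "198.51.100.9"),    # another LAN1 host out
]

if __name__ == "__main__":
    result = coverage(SAMPLE_PACKETS)
    for seg, dirs in result.items():
        print(f"{seg}: egress={dirs['egress']} ingress={dirs['ingress']}")
    gaps = blind_spots(result)
    print("blind spots:", ", ".join(gaps) if gaps else "none")
```

Run it against a real capture by replacing SAMPLE_PACKETS with the (src, dst) pairs from a short tcpdump on the sensor's monitor interface; any entry in the blind-spot list means the mirror or tap is not delivering that half of the traffic, and the IDS rules will never fire on it regardless of how well they are tuned.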


Joseph Hargis

Apr 22, 2012, 8:46:40 AM
to securit...@googlegroups.com, Heisenberg1977
Hello Heisenberg,

OK - so you have your network segmented? Interesting - sorry I missed
that the first time around. Now I'm really curious. I've been reading up
on the documentation for my Cisco distribution switch and it turns out
that it will support spanning vlans to separate ports. I.e. mirror all
vlan1 traffic to one port and mirror all vlan2 traffic to another port.
Then the SO box will need two separate NICs - one for each span port. At
this point I'm really not sure how to configure applications such as
Sguil (for example) to read traffic from both NICS? This is a great
setup question as I would imagine that many/most production environments
have segmented networks. I do not here at the house, so I am very
curious to know what you finally settle on for a solution.

Thanks,

Joe Hargis.

Doug Burks

Apr 22, 2012, 10:07:02 AM
to securit...@googlegroups.com
Hi Joe,

When you run the Setup wizard on Security Onion, it will allow you to select multiple interfaces and then automatically configure them for you. 

Doug

Joseph Hargis

Apr 22, 2012, 10:49:05 AM
to securit...@googlegroups.com, Doug Burks
On 4/22/2012 16:07, Doug Burks wrote:
> Hi Joe,
>
> When you run the Setup wizard on Security Onion, it will allow you to
> select multiple interfaces and then automatically configure them for you.
>
> Doug
>
> On Sunday, April 22, 2012, Joseph Hargis wrote:
>
>> On 4/21/2012 16:45, Heisenberg1977 wrote:
>>> Nice, the DCSW-1005 is not that expensive but from looking at it I
>>> would have to buy 2 of these if I want to keep my 2 LAN segments that
>>> are isolated from each other using CIDR /26
>>>
>>> In other works using the Dualcomm DCSW-1005 to span traffic to the SO
>>> box I would only be able to monitor either LAN 1 or LAN 2
>>> individually.
>>>
>>> ...Heisenberg
>>>
>>>
>>>
>>> On Apr 21, 10:04 am, Joseph Hargis <jhargi...@googlemail.com>
Hi Doug,

I'm a full-time student in a "Cyber Security and Information Assurance"
bachelor's program. As such I currently have many projects in the works
for current and future classes that are all centered around SO. I
believe I've read somewhere that you would like assistance with some of
the documentation needs for SO. I would consider it a great personal
honor to be able to contribute something, anything, to such an
outstanding project. Therefore, as I work to complete some of these
projects I would be more than willing to submit the project details to
the list to be reviewed for possible inclusion in the SO documentation.

Thank you for your time and consideration,

Joe Hargis.

Doug Burks

Apr 22, 2012, 12:53:17 PM
to Joseph Hargis, securit...@googlegroups.com
Sounds great, Joe!  Looking forward to it!

Thanks,
Doug