Security Onion with pfSense


Mike

May 19, 2015, 4:09:21 PM5/19/15
to securit...@googlegroups.com
Currently I have a pfSense firewall working as a router, firewall, and IDS (Snort), sitting between the modem and my LAN. I'd like to add SO into the network to work as an IDS.

I know that I can hook SO into pfSense to receive Snort alerts using Snorby and send logs to ELSA. However, it is my understanding that that approach will only show logs and not actually record data, which means that I can't really do forensics using all the other SO tools.

My question is: How would I implement SO so that it can work as an IDS? I was thinking about getting a switch and spanning/mirroring the LAN onto that port and hooking that port into a NIC on my SO machine (and the second NIC into the LAN so that I can manage it). So that my setup will look like this:

[INTERNET]<===>[MODEM]<===>[PFSENSE]<===>[LAN]
||
=>[SO]

If I do that, wouldn't my IPS catch (hopefully) all the alerts/attacks before they ever make it into the LAN, which will make attacks harder to investigate? Or am I missing something? I really do not want to turn off my IPS so that it can keep protecting the network (it already saved me a number of times).

Doug Burks

May 19, 2015, 4:21:15 PM5/19/15
to securit...@googlegroups.com
Hi Mike,

Replies inline.

On Tue, May 19, 2015 at 2:03 PM, Mike <michael...@gmail.com> wrote:
> Currently I have a pfSense firewall working as a router, firewall, and IDS (Snort), sitting between the modem and my LAN. I'd like to add SO into the network to work as an IDS.

Good choice!

> I know that I can hook SO into pfSense to receive Snort alerts using Snorby and send logs to ELSA. However, it is my understanding that that approach will only show logs and not actually record data, which means that I can't really do forensics using all the other SO tools.

Correct.

> My question is: How would I implement SO so that it can work as an IDS? I was thinking about getting a switch and spanning/mirroring the LAN onto that port and hooking that port into a NIC on my SO machine (and the second NIC into the LAN so that I can manage it). So that my setup will look like this:
>
> [INTERNET]<===>[MODEM]<===>[PFSENSE]<===>[LAN]
> ||
> =>[SO]

If I understand your diagram correctly, Security Onion would be seeing
traffic on the external side of your firewall, so all traffic would
look like it was coming from and/or going to your public IP address.
Instead, I'd recommend monitoring on the inside of the firewall to see
the real internal IP addresses.

> If I do that, wouldn't my IPS catch (hopefully) all the alerts/attacks before they ever make it into the LAN, which will make attacks harder to investigate? Or am I missing something? I really do not want to turn off my IPS so that it can keep protecting the network (it already saved me a number of times).

Prevention eventually fails. Keep your IPS enabled but use Security
Onion to see what gets through the IPS.


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Mike

May 19, 2015, 7:31:04 PM5/19/15
to securit...@googlegroups.com
Doug,

Thank you for the reply. Looks like the formatting of my diagram got a little messed up. I meant to put the SO machine between the pfSense machine and the LAN. I'm actually planning on having two interfaces on the SO machine, one going to the LAN for the SO management/usage and one going to a span port on the switch that will mirror the LAN traffic (from what I've read about SO, this seems to be the best setup. Please correct me if I'm wrong).

"Prevention eventually fails. Keep your IPS enabled but use Security
Onion to see what gets through the IPS."

That's mainly my reason for installing SO. I'd like to load the Snort Community rules (I actually have a VRT subscription so I'd rather use those) and the ET rules (but use the more complete set as opposed to the "liter" set I use for the IPS on pfSense for performance/false-positive reasons), and monitor SO in case of a breach so that I can do forensics.

Is that a good setup or would you recommend an alternative?

Also, what are the recommended system requirements for SO? I know that HD depends on traffic (even though I'm not sure if there's a way to set max database size or time where the system will start to roll over once it passes the threshold), but what are the RAM/CPU requirements? This is for a small to medium network with no more than two dozen computers.

Doug Burks

May 20, 2015, 6:58:57 AM5/20/15
to securit...@googlegroups.com
Replies inline.

On Tue, May 19, 2015 at 7:26 PM, Mike <michael...@gmail.com> wrote:
> Doug,
>
> Thank you for the reply. Looks like the formatting of my diagram got a little messed up. I meant to put the SO machine between the pfSense machine and the LAN. I'm actually planning on having two interfaces on the SO machine, one going to the LAN for the SO management/usage and one going to a span port on the switch that will mirror the LAN traffic (from what I've read about SO, this seems to be the best setup. Please correct me if I'm wrong).

Yes, you need (at least) 2 network interfaces:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#nic

> "Prevention eventually fails. Keep your IPS enabled but use Security
> Onion to see what gets through the IPS."
>
> That's mainly my reason for installing SO. I'd like to load the Snort Community rules (I actually have a VRT subscription so I'd rather use those) and the ET rules (but use the more complete set as opposed to the "liter" set I use for the IPS on pfSense for performance/false-positive reasons), and monitor SO in case of a breach so that I can do forensics.
>
> Is that a good setup or would you recommend an alternative?

Yes, you can choose both VRT and ET in our Setup wizard. However,
keep in mind that this will result in LOTS of rules and you will
probably want to then disable LOTS of rules to get your ruleset down
to a manageable size.

> Also, what are the recommended system requirements for SO? I know that HD depends on traffic (even though I'm not sure if there's a way to set max database size or time where the system will start to roll over once it passes the threshold), but what are the RAM/CPU requirements? This is for a small to medium network with no more than two dozen computers.

Please see the Hardware Requirements page on our Wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware