PFSense - securityonion - centralised IDS, logging & monitoring


OLCE

Aug 1, 2015, 9:48:06 AM
to security-onion


Hi,

I've a "small" production/lab network (about 50 hosts maximum).
Currently using EFW (Endian community firewall).
But I want to move to pfSense (I prefer a powerful, enhanced firewall over a "nice looking GUI").
At the same time, I would like to add Security Onion into the mix.
I want to collect info, get insight into the lab network, have an IDS, be able to investigate network activity, etc. It looks like SO is the (only) product for this, and good at it.

So here is what I was thinking :

My network :

INTERNET == MODEM == PFSENSE == LAN --- about 15 physical hosts
                                 |
                                 --- ESXI host --- 10 to 30 VM hosts
                                        |
                                        ------ VM with SecurityOnion



- the WAN interface of pfSense has a public IP
- the ESXi has physical NICs, of which 3 are in use (kept 1 free for future use, like capturing or monitoring)
- the ESXi is using virtual switches
- pfSense has Snort active also
- all LAN is connected to one 24-port Gigabit switch (physical devices and ESXi NICs)
- pfSense is version 2.2.4-RELEASE (amd64)

Here is what (I think) I want :
- Install a standalone version of SO (server+sensor) in a VM, and have the sensor monitor my LAN for activity
- keep Snort on pfSense active, so I can "see what is coming from the outside", in other words, what is hitting the firewall from the outside, and if necessary start blocking (for now, I only have Snort listening on the WAN interface here)
+ but send the Snort info, alerts and logging to SO, or "mirror" the data to SO (this way, on SO, I can see both internal and external activity)

- send all other logging from pfSense (syslog with system logging and firewall logging) to SO (that would be ELSA I guess; I've seen the post that there is a patch needed to make sure those messages are converted to "one line" messages)

- the SO VM should see all traffic from all other VMs (probably need to allow promiscuous mode on the vSwitch for this), but I still need to figure out how best to capture the LAN traffic from physical hosts

- send the syslog messages from all my network devices, and some servers, to SO

The end goal :
I can use SO as a single console for my network activity

Is the above workable? Are there things which cannot be done, or are advised not to be done?


Thanks

O.



Doug Burks

Aug 1, 2015, 10:20:39 AM
to securit...@googlegroups.com
Hi OLCE,

Replies inline.

On Sat, Aug 1, 2015 at 9:46 AM, OLCE <olivier....@gmail.com> wrote:
>
>
> Hi,
>
> I've a "small" production/lab network (about 50 hosts maximum).
> Currently using EFW (Endian community firewall).
> But I want to move to pfSense (I prefer a powerful, enhanced firewall over a "nice looking GUI").
> At the same time, I would like to add Security Onion into the mix.
> I want to collect info, get insight into the lab network, have an IDS, be able to investigate network activity, etc. It looks like SO is the (only) product for this, and good at it.
>
> So here is what I was thinking :
>
> My network :
>
> INTERNET == MODEM == PFSENSE == LAN --- about 15 physical hosts
>                                  |
>                                  --- ESXI host --- 10 to 30 VM hosts
>                                         |
>                                         ------ VM with SecurityOnion
>
>
>
> - the WAN interface of pfSense has a public IP
> - the ESXi has physical NICs, of which 3 are in use (kept 1 free for future use, like capturing or monitoring)
> - the ESXi is using virtual switches
> - pfSense has Snort active also
> - all LAN is connected to one 24-port Gigabit switch (physical devices and ESXi NICs)
> - pfSense is version 2.2.4-RELEASE (amd64)
>
> Here is what (I think) I want :
> - Install a standalone version of SO (server+sensor) in a VM, and have the sensor monitor my LAN for activity
> - keep Snort on pfSense active, so I can "see what is coming from the outside", in other words, what is hitting the firewall from the outside, and if necessary start blocking (for now, I only have Snort listening on the WAN interface here)
> + but send the Snort info, alerts and logging to SO, or "mirror" the data to SO (this way, on SO, I can see both internal and external activity)
>
> - send all other logging from pfSense (syslog with system logging and firewall logging) to SO (that would be ELSA I guess; I've seen the post that there is a patch needed to make sure those messages are converted to "one line" messages)

I think the patch you're referring to is for an older version of
pfSense. With pfSense 2.2.4, you should just be able to configure it
to send syslog to your Security Onion box and it should work just
fine.

> - the SO VM should see all traffic from all other VMs (probably need to allow promiscuous mode on the vSwitch for this), but I still need to figure out how best to capture the LAN traffic from physical hosts

Have you considered a tap or span port?

> - send the syslog messages from all my network devices, and some servers to SO
>
> The end goal :
> I can use SO as a single console for my network activity
>
> Is the above workable? Are there things which cannot be done, or are advised not to be done?



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
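Once pfSense is forwarding syslog to the Security Onion box, the firewall log arrives as single-line `filterlog:` CSV records. The following is an added example, not code from this thread, from pfSense or from Security Onion: it parses those records and answers the "what is hitting the firewall from the outside" question by listing external sources whose blocked inbound packets touched several destination ports. The field order follows pfSense's documented filterlog layout (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then protocol fields); the sample lines are constructed, and the hostname, addresses and the WAN interface name `igb0` are assumptions.

```python
"""Parse pfSense 2.2.x 'filterlog' syslog records and flag noisy blocked WAN sources.

Added example, not code from the thread, from pfSense or from Security Onion.
Sample lines below are constructed; hostnames, addresses and the interface
name igb0 are assumptions.
"""
import re
from collections import defaultdict

# Classic BSD syslog prefix as sent over UDP/514: "Mon DD HH:MM:SS host prog: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) filterlog: (?P<csv>.*)$"
)

# pfSense filterlog CSV layout: common fields, then IPv4 header, then protocol fields
COMMON_FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
                 "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id",
               "proto", "length", "src", "dst"]
TCP_FIELDS = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack",
              "window", "urg", "options"]
UDP_FIELDS = ["sport", "dport", "data_len"]

# Constructed sample: three blocked SYNs from one source to three ports, one blocked
# mDNS packet from another source, one passed outbound flow, one unrelated sshd line.
SAMPLE_LINES = [
    "Aug  1 09:48:01 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,49152,22,0,S,1234567890,,65535,,mss",
    "Aug  1 09:48:02 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,49153,23,0,S,1234567891,,65535,,mss",
    "Aug  1 09:48:03 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,49154,3389,0,S,1234567892,,65535,,mss",
    "Aug  1 09:48:04 pfsense filterlog: 5,16777216,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.99,198.51.100.5,5353,5353,58",
    "Aug  1 09:48:05 pfsense filterlog: 72,16777216,,1420000000,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,50111,443,0,S,1111111,,65535,,mss",
    "Aug  1 09:48:06 pfsense sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50222 ssh2",
]


def parse_filterlog(line):
    """Return a dict of named fields, or None if the line is not a filterlog record.

    Only the IPv4 layout is expanded; IPv6 records (different header field order)
    come back with the common fields only.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("csv").split(",")
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    rec.update(zip(COMMON_FIELDS, parts))
    rest = parts[len(COMMON_FIELDS):]
    if rec.get("ipver") != "4":
        return rec
    rec.update(zip(IPV4_FIELDS, rest))
    rest = rest[len(IPV4_FIELDS):]
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP_FIELDS, rest))
    elif rec.get("proto") == "udp":
        rec.update(zip(UDP_FIELDS, rest))
    return rec


def blocked_inbound_by_source(lines, iface="igb0", threshold=3):
    """Map source IP -> sorted distinct destination ports for packets the firewall
    blocked inbound on `iface`, keeping only sources that touched at least
    `threshold` ports (a crude port-scan indicator for the WAN side)."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if not rec or rec.get("action") != "block" or rec.get("direction") != "in":
            continue
        if rec.get("iface") != iface or "dport" not in rec:
            continue
        ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for src, dports in blocked_inbound_by_source(SAMPLE_LINES).items():
        print(f"{src} probed blocked ports {', '.join(dports)} on the WAN interface")
```

The split is deliberately positional rather than a generic CSV parse: empty fields (ECN, ACK number, urgent pointer) are legitimate in this format, so the parser must keep them to stay aligned. Feed it the lines ELSA stores for the pfSense host, or pipe `tail -f` of the received syslog into it for a quick WAN-side view while the Snort rules are being tuned.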

OLCE

Aug 1, 2015, 5:01:11 PM
to security-onion
Doug,

Thanks for the feedback.

- pfSense logging: I'll try that when I move my pfSense into place.
What about mirroring the Snort info from the Snort instance on the firewall itself to Security Onion? Can it be done?

- as for the tap/span port: I was planning to try a span port on the switch first, yes.


Other question : I saw in some screenshots about the SO build, the extra menu options like these : NSM, IDS Rules, etc...
for example : http://blog.securityonion.net/2011/06/security-onion-20110614.html

I saw your comment in another post :

The desktop shortcuts aren't created by any packages. I created them
manually when building our ISO image. If you need them, you can
create them manually or copy them from our ISO image.
(https://groups.google.com/forum/#!searchin/security-onion/desktop$20menu/security-onion/3otO5CQbqr4/7Lm247TJU7QJ)

I used the latest ISO to install SO on a VM, should the menu options be there? or are they only in the live CD ?

Thanks
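Whether the sensor's sniffing interface is fed by a switch span port or by a vSwitch with promiscuous mode allowed, the first thing to verify is that it actually sees frames exchanged between other hosts and not just its own traffic plus broadcasts. The following is an added example (not code from this thread or from the Security Onion project) that classifies the link-layer headers printed by `tcpdump -e -nn -i <iface>`: unicast frames where neither MAC belongs to the sensor are only visible through a working span/tap or promiscuous port, so their presence is the evidence to look for. The capture lines and MAC addresses below are constructed; `SENSOR_MAC` is an assumed address for the sensor's sniffing NIC.

```python
"""Check that a Security Onion sniffing interface sees mirrored (third-party) traffic.

Added example, not code from the thread or from Security Onion. Parses the
'src > dst, ethertype ...' link-layer header that `tcpdump -e -nn` prints.
Capture lines and MAC addresses are constructed for illustration.
"""
import re
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# timestamp, source MAC, ' > ', destination MAC, then ', ethertype ...'
FRAME_RE = re.compile(rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}),")

SENSOR_MAC = "00:0c:29:de:ad:50"  # assumed MAC of the sensor's sniffing NIC

# Constructed: what a correctly mirrored port shows (SSH between two other hosts,
# an ARP broadcast, an mDNS multicast, and a ping addressed to the sensor itself).
SPAN_CAPTURE = [
    "09:48:06.000001 00:0c:29:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.20.50111 > 192.168.1.30.22: Flags [S], seq 1, win 65535, length 0",
    "09:48:06.000002 00:0c:29:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.30.22 > 192.168.1.20.50111: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "09:48:06.000003 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "09:48:06.000004 00:0c:29:aa:bb:cc > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 192.168.1.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (48)",
    "09:48:06.000005 00:50:56:de:ad:01 > 00:0c:29:de:ad:50, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.50: ICMP echo request, id 1, seq 1, length 64",
]

# Constructed: what a non-mirrored port shows (only broadcast and the sensor's own frames).
NO_SPAN_CAPTURE = [
    "09:49:00.000001 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "09:49:00.000002 00:50:56:de:ad:01 > 00:0c:29:de:ad:50, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.50: ICMP echo request, id 1, seq 2, length 64",
]


def classify_frame(src, dst, own_mac):
    """Classify one frame from the sensor's point of view."""
    own_mac = own_mac.lower()
    if int(dst[:2], 16) & 1:
        # Group bit set: broadcast or multicast. Every NIC on the segment sees these,
        # so they are no evidence that mirroring works.
        return "broadcast/multicast"
    if dst.lower() == own_mac or src.lower() == own_mac:
        return "own"
    # Unicast between two other hosts: only visible via span/tap or a promiscuous vSwitch port.
    return "third-party unicast"


def summarise_capture(tcpdump_lines, own_mac):
    """Count frames per class; lines that are not link-layer headers are ignored."""
    counts = Counter()
    for line in tcpdump_lines:
        m = FRAME_RE.match(line)
        if m:
            counts[classify_frame(m.group("src"), m.group("dst"), own_mac)] += 1
    return counts


def sees_mirrored_traffic(tcpdump_lines, own_mac, min_frames=1):
    """True when the interface observed at least `min_frames` third-party unicast frames."""
    return summarise_capture(tcpdump_lines, own_mac)["third-party unicast"] >= min_frames


if __name__ == "__main__":
    for name, capture in (("span", SPAN_CAPTURE), ("no span", NO_SPAN_CAPTURE)):
        print(name, dict(summarise_capture(capture, SENSOR_MAC)),
              "mirrored traffic seen" if sees_mirrored_traffic(capture, SENSOR_MAC) else "NO mirrored traffic")
```

In practice, capture a short sample with `tcpdump -e -nn -i <sniff-iface> -c 500 > capture.txt` and feed the lines to `summarise_capture`. If only `own` and `broadcast/multicast` show up, the span session or the vSwitch port group security policy (promiscuous mode must be set to Accept) is not doing what was intended. Note that promiscuous mode on a vSwitch only exposes traffic that transits that vSwitch; to also see the physical hosts, the switch span port has to land on an ESXi uplink of the vSwitch the sensor's sniffing vNIC is attached to, for which the spare physical NIC mentioned above is a natural candidate.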

Doug Burks

Aug 1, 2015, 7:40:16 PM
to securit...@googlegroups.com
Replies inline.

On Sat, Aug 1, 2015 at 5:01 PM, OLCE <olivier....@gmail.com> wrote:
> Doug,
>
> thanks for the feedback
>
> - pfsense logging : I'll try that when I move my pfsense into place
> what about mirroring the snort info from the snort instance on the firewall itself, to security onion? can it be done?

Yes, it can be done, but it is beyond the scope of this mailing list.

> - as for the tap/spanport : I was planning to try a spanport on the switch first, yes
>
>
>
>
> Other question : I saw in some screenshots about the SO build, the extra menu options like these : NSM, IDS Rules, etc...
> for example : http://blog.securityonion.net/2011/06/security-onion-20110614.html

That blog post is from 2011 and is for an old version of Security
Onion. It doesn't reflect the menu and shortcuts of the current
version of Security Onion.

> I saw your comment in another post :
>
> The desktop shortcuts aren't created by any packages. I created them
> manually when building our ISO image. If you need them, you can
> create them manually or copy them from our ISO image.
> (https://groups.google.com/forum/#!searchin/security-onion/desktop$20menu/security-onion/3otO5CQbqr4/7Lm247TJU7QJ)
>
> I used the latest ISO to install SO on a VM, should the menu options be there? or are they only in the live CD ?

If you used our ISO image, you should have some desktop shortcuts and
some menu options (although not the same menu options as shown in your
2011 hyperlink above).

OLCE

Aug 2, 2015, 4:31:37 AM
to security-onion

OK,

thanks for the info.
