Home IDS/IPS setup

zenlakin

Morning all. I am looking to do some more with my lab and want to expand a bit now that I have a larger space for some more equipment in my new place. I am looking to deploy an IPS inline between my modem and wireless router and was just wanting to start a thread to get some current recommendations on what you all might be doing in your home labs. Looking to be able to monitor all traffic coming into and going out of my network. Additionally I am thinking I may also want to deploy an IDS in the inside of my wireless router as well to get a better view of traffic going out of my network prior to hitting my router? Thanks all and look forward to hearing what you guys have in mind and what equipment you are using.

nelson8403

Do you have the ability to run virtual machines or an ESXi host? You can download the Cisco NGIPSv and run that on your machine and set that in line. For an IDS I'd recommend setting up a virtual machine running security onion and forwarding your logs there (or using splunk they have a free trial) to collect your logs then compare it in security onion

zenlakin

Yes, I do have the ability to run VM's and was even thinking about building another machine or possibly 2 and make those my IPS on the outside and IDS on the inside. Then I am thinking I just need a managed switch capable of port mirroring for the IDS? Or maybe just run 2 NICs on my IDS and IPS machine and run everything inline?

zenlakin

Any thoughts or better suggestions? I was thinking of running out and getting a managed switch today before rush hour traffic hits. LOL!

BlackBeret

I have an older machine running eSXI with pfSense and Security Onion. I did it mostly to learn them more indepth, but it sounds like it would work great for what you want. If I had two boxes I would have pfsense on the outside and Security Onion on the inside monitoring what got through.

zenlakin

Awesome and thanks BlackBeret. And for your machine on the outside did you do dual NICs so that you would have one NIC connected to the internet and the other cable to your router to ensure that all traffic ingress and egress would pass through your monitoring machine?

alias454

And for what it's worth, I too am working with security onion and can attest to its simplicity of setup. Stuff doesn't get much easier than that to get running. Learning what all it does is a different story but getting started is cake.

zenlakin

Good to hear Alias. Could you share a little more about your hardware setup as well?

zxshockaxz

I was running alienvault's OSSIM on an ESXI host for a while. It was running mostly as an out of band IDS, but it does have some interesting features.. I ran into unrelated hardware problems and ended up taking it offline, but it may be worth looking into as well

BlackBeret

I do have dual NICs on it, I used eSXI to configure multiple virtual NIC's as well as that there's a different IP for the management interfaces of each. pfsense is configured as the IPS so everything has to pass through it, security onion is configured as the IDS and monitoring workstation and monitors "all" on the virtual NIC so that it sees everything passing by, but isn't actually sitting in line.

zenlakin

Awesome. Thanks again BlackBeret. I think that is what I will end up doing as well given that it is just for my home setup. Just need to put together some specs for a decent ESXi server and get that built and throw a couple NICs in it.

renacido

zenlakin wrote: »

Awesome. Thanks again BlackBeret. I think that is what I will end up doing as well given that it is just for my home setup. Just need to put together some specs for a decent ESXi server and get that built and throw a couple NICs in it.

Check Craigslist and you might find very good hardware for your ESXi server very cheap. I recently picked up a used Dell PowerEdge 2950 server with 2x4 Xeon CPUs, 16GB RAM, 2x1Gbps NICs, 3xPCIe slots, and 2X500GB SATA HDD's for $130. Perfect for home lab. Got vSphere running on mine and was using Sophos UTM and pfsense for my FW/IPS combo but I might switch up soon and play with something else. Security Onion looks very interesting.

zenlakin

I was thinking of doing something like this, https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/069/original/Snort-IPS-Tutorial.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1455305433&Signature=5v0WbfUPhUnFLQ6pKXQHHPXhmpA%3D but I was thinking I wanted my IPS on the outside of my router in between my cable modem and wireless router.

alias454

I also am running it on an ESXi host for testing. The Onion VM is only using 40GB of disk, 2vCPU's, 2GB of RAM and a single NIC. I don't have it setup inline because I am just feeling it out to get some familiarity with the components.

zenlakin

Awesome, thanks again for the replies. I think I am going to build 2 systems and run one in between my cable modem and wireless router which will have 3 NICs and be used as my IPS and another on the inside of my network that won't be inline and that will run as just an IDS. Now I just need to get my hardware specs in order for both machines. I am thinking that I won't need too much power since it is just my home network.

dmoore44

One of the guys at TripWire has a blog post about deploying Bro with Logstash and Kibana on a RPi2 - it looks pretty slick, and is certainly cheap enough.

alias454

^^ that is awesome. I have my PI sitting right here on my desk and have been trying to think of something cool to do with it. this looks like it could be it.

zenlakin

That definitely looks like a fun project for sure and something I could definitely do for my IDS on the inside of my network. Then I would just need to build one machine for the outside to use as my IPS. Should be fun.

HugePerch

Where do I get hold on NGIPSv if Im not a Cisco partner?

dhay13

well i will help resurrect this thread...lol. my 'demarcation' point is in my living room and my wife will not go for me having a full-sized appliance/server for IDS/IPS. i have a few extra wireless routers laying around. anyone have any luck installing IPCop or any other OS on one and use it as a firewall/IDS? or is it possible to convert one to a hub? i could then install that between my modem and router and tap into that to connect to my IDS in my basement

iBrokeIT

Why not go this route? https://www.pfsense.org/products/

dhay13

pfsense would be great. i have used it before. but i am trying to keep costs down and install it on something i already have and try to maintain a small footprint to keep the wife happy. i was thinking if i could install it on one of my old routers then i could run an ethernet cable to my basement. or if i could take my existing router (Linksys E2000 and also have a Linksys E3200) and have it transmit all data to all ports then i could just tap into that. actually that may be my best bet if that is possible. my main objective is for training purposes more than actual network hardening. it has been awhile since i have done any IDS work, or even firewall configuration and i wanted to refresh my memory and get back into it again. i could just install a host based IDS on my laptop but what fun is that

dhay13

after thinking it over, i figured out a good way of doing it but i need to come up with another box to install the IDS and i can have it set up in my basement