
Lab network assistance requested

SephStorm Member Posts: 1,731 ■■■■■■■□□□
Hello all,

I was hoping you guys could help me with redoing my lab. I originally posted this on another forum, but I just can't wait! lol, actually it's more that I prefer not to browse the net on an IDS computer...

I am adding in NIDS and HIDS capability, and hopefully I suppose this is a decent time to get hands on with IPTables or whatnot.

In any case, this is a quick rundown of the lab

cable modem
|
IDS-PC: Laptop running Security Onion. Snort IDS/OSSEC, other tools, 2 NICs
|
Home router running DD-WRT, private IPs
| | |
3 PCs running Windows 7 and VMs.

Here's a diagram:
network.png

My issue at this point is configuring the first PC. (IDS-PC)

It is plugged into the modem on eth0. It received a public IP from the ISP.

It is plugged into the router on eth2; I assigned it a public IP near the ISP-assigned one.

The interface is up, but of course there is no data transfer. My PCs on the internal LAN (2/3/4) cannot reach the Internet.

I'm fairly certain this is a routing issue, but I wanted to ask since it might have to do with the IDS PC not being really set up? Perhaps when I go through the setup, it will configure the interfaces as needed?

I know that were IDS-PC a router it would have a public IP on one side and an internal IP on the other; is this an issue here?

I'll leave the questions here for now. I look forward to hearing from you.

Comments

  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    SephStorm wrote: »
    I know that were IDS-PC a router it would have a public IP on one side and an internal IP on the other; is this an issue here?

    I'll leave the questions here for now. I look forward to hearing from you.

    Yes, this is the issue. Your IDS is between the "router" and the Internet; it is not sharing a mirrored port or something similar, so it must route the traffic to the other device.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    How do I resolve this? It sounds like port mirroring would be the best idea?
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    SephStorm wrote: »
    How do I resolve this? It sounds like port mirroring would be the best idea?
    Since this is a home lab I would say buy a cheap hub at your local Best Buy as your router is not likely to support that. Place it between the router and the Internet connection and plug the IDS PC in to that as well. If it does support it, then yes, that is what I would do!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Since this is a home lab I would say buy a cheap hub at your local Best Buy as your router is not likely to support that. Place it between the router and the Internet connection and plug the IDS PC in to that as well. If it does support it, then yes, that is what I would do!

    He could also build a tap as discussed here:
    Make a Passive Network Tap

    Hubs WILL slow down your network. Also do you plan on putting OSSEC on your Windows 7 machines?
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Thankfully they don't seem to regularly sell hubs here where I am. I do have a switch that supports port mirroring. My concern was whether that would have any effect on my traffic from that PC on the mirrored port.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SephStorm wrote: »
    Thankfully they don't seem to regularly sell hubs here where I am. I do have a switch that supports port mirroring. My concern was whether that would have any effect on my traffic from that PC on the mirrored port.

    You can order one. You could also order a tap online as well.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Okay, here is the current, reconfigured lab.

    network2.png

    Now at this point it looks like everything has network access, but I am wondering about the IDS PC.

    It has two interfaces, one of which is connected to the mirrored port, what goes into the other?

    I know Snort deals with two networks, the internal network and the external network, but I'm not sure how this knowledge should be applied...
  • Fugazi1000 Member Posts: 145
    A typical IDS will have 2 ports in use. An 'out of band' management (OOBM) port and the port 'watching' the traffic via a SPAN/mirror port. The OOBM is what you use to access remotely, or to send logs/alerts back to a central location. The port connected to the mirror port should transmit no data at all. If your IDS is a PC with appropriate software you could access the UI directly with no need for the OOBM port.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Okay, out of band, got it. What should that port be connected to? Is there any configuration needed?

    I assume by appropriate software you mean something like SSH?
  • Fugazi1000 Member Posts: 145
    I'm not familiar with Security Onion, but I see reference to a local GUI on the LiveCD. If so - no need to use the OOBM port. If you want to access the IBM laptop remotely (for any reason) then you would enable and use the port. It would connect (in your case) to your internal network. Enabling SSH will let you admin the instance. There should be no routing and no way for packets to traverse 'through' the IBM laptop - so still secure. Production deployments would generally have dedicated subnets/vlans firewalled for the OOBM network.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Wouldn't the laptop need an IP address to be reached via SSH?
  • Fugazi1000 Member Posts: 145
    Of course. The comment above 'enable and use the port' implied a suitable IP configuration.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    I'm sorry, there is a point of conflict here. I'm going to try something here and see if it works.

    Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.

    I'll let you guys know how it works out.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SephStorm wrote: »
    I'm sorry, there is a point of conflict here. I'm going to try something here and see if it works.

    Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.

    I'll let you guys know how it works out.

    Make sure you put your laptop's NIC in "monitor mode". I am going to take a look at Security Onion this weekend. I have the ISO downloaded, just need to get to it.
  • MentholMoose Member Posts: 1,525 ■■■■■■■■□□
    SephStorm wrote: »
    I'm sorry, there is a point of conflict here. I'm going to try something here and see if it works.

    Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.

    I'll let you guys know how it works out.
    You should only use bridging if the device is inline. If one NIC is connected to a mirrored switch port, you don't want the traffic received to be sent out the other NIC (which is what will happen if the NICs are bridged).

    Configure Snort to passively listen on a NIC (the one connected to the mirrored switch port). You could then set up the management interface on the other NIC. I used to have a similar setup on my home network and it works fine.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
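A passive two-NIC sensor of the kind Fugazi1000 and MentholMoose describe above (sniff NIC on the mirror port with no address and transmitting nothing, management NIC on the LAN, no routing or bridge between them), as an added example that is not from the thread or from Security Onion itself. The interface names eth0/eth1 and the `ip addr` output fed to the audit are assumptions.

```shell
#!/bin/sh
# Assumed layout: SNIFF_IF faces the switch mirror port, MGMT_IF sits on
# the internal LAN and carries SSH only. Override via the environment.
SNIFF_IF="${SNIFF_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth0}"

# Print (do not run) the commands that turn SNIFF_IF into a silent
# listener: no address, no ARP, promiscuous, offloads off so Snort sees
# real wire-size frames, and no forwarding so nothing traverses the box.
# Review the plan, then apply as root with: sniff_iface_plan eth1 | sh
sniff_iface_plan() {
    iface="$1"
    cat <<EOF
ip addr flush dev $iface
ip link set dev $iface arp off
ip link set dev $iface multicast off
ip link set dev $iface promisc on
ip link set dev $iface up
ethtool -K $iface gro off lro off
sysctl -w net.ipv6.conf.$iface.disable_ipv6=1
sysctl -w net.ipv4.ip_forward=0
EOF
}

# Audit that the sensor really is passive. Arguments: the text of
# 'ip addr show dev $SNIFF_IF', the contents of
# /proc/sys/net/ipv4/ip_forward, and the output of
# 'ip -o link show type bridge'. Returns 0 when passive, 1 otherwise.
audit_passive() {
    addr_out="$1"; fwd="$2"; bridges="$3"; rc=0
    if printf '%s\n' "$addr_out" | grep -Eq '^[[:space:]]*inet6? '; then
        echo "FAIL: $SNIFF_IF has an IP address; a mirror-port NIC needs none"
        rc=1
    fi
    if ! printf '%s\n' "$addr_out" | grep -q 'PROMISC'; then
        echo "FAIL: $SNIFF_IF is not in promiscuous mode"; rc=1
    fi
    if [ "$fwd" != "0" ]; then
        echo "FAIL: ip_forward=$fwd; the sensor must not route between NICs"
        rc=1
    fi
    if [ -n "$bridges" ]; then
        echo "FAIL: a bridge exists; NICs are bridged only for inline use"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $SNIFF_IF is passive, manage via $MGMT_IF"
    return "$rc"
}
```

Running the audit with live values: `audit_passive "$(ip addr show dev eth1)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip -o link show type bridge)"`.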
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Okay, I see where part of the disconnect is: inline bridging vs. mirroring. So let's try two different scenarios.

    1. Can I use bridging in my current setup and how?

    2. If I want to do port mirroring (I assume Snort will activate one port automatically as the listening port; if not, I could use a pointer), how do I set up the management interface?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SephStorm wrote: »
    Okay, I see where part of the disconnect is: inline bridging vs. mirroring. So let's try two different scenarios.

    1. Can I use bridging in my current setup and how?


    No. You would have to change your setup. Port mirroring would work better.
    SephStorm wrote: »
    2. If I want to do port mirroring (I assume Snort will activate one port automatically as the listening port; if not, I could use a pointer), how do I set up the management interface?

    I would have to look in Security Onion's GUI, but it should be pretty easy if you have two NICs.
  • MentholMoose Member Posts: 1,525 ■■■■■■■■□□
    So what's the latest, have you made any progress?
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV