Lab network assistance requested
Hello all,
I was hoping you guys could help me with redoing my lab. I originally posted this on another forum, but I just can't wait! lol, actually it's more that I prefer not to browse the net on an IDS computer...
I am adding in NIDS and HIDS capability, and hopefully I suppose this is a decent time to get hands on with iptables or whatnot.
In any case, this is a quick rundown of the lab:
cable modem
|
IDS-PC: Laptop running Security Onion. Snort IDS / OSSEC, other tools, 2 NICs
|
Home router running DD-WRT, private IPs
| | |
3 PCs running Windows 7 and VMs.
Here's a diagram:
My issue at this point is configuring the first PC. (IDS-PC)
It is plugged into the modem on eth0. It received a public IP from the ISP.
It is plugged into the router on eth2; I assigned it a public IP near the ISP-assigned one.
The interface is up but of course there is no data transfer. My PCs on the internal LAN (2/3/4) cannot reach the Internet.
I'm fairly certain this is a routing issue, but I wanted to ask since it might have to do with the IDS PC not being really set up? Perhaps when I go through the setup, it will configure the interfaces as needed?
I know that were IDS-PC a router it would have a public IP on one side and an internal IP on the other; is this an issue here?
I'll leave the questions here for now. I look forward to hearing from you.
Comments
RobertKaucher Member Posts: 4,299
SephStorm wrote: »
I know that were IDS-PC a router it would have a public IP on one side and an internal IP on the other; is this an issue here?
I'll leave the questions here for now. I look forward to hearing from you.
Yes, this is the issue. Your IDS is between the "router" and the Internet; it is not sharing a mirrored port or something similar, so it must route the traffic to the other device.
SephStorm Member Posts: 1,731
How do I resolve this? It sounds like port mirroring would be the best idea?
RobertKaucher Member Posts: 4,299
SephStorm wrote: »
How do I resolve this? It sounds like port mirroring would be the best idea?
Since this is a home lab I would say buy a cheap hub at your local Best Buy as your router is not likely to support that. Place it between the router and the Internet connection and plug the IDS PC in to that as well. If it does support it, then yes, that is what I would do!
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
Since this is a home lab I would say buy a cheap hub at your local Best Buy as your router is not likely to support that. Place it between the router and the Internet connection and plug the IDS PC in to that as well. If it does support it, then yes, that is what I would do!
He could also build a tap as discussed here:
Make a Passive Network Tap
Hubs WILL slow down your network. Also, do you plan on putting OSSEC on your Windows 7 machines?
SephStorm Member Posts: 1,731
Thankfully they don't seem to regularly sell hubs here where I am. I do have a switch that supports port mirroring. My concern was whether that would have any effect on my traffic from that PC on the mirrored port.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
SephStorm wrote: »
Thankfully they don't seem to regularly sell hubs here where I am. I do have a switch that supports port mirroring. My concern was whether that would have any effect on my traffic from that PC on the mirrored port.
You can order one. You could also order a tap online as well.
SephStorm Member Posts: 1,731
Okay, here is the current, reconfigured lab.
Now at this point it looks like everything has network access, but I am wondering about the IDS PC.
It has two interfaces, one of which is connected to the mirrored port; what goes into the other?
I know Snort deals with two networks, the internal network and the external network, but I'm not sure how this knowledge should be applied...
Fugazi1000 Member Posts: 145
A typical IDS will have 2 ports in use: an 'out of band' management (OOBM) port and the port 'watching' the traffic via a SPAN/mirror port. The OOBM is what you use to access remotely, or to send logs/alerts back to a central location. The port connected to the mirror port should transmit no data at all. If your IDS is a PC with appropriate software you could access the UI directly with no need for the OOBM port.
SephStorm Member Posts: 1,731
Okay, out of band, got it. What should that port be connected to? Is there any configuration needed?
I assume by appropriate software you mean something like SSH?
Fugazi1000 Member Posts: 145
I'm not familiar with Security Onion, but I see reference to a local GUI on the LiveCD. If so, no need to use the OOBM port. If you want to access the IBM laptop remotely (for any reason) then you would enable and use the port. It would connect (in your case) to your internal network. Enabling SSH will let you admin the instance. There should be no routing and no way for packets to traverse 'through' the IBM laptop, so still secure. Production deployments would generally have dedicated subnets/VLANs firewalled for the OOBM network.
SephStorm Member Posts: 1,731
Wouldn't the laptop need an IP address to be reached via SSH?
Fugazi1000 Member Posts: 145
Of course. The comment above, 'enable and use the port', implied a suitable IP configuration.
SephStorm Member Posts: 1,731
I'm sorry, there is a point of conflict here. I'm going to try something here, see if it works.
Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.
I'll let you guys know how it works out.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
SephStorm wrote: »
I'm sorry, there is a point of conflict here. I'm going to try something here, see if it works.
Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.
I'll let you guys know how it works out.
Make sure you put your laptop's NIC in "monitor mode". I am going to take a look at Security Onion this weekend. I have the ISO downloaded, just need to get to it.
MentholMoose Member Posts: 1,525
SephStorm wrote: »
I'm sorry, there is a point of conflict here. I'm going to try something here, see if it works.
Basically what I'm going to do is try to install SnortSP Beta3, integrate it with Sguil, then set it for inline bridging, throw it on the mirror port and run the setup.
I'll let you guys know how it works out.
Configure Snort to passively listen on a NIC (the one connected to the mirrored switch port). You could then set up the management interface on the other NIC. I used to have a similar setup on my home network and it works fine.
MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
SephStorm Member Posts: 1,731
Okay, I see where part of the disconnect is: inline bridging vs. mirroring. So let's try two different scenarios.
1. Can I use bridging in my current setup, and how?
2. If I want to do port mirroring (I assume Snort will activate 1 port automatically as the listening port; if not, I could use a pointer), how do I set up the management interface?
Bl8ckr0uter Inactive Imported Users Posts: 5,031
SephStorm wrote: »
Okay, I see where part of the disconnect is: inline bridging vs. mirroring. So let's try two different scenarios.
1. Can I use bridging in my current setup, and how?
No. You would have to change your setup. Port mirroring would work better.
SephStorm wrote: »
2. If I want to do port mirroring (I assume Snort will activate 1 port automatically as the listening port; if not, I could use a pointer), how do I set up the management interface?
I would have to look in Security Onion's GUI, but it should be pretty easy if you have two NICs.
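The two-NIC sensor layout the replies converge on (a sniffing NIC on the switch's mirror port that transmits nothing, a management NIC with an address on the internal LAN for SSH), as an added shell example that is not from any poster: it brings up both interfaces and checks that the sniffing one holds no address and has sent no packets. Interface names, the management address and the gateway are assumptions for a home lab; run with DRY_RUN=1 to print the commands instead of executing them (the real commands need root).

```shell
#!/bin/sh
# Added example, not from the thread. Two-NIC passive sensor:
#   SNIFF_IF  cabled to the switch's mirror/SPAN port, listens only
#   MGMT_IF   on the DD-WRT LAN, the only way into the sensor (SSH)
# Interface names and addresses below are assumptions; adjust to your lab.
SNIFF_IF="${SNIFF_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth0}"
MGMT_ADDR="${MGMT_ADDR:-192.168.1.50/24}"   # assumed free address on the LAN
MGMT_GW="${MGMT_GW:-192.168.1.1}"           # assumed DD-WRT router address
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands, do not run

# Print (dry run) or execute one command.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sniffing NIC: no IP, no ARP, no IPv6 autoconfig, promiscuous so it accepts
# frames for every MAC, offloads off so Snort sees packets as on the wire.
setup_sniff_if() {
    run ip addr flush dev "$1"
    run sysctl -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ip link set dev "$1" arp off multicast off promisc on up
    run ethtool -K "$1" gro off lro off tso off gso off rx off tx off
}

# Management NIC: an ordinary host address plus a default route.
setup_mgmt_if() {   # $1 = iface, $2 = addr/prefix, $3 = gateway
    run ip addr replace "$2" dev "$1"
    run ip link set dev "$1" up
    run ip route replace default via "$3" dev "$1"
}

# A sniffing NIC is silent when the text of `ip -o addr show dev IFACE` ($1)
# carries no inet/inet6 address and its TX packet counter ($2) is zero.
sniff_if_is_silent() {
    case "$1" in *"inet "*|*"inet6 "*) return 1 ;; esac
    [ "$2" -eq 0 ]
}

# Read the live values for an interface and run the check above.
check_live_sniff_if() {
    sniff_if_is_silent "$(ip -o addr show dev "$1")" \
        "$(cat "/sys/class/net/$1/statistics/tx_packets")"
}

if [ "${1:-}" = apply ]; then
    setup_sniff_if "$SNIFF_IF"
    setup_mgmt_if "$MGMT_IF" "$MGMT_ADDR" "$MGMT_GW"
    check_live_sniff_if "$SNIFF_IF" && echo "$SNIFF_IF is silent"
fi
```

If the TX counter on the sniffing NIC keeps climbing after this, something on the sensor is still talking out of the mirror-port interface and the LAN can see the IDS.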
MentholMoose Member Posts: 1,525
So what's the latest, have you made any progress?
MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV