OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ruggerio on July 23, 2019, 07:55:35 am

Title: opnips in conjunction to opnsense
Post by: ruggerio on July 23, 2019, 07:55:35 am
Hello,

I know I am in the wrong forum, but at @opnidp there is no chance of an answer.

I installed opnidp as a separate IDP from my firewall, using a TAP device. Unfortunately, I am completely inexperienced in that matter. :(

Even if it's a TAP device, I think my networks have to be aware of it. And as it isn't an inline IDP, it makes no sense to place it as the default route.

Could anybody help me with the architecture? Where does the device which has the IPS need to be connected? To the WAN port, in front of the firewall?

How would you do this? Thanks for any proposals or ideas. As it is still WIP for me, I appreciate any information.
Title: Re: opnips in conjunction to opnsense
Post by: bunchofreeds on July 24, 2019, 02:18:50 am
I think it might be hard for people to help without more information as there are so many ways to do this...

What is your goal?
What is your hardware (virtualisation, if any)?
How is your network set up currently?

Answering these might get a few more replies

I have installed OPNIDS as a virtual appliance to see what it was, however I believe it is still a work in progress and not ready for production deployment. So your intended path of having it as a passive TAP in a LAB would be correct from my perspective.

Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on July 24, 2019, 07:28:38 am
First, you are right with work in progress, as the last "release" is 18.9 - but the website says it's production. But after installing it, I got the same impression as you.

What I hoped to get is some ideas, like others have, but it makes it easier for others to see what I would like. And just for information: it's a small home network. So, first let me lay out the existing network:


evil internet --- WAN-Port (Port 1, DHCP)            --- LAN (Port 3, private address) --- LAN-Network: 8-port switch, several VLANs --- NAS, devices, Wifi
                  PC-Engines APU-4 (OPNsense 19.7)   --- DMZ (Port 2, private address) --- DMZ-Network: 8-port switch               --- several LXC containers


Remarks: The PC-Engines APU-4 is the same machine for all mentioned above.

For me, the idea would be to split Suricata off the OPNsense and have OPNids as a passive (I know, it's not inline...) monitor.

- Surveying the internal networks
- Surveying the DMZ
- If possible, surveying the WAN-Port too.

I think having the OPNids in front of the OPNsense would not work for me, as this would make it complicated for servers (web, mail, etc...), as I use Let's Encrypt. I am searching for the "correct" place for the OPNids and I still did not really understand how to get it "sniffing" the networks. Do I still have to do some port mirroring/SPAN for this?

Thx for any ideas on how others have something similar running. I read lots of information, but still have a knot.

Ruggerio
Title: Re: opnips in conjunction to opnsense
Post by: franco on July 25, 2019, 08:24:16 pm
I heard that OPNids is allegedly considering becoming a pure OPNsense plugin. That would simplify these setups...


Cheers,
Franco
Title: Re: opnips in conjunction to opnsense
Post by: bunchofreeds on July 26, 2019, 01:05:20 am
It would certainly be easier if it was a plugin to OPNsense!

The main issue I see will be needing multiple interfaces on OPNids in your instance.

So your intention is only to monitor your traffic using 'IDS' but not be able to control it using 'IPS'.
I believe you would need an interface on OPNids for each network you want to monitor, being WAN, LAN and DMZ. From what I understand, OPNids has two interfaces out of the box being WAN and LAN, but most likely its easy to add additional interfaces assuming you have them physically.

With a TAP setup, the traffic will transparently flow through the TAP, effectively in-line with your network, and then a third port on the TAP goes out to OPNids. So this may not be appropriate as you would need multiple TAPs, one for each network.

Assuming you can create Mirror ports on each of these networks (on the switches that support them), I would probably attempt this and then terminate these to your OPNids appliance.

This would be the least intrusive solution to get to viewing your traffic and be able to help progress the OPNids solution.

There are some caveats though...

Mirror ports only copy traffic at full speed as long as the switch is not overloaded. So at times of high utilisation, you may miss packets etc.
On the LAN and DMZ, you will most likely not be seeing all traffic directly between two physical servers connected to the same switch, as these ports will not be mirrored.

Basically a lot of networking and reading up :)
Fun though!

I hope this helps...
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on July 26, 2019, 07:22:15 am
@franco: this could explain why it rested on 18.9, though, but that would be good news. Having an IDP instead of an IPS with machine learning would be great stuff and many more arguments for OPNsense. And yes, it would simplify things...

@bunchofreeds: the project itself seems to be very interesting; having a TAP interface per network was what I expected to have. But as someone completely inexperienced in that, I am glad to have this information. I read lots, but never got the way.

Lots of caveats, I think. I have now prepared the "WAN" port inside my network (it's called mgt, so I believe it's just a kind of management port, as the TAP shouldn't get an IP, as I read in the OPNids forums). So either you have one separate device with one TAP on your network, where WAN is the effective LAN and a TAP behind it. I did not quite understand the flow, as I did not find any kind of bridge.

Having multiple TAPs per network would make an IP on the TAP necessary, as I cannot imagine how else routing should be defined.

Would you install the opnidp in front of the regular firewall?

Thx
Title: Re: opnips in conjunction to opnsense
Post by: bunchofreeds on July 27, 2019, 12:10:21 am
What are you using as your TAP device?
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on September 04, 2019, 07:48:23 am
Sorry for no reply for such a long time.

I'll try to:

- install OPNids on one PC Engines APU2
-- having one TAP interface per physical network
-- then port mirroring

I still don't understand the TAP thing correctly; I thought the OPNids box would act as a TAP? It seems I still have some knots in my comprehension of this.
Title: Re: opnips in conjunction to opnsense
Post by: bunchofreeds on September 04, 2019, 08:55:54 am
Sorry but I think you will get better advice from the OPNIDS forum https://discourse.opnids.io/

I would not consider myself knowledgeable enough with OPNIDS to provide adequate advice.
My advice however would be to read up on IDS https://en.wikipedia.org/wiki/Intrusion_detection_system and network TAPs https://en.wikipedia.org/wiki/Network_tap
This will hopefully give you some guidance on how to proceed.
Everyone will have a different set of requirements and network capabilities so you will need to complete some learning.

OPNIDS by name would be designed for Intrusion Detection, not Prevention (IPS). This I would 'assume' means it's not intended to be in-line and therefore not intended to stop unwanted network packets. It is only to make you aware that something is happening. To achieve this you would usually put an IDS at the end of a network TAP or off a mirrored port on a switch. The IDS is only receiving copies of the network traffic.
Each interface of an IDS is 'usually' there to consume data. The WAN port will consume data from the WAN port, LAN from LAN...
It would not pass through from WAN to LAN.

Again I recommend you try the OPNIDS forum for further guidance, sorry.

 
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on September 04, 2019, 09:09:18 am
I've been there, but no replies at all. Either my questions are too noob or the forum is kind of "dead".

Title: Re: opnips in conjunction to opnsense
Post by: mimugmail on September 04, 2019, 11:29:40 am
Quote
i still not understand right about the tap-thing, i thought, the opnids-box will act as a tap? it seems, i still have some knots in comprehension about this.

A TAP is a monitoring port/device, nothing more. Usually you configure a monitor port on the switch so that all traffic going to port 1 is copied to port 2. On port 2 you can place Wireshark, Ntop, OPNids, whatever, and analyze.
The benefit is that even if the analyzing device is at 100% CPU you have no network impact.

The second option is to put a system with OPNids installed as a layer 2 bridge. This works the same, but the REAL traffic is going via OPNids, so when the CPU is full you'll have latency. Also I have no idea if OPNids can work in L2 mode.
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on September 04, 2019, 12:25:34 pm
Quote
Usually you configure a monitor port on the switch to copy all traffic going to port 1 copied to port 2.
That's port mirroring, isn't it?
Title: Re: opnips in conjunction to opnsense
Post by: mimugmail on September 04, 2019, 01:01:21 pm
yes
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on September 04, 2019, 01:59:07 pm
Thx a lot for clearing that up!
Title: Re: opnips in conjunction to opnsense
Post by: bunchofreeds on September 05, 2019, 12:11:27 am
Here is an example to try in a lab environment to help with your learning.
Virtualisation is great for this type of thing.

Two networks being WAN and LAN.
Between these networks is a Firewall/Router++ like OPNsense - With two interfaces being WAN and LAN.
The OPNsense WAN Interface connects to the outside world (or a similar network that is able to present alert traffic).
The OPNsense LAN Interface connects to a LAN switch, Port 1.
The LAN Switch is configured to Mirror Port 1 to Port 2 (Copies all traffic from Port 1 to Port 2).
Port 2 is connected to the LAN interface of an OPNids appliance.
All other LAN devices are connected to remaining LAN switch Ports. You will want a test machine on the LAN to consume 'alert' traffic.

In this scenario, the OPNids will see all traffic between OPNsense and the LAN (Basically WAN <> LAN), but may not see traffic directly between two devices on non-mirrored ports of the LAN switch.

I hope this helps - And I'm assuming OPNids operates as I expect as I do not have any experience with it!!
And of course ensure IPS is not being used in OPNsense.
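As an added illustration of the lab above and of the earlier caveat about traffic between two devices on non-mirrored ports (a constructed model written for this thread, not OPNids or OPNsense code): a tiny learning switch with a mirror session from port 1 to port 2, replaying a few made-up LAN flows to show which frames actually reach the IDS. It assumes the monitor port is dedicated (it receives copies only and takes no part in normal forwarding) and uses invented host labels in place of MAC addresses.

```python
from collections import defaultdict


class MirrorSwitch:
    """Learning switch with one mirror (SPAN) session: a copy of every frame
    entering or leaving `mirror_src` is delivered to the dedicated `monitor` port."""

    def __init__(self, ports, mirror_src, monitor):
        self.ports = set(ports)
        self.mirror_src = mirror_src
        self.monitor = monitor              # assumption: copies only, never normal forwarding
        self.mac_table = {}                 # MAC -> port, learned from frame source addresses
        self.delivered = defaultdict(list)  # port -> frames delivered to that port

    def forward(self, in_port, src_mac, dst_mac, label):
        frame = (src_mac, dst_mac, label)
        self.mac_table[src_mac] = in_port            # learn which port src_mac lives on
        if in_port == self.mirror_src:               # ingress on mirrored port -> copy to IDS
            self.delivered[self.monitor].append(frame)
        if dst_mac in self.mac_table:
            out_ports = {self.mac_table[dst_mac]}    # known unicast: exactly one port
        else:
            out_ports = self.ports - {in_port, self.monitor}  # unknown unicast/broadcast: flood
        for port in out_ports:
            self.delivered[port].append(frame)
            if port == self.mirror_src:              # egress on mirrored port -> copy to IDS
                self.delivered[self.monitor].append(frame)


def lab_visibility():
    """Replay constructed flows; report per flow whether the IDS on port 2 saw it."""
    sw = MirrorSwitch(ports=[1, 2, 3, 4], mirror_src=1, monitor=2)
    FW, NAS, PC = "fw-lan", "nas", "pc"  # constructed labels: OPNsense LAN on port 1, NAS port 3, PC port 4
    seen = {}

    def ids_saw(label):
        return any(f[2] == label for f in sw.delivered[2])

    sw.forward(1, FW, "broadcast", "fw-arp")            # FW announces itself; switch learns FW on port 1
    sw.forward(4, PC, FW, "pc->internet")               # WAN-bound: enters the mirrored port 1
    seen["pc->internet"] = ids_saw("pc->internet")
    sw.forward(1, FW, PC, "internet->pc")               # reply from OPNsense: leaves port 1 for port 4
    seen["internet->pc"] = ids_saw("internet->pc")
    sw.forward(4, PC, NAS, "pc->nas (nas unknown)")     # NAS not learned yet: flooded, so a copy exits port 1
    seen["pc->nas (nas unknown)"] = ids_saw("pc->nas (nas unknown)")
    sw.forward(3, NAS, PC, "nas->pc")                   # switch learns NAS on port 3; PC already known on 4
    seen["nas->pc"] = ids_saw("nas->pc")
    sw.forward(4, PC, NAS, "pc->nas (nas learned)")     # pure port 3 <-> 4 traffic never touches port 1
    seen["pc->nas (nas learned)"] = ids_saw("pc->nas (nas learned)")
    return seen
```

The result shows the IDS seeing every WAN <> LAN flow plus a stray flooded frame, but nothing between the NAS and the PC once the switch has learned both MACs, which is exactly the blind spot a single mirrored uplink leaves.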
Title: Re: opnips in conjunction to opnsense
Post by: ruggerio on September 05, 2019, 06:45:08 am
@bunchofreeds, @mimugmail: thx, now I understand. I will test this with my 2nd PC Engines, which has 2 interfaces. I will also have to look at how to configure the NICs on the opnips (they seem to want to have TAP interfaces without an IP).

For me it's an interesting project, not only about IDS as a TAP with port mirroring; I am also interested in how it works with the machine learning engine from over there.

As I have a 600 Mbps download, I have disabled IPS on my sense; it reduces it down to 80 Mbps, which doesn't make my family that happy (transparent proxy with SSL inspection also enabled). Without the IPS, I get at least more than 200 Mbps and no one cries for the moment :)