Webbreacher of the Hacking and Hiking blog wrote a great piece on setting up SecurityOnion to monitor your home network and gave us permission to repost. You can find the original version that he is maintaining here. Enjoy!
If you’ve read any of my other posts you’ll know I’m a geek. But when it came to my home network, I tried to keep it simple. In fact, for network security, I took a policy-based rather than a technical approach. The policies were in the form of agreements between my kids, my wife and me that they would “do the right thing” and “tell Daddy if something bad happened”. Well, OK, it was a little more than that.
What I found was that having agreements without security monitoring and enforcement to ensure the agreements were being upheld made a poor system. My network was increasingly used by a large variety of devices from phones and tablets to work devices and streaming TV equipment to game consoles and Arduino gadgets. I had to get control over what was flowing in and out of my home.
Internet Safety Agreements
But first, I want to share that there are some very good sites (see below) that have information for technical and non-technical parents to help keep their kids safe online. The primary methods are to be involved in your child’s online activities and to educate them. These are good starting points.
Download them. Read them. Go over them with your kids. Put them on the walls near where the kids use computers in your home.
Know what? Talk to anyone who will listen about this stuff. I find that a lot of older adults are using the Internet but that my kids know more about cyber-security than they do. Educate adults too! If you have parents or a neighbor who use computers, send them those links. There is good, easy-to-digest info on those pages.
Monitoring Network Traffic
The first step I wanted to undertake on my home network was to gain insight into what was really happening on it. Were some of my systems and network devices (like printers, streaming TV units, game consoles) already compromised? What sites were my kids visiting on the Internet? And most importantly, how could I gain this visibility at low cost or even for free? I definitely wanted something that’d give me this insight, with a few constraints:
- I wanted it to not affect the performance (the speed of traffic moving to and from the Internet) of my home network
- I wanted something easy that I could set up fast and see things immediately
- It had to work on the existing hardware (old computers) I had laying around the house
Architecture & Equipment
Typical Home Network
Before I get into the SecurityOnion description (see my next blog post), I need to say a bit about home network architectures. In many home networks in the US, people use the router that their service provider gives them for their WIFI and network connection. If this is the case for your network, you’ll need a little bit more equipment to pull off what I did. The reason has to do with being able to see all the data flowing across your network.
In this layout, a home is connected to the Internet via the router or modem that the service provider (in the US we have some big ones like Verizon, Cox, Xfinity, etc.) gave you when you signed up with them. These devices usually come with WIFI capabilities and several “network ports” on the back of the device to plug in network cables for wired devices.
The issue for network monitoring (and IDS implementation) is “How do we see the traffic on the home side of the router?” This is easy for the wired connections (see below), but since the router is also being used as the WIFI access point, we cannot intercept that wireless traffic before it is sent to the Internet. Because of how these routers work, usually using something called NAT or Network Address Translation, we need to see the traffic before it gets to the router in order to really be able to track which system is sending what data.
Home Network with Monitoring Capabilities
In the above diagram, all devices inside the home send traffic directly to the router. What we need to do is insert a device between the devices and the router. The device we’ll use is called a switch. Think of it as something similar to a USB hub. Over a single USB cable running from the hub to the computer, you can connect multiple USB devices and send their data through that uplink USB cable. That is what we’ll do here. We get a switch and uplink it to the router using network cables. All the other devices will connect to it.
So, here is where it gets a little more expensive. See, you’ll need to use a different device for your WIFI and then shut off the WIFI on the router. Check out the diagram below.
I’ve added two orange boxes. One is for the switch I spoke about earlier. The other is for that WIFI access point. Let’s focus on the switch for just a moment. Some of you will know that network switches come in many flavors and designs. We need one with a special feature: a SPAN or mirror port. This capability allows a user to configure one of the network connections on the switch to hear all the traffic from all the other ports. This is ideal for an Intrusion Detection System (IDS), as we need to be able to see all the traffic.
I found just such a switch from Amazon. It is a Netgear ProSAFE 8 port Gigabit Switch. It was small, gigabit Ethernet, and allowed me to set up a mirrored port. Of course you can use other devices such as a passive/active network tap or even a more Enterprise-level switch like a Cisco 2950 (which, incidentally, are selling on eBay for less than the brand new Netgear). But I wanted simple. So for the switch, I bought the Netgear.
I’ll let you decide what kind of wireless access point you get. Whatever one you get, you’ll want to ensure that it only acts as an access point and not a router. We want the provided router/modem to still give devices addresses on the network. The wireless access point should be plugged into the switch.
Now we add the IDS by configuring a mirror port on the switch and connecting the device as shown below. Notice we have added the red “SecurityOnion IDS” device via a one-way (listen-only) connection to the switch and then set up a secondary connection to that same switch for management traffic to the IDS. If we don’t have this second connection, then we cannot perform look-ups on systems or get updates on the IDS. You could also plug this management connection right into the router but, if you do, some of your network traffic will not be alerted on: the IDS’s own traffic to the Internet would bypass the mirrored switch and therefore the IDS. I didn’t want this.
One last thing before moving on to the SecurityOnion configuration. I mentioned that this configuration had to be easy and use existing parts. I had an old laptop lying around and wanted to use it for this purpose. The problem was that it had WIFI and a single wired network port. I used the wired port for the IDS listener (attached to the mirrored port on the switch). I couldn’t get the WIFI card to attach to my home wireless access point, so I bought a TRENDnet 10/100 USB to Ethernet adapter that gave me an extra wired adapter (for management traffic). Works beautifully!
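One check worth doing once the listener port is cabled to the mirror port, written here as an added example and not part of the original post: capture a handful of frames on the sniffing interface with `tcpdump -e -n` and look at who is talking to whom. A correctly mirrored port shows unicast frames between other hosts (and gives the pre-NAT, per-device view of who is sending what); a plain switch port only ever shows broadcasts, multicast and the sensor’s own traffic. The MACs, IPs and capture lines below are constructed, and the sniffing NIC’s MAC is an assumed value.

```python
import re
from collections import Counter

# Constructed `tcpdump -e -n` lines as the sensor's sniffing NIC would show them.
# MACs are made up; the sniffing NIC is assumed to be aa:bb:cc:00:00:99.
SENSOR = "aa:bb:cc:00:00:99"
MIRRORED = """\
12:00:01.000001 aa:bb:cc:00:00:10 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 93.184.216.34: ICMP echo request
12:00:01.000002 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:10, ethertype IPv4 (0x0800), length 98: 93.184.216.34 > 192.168.1.10: ICMP echo reply
12:00:01.000003 aa:bb:cc:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20
12:00:01.000004 aa:bb:cc:00:00:20 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.1.20.51000 > 203.0.113.5.443: Flags [S]
12:00:01.000005 aa:bb:cc:00:00:20 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.1.20.51001 > 203.0.113.5.443: Flags [S]
"""
# What a plain (non-mirrored) switch port shows: broadcasts, multicast, and the sensor's own frames.
NOT_MIRRORED = """\
12:00:02.000001 aa:bb:cc:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20
12:00:02.000002 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:99, ethertype IPv4 (0x0800), length 74: 192.168.1.1.53 > 192.168.1.99.40000: 1 A 93.184.216.34
12:00:02.000003 aa:bb:cc:00:00:10 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 192.168.1.10.5353 > 224.0.0.251.5353: 0 PTR? _services._dns-sd._udp.local.
"""

# Link-layer header that `tcpdump -e -n` prints at the start of every line.
FRAME_RE = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype (?P<proto>\w+)")

def is_group_addr(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def parse_frames(capture_text):
    """Return (src, dst, ethertype) per line; lines without an Ethernet header are skipped."""
    return [(m["src"].lower(), m["dst"].lower(), m["proto"])
            for m in map(FRAME_RE.match, capture_text.splitlines()) if m]

def mirror_check(frames, sensor_mac=SENSOR):
    """A working mirror port delivers unicast frames between *other* hosts.
    A normal access port only ever shows group traffic and frames to/from the sensor."""
    counts = {"own": 0, "group": 0, "third_party_unicast": 0}
    for src, dst, _ in frames:
        if src == sensor_mac or dst == sensor_mac:
            counts["own"] += 1
        elif is_group_addr(dst):
            counts["group"] += 1
        else:
            counts["third_party_unicast"] += 1
    counts["mirror_ok"] = counts["third_party_unicast"] > 0
    return counts

def talkers(frames, sensor_mac=SENSOR):
    """Frames sent per device MAC: the pre-NAT view of which system is sending what."""
    return Counter(src for src, _, _ in frames if src != sensor_mac)
```

Run `mirror_check(parse_frames(MIRRORED))` against a real capture pasted in place of the sample text; if `third_party_unicast` stays at zero after a minute of normal browsing from another device, the mirror port is not configured or the listener is plugged into the wrong port.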
This is how my network looks. In my next post, we’ll look into the SecurityOnion device further.
Special thanks to Webbreacher again for allowing us to repost!