Bare Metal or VM and Snort or Suricata?

Hi everyone.

I am currently sitting with a dilemma around my firewall (pfSense). I have run VM and bare metal. Honestly I like the VM for the robustness and quick recovery from disasters (it did happen once and I can’t remember what caused it). I can also dedicate a whole device for a bare metal installation, as I have 2 servers available.

What is in part driving this dilemma is the desire to experiment with having Snort run on the firewall to be able to do application level intrusion detection and prevention. Or use Suricata on the firewall to do the same. Alternatively I can run Clear NDR between the LAN devices and the firewall (VM or bare metal). I can also run Clear NDR between the WAN connection and the firewall (VM or bare metal). Clear NDR is currently a successor to SELKS. I have looked at Security Onion as an application that does SIEM. If Security Onion can do IDS/IPS, I am keen to revisit it. It just means a lot of research. The way I got SELKS and Clear NDR to work was through bridging interfaces and forwarding traffic on the bridges to detect and prevent intrusions. SELKS and Clear NDR can take detections and transform them into rules. Both use Suricata for IDS/IPS.

Going the Snort route, I would have to go the pfSense installation option (VM or bare metal). This will require fine tuning from what I can remember from one of Tom’s videos on Suricata. Yes, it’s also not a set-and-forget scenario. Unfortunately SELKS and Clear NDR are the same, however they offer on-the-fly rule transformations after detection.

Any suggestions, criticisms and information will be helpful.

fugglefeet

Never used Clear NDR but I prefer to run pfSense bare metal.

There is also Wazuh if you are up for setting that up.

Clear NDR seems to include Arkime which has insane hardware requirements and would only be reasonable on a professional setup with a non-skimpy budget. This is also the reason why I have not used Malcolm (take a look at it, it is not as well known but government-driven for critical infrastructures).

Security Onion sensors run Suricata and Zeek by default. They also do full packet capture if some signature matches.

Some people who work professionally with packet capture say that you should prefer bare metal specifically for that part, i.e. run Zeek and Suricata on bare metal. Sorry I cannot give you their reasons, you’d need to research this on your own. You could ask the AC folks on the Active Countermeasure Discord server “Threat Hunting Community” or the people on the Suricata Discord server. Stamus Networks also have a Discord server for their community!

Other excellent sources would be the Zeek or Corelight Slack servers.

Hi everyone,

Sorry for not replying sooner. I have set up the following experiment as illustrated below:-

The web interface of SELKS is quite intuitive and allows for changing alerts to rules. I haven’t tried that yet. The bridge interfaces allow for traffic to be monitored in real time. Clear NDR is in its infancy and I tried to get it to monitor multiple bridge interfaces with no success at the moment. This is where the fine tuning comes in with SELKS. Since Suricata is the detection engine, any alerts that are triggered need to be changed manually. Options are:-

Transform
Disable
Enable
Threshold
Suppress

The descriptions are pretty self explanatory. Configuring the bridge interfaces and IP traffic forwarding is pretty straightforward. It also gives me an East-West view of traffic triggered aside from the North-South traffic.

The setup is what I am aiming for in the previous two sentences. I’m not confining myself to one IDS/IPS. I want to experiment with various NDR systems that allow transforming detections. For now I’m leaving the pfSense box as bare metal and experimenting with NDRs on a VM. Once I have decided on the one I like, I may commit to bare metal.

Thank you.

Darryl
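As an added example (not SELKS or Clear NDR code), here is what the Suppress, Threshold and Disable actions from the list above amount to on the Suricata side: constructed eve.json alert lines are turned into threshold.config entries (Suricata's own syntax) and a disable.conf list for suricata-update. The sids and IPs are sample values.

```python
"""Turn Suricata eve.json alerts into threshold.config and disable.conf entries.
Added example (not SELKS/Clear NDR code) mimicking the Suppress, Threshold and
Disable actions described above. The alert lines below are constructed samples."""
import json
from collections import Counter

# Constructed eve.json records, one JSON object per line (one is not an alert).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.10.25","dest_ip":"8.8.8.8","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"alert","src_ip":"192.168.10.25","dest_ip":"8.8.8.8","alert":{"gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"event_type":"flow","src_ip":"192.168.10.7","dest_ip":"10.0.0.1"}
{"event_type":"alert","src_ip":"192.168.10.7","dest_ip":"1.1.1.1","alert":{"gid":1,"signature_id":2013028,"rev":5,"signature":"ET POLICY curl User-Agent Outbound"}}
"""

def parse_alerts(eve_text):
    """Yield (gid, sid, src_ip) for each alert event; other event types are skipped."""
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            yield ev["alert"]["gid"], ev["alert"]["signature_id"], ev["src_ip"]

def suppress_entry(gid, sid, ip):
    """Suppress: never alert on this sid when the source is `ip` (threshold.config syntax)."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"

def threshold_entry(gid, sid, count=1, seconds=60):
    """Threshold: rate-limit to `count` alerts per source every `seconds`."""
    return (f"threshold gen_id {gid}, sig_id {sid}, type limit, "
            f"track by_src, count {count}, seconds {seconds}")

def build_config(eve_text, suppress_sids=(), disable_sids=(), noisy_min=2):
    """Return (threshold.config text, disable.conf text).
    - sids in disable_sids go to disable.conf (suricata-update) and are skipped here
    - sids in suppress_sids get one suppress line per source that fired them
    - any other sid firing >= noisy_min times from one source gets a rate limit"""
    hits = Counter(parse_alerts(eve_text))
    lines, limited = [], set()
    for (gid, sid, ip), n in sorted(hits.items()):
        if sid in disable_sids:
            continue
        if sid in suppress_sids:
            lines.append(suppress_entry(gid, sid, ip))
        elif n >= noisy_min and (gid, sid) not in limited:
            lines.append(threshold_entry(gid, sid))
            limited.add((gid, sid))
    disable = [str(sid) for sid in sorted(disable_sids)]
    return "\n".join(lines + [""]), "\n".join(disable + [""])
```

Suricata reads threshold.config at startup (or on a rule reload), so a web UI that "transforms" an alert is ultimately writing entries like these and reloading.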

Very wise decision to use LAN1 and LAN2 for N-S and E-W traffic, respectively.

By doing this you can later more easily split this into two different boxes with different horsepower. I’d expect the E-W to be a lot more demanding on the hardware than the N-S traffic.

Hi everyone,

Just some more feedback with what I have managed to play with. I got a copy of Malcolm downloaded and installed on a VM on Proxmox. It took a bit of tinkering and following YouTube videos to get it working. It is working and the amount of data capture is impressive. I just need to fine tune the setup to monitor bridge interfaces through which I want the data to flow. Creating the bridge interfaces and getting these to persist after reboots was also a learning curve.

Currently I am running a test on a bridge interface created to observe the traffic flow. It’s set up as follows:-

LAN1 Switch <==> Malcolm Bridge <==> Laptop

Aside from just monitoring the bridge interface Malcolm also shows traffic it finds on the network and adds this to the database for scrutiny. The initial amount of data provided can appear overwhelming, but the interaction with the dashboards is nothing short of damn good. PCAP file viewing is also there and even host monitoring is available. In short, I may just deploy on bare metal. I just need to do more research to get it to work with RAID storage on installation. More RTFM.

Thank you.

fugglefeet

P.S. There goes the whole IDS/IPS around Snort/Suricata for a ball of chalk. Malcolm also has Suricata available for threat detection.
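The "LAN1 Switch <==> Malcolm Bridge <==> Laptop" setup and the reboot-persistence problem mentioned above, as an added example that is not Malcolm or SELKS code: it generates systemd-networkd units for a transparent, address-less bridge between two NICs plus the af-packet stanza that points Suricata at that bridge. The bridge name `br-mon` and the NIC names `enp1s0`/`enp2s0` are assumptions.

```python
"""Generate systemd-networkd units for a transparent monitoring bridge like
'LAN1 Switch <==> Malcolm Bridge <==> Laptop'. Added example, not Malcolm or
SELKS code; the bridge and NIC names are assumptions for illustration."""
from pathlib import Path

def bridge_units(bridge, members):
    """Return {filename: contents}: a .netdev creating the bridge, a .network
    enslaving the member NICs, and a .network that leaves the bridge itself
    address-less so the sensor box stays invisible at layer 3."""
    if len(set(members)) != len(members) or bridge in members:
        raise ValueError("member NICs must be unique and distinct from the bridge")
    netdev = f"[NetDev]\nName={bridge}\nKind=bridge\n"
    ports = f"[Match]\nName={' '.join(members)}\n\n[Network]\nBridge={bridge}\n"
    # No DHCP, no IPv6 link-local: pure L2 forwarding between the members.
    top = (f"[Match]\nName={bridge}\n\n[Network]\nDHCP=no\n"
           "LinkLocalAddressing=no\nConfigureWithoutCarrier=yes\n")
    return {f"10-{bridge}.netdev": netdev,
            f"20-{bridge}-ports.network": ports,
            f"30-{bridge}.network": top}

def suricata_capture(bridge):
    """af-packet stanza pointing Suricata at the bridge (passive IDS, not inline)."""
    return (f"af-packet:\n  - interface: {bridge}\n    cluster-id: 99\n"
            "    cluster-type: cluster_flow\n    defrag: yes\n")

def write_units(units, directory="/etc/systemd/network"):
    """Write the units; 'systemctl restart systemd-networkd' then applies them
    and, being unit files, they survive reboots. Returns the names written."""
    target = Path(directory)
    target.mkdir(parents=True, exist_ok=True)
    for name, body in units.items():
        (target / name).write_text(body)
    return sorted(units)

if __name__ == "__main__":  # assumed NIC names
    units = bridge_units("br-mon", ["enp1s0", "enp2s0"])
    for name, body in units.items():
        print(f"# {name}\n{body}")
    print(suricata_capture("br-mon"))
```

Run it as root to write into /etc/systemd/network; without root, pass another directory to write_units to inspect the output first.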

Yeah, Malcolm, Security Onion, SELKS, and Corelight all just use Zeek and Suricata under the hood for threat detection.

My reservation was mainly about Arkime (Malcolm, SELKS) having insane hardware requirements and I would not want to run that in my homelab. Security Onion uses Suricata or Stenographer for full packet capture instead of Arkime.

Hi everyone,

I’ll admit I have a server that has the horsepower to run these monster NDR solutions on bare metal. Maybe I should trial run them one by one for a month or so each. Then arrive at a conclusion which is best fit for what I want out of them. For now the experimenting will continue to get au fait with the inner workings and maybe post caveats with workarounds here.

Thank you.

fugglefeet

not only horsepower you need, my man, also disk space like stars in the galaxy it wants: