Extending the home lab with Security Onion

2019/12/04

Current setup

I currently have a home lab set up in the meterkast (the circuit breaker panel cupboard – every Dutch house has one. Electricity meter, water meter, breaker panel, gas meter, it’s all in there.). The home lab consists of an Intel i5 NUC that runs Proxmox, an awesome virtualization platform similar to VMware’s ESX but open source and free for private use. Currently, I have the following components running on it:

Some of them are run as a container, some as a VM. Note that you see some Raspberry Pi based projects. I like them because they come pretty self-contained and are ideal to run in containers without too much hassle. As long as you don’t just pipe the install script to bash, and actually understand what it’s doing, these projects are an awesome and quick way to get stuff up and running. Using Docker for projects like this would probably work just as well, but it is even less transparent and this would also mean having to run a VM that runs Docker that runs Docker containers. Virtualizationception.

I also used to have the Unifi wifi controller running on a container but since my last reinstall I did not rebuild it yet.

Now for the …

Objectives

I want to experiment a bit with network monitoring using Security Onion. To that end I’d like to have a port mirror running into a Security Onion machine. That way I should be able to check traffic from the Unifi access point and its clients.

So my next steps are as follows:

Lab notes

The Netgear switch

When I first got the Netgear switch, I plugged it into my existing network. It got a DHCP address; I made it static, and I accessed the web interface to configure a port mirror. That seems to have worked – unplug it, walk downstairs, hook it up in the meterkast, replacing an existing 5 port switch.

After that, all connected devices function, but I cannot reach it over the IP that I bound to it. According to the Netgear mgmt tool, it defaulted to its hardcoded address at 192.168.0.239 – a different subnet. For now that should be fine, let’s find out later if the span port works.

Proxmox

The port that was configured as port mirror destination has been attached to the NUC running Proxmox through a USB-C converter. I didn’t think to check beforehand what the existing interfaces are called, so I had to take a guess when creating a new virtual bridge. It’s called vmbr1 and it’s attached to enx00e04c3602fe. I think device names like that are usually attached to USB type network adapters.

Security Onion

I have two NICs, ens18 and ens19. As ens18 has received an IP address, that should be the management interface I suppose.

After setup, it seems that the span port is not functioning. For now, I’ll have to check if the USB/Ethernet adapter works correctly on the Proxmox server first. A tcpdump of interface enx00e04c3602fe tells me that indeed, traffic is mirrored to it. Huzzah! That part is working. Now, apparently, I did not successfully configure that on the Proxmox → Onion VM side.

Running tcpdump on the ens19 interface shows way less traffic – only ARP stuff. Some googling around finds me someone with the exact same problem. Per some of the posts on the Proxmox forums I’ve added the following line to the vmbr1 interface config in /etc/network/interfaces:

bridge_ageing 0

so the total becomes:

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enx00e04c3602fe
        bridge-stp off
        bridge-fd 0
        bridge_ageing 0

Some up-and-downing of the interface made that work.
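Why that one line fixes it: a Linux bridge learns source MAC addresses into its forwarding database and delivers a unicast frame only out of the port where its destination MAC was learned. Mirrored frames are addressed to hosts that live beyond the switch, never on the VM's tap port, so the bridge quietly keeps them away from the VM; only broadcasts (the ARP seen above) get flooded. An ageing time of 0 disables learning, so every frame is flooded to every port, hub-style. The script below is an added example, not the post's own tooling: it checks the configured and the kernel-effective ageing time of a bridge, and compares what the mirror NIC received with what the bridge pushed towards the VM's tap (on Proxmox the tap is named tap<vmid>i<index>; tap100i1, eth_mirror2 and the packet counters are constructed fixture values, as is the fake sysfs tree it reads instead of the live /sys).

```shell
#!/bin/sh
# Check that a Proxmox bridge used as a span-port destination floods every
# frame to the monitoring VM. Added example with a constructed sysfs fixture;
# pass no root argument to read the live /sys instead.

# Effective ageing time the kernel reports for a bridge, in hundredths of a
# second (default 30000 = 300 s). $1 = bridge, $2 = sysfs root (default /sys).
bridge_ageing_time() {
    cat "${2:-/sys}/class/net/$1/bridge/ageing_time"
}

# True (exit 0) when MAC learning is disabled and the bridge floods all frames.
bridge_floods_all() {
    [ "$(bridge_ageing_time "$1" "$2")" -eq 0 ]
}

# Value of bridge_ageing / bridge-ageing inside one iface stanza of an
# /etc/network/interfaces file; prints "unset" when the stanza lacks it.
# $1 = bridge, $2 = path to the interfaces file.
configured_ageing() {
    awk -v br="$1" '
        $1 == "iface" { in_stanza = ($2 == br) }
        in_stanza && ($1 == "bridge_ageing" || $1 == "bridge-ageing") { found = $2 }
        END { print (found == "" ? "unset" : found) }
    ' "$2"
}

# Kernel counters, seen from the host: rx on the physical NIC is what the
# switch mirrored in; tx on the tap is what the bridge handed to the guest.
rx_packets() { cat "${2:-/sys}/class/net/$1/statistics/rx_packets"; }
tx_packets() { cat "${2:-/sys}/class/net/$1/statistics/tx_packets"; }

# Verdict: the tap should have seen a comparable share (here at least half)
# of what the mirror NIC received. $1 = NIC, $2 = tap, $3 = sysfs root.
mirror_verdict() {
    nic_rx=$(rx_packets "$1" "$3")
    tap_tx=$(tx_packets "$2" "$3")
    if [ "$nic_rx" -gt 0 ] && [ $((tap_tx * 2)) -ge "$nic_rx" ]; then
        echo mirror-reaches-vm
    else
        echo mirror-stalls-at-bridge
    fi
}

# --- constructed fixture: fake sysfs tree plus interfaces file ------------
FIX=$(mktemp -d)
for dev in vmbr1 enx00e04c3602fe tap100i1 vmbr2 eth_mirror2 tap100i2; do
    mkdir -p "$FIX/class/net/$dev/statistics" "$FIX/class/net/$dev/bridge"
done
# vmbr1: learning disabled, nearly every mirrored frame reaches the tap
echo 0     > "$FIX/class/net/vmbr1/bridge/ageing_time"
echo 12000 > "$FIX/class/net/enx00e04c3602fe/statistics/rx_packets"
echo 11950 > "$FIX/class/net/tap100i1/statistics/tx_packets"
# vmbr2: default ageing, only broadcast/ARP gets through to the tap
echo 30000 > "$FIX/class/net/vmbr2/bridge/ageing_time"
echo 12000 > "$FIX/class/net/eth_mirror2/statistics/rx_packets"
echo 40    > "$FIX/class/net/tap100i2/statistics/tx_packets"

cat > "$FIX/interfaces" <<'EOF'
auto vmbr1
iface vmbr1 inet manual
        bridge-ports enx00e04c3602fe
        bridge-stp off
        bridge-fd 0
        bridge_ageing 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eth_mirror2
        bridge-stp off
        bridge-fd 0
EOF

for br in vmbr1 vmbr2; do
    echo "$br: configured ageing $(configured_ageing "$br" "$FIX/interfaces"), kernel ageing_time $(bridge_ageing_time "$br" "$FIX")"
done
echo "vmbr1 span: $(mirror_verdict enx00e04c3602fe tap100i1 "$FIX")"
echo "vmbr2 span: $(mirror_verdict eth_mirror2 tap100i2 "$FIX")"
```

Because ageing 0 turns the bridge into a hub, keep the mirror bridge separate from the bridge your management traffic uses (vmbr0 here); every VM attached to vmbr1 will see every mirrored frame, which is the intended behaviour for a monitoring VM only.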

Now we have Security Onion up and running!! Next step: make the web interface available externally.

Next steps