Perched | Security Education, Consulting, and Support

ROCK@home—Introduction (1/3)


RockNSM is an open-source network sensor platform that focuses on being reliable, scalable, and secure. Check out the full docs for more details. This is a companion article to the rock@home video series.

“So what’s the quickest and easiest way to get ROCK up and running with live data?”

Approach

This is a common question from users wanting to get started with Network Security Monitoring (NSM). We understand that not everyone has the ability to monitor live traffic on a production network, so the obvious first step is to build your skills by logging and analyzing your own network traffic. This is the first of a three-part series that will answer this question, approaching things on as minimal a budget as possible.

Here’s an overview of what to expect:

Agenda

In this first post we’ll cover the following:

  • requirements

  • network topology

  • hardware recommendations

Quick disclaimer: this kind of network monitoring should only be performed on an environment that you own.

Requirements

There are 3 main challenges to running NSM at home:

  1. Sensor — computer to use as a sensor

  2. Data Feed — a network device that provides a duplicate stream of data to monitor

  3. Wireless AP — a wireless device in addition to the typical ISP modem/router

Let’s cover the basics of these in order:

Sensor

Processing live network data is resource intensive, and there are a lot of variables to the “how beefy of a box do I need?” question. The biggest consideration is the throughput of the environment. At the end of the day, the more resources you throw at the sensor, the higher the IOPS and the happier she’ll be. But let’s talk minimum specs:

Memory

The minimum spec for RAM is 8 Gigs. This should work just fine on a typical home LAN.

Disk

We recommend installing ROCK with a minimum of 2 distinct drives (or partitions). SSDs are obviously preferred whenever possible.

  • a drive for the base operating system

  • a larger drive used for network logs & data

Network Interfaces

ROCK also requires a minimum of 2 NICs:

  • 1 interface for management: connected to the LAN and assigned an IP address that is used to administer ROCK

  • 1 gigabit interface for monitoring: data will be mirrored here in order for ROCK to create logs.

If the box you’re repurposing as a sensor has only one onboard interface, use it as the monitoring interface. An add-on card (or even a USB adapter) can be added to use for management.
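As an added example (not part of the original post or of RockNSM’s own setup scripts), here is a small shell script for a Linux sensor that puts the monitoring interface into a passive state and then confirms the tap or span port is actually delivering packets to it. It assumes iproute2 and ethtool are installed and that the monitoring interface name (e.g. eth1) is passed as the first argument; the packet thresholds are arbitrary.

```shell
#!/bin/sh
# Added example (not RockNSM's own scripts): prepare a monitoring NIC and
# confirm that the tap or span port is actually delivering packets to it.
# Assumptions: a Linux sensor with iproute2 and ethtool installed, and the
# monitoring interface name passed as the first argument (e.g. "eth1").

# sysfs root for interface counters; overridable so the check can be
# exercised against a constructed directory tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the receive packet counter for an interface.
rx_packets() {
  cat "$SYSFS_NET/$1/statistics/rx_packets"
}

# Put the monitoring interface into a passive state: no IP address, no ARP,
# promiscuous so mirrored frames addressed to other hosts are not dropped
# by the NIC, and hardware offloads disabled so the sensor sees packets as
# they were on the wire rather than reassembled by the card.
prepare_monitor_iface() {
  iface="$1"
  ip addr flush dev "$iface"
  ip link set dev "$iface" arp off multicast off promisc on up
  ethtool -K "$iface" gro off lro off tso off gso off rx off tx off sg off \
    || echo "warning: some offloads could not be changed on $iface" >&2
}

# Succeed (exit 0) only if the interface received at least $3 packets over
# $2 seconds; a counter that does not move means the span/tap is not wired
# or not configured to copy traffic to this port.
verify_mirror() {
  iface="$1"; secs="${2:-5}"; min="${3:-100}"
  before=$(rx_packets "$iface")
  sleep "$secs"
  after=$(rx_packets "$iface")
  delta=$((after - before))
  echo "$iface: $delta packets received in ${secs}s (minimum $min)"
  [ "$delta" -ge "$min" ]
}

# Stand-alone use: ./monitor-check.sh eth1
if [ $# -ge 1 ]; then
  prepare_monitor_iface "$1"
  verify_mirror "$1" 5 100
fi
```

Run it right after configuring the span or plugging in the tap; if the counter barely moves while other hosts on the LAN are active, the mirror is copying the wrong ports or only broadcast traffic.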

Network Topology

Forking the Packets

Now that we’ve got the base specs for a sensor box running ROCK, let’s dive into how we get packets flowing to that listening interface and keep the network layout as basic as possible.

Network Taps and Switch Span / Mirror Ports — these are the two easiest options to get a duplicated feed of traffic into ROCK. Your choice will depend upon your level of dedication, a.k.a. budget.

Dedicated Tap

Basic Topology with a TAP

A network tap is a piece of hardware that duplicates all traversing packets to another location. Packet loss is generally low with a tap, as the duplication is happening at the hardware level. But this performance comes at a price, with taps costing quite a bit more than the cheaper options. Plan on spending around $200 (recommendations below).

Switch Span Port

Basic Topology with a Smart Switch

The second, and cheaper, option is to use a switch — a layer 2 device that uses MAC addresses to direct packets. There are also layer 3 smart switches that provide additional features like VLANs, QoS, and more. Most importantly in our context, a smart switch has the ability to assign a span or “mirror” port. When configuring a span, you specify which port(s) have their ingress and egress traffic copied and sent over to the span (mirrored) port.

Differences

The biggest difference between a tap and a switch span is that a tap is dedicated hardware for that purpose, whereas a span port is another duty for the switch OS to take care of. A switch should be considered fully utilized when it hits around 50% load. Assigning a span port is resource intensive, so take your network’s total throughput into consideration. The cheaper managed switch option will usually start around $50 for 5- or 8-port models.

Wireless AP

The final piece of this puzzle is to have a separate wireless AP in addition to your ISP modem/router. This allows us to place the tap or switch and the ROCK sensor between the edge (ISP) router and the inside router to capture traffic. For more clarity, reference the network diagrams above; the additional AP is at the bottom of each.

This 2nd (inside) router would run in “AP Mode” and be configured to get services like DNS and DHCP from the edge device. There are innumerable options these days for cheaper routers with this capability. If you would like to spend a bit more money, I can personally recommend the Netgear Orbi series if you need a mesh system.

Hardware Recommendations

To be clear, I’m not endorsing specific hardware over another, or guaranteeing that your experience will be issue-free. This information is to serve as some starting suggestions of equipment that myself and colleagues have had good experiences with. A summary of this information can be found in this gist.

Sensor

  • repurposed hardware - 2 NICs / 4 cores / 8G RAM / SSD if possible

  • *lots* of options to BYO sensor from $400–1000

  • Shuttle Barebones

  • latest Intel NUC8I7HVK (dual NIC)

Select a motherboard or card that uses Intel NICs whenever possible.

Network

Managed switches:

  • TP-Link TL-SG108E ~$40

  • Netgear GS108Ev3 ~$50

Consumer Taps:

  • Dualcomm ETAP-2003 gigabit tap ~$200

Conclusion

I hope this was helpful in clearing up some of the most common questions about preparing your home network for NSM. In next week’s installment we’ll cover ROCK installation, configuration, and deployment. Thanks for your time!