Thursday, May 1, 2014

Suricata with Logstash - Part 1: Planning and installation

IDS or IPS?

Before you start testing Suricata, understand first what will you need. If you are new or does not have knowledge the difference between an IPS and IDS. Let me give you a brief background below. If you are an advance user then you may skip this and move to Part 2: Setup and Configure Suricata

What is an IDS?

IDS stands for Intrusion Detection System. Like its name, the main role of this security device is to detect threats passing on your network. Nowadays, IDS uses different kind of method to detect and identify threats. It use signature based detection which vendor always provide an update, it may also use a behavioral detection (signature less) so that it may identify an unknown threat. This are the two most common feature it has, depending on the vendor, they may introduce other or more advance features of detecting threats.

IDS is deployed usually in one arm (using SPAN port or TAP) to detect threats on the network. It may also be deployed in-line (between two network device. i.e. firewall and core switch).

What is an IPS?

IPS stands for Intrusion Prevention System. This security device have capability to react when a threat was detected on the network, unlike IDS which usually has SYN reset feature most of the time. IPS can definitely block, drop or quarantine malicious traffic. In terms of deployment, an IPS requires to be deployed in-line since that is the only way it can stop the traffic passing through.

Unlike IDS (appliance or mode), IPS will require higher server/appliance that is capable of handling the whole network throughput. When dealing with encrypted traffic, this will require more CPU resources to decrypt and analyze.

Deployment option

When deploying an IPS/IDS there are things you or each organization need to consider. One may start looking on how other organization implement it on their environment. And from that they may evaluate if they can also apply it to them. But take note, there are cons and pros on each type of deployment.

In-line mode

When deploying in in-line, understand first this thing in your organization, like:
- Your all ingress and egress point (where the traffic goes in and goes out)
- The zone you want to protect (DMZ, Internal and etc...)
- The total throughput of each zone (say, DMZ has 10 servers with each has 10Gbps and Internal has 1Gbps traffic)
- Type of interface the other network device have
- High Availability setup (since placing a device in-line will become a single point of failure)

Below is an example how in-line is placed.



Pros:
- Able to do actions on the malicious traffic
- Can identify source and destination more accurately
- Does not need much configuration on other network devices (i.e. router or switch)

Cons:
- Single point of failure if not implemented properly
- Expensive
- Continuous monitoring
- Requires a lot of interface if need to monitor different segments

TAP / SPAN mode


When deploying in this mode, take note of the following requirements:
- Need to place a TAP device (for TAP mode)
- Need to add SPAN configuration on one of the network device interface
- Review any security settings on the network device (i.e. MAC address filtering)
- If VLAN is being use for different zone/department, admin must know which one to include on the SPAN configuration



Pros:
- Cheap
- Not a single point of failure
- Faster to deploy

Cons:
- Limited views on the attack
- Limited actions on the attack
- Not very accurate on the source and destination address

Suricata Implementation

Suricata support both In-Line and SPAN mode configuration. If you decide to do In-line, then you require at least 2 NIC on your hardware. For this tutorial, I'm just covering for now the SPAN mode since I only want to do IDS for Suricata.

move to Part 2

No comments:

Post a Comment

Kindly respect the author website and its reader.