Have you ever counted how many computer devices, smart IoT gadgets, TVs, kitchen appliances, smartphones, or CCTV cameras in your home or office are currently connected to the internet? Do you know that even many cars now connect to the internet? Have you ever wondered who's on your WiFi, or what your family members or coworkers are doing on the network? Do you want to see what your overall network usage picture looks like?
With the help of SELKS™, you don't have to wonder about these questions anymore. With this new blog series, we will guide you through the process of enabling network visibility in your home or office and end your blindness to the cyber activity happening around you. As they say, seeing is believing, so let's begin our journey.
For an introduction to SELKS, read this blog post on SELKS 7.
In this blog post, we will begin the process of setting up SELKS as a complete IDS/NSM solution for the home or office. We’ll be feeding it with the live network traffic from our local network. This can be done quickly, cheaply, and easily. The first step, covered in this post, is to select the right equipment and set clear goals for the system. This ensures that you can effectively mirror and collect the network traffic for inspection.
Let's look at goal setting and equipment selection. Before making any hardware purchases, it is crucial to write down your objectives for the system and outline the steps required to attain them.
By setting these goals, we establish a clear direction for the implementation of SELKS as your network visibility tool. Now let's proceed to the next steps in the process.
When building a system that collects network traffic, it is important to start from the ground up. Begin by measuring the bandwidth requirements and inspecting the types of traffic present on your network. This will help determine the suitable equipment needed to achieve your goals effectively.
To accurately measure your network's bandwidth requirements, start with basic network monitoring tools. These provide insights into the current traffic patterns and bandwidth utilization. By monitoring the network over a period of time, you can determine the peak usage and the average bandwidth requirements, which lets you select the appropriate hardware for your needs.
We can do that with the help of open source tools such as IPTraf (for Linux) or Glances (for Windows). The image below shows the basic user interface of IPTraf.
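The sizing number the tools above give you is the one that matters for the SELKS box: average and peak throughput on the link you intend to mirror. As an added example (not code from the post or from Stamus Networks), the script below does the same measurement from a Linux interface's byte counters in the /proc/net/dev format, taking the difference between consecutive snapshots and reporting average and peak Mbit/s. The snapshots in SAMPLE_SNAPSHOTS are constructed, not real measurements, and the interface name "eth0" is an assumption.

```python
"""Size the SELKS capture link from Linux interface byte counters.

Added example for this post, not Stamus Networks code. It parses the
/proc/net/dev format, differences consecutive snapshots and reports the
average and peak throughput in Mbit/s. SAMPLE_SNAPSHOTS are constructed
values, not real measurements; "eth0" is an assumed interface name.
"""
import time

# Constructed copy of the two /proc/net/dev header lines.
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
)


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line:            # header lines carry no interface name
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        # 16 counters follow the name: rx bytes is the first, tx bytes the ninth
        counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def throughput_mbps(before, after, interval_s, iface):
    """Combined rx+tx rate of iface between two snapshots, in Mbit/s."""
    rx0, tx0 = before[iface]
    rx1, tx1 = after[iface]
    delta_bytes = (rx1 - rx0) + (tx1 - tx0)
    if delta_bytes < 0:                # counter wrapped or the interface was reset
        raise ValueError(f"counters for {iface} went backwards")
    return delta_bytes * 8 / interval_s / 1_000_000


def summarize(snapshots, interval_s, iface):
    """Average and peak Mbit/s across a series of consecutive snapshots."""
    rates = [throughput_mbps(snapshots[i], snapshots[i + 1], interval_s, iface)
             for i in range(len(snapshots) - 1)]
    return {"avg_mbps": sum(rates) / len(rates),
            "peak_mbps": max(rates),
            "intervals": len(rates)}


def measure_live(iface, interval_s=1.0, count=60):
    """Sample the real /proc/net/dev (Linux only) count times, interval_s apart."""
    snapshots = []
    for i in range(count + 1):
        if i:
            time.sleep(interval_s)
        with open("/proc/net/dev") as f:
            snapshots.append(parse_proc_net_dev(f.read()))
    return summarize(snapshots, interval_s, iface)


def _snapshot(rx_bytes, tx_bytes):
    """Build constructed /proc/net/dev text with a loopback and an eth0 line."""
    lo = "    lo: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0\n"
    eth0 = f"  eth0: {rx_bytes} 1000 0 0 0 0 0 0 {tx_bytes} 500 0 0 0 0 0 0\n"
    return HEADER + lo + eth0


# Three constructed snapshots taken 10 s apart: 100 Mbit/s, then 300 Mbit/s.
SAMPLE_INTERVAL_S = 10
SAMPLE_SNAPSHOTS = [
    parse_proc_net_dev(_snapshot(0, 0)),
    parse_proc_net_dev(_snapshot(100_000_000, 25_000_000)),
    parse_proc_net_dev(_snapshot(400_000_000, 100_000_000)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SNAPSHOTS, SAMPLE_INTERVAL_S, "eth0"))
```

Run it for a day or a week with measure_live on the router or on a host that sees the mirrored traffic; the peak value, not the average, is what the sensor's NIC and CPU must keep up with without dropping packets.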
Understanding the types of traffic on your network is crucial for effective network visibility. To do this, you have to analyze the different protocols and applications being used within your environment. This analysis helps identify potential security risks and informs the selection of specific detections and filters to be used with SELKS. Additionally, it lets you focus on monitoring the traffic that is most relevant to you. What is relevant is determined by separating interesting traffic from uninteresting traffic, based on criteria such as sources, destinations, use cases, users currently logged on to the network, and the protocol mix. For example, in a home network you would have a large variety of traffic types and protocols: http, tls, mqtt, etc. In an office network you would expect to see more smb and dcerpc traffic.
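Once SELKS is running, this breakdown can be produced from its own data: Suricata writes one EVE JSON "flow" record per connection with src_ip, dest_ip, proto, app_proto and per-direction byte counts. The script below is an added example (not code from the post or from SELKS) that summarizes such records by application protocol and by local source, and separates flows that stay inside the local network from those leaving it. The EVE lines are constructed samples, and the 192.168.1.0/24 local network and the TEST-NET addresses are assumptions.

```python
"""Break down traffic by application protocol and endpoint from Suricata EVE flow records.

Added example, not from the post or from SELKS. SAMPLE_EVE_LINES are
constructed records that follow the EVE "flow" event layout; the local
network 192.168.1.0/24 is an assumption.
"""
import ipaddress
import json
from collections import Counter

# Constructed EVE records: five flows plus one alert event that must be ignored.
SAMPLE_EVE_LINES = [
    '{"event_type":"flow","src_ip":"192.168.1.20","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":1200,"bytes_toclient":8800}}',
    '{"event_type":"flow","src_ip":"192.168.1.21","src_port":40001,"dest_ip":"192.168.1.1","dest_port":1883,"proto":"TCP","app_proto":"mqtt","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":300,"bytes_toclient":200}}',
    '{"event_type":"flow","src_ip":"192.168.1.22","src_port":39120,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":8,"bytes_toserver":500,"bytes_toclient":4500}}',
    '{"event_type":"flow","src_ip":"192.168.1.20","src_port":49876,"dest_ip":"192.168.1.5","dest_port":445,"proto":"TCP","app_proto":"smb","flow":{"pkts_toserver":20,"pkts_toclient":18,"bytes_toserver":2000,"bytes_toclient":3000}}',
    '{"event_type":"flow","src_ip":"192.168.1.23","src_port":5353,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":80,"bytes_toclient":120}}',
    '{"event_type":"alert","src_ip":"192.168.1.22","dest_ip":"198.51.100.7","alert":{"signature":"constructed test alert"}}',
]


def load_flows(lines):
    """Parse EVE JSON lines and keep only flow events."""
    flows = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") == "flow":
            flows.append(rec)
    return flows


def flow_bytes(flow):
    """Bytes exchanged in both directions of one flow."""
    f = flow["flow"]
    return f.get("bytes_toserver", 0) + f.get("bytes_toclient", 0)


def bytes_by_app_proto(flows):
    """Total bytes per application protocol, e.g. {"tls": 10000, ...}.

    Suricata labels undetected protocols "failed"; a missing key is reported as "unknown".
    """
    totals = Counter()
    for fl in flows:
        totals[fl.get("app_proto") or "unknown"] += flow_bytes(fl)
    return dict(totals)


def protocol_shares(flows):
    """(app_proto, share of total bytes) pairs, largest first."""
    totals = bytes_by_app_proto(flows)
    grand = sum(totals.values()) or 1
    return sorted(((p, b / grand) for p, b in totals.items()), key=lambda x: -x[1])


def top_talkers(flows, n=3):
    """Source addresses ranked by bytes they exchanged."""
    c = Counter()
    for fl in flows:
        c[fl["src_ip"]] += flow_bytes(fl)
    return c.most_common(n)


def split_internal_external(flows, local_net):
    """Separate flows whose destination is inside local_net from those leaving it."""
    net = ipaddress.ip_network(local_net)
    internal, external = [], []
    for fl in flows:
        (internal if ipaddress.ip_address(fl["dest_ip"]) in net else external).append(fl)
    return internal, external


if __name__ == "__main__":
    flows = load_flows(SAMPLE_EVE_LINES)
    for proto, share in protocol_shares(flows):
        print(f"{proto:8s} {share:6.1%}")
    print("top talkers:", top_talkers(flows))
    internal, external = split_internal_external(flows, "192.168.1.0/24")
    print(len(internal), "internal flows,", len(external), "leaving the LAN")
```

Feeding it a real eve.json from SELKS (one JSON object per line) gives the protocol and endpoint mix the text asks you to establish, and the internal/external split is a first cut at deciding which traffic is interesting enough to keep mirroring.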
Once you have determined the bandwidth requirements and inspected the traffic types, you need to establish a method for forwarding the mirrored network traffic to SELKS for inspection. This can be achieved with a network tap or by configuring port mirroring on the network switch. The choice depends on your network infrastructure and specific requirements.
Typical home/small office network traffic breakdown by protocol:
Based on the goals, bandwidth measurements, traffic types, and forwarding method, you can now select the appropriate hardware. Consider factors such as processing power, network interface capabilities, and storage capacity.
Preferably, you would choose a router that has enough processing power to forward and mirror the network traffic. It is also worth selecting a model that can be flashed with an open source, Linux-based firmware like OpenWrt. This unlocks the full capabilities of the router and its built-in switch, which lets you use tools like tc (traffic control), the user-space system administration utility used to configure the Linux kernel packet scheduler. With it you can mirror any layer 2 or layer 3 defined traffic on any Ethernet port of the switch and even create a dedicated tunnel for it.
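The tc mirroring just described comes down to a handful of commands: attach a classifier hook to the monitored port, add a filter (everything, or a layer 3/4 selection), and give it a mirred action that copies matching frames to the port SELKS listens on. The script below is an added example, not Stamus Networks or OpenWrt code, that generates those commands, validates the interface names, and can apply them. It uses the clsact qdisc with matchall or flower filters and the mirred action, all standard iproute2 tc features; on OpenWrt this assumes the full tc package and its kernel modules are installed. The port names "lan1" (monitored) and "lan4" (cabled to SELKS) and the example filter are assumptions. One detail worth seeing: a flower match on dst_port only catches the client-to-server half on ingress, so for the egress hook the script swaps src/dst keys so the replies reach SELKS too.

```python
"""Build and apply Linux tc rules that mirror a router port to a SELKS capture port.

Added example, not Stamus Networks or OpenWrt code. Uses the clsact qdisc,
matchall/flower filters and the mirred action from iproute2; assumes the
full tc package and kernel modules on OpenWrt. Port names "lan1" and "lan4"
and the filter keys are assumptions for illustration.
"""
import re
import shlex
import subprocess

IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # Linux interface-name length limit

# On egress the reply leaves the port with source/destination reversed.
_EGRESS_SWAP = {"dst_port": "src_port", "src_port": "dst_port",
                "dst_ip": "src_ip", "src_ip": "dst_ip"}


def _check_iface(name):
    if not IFACE_RE.match(name):
        raise ValueError(f"invalid interface name: {name!r}")
    return name


def mirror_commands(src, dst, flower=None):
    """Return tc argv lists that copy src's ingress and egress traffic to dst.

    flower: optional dict of tc-flower match keys, for example
    {"ip_proto": "tcp", "dst_port": 443}; None mirrors every frame (matchall).
    """
    _check_iface(src)
    _check_iface(dst)
    if src == dst:
        raise ValueError("source and destination port must differ")
    # clsact provides both an ingress and an egress hook without touching the root qdisc
    cmds = [["tc", "qdisc", "replace", "dev", src, "clsact"]]
    for hook in ("ingress", "egress"):
        cmd = ["tc", "filter", "add", "dev", src, hook]
        if flower:
            cmd += ["protocol", "ip", "flower"]
            for key, value in flower.items():
                if hook == "egress":
                    key = _EGRESS_SWAP.get(key, key)
                cmd += [key, str(value)]
        else:
            cmd += ["matchall"]
        # mirror (not redirect) so the original frame is still forwarded normally
        cmd += ["action", "mirred", "egress", "mirror", "dev", dst]
        cmds.append(cmd)
    return cmds


def teardown_commands(src):
    """Remove the clsact qdisc, and with it every mirror filter, from src."""
    return [["tc", "qdisc", "del", "dev", _check_iface(src), "clsact"]]


def render(cmds):
    """Shell-quoted lines suitable for pasting into the OpenWrt shell."""
    return "\n".join(shlex.join(c) for c in cmds)


def apply(cmds, runner=subprocess.run):
    """Execute the commands in order (needs root); stops at the first failure."""
    for c in cmds:
        runner(c, check=True)
    return len(cmds)


if __name__ == "__main__":
    print(render(mirror_commands("lan1", "lan4")))
    print(render(mirror_commands("lan1", "lan4", {"ip_proto": "tcp", "dst_port": 443})))
    print(render(teardown_commands("lan1")))
```

The matchall form is what you want for a full NSM feed; the flower form is for the case where the measured bandwidth exceeds what the SELKS box can keep up with and you have decided which traffic is interesting. Either way, the capture port on the SELKS side should carry no IP address of its own so that only mirrored frames arrive on it.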
Example SOHO routers to choose from include:
Please note that OpenWrt compatibility can vary depending on the hardware version of the router, so it's always a good idea to double-check the OpenWrt website or forums for the specific model and hardware revision you are interested in before making a purchase.
Linksys MR8300 with OpenWrt - dual purpose device: home router and packet broker:
OpenWrt's shell:
OpenWrt's admin interface showing the home page:
For an optimal hardware server to use with SELKS, we recommend a configuration with a minimum of 16 GB of memory, a 4-core CPU, and 500 GB of HDD space. This setup provides sufficient resources to handle the processing and storage requirements of SELKS. With 16 GB of memory, the server can efficiently handle the real-time analysis of network traffic and intrusion detection for a small home/office network of about 100 to 300 Mbps. A 4-core Intel CPU with a base clock of at least 2 GHz provides the computational power needed to process network packets and perform complex security analytics. It is also worth noting that most of these micro PCs have an SoC CPU soldered to the motherboard, so the CPU cannot be upgraded later. The 500 GB HDD provides ample storage to retain the captured network traffic and the logs generated by SELKS, enabling further analysis and investigations. This hardware combination gives you a robust and reliable server for comprehensive network visibility and security with SELKS.
One common misconception is that you need a huge server box using a lot of electricity. What you actually need is something simple, low noise, and energy efficient. Nowadays you can get your hands on really cheap, low power, small form factor, used mini PCs that can be brought back for a second life as a SELKS IDS/NSM network analyzer. They are the size of a small home switch (7.0 in W x 7.2 in D x 1.4 in H, or 179 mm x 182 mm x 34.5 mm; weight 2.9 lb / 1.3 kg), and the best thing is that some even come with passive cooling, making them silent. With the right upgrade to the storage and memory, such a machine could be the ideal consumer SELKS box for any home or micro network.
Unlike traditional PCs, fanless computers dissipate heat through the case and the heatsinks, so the device is completely silent. Even if there’s a fan inside, it’s a small one considering the low power and low heat produced by the CPU and board overall.
A few starting points to look for such a micro server could be:
In future installments of this blog series, we will explore implementing SELKS to achieve full network visibility. Stay tuned for a step-by-step guide on configuring the system and analyzing the collected network traffic.
Remember, by using SELKS as your IDS/NSM solution, you can gain valuable insights into your network's activities, enhance security, and ensure a safer and more efficient network environment. Let's embark on this journey together and unlock the power of network visibility.
Stay tuned for the next part of this series where we dive into the setup process of SELKS to achieve comprehensive network visibility in our home or small office. To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.