So I did a video about a week ago about pfSense and transparent bridging and how you can do intrusion detection, and I wanted to do a follow-up video to talk more specifically about the use case for that and how it works. So I'm going to break this down specifically with an SG-3100 running Suricata. Now, the original idea for this, in the project that a client has contracted me to do, was to design this with Snort and not Suricata. Well, it was kind of my suggestion; I thought it would work. Well, turns out this chokes on Snort but seems to run fine with Suricata. So this video is kind of to walk over the configuration, talk about the use case, talk about the implementation of this particular project. So what we have here is an SG-3100. Why did we choose this? Well, the particular use case in this project the client hired me for is they're going to be deploying a large number of these to monitor very specific systems on their network, special control systems, and they want to be able to babysit them. And this is one of the things that some people go over the top with: they try to apply this to their own computers and things like that, and there's just a ton of connections going on. But when you're dealing with the business world there's very specific connections and very specific filtering for those connections that you may want to do, and that's what this is going to break down: how to set that up and how to completely and specifically watch that filtering. Now with systems such as Suricata, or any IDS system, one of the things it does is monitor routed traffic, normally, because you run it inside your firewall. The way to not have it only monitor routed traffic would be to mirror a port and send it over; that can be very time-consuming, but you can do it that way. What I mean by that is when two devices are on the same network, so you're moving laterally within the network, not routing through the device, so the two IPs are in the same range.
They just talk to each other. Your IDS has no way of seeing that unless you do, like I had said, a port mirror, where you duplicate all that data and send it to an IDS system for inspection. In this case though, with transparent bridging, this allows us to easily monitor without changing any of the existing network infrastructure or setting up a port mirror. It does require an extra piece of hardware, and that's why they chose the SG-3100, and the question was: is it fast enough to route? Will it work for this project? Turns out it will, as I said, as long as you're using Suricata. So what we've done is turn the WAN port into the management port. So this will be managed by a separate network, a separate range on the WAN. The WAN will have an IP address assigned to it. Then we have OPT1; this is essentially our "in", this is where the network feed will come in, and then over here we have four ports, and we're gonna go over how we have these configured in a second. These four ports are all the same; it's just essentially a four-port switch. That means one to four devices can all be monitored. Now when you plug these in for monitoring, whether you were to take these two wires, even though they go through here for the transparent bridge, if you were just connecting them straight together it would work perfectly fine in terms of, like, it gets the same IP addresses. We're not doing any changing of IP. We're basically turning this into an observer, a transparent bridge of the traffic, and then feeding that traffic into the IDS system, which is going to be Snort, and I'm gonna walk over that configuration and exactly how that works. So with Snort it's going to be able to see any of the traffic that comes here, but the devices themselves are blind to the fact that there was a change. So no IP ranges have to be changed on the devices. These literally just have to be dropped in; the only thing that has to be programmed is the WAN port, to match whatever the management side is for each location that these are going
to be at, so they have access to it. Now further, but beyond the scope of this video, I will show where the logging goes, and you can dump these logs to an external server for monitoring and such. But the goal of this is to create very specific rules, essentially pinholes, between the devices that are going to be plugged into the four ports here, and what I mean by pinholes is: they know what they need already. They already know the IP addresses, they know exactly what things should be allowed within the firewall, and they want to restrict it to that. That way, if someone on the same network tried to attempt a different range of IPs or a different port than the control system is on, the system would just block it by default. Further, they also want to inspect the traffic with Suricata. So if the ports that are open are then also subjected to some other potentially malicious traffic, that will also be logged and cataloged, and they'll be able to inspect the traffic, as maybe you don't always know if traffic is suspicious until you put it through something and it matches some type of pattern. So let's get in and go over exactly the settings on this thing. I'll go over the physical layer, which is pretty simple: WAN is management, OPT is the "in", and our four ports are for up to four devices. I only have one device right here.
It's my laptop, and it's going to be the device that we're going to use for just showing how the system connects to it and kind of giving us some alerts, so we can actually generate some noise in the log and show how it works. Well, let's dive into all the settings. Management was formerly the WAN interface, and what we've done is assigned it DHCP; we'll click on it real quick. I just renamed it from WAN to management because technically it's not a WAN port anymore, but physically it's where we're plugged in to manage this device. And this is set to DHCP, but it can be set to static so we can have an assigned static IP so this can be managed, and this is how we will communicate with them, because as you notice here we only have an IP address assigned to that particular interface; all the other ones do not occupy any IP space within the bridge. But here's those four LAN ports, and we did enable, out of the box, the only thing different from stock: we enabled OPT1. So OPT1 enabled allows us to build the bridge, and let's talk about the bridge settings. So over here, in Interfaces, Assignments, Bridges: we turned on OPT1, and we just created this LAN and OPT1 bridge, called it "transparent bridge". There's all kinds of advanced settings you can do in bridges, beyond the scope of this talk, but we left all those at default; for the purposes of what this is going to do, just monitor that traffic, we don't need any of those advanced settings turned on. Then we go over here to Interfaces, Assignments, and we assigned the bridge as the interface BRIDGE. Now something else I did over here real quick: the anti-lockout rule, we did disable that, and the reason why is because, if we go over here to Firewall, Rules, we have the management interface. This is how we plan to manage it.
I've got SSH externally opened to management, and we have 443 so we can get to this web interface, which is how we're logged in now. Your LAN, I want no rules at all; under OPT I want no rules at all; and I want only the bridge to be where I get all my rules from, that way, from a clarity standpoint of how I'm managing this device. Right now we have it set to wide open, as in any port, any gateway, etc., etc. Go ahead and go wherever; all we're doing is managing it wide open right now, but when we get specific we only have to create rules and get granular inside this bridge. And the final way, the final little system tunable that was changed, was under Advanced, System Tunables: packet filter on bridge interface set to one. You can look this up; there's a write-up inside of pfSense's documentation on this. But what this does, instead of having either the LAN or OPT be the interface by which you set those rules, this means put all the packet filtering on the bridge interface. Like I said, it's kind of just a clarity thing, so there's no confusion and you know where your rules are. Now the other things we had to do: we go over here and we see bridge. That's what we're going to be over on Suricata monitoring; Suricata is monitoring the bridge interface. Now let's look at it real quick here. First thing before we go in there, let me show you, and I covered this in my other video, but Suricata, because it does not have... and this is me just mousing over an alias so you can see what we're doing here. The bridge IP range aliases are important. So we created this, called "bridge watch". Edit it real quick: it's called bridge watch, IP addresses to watch over the bridge. Then this is just an alias, and you can click on this; I only have one.
I'll show you how we created it real quick. But you have to monitor the IPs within that range, because Suricata, although it will monitor the traffic, will disregard the alerts if it doesn't know what to monitor. By default Suricata looks at the local interfaces attached to the system and monitors them, so that's how it gets the IP ranges that it should be monitoring. I added an alias called bridge IP range. You go to Interfaces, you edit it in Suricata; that's just set right here under HOME_NET, you change it to bridge watch, because that's what I called it. And if we look over here under the aliases, you can see I have all the IPs related to everything under the 192.168.3 range, so anything in there. Now I could get specific and only put the IPs I wanted in there, and also I didn't have to hand-type these; that's why it says entry created Saturday, etc., etc. You can type in /24 or /23 or /22 or whatever you want, and when you save it, it'll auto-populate that entire subnet range without you having to hand-type it. So however you want to monitor this, you can. I just do everything in the .3 range because I wanted to do a bunch of thorough testing to make sure the alerts were getting picked up. I also have this right here, which is the temperature monitor, and the reason for that is a few people commented that the SG-3100 gets kind of hot, and I wanted to say: not really. Even with the testing and the updates and pushing a bunch of data through this (and you can see I've already got alerts because I was testing it prior to the video), I haven't had an issue with it overheating. Matter of fact, if we let it idle and don't push data through it, it goes down pretty cool, down to 139.
This is the thermal sensor, not the whole bottom plate. You can still put your hand on the bottom of this, and it's passively cooled, though it still works really well for that without causing an issue. Now let's dive into actually doing the tests. The first thing we want to do is SSH into our management port, open up a shell, open up top, and we see Suricata kind of sitting there. Now let's go over here and log in to my laptop, my laptop running through that transparent bridge, and then my computer is local right here. Let's just run iperf over SSH. So iperf3 server, and then we're gonna go iperf3 client 192.168.3.101. So you're seeing about 900 megs. Not bad; it's just slightly under line speed, and it does push Suricata to about the 89% mark watching all that traffic. Let's go to the firewall. All right, Services, Suricata, look at the alerts, and there we go, we got some alerts: stream, packet out of window, 5201. What it's doing is it didn't understand some of the stuff, so it started seeing packets out of window and it started generating alerts. As far as how I have Suricata configured in here, when you look at this I did a pretty basic rule setup. So as far as categories and rules, I just grabbed all of them. There's no fine tuning done; I just grabbed the ET Emerging and the Snort GPL rules through here and just said select all of them, basically, more than you probably want to know. But the goal is to be able to get the streams to start creating some data and then filter it back out, because these have a very specific use case, and there's always some amount of tuning you'll have to do of going through these alerts and deciding which ones are valid alerts, which ones are just gonna be false positives, and going from there. I will comment as well, for those wondering: well, how do you get the alerts out of the system?
You can get them out a couple different ways. The easy way to do it: we go enable Barnyard2; you can send them to syslog, Bro IDS, even dump them to some type of SQL database. That's beyond the scope of this; this is like the monitoring side of this. But yes, Suricata supports external syslog, both specifically for Suricata and globally for the pfSense system itself. You can just go into the log system and externally export the logs under Status, System Logs, Settings, and send it to a syslog server and dump whatever it is you want to dump, the whole system, or get specific and granular. Let's go back over here, and we do see that it immediately jumped up a couple degrees just by running that test on there, but it's still working, and we have some of these alerts from Suricata kicking off and going in here. Go back over to the alerts. What else does it see? Well, let's go over here and clear the alerts so we don't have anything in there. Let's generate some new ones. We'll update my laptop real quick: apt-get update. All right, no packages to install, but I'm feeling though... it definitely grabbed a bunch of stuff, because some of it went out over port 80 to grab the updates, and it says, hey, GNU/Linux APT user agent, possibly related to package management. It's not suspicious traffic, but once again, when you turn all the rules on and say watch everything, we're getting a lot of detail, and from the standpoint of the desired goal, to watch one of these machines that's going out to the network, you want to know everything about it, because it has a very specific purpose, and you want to make sure you're tracking everything on there. If you're trying to do this with your home computer or system, you're gonna find it just kicks off all... if I just start using my laptop as like a regular user, you'll spend a lot of time doing this. But like I said, the goal of this is to go into very specific use cases on there. But as you can see here, it's really not taxing it too much. Now I do
know, like, iperf is gonna be less than ideal in terms of real-world testing, because it's just doing one specific stream, but you get the idea: it doesn't have a problem handling the traffic, and it's capable of still routing at a very reasonable speed with the SG-3100 with Suricata. Now Snort, like I said, I tried this with Snort; it was all over the place and did have a lot of just hang-ups trying to do this. It just didn't seem to work as well on that processor. Now, let's talk about rules. We'll exit out so we're not breaking any sessions. Right now I can ping my 192.168.3.1. I currently have the firewall completely shut down on my laptop for these demonstration purposes, for those wondering. So easily I can ping it, and that also means, if we go to Diagnostics here, let's go over to pfTop, we're gonna go to host 192.168.3.101, we can see everything that's connecting to it, including everything from nine here. So right there are the TCP/UDP connections going out. Let's go ahead and ping it, and now we see the ICMP connections going there. So everything's working fine, and like I said before, the firewall rule is wide open so it's allowing that. Go ahead and stop the ping, then go here and edit it. Say we don't want ping to be supported; we only want TCP connections. So specifically TCP only... I will go TCP/UDP, so that would give me two demos here. Save. Now we've said the only thing that can go across here is TCP and UDP, which means SSH will work fine. So I can go over here, SSH right into that computer again, no problem. But if we try to ping it, ICMP has been blocked, so we're dropping that. So note: four packets transmitted, zero received. Now if you notice I have this on; let's look at this rule real quick. I do have it logging the rule, and logging the rule is so that we can go over here, go to the firewall log, and see what is going on, if this is going to be matched or dropped. So right here, because we have it set to drop it,
we're showing a drop of these and a pass of these rules, so you get the idea of going back and forth. Now you can get to that fine-grained filtering and understand, especially like I said, these are going to be control machines, what they're doing and how they're doing it. So you can get to these fine details on here. What else can we do with that? Well, we go here and we'll do that iperf again, and one of the things iperf has an option to do is both... hit C for this, and it's working over TCP. You can actually do iperf over UDP; you just add the -u option. So now it's doing it over UDP, which actually gives you a little bit more performance because it doesn't need a three-way handshake for each packet. But you can see it was working. Let's go over here: Services... Firewall, Rules, Bridge, edit this again. Now we're only gonna allow TCP connections. Save. So now the only thing that can cross here is TCP connections. So we'll try it first with standard TCP: no problems, we're able to go across there. And then we'll do -u for UDP. That's it; now you notice I do get "accepted connection from", but it doesn't finish. We'll do that one more time. "Accepted connection from": that's because the connection is initialized via TCP port 5201, but then UDP is the transport to try and do the test. And if we go over here, Status, System Logs, Firewall, you can see how it was dropping those connections that are coming in there, so trying and dropping away. So that's how you would control the firewall rules within there. And once again, let's actually run a repetitive test, because, as you notice me flipping through here, it's causing it to heat up a little bit. So let's go ahead and we'll do this while that's running, and see if this thermal management gets in there. But you can see with this running, pushing this, doing this right here, we hit what, 144. I'm just bringing this up to show, you know, based on the use case here, that yes, it's stable.
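The firewall log the video reads by eye, summarised by script: this is an added example, not code from the video or from pfSense. The log lines are constructed in the CSV layout pfSense's filterlog writes for IPv4 (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then IP header fields, protocol, length, addresses and, for TCP/UDP, ports); check the field order against your own Status, System Logs, Firewall export before relying on it.

```python
"""Summarise pfSense filterlog lines: what the bridge rule passed or blocked."""
import csv
import re
from collections import Counter

# Strips the syslog header ("... filterlog[pid]: ") if it is present.
FILTERLOG_PREFIX = re.compile(r".*filterlog\[\d+\]:\s*")

# Constructed sample: TCP 5201 (iperf3 control) passes, UDP 5201 (the -u
# test traffic) and an ICMP echo request are blocked by the TCP-only rule.
SAMPLE_LOG = """\
Jan  3 10:15:02 sg3100 filterlog[51234]: 5,,,1000000103,bridge0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.20,192.168.3.101,48870,5201,0,S,1,,64240,,mss
Jan  3 10:15:03 sg3100 filterlog[51234]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,192.168.3.20,192.168.3.101,41286,5201,1472
Jan  3 10:15:03 sg3100 filterlog[51234]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,0,0,DF,17,udp,1500,192.168.3.20,192.168.3.101,41286,5201,1472
Jan  3 10:15:09 sg3100 filterlog[51234]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,192.168.3.20,192.168.3.101,request,4321,1
"""


def parse_filterlog_line(line):
    """Return a dict for one IPv4 filterlog line, or None if it does not parse."""
    body = FILTERLOG_PREFIX.sub("", line.strip(), count=1)
    fields = next(csv.reader([body]))
    if len(fields) < 20 or fields[8] != "4":  # only the IPv4 layout is handled
        return None
    rec = {
        "iface": fields[4],
        "action": fields[6],   # "pass" or "block"
        "dir": fields[7],
        "proto": fields[16],   # protocol text: tcp, udp, icmp, ...
        "src": fields[18],
        "dst": fields[19],
    }
    # Ports only exist for TCP and UDP; ICMP carries type/id/seq instead.
    if rec["proto"] in ("tcp", "udp") and len(fields) >= 22:
        rec["sport"], rec["dport"] = int(fields[20]), int(fields[21])
    return rec


def summarise(log_text, iface="bridge0"):
    """Count (action, protocol, destination port) for one interface."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if rec and rec["iface"] == iface:
            counts[(rec["action"], rec["proto"], rec.get("dport"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items(), key=str):
        print(f"{key[0]:5} {key[1]:4} dport={key[2]}: {n}")
```

Pointing `summarise` at a syslog export instead of `SAMPLE_LOG` gives the same per-rule picture the video shows, which is the quickest way to confirm a pinhole rule drops exactly what it should.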
Yes, it will get warm if we keep doing this; we'll do it more times. 148. Can we overheat it? Not likely, and like I said, we're pushing it harder than it would probably likely be pushed out there. But I mean it does push the CPU pretty hard. We're at about 50% of only two gigs of RAM usage, so you can see that even with Suricata, with more rules than are likely to be loaded in a real-world scenario, because I loaded a hundred percent of the rules, we're still only at half RAM usage. We are pushing the temperature a little bit, and CPU usage, and you can see the peaks in the LAN and WAN. And ideally, when you're watching traffic, you're only gonna really want to watch traffic over the bridge interface, because LAN has one half, OPT has half, and bridge shows all the traffic, as you can see the traffic going back and forth. But it's really reasonable as far as how fast the traffic goes across, and as soon as we slow down it quickly lowers back down to 339, and my office is at about, let's say, 70 degrees ambient temperature, so kind of an average comfortable office temperature, so nothing too extreme here, I don't believe. This shows kind of the use case and how you would deploy one of these and how you would configure one of these and whether or not they're viable. And of course one of the questions a lot of people want to know is: why are you choosing the SG-
3100? And this goes back into the use case this client has: they need to deploy a large quantity of these. One of the things you can do with pfSense is go through, create the config file, do all the tuning for these type of systems, and there's going to be a quantity of these deployed at all the different locations. Modify the file, do all the tuning, do everything, and then now you can easily duplicate it, going into that XML file and only changing, for example, if you set the management IP to be static, you could then take the XML file and change the management IP of each one, or set it to be DHCP and, you know, create reservations, depending on which way you're going to deploy them. But now, once you configure one machine in your lab and build it out, you then can deploy this universally to all the machines, and as far as if there was ever a problem or a replacement needed to be done, no problem; same with when you have to make a modification. You can then push this XML file to all those machines, and there's ways, if you want to get a little more complicated, SSH and Ansible, you could push these configs out via that and enforce a restart of all these machines and tell them to use the new config file. You could go real in-depth with this, but this is one of the advantages when you use common hardware, and I know this is the Netgate box, but because they're going to all be the same, we can easily just drop that config file in each of these and rebuild it very quickly. So we make the change in the lab and, without having to go read through, especially like 30 changes, you just re-upload the XML file to it, it'll restart, and away you go. As always, if you want to keep the discussion going, head over to our forums, and if you have questions, concerns and comments, go over there and post them.
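The duplicate-and-edit step described above, as an added example (not from the video or Netgate): one lab-tuned config is stamped out per site with a static management address, and each copy is checked for the two settings that make the transparent bridge work. The XML below is a constructed, cut-down imitation of pfSense's config.xml layout (interface keys, the bridge member list, the sysctl item); verify the element paths against a real export, and note that a static WAN in pfSense also references a named gateway entry, which this example does not template.

```python
"""Generate per-site pfSense configs from one base config.xml and validate them."""
import xml.etree.ElementTree as ET

# Constructed base config: WAN (renamed MANAGEMENT) is the only interface with
# an IP, LAN and OPT1 are bridge members with none, and pfil_bridge is on.
BASE_CONFIG = """<pfsense>
  <system><hostname>bridge-lab</hostname><domain>example.invalid</domain></system>
  <interfaces>
    <wan><enable/><if>mvneta2</if><descr>MANAGEMENT</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>mvneta1</if><descr>LAN</descr></lan>
    <opt1><enable/><if>mvneta0</if><descr>OPT1</descr></opt1>
    <opt2><enable/><if>bridge0</if><descr>BRIDGE</descr></opt2>
  </interfaces>
  <bridges><bridged><bridgeif>bridge0</bridgeif><members>lan,opt1</members></bridged></bridges>
  <sysctl><item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item></sysctl>
</pfsense>"""

# Interfaces that must stay address-less so the bridge remains transparent.
BRIDGE_MEMBERS = ("lan", "opt1")


def render_site(base_xml, hostname, mgmt_ip, prefix_len):
    """Return config XML for one site with a static management address."""
    root = ET.fromstring(base_xml)
    root.find("system/hostname").text = hostname
    wan = root.find("interfaces/wan")
    wan.find("ipaddr").text = mgmt_ip
    subnet = wan.find("subnet")
    if subnet is None:  # the DHCP base config has no <subnet> element yet
        subnet = ET.SubElement(wan, "subnet")
    subnet.text = str(prefix_len)
    return ET.tostring(root, encoding="unicode")


def check_bridge_invariants(xml_text):
    """List problems that would silently break the transparent-bridge design."""
    root = ET.fromstring(xml_text)
    problems = []
    for name in BRIDGE_MEMBERS:
        if root.find(f"interfaces/{name}/ipaddr") is not None:
            problems.append(f"{name} must not carry an IP address")
    tunables = {item.findtext("tunable"): item.findtext("value")
                for item in root.findall("sysctl/item")}
    if tunables.get("net.link.bridge.pfil_bridge") != "1":
        problems.append("net.link.bridge.pfil_bridge must be 1")
    return problems


def build_all(base_xml, sites):
    """sites: iterable of (hostname, mgmt_ip, prefix_len). Returns {hostname: xml}."""
    out = {}
    for hostname, ip, prefix in sites:
        xml_text = render_site(base_xml, hostname, ip, prefix)
        problems = check_bridge_invariants(xml_text)
        if problems:
            raise ValueError(f"{hostname}: {'; '.join(problems)}")
        out[hostname] = xml_text
    return out


if __name__ == "__main__":
    # Constructed site list; management IPs are placeholders.
    for name, xml_text in build_all(BASE_CONFIG, [("site-a", "10.0.5.20", 24),
                                                  ("site-b", "10.0.6.20", 24)]).items():
        print(name, len(xml_text), "bytes")
```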
Thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching and see you next time.