And welcome to The Homelab Show, episode 97: network traffic monitoring and filtering. How are you doing, Jay?

I'm doing pretty good. How are you?

I can't believe we didn't cover this topic in depth before, so I think this is a great topic. It's also where a lot of people want to start: they want to know where all the devices are going, they want to jump into a lot of details on it. We're going to give you some tools for that, but I will tell you, as your career goes on, the pretty dashboards won't matter as much to you. They're something that people get excited about in the beginning. There are reasons to do filtering, but we'll also talk about some of the challenges in filtering. This was like a back-and-forth discussion Jay and I had: "this sounds like a brief topic," and 25 minutes later me and Jay are talking, "okay, we've got to cover this."

It felt that way, but yeah, we kept talking and talking. I'm like, yeah, okay.

So there's a lot to talk about, actually; there are a lot of aspects of this. We want to make sure we go over some tools; we'll definitely be talking about open source tools and all that fun too. So this is stuff that's very accessible to any of you watching this. You could get a grip on this, play with these tools, and understand better where the traffic's going, and maybe we'll offer a few tools to help you with filtering it. Filtering is going to be the trickier part, but we'll throw some resources out there for you. Before that, we need to thank a sponsor of the show, and that's going to be the Akamai Cloud. They have been a sponsor since the beginning, back when we called them Linode. They were sponsoring us; now we call them Akamai.
Oh, they've been great to work with. Me and Jay actually worked recently with them to get some open source stuff talked about. I've tweeted out some links about that. But most importantly, they're a great place to host the things you might want in the cloud that you might not want to run on your servers, or, just because, why not run it in theirs? Why not use their marketplace to get things spun up fast and easy? It is a great place to play with things, to put them in the public. A great place to, you know, host your VPNs and all kinds of fun services, or maybe a honeypot.

That's an episode we haven't done yet either.

So that'll be fun. That'll be a fun episode, and, you know, a good place to do it is going to be in the public cloud, not on your servers. But we thank them for sponsoring the show. We have an offer code down below to get you signed up for that, and let's get started on this.

Let's do it.

So, the feedback. This is actually someone's feedback that drove this show, so there's actually not much feedback to talk about today. But the feedback was: you guys haven't done a video on traffic analysis. Which, you know, led us down the rabbit hole to bring you this particular show. So I don't think I have any other feedback to talk about. Did you have anything in your notes on that?

No, I don't have anything.

Yeah, I didn't see anything else.
A couple of software updates. I'd mentioned it last week: it was under beta but close to release. This week the UniFi Dream Machine 3.0.20 is in full release now, so I'll finally be doing some videos on it. The highlights, of course, are their VPN works properly if you just have a normal UniFi Dream Machine, and I see it properly, like they have OpenVPN and WireGuard now. So that's exciting. And yesterday the beta dropped, so it's kind of close to being released, of pfSense Plus 23.05. So if you're wanting to play with the latest beta, there's, you know, the call for testing, and I will be answering that call. You know, I didn't do it last night because I was preoccupied with some other stuff, but I will be playing with it, updating my firewall, at least. I'll probably move my office here and one of my lab ones over to the 23.05 beta so I can poke at it, see what bugs... run a lot of it. But feel free to poke at it and, you know, use those boot environments so you can just roll back if you need to, if it all goes wrong.

Yep. I've seen a comment in the chat and they're not wrong: management loves dashboards. If you can create dashboards, especially pew-pew maps, if you're working security, that's going to make management really think you're working. So just keep those up, put them up on big displays, like six monitors around you, because that's how every, you know, hacker movie looks, and every inside looks like, oh yeah, we've got to have all these screens around us, man. That's what impresses the people.

Or you could just have the hollywood command installed, and then when you're at your desk just have all these flashy things flying around your screen, and, you know, nobody will know it's not real.

Definitely have to install hollywood. You won't regret it, man. It's going to make you look so much more productive. There's our busy tip. That's our business tip we have for everybody.

Oh yeah.

Ah, should I kick it off here with the ntop?
Sure, let's go there.

All right, so one of the... probably the only one that really comes to mind here when it comes to really detailed traffic analysis, and being able to get deep into your knowledge of what's going on in your network, and that's going to be ntopng: high-speed, web-based traffic analysis and flow collection. It's got your pretty charts. It does layer 7 to be able to monitor this. Now, it can run... it's very portable, so they've got all kinds of different ways you can run this. It supports Unix platforms: Linux, BSD, macOS. I guess you can run it on Windows as well, which is interesting. You can also run this as a Docker container, and the Docker one is kind of clever, because when you deploy it through Docker you just point... the last parameter is just pointing at which Ethernet port you'd like to monitor. So if you have a system you're running and you go, you know, I'd just like to do traffic analysis on this, spin up Docker pointed at whatever the main Ethernet is that you want to monitor, and all the data just starts flowing in from there, because it's doing essentially like a port mirror or a SPAN to be able to pipe all the data in there. It's also popular.
I've done videos on it for pfSense because it's a plugin in pfSense. It just gives you a lot of insight, and I always encourage people, when they want to start understanding how networks work, how traffic gets routed, what's being routed, and what kind of requests are going out there: if you're using pfSense, this is just a great way to dive into it. You're going to get traffic analysis including criteria such as your IP address, ports, your layer 7 applications, the throughput, and it even does the autonomous system numbers. So you can actually see, and in pfSense specifically it makes it easy because you just drop in your MaxMind IP database ID, and you can then get geo information as to where all these IPs, all these different applications, are going. You can also produce long-term reports over your network segments to kind of summarize where things are going. This way you can do some of that cumulative analysis of going, you know, what goes from here to there? I actually use it to look at things that are going across even my VPN traffic, going, you know, what are the things being pulled across here? What are the commonalities? And sometimes you'll find things that are inefficiencies, or maybe something not routed in the way you think, or you can look at it to do some analysis of capacity routing and go, hey, I'm going to need a little more pipe here, because, you know, this is too much traffic going across over these times.
It's just really neat software. It's hard to believe it's a big open source project like that. Now, they do have commercial licensing options for some extended features and things like that, but it's just such a slick program to dive into, because it also has layer 2 support, so you can even get your ARP statistics. So you're going, you know, down at layer 2 and all the way up to your layer 7 stuff here, and being able to just capture all that data and then cross-reference everything in there. There are some ways you can create some alerts and things like that. I've never done it too much for any of the alert data; mostly I'm doing it just for traffic analysis when I'm trying to figure out what's sucking up a certain amount of bandwidth, or who in the office is using bandwidth. I have definitely used it for that. It will identify the culprit and then let you know what the culprit is doing, and you're like, why does this employee watch so much YouTube at the office, or Twitch? It's definitely a really neat tool for that. And, you know, like I said, it's free and still on pfSense. So if you're already using something like pfSense, it is the de facto best tool in pfSense by far to give you that type of analysis. All the other tools that are for traffic in pfSense just kind of give you very generic, like, bandwidth, like it used this many kilobytes, with no context around it. So it's not necessarily actionable or helpful, but ntop I'm going to give a shout-out to for being really good.

Now, a little further down the list is going to be Security Onion. Now, I'm not going to dive too deep into it, because we did in episode 42. That's where we really dove into Security Onion, and it's awesome. It's really good. If you are looking for hands down the best open source security analysis tool, Security Onion is it. It gives you incredibly good threat hunting features.
It gives you traffic analysis, NetFlow of all the traffic going in and out, then it lets you apply rules to it. It has an entire reporting suite in it. Watch that episode, because we talk about it for quite a while, because there's so much to talk about with Security Onion. And it's improved greatly since episode 42; the versions have gone up. It's extremely actively developed, and it's, by the way, used commercially. It's free for you to use, it is an open source project, but it actually is used in businesses. I've done consulting where companies have had this internally. It's not something we use because it's not designed for outside as much as it's designed for internal. But you're talking about a fully commercially competitive product with the big expensive companies out there that's fully open source and can be running in your home lab, no problem, to dive deep and heavy into every little bit of traffic and then apply security to it. Now, Security Onion is a reporting tool, so I say apply security to it from an analysis standpoint, but not from an active blocking standpoint. That's not what this does. This is going to be just analysis. If you're looking to actively block, I'll give a shout-out to Suricata and Snort once again. They're available in pfSense. There's a variation, I believe it's Snort, that's on OPNsense, so you can get this. Those are your standard, like, IDS systems. I believe OPNsense, and someone can correct me, only has Snort in there, which is fine. It only has Suricata in there, which is fine. Suricata is definitely good. They both use similar rule sets for intrusion detection slash intrusion prevention systems. You know, UniFi actually uses, I believe, Suricata as well, so UniFi does have some of that in there. That's some of your threat prevention, but I think that falls a little outside of the traffic monitoring. But it's a good exercise in understanding the traffic that is going on.
It's also a fun time of false positives, because that's just... people always turn it on and go, wait, wait, what is it? It's like, is it a false positive? Is it real? I'm like, no, just Google it. You'll see. It's a lot of false positives you're going to get, especially if you turn it up to monitoring, because monitoring encrypted traffic is really, really challenging to do. This is even true for ntop or any of these traffic analysis tools. They have a lot of things they do based on where the traffic is going to make assumptions, but it's not always going to be a hundred percent accurate. And for, like, an example of looking at the data going across my VPN, it just shrugs its shoulders because it can't identify it. It says it's TLS encrypted traffic. That's like most of it. It doesn't have any insight into actually where, because they're all private IPs. It can't apply the same level of traffic analysis to it. But definitely kind of fun to play with and dive into learning all of that, for sure. Then for blocking, on that side of it there, Jay, tell me about Pi-hole. I think you're more of a Pi-hole user than me.

Yeah, it's just a great thing, and sometimes it's all in how you implement it, because you could use pfBlocker and the same list in pfBlocker if you're using pfSense. Not everyone is using that, but I am using pfSense and I still use Pi-hole. I just really like the interface.
It's, you know, originally, and probably primarily, designed for Raspberry Pi, but you don't have to run it on a Raspberry Pi. There's an install script you could run on a Debian VM, which is how I do it. And what I like to do is have, you know, basically Pi-hole in the middle between pfSense and the public internet. So there's this handoff thing where in pfSense, or whatever your router is, you put in an IP address of the upstream DNS server you're subscribed to, whatever that happens to be. But one thing you could do is send the DNS lookups from pfSense to Pi-hole, and then, obviously, if it's not internal, Pi-hole's not going to know about it... well, it will, but basically it's going to look it up externally through the external DNS that you add to Pi-hole. So you kind of have it in the middle, which I think is the best way to do it, and it kind of makes browsing the internet on phones a lot more bearable, because I feel like browsing on mobile devices is one of the worst things that you could ever do, because you get the most popovers and all these other things. So it kind of helps keep that sane. And I just like the ability to just, you know, say no, thank you, to ads that I'm not trying to see. So it's really easy to install. There's an admin interface, very well designed. You generate a password, or it generates a password for you when you install it. You log in, you can update the block list, change the settings. And one of the things you have to do is add the trusted networks; I forgot what they call this setting. Because if you're like me and you have it on a different VLAN than your other devices, then what's going to happen is it's just not going to want to resolve anything, because it's a different network. So you have to go in there and allow the subnets that are going to be doing lookups through it.
So that's something to keep in mind. But it's really easy to install. You can set it up on a VM, a Raspberry Pi, or whatever you have, and it's just very good for ad filtering. It's probably among the best, if not the best.

I think one of the challenges they have is they've called it Pi-hole and everyone wants to use the Raspberry Pi, but then they go, oh, Raspberry Pis are expensive, they're hard to get. So it's really like, I don't know if they should change the name, because everyone knows them as that. But it's definitely one of the most popular ad blocking projects out there, for sure.

Yeah, and it's not uncommon for, you know, Raspberry Pi projects to be installable on Debian, because Raspberry Pi OS is, you know, a modified Debian. So there's the ability to kind of, you know, make that work, but as far as I know it seems to be officially supported. So yeah, I agree, the name kind of pigeonholes it to Raspberry Pi, but that doesn't mean you have to have a Raspberry Pi. Just set up a VM and put it in there, and I think that is probably a better way to do it anyway, because you could take an image of it, or a snapshot in your hypervisor solution, so if anything happens you can always restore it. And not that you can't do that on a Raspberry Pi, because you can image the SD card; I always find it a lot easier to snapshot a VM than taking a dd image of an SD card, personally. So I think that having it as a VM...
It just gives it a little bit more power. The same could be said for Home Assistant. At one point that was heavily used on Raspberry Pi, but they don't have that in the name, so they can, you know, be on everything, and people generally don't think of it that way anymore. But there are VM templates for Home Assistant that give you the same capability. Obviously Home Assistant has backups built in, but you could snapshot right in your VM solution as well. So there's something to be said about having things in your VM solution to give you that capability, and that way, you know, you build your Pi-hole and you don't have to build it again if you accidentally break it, because let's be honest, we're always experimenting with our home lab and breaking things as part of learning. So if you break it, then it's always good to have a way to get it back, especially when it handles DNS lookups and nobody can get to the internet effectively because it's down. So you'll probably like having it as a VM solution.

Yeah, and one of the options... I seem to see people mentioning Docker, but yeah, I believe there's... I think it's going to be through TrueCharts, I don't think it's part of the official ones. Pi-hole can be run in your TrueNAS as well, so, I'm pretty sure, on SCALE. So that's, you know, definitely a nice feature on there as well. Now, I'm partial to using pfBlockerNG because it's integrated into pfSense and you don't throw in anything separate. But it actually can use the same feeds as Pi-hole. So if you have a specific feed, or when you're configuring pfBlockerNG, you'll actually notice some of the similar feed names, and that's actually a really nice feature. The way the formatting works for adding these extra feeds and determining what things you want to block, you know, there's a standard format.
They follow the web URL format. You re-download and grab them, and they're parsed easily right into pfBlocker just as well, so you can get that. Now, Pi-hole definitely, by comparison, has way better reporting, prettier reports, but that's what we said at the beginning: everyone's excited about reports. And I go, do I want to run a separate service? Maybe you're fine with that, or maybe you're like me and go, I'm fine just running it all inside of my pfSense, and that's just a simple way to do it out there.

Yeah, I use pfBlocker as well, but I use the country blocking. I don't host anything company related that's externally available, you know, when it comes to my home network, so there's no reason for anyone to access my network outside of the United States, because I'm the only one that accesses it, and I rarely leave the United States. If I go to Canada or something, or if I take a vacation, I might allow, you know, that country, wherever I happen to be. So I basically use both, just not for the same purpose other people use. But pfBlocker is great for blocking countries that, for whatever reason, shouldn't have access or shouldn't be able to reach your pfSense or whatever it happens to be. When it comes to a home lab, I mean, your home lab is in your home country, so again, it's not like you're, you know, trying to restrict people from accessing your business. It's just, when it comes to your home network, you know who is supposed to access it: you, and maybe a family member or something. But outside of that, I don't really feel there's any value in allowing any outside country to your home network, because unless you're in that country, what purpose do you have for that country to have access?
So that's also a good way to do it.

Yeah, the GeoIP blocking feature in pfBlocker is just really nice, because especially if you're opening up any ports to the outside world, you filter anything incoming to the countries that you would expect them to be coming from. It helps minimize attack surface. Now, a couple of DNS services out there, and this is where I see there are some free resources out there. Now Cloudflare, for free, has their Families, which is 1.1.1.3. So Cloudflare rolled out their DNS a few years back and then they rolled out their family plan, which is DNS minus the naughty sites, and I thought that was kind of cool that they're offering that. And it's so easy to just set up and install, because you could just say, hey, and for example, you can do custom DHCP reservations where you say these computers that the kids are using, let's go ahead and give them 1.1.1.3, and then you could always write firewall restrictions so they don't query DNS outside of that. Granted, there are some other challenges you may have with DNS over HTTPS, but that's a good one. Now, is CleanBrowsing.org the one you've used, Jay?

Yeah, so that's what I'm using now. I don't know if I will continue using it, though. One thing I want to mention about the Cloudflare for Families: there's 1.1.1.3, which is no porn and no malware, but there's also 1.1.1.2, which is specifically no malware. It doesn't block anything else. And the reason I bring this up is because if you're like me and you have your pfSense forward lookups to Pi-hole, then in Pi-hole you have to set the upstream DNS servers to go, you know, outside of that. Where do you want the traffic to go to be looked up from? And 1.1.1.2...
I think is good for a lot of people, because according to what I've read this morning (I haven't implemented it yet), that one just only goes after malware and blocks nothing else. And the reason I bring that up is there are a lot of false positives that can happen. Sometimes it's happened to me where, you know, one of my kids is like, why can't I access the site? And it's literally a legitimate website. I have a kid taking a high school class on forensics and serial killers, and yes, there's an actual high school class that goes over, like, serial killers. I'm blown away by this. So of course there are going to be a lot of times where, you know, I need this site, I need this site, and it's legitimate; it's absolutely for school use. But even, you know, if you're not in school, there are going to be false positives. So sometimes the 1.1.1.2 just might be a good default if you want to just have, you know, fewer malware opportunities on your network, but it doesn't block anything else. So they kind of leave it up to you which one you want. Do you want to block just the malware, or the malware and also the adult sites? And you can make that decision. I think that's a really good one. Now, CleanBrowsing.org is the one I use now, but I'm not necessarily saying that it's going to be, like, my recommended solution, because I could probably try out the Cloudflare for Families and go that direction. Interesting note: they released it on April 1st, and it's not a joke. On their web page they say every April 1st they like to release a product for the general public, and it's not a joke. They literally will give you a new product out of their service, and this is one of those. But CleanBrowsing.org is not free, though. You get a little bit more control, because you get a dashboard. I was using, I think it was Open...
Yeah, OpenDNS before that. I don't remember why I switched off of it, but CleanBrowsing has been fine. But again, it's also not free. So, you know, if you're looking for a free solution, Cloudflare for Families is probably the best way to go, so that way you don't have to open up your checkbook just to get the blocking for that.

Yeah. Now, we're noting though, and this is one of those other challenges: filtering phones is really hard, because phone systems don't like your DNS. They like to use what they use. So blocking phones, I'll throw it out there, is its own complicated topic that I'm not an expert on, but it's definitely a lot more challenging, because the phones will create their own tunnels often. Google phones do this, like your Android-based ones, and your iPhone similarly. They kind of get around this pretty easily.

I feel like it's fast approaching a situation where, if you want to continue to have this control... because the companies don't care about you or your needs, right? They're trying to block everything and they're not trying to, you know, basically cater to the parent that wants to know what their kid is up to, even though that's a very valid thing to want to know. I feel like we're just fast approaching a situation where we're going to be installing certificates in all of our kids' devices at a certain point, because it's like this cat and mouse game where we figure out a way, like, you know, CleanBrowsing, Cloudflare for Families, whatever it is, and then once you have DNS over HTTPS, then you start to lose that, and then that's basically where it's going to go. And this is, you know, how the conversation evolved last night between Tom and I, because, you know, even if you do all of this and have all of this perfected, you know, look at your kid's Discord.
You'll be shocked. Like, it's like now they are using Discord for everything that they can't get through the proper internet. And even if that goes away, they're going to find another way. So I think by the time kids reach around 12, on average, I think it's a losing battle, and it's just going to continue to be that until they're an adult and then they're out of the house, or whatever. So yeah.

You just spend some time actively engaged in it. There are no easy technology solutions for this. A little bit deeper on the topic of web filtering specifically: we've mentioned all the DNS options, and Jay brought up those certificates. This is where there's a lot of confusion, and I've done a deep dive on this as a dedicated video about certificate filtering and what needs to be done. Now, this is common in your enterprise environments, and this is where, because traffic's encrypted from the point of your browser until it reaches the website... so if it's a normal... most websites now, we've now reached a majority of the websites that are going to be using HTTPS. I know there are some exceptions out there, but when they're doing proper encryption, that blinds anything from your browser all the way to the other website. This is where people assume it's within their network and therefore their firewall should have visibility into it, but technically your firewall is just another hop along the journey, therefore also blind, unless you install some type of certificate or have some type of proxy on there. Proxy filtering is what is the most frequently asked about, and also a rabbit hole that will lead you back to: screw this, I'm removing it.
I don't know anyone who enjoys using Squid over time, or any... most of the proxy solutions are actually based on Squid, even though they may be part of some commercial product by a large company. Many of them on the back end are all managed by Squid; what they've done is put front end management in front of it to make it easier. Now, you can load Squid up as a standalone product or integrate it into many different firewalls, including pfSense, but what you're going to run into is a ton of problems where there's this extra certificate and not everything likes it. It's going to break things. It's also the only way to really see a lot of the traffic. Now, the kind of in-between that some of the companies do is SNI filtering. So they can see, because before you request a certificate your browser actually has to go and ask for the website, not just through DNS, but it says this is the URL I want, so there is some level of filtering. Now, it doesn't know what the subdomains are, but because your browser had to make a request so it knew what certificate to get back, the SNI-type filtering is available on some firewalls. Well, they're doing some basics there, but they can go...
Hey, I can see that website and I can block it. So it's going to vary with some of the firewalls, but once you want full visibility into some of the, maybe, you know, the domain.com slash whatever they're going to, that level of restriction only really comes if you have full certificate management on there, and that gets, as I said, to be a lot trickier. It's going to be the solution for your phones, but it's also... you have to manage those certificates, and it's just a little bit more challenging.

I feel like if you really want to, you know, for the average family, to monitor everything, like, you know, to an almost, you know, perfect level (there's no such thing as perfect), you'll probably be running, if your family uses Windows, if your kids use... if we use Windows, for example, like an actual domain controller with group policy on there, and, you know, automation tools for, you know, computer management. And at some point you get to a point where you're rolling out an entire, you know, enterprise network for a couple of people to monitor their traffic, and it does get to be a lot, like, especially when you're talking about certificates, and some websites will complain the fingerprint doesn't match, and it's going to detect and call it, like, a man in the middle or something like that, which is technically what it is. You're creating a man in the middle attack for your kids. That's exactly what you're doing. And, you know, the websites are getting smarter about this. So it's just... I've had parents come to me; they're very annoyed, because it's like every time they figure something out, the kid does something else, and that's kind of how it works. You know, like, I brought up Discord. I mean, what other apps are they using that, you know, they're using outside of the normal use case? So, like I said, when they get to be about 12, it gets a lot harder to keep this going.

Yeah. Someone mentioned earlier, and I'll give it a shout-out for anyone...
...that's not aware of it. I've not used it, but I've seen a lot of people that talk about this: a tool called UnPoller. I think it's unpoller.com, so unpoller.com, or you could search for UnPoller. It's an integration project that offers Grafana, beautiful charts that tie to your UniFi system. So it's a pretty slick system. So I won't leave the UniFi people out on this, because, you know, I mentioned OPNsense and pfSense, which have a lot built in, but if you're using UniFi and you want some of those pretty graphs... because UniFi has some graphs, but they're not very actionable, because they lack proper time series data. So there are other ways you can get data out so you can do traffic monitoring with your UniFi firewall. I've not run it, so I can't really speak to the project. I'm aware of it. They have a website with some instructions on how to set it up and how to get started. I've seen a few people asking about it; I just don't use enough of the UniFi firewalls to actually take the time to learn it. I just don't prefer their firewalls, although I will be re-evaluating them a little bit more, as I mentioned earlier, now that they finally have normal VPN features.

Yeah, it's about darn time. Someone in our chat room... I'm trying not to laugh, because I'm sure this is frustrating, honestly, but someone said their kid spoofed the printer's MAC address to get around the restrictions, and I'm thinking to myself, your kid is probably going to have a great career in ethical hacking, and I would highly recommend, you know, just buying a security course or something, because if they're doing that at this point, I mean, we know where their career is going.
I think at this point... yeah, that's beyond what most kids do, I think. Yeah. Now you can start getting into the next topic of security, of locking things down, doing port level security, using stuff like arpwatch on pfSense to see what's changing on the network, or what's getting spoofed by... wait a minute, there are two of these printers all of a sudden.

They're just going to use their phone to tether anyway.

So yeah, so there's... oh yeah, or hack the printer to become a bridge device, so all the traffic still does come from the printer. It's just bridged instead. There's actually a security hack with some HPs like that that had dual network cards. It was a hack to put it in bridge mode, essentially, because someone pivoted inside of a network: the Wi-Fi beacon on an HP printer, pivoted to the hardware Ethernet, got onto the network by bridging it. I was like, oh, that's a clever hack.

Yeah, there are a lot of those, and I feel like, you know, spoofing MAC addresses as an adolescent, I mean, that is a brilliant kid, and I think that's just, you know, I know it's frustrating, and I'm really trying not to laugh, because I know that's a, you know, could be a really annoying situation for parents to deal with. But, you know, I think you could probably rest easy knowing that they have a career path ahead of them that's quite profitable.

Yep, yep, definitely fun. But hopefully we've left you with a few insights into some of the different things you can do out there and things you can test and play with, including checking out ntop. I mean, that's just, even on its own standalone, it's a pretty cool thing to get you a lot of analysis. Check out episode 42 on Security Onion, because, boy...
That's it. It sounds like the person could probably use Security Onion to help track their kids.

The threat's coming from inside the house.

Oh my gosh, that is just... I'm surprised, but I'm not surprised at the same time. I feel like, you know, when I was 12 I was trying to max out every character in Final Fantasy VI, and that was the thing I was the most concerned about. And nowadays, you know, we have kids that are doing things that some 20-year-olds working in the industry still don't know how to do. That's pretty crazy.

But Jay's still trying to max out his characters in Final Fantasy.

Oh no, I do it every playthrough, like once a year at this point. So some things never change, right? I mean, it's a great game.

But yeah, yeah, the game still is good. So, well, thank you everyone for joining. This was fun. This was great. If you have questions, comments, concerns: feedback@thehomelab.show. We love hearing from you, and see you next week again.