NIC Requirements

[Gramarin]

Hi guys, I'm planning on deploying Security Onion in Proxmox. I'm building a small network of 1 server (which won't be internet facing) and 3-4 workstations.

I am planning on doing this using the distributed architecture type which means 3 separate VMs. But I'm not sure how things will look from a NIC perspective. As per documentation:

Manager Requires 1 NIC port.
Search requires 1 NIC port.
Forward requires 2 NIC ports.

What are these ports used for? Where do TAPs come into play? I don't understand how the network will look with all these components.

The North South TAP makes sense to me from a network traffic perspective. Here, you're looking at all the traffic leaving and entering your whole network. But I'm not sure where this tap plugs into the Security Onion infrastructure? A 1Gbps tap seems to require 2 ports? Where do these plug in? Forward Node?

The East-West TAP doesn't make any sense to me at all. A switch doesn't broadcast traffic, so to me it seems you need to tap into every ethernet cable that goes to each workstation? But that means you're using 6-8 ethernet cables for the 3-4 workstations respectively + 2 more for the server? I'm guessing that's not right?

Can someone please clarify?

[reyesj2]

Every Security Onion node uses 1 NIC as the 'Management interface' this is the interface that exposes services to you like ssh or the Security Onion Console (Web UI).
Forward nodes need atleast 1 additional interface. Any additional interfaces on the Forward node can be used as a 'Monitor interface'. These are ports where you can plug in something like a TAP or SPAN port. The sensor will then process that traffic.

Here's how ingesting north-south and east-west traffic could look for you where you are tapping the connection into your network AFTER the firewall (this way you can review traffic that has made it through your firewall and onto your network) and then tapping a trunk port between two switches for your East-West traffic allowing monitoring internal communications.

I am not sure what kind of TAP you have, but a lot will come with 3 ports. Two are for the upstream and downstream and the third being output for your tooling, in this case a Security Onion Forward node. Some TAPs will come with 4 ports, two are upstream and downstream with the other two being mirrors of the upstream and downstream.

[Gramarin]

Hi Jorge,

Thanks for the response. Sorry it has taken so long to reply. I'm doing a million things at once and haven't had a chance to look into this further till now. From what I'm seeing, yes there are two types of TAPs available i.e. the ones with a single and dual port outputs for upstream and downstream traffic. I don't have any TAPs yet, just doing research at the moment. But lets take the dual port ones as examples, if I have 4 links that I want to tap into, that's 8 ports that I'll need somewhere for a Security Onion box to listen in on the traffic. I had a quick look and your official Security Onion Appliances and obviously they don't have this many ports but I'm sure they do the job they were designed to do. So there's something else in the mix that I'm not aware of or am overlooking. After some searching, I stumbled on to aggregators, but I'm not sure if that's the solution I'm looking for either. Information is very sparse in this regard or I may be looking for the wrong thing. Basically it seems like there some kind of device that goes between the TAPs and the Security Onion device which is actually capable of having enough ports to support all the TAPs you want to do.

[reyesj2]

In your original post you mentioned monitoring traffic for 1 server and 3-4 workstations. What are those workstations connected to ? A managed network switch? If that is the case you may find that the switch has "port mirroring" which can make a copy of traffic on port x and send it out port y. That allows you to then use that y port for a Security Onion sensor to monitor network traffic.

Typically individual workstations would not have a inline tap to feed a sensor, however if you had more workstations and switches connected east-west you could tap the east-west connection to gain visibility for those workstations. The image in my earlier post shows example of north-south / east-west.

Don't forget that you have the Elastic Agent available with Security Onion aswell so, rather than worrying about tapping the individual workstations you can instead install the Elastic Agent on your endpoints / server for endpoint logs (which includes network connections).

[Gramarin]

Thanks Jorge, some food for thought.

[Gramarin]

After additional digging, I believe the solution that I was looking for is called an aggregator or packet broker.