4

I'm configuring a Raspberry Pi IDS/IPS with an ELK stack on a separate machine; my problem is connecting it to the router in a way that it can read traffic on the whole network and drop the suspicious packets.

The way I came up with is to configure Pi as a network gateway, connect it to the router through the Ethernet and force all the devices through that. I was wondering if there is a better solution.

Vidura supun
  • 43
  • 1
  • 4

2 Answers

6

If you want to passively monitor the whole network a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.

If you want to monitor data and also actively block traffic the IDS has to be in the path of the traffic. This means it either needs to be set up as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to care about the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FTTH modem depending on the kind of connectivity to the ISP you have) and also have the login information, be able to speak PPPoE or whatever protocol is required for the ISP etc.

So your current idea of setting up the Raspi as the network gateway is likely the easiest way to implement. But, as Josef noted in a comment: it should be set up in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could reach it directly and thus the only way for any internal system to reach the router/modem and then the internet is through the Raspi.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Could you include in the answer the performance impact of putting the Pi as a gateway VS passive monitoring? I don't know how much throughput a Pi can handle but with a 100Mbps-1Gbps fiber connection for instance, I suspect it would be a serious bottleneck. – zakinster Jan 14 '19 at 10:08
  • I think I would go with the Pi between router and internal network because it requires minimum configuration. Since I'm having bit of a performance problem running IDS in pi. Thank you for your clarification. – Vidura supun Jan 14 '19 at 10:15
  • @zakinster: Please don't ask a new question (performance impact of active vs. passive) as a comment but ask a new question instead. In general: the performance impact of active mode depends on the model of Raspi, the specific configuration of snort like the depth of inspection and the amount of rules and the amount of traffic in the network. Passive mode never has a performance impact since the original traffic does not pass through the Raspi but it just gets duplicated there. Of course, Raspi might just lose traffic for analysis in this case. – Steffen Ullrich Jan 14 '19 at 10:38
  • 1
    @Josef: good point. I've integrated this into the answer. – Steffen Ullrich Jan 14 '19 at 13:08
  • Snort has the ability to terminate connections by sending a forged RST packet to both ends. This shouldn’t require routing all traffic through the pi. I believe it could be monitored on a passive mirrored port, and the resets sent through a second adapter to an active port. – John Deters Jan 14 '19 at 13:24
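A concrete version of the "Raspi as gateway" layout described in the answer above, added here as an example and not part of the answer or of any Snort/Suricata project: the Pi has two interfaces (assumed names eth1 toward the internal LAN, eth0 toward the home router), forwards between them, and hands every forwarded packet to an NFQUEUE where an inline IPS (Suricata in `-q` mode, or Snort with its nfq DAQ) issues the accept/drop verdict. The ruleset is fail-closed: if nothing is listening on the queue, forwarded traffic is dropped instead of silently bypassing inspection. Interface names, addresses and the queue number are assumptions for the example.

```shell
#!/bin/sh
# Added example: nftables ruleset for a Raspberry Pi acting as the inline IPS gateway.
# Assumed (hypothetical) topology:
#   LAN clients --> eth1 (Pi, e.g. 192.168.10.1/24) ... eth0 (Pi, address from router) --> router/modem --> ISP
# The router is only reachable via eth0, so a client that changes its default gateway
# still has no layer-3 path around the Pi.

LAN_IF="${LAN_IF:-eth1}"        # faces the internal network (assumption)
WAN_IF="${WAN_IF:-eth0}"        # faces the home router (assumption)
QUEUE_NUM="${QUEUE_NUM:-0}"     # NFQUEUE number the IPS listens on (assumption)

# Emit the ruleset on stdout so it can be reviewed, saved to /etc/nftables.conf,
# or piped into `nft -f -`. Arguments: <lan-if> <wan-if> <queue-num>
gen_ruleset() {
    lan="$1"; wan="$2"; q="$3"
    cat <<EOF
flush ruleset
table inet ips {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Management of the Pi itself only from the LAN side, never from the router side.
        iif "$lan" tcp dport 22 accept
        iif "$lan" udp dport { 53, 67 } accept
        iif "$lan" icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Every LAN<->router packet goes to the IPS queue. Without the "bypass" flag a
        # packet is dropped when no userspace listener is attached (fail-closed), so a
        # crashed or not-yet-started IPS cannot be bypassed.
        iif "$lan" oif "$wan" queue num $q
        iif "$wan" oif "$lan" ct state established,related queue num $q
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the LAN behind the Pi's router-side address.
        oif "$wan" masquerade
    }
}
EOF
}

# The Pi routes (it is not a bridge here), so forwarding must be enabled.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Parse-check the generated ruleset without loading it into the kernel.
check_ruleset() {
    gen_ruleset "$LAN_IF" "$WAN_IF" "$QUEUE_NUM" | nft -c -f -
}

# Load the ruleset atomically (replaces whatever was loaded before).
apply_ruleset() {
    gen_ruleset "$LAN_IF" "$WAN_IF" "$QUEUE_NUM" | nft -f -
}

# Only touch the system when explicitly asked: `sh ips-gateway.sh apply`
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_ruleset
fi
```

Start the IPS on the queue first (for Suricata, something like `suricata -c /etc/suricata/suricata.yaml -q 0`), then run the script with `apply` as root; until the IPS attaches to queue 0 the forward chain drops everything, which is the intended fail-closed behaviour. If an outage of the IPS should fail open instead, change the two queue rules to `queue num 0 bypass`.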
-1

Just connect your Raspberry Pi with an Ethernet cable to your home router and get it to monitor local network traffic. Should work similarly to the Snort NIDS, listening in on all local traffic in promiscuous mode.

How to set up mirror ports on various open source consumer router firmware

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 5
    "and get it to monitor local network traffic" that's not a trivial task and is the part that needs a *lot* more explaining. Also, you do not explain how to drop packets. Can you expand this answer? – schroeder Jan 14 '19 at 09:22
  • I updated my question to usage of Pi as IDS/IPS, even though I stated packet dropping later. Promiscuous mode is a viable solution for only an IDS as it inspects a copy of traffic but i think this will solve the bottleneck problem stated above – Vidura supun Jan 14 '19 at 10:26