Network visibility at home?


m0x

Recommended Posts

Hi everyone! I was curious what sort of solutions you all are running in your home networks and/or home labs when it comes to network security monitoring? 

On my end I have a network tap sending traffic to a box that is running Zeek and an Elastic Stack for log ingestion and viewing / triage. Curious to know what else is out there and what folx have had success with!


Right now it's pretty minimal, just an OPNSense router with Suricata and a super-basic Graylog setup.

But then, I live alone, don't do anything overly sketchy these days, and keep the "smart" stuff to a minimum; so even when instrumented to the hilt, my house is pretty boring.

  • Like 1

Not much, but I try to lock in as much as possible, like the wireless networks. I have three types: one for smart home things, one for guests and one main network. The guest and smart home networks cannot reach any other network. My main network has access to the other networks since it makes maintenance easier. The smart home network is not visible. All networks have long, proper passwords. And to connect, wireless or wired, you have to have the MAC address registered. Running proper hardware that gets updates regularly. And I have a static IP set for everything, which also makes it easier to keep track of all the devices. I also get messages whenever some unit is connecting to the network. And of course everything incoming is blocked through the firewall. I am not ready with all outgoing rules yet though, since I have not had time to finish that part off (this setup as it is now is fairly new).
I even send IPTV through my own equipment instead of the TV/Internet provider's equipment. Easier because less shit connected and fewer cables, and I have full control of what is going on instead of relying on a cheapo strange box provided by the operator.
Also on the to-do list is to fix some easy way of keeping the logs longer than now, through some log server or similar. But life sometimes gets in the way of my ideas.

So, well, not perfect of course. But I think it is a good start at least. Must remember that this is at home and reality also needs to work.

  • Like 1

I set up Suricata and Elastic Stack in front of my gateway yet have not had the energy to trim out all the rules I don't care about. It can be fun to watch the logs appear while doing any sort of hacking. A couple honeypots that alert on interaction are also running.

  • Like 1

UniFi stack with their threat monitoring (IDS / IPS).

Segregating IoT from end user devices. Separate VLAN for work stuff, separate VLAN for lab stuff.

CrowdStrike on the endpoints.

  • Like 2

13 hours ago, Name_Too_Long said:

Right now it's pretty minimal, just an OPNSense router with Suricata and a super-basic Graylog setup.

But then, I live alone, don't do anything overly sketchy these days, and keep the "smart" stuff to a minimum; so even when instrumented to the hilt, my house is pretty boring.

It has been a while since I've looked at Graylog. Is that something you are self hosting? How does it compare to Elasticsearch + Kibana?

5 hours ago, Unknown said:

Not much, but I try to lock in as much as possible, like the wireless networks. I have three types: one for smart home things, one for guests and one main network. The guest and smart home networks cannot reach any other network. My main network has access to the other networks since it makes maintenance easier. The smart home network is not visible. All networks have long, proper passwords. And to connect, wireless or wired, you have to have the MAC address registered. Running proper hardware that gets updates regularly. And I have a static IP set for everything, which also makes it easier to keep track of all the devices. I also get messages whenever some unit is connecting to the network. And of course everything incoming is blocked through the firewall. I am not ready with all outgoing rules yet though, since I have not had time to finish that part off (this setup as it is now is fairly new).
I even send IPTV through my own equipment instead of the TV/Internet provider's equipment. Easier because less shit connected and fewer cables, and I have full control of what is going on instead of relying on a cheapo strange box provided by the operator.
Also on the to-do list is to fix some easy way of keeping the logs longer than now, through some log server or similar. But life sometimes gets in the way of my ideas.

So, well, not perfect of course. But I think it is a good start at least. Must remember that this is at home and reality also needs to work.

That segmentation is similar to what I am doing. Do you have VLANs for each of these? 

4 hours ago, zme said:

I set up Suricata and Elastic Stack in front of my gateway yet have not had the energy to trim out all the rules I don't care about. It can be fun to watch the logs appear while doing any sort of hacking. A couple honeypots that alert on interaction are also running.

Having monitoring at the gateway on a residential IP block can provide some interesting logs. I've been thinking about running Suricata in addition to Zeek; was it pretty easy to get Suricata up and running?

4 hours ago, clarkee said:

UniFi stack with their threat monitoring (IDS / IPS).

Segregating IoT from end user devices. Separate VLAN for work stuff, separate VLAN for lab stuff.

CrowdStrike on the endpoints.

I've been playing around with the threat monitoring stuff on the UniFi Dream Machine Pro; it seems a bit limited, though it has gotten better over time. I still haven't found a nice way to modify the detection rules or to add my own. Does CrowdStrike have a sensor package for home / personal use?

  • Like 1

I have a pfSense box as the edge firewall with a SPAN for inbound external traffic going to a Security Onion box. I have a tap on the internal interface that sends all pre-NAT traffic to the same Security Onion box. I also have a dev license (free 10 GB/day) for Splunk Enterprise that I send Sysmon and Wazuh data to for correlation. Both the Splunk and Security Onion VMs are just running on an old R620 server with ESXi that I bought and run in the basement so my wife won't murder me because of the noise.

Edited by synackbar
  • Like 1

1 hour ago, m0x said:

Having monitoring at the gateway on a residential IP block can provide some interesting logs. I've been thinking about running Suricata in addition to Zeek; was it pretty easy to get Suricata up and running?

Oh yeah, very interesting. I almost want a dedicated monitor just for the honeypots and tail -f on the Suricata log. I could watch it in bed.

I spent maybe an hour setting up Suricata, just using rulesets from emergingthreats.net. Setting up ELK with it took way longer; I still haven't finished the guide for that.

  • Like 1

2 hours ago, m0x said:

It has been a while since I've looked at Graylog. Is that something you are self hosting? How does it compare to Elasticsearch + Kibana?

Yeah, I just have an Ubuntu VM with the free Graylog installed. Not really doing much with it beyond log aggregation, but for that purpose it was easier to get up and running than any of the ELK stuff I've done.

  • Like 1

2 hours ago, m0x said:

That segmentation is similar to what I am doing. Do you have VLANs for each of these? 

Yes. Using pfSense as the router/firewall/gateway and trunking it to the switch and wireless UFO. I then do separation of the nets in pfSense. TV comes through a VLAN and is just jumped through the pfSense box (which has a built-in switch) via Layer 2, and that works like a charm, and then trunked to the switch to two ports, one for each TV box. So no need to fiddle around with rules, routing and shit for the TV VLAN, and that makes things very easy on that part. A few clicks and the TV went online and I was like "Oh, it was too easy. I must have done something wrong."

I actually have a fourth VLAN on wireless that is inactive and I use it to test stuff, so I can just activate it with a click and test different settings here and there and then deactivate it again. Like a small play-around environment.

  • Like 2
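Several posters above run Zeek or Suricata behind a tap and also split the house into main, guest and smart-home VLANs. One thing the tap is good for is verifying that the segmentation actually holds. The following is an added example, not code from any poster: it reads Zeek conn.log lines written in JSON format and flags flows that cross segments in a direction the stated policy forbids (guest and IoT may only talk to themselves and the Internet; main may reach everything). The address ranges and log lines are constructed for the example.

```python
import ipaddress
import json

# Assumed addressing for the three segments described in the thread
# (constructed for this example, not anyone's real ranges).
SEGMENTS = {
    "main": ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
}
# Policy from the thread: main may reach the others; guest and IoT may
# reach nothing but themselves (and the Internet, which is out of scope).
ALLOWED = {"main": {"main", "guest", "iot"}, "guest": {"guest"}, "iot": {"iot"}}

# Constructed Zeek conn.log records as written with LogAscii::use_json=T.
# conn_state tells blocked attempts (S0 = no reply, REJ = rejected) apart
# from completed connections (SF), so the firewall can be checked too.
SAMPLE_CONN_LOG = """\
{"ts":1667900000.1,"uid":"C1","id.orig_h":"192.168.30.15","id.orig_p":49152,"id.resp_h":"192.168.10.5","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
{"ts":1667900001.2,"uid":"C2","id.orig_h":"192.168.10.5","id.orig_p":50000,"id.resp_h":"192.168.30.15","id.resp_p":80,"proto":"tcp","conn_state":"SF"}
{"ts":1667900002.3,"uid":"C3","id.orig_h":"192.168.20.7","id.orig_p":51000,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1667900003.4,"uid":"C4","id.orig_h":"192.168.20.7","id.orig_p":51001,"id.resp_h":"192.168.30.15","id.resp_p":22,"proto":"tcp","conn_state":"REJ"}
"""


def segment_of(ip):
    """Name of the VLAN an address belongs to, or None for non-local hosts."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def find_segmentation_violations(log_text):
    """Return (uid, src_seg, dst_seg, resp_h, resp_p, conn_state) for every
    flow whose source segment is not allowed to reach its destination segment."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src, dst = segment_of(rec["id.orig_h"]), segment_of(rec["id.resp_h"])
        if src is None or dst is None:
            continue  # Internet-bound or inbound traffic; not a VLAN-policy question
        if dst not in ALLOWED[src]:
            hits.append((rec["uid"], src, dst, rec["id.resp_h"], rec["id.resp_p"], rec["conn_state"]))
    return hits


if __name__ == "__main__":
    for hit in find_segmentation_violations(SAMPLE_CONN_LOG):
        print("cross-segment flow:", hit)
```

A hit with conn_state SF means the firewall let the flow through and the segmentation is broken; S0 or REJ means the policy held but a device on that segment tried anyway, which is worth a look on its own.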

34 minutes ago, ChickenKing said:

Tangentially related here but I always recommend people try out making and implementing a PiHole

+1. Been enjoying this for some time. I wonder if there's other related stuff I can do using some other leftover RPis I have.

Suricata looks interesting :noted:. In my case I'd be mostly interested in keeping an eye out on my ISP.

  • Like 1
  • Thanks 1

For those on a budget, the Netgear GS108E series of switches are like 30 bucks, give you full VLAN features (via a crappy web interface), but most interestingly, get you full port mirroring features. Cheapest 1G line rate LAN tap ever.

What I used to do was mirror the internet port over to a Zeek machine, then send that to Graylog, but since Zurich has FTTP, I now get 10 Gbit symmetrical, which requires noisy-ass hardware to capture at line rate.

The ISP also offers 25G for the same price so I'm going to upgrade soon and see if I can work something into the Linux router as part of the project.

  • Like 2

3 minutes ago, fatred said:

What I used to do was mirror the internet port over to a Zeek machine, then send that to Graylog, but since Zurich has FTTP, I now get 10 Gbit symmetrical, which requires noisy-ass hardware to capture at line rate.

The ISP also offers 25G for the same price so I'm going to upgrade soon and see if I can work something into the Linux router as part of the project.

Not gonna lie, super jealous right now.

But yeah, that's something I've noticed: once you get above 1 Gbit the options for hardware that supports it get scarce, expensive, and noisy. Never would have thought we'd get to the point where the common wired local network infrastructure was the bottleneck, but here we are...

  • Like 1

48 minutes ago, Name_Too_Long said:

Not gonna lie, super jealous right now.

But yeah, that's something I've noticed: once you get above 1 Gbit the options for hardware that supports it get scarce, expensive, and noisy. Never would have thought we'd get to the point where the common wired local network infrastructure was the bottleneck, but here we are...

It's a fun problem to have, esp. as a network geek.

When Init7 started offering 25G, a bunch of us tried to make it affordable and literally can't. The only commodity stuff out there is either crap (MikroTik), noisy af (2nd hand DC switches), or generally too expensive/impractical.

Mellanox ConnectX-5 cards and Open vSwitch might be enough now tho, finally.

What I did land on is documented on problemofnetwork.com if anyone is interested.

  • Like 1

My home defense setup is kind of a weird evolution. My ISP has me sitting on the open Internet, no NAT IP. So that got me down the honeypot path. Eventually I set up a VMware ESXi server and built out a DMZ that uses pfSense for firewalling and keeps those honeypots contained. I then started pumping all the pfSense firewall logs and honeypot logs to Graylog, which I eventually replaced with a free license of Splunk.

Now I have NXLog running on all my Windows clients (mine, wife, kids) and that is sending over Defender, Security, Sysmon logs to the Splunk setup. Because Splunk free doesn't do alerting, I wrote a Discord bot to run queries and send me alerts if there are matches. I also send my router firewall logs, and PiHole logs, and some Apache logs from my various web servers (also in the DMZ). I run some Minecraft servers for my kids and also send those logs in.

  • Like 2
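The post above works around the missing alerting in free Splunk with a bot that runs saved searches and posts matches to Discord. As an added example (not the poster's bot), here is the core of such a loop in Python: parse the newline-delimited JSON that a Splunk search export returns, fingerprint each result so the same event is not re-alerted on every poll, and build a Discord webhook payload within the 2000-character message limit. The sample results are constructed to look like Windows Security events shipped by NXLog; the Splunk host, credentials and webhook URL are placeholders, and the helper that actually posts is kept separate so the rest runs offline.

```python
import hashlib
import json
import urllib.request

# Constructed results in the shape /services/search/jobs/export (output_mode=json)
# streams them: one JSON object per line with the event fields under "result".
SAMPLE_SPLUNK_EXPORT = """\
{"preview":false,"result":{"_time":"2022-11-08T11:59:00","host":"kid-pc","EventCode":"4625","TargetUserName":"admin"}}
{"preview":false,"result":{"_time":"2022-11-08T12:01:00","host":"kid-pc","EventCode":"4625","TargetUserName":"admin"}}
{"preview":false,"result":{"_time":"2022-11-08T12:05:00","host":"wife-laptop","EventCode":"1102","TargetUserName":"-"}}
"""
KEY_FIELDS = ("_time", "host", "EventCode", "TargetUserName")
DISCORD_LIMIT = 2000  # Discord rejects message content longer than this


def parse_export(text):
    """Turn the export stream into a list of result dicts, skipping preview rows."""
    rows = [json.loads(l) for l in text.splitlines() if l.strip()]
    return [r["result"] for r in rows if not r.get("preview")]


def fingerprint(result):
    """Stable id for an event so a poll that overlaps the last one does not re-alert."""
    key = "|".join(str(result.get(f, "")) for f in KEY_FIELDS)
    return hashlib.sha256(key.encode()).hexdigest()


def new_alerts(results, seen):
    """Return only results not in `seen`, and record them there (caller persists `seen`)."""
    fresh = []
    for r in results:
        fp = fingerprint(r)
        if fp not in seen:
            seen.add(fp)
            fresh.append(r)
    return fresh


def build_discord_payload(search_name, results):
    """One webhook message summarising the matches, truncated to Discord's limit."""
    lines = [f"**{search_name}**: {len(results)} new match(es)"]
    lines += [f"- {r.get('_time')} {r.get('host')} EventCode={r.get('EventCode')} "
              f"user={r.get('TargetUserName')}" for r in results]
    content = "\n".join(lines)
    if len(content) > DISCORD_LIMIT:
        content = content[:DISCORD_LIMIT - 15] + "\n... truncated"
    return {"content": content}


def post_to_discord(webhook_url, payload):
    """Send the payload to a Discord webhook (placeholder URL; network call, not run here)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

In the real loop, the poll would run the saved search against the Splunk REST API on a schedule, feed the export into parse_export, and only call post_to_discord when new_alerts returns something; the seen set should be written to disk so a bot restart does not replay old events.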

On 11/8/2022 at 11:59 AM, ChickenKing said:

Tangentially related here but I always recommend people try out making and implementing a PiHole

great thing to mention, I totally forgot!

I recently found out that you can run a PiHole on the UDM Pro appliance 😮 

  • Like 2
