Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:01
we'll write. Our three servers have come back up
00:05
so we can continue one with her configuration.
00:10
I running Sudo has so sad up again that beginning password.
00:18
Okay,
00:19
so look at the first screen will be the same.
00:24
But we get the message. Looks like etc. Network in two races have has already been configured by the script. Would you liketo skip network configuration? Yes, we want to skip it.
00:38
All right,
00:40
so in
00:41
this case, we want to do production mode and we want to do the manager first. So production mode means that
00:49
will be potentially using it in production. This is difference than the stand alone mode, like we did earlier because that was evaluation mode.
00:59
So
01:00
this case will be doing more than one server.
01:03
And since we're configuring the master note first we want to say new.
01:15
All right, first user account,
01:19
we will
01:21
just put my name in there
01:25
Password,
01:27
password again.
01:34
All right. So here we can customize our deployment, or we can use best practices. I'm happy using best practices.
01:45
All right, So what ideas for rule said, Do we want to use?
01:49
There are a couple of options we can do emerging threats open pro, uh, or smart or two? Subscriber. Talos rule set.
01:57
Ah, since I do not have any bank codes will just use emerging threats open, which should work just fine for us.
02:07
And we do want to use the snort i D. S engine. In this instance,
02:14
you can also use terra cotta, if you would like.
02:16
I know that there are a lot of people who really enjoy using Sarah Cottle over snort. It's just
02:22
matter of preference and what you're comfortable with.
02:28
Oh, right. So do we want to enable network censor service is
02:34
on the manager. That means do we want to sniff the traffic that is hitting
02:38
our network? Are we're manager in this case, we do not,
02:44
um,
02:46
we we won't be throwing any traffic at it. And
02:51
just for, uh, performance purposes I'd recommend, and they would recommend as well disabling that.
03:04
All right, do we want to store logs locally? We are set going to set up our S O storage node so we don't need to store anything on the manager, so, no, I will lad storage notes for load balancing.
03:22
Okay, so we're about to do these things, said the OS Time Zone to UTC. Delete any existing SM data configuration. That's fine. Create a squeal database there. Squeal Server named
03:35
Security Onion. We're adding the user account for Carl.
03:38
We're downloading the emerging threats, open rule sets, configuring elastic stack
03:44
and we will load balance two additional storage nodes.
03:47
And so, yes, we want to proceed with changes,
03:52
and this one could potentially take a couple of minutes.
03:55
Well, that's running. Let's get going on our forward node.
04:11
All right? Same start screen.
04:15
We do not need to reconfigure the network settings
04:20
we want to do production mode.
04:28
Now, this time we want to select existing because we will be connecting eso forward to S o master.
04:41
So right here it's asking for either a host name or an I p address of the master server.
04:46
Um, typically, it'll be best practice to put in your
04:50
fully qualified domain name for your master server.
04:55
Since I don't really trust my home d n a server to have s o master and they're properly I'm just going to use the I P address,
05:05
huh?
05:13
It's It's a good idea to use the
05:16
host named because the host name is less likely to change them. The i P address.
05:25
Okay, So
05:27
if you'll recall the first thing that we did when we were setting up or when we were prepping to do this demo was we set up a couple of user names on the master server.
05:36
So we want to put in this
05:41
user name that we set up in this case it was
05:44
forward,
05:45
child.
05:50
And then
05:51
here is asking, What kind of note will this be?
05:55
This one has forward in the name. So we will say forward server.
06:01
And once again, we'll be using best practices.
06:09
What would we like to set RPF? Minimum number of slots too.
06:13
The default is 4096 4 busy networks. You might want to increase it to a higher number.
06:18
How? This will not be a very busy network. So default is fine.
06:26
And we want to monitor these two sniffing interfaces nine and 10.
06:36
So this is a configuration that will go into snort. It will define what our home network is.
06:46
Ah, right now, the I P addresses in here are the RFC 1918 private.
06:51
Uh, I p address ranges.
06:55
Um, if you have if your organization or if you have ah, I p address range that you own and you use on internal i p addresses. Then by all means, put those in here.
07:05
But
07:08
the faults are fine for us here.
07:12
All right, so that is everything. Here, we're setting time zone to a UTC deleting old configuration monitoring these two
07:19
nix
07:21
configuring the sensors to report to the manager.
07:26
Uh,
07:28
we're running a single ideas engine process per interface.
07:31
Single bro crosses per interface.
07:34
Now, the more cores that you have dedicated to your server,
07:39
the more instances you'll be able to devote per interface.
07:44
You have 32 cores on your
07:46
server, then you'll have a lot more ideas. And bro process is running. This is a fairly simple deployment, so we only have four cores going. So
08:00
So all we need here,
08:01
then configuring our home net and disabling elastic stack because the Ford nodes, if you'll recall from our architecture discussion, discussion,
08:11
uh,
08:11
we do not have elastic stack running, So you want to proceed with the changes there?
08:18
Okay,
08:20
so we have s o storage.
08:26
Oh, God.
08:37
You want to get that going so right here we have a terminal pop up asking us to approve
08:43
authenticity of that server.
08:46
And now we want to put in the
08:50
password that we set up for. Our forward child user
09:09
may have typed it in and correctly the first time.
09:16
All right, let's get going on storage mode.
09:20
Yes. Skip Network configuration
09:24
production mode
09:30
existing again.
09:33
All right,
09:46
that storage child.
09:52
In this case, we're doing this storage node
09:56
as we can see up here, there's a quick explanation of the different server types. The Ford Nodes generate and collect logs and forward them to the master server.
10:05
The full pack capture remains on the forward nodes. Do not run in the elastic stack processes.
10:13
I really miss about passwords that bad.
10:24
Okay,
10:26
we will talk about that window in a second.
10:31
So forward notes required less hardware than heavy nose, but typically use more network bandwidth. So that's
10:37
you can understand that
10:39
So middle one here is our heavy note architecture. Er
10:46
thes to terminal sessions are very meaty,
10:50
so
10:50
heavy nose generate and collect logs and store them locally heavy nodes to rent elasticsearch and log stash. A master, Sir Herbert queries heavy nodes by a cross cut Lester search and heavy no, to require more hardware than forward notes, but typically use less network bandwidth. So
11:09
the heavy note architecture is one that is not really recommended that we use anymore just because everything is running on this one server, so it has to dedicate more resource is,
11:20
uh, cross more processes.
11:24
So
11:26
the third note here that we're
11:28
deploying now is the storage node. They do not generate logs themselves. So thus we do not have any sniffing interfaces here, but they simply extend the storage of the master server.
11:39
And they do require that the master server has already been configured to load balance
11:43
toe additional storage nodes. Okay, So if we have multiple storage notes than the manager rule, load balance between them
11:50
and storage notes do run elasticsearch and log stash and the master crazed Mr Orange nodes by across cluster search.
11:56
Yeah.
11:58
So when you were actually deploying that you can read all of that yourself and research it to your heart's content.
12:09
All right, so how much discs based we want to devote to elasticsearch? We'll just use the default of nine.
12:16
You have a 20 gig hard drive on this server. So
12:20
nine is just under half.
12:22
Okay, so we're setting the always time zone to UTC deleting any existing configurations and confessed configure as elastic storage. Knowed All right? Yes. We want to continue.
12:39
Okay, so we have a master will say OK,
12:41
it's now complete.
12:43
You can check on our running service's with eso stats.
12:48
Yes. We want to prove this server.
12:50
Yes. We want to put in the password correctly. The first time
12:58
rule was added. Apparently I could type this time.
13:03
So little bit of info. One s o stat.
13:09
We have a bit of information on our rules location of the rules, where we can add rules, modify rules, how to update rules, things like that.
13:22
Bit of information about the firewall, how we can
13:24
and
13:26
rules to the firewall to allow further access. Something that we will need to do if we want to connect over the browser.
13:35
Okay, but if information on where to find war information,
13:39
we want more training, security on in solutions dot Net
13:41
and we are all done.
13:45
So that is
13:48
that is how you configure distributed environment. Basically, if you want to add any more forward nodes or
13:58
storage knows you just run through this process again with new servers and
14:03
have them to your configuration.
14:05
Don't need toe show you clicking through these again so
14:09
we can call it good on this video. Thanks for watching
14:13
in this lesson. We had a brief discussion on the architecture of a distributed environment. We reviewed the installation and set up process. We looked at the tools that I used to make this demo work, and we had a demonstration on how to configure a distributed security onion architecture.
14:31
In our next lesson, we will take a look at what we installed on our standalone instance, CNN.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Instructor Profile Image
Karl Hansen
Senior SOC Analyst
Instructor