Setting up bonding networking - Ubuntu IDS Part 2

by on May.04, 2011, under Hardware, How-To's, Linux, Security, Software

In an earlier article, I demonstrated how to build a passive monitoring device for an Ethernet network as the first part of a three-part project to build a home IDS. In this article, the second in the series, I will describe how to set up the networking for an IDS using the passive tap built earlier. The setup uses a technique called bonding to take two physical interfaces and combine them into a single logical interface that Snort can listen on. This article will also explain where the best location for the tap is and what you can expect to see once the networking is set up, using common Linux utilities like tcpdump.

Requirements

  • A Passive Tap as mentioned in “Build a Passive Ethernet Tap” or similar device.
  • Three network cards, or a single network card with three interfaces.
  • A new installation of Ubuntu Server. (I am using Ubuntu Server 10.04LTS).
  • Beer. (Always)

The requirements for this project aren’t that extensive, and chances are you have most if not all the equipment you need in your parts bin. The most significant item on this list is the three network cards. If you followed the steps in the first article in this series, you already have a machine with two or three network cards in it, so you’re pretty much there. If not, go ahead and get three network cards into your Ubuntu server and make sure all three are properly recognized by the system (ifconfig -a should list them) even if no IP address is configured for them.

The first two network cards will be combined to form the monitoring interface, while the third card will be our management interface. The management interface will be assigned an IP address and is how we will access the server’s command line (via SSH) and the scanning and reporting tools we will install in Part 3. The monitoring interfaces never get an IP address: the sensor should listen on the tap, not talk on it.

Getting things set up

With the proper hardware in hand, we can now configure the interfaces. In the output below, you can see the three interfaces (eth0, eth1 and eth2) and that eth0 has already been configured with an IP address. If you haven’t configured yours with an IP address yet, that will be covered as we go through the configuration.

matt@ids-01:~$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:45458 errors:0 dropped:0 overruns:0 frame:0
 TX packets:23861 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:55984695 (55.9 MB)  TX bytes:2326303 (2.3 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:11505094 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3057886364 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:8061127 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1434430796 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)

In this output, eth0 is my management interface, as it has been assigned an IP; eth1 and eth2 are both going to become part of a new interface called bond0. A passive tap delivers each direction of the wire on a separate monitor port, so each of these two NICs hears only one half of every conversation. When we set up Snort, we will use bond0 as the monitoring interface so that both halves arrive on a single interface: Snort’s stateful analysis (TCP stream reassembly) depends on seeing both sides of the conversation, and so does any other network analysis you do on the passive tap.

In order to set up bonding, we need to install the ifenslave package. As root, run the command below:

# apt-get install ifenslave

Once apt-get completes, let’s check a few things. First, take a look at /etc/modprobe.d/aliases.conf and make sure the two lines below appear in the file. The options line must name the module (bonding), otherwise modprobe never applies it. mode=0 is balance-rr, which passes frames received on either slave up through bond0, and miimon=100 makes the driver poll link state every 100 ms:

alias bond0 bonding
options bonding mode=0 miimon=100 downdelay=200 updelay=200

If you will be making more than one bonding interface, add an alias line for each additional bond (bond1, bond2, etc.) and append max_bonds=X to the end of the options line, where X is the number of bonding interfaces you will be using.

Now this is where things get interesting.  In order to test this out, we will bond the interfaces using the command below:

# ifenslave bond0 eth1 eth2

It does not matter in which order the two eth interfaces appear, but bond0 must come first. This command tells the Linux kernel to take eth1 and eth2 and pair them into a single interface (bond0). Now that we have done that, ifconfig -a shows a new interface:

root@ids-01:~# ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 inet6 addr: fe80::2e0:b6ff:fe00:a206/64 Scope:Link
 UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
 RX packets:19568527 errors:3 dropped:0 overruns:0 frame:3
 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:198240524 (198.2 MB)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:45907 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24117 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:56024505 (56.0 MB)  TX bytes:2411029 (2.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:11506043 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3058301702 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:8062484 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1434906118 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)

Now that we have the bonding interface up, we need to write the configuration into /etc/network/interfaces so that it is brought up at boot time. After struggling with this for a few moments, I finally worked out the rules needed to do this:

  1. You have to define your bonding interface first.
  2. You must use an “up” statement to specify how to bring up the interfaces. We will be using the parameter promisc to ensure that the interfaces are ready for when we install Snort.
  3. We must use bonding-specific statements to specify how the bonding interface will be created and for each interface’s role in the bonding configuration.

Edit /etc/network/interfaces and remove the existing information, leaving the configuration for “auto lo” in place. Add the lines below, but be sure to use the proper IP addressing information for your management interface.

# The primary network interface
auto eth0
iface eth0 inet static
 address 172.20.1.253
 netmask 255.255.255.0
 broadcast 172.20.1.255
 gateway 172.20.1.250

auto bond0
iface bond0 inet manual
 bond-slaves none
 bond-mode 0
 bond-miimon 100
 up ifconfig bond0 promisc up

auto eth1
iface eth1 inet manual
 up ifconfig eth1 promisc up
 bond-master bond0
 bond-primary eth1 eth2

auto eth2
iface eth2 inet manual
 up ifconfig eth2 promisc up
 bond-master bond0
 bond-primary eth1 eth2

In the above configuration, the up lines tell the network scripts to bring each interface up with promiscuous mode enabled, so the interfaces are ready for listening to network traffic at boot time. bond-master names the bonding interface a physical interface should be added to. bond-primary lists the slaves in order of preference; it is only consulted in active-backup mode (mode 1), so with mode 0 it is harmless but does nothing. Naming the bond explicitly on every slave looks redundant for a single bond, but once you set up multiple bonded interfaces it is the only way to keep track of which slave belongs to which bond.

When all is said and configured, reboot the computer. When it comes back up, check ifconfig -a; you should see something like the output below. The thing to look for is PROMISC on bond0 and on both slaves, which the slaves did not have after the manual ifenslave test.

root@ids-01:~# ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 inet6 addr: fe80::2e0:b6ff:fe00:a206/64 Scope:Link
 UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
 RX packets:19570074 errors:3 dropped:0 overruns:0 frame:3
 TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:198918392 (198.9 MB)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25 
 inet addr:172.20.1.253  Bcast:172.20.1.255  Mask:255.255.255.0
 inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:46106 errors:0 dropped:0 overruns:0 frame:0
 TX packets:24224 errors:0 dropped:0 overruns:0 carrier:2
 collisions:0 txqueuelen:1000
 RX bytes:56042559 (56.0 MB)  TX bytes:2427777 (2.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:11506719 errors:2 dropped:0 overruns:0 frame:2
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:3058600599 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06 
 UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
 RX packets:8063355 errors:1 dropped:0 overruns:0 frame:1
 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1435285089 (1.4 GB)  TX bytes:250 (250.0 B)

lo        Link encap:Local Loopback 
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:48 errors:0 dropped:0 overruns:0 frame:0
 TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)
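
After the reboot, a few lines of shell can do the same check every time and catch the failure that ifconfig hides: a slave that is enslaved but has no link. The script below is an added example, not code from the original article. It reads the bonding driver’s status file (/proc/net/bonding/bond0) and the PROMISC flag from ifconfig; the two status snapshots embedded in it are constructed so that it runs offline, and the MAC address given for eth2 in them is made up.

```shell
#!/bin/sh
# Post-boot sanity check for a bonded sniffing interface.
# Added example, not code from the original article. It assumes the
# status file format the Linux bonding driver writes to
# /proc/net/bonding/<bond> and ifconfig's flag line; the two status
# snapshots below are constructed for offline demonstration.

# Constructed: a healthy bond0 (mode 0, both tap legs enslaved, link up).
STATUS_GOOD=$(cat <<'EOF'
Ethernet Channel Bonding Driver: v3.5.0 (November 4, 2008)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 200
Down Delay (ms): 200

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:e0:b6:00:a2:06

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:e0:b6:00:a2:07
EOF
)

# Constructed: the same bond with eth2's tap leg unplugged. Snort would
# still start, but it would see only one direction of every conversation.
STATUS_DEGRADED=$(printf '%s\n' "$STATUS_GOOD" | awk '
    /^Slave Interface: eth2/ { s = 1 }
    s && /^MII Status:/      { $0 = "MII Status: down"; s = 0 }
    { print }')

# bond_mode: print the "Bonding Mode:" value from status text on stdin.
bond_mode() { sed -n 's/^Bonding Mode: //p'; }

# bond_slaves: print "<slave> <mii status>" per enslaved interface from
# status text on stdin. The bond's own "MII Status" line comes before any
# slave and is skipped.
bond_slaves() {
    awk '/^Slave Interface:/ { slave = $3; next }
         /^MII Status:/ && slave != "" { print slave, $3; slave = "" }'
}

# check_bond SLAVE...: read a bonding status file on stdin; succeed only
# when the mode is round-robin (mode 0) and every named slave is enslaved
# with its link up. Diagnostics go to stderr.
check_bond() {
    status=$(cat)
    mode=$(printf '%s\n' "$status" | bond_mode)
    case "$mode" in
        *round-robin*) ;;
        *) echo "bond mode is '$mode', expected round-robin" >&2; return 1 ;;
    esac
    for want in "$@"; do
        st=$(printf '%s\n' "$status" | bond_slaves | awk -v s="$want" '$1 == s { print $2 }')
        case "$st" in
            up) ;;
            "") echo "$want is not enslaved" >&2; return 1 ;;
            *)  echo "$want link is $st (tap leg unplugged?)" >&2; return 1 ;;
        esac
    done
    return 0
}

# has_promisc: succeed if ifconfig-style output on stdin carries the
# PROMISC flag. Without it the NIC drops frames not addressed to it and
# the IDS sees little more than broadcasts.
has_promisc() { grep -q 'PROMISC'; }

# Live use on the sensor (skipped automatically where no bond0 exists):
#   check_bond eth1 eth2 < /proc/net/bonding/bond0
#   ifconfig bond0 | has_promisc
if [ -r /proc/net/bonding/bond0 ]; then
    check_bond eth1 eth2 < /proc/net/bonding/bond0 && echo "bond0: slaves OK"
    ifconfig bond0 2>/dev/null | has_promisc || echo "bond0: PROMISC not set" >&2
fi
```

Run it from cron or from the Snort start-up script: a tap leg that works loose shows up as a down slave long before you notice that every alert is missing one side of the session.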

Now to install it…

In order to install this machine where it will be most effective in your network, there are some things to consider:

  • What kind of Internet access do you have? (Cable, DSL, FiOS, etc…..)
  • Does your ISP require running a program on your router to connect? (like PPPoE clients, RASPPPoE, others..)
  • What is considered the “edge” of your network?
  • Where is the location where the IDS would have most visibility to the network traffic generated by your computers either wired or wireless?

In most corporate networks, there is a single core switch that handles all the traffic for a network. This makes things a lot less complex, as the traffic is all in one place; in most homes, however, this is simply not the case. In my network there are at least four switches between the router (my edge) and the innermost device (my wireless access point). Since I wanted all Internet-bound traffic monitored, I elected to connect the passive tap between my router and the first switch. Any Internet activity generated by any device on the network passes the tap, and if it matches a Snort rule it will generate an alert. Keep in mind what a tap at the edge does not see: traffic between two hosts on the same LAN never crosses the router, so it is only visible if the tap sits on the path between them. If you have only a couple of PCs, which are wireless, but several embedded devices like gaming consoles or media streaming boxes (not media center PCs, more like Boxee boxes and the like), you may want to move the passive tap between your wireless access point and the switch connecting the embedded devices, since the PCs are far more likely than the embedded devices to generate malicious traffic. Your configuration may be different, but when in doubt, installing the passive tap and your soon-to-be IDS between your edge router and the rest of your network is a safe bet.
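
Wherever the tap ends up, the one thing worth confirming before Snort goes on is that the sensor hears both halves of each conversation through bond0. The script below is an added example, not part of the original article: it parses tcpdump’s one-line output for flows seen in only one direction, which on a passive tap usually points at an uncabled monitor leg or a NIC that is not enslaved. The capture embedded in it is constructed for offline use, and the addresses in it are placeholders.

```shell
#!/bin/sh
# Direction-symmetry check for a passive tap feeding bond0.
# Added example, not code from the original article. It reads tcpdump's
# default one-line output ("IP src.port > dst.port: ...") on stdin and
# lists flows seen in only one direction. On a passive tap, a long list
# of one-way flows usually means one monitor leg is uncabled or one NIC
# is not enslaved in bond0, and Snort's stream reassembly will suffer.
# The capture below is constructed for offline demonstration.

# Constructed: one TCP handshake seen from both sides, an ARP request,
# and two DNS queries whose replies never reach the sensor.
SAMPLE_CAPTURE=$(cat <<'EOF'
12:00:01.000001 IP 192.168.0.10.49152 > 93.184.216.34.80: Flags [S], seq 1, win 5840, length 0
12:00:01.020002 IP 93.184.216.34.80 > 192.168.0.10.49152: Flags [S.], seq 2, ack 2, win 5792, length 0
12:00:01.020100 IP 192.168.0.10.49152 > 93.184.216.34.80: Flags [.], ack 1, win 5840, length 0
12:00:01.500000 ARP, Request who-has 192.168.0.1 tell 192.168.0.10, length 46
12:00:02.000000 IP 192.168.0.11.40000 > 192.168.0.1.53: 12345+ A? example.com. (29)
12:00:02.000500 IP 192.168.0.11.40000 > 192.168.0.1.53: 12346+ AAAA? example.com. (29)
EOF
)

# one_way_flows: print "src dst" for each IPv4 endpoint pair that appears
# in only one direction. ARP, IPv6 and other non-"IP" lines are ignored.
# Genuinely one-way traffic (broadcasts, syslog over UDP) also lands here,
# so read the list with your network in mind.
one_way_flows() {
    awk '$2 == "IP" && $4 == ">" {
             src = $3; dst = $5; sub(/:$/, "", dst)
             seen[src " " dst] = 1
         }
         END {
             for (k in seen) {
                 split(k, e, " ")
                 if (!((e[2] " " e[1]) in seen)) print k
             }
         }' | sort
}

# tap_symmetric: succeed when every flow on stdin was seen in both
# directions; otherwise list the one-way flows on stderr and fail.
tap_symmetric() {
    bad=$(one_way_flows)
    if [ -n "$bad" ]; then
        printf 'one-way flows (check tap cabling and bond0 slaves):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Live use on the sensor, once the tap is in place:
#   tcpdump -nni bond0 -c 500 2>/dev/null | tap_symmetric
```

A handful of one-way flows is normal; every flow being one-way means one direction of the tap is not reaching bond0 at all, and that is worth fixing before tuning a single Snort rule.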

What’s Next?

We’ve covered how to build a passive tap. We just covered how to configure bonding for the passive tap.  In the final article in the series, we will discuss how to install Snort and make this machine into a full blown IDS device.

Happy Hacking!


FIRESTORM_v1

 

For reference, here is ifconfig -a on a sensor with two bonded taps (bond0 over eth1/eth2 and bond1 over eth3/eth4), the multiple-bond setup described above under max_bonds:

root@ids-01:~# ifconfig -a
bond0     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06
inet6 addr: fe80::2e0:b6ff:fe00:a206/64 Scope:Link
UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
RX packets:19570074 errors:3 dropped:0 overruns:0 frame:3
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:198918392 (198.9 MB)  TX bytes:468 (468.0 B)

bond1     Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:04
inet6 addr: fe80::2e0:b6ff:fe00:a204/64 Scope:Link
UP BROADCAST RUNNING PROMISC MASTER MULTICAST  MTU:1500  Metric:1
RX packets:24303821 errors:2 dropped:0 overruns:0 frame:2
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:777005710 (777.0 MB)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr 00:18:f3:18:1c:25
inet addr:192.168.0.222  Bcast:192.168.0.255  Mask:255.255.255.0
inet6 addr: fe80::218:f3ff:fe18:1c25/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:46106 errors:0 dropped:0 overruns:0 frame:0
TX packets:24224 errors:0 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:56042559 (56.0 MB)  TX bytes:2427777 (2.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06
UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
RX packets:11506719 errors:2 dropped:0 overruns:0 frame:2
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3058600599 (3.0 GB)  TX bytes:218 (218.0 B)

eth2      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:06
UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
RX packets:8063355 errors:1 dropped:0 overruns:0 frame:1
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1435285089 (1.4 GB)  TX bytes:250 (250.0 B)

eth3      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:04
UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
RX packets:16316361 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3675415003 (3.6 GB)  TX bytes:238 (238.0 B)

eth4      Link encap:Ethernet  HWaddr 00:e0:b6:00:a2:04
UP BROADCAST RUNNING PROMISC SLAVE MULTICAST  MTU:1500  Metric:1
RX packets:7987460 errors:2 dropped:0 overruns:0 frame:2
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1396558003 (1.3 GB)  TX bytes:230 (230.0 B)

lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3948 (3.9 KB)  TX bytes:3948 (3.9 KB)

root@ids-01:~#

