From: Dominik G. <dg...@in...> - 2009-01-27 21:09:40

Hi Jim,

I would love to hear how your tests are going! If you need any help, please don't hesitate to ask,

Dominik

On 23-Jan-09, at 3:14 PM, Jim Mellander wrote:
> Thanks Dominik:
>
> I appreciate the advice. Is there any interest in collaboration in this?
>
> Some background information:
>
> I started using the linksys routers as network probes a few years ago, actually running our IDS (Bro) on them to monitor tapped 100MB links - although this worked adequately, we've upgraded to 1 Gig (and 10 Gig, in some cases) to the desktops, so they weren't adequate for the job.
>
> I then conceived of the notion of using them as transparent bridges giving us, initially, a view into each subnet, at the bargain price of ~$50/installation (Who says government has to be inefficient?). Now I want to use the devices in an active role. BTW: I'm turning off the radio, and using it exclusively for wired networks, although there is no reason that the scheme I'm using couldn't be used in a wireless context as well.
>
> So, at this point, I am building an infrastructure that will essentially have a master system or systems with (virtual) network interfaces in every subnet - and I'm trying to visualize what can be done with this technology - packetfence seems like an ideal fit, since it also fulfills another need of ours.
>
> I suppose my primary concern would be that of performance:
>
> Will a system with ~100 virtual network interfaces be able to respond quickly enough to an arp request to be effective in spoofing an arp reply in response? The routing table on such a system will be enormous, which will introduce delays. I'm less concerned about TCP timeouts, due to the nature of TCP. I suppose I will just need to test, as it's unlikely that any implementation of this nature has been attempted before..
>
> Dominik Gehl wrote:
>> Hi Jim,
>>
>> this definitely sounds doable from a PacketFence point of view.
>>
>> Please keep in mind that you'll have to apply a patch sent to the mailing list in May 2008. The subject of the message was 'Patch to enable arp spoofing in 1.7 RC4' and you should still find it in the list archives.
>>
>> Let us know if you have any further questions,
>> Dominik
>>
>> On 22-Jan-09, at 7:06 PM, Jim Mellander wrote:
>>
>>> Hi:
>>>
>>> Just signed onto this mailing list.
>>>
>>> I have installed Linksys WRT54GL routers, running openwrt, with custom code to function as network probes - one per subnet on our internal network. Currently, they capture traffic via tcpdump and pipe it through ssh to a master system, which then strips the pcap headers and pushes the packets onto a virtual interface for monitoring purposes. We run our homegrown IDS (BRO - http://www.bro-ids.org ) and, in particular, are monitoring arp packets for scan detection within a subnet. This is already working on linux with ~100 different subnets reporting.
>>>
>>> One of my goals has been to replace this crude mechanism with a transparent bridge, which will effectively allow the master system to have virtual bi-directional network interfaces in all of our subnets. I envision this to allow us to do such things as:
>>>
>>> 1. Continue our IDS operations by monitoring of these interfaces
>>> 2. Allow us to run a honeypot on the master system which responds to accesses on any of the subnets
>>> 3. Allow us to run a host registration system - Packetfence (I hope), and use arp spoofing to force hosts to a registration page if a new MAC address is detected.
>>>
>>> I've modified etherpuppet ( http://www.secdev.org/projects/etherpuppet/ ) to perform the transparent bridge function crudely. I'm exploring honeymole ( http://www.honeynet.org.pt/index.php/HoneyMole ) as a better alternative for this.
>>>
>>> So, I guess from a packetfence perspective, does this sound doable? Essentially I would be running a central system (or could be a cluster of systems) which has a (virtual) interface into every local subnet (we're talking about ~ 100 network probes).
>>>
>>> Any comments, suggestions?
>>>
>>> --
>>> Jim Mellander
>>> Incident Response Manager
>>> Computer Protection Program
>>> Lawrence Berkeley National Laboratory
>>> (510) 486-7204
>>>
>>> The reason you are having computer problems is:
>>>
>>> The kernel license has expired
>
> --
> Jim Mellander
> Incident Response Manager
> Computer Protection Program
> Lawrence Berkeley National Laboratory
> (510) 486-7204
>
> The reason you are having computer problems is:
>
> Decreasing electron flux
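Jim's probes strip the pcap headers off a tcpdump stream and the master then watches ARP for scan detection within each subnet. The following is an added example of those two steps (it is not code from this thread, from Bro or from PacketFence): a minimal pcap record stripper, an Ethernet/ARP field parser, and a detector that flags any sender that ARP-requests an unusually large number of distinct targets. The pcap bytes are constructed inline; the threshold of 5 is an assumed, illustrative value.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xa1b2c3d4   # pcap global header magic, little-endian file
ETHERTYPE_ARP = 0x0806

def frames_from_pcap(data):
    """Strip the 24-byte global header and 16-byte record headers, yielding raw Ethernet frames."""
    magic, = struct.unpack_from("<I", data, 0)
    order = "<" if magic == PCAP_MAGIC_LE else ">"   # any other magic: treat as big-endian
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip) for an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack_from("!H", frame, 20)[0]          # 1 = request, 2 = reply
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return opcode, sender_ip, target_ip

def arp_scanners(pcap_bytes, threshold=5):
    """Map sender IP -> count of distinct IPs it ARP-requested, keeping only senders at/above threshold."""
    targets = defaultdict(set)
    for frame in frames_from_pcap(pcap_bytes):
        arp = parse_arp(frame)
        if arp and arp[0] == 1:                              # count requests only, not replies
            targets[arp[1]].add(arp[2])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= threshold}

# --- constructed sample input: a scanner sweeping 10.0.1.1-8 plus one normal host ---
def _arp_request(src_mac, sender_ip, target_ip):
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + bytes(map(int, sender_ip.split(".")))
    return eth + arp + b"\x00" * 6 + bytes(map(int, target_ip.split(".")))

def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1232000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap(
    [_arp_request(b"\x00\x11\x22\x33\x44\x55", "10.0.1.5", f"10.0.1.{n}") for n in range(1, 9)]
    + [_arp_request(b"\x00\xaa\xbb\xcc\xdd\xee", "10.0.1.20", "10.0.1.1")])
```

`arp_scanners(SAMPLE_PCAP)` returns `{'10.0.1.5': 8}`; the host that only asked for its gateway is below the threshold and stays out of the result.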