Published: May 2, 2020
A switch capable of port mirroring and VLAN tagging is an essential purchase for every home lab. For your home IDS to work, you’ll need to mirror network traffic traversing the switch to a dedicated port. This switch port should be connected to a NIC dedicated as the sniffing interface for your IDS. In future tutorials, I’ll show you how to setup Security Onion as an IDS and analyze this traffic.
Based on the first article in the series (Home Router- DMZ/Transparent Mode), we’ve already configured our ISP’s router for DMZplus mode. All traffic inbound for our public IP is being sent to the WAN port of a Sophos FW.
In this article, I’ll review the setup of my Netgear ProSafe Plus 8 port managed switch. I’ll also setup 2 VLANs on the switch, one for internal traffic, the other for DMZ traffic. I’ll also review setting up the DMZ network on my Sophos firewall.
Make sure any port of the Netgear switch is connected to the internal LAN port of the firewall.
In my example, I’ve connect port 1 of my Netgear switch to the LAN port of my Sophos FW.
Connect the main NIC of your machine to port 2 of the Netgear switch.
Connect port 8 (Can be configured for any port) to a secondary NIC on your computer. This switch port will mirror all the traffic that traverses the switch and send it to the connected NIC for sniffing and analysis.
Login to your managed switch. In my case, the 8 port Netgear ProSAFE Plus Switch
When we login we’ll go to System -> Monitoring
Then click on “Mirroring”
Make sure ports 1-7 are checked, mirroring is “Enabled” and Destination Port is set to “8”
Click Apply to save the settings
Since we’re in the switch, I recommend setting up an additional VLAN. My Sophos FW has an additional NIC labeled “DMZ,” which allows us to segment traffic from my internal network. You need a separate NIC to mirror this setup, but setting up a DMZ is a recommended best practice.
Click on VLAN -> 802.1Q -> Advanced -> VLAN Configuration
Enable Advanced 802.1Q VLAN
Add a new VLAN ID
Set ports 6 & 7 to VLAN ID 2, we’ll use these for our home DMZ.
VLAN Membership- set ports 1-6 & 8 as untagged under VLAN ID 1
VLAN ID 2 has ports 6 & 7 selected as untagged
Once that’s setup, I plug in an ethernet cable to port 7, then into the DMZ port of my firewall.
Login to my firewall, under Interfaces & Routing -> Interfaces
You should have an Internal network already setup, so we’ll run through this example by creating a new interface, which I called honeynet. This will be my DMZ network.
Make sure the honeynet can resolve DNS at the firewall
Also make sure the network is getting an IP with DHCP
Setup a masquerade rule so outbound traffic is sourced from our public ip
And were done! Now we’re able to mirror our internal and DMZ network traffic to port 8. We’ll connect port 8 to the sniffing interface of Security Onion for analysis, which we’ll review in the next article.
Now you can connect another computer/raspberry pi to port 6 to get an IP address in the Honeynet(DMZ). We can create firewall rules to control hosts on both the LAN and DMZ networks, ensuring we properly segment networks.
From the main Sophos Dashboard