The difficulties of home network intrusion detection

Why?

It occured to me that one of the devices in my network could be compromised and I would not know a thing.

I recently read the books Dark Territory by Kaplan and Cyber War by Clarke, who describe how this more or less applies to all of North America.

So I did some research into firewall/intrusion detection systems that were free, easy to configure, and could run in a VM or on a Raspberry Pi type computer. My goal was to find something like OpenMediaVault for intrusion detection; OMV is free (and open source), has a great web UI that can do almost everything, performs well on minimal hardware, and has a generally high degree of It just works.

I wanted to find something that is as easy and affordable to run as OpenMediaVault, and could be the kind of thing you set up at your parent’s house or for a friend to detect malware/botnet activity. To make it even harder, it would be nice if we could do this without accidentally invading the privacy of everything everyone in their house does on the internet.

Options

Some classic names like Snort and Bro can be very powerful; but the setup time and effort is way too much just for some peace of mind at home.

The general selection of software (generally applicance-like distributions) that I found:

  • pfsense, especially with plugins (x86 only)
  • Security-Onion, appliance, aggregates a lot of common tools (didn’t find it for a while somehow, also x86 only)
  • BriarIDS - designed specifically for Raspbery Pi, but it is not clear what it does or how your network has to be setup
  • SweetSecurity, also aggregates a lot of tools. Appliance, but deploys from a Python script! Does have Raspberry Pi support, but is limited
  • OpenWRT and Zeroshell: Linux router distributions. They do have releases for Raspberry/Orange Pi but seems to be one-off builds.

A few general problems emerge

  • Anything really useful with graphs and alerts quickly requires 3-4GB of RAM and x86, costs C$150 at a minimum and C$300+ for something power efficient.
  • Most setups assume some kind of capability of forwarding all packets, which most home routers can’t do; or assume that they ARE the router and all packets must pass through them

pfsense

I actually did install pfsense on an old laptop with a USB gigabit adapter this year, and placed it between my ISP’s modem/router and the TPLink wireless router I actually use.

Benefits:

  • It’s full pfsense and it runs pretty well on any old laptop with a USB ethernet adapter.
  • Good community and plugins
  • Can run in a VM pretty well but it’s going to be a bit janky.
  • Once you’re running pfsense you have a lot of flexibility. You can directly use plugins, or forward packet data to a dedicated IPS server.

Problems

  • x86 only for the publicly available builds due to spotty FreeBSD support everywhere else
  • If on a laptop, that laptop’s screen is now always on with no hardware brightness control
  • By default, pfsense beeps CONSTANTLY at the command line and also beeps loudly for several seconds when it turns on. I was configuring it at about 11PM in my room while my girlfriend and dogs were peacefully sleeping, and it played a little 8 bit tune at full volume that scared the crap out of everybody in the room. The terror of this beeping has to be experienced to be believed.
  • Anything with appropriate power consumption for running 24/7 and not doing much most of the time is ARM or much more expensive Intel/AMD processors. Furthermore, the cheaper x86 options like the Intel J1900 do not have AES-NI support, which the next version of pfsense requires.
  • To make this work for most people you’d probably have to make it their router and wireless access point, or at the very least be placed inline between their ISP modem/router and a second wireless router. Both require the placing of a medium to large size box near the ISP box, which in my experience always ends up somewhere with barely any space.

pfsense is also a firewall first and foremost, not intrusion detection. So you may also need another server running something like Graylog or the Elastic Stack to make sense of the data you get.

Security Onion

I somehow missed this one until after doing everything else. By far this is the most active in terms of development and community that I encountered, given that pfsense is more about firewalls and routing, and everything else is too complicated. The github wiki is well populated and there have been conferences, training courses, etc.

  • It’s a full featured NSM (network security monitoring), intrusion detection, event analysis and visualization appliance.
  • As such the requirements are pretty hefty at minimum 4 CPU cores and 8GB RAM (for home use I imagine we can stick to the minimum, or even drop a bit below).
  • With full packet capture, the typical home user would store somewhere between 10GB (medium usage) to 250GB (heavy usage and downloading) of PCAPs per day. They recommend you use local disks to keep things simple and reduce performance problems. My goto approach of VMs on a 10 year old CPU all using the same 2TB disk for data over one gigabit interface may have problems here 🙈.

They also recommend having a dedicated NIC for management (preferably on a seperate network) and UPS (battery power), but those can probably be omitted for home use. It’s not totally clear how you need to set up the SecurityOnion server within your network, but they mention tap or span both work.

There seems to be some variety in what tap/TAP and span/SPAN mean, but to me tap is ‘inline’ where the packets must pass through your device, where you collect them; and span (also called port mirroring?) is when one or more devices forward all the packets they get to your packet collection device.

It seems the tap is usually a passive device that just take every packet and sends it both on its original path and to your collection device, but the data collection effect is the same as having your collection device in the middle.

As home routers are unlikely to have port mirroring features, it seems like some kind of tap is the best approach.

Security Onion is very interesting and I will have more on it in the future, especially on setting it up as simply as possible for home users.

OpenWRT and Zeroshell

OpenWRT and Zeroshell are of course linux-based routers, and in the case of OpenWRT a great replacement for stock router firmware where possible.

A few posts discussed running Snort on them with a reasonable amount of success, and it seemed like Zeroshell even had an easy one click install type addon for Snort.

For both distros I found OrangePi Zero and Raspberry Pi versions, but I only tried Zeroshell on the Orange Pi Zero. It actually works pretty well with a USB gigabit NIC (of course, we are not going to get anywhere close to gigabit speeds out of USB2).

I have a future post coming up on how to install and configure Zeroshell on the Orange Pi Zero. As a summary: great router, no IDS features.

Zeroshell’s Raspberry and Orange Pi images can be found on their download page and are the usual deal of burning to an SD card with something like dd or Etcher.

OpenWRT has the Raspberry Pi images under ‘Firmware OpenWrt Install’

Xunlong, the company behind OrangePi, directly provides an OpenWRT images that I did not test.

However, OpenWRT’s wiki seems to say that the Orange Pi Zero has not had a port yet, except incidentally as part of the MiZy project. The MiZy project seems fine but it’s made by a Russian living in Thailand. So, pick whether you want your OpenWRT image to be Russian or Chinese.

Sweet Security

Claims “Scripts to setup and install Bro IDS, Elasticseach, Logstash, Kibana, and Critical Stack on any device”, and this is mostly true. It requires 2GB of RAM, so to have both collection and analysis you need to have something more powerful than a Pi3, or multiple devices to split the load.

As far as I can understand, the ‘Sweet Security Client’ software would need to be installed on all computers you have, or on one computer that ends up forwarding all your traffic (like an OpenWRT or Zeroshell router, or something you mash together on Debian with IPTables). The client software also looks for exposed ports on itself.

The client(s) forward all their data to the ‘Sweet Security Server’, which stores the logs and puts them through Elasticsearch and Kibana. Exact numbers on storage size are not given, but it does say within a few weeks of home network use you will have hit 85% disk capacity. I assume this is for a typical SD card size of 16-32GB, so maybe we can expect 250MB/day of logs on a typical home network. Not a problem in the days of cheap 64GB SD cards or 3TB hard drives.

Unfortunately, this project appeared to have received its last major update in July 2017 and has had no activity from the single main developer since. This looks promising, but would need more work to be generally recommendable.

BriarIDS

This looked promising, as it advertises fully working from a single Raspberry Pi. However, I could not figure out what kind of network setup I would need to make this work from the documentation. The web UI also looked like it would be incredibly painful to use. BriarIDS is someone’s personal project, so fair enough, it does enough to work for them.

Written on December 15, 2018