Laboratory Network Monitoring: Setup
In this group project, you will design a laboratory monitoring infrastructure used by all cybersecurity courses. In doing so, you will gain experience in:
- Full packet capture
- NetFlow capture
- Logging tools
- Data indexing, searching, and analysis tools
This project is inspired by the SANS whitepaper "Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response"
Requirements - Data Collection
Note: This is intended to be a permanent configuration for the lifetime of the lab, and not a temporary student project. As such, written design documents are of high importance.
In Part 1 of this project, you will collect data on network traffic and archive the data for future analysis. The data to be collected includes full packet capture (PCAP), flow summary data (NetFlow), log files for key network services, and protocol specific data.
In network monitoring, there are significant design tradeoffs to be made:
- How much data do I capture?
- Do I capture all packet data? (Contains all information possible, but comes with privacy considerations, massive storage requirements for busy networks, and slow analysis and processing times)
- Do I capture only flow summary data? (Smaller data sets are easier to process, but you won't be able to reconstruct all details of network events)
- How long do I retain data for? Does this answer vary depending on the data type?
- What are the exact ports and links I am monitoring? (At the public-facing router? Which port? At key internal switches? Which ports?) Depending on the choices made, key network events may either be visible or invisible.
- Where is the captured data being stored? How is this storage secured?
Before doing any implementation, you should have a technical discussion with your group and instructor to answer these design questions.
Full Packet Capture
Your project should capture full packet traces ("PCAP" or "PCAPNG" are traditional file formats) and save it to a long-term storage repository in a well organized fashion. Use a tool like tcpdump or another tool of your choosing.
Your project should capture summary packet flow data ("NetFlow") and save it to a long-term storage repository in a well organized fashion. Use a tool like
nfpcapd (part of the nfdump suite) or another tool of your choosing.
Other Data Capture
Although PCAP and NetFlow files are the primary data collection sources, additional valuable data sources are also available and should be saved for analysis.
DNS Monitoring - The PassiveDNS tool reports on network DNS queries. This tool can be configured to either process a raw network stream in real-time or to post-process PCAP files after they are saved.
ARP Monitoring - The ARPWatch tool reports on IP<->MAC address pairings. This tool can process a raw network stream in real-time. When configuring this tool, you should answer the design question: What interfaces would this tool be more or less useful on? Note: Look into the
-u flag for this tool.
Log Files - Log files can be produced by a number of devices, including the firewall, DHCP server, and HTTP proxy. Investigate obtaining log files from the Mikrotik devices, specifically firewall and DHCP logs. These can be sent to a Linux syslog daemon. We do not have a HTTP proxy at this time.
Wireless - Design question - Can we monitor wireless in CTC as well? (What would be required, hardware and software-wise, to monitor access points and spectrum usage in CTC?)
Requirements - Data Analysis
In Part 2 of this project, you will load the data collected into analysis tools for human review.
|Moloch||Full packet capture, index, and database system||PCAP|
|SOF-ELK||Multi-purpose flow and log analysis system||NetFlow, Log data (passivedns, iptables, dhcpd, etc)|
|Snort||Intrusion Detection System||Live data|
|Bro||Network security monitor||Live data|
Requirements - Other
You should design "good looking" warning signs to post throughout the lab with content similar to this:
Cybersecurity Lab - All Internet Access is Monitored and Recorded
WARNING! You should have no expectation of privacy in your use of this network.
Use of this network constitutes consent to monitoring, retrieval, and disclosure
of any information stored within the network for any purpose.
Requirements - Documentation and Testing
The following documentation is required for this project. Remember, this is intended to be a permanent network configuration for the lifetime of the lab, and not a temporary student project. Complete documentation will ensure that the network can be updated and maintained as needed.
Public design document: Prepare a document, suitable for public display on this website, that communicates your overall data capture design to future students that will use the lab. This document should include an overall narrative description of the design, plus network diagram(s), data flow diagrams, and other important details.
Private installation instructions: Provide step-by-step installation instructions for your system. If I started with a generic Ubuntu Linux installation and a generic Mikrotik router, what would I need to do to build your final system?
This documentation should be submitted in Markdown format, suitable for direct posting on this website. There are a number of Markdown editors available, either to install on your computer (MacDown or MarkdownPad), or use online.
You should do spot testing as part of this project to ensure that the systems you build are functional. Additional testing will be conducted in the next project.
This is a group project. The grading breakdown is:
- Functioning lab monitoring - 60%
- Public document - 20%
- Private installation document - 20%
Your goal should be to have the data collection completed in week 1 and analysis tools completed in week 2.
Submit all files to the Canvas CMS site. Only one submission is needed for the group.
Make sure that your submission includes all of the following project deliverables:
- The functioning lab monitoring system in CTC 214
- The public design document in Markdown format plus original editable source files for any images so that I can keep the diagrams updated
- The private installation instructions in Markdown format (OK if they are just a giant code block with embedded comments)
The VMWare ESXi server is available for this project. It is provisioned with two 14-core Xeon E5-2660 v4 CPUs, 256GB of RAM, and 4TB of SSD NVMe storage. Virtual machines can be created as needed. You may wish to configure VMs by data capture type, i.e. have one VM handle full packet capture and analysis, another handle NetFlow capture and analysis, and a final VM handle log file capture and analysis. Or you may with to have a central storage service that is accessible by a number of smaller VMs for analysis purposes. Note that some analysis systems (e.g. Moloch and SOF-ELK) have their own internal database system. They import raw PCAP and log files but all processing is done from their internal database, which could also be quite large.