Docker running a NIDS


Has anybody set up and run a NIDS via Docker on their NAS?

Is it possible - (possibly not if I think about it, but ...) ?

If you have what do you use? How hard was it? What did you have to do to get it to work pls?

Tks
 

Rusty

Are we talking about intrusion detection here or something else?
 

fredbert

No. How are you thinking of connecting it into the network? Place the NAS inline and use it as a network gateway, or use an interface to connect to a LAN device?

From experience, to run a Network-based IDS device you would connect it in one of three ways:
  1. Inline: place the IDS appliance in the flow of the traffic being monitored.
    1. This requires interfaces for inbound and outbound connections.
    2. Usually placed between switches, or between firewalls/routers and switches.
    3. As it's a monitor, many appliances offer fail-to-wire/fail-open interfaces so that traffic still flows if the appliance fails. In resilient pairs, the primary would be configured to fail-closed and the backup would fail-open.
  2. Indirect, to a switch's SPAN port.
  3. Indirect, to a network tap.
    1. With both indirect methods, copies of the packets are sent to the connected IDS appliance as they pass through the switch/tap.
    2. Failure of the IDS appliance won't affect the flow of traffic.
 
As an addition:
If you put a container's network device into promiscuous mode, depending on the network type you will end up being able to monitor only parts of the traffic (see fredbert's response 3.2):
- macvlan/host: no container traffic
- bridge/overlay: no traffic outside the container network, as it would only see packets from the "virtual switch" the containers are attached to.

This use case simply doesn't fit the layer Docker operates on.
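To make the network-mode point above concrete, here is an added docker-compose example (not posted by anyone in this thread, and not a Synology or Suricata project file) that puts the default bridge attachment next to the only attachment that gives a containerised NIDS a useful view: host networking on a second NAS NIC that is cabled to a switch SPAN/mirror port or a tap's monitor output. The interface name eth1, the jasonish/suricata image tag, the /volume1/docker paths and the rule directory are assumptions for illustration; substitute what your NAS and rule set actually use.

```yaml
# Added example: two ways of attaching a Suricata container on a NAS.
# Interface names, image tag and host paths are assumptions, not values
# taken from the thread. Only ONE of these services is meant to run;
# the first is kept purely to show why the default setting is useless.
services:

  # WEAK: default bridge network. The container's eth0 hangs off docker0,
  # so Suricata only sees frames on that virtual switch (its own traffic
  # and other bridged containers). The NAS's LAN/WAN interfaces, and any
  # mirrored traffic arriving on them, are invisible. Promiscuous mode
  # does not change that; the "wire" is the bridge, not the physical NIC.
  suricata-bridge:
    image: jasonish/suricata:latest
    cap_add: [NET_ADMIN, NET_RAW]
    command: -i eth0 -l /var/log/suricata
    volumes:
      - /volume1/docker/suricata/logs:/var/log/suricata

  # CORRECTED: host networking plus a dedicated NAS NIC (eth1, assumed)
  # plugged into the switch's SPAN/mirror port or a tap monitor output.
  # The container shares the NAS network namespace, so -i eth1 captures on
  # the physical interface that receives the mirrored copies; Suricata's
  # af-packet capture sets promiscuous mode itself (hence NET_ADMIN and
  # NET_RAW; SYS_NICE lets it raise capture-thread priority so it can keep
  # up with the flow). Because this is a SPAN/tap attachment, a failure of
  # the container drops no production traffic: it is fail-open by design.
  suricata-span:
    image: jasonish/suricata:latest
    network_mode: host
    cap_add: [NET_ADMIN, NET_RAW, SYS_NICE]
    command: -i eth1 -l /var/log/suricata
    volumes:
      - /volume1/docker/suricata/logs:/var/log/suricata
      - /volume1/docker/suricata/rules:/var/lib/suricata/rules
    restart: unless-stopped
```

The two services differ only in network_mode and the capture interface, which is the whole point: the container runtime is not the problem, the wire it is attached to is. Without a mirror port or tap feeding a NAS interface, the host-mode variant still only sees traffic addressed to (or bridged through) the NAS itself. The logs land on the NAS volume in JSON form, which is also where a later SIEM container would read them from.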
 
Thanks All.

I didn't think it was going to be possible, but there are plenty smarter folks than me, so figured it couldn't hurt to ask.

No container traffic would be fine.

I was hoping to do it all in software, but sounds like it might just be not worth the effort.
 

fredbert

What are you looking at? Snort? Maybe look at RPi? Enough people looking at that.

The IDS has to be able to keep up with the traffic flow, or be able to catch up, otherwise it won't be able to do its job. I'd look at a dedicated approach and strip out any unnecessary processes.

I wonder if you can stream the IDS logs to the NAS? Hey you can then try setting up a SIEM too :)
 
I wonder if you can stream the IDS logs to the NAS? Hey you can then try setting up a SIEM too :)
Pretty sure if you got the tap correct, you could run a Docker SIEM to log it all. But it's the capture first that's the tricky bit. I have a couple of switches that support mirroring, but the topology would need re-jigging.

I've come to the conclusion - too much grief.



How bad do I want it? .... Not bad enough. (put that one down to just another brainfart.)
 

fredbert

I've not used [i.e. bought] many home firewall routers, so IDS/IPS may be more prevalent in this sector, but I'm happy with Threat Prevention on my RT2600ac. While I knew that there would be lots of drive-by probing of my connection when using my old routers, it's the number of blocks on specific potential attacks after scans that's made me set all 'scan' rules to block too.
 
Yeah. The RT2600 sits inside an external gateway in an untrusted setup.

I "believe" the external is pretty good, in so much as I don't believe I've seen any issues, but then I don't know whether or not I don't know - if you know what I mean. And it doesn't log a lot in the UI.

You're always better off with more than less information. Especially in terms of security.
 

fredbert

You're always better off with more than less information. Especially in terms of security.
Indeed. Security spend is like insurance: no one likes it, especially the accounts. Reporting is one way to demonstrate the benefits: it's hard to quantify the cost saving to productivity and infrastructure resources being used for non-business activities (CPU, bandwidth, power, cooling, hosting, etc).
 

fredbert

1TB WD Elements USB 3 pocket drive. Far too big by nearly 1TB but I had a thumb drive die from (I think) heat and a ‘proper’ drive was only slightly more expensive. Plus I can always re-use it. Speed-wise I’m on 100Mbps and we still get that.

2-3GB is the guidance for TP, so anything bigger than that should be more than enough.
 
Yep.

With a 4GB card in there, the system database on the card takes about 1GB and the remaining 2.5GB apparently isn't enough for TP.

I imagine otoh, 1TB would do nicely.
 
