
Installing and Registering the redborder Community Edition IPS

Requirements

redBorder IPS has minimum requirements in order to function correctly. Both the minimum requirements for installation and the values recommended for correct performance apply to each SNORT instance being executed. They are shown in the following table:

              Minimum per instance   Recommended per instance
RAM           2 GB                   4 GB
Processor     1 Core                 1 Core

For example, if we want four SNORT instances in the recommended configuration, we need a machine with 16 GB of RAM and four cores.

Downloading the ISO

In order to download the ISO image, we must be registered. Once we are logged in to the redborder website, we must go to Community -> Downloads. On this page we will find all of the redborder editions along with their corresponding specifications and characteristics.

To download the Community edition, click on DOWNLOAD in the Community section.

 

 

Burning the ISO Image

The ISO image is prepared to perform the boot from a DVD reader, USB device or as an ISO file for a virtual machine.

In order to burn the ISO image from a Linux system to a USB device, the following command needs to be used if the USB device is mapped in /dev/sdd:

[root@machine ~]# dd if=redBorder-3.1.68-1-x86_64-6.5-community.iso of=/dev/sdd bs=10M
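Because dd overwrites whatever device is named in of=, it helps to check the target before writing and to compare the result afterwards. The following is an added example, not part of the original redborder guide: the function names, the SYSFS_ROOT and MOUNTS_FILE overrides and the conv=fsync option in the usage comment are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pre-flight and post-write checks around the dd command above.
# SYSFS_ROOT and MOUNTS_FILE default to the live system; they can be pointed
# at constructed fixture files to exercise the checks without a real device.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# True only for a whole disk (e.g. /dev/sdd) that the kernel flags as removable.
# Partitions such as /dev/sdd1 have no /sys/block entry and are rejected.
# Conservative: some USB hard-disk enclosures report removable=0.
is_removable_disk() {
    name=$(basename "$1")
    flag="$SYSFS_ROOT/block/$name/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# Print every mounted source that is the disk itself or one of its partitions
# (sdd, sdd1, sddp1), without matching a different disk such as sdda.
mounted_parts() {
    awk -v d="$1" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { print $1 }' "$MOUNTS_FILE"
}

# Refuse the target unless it is a removable whole disk with nothing mounted.
check_target() {
    dev="$1"
    if ! is_removable_disk "$dev"; then
        echo "refuse: $dev is not a whole disk flagged removable"
        return 1
    fi
    mp=$(mounted_parts "$dev")
    if [ -n "$mp" ]; then
        echo "refuse: still mounted: $mp"
        return 1
    fi
    echo "ok: $dev"
}

# After writing, compare the first <ISO size> bytes of the device with the ISO.
verify_written() {
    size=$(($(wc -c < "$1")))
    cmp -s -n "$size" "$1" "$2"
}

# Usage as root, with the file and device names from the guide:
#   ISO=redBorder-3.1.68-1-x86_64-6.5-community.iso
#   check_target /dev/sdd && dd if="$ISO" of=/dev/sdd bs=10M conv=fsync \
#       && verify_written "$ISO" /dev/sdd && echo "write verified"
```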

 

Installing the ISO

Once we have booted the redborder ISO, we will see the installation menu. To perform the installation, select the option: Install Community IPS Sensor:

 

 

Once in the installation process, the user only needs to confirm the installation destination and root password. redborder is prepared for unattended installations and so we should be especially careful with the time we have to respond to these three questions if we wish to modify the default options:

 

 

Once this page has been confirmed, the installation will carry out all of the necessary processes to prepare the system for configuration.

By default, the root password will be redborder, unless a different one is set at the installation prompt described above.

 

Basic Configuration

Upon completing the installation process, we have two configuration options depending on whether or not there is a DHCP server.

  1. Dynamic IP (DHCP): in this case, redborder will have acquired an IP in its network interface.
  2. Static IP: in this case redborder will not have any IP assigned.

In both cases we will have to access the system in order to configure and register the sensor in the manager. We will access with the root user and password that was selected during installation.

 

 

Once inside the system we will start the configuration manager. To do this, we will execute:

[root@rbmanager ~]# rb_sysconf

A menu with different options will appear:

 

 

Select option number 2 for Network configuration:

 

 

Select option number 1 for Management Network configuration:

 

 

Select option “n” to create a new bonding. We’ll configure the management IP in the first bonding (bond0).


We type "0" to create bond0.

 

 

Now we choose the first interface (port) for bond0. The second interface is optional:

 

 

In the next steps we set the IP address, netmask and default gateway. Remember that the sensor requires network visibility of the manager.

The option “Insert a route for this bonding” defines a static route. If you are going to use the default gateway, select “N” for this option.

 

 

To finish the configuration of the management IP, we need to apply the changes. Then we must return to the previous menu (Network configuration menu) and select option “a”.

 

 

When the above processes finish, the management interface will be configured.

In this section we must keep in mind whether we want an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS). For the former, we only need a management network interface and another which we will use to analyze traffic. For the latter, in addition to the management interface, we will need two or more network interfaces.

In this guide we will assume that there are two network interfaces in our system. We have already configured the first in the previous steps and this is the interface that we will use to communicate with the sensor. With the second network interface we are going to create a segment with a listening port to analyze the traffic that flows through that interface. Likewise, we need to send the desired traffic to this second interface. One option is to use a network listening device (Network TAP), configured to resend traffic out through the interfaces on which it did not receive it (see image). A diagram is included where the configuration can be seen:

 

 

 

 

Now select option number 3 for Segment settings.

If you have a segment with bypass support, this capability will be auto-configured by default when detected. In our case we are going to assume that we don't have bypass support. So, you must select the option "n" (new segment) in order to configure a segment and follow the wizard:

  1. Insert segment number (0-1) [0]: Press ENTER to select 0.
  2. Insert segment first port [1]: Press ENTER to select 1.
  3. Assign a second port to the segment (Y/n): Select N and press ENTER.

 

After creating the segment, you must apply the changes.

Lastly, in Network Configuration, we can change the DNS configuration and the desired domain. To do this, we select option 2 - DNS and domain settings:

 

 

We must apply the changes again.

 

Registering the IDS Sensor in the Manager

Now we are going to register the sensor, configured previously, in the Manager. To do this, we must go to the main menu and select option 1 - System configuration:

 

 

Option 1 allows us to create a host name for the IDS/IPS sensor.

Option 2 allows us to indicate the local time of the IDS/IPS sensor.

In option 3 we must insert the domain or IP that the Manager has in its management interface.

 

 

Lastly, we must select option 4 Register rB Sensor/ manager. This wizard will ask us for the username and password to access the web interface of the Manager (by default, the username is admin and the password is redborder).

 

 

If we have followed these instructions, the sensor will be registered:

 

 

Likewise, it will appear in the web interface of our Manager as configured. To verify this, we can access Sensors in the web interface to see if the last check in was satisfactory:

 

 

Registering the IDS Sensor in redborder Live

In order to register the sensor in redborder Live, we must have a redborder account.

In order to register in redborder Live, we must access: https://www.redborder.com. Click on try redborder, in the upper right of the screen.

 

 

Fill out the form and click on Register. We will need to confirm the email in order to finish the process.

 

 

Now, we must go to the redborder Live login page. The link for this page is: https://live.redborder.com. We will log in with the same email address and password that we used in the registration.

 

 

Now, we will access the sensor as the root user.

Once inside the system we will start the configuration manager. To do this, we will execute:

[root@rbmanager ~]# rb_sysconf

A menu with different options will appear:

 

 

We must select option 1 - System configuration:

 

 

First of all, Option 1 must be selected to create a host name for the IDS/IPS sensor, because the default hostname rbsensor is not allowed.

Then, select Option 5 to start the registration process with redBorder Live. A Sensor UUID will be shown.

 

 

Copy the UUID and go to the redborder Live web page. If we are logged in, go to Sensors and press + Claim Sensor:

 

 

A pop-up window will appear where we must enter a name for the sensor and paste the UUID that we copied before in the field below.

 

 

Click on save and wait until the sensor is configured correctly. We can then verify that the sensor is working both in redborder Live and by executing the rb_sysconf command and selecting option 1 in the menu:

 

 

Assigning Resources to Segments

We need to go to the Sensor tab and select the Edit option:

 

 

Go to Groups and in this view you can see the number of segments and cores you have. We only need to check the segment and assign the number of cores we want. Then press Update.

 

 

 
