Airgapped Networks

weslambert edited this page Jun 28, 2018 · 4 revisions

Some organizations have airgapped networks with no connection to the Internet. Security Onion works fine on these airgapped networks, although it may be missing some updates due to lack of Internet connection.

DNS lookups

When pivoting to a transcript (from the Sguil client or CapMe), the Sguil server performs DNS lookups on the source and destination IP addresses. On an airgapped network these lookups cannot be resolved externally, so you may want to disable them as described here: https://github.com/Security-Onion-Solutions/security-onion/issues/905

Updating

You can transfer updates to airgapped networks via DVD, USB, or other media.

@SkiTheSlicer has created a set of scripts to assist in updating airgapped Security Onion installations:
https://github.com/SkiTheSlicer/securityonion-airgap

Docker

For Docker containers, sneakernet updates can be performed by following the procedure described here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Docker#sneakernet-updates