Initial Setup Network card (NIC) setup

Darren Young edited this page May 1, 2019 · 5 revisions

NOTE:

SELKS already disables NIC offloading on all available interfaces by default. To check, run ethtool -k INTERFACENAME. This article is provided for explanation and reference, and in case you would like to do some customization.

SELKS comes with a few ready-to-use admin/support scripts (packaged as selks-scripts-stamus and already pre-installed), located at:

/usr/bin/selks-reconfigure-listening-interface_stamus

Some of the scripts tune the sniffing interface, mainly by disabling NIC offloading. You need to disable all offloading on the sniffing network card so that the IDS/IPS can see the traffic as it is supposed to be (without checksum offloading, TCP segmentation offloading and such). Otherwise your IDPS will not see the "natural" network traffic the way it is supposed to and will not inspect it properly.

You can check the current status of a particular interface using ethtool:

ethtool -k eth3

Step 1

Disabling NIC offloading is a must when doing IDS/IPS. You can disable NIC offloading one time (not persistent across reboots) as follows. For example, if your sniffing interface is eth3:

root@SELKS:~# selks-reconfigure-listening-interface_stamus

Please supply a network interface for inspection (mirror or inbound)
Example - eth1

The script will make adjustments for(or in):
    1) the interface provided
    2) kernel tuning
INTERFACE:
eth3

The supplied network interface is:  eth3

The script will continue to do some extra tasks and call other scripts for execution. When done, you will be presented with some statistics of what was done. You can run the script multiple times without any problem.

Step 2

To disable the NIC offloading features on SELKS persistently across reboots, make sure your /etc/network/interfaces looks like this (in this example, eth3 is the sniffing interface):

root@SELKS:~# cat /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth3
iface eth3 inet manual
    pre-up ifconfig $IFACE up
    post-down ifconfig $IFACE down
    post-up /etc/network/if-up.d/selks-idps-interface-tuneup_stamus

The script idps-interface-tuneup_stamus is part of the selks-scripts-stamus package and is already pre-installed in /etc/network/if-up.d/.

Reboot.

To verify you can use the following:

root@SELKS:~# ethtool -k eth3
Features for eth3:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
    tx-checksum-unneeded: off [fixed]
    tx-checksum-ip-generic: off
    tx-checksum-ipv6: off [fixed]
    tx-checksum-fcoe-crc: off [fixed]
    tx-checksum-sctp: off [fixed]
scatter-gather: off
    tx-scatter-gather: off
    tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
    tx-tcp-segmentation: off
    tx-tcp-ecn-segmentation: off [fixed]
    tx-tcp6-segmentation: off [fixed]
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off [fixed]
ntuple-filters: off [fixed]
receive-hashing: off [fixed]
highdma: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]
root@SELKS:~#

That's it.
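To turn the manual read-through of the ethtool -k output into a repeatable check (for example after a reboot or a driver update), the following is an added example, not part of the SELKS scripts. The feature list it checks is an assumption taken from the verification output above, and the sample input is constructed.

```shell
#!/bin/sh
# Top-level features expected "off". Assumption: the list is taken from the
# verification output on this page, not from the SELKS tune-up script itself.
OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload"

# Reads `ethtool -k` text on stdin and prints one line per problem:
#   ON <feature>       enabled, can be switched off
#   FIXED <feature>    enabled and marked [fixed], the driver will not change it
#   MISSING <feature>  not reported by this driver
offload_report() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " ") }
        # Top-level "name: on|off [fixed]" lines only; indented sub-features skip.
        /^[^ \t][^:]*: (on|off)/ {
            name = $1; sub(/:$/, "", name)
            state[name] = $2
            fixed[name] = ($3 == "[fixed]")
        }
        END {
            for (i = 1; i <= n; i++) {
                f = w[i]
                if (!(f in state)) { print "MISSING", f; continue }
                if (state[f] != "on") continue
                tag = fixed[f] ? "FIXED" : "ON"
                print tag, f
            }
        }'
}

# Constructed sample (not from a real sensor): GRO on, LRO stuck on, no SG line.
sample_output() {
    cat <<'EOF'
Features for eth3:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: on [fixed]
EOF
}

# Live use: sh check.sh eth3  (prints nothing when every listed offload is off)
if [ "$#" -gt 0 ]; then ethtool -k "$1" | offload_report; fi
```

A FIXED line means the driver keeps that offload enabled regardless of ethtool -K, so the interface cannot be fully tuned for sniffing with that NIC/driver combination.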