Welcome to part four of my in-depth guide on configuring a Virtual Home Lab specifically for Blue Team Security. In this section, our primary focus will be on Security Onion. If you haven’t yet explored the preceding tutorial, which discusses the installation of pfSense in detail, I strongly suggest taking a look for a holistic understanding. To revisit the previous segment, click here.
Introduction
The second virtual machine in our Virtual Home Lab hosts the Network Security Monitoring (NSM) platform. This platform does more than intrusion detection (IDS): it also handles log management. I chose Security Onion for this role for three reasons. First, it bundles a wide range of security tools that are already integrated and pre-configured. Second, it has strong community support: a large, active community produces a wealth of material to learn from. Third, it is easy to use: the interface is approachable for beginners while still offering advanced features for experienced users. The virtual machine that will serve as the NSM platform has the following specifications:
- CPU: 2 processors
- Memory: 16 GB
- Hard disk: 200 GB
- Network adapters: 3
  - NAT
  - VLAN4
  - VLAN5
This virtual machine connects to the pfSense firewall through the VLAN4 adapter. The adapter on VLAN5 acts as the span port: a port that receives a mirrored copy of the traffic from one or more network segments so that it can be analysed and monitored. Security Onion listens on this adapter in promiscuous mode and never assigns it an IP address; the captured traffic feeds its tools for intrusion detection, packet analysis, and logging. One caveat: the host-side VMnet used for the span port must permit promiscuous mode. On a Linux host, VMware Workstation only allows this if your user can read and write the corresponding /dev/vmnet* device.
The following image showcases the settings I have configured:
Setup Security Onion within VMware
This section of the blogpost will outline the steps to setup the Security Onion virtual machine within VMware.
Download the Security Onion ISO file from here
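Before you boot anything from that ISO, confirm it is the file the project published. The script below is an added example (not from the original post or from the Security Onion project): it compares the SHA-256 of the downloaded image with the value you copy from the download page, and refuses a file that is missing, that hashes differently, or whose expected value is not a well-formed SHA-256. The file name and hash values in its demo are constructed stand-ins, not real release checksums.

```shell
#!/bin/sh
# Verify a downloaded ISO against its published SHA-256 before booting it.
# Added example, not from the original post: the file and the hash values
# in the demo are constructed; the real values come from the download page.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1    # macOS / BSD fallback
    fi
}

# verify_iso ISO_PATH EXPECTED_SHA256
# Returns 0 when the file hashes to EXPECTED_SHA256 (case-insensitive),
# 1 when the file is missing, the expected value is malformed, or the
# hash differs.
verify_iso() {
    iso=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ ! -f "$iso" ]; then
        echo "FAIL: $iso does not exist" >&2
        return 1
    fi
    # A SHA-256 is exactly 64 hex digits; anything else is a copy/paste error.
    if [ "${#expected}" -ne 64 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
        echo "FAIL: expected value is not a SHA-256 (64 hex digits)" >&2
        return 1
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches $expected"
        return 0
    fi
    echo "FAIL: $iso hash mismatch, do not boot it" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo on a constructed stand-in file (the real ISO is several GB).
demo=$(mktemp)
printf 'not really an ISO\n' > "$demo"
good=$(sha256_of "$demo")
verify_iso "$demo" "$good"                          # OK
verify_iso "$demo" "$(printf '%064d' 0)" || true    # FAIL: hash mismatch
rm -f "$demo"
```

Run it as `verify_iso /path/to/securityonion.iso <published-sha256>` once you have the real download. A matching checksum proves the file is intact and identical to what the page lists; if the project also publishes a detached signature and signing key, verify those with `gpg --verify` as well, since a checksum hosted alongside the file can be replaced by whoever replaces the file.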
In the top-left corner of the VMware Workstation window, click File -> New Virtual Machine
A window should appear similar to the one pictured below. Make sure that the Typical (recommended) option is selected and click Next
Click Browse and navigate to the Security Onion ISO file that you downloaded in the previous step.
Click Next
The guest operating system will be Linux
The version of the Linux operating system will be CentOS 7 64-bit
Click Next
Feel free to name the virtual machine as you like; I’ll be calling mine SecurityOnion
Click Next
Set the maximum disk size to 200 GB; that should be sufficient for this virtual machine.
A Network Security Monitoring (NSM) platform needs a considerable amount of disk space. Full packet capture, the logs generated continuously from the monitored traffic, the historical data kept for searching, and the archived records of detected security events all consume disk quickly, so plan for ample storage.
Make sure that the Split virtual disk into multiple files option is selected.
Click Next
Click Customize Hardware…
While in the Customize Hardware window you should:
- Increase the memory to 16GB
- Increase the number of processors to 2
- Add two more network adapters (three in total) and map them to the VMnet interfaces as demonstrated below.
Click Close and you should be brought back to the previous window again.
Click Finish
The Security Onion virtual machine will initiate automatically.
Installation of Security Onion
This section of the blog will detail the steps for installing Security Onion.
It’s recommended to create multiple snapshots while working with a virtual machine, allowing for a smooth rollback to previous states if needed.
This action can be accomplished in VMware Workstation by navigating to the upper left corner of the window and choosing VM -> Snapshot -> Take Snapshot…
At the boot menu, either choose the first item on the list or wait for it to boot automatically.
The installer asks for permission to erase the partitions previously configured on the disk. To proceed, type the word yes.
Next, create an administrative username and password. This is the operating-system account you will use at the console and over SSH; it is separate from the email address you will set later for the web interface.
Let the installation process run its course; the system will automatically restart once it’s finished with its task.
Select Yes
Select Install
Select the Eval option. Eval mode runs every component on this single machine, which is ideal for a learning lab but is not intended for a production sensor.
You can choose the option by pressing the space key.
Type the word Agree to accept the Elastic License
Input a hostname that you’d like to assign to Security Onion for easier identification.
Select the ens33 interface as the management NIC.
Select DHCP. Bear in mind that with DHCP the management address, and therefore the access URL shown at the end of setup, can change between reboots; for a lab, either reserve this address in the DHCP server that serves the adapter or choose a static address instead.
Select Standard (an internet-connected installation, as opposed to Airgap).
Select Direct (the machine reaches the internet directly rather than through a proxy).
Let the installation perform certain tasks in the background.
Select ens35 as the monitor (sniffing) interface; this is the adapter connected to VLAN5, the span port.
Select Automatic
Keep the home network(s) section at its default setting.
Here, you have the option to choose the specific services you’d like to install on your virtual machine. For this installation, I’ll be activating all available services.
Select Yes
Enter an email address; it will be the username for logging in to Security Onion's browser interface.
Enter a password for that account.
Select IP
Select Yes
Leave the configuration at its default
Select No
Store this information securely; the most crucial detail from this display is the access URL.
This step will execute the configuration settings you’ve just input and initiate the installation of Security Onion. Be prepared; this process will take a considerable amount of time to complete.
Select Ok
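Once setup finishes and the VM reboots, it is worth confirming from a shell on the sensor that the two adapters ended up in the roles you intended: the management NIC (ens33 above) should hold an IPv4 address, and the span-port NIC (ens35) should be UP and in promiscuous mode but hold no IPv4 address of its own, since traffic is only read from it. The script below is an added example, not part of the original post or of Security Onion: it parses the output of `ip -o link show` and `ip -o -4 addr show`, and its demo runs on constructed sample output rather than the live commands. The interface names are taken from the tutorial; the addresses are made up.

```shell
#!/bin/sh
# Post-install sanity check for a Security Onion sensor: the management NIC
# must have an IPv4 address, and the sniffing (span) NIC must be UP, in
# promiscuous mode and carry no IPv4 address of its own.
# Added example; the interface names follow the tutorial (ens33 management,
# ens35 monitor) and the sample `ip` output in the demo is constructed.

# iface_link_line IFACE LINK_OUTPUT
# Prints the `ip -o link show` line for IFACE, or returns 1 if absent.
iface_link_line() {
    printf '%s\n' "$2" | grep -E "^[0-9]+: $1: "
}

# mgmt_ipv4 IFACE ADDR_OUTPUT
# Prints the first IPv4 address (without prefix length) on IFACE from
# `ip -o -4 addr show` output; returns 1 if it has none.
mgmt_ipv4() {
    printf '%s\n' "$2" | awk -v i="$1" '
        $2 == i && $3 == "inet" { split($4, a, "/"); print a[1]; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# check_monitor_iface IFACE LINK_OUTPUT ADDR_OUTPUT
# Returns 0 only if IFACE exists, is UP, is PROMISC and has no IPv4 address.
check_monitor_iface() {
    iface=$1
    rc=0
    line=$(iface_link_line "$iface" "$2") || {
        echo "FAIL: $iface not present" >&2; return 1; }
    case "$line" in
        *PROMISC*) echo "ok: $iface is in promiscuous mode" ;;
        *) echo "FAIL: $iface not promiscuous (fix: ip link set $iface promisc on)" >&2; rc=1 ;;
    esac
    case "$line" in
        *" state UP "*) echo "ok: $iface is UP" ;;
        *) echo "FAIL: $iface is not UP (fix: ip link set $iface up)" >&2; rc=1 ;;
    esac
    if mgmt_ipv4 "$iface" "$3" >/dev/null; then
        echo "FAIL: $iface has an IPv4 address; a span-port NIC should have none" >&2; rc=1
    else
        echo "ok: $iface has no IPv4 address"
    fi
    return $rc
}

# check_sensor MGMT_IFACE MON_IFACE [LINK_OUTPUT] [ADDR_OUTPUT]
# Without the optional arguments the live `ip` commands are used.
check_sensor() {
    link=${3:-$(ip -o link show)}
    addr=${4:-$(ip -o -4 addr show)}
    rc=0
    if mip=$(mgmt_ipv4 "$1" "$addr"); then
        echo "ok: management $1 has $mip (web UI: https://$mip/)"
    else
        echo "FAIL: management $1 has no IPv4 address" >&2; rc=1
    fi
    check_monitor_iface "$2" "$link" "$addr" || rc=1
    return $rc
}

# Demo on constructed output, shaped like `ip -o link show` and
# `ip -o -4 addr show` on a correctly installed sensor.
SAMPLE_LINK='2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: ens35: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:03 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR='2: ens33    inet 192.168.43.20/24 brd 192.168.43.255 scope global dynamic noprefixroute ens33\       valid_lft 1732sec preferred_lft 1732sec'
check_sensor ens33 ens35 "$SAMPLE_LINK" "$SAMPLE_ADDR"    # every line "ok", exit 0
```

On the sensor itself, `check_sensor ens33 ens35` runs against the live commands. If the monitor NIC is not in promiscuous mode, first check that the host-side VMnet used as the span port allows it. If the management address differs from the one in the access URL you saved, the DHCP lease has changed, which is the reason to reserve or pin that address.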
Conclusion
That wraps up this blog post on installing Security Onion, where we covered setting up the virtual machine and carrying out the installation. Future posts will look at managing the configuration through the web interface. The next article will concentrate on configuring the attacker Kali Linux machine.
If you run into any issues or have questions about setting up the Security Onion virtual machine, don't hesitate to leave a comment. I'm here to assist!