Just joined the list and had a question … that I apparently sent to customer support... oops.
Anyway, I'm building a FreeBSD server and was wondering what the best practice / placement for Bro would be.
Essentially it's a forward-facing firewall based on FreeBSD. So I was wondering if it's best to deploy on the host OS, or create a jail or two and funnel traffic through that? I also wanted to know if there were any special considerations with jails / setup.
Some options I came up with:
internet > firewall > lan/dmz
internet > firewall > nginx proxy > lan/dmz
internet > firewall > dmz jail > NO lan
internet > firewall > bro jail > proxy jail > lan/dmz
In the FreeBSD sense, jail all the things. You will be able to find some write-ups for Snort, but not so much for Bro, which I will look to create and blog about.
The main thing is that when you set up the jail, make sure the jail is configured for the interface you wish to monitor. You would normally monitor the LAN side, but you could have a separate jail configured to monitor the external side, looking for threats and traffic making it in and out of your firewall.
A couple of additional items I myself have not had the chance to play with, but which should be possible in Bro 2.5, are the ability to interact with ipfw/pf through the NetControl Framework to update the firewall on the fly, and also shunting flows.
As far as logging, I normally stick to the standard Bro log files, and you can run tools from the host OS to process the log files in the jail if you want.
I wrote up a basic how-to for getting Bro working within a FreeBSD jail.
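As an added illustration of the "configure the jail for the interface you wish to monitor" point (this is not from the thread or from Michael's how-to), here is a hypothetical jail.conf(5) entry plus the devfs ruleset it relies on. It assumes the LAN-side interface is em1, the jail root is /usr/jails/bro, and ruleset number 10 is free; the jail shares the host network stack (ip4/ip6 = inherit) so that pf/ipfw keeps owning em1 while Bro reads it through /dev/bpf.

```conf
# /etc/devfs.rules (constructed example): expose only the bpf devices
# inside the jail, on top of the stock "hide everything" jail ruleset.
[devfsrules_jail_bro=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

# /etc/jail.conf (constructed example)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

bro {
    host.hostname = "bro.lan";       # assumed hostname
    path = "/usr/jails/bro";         # assumed jail root
    # Share the host's network stack instead of a VNET: em1 stays on the
    # host, so the firewall still filters it and Bro only sniffs a copy.
    ip4 = inherit;
    ip6 = inherit;
    # Without this ruleset /dev/bpf* is hidden and Bro cannot open em1.
    devfs_ruleset = 10;
    # Bro is started inside the jail with: broctl deploy
    # and node.cfg's "interface=em1" must name the host-side interface.
}
```

With inherit the jail can bind to any host address, so restrict listening services inside it (BroControl itself needs none) and keep the external-side monitor, if you build one, in its own jail with its own ruleset.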
Thanks, Michael! I've been meaning to look into this for a while. I'll
have to give this a shot.
Michael Shirk <email@example.com> writes: