As I was looking at the bro cluster documentation, I noticed there wasn’t any information / configuration parameters to authenticate / authorize the communication between the manager, worker and proxy components.
How do we protect against malicious processes impersonating real components?
Can you mitigate the risk by running a local firewall (e.g. IPTables on Linux, or PF on FreeBSD) on each component with explicit rules pairing manager<->workers<->proxies on the appropriate ports?
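A sketch of the per-host firewall pairing suggested in the reply above, added here as an example rather than taken from the thread or from Bro's own tooling. The addresses are constructed sample values, and the single TCP port is an assumption to replace with the port(s) configured in your own cluster; the script prints the iptables commands for review instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-host iptables rules that
# accept cluster-port traffic only from the peers a given Bro role must talk to.
# All addresses below are constructed sample values.
MANAGER="10.0.0.1"
PROXIES="10.0.0.10 10.0.0.11"
WORKERS="10.0.0.20 10.0.0.21"
# Assumption: the components exchange traffic on one TCP port; replace this
# with the port(s) from your own cluster configuration.
CLUSTER_PORT="${CLUSTER_PORT:-47761}"

# peers_for ROLE -> prints the addresses this role is allowed to talk to:
# manager <-> workers <-> proxies, with the manager also paired to proxies.
peers_for() {
    case "$1" in
        manager) echo "$PROXIES $WORKERS" ;;
        proxy)   echo "$MANAGER $WORKERS" ;;
        worker)  echo "$MANAGER $PROXIES" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# cluster_rules ROLE -> prints the iptables commands for a host running ROLE.
# Commands are printed, not executed, so they can be reviewed before applying.
cluster_rules() {
    role="$1"
    peers=$(peers_for "$role") || return 1
    for p in $peers; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$p" "$CLUSTER_PORT"
    done
    # Anything else reaching the cluster port is dropped; other services are untouched.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$CLUSTER_PORT"
}

cluster_rules "${1:-worker}"
```

Run it as `sh rules.sh worker` (or `manager` / `proxy`) on the matching host and pipe the output into a shell once reviewed. Note that the filter keys only on source address and port, which is exactly the limitation raised in the next message: a compromised host that is already on the allowed list passes these rules.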
I guess I could, though that wouldn’t protect from attacks coming from authorized hosts.
Anyway, I’m just trying to figure out what level of security is built in!
True, but I’d argue that if an attack is sourcing from a Bro component an authorization/authentication mechanism would be the least of concerns.
A common setup would be to have the cluster privately addressed and behind a bastion host, using ssh host keys between trusted hosts.