bro cluster security

Luis_Miguel_Silva · January 30, 2015, 7:40am

All,

As I was looking at the bro cluster documentation, I noticed there wasn’t any information / configuration parameters to authenticate / authorize the communication between the manager, worker and proxy components.

How do we protect against malicious processes from impersonating real components?

Thank you,
Luis

Dave_Crawford · January 30, 2015, 12:17pm

Can you mitigate the risk by running a local firewall (e.g. IPTables on Linux, or PF on FreeBSD) on each component with explicit rules pairing manger<->workers<->proxies on the appropriate ports?

-Dave

Luis_Miguel_Silva · January 30, 2015, 12:33pm

I guess I could, though that wouldn’t protect from attacks coming from authorized hosts.

Anyway, I’m just trying to figure out what level of security is there builtin!

Thanks,
Luis

Dave_Crawford · January 30, 2015, 1:25pm

True, but I’d argue that if an attack is sourcing from a Bro component an authorization/authentication mechanism would be the least of concerns.

Slagell_Adam_J · January 30, 2015, 1:31pm

A common setup would be to have the cluster privately addressed and behind a bastion host, using ssh host keys between trusted hosts.

Topic		Replies	Views
Possible Bro Cluster communication issue? Zeek	6	98	May 6, 2022
Bro Cluster Firewall Rules Documentation Development development	1	73	May 6, 2022
Bro Cluster using Vagrant Issues Zeek	6	116	May 6, 2022
bro cluster setup questions Zeek	2	81	May 6, 2022
New Cluster configuration Zeek	4	75	May 6, 2022

bro cluster security

Related topics