Network Security - 2.1 Installing Security Onion
OK, so referring back to our diagram one more time, we are now going to set up and
deploy our Security Onion server. We are going to install the Security Onion
software onto the physical hardware we have for it, connect its management
interface to our network over a LAN cable, and connect its sniffing interface to
the mirror port on our switch. So, let's go ahead and get started.
OK, so what I have done here is I have taken the server hardware, and I have placed
it above the rest of our network here. I have also connected its power cord to the
outlet strip. I have connected the network interface that I want to use as our
management interface to port 4 on the TP-Link switch, and I have left the interface
that I want to use as our sniffing interface disconnected. The reason I've done
that is that it makes it easy to tell which interface is which when we are
installing the server software; you'll see that in a little bit. I have also
connected a VGA cable to my monitor so that I can interact with the computer, and I
have connected a USB keyboard and a USB mouse to two of the open USB ports.
Now the rest of the network is set up the way it was at the end of the WiFi
bridge setup video: we have our WiFi bridge connected to the switch, our wired
clients connected to the switch, our switch connected to our router, and our
router connected to the internet.
Now what I'm going to do is I'm going to take our flash memory stick that we
flashed the installation software onto in the last video, and I'm going to put it
into one of the open USB ports here. Then I'm going to reach around the front of
this computer and I'm going to turn it on.
So, we are now looking at the monitor output of that computer, and when we first
start the computer up, we have a few seconds to get into the BIOS in order to
instruct the computer to boot off of our USB stick. If you don't know what a BIOS
is, it is the firmware on the motherboard (on modern machines it is UEFI, but the
word BIOS is still used for the setup screens): it initializes the hardware, decides
which device to boot from, and then hands control to your main operating system
like Windows 10 or Linux.
Right now I have this boot screen paused so that I can talk about it for a little
bit, and this one is being nice and telling me up here in the upper right hand
corner that F12 will get me into boot options. That means that if I tap the F12 key
while this computer is first booting up, then the BIOS will give me options on my
screen.
Now very often new computers won't give you any of this information at all: they'll
just go straight to the operating system they came pre-installed with, like
Windows 10 or Windows 11. If your computer does that to you, don't worry, there's
still a way to get into the BIOS. You do it by tapping a specific key on your
keyboard right when you first turn the computer on, and you do it that way even if
the computer never tells you which key it is. In fact, this computer wasn't being so
nice the first time I turned it on: it just went straight to Windows 10. I had to
restart it several times and try tapping different keys until I found the right
one. Only after I had found the right one and used it did it start telling me what
the right one was.
So, if you find yourself in that situation, the most common keys in my experience
are F10, F11, F12, Delete or Escape. The F1 and F2 keys are also possibilities. In
any event, you are going to need to get into the BIOS of whatever computer you are
using for Security Onion so that you can tell it to boot off of the USB stick.
So, I'm gonna go ahead and unpause this boot screen video now, and I am tapping on
F12, and as you can see it is preparing a one time boot menu for me. So, the actual
duration of this boot screen, if I hadn't paused it, was maybe five seconds. And,
as you can see, the BIOS is giving me some information and some options.
Now we navigate up and down these options that it's giving me just by pushing the
up and down arrows on the keyboard, and when you want to select one of these
options, you just hit enter on the keyboard. Now if when you do this, your USB
stick is given as one of the boot options, then you may be able to select that and
you may not have to do anything else.
Actually, as you can see, we are not being given the option of the USB stick as a
boot device even though I have plugged it into this computer, so we are going to
have to make some changes to the BIOS here.
So, we are going to select BIOS setup. Now, this screen is the BIOS interface for
this computer. There is a lot of variability in the layout of these BIOS interface
screens from computer to computer. However, all of the settings that I'm going to
be changing here are pretty standard, so any computer that you have should have
very similar settings somewhere in the menu structure of its BIOS interface. If
your BIOS interface screen looks a lot different than this one, you may just have
to look around in the menu structure of your specific example for the equivalent
settings here.
So, in this example I'm first going to go to the boot sequence over on the left.
In order to get our USB stick to show up in the list of bootable devices, we need
to set the boot list option to legacy, and as you can see that option is grayed
out. So, the next thing I'm going to do is go to advanced boot options, where we
need to enable legacy option ROMs. When I try to do that, it spits an error out at
me and informs me that legacy option ROMs are not allowed while secure boot is
enabled. It's telling me that because apparently I didn't read where it already
said so right here, and some of you may have noticed that the one-time boot menu
we saw a moment ago also told us that secure boot was enabled.
So, we're going to click OK here, go over to secure boot on the left, expand that
menu, select secure boot enable, and set it to disabled.
It's going to warn us that disabling secure boot will reduce the system's
security, and that is a real warning, not a formality. Secure boot makes the
firmware check the signature on the bootloader and kernel before it runs them;
with it off, a tampered bootloader or a bootkit would be loaded without any
complaint, and boot sequences do get compromised that way. In this example we have
no choice if we want to boot this stick in legacy mode, so we are going to select
yes and trust that the Security Onion team is providing us with secure software.
One caveat worth checking on your own hardware: it is the legacy (CSM) boot path
that requires secure boot off, so if your firmware lists a UEFI entry for the USB
stick, try booting that first and leave secure boot enabled. Either way, you are
warned that this is a potential problem, and you are accepting the responsibility
if you choose to say yes.
Now we have to hit apply so that these changes take effect. And, we can go back to
advanced boot options and select enable legacy boot ROMs and apply those changes.
And, now we can go to the boot sequence again, and in the boot list option legacy
is no longer grayed out, so we can select that and we can apply that change. Now we
will actually be able to boot off of this USB stick that we made.
There is one more thing I am going to do, though, while we are already here, and
that is configure this computer to automatically restart if the power to it gets
cut off. And, that can happen if the power goes out. This will just make it so that
Security Onion will automatically turn back on when power is restored to it. So,
now I am going to expand the power management menu over here on the left, and I am
going to select AC recovery, and I'm going to select power on. Then I'm gonna hit
apply.
So, just to recap: I have set AC recovery so that the computer will automatically
power back on if power gets cut to it, I have disabled secure boot in the secure
boot menu, I have enabled legacy option ROMs in the advanced boot options, and in
the boot sequence I have set the boot list option to legacy. So, we can exit out
of the BIOS interface here, and we should be allowed to boot off of this USB stick
now.
And, I began tapping on the F12 key immediately when this computer began to reboot,
and now it is preparing a boot menu for me, and there are our legacy boot options.
And, as you can see our USB stick is now in our list of options, so we can go ahead
and boot off of that.
Now I'm going to select it and hit enter. And, here we are: the Security Onion
installer boot screen. As you can see, there are a number of options here for
different installation modes. We are just going to do the top one which is install
Security Onion, so we can allow the automatic boot timer to go to zero, and that
will take us to the next step here.
Now after several seconds the Security Onion installer will warn you that
installing Security Onion onto a computer will erase all of the data that is
already on that computer, and they want you to write the entire word ‘yes’ if you
really want to do that. So, that's what we're going to do: we're going to type in
Yes.
And, it is going to ask you for an administrative user name, and then for a
password for that user. This is the Linux account on the server itself, and it
gets sudo (root) rights over the whole machine, so it is an extremely privileged
user: set a good password and don't forget it, because this is what you will use
to log into the Security Onion server and administer it later. Later on in this
installation process we will be prompted for a separate analyst user name and
password; that is a less privileged account that you will use when you log into
the web interface to do network analysis tasks. So I'm going to go ahead and set a
user name. Classnsm is the user name I'm using. Then I'm going to enter a
password, and that will actually start the first phase of the installation process.
Now, when I did this, it took about a half an hour for the installer to write all
of the initial files to the hard drive, so this is gonna take a little while and
I'm gonna go ahead and skip to when it is done. And, just as a note, if the
installer shuts your screen off during this process, you can get it back by just
tapping on the space bar on your keyboard. Also, it sits on this running post
installation script step for a long time.
So, when the initial process of writing files does finally complete, it will prompt
you to press enter on your keyboard to reboot. So, we're going to go ahead and do
that, and the system will take a few moments to shut down and restart. When it
does, we will be directed to the CentOS boot screen, which is what we want, and by
default it has the correct option selected for us. So, we can just allow this boot
timer to go to zero, and that takes us to a localhost login prompt. Here we log in
with the user name and password we set in the previous step. So, I'm going to go
ahead and enter that user name and password, and now the installer is going to
start asking us lots of questions.
So, the first screen that pops up here is some general information and some
instructions on how to use this interface. Basically, you don't have a mouse, so
you have to use your keyboard. Now you all can read these directions and they are
not too difficult. I will mention that you can also use tab to toggle between what
you have selected on the screen, and they don't mention that here. So they have the
answer yes highlighted here for us already. And, we are going to go ahead and hit
enter to select that one.
We definitely do not want evaluation mode here; that mode is for trying the tools
out, not for a sensor you intend to keep. What we are doing is the standalone
installation, which runs all of the components on this one server, so I'm going to
push the down arrow so that standalone is highlighted, press the space bar so that
standalone is selected, hit tab so that OK is selected, and press enter.
Now here we have to agree to the Elastic license agreement, so we are going to type
in ‘agree’ hit tab and press enter.
Now here you can name your host whatever you wish. I'm just going to name this one
classnsm and I'm going to move on here.
Now here you are given the option to name a node for this server, and I only have
one server here, so I'm just gonna leave this blank. If you want to put a name
here, you can. I'm going to select OK and move on here.
And, here you can see why it is useful that I left the network interface card that
I want to use as our sniffing interface unplugged, because as you can see the name
that Linux gives to network adapters is pretty cryptic, and not all that useful
when you're trying to determine which one is which. But, since I left one of them
unplugged, I have a link up and a link down indication here. So, the one that we
want to use as our management network interface card is the one that has the link
up right now. So, I'm going to push the down arrow to highlight that one. I am
going to push the space bar to select it, and I'm going to hit tab so that I select
OK down here, and I'm going to push enter.
Now it is going to ask us whether we want the IP address for our management
interface to be configured statically or dynamically. We are going to choose
dynamically, so go ahead and select DHCP, select OK, and move on to the next step.
Here it warns us about using DHCP: if the IP address changes, that is a problem,
because the address is how we will reach the web interface and how any sensors
would find this server. It also tells us that we can just set a DHCP reservation,
meaning we tell the router to always hand the same address to the management
interface's MAC address, and that is exactly what we're going to do. So, we are
going to stick with DHCP here. It has yes selected for us already, so we can just
go ahead and hit enter.
Next the installer asks us if we have a direct connection to the internet or we are
going through a proxy, and we are not going through a proxy, so select direct, and
select OK, and press enter.
Now the installer will run some system checks and this can take a couple of
minutes, so I'm going to go ahead and skip to when it's done.
Next it will ask us which network interfaces we want to use as sniffing interfaces,
monitor interface it calls it here, and we only have one, so we are going to select
that one and we are going to select OK.
Now it is going to ask us about the update schedule, and we are going to set this
to automatic. And, that will just make sure that the Linux distribution that
Security Onion is running on top of will automatically stay up to date. And, many
of those updates are security updates when they get pushed out, so this will help
keep your system more secure without you having to think about it. And, as you can
see, it says here that this automatic update schedule will not update Security
Onion related tools, and Security Onion tools are actually updated by a separate
script. And, I will show you that later, and automatic updates is already selected
here so we can just move on to the next step.
Next it is going to ask us about our home network IP address range, and you don't
strictly have to do anything here. The ranges it lists by default are the private
(RFC 1918) address blocks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. This
value becomes HOME_NET, which Suricata and Zeek use to decide which side of a
connection is "us", and it is an awful lot of addresses to call home, so what I'm
going to do is restrict it down to only the addresses our router actually serves
in this example. I'm going to put in 192.168.8.0/24, which covers 192.168.8.0
through 192.168.8.255, of which 192.168.8.1 to 192.168.8.254 are assignable
hosts. That is actually what our home network is in this example, so I'm going to
go ahead and do that. If your network has more than one subnet, list each of them
here separated by commas. Once I've done that, I'm just going to select OK and
move on.
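To see why narrowing this value matters, here is an added example (not part of
the installer or of Security Onion itself) that classifies a few constructed
flows the way a Suricata rule header does. Suricata rules are written against
the `$HOME_NET` and `$EXTERNAL_NET` variables, and `EXTERNAL_NET` defaults to
`!$HOME_NET`; the default and narrowed lists below mirror the installer's
default and the value entered above. The IP addresses in the flows are
constructed, and `rule_matches` is a deliberately simplified evaluator of the
source/destination part of a rule, not Suricata's own code.

```python
"""How the HOME_NET answer changes what counts as 'home' versus 'external'."""
import ipaddress
from typing import List, Tuple

# Installer default (RFC 1918 blocks) versus the value entered in the walkthrough.
DEFAULT_HOME_NET = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
NARROW_HOME_NET = ["192.168.8.0/24"]

Nets = List[ipaddress.IPv4Network]


def parse_home_net(cidrs: List[str]) -> Nets:
    """Parse the comma-separated style list; strict=True rejects host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_home_net(ip: str, nets: Nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def flow_direction(src: str, dst: str, nets: Nets) -> str:
    """Label a flow as home->external, external->home, home->home or external->external."""
    s = "home" if in_home_net(src, nets) else "external"
    d = "home" if in_home_net(dst, nets) else "external"
    return f"{s}->{d}"


def rule_matches(rule_src: str, rule_dst: str, src: str, dst: str, nets: Nets) -> bool:
    """Evaluate the address part of a rule header such as '$HOME_NET -> $EXTERNAL_NET'.
    Simplified on purpose: only the two variables and 'any' are understood."""
    def side(var: str, ip: str) -> bool:
        if var == "$HOME_NET":
            return in_home_net(ip, nets)
        if var == "$EXTERNAL_NET":      # Suricata default: EXTERNAL_NET = !$HOME_NET
            return not in_home_net(ip, nets)
        if var == "any":
            return True
        raise ValueError(f"unsupported address variable {var!r}")
    return side(rule_src, src) and side(rule_dst, dst)


def usable_range(cidr: str) -> Tuple[str, str, int]:
    """First/last assignable host and the host count for a prefix (network and broadcast excluded)."""
    hosts = list(ipaddress.ip_network(cidr, strict=True).hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    # Constructed flows: a LAN client talking to a 10.x host, to a public host,
    # and a 172.16.x host (say, the far side of a VPN) talking to a LAN client.
    flows = [("192.168.8.50", "10.0.0.5"),
             ("192.168.8.50", "93.184.216.34"),
             ("172.16.4.9", "192.168.8.10")]
    for label, cidrs in (("default", DEFAULT_HOME_NET), ("narrow", NARROW_HOME_NET)):
        nets = parse_home_net(cidrs)
        print(f"HOME_NET={','.join(cidrs)}")
        for src, dst in flows:
            outbound = rule_matches("$HOME_NET", "$EXTERNAL_NET", src, dst, nets)
            print(f"  {src:>14} -> {dst:<14} {flow_direction(src, dst, nets):18s} "
                  f"'$HOME_NET -> $EXTERNAL_NET' fires: {outbound}")
    print("usable hosts in 192.168.8.0/24:", usable_range("192.168.8.0/24"))
```

With the broad default, a LAN client reaching out to 10.0.0.5 is home->home, so
an outbound rule written as `$HOME_NET -> $EXTERNAL_NET` never fires on it; with
192.168.8.0/24 it is home->external and the rule applies. The flip side is the
last flow: once HOME_NET is narrowed, anything in another private range (a VPN
subnet, a second router upstream doing NAT on 10.x) is now external, so include
every range you actually own rather than only the one the router hands out.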
So, next we are going to tell it that we will do the basic install using
recommended settings. We do not want to do additional configurations here, so go
ahead and hit OK and move on to the next step.
So, next it asks us which application we want to generate connection metadata for
us, and we are just going to stick with Zeek here.
Now it asks us about intrusion detection system rule sets. Go ahead and stick with
Emerging Threats Open, which is free, unless you have a paid subscription for the
Emerging Threats Pro or Snort subscriber rule sets.
Next it is going to ask us which optional services we want to have running on our
server, and we are going to leave them all enabled and move on to the next step
here.
Next we are going to go ahead and keep the default docker IP range.
So, now it prompts us to create an administrator account for the web interface for
Security Onion, and this is the account that we are going to use when we want to
log into Security Onion to do network analysis tasks. It is a less privileged
account than the account that we created earlier that has root privileges on the
Linux server that Security Onion runs on top of. That account that we made earlier
is for administering the server, and this account is for doing network analysis
tasks.
Now go ahead and use whatever email address you want to create this account, and it
will prompt you to create a password. It is probably a good idea to set a different
password for this account than for the server administrator account.
It will then ask us how we are going to access the web interface, and we are going
to be using an IP address, so we can just leave this set the way it is and move on
to the next step.
So, now we are shown an informational screen about remote sensors where the only
option is OK, so we are just going to say OK. We are not going to be adding any
remote sensors anyway, but it will still have us set a password here, so we're
going to go ahead and do that.
So, we are going to do the basic configuration using the recommended settings, So
we can go ahead and select OK here and move on to the next step.
We are going to stick with one process for Zeek, and we are also going to stick
with one process for Suricata. One worker each is plenty for a home internet link;
on a busier link you would size these to the traffic and the cores you have.
And, we are going to go ahead and select yes when it asks us if we want to
configure network time servers, and we are going to go ahead and stick with the
default time servers that it gives us here.
And, we are going to go ahead and stick with the recommended settings for search
node.
And when it asks if we want to run the so-allow command to let other machines
connect to this server's web interface, the answer is definitely yes. The server's
host firewall blocks everything by default, and so-allow is what opens the web
interface to the analyst addresses you name.
It will then ask us which IP address or IP address range we want to allow, and if
you want to restrict this to a single IP address, you can do that here. I am just
going to allow machines on my home network to access the web interface, so that is
the same value I entered earlier when it asked about the home network:
192.168.8.0/24. Then we hit OK on that one.
We are finally done making configuration choices here. It's going to give us a
list of all of the choices we've made, and once we select yes it will continue
the installation process. When I was making this recording, this part of it took
about 50 minutes, so I'm going to go ahead and skip ahead to when it is done.
And, it is almost done here, and it has told us that it has finished setting up the
standalone installation. And, it has also given the IP address of the server on our
home network here, so that is 192.168.8.134. So, that is how we are going to log
into it remotely. So, I'm gonna go ahead and hit enter and that will reboot the
server.
Now for those of you that don't know, putting sudo in front of a command runs that
one command with root privileges, which means it can do anything at all to the
computer, so many Linux systems give you this little warning the first time you
use sudo. And init 0 is just a command to shut the computer down.
So, I'm going to type in the administrator password again and that is the same
password that I just entered up here when I was logging in, and the server will now
shut down.
So, now that we have finished setting up this server, we don't need so much stuff
attached to the outside of it anymore. So, I'm going to disconnect the USB stick,
the VGA cable, and the mouse and keyboard from it, and we also need to attach the
sniffing interface on the server to the mirror port on the switch. So, I'm going
to take a new Cat6 cable and connect those two ports. Then I'm going to reach
around the front of the server again and turn it back on. And, now we are
monitoring everything the switch copies to that mirror port, which is all of the
traffic that travels through this network, and that is really cool.
Our network is completely set up: we have the router, it is connected to the
internet; we have the switch, it is connected to the router; we have our wired
clients connected to the switch; We have our wireless clients bridged into the
switch; we have Security Onion connected to the switch; and we have Security Onion
analyzing all traffic that comes through this network. So, if you have gotten to
this point, congratulations. You've done it. You have Security Onion deployed into
your network, and that is so cool.
In the next video, we are going to log into the server through SSH and bring the
software on it fully up to date. So I will see you there.