SecOnion setup for MSSP #10558
Hi Everyone, I was wondering if anyone has SecOnion set up in an MSSP configuration, and how that was done? What I had in mind is having a forwarder node at each client, and a separate search node for each client tied into a centralized manager node. The clients would then connect back to the manager via a site-to-site VPN? Would this be possible/practical, or would it work better if the manager was set up in an AWS or Azure instance? Thank you in advance
Just a note - it's not really possible to isolate a site's traffic to a particular Search Node like this. All Forwarders send their data back to the Manager, where it goes into a Redis queue, and the Search Nodes then pull from the queue. A zeek or suricata log entry from a particular Forwarder node could end up on any Search Node in the grid. If you want to isolate the data like this, you'd probably want to use a Heavy Node instead, but that has some performance penalties when you need to search across them.
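A toy model of the data flow described in the reply above, added here as an illustration and not code from Security Onion or from anyone in this discussion: forwarders push into the manager's shared queue and search nodes pull from it, versus a heavy node per site. The node names, the event shape, and round-robin queue consumption are constructed assumptions (a real Redis queue with several consumers is not deterministic, which only makes the mixing worse).

```python
"""Model of where a client's log entries land in a Security Onion grid.
Constructed example, not Security Onion code; node names, event shape and
round-robin queue consumption are simplifying assumptions."""
from collections import defaultdict, deque
from itertools import cycle

# Constructed sample: one forwarder per MSSP client (tenant).
FORWARDERS = {"fwd-clientA": "clientA", "fwd-clientB": "clientB", "fwd-clientC": "clientC"}


def sample_events(per_forwarder=4):
    """Interleave a few Zeek-style conn events from every forwarder (constructed data)."""
    events = []
    for seq in range(per_forwarder):
        for fwd, tenant in FORWARDERS.items():
            events.append({"forwarder": fwd, "tenant": tenant, "seq": seq, "dataset": "zeek.conn"})
    return events


def distribute_via_manager(events, search_nodes):
    """Forwarders -> manager queue -> search nodes pull.  Any search node may take
    any event; modelled here as round-robin consumption (assumption)."""
    queue = deque(events)
    placement = defaultdict(list)
    for node in cycle(search_nodes):
        if not queue:
            break
        placement[node].append(queue.popleft())
    return placement


def distribute_to_heavy_nodes(events):
    """Heavy node per site: each event is indexed on the node at its own site."""
    placement = defaultdict(list)
    for ev in events:
        placement["heavy-" + ev["tenant"]].append(ev)
    return placement


def isolation_violations(placement):
    """(node, tenants) pairs where one node holds more than one client's data."""
    per_node = {n: sorted({ev["tenant"] for ev in evs}) for n, evs in placement.items()}
    return [(n, t) for n, t in per_node.items() if len(t) > 1]


def nodes_per_tenant(placement):
    """Which nodes a client's data is spread across (what a cross-site search must hit)."""
    out = defaultdict(set)
    for node, evs in placement.items():
        for ev in evs:
            out[ev["tenant"]].add(node)
    return {t: sorted(n) for t, n in out.items()}


if __name__ == "__main__":
    evs = sample_events()
    print("search nodes:", isolation_violations(distribute_via_manager(evs, ["search-1", "search-2"])))
    print("heavy nodes: ", isolation_violations(distribute_to_heavy_nodes(evs)))
```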
So then, is it possible to use both a Search Node and a Heavy Node in a single Security Onion distributed deployment?