Standalone vs Distributed Deployment

[devstrauss]

I am having a hard time finding the right answer. For a standalone the docs say use for "testing, Labs, POCs, very low throughput". A distributed deployment does not give specifics. However, if I am in a Windows environment with several VMs running different servers, do I need to run a distributed deployment? From there, what would I consider my forwarding nodes? DNS, DHCP, DC servers? Which components do these servers need to host? Also, our firewall is a hardware piece (Fortigate) I can see in the standalone SO server that we have setup there is an integration for fortigate but I'm unsure how to get this integration to communicate with the SO console? Starting to feel super lost and documentation seems to be geared towards people who are not running SO on an enterprise size environment. Anyways, any thoughts or considerations (I will not take anything personally if I sound dumb) would be much appreciated.

[dougburks]

Hello and welcome to Security Onion Discussions!

I am having a hard time finding the right answer. For a standalone the docs say use for "testing, Labs, POCs, very low throughput". A distributed deployment does not give specifics. However, if I am in a Windows environment with several VMs running different servers, do I need to run a distributed deployment?

Yes, for enterprise environments we recommend distributed deployments. From https://docs.securityonion.net/en/2.4/architecture.html#distributed:
This architecture may cost more upfront, but it provides for greater scalability and performance, as you can simply add more nodes to handle more traffic or log sources.

From there, what would I consider my forwarding nodes?

We use the term forward node to describe a Security Onion network sensor that collects network traffic from a tap or span port and forwards the alerts and metadata logs to the Security Onion backend. From https://docs.securityonion.net/en/2.4/architecture.html#forward-node:
A forward node is a sensor that forwards all logs via Elastic Agent to Logstash on the manager node, where they are stored in Elasticsearch on the manager node or a search node (if the manager node has been configured to use a search node).

DNS, DHCP, DC servers?

You may want to deploy Elastic Agent to these servers to collect their logs:
https://docs.securityonion.net/en/2.4/elastic-agent.html

Which components do these servers need to host?

From https://docs.securityonion.net/en/2.4/architecture.html#forward-node:
Forward nodes run the following components:
Zeek
Suricata
Stenographer

Also, our firewall is a hardware piece (Fortigate) I can see in the standalone SO server that we have setup there is an integration for fortigate but I'm unsure how to get this integration to communicate with the SO console?

You should be able to send Fortigate logs via syslog to a Security Onion node and use an Elastic Integration to collect those logs:
https://docs.securityonion.net/en/2.4/elastic-agent.html#integrations
https://docs.securityonion.net/en/2.4/elastic-fleet.html#integrations
https://docs.elastic.co/integrations
https://docs.elastic.co/integrations/fortinet_fortigate
#11321

Starting to feel super lost and documentation seems to be geared towards people who are not running SO on an enterprise size environment. Anyways, any thoughts or considerations (I will not take anything personally if I sound dumb) would be much appreciated.

Security Onion is designed by enterprise defenders for enterprise defenders and we have lots of folks using Security Onion in enterprise environments. Many of them choose to supplement our documentation with our training, professional services, and other offerings:
https://securityonionsolutions.com/training
https://securityonionsolutions.com/support
https://securityonionsolutions.com/hardware