Netplan Configuration for Network Intrusion Detection Systems (IDS)

How can I configure Netplan to work effectively with a Network Intrusion Detection System (NIDS) on a Linux server? What are the key settings to ensure proper traffic monitoring and analysis by the NIDS?

1 Answer

✓ Best Answer

Netplan Configuration for Network Intrusion Detection Systems (NIDS) 🛡️

Netplan is a network configuration tool in Ubuntu and other Linux distributions. Configuring it correctly is crucial for a NIDS to function effectively. Here's a comprehensive guide:

1. Understanding the Basics 🌐

Before diving into configuration, understand that Netplan uses YAML files to define network interfaces. These files are typically located in /etc/netplan/. The NIDS needs to monitor network traffic, often requiring interface mirroring or promiscuous mode.

2. Identifying the Monitoring Interface 🔍

Determine which interface the NIDS will monitor. This could be an existing interface or a virtual interface created specifically for monitoring.

3. Configuring Netplan YAML File 📝

Edit the Netplan YAML file (e.g., /etc/netplan/01-network-config.yaml) to configure the necessary settings. Here's an example:


network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      # management interface: static address, default route and resolvers
      dhcp4: false
      dhcp6: false
      addresses: [192.168.1.100/24]
      # "routes" with "to: default" replaces the deprecated "gateway4" key
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
    monitornic:
      # capture-only interface: no addresses and no DHCP, so the host stays silent on the tap
      dhcp4: false
      dhcp6: false

In this example:

  • eth0 is a standard Ethernet interface with a static IP.
  • monitornic is a dedicated monitoring interface. It is configured without an IP address as it will operate in promiscuous mode.

4. Applying the Configuration ⚙️

After editing the YAML file, apply the configuration using the following command:


sudo netplan apply

This command applies the changes without requiring a reboot.

5. Enabling Promiscuous Mode 🚦

For the monitoring interface (monitornic in our example), enable promiscuous mode using ip command:


sudo ip link set monitornic promisc on

This allows the interface to capture all traffic on the network segment.

6. Verification ✅

Verify that the interface is in promiscuous mode:


sudo ip link show monitornic

Look for the PROMISC flag in the output.

7. Considerations for SPAN/Mirror Ports 🪞

If using a SPAN or mirror port on a switch, ensure the switch is correctly configured to forward traffic to the monitoring interface. No IP address is needed on the monitoring interface in this setup.

8. Firewall Rules 🧱

Adjust firewall rules to allow traffic to the NIDS. Ensure that the NIDS can communicate with necessary services and that the monitoring interface is not blocked by the firewall.

9. Example with Virtual Interface 💻

Create a virtual interface for monitoring:


sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip link set eth0.100 up
sudo ip link set dev eth0.100 promisc on

Then, configure Netplan to manage this virtual interface.

10. Persistent Promiscuous Mode 💾

To make promiscuous mode persistent across reboots, you can add a script to /etc/network/if-up.d/:


sudo nano /etc/network/if-up.d/promisc

Add the following content:


#!/bin/sh
# ifupdown hook: ifupdown exports $IFACE when it brings an interface up
if [ "$IFACE" = "monitornic" ]; then
  /sbin/ip link set dev "$IFACE" promisc on
fi

Make the script executable:


sudo chmod +x /etc/network/if-up.d/promisc

Conclusion 🎉

Properly configuring Netplan is essential for effective NIDS deployment. By setting up the monitoring interface correctly and enabling promiscuous mode, you ensure that the NIDS can capture and analyze network traffic accurately. Remember to test and verify your configuration to ensure optimal performance and security.
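Added example, not part of the answer above: a POSIX shell script that renders the monitor-interface Netplan file (physical port plus the VLAN subinterface from step 9), renders a systemd-networkd drop-in that keeps the link promiscuous across `netplan apply` and reboots, and parses `ip -o link show` output to verify the PROMISC flag. The networkd drop-in is used because scripts in /etc/network/if-up.d/ are run by ifupdown, not by systemd-networkd, so they do not fire on a Netplan host using the networkd renderer. Assumptions: systemd 248 or newer (the `Promiscuous=` key in the `[Link]` section of a .network file), Netplan's generated unit naming `10-netplan-<iface>.network`, and the hypothetical names `monitornic`, `eth0`, VLAN id 100 and file name `60-nids-monitor.yaml`. The `ip -o link show` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes a Netplan/networkd host
# with systemd >= 248 (Promiscuous= in .network files). Interface names,
# the VLAN id and the netplan file name are hypothetical placeholders.
set -eu

# Emit a netplan file defining an address-less monitor interface and a VLAN
# subinterface on top of it: no IP, no DHCP, no link-local address, so the
# sensor never answers on the tap, and "optional" so boot never waits on it.
render_netplan_monitor_yaml() {
  iface="$1"   # physical port attached to the SPAN/mirror session
  vlan_id="$2" # hypothetical VLAN id carried on the mirror port
  cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false
      dhcp6: false
      link-local: []
      optional: true
  vlans:
    ${iface}.${vlan_id}:
      id: ${vlan_id}
      link: ${iface}
      dhcp4: false
      dhcp6: false
      link-local: []
      optional: true
EOF
}

# Drop-in that makes networkd set promiscuous mode every time it configures
# the link. Netplan generates /run/systemd/network/10-netplan-<iface>.network,
# so the matching drop-in directory is /etc/systemd/network/10-netplan-<iface>.network.d/.
render_networkd_dropin() {
  printf '[Link]\nPromiscuous=true\n'
}

networkd_dropin_path() {
  printf '/etc/systemd/network/10-netplan-%s.network.d/promisc.conf\n' "$1"
}

# Read "ip -o link show" lines on stdin; print "on" or "off" for <iface>
# depending on the PROMISC flag, and exit 2 if the interface is absent.
check_promisc() {
  awk -v want="$1" '
    {
      name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)  # "eth0.100@eth0:" -> "eth0.100"
      if (name != want) next
      found = 1
      flag = ($3 ~ /[<,]PROMISC[,>]/) ? "on" : "off"     # $3 is the <FLAG,...> field
      print flag
    }
    END { if (!found) exit 2 }'
}

# Constructed sample in the shape of `ip -o link show` (not from a real host).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: monitornic: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Apply on a real host (root required): write the netplan file and a drop-in
# for the port and its VLAN, regenerate networkd units, then verify the flag.
install_monitor_config() {
  iface="$1"; vlan_id="$2"
  render_netplan_monitor_yaml "$iface" "$vlan_id" > /etc/netplan/60-nids-monitor.yaml
  chmod 600 /etc/netplan/60-nids-monitor.yaml
  for dev in "$iface" "${iface}.${vlan_id}"; do
    dropin="$(networkd_dropin_path "$dev")"
    mkdir -p "$(dirname "$dropin")"
    render_networkd_dropin > "$dropin"
  done
  netplan generate
  netplan apply
  for dev in "$iface" "${iface}.${vlan_id}"; do
    printf '%s promisc: ' "$dev"; ip -o link show | check_promisc "$dev"
  done
}

case "${1:-}" in
  --install) install_monitor_config monitornic 100 ;;
  *) render_netplan_monitor_yaml monitornic 100 ;;  # dry run: print the YAML
esac
```

Run without arguments to preview the generated YAML; run `sudo sh script.sh --install` on the sensor to write the files and apply them. The check parses the same `ip link show` output the answer's step 6 asks you to read by eye, so it can sit in a health check the NIDS host runs on boot or from cron; if it ever reports "off", networkd re-configured the link without the drop-in (wrong unit name, or a netplan file renamed), which is the usual cause of a sensor silently losing visibility after a reboot.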
