Is this even possible? Motherboard/Wifi Question (pfsense/snort/kismet/snorby)
-
Hi everyone - complete newb pfsense guy incoming..
Considering a proof of concept if you will. My main goal is to have the following on ONE box in a HOME environment to test some pen testing scenarios out, and I want to see if this is possible from a hardware perspective. Admittedly Freebsd is not a strength of mine, so I don't know the state of drivers of the OS today for what I'm considering.
Assume I have either a comcast or Uverse modem, and that device is also acting as the wireless router too, broadcasting away. I want to set up another all in one box to act as an access point, among other things.
Let's assume I have only one box (a good one, but one all the same, so no ability to get a 2nd box for a router or another router for wireless duties altogether). What I'd like to do is put pfsense, snort, kismet on a mini itx machine (Dual core celeron or I3/8GB ram), containing one GBE NIC and an embedded wifi controller/radio. There will also be a second usb 300n wifi card as well (this card will be in promiscuous mode sniffing away at the other embedded/internal wifi on the box).
My thought is to treat the embedded wifi card as an accesspoint to route all wireless traffic through the box so that pfsense can do its thing from a ruleset perspective. I don't know if ANY onboard wifi card can put out enough radio signal to cover whole house (2 floors/3000 plus sqft) duty. So my next thought is to get either a mini pci-e wifi card that is powerful enough or just get a pci-e dual band wifi card with antenna to solve that problem.
Either way, all wireless endpoints connect in through wlan0, and wlan1 points to wlan0 to sniff/packet capture away. Sound feasible so far? Any driver gotcha's i need to look for? I know some cards do and do not support HOSTAP, so any recommendations in 2014 to ones that do? The other thing I don't know of either, and testing will help affirm this, is whether these consumer grade cards can handle 1-10 people coming through it streaming movies, surfing, playing games, etc..without dropping packets. I'm hoping that with the better I3 CPU, any cpu intensive processing will be able to cope.
So in terms of topology, this is where i get kind of confused: CONSUMER ISP ROUTER/MODEM –--- PFSENSE ALL IN ONE FIREWALL/SNIFFER/ROUTER-----WIRELESS ENDPOINTS
So do I give the new AP a different subnet address :192.168.10.10 and it gives all end points something in that range (192.168.x.x/24)...and the ISP modem doles out it's own subnet IP to the pfsense box via the GBE? That's what I assume as I'm drawing this up..any gotchas yet? Is this feasible?
Thanks for any insight you guys could give.
-
Is it possible- yes.
Is it possible easily without virtual machines? - I doubt it - I am also a pfsense newbie, so please correct me if I am wrong.
You would want one virtual machine for pfsense and one for linux/otherOS which has your kismet/snorby setup. You would passthrough the hardware you want to pfsense, and likewise to linux et al. Kismet doesn't come with pfsense, and retrofitting it could be challenging.
You are better off having an access point (or router in access point mode) for the coverage you're talking, my personal recommendation would be the Asus RT-AC66u as the coverage is excellent with it, and you can run tomato or ddwrt on it. You are better off not using pfsense for wireless if you can avoid it due to limited wireless card support.
The question I have is: what level of sniffing do you want? - if you're looking at a network packet level, pfsense can handle that (and does it well) if you're looking at wireless signal level, then you're best looking elsewhere.
Just fyi - as far as I know, there is no dual core Celeron, there are plenty of dual core Pentiums however, but they don't include the VT-D extensions to do passthrough, to get that you need an i3 and as a bonus you get AES-NI (for openVPN in the future/longevity). For your purposes that is probably a better option.
-
"Is it possible easily without virtual machines? - I doubt it - I am also a pfsense newbie, so please correct me if I am wrong.
You would want one virtual machine for pfsense and one for linux/otherOS which has your kismet/snorby setup. You would passthrough the hardware you want to pfsense, and likewise to linux et al. Kismet doesn't come with pfsense, and retrofitting it could be challenging.
You are better off having an access point (or router in access point mode) for the coverage you're talking, my personal recommendation would be the Asus RT-AC66u as the coverage is excellent with it, and you can run tomato or ddwrt on it. You are better off not using pfsense for wireless if you can avoid it due to limited wireless card support.
The question I have is: what level of sniffing do you want? - if you're looking at a network packet level, pfsense can handle that (and does it well) if you're looking at wireless signal level, then you're best looking elsewhere.
Just fyi - as far as I know, there is no dual core Celeron, there are plenty of dual core Pentiums however, but they don't include the VT-D extensions to do passthrough, to get that you need an i3 and as a bonus you get AES-NI (for openVPN in the future/longevity). For your purposes that is probably a better option.
"
–-----------------------------------------------
Thanks for the response, I was dreading the 0 reply monster that some threads encounter on this forum!I believe that you can install snort on FreeBSD, since it's a package install from Pfsense. Kismet may have to be installed manually since i don't believe there is a package for it. Unfortunately in this setup, VM's won't be available.
I think the biggest challenge will be finding that internal card that supports HOSTAP and offer dual band service as well. Not uncharted territory but will take a little bit of research.
I already have a microusb wifi dongle that is supported for monitoring mode and can pull down packets. Remember, I'm limited to ONE box to do this exercise :D
I think you're right on the I3 versus Celeron argument. The AES instruction set was one I wasn't even considering, thanks for pointing that out. The cpu I was considering due to price point and overhead ability was the Celeron 1037u.
In regards to sniffing, I'm solely aiming for the wireless level to pull down full frames, and I'm contemplating using snort on a tun/tap for kismet. I know it may be overkill since Kismet has it's own ruleset usage as well, but I'll be pairing Sagan into all of this as well for correlation. Having Snorby as a web gui interface to read/analyze incidents is the main benefit there.
I'm still master planning this out, so again, thanks for the suggestions!
-
Well, OpenVPN only really matters if you are going to pipe large amounts of data across a vpn, or do site to site connections. If you do it from client machines it is less of problem (I am considering using my linux server to vpn through the pfsense box to another endpoint).
Why the aversion to running 2 VMs on the same machine? There are plenty of good hypervisors that pfsense will play well with. (proxmox, esxi, xen.. to name a few) - this will enable you to use whatever software you want.
What is the purpose of doing what you are intending? (fun doesn't count for a setup this complicated)