ZeroTier for a Reliable and Private Security Monitoring Network


ZeroTier (ZT) is an application that provides the ability to create private networks between endpoints. For those of you who remember the golden years of Hamachi, ZT is somewhat similar.

In this guide we will leverage that capability to build a private network where security event data can traverse securely no matter where a device is in the world. For example, if you take a laptop to your favorite coffee shop, it will continue to forward logs or events back through to your central monitoring solution such as Security Onion.

This will utilize the ZeroTier hosted controller. You are free to implement your own version of the controller, but that is outside the scope of this guide. It does not go in-depth on how ZeroTier works, nor best practices for ZeroTier configuration. If you plan to implement this in a production environment, I highly recommend you look into Enterprise Support.

It is assumed you have a functioning installation of Security Onion, and endpoints running either a log shipper such as Filebeat or Winlogbeat, or a host intrusion detection system (HIDS) agent such as OSSEC. You can just as easily use any other solution you can dream up, as we're merely providing the transport mechanism.

Contents

  1. Prerequisites
  2. Create a new ZeroTier network
  3. [Optional] Configure DNS
  4. Download and install ZeroTier clients for your endpoints
  5. Test
  6. Security Onion Configuration
  7. Endpoint Configuration
  8. Flow Control

Prerequisites

You'll need the following before proceeding:
  1. A ZeroTier account
  2. Network addressing scheme (see diagram above for reference)
  3. [Optional] DNS provider
  4. Security Onion server
  5. Filebeat or OSSEC agents on endpoints

Create a new ZeroTier network


Create a new network with the following settings:

Copy down the Network ID. You will need it for adding ZT clients to your network.

Choose a name and enter a description for your network, e.g. Security Monitoring.

Set Access Control to PRIVATE. Only members you explicitly authorize can then join; together with the flow control configuration later on, this limits both who is on the network and what they can send.

Set the IPv4 to Auto-Assign (you do have the ability to choose your own range if desired).

Leave the IPv6 Auto-Assign to default, or uncheck to disable IPv6 capabilities through the ZT network.

Leave the rest as defaults unless you desire further modifications.

[Optional] Configure DNS

If you have a DNS server, you can publish records for your ZT nodes. Since ZT addresses are RFC 1918 private addresses, the records resolve to addresses that are not routable on the public internet and are reachable only by your ZT nodes. If you have enabled IPv6 within ZT, you can also create AAAA records with the IPv6 addresses assigned in your network's management dashboard.

As stated earlier, you can configure DNS for your ZT clients. I used Hurricane Electric DNS in the screenshot below, but the concept is the same across DNS providers.

Download and install ZeroTier clients for your endpoints

Installers are available for Microsoft Windows, macOS, Apple iOS devices, Android, Linux, and more. According to the documentation, the Windows agents will automatically update to the latest version, and Linux agents will update when you run the update function of your package manager (e.g. apt update && apt upgrade).

Once the agent is installed, you will need to connect it to your ZT network and authorize it.

Windows: Right-click the ZT agent icon in the system tray and click 'Join Network'. Enter your ZT network ID and click 'Join'.

Linux:

sudo zerotier-cli join <networkid>

Open your ZeroTier Network Management console and scroll down to members. It may take a minute or so to populate, but you should see your endpoint if configuration was successful. Enter a name and description for your endpoint, and then assign a managed IP (assuming you want something different from the default). When ready, click the authorize button.

Test

Once your clients are installed and authorized, verify they are showing as members in your ZT Network.

sudo zerotier-cli listpeers
ping 10.242.1.1

Security Onion configuration

We will need to allow access from the ZeroTier interface through the firewall within Security Onion for accepting logs.

# Allow syslog
sudo ufw allow in on <zerotier interface> to any port 514

# Allow Elastic Beats
sudo ufw allow in on <zerotier interface> to any port 5044

# Allow OSSEC agent
sudo ufw allow in on <zerotier interface> to any port 1515

# Allow OSSEC agent registration
sudo ufw allow in on <zerotier interface> to any port 1514

Or you can use so-allow, the command-line tool built into Security Onion for managing the firewall:

sudo so-allow

Note that you may wish to harden this firewall configuration further by restricting each rule to specific source IPs or protocols rather than accepting the port from any source.
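As an added example (not part of the original guide), the following bash script renders the tightened rule set that note describes: every rule is pinned to the ZT subnet as source, the Security Onion ZT address as destination and the protocol the service uses, and the ZT interface gets a final explicit deny. The interface name zt0, the subnet 10.242.0.0/16 and the address 10.242.1.1 are assumptions; the ports are the ones from the firewall section above.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: tighter ufw rules for the
# Security Onion ZeroTier interface. Assumptions (not stated in the guide):
# the ZT interface is "zt0", the ZT subnet is 10.242.0.0/16 and the
# Security Onion ZT address is 10.242.1.1.
set -eu

ZT_IF="${ZT_IF:-zt0}"                 # find yours with: zerotier-cli listnetworks
ZT_NET="${ZT_NET:-10.242.0.0/16}"     # only ZT members may talk to the collector
SO_ZT_IP="${SO_ZT_IP:-10.242.1.1}"    # the collector's own ZT address
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = run them with sudo

# One entry per service: "<port> <proto> <comment>". Ports are the ones the
# guide opens; the protocol column is the hardening the note asks for
# (syslog over UDP, Beats over TCP, OSSEC ports over TCP as in the flow rules).
SERVICES="514 udp syslog
5044 tcp elastic-beats
1514 tcp ossec
1515 tcp ossec"

# Print in dry-run mode so the rule set can be reviewed before it is applied.
ufw_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "ufw $*"
  else
    sudo ufw "$@"
  fi
}

# Emit (or apply) one allow rule per service, then deny everything else that
# arrives on the ZT interface so a broader allow added later for another
# interface cannot silently widen what the ZT side accepts.
harden_zt_firewall() {
  printf '%s\n' "$SERVICES" | while read -r port proto label; do
    [ -n "$port" ] || continue
    ufw_cmd allow in on "$ZT_IF" from "$ZT_NET" to "$SO_ZT_IP" \
      port "$port" proto "$proto" comment "$label"
  done
  ufw_cmd deny in on "$ZT_IF"
}

harden_zt_firewall
```

Run it as-is to review the commands; set DRY_RUN=0 to apply them with sudo, then confirm the result with `sudo ufw status numbered`.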

Endpoint configuration

You will need to point any log shippers or agents at your Security Onion ZT IP. For example, with Filebeat using a default Windows install to C:\Program Files\Filebeat, edit the filebeat.yml file to include the IP address you assigned your Security Onion system in ZeroTier.
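For a Linux endpoint the same edit can be scripted. The following is an added example, not from the original guide: it refuses any address outside the ZT range, renders the output.logstash section for filebeat.yml, and checks that the Security Onion listener answers over ZT before you restart the shipper. The address 10.242.1.1, the port 5044 and the path /etc/filebeat/filebeat.yml are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: point a Linux Filebeat at the
# Security Onion ZeroTier address and verify the path before restarting.
# Assumptions (not stated in the guide): Security Onion listens on
# 10.242.1.1:5044 over ZT, the ZT network is 10.242.0.0/16, and Filebeat's
# config lives at /etc/filebeat/filebeat.yml.
set -eu

SO_ZT_IP="${SO_ZT_IP:-10.242.1.1}"
BEATS_PORT="${BEATS_PORT:-5044}"
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"

# Accept only addresses inside the ZT range (10.242.0.0/16 here), so a typo
# cannot quietly send logs over the public path this guide is avoiding.
in_zt_range() {
  case "$1" in
    10.242.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the output section to paste into filebeat.yml. Filebeat allows only
# one enabled output, so the default output.elasticsearch block must be
# commented out when this one goes in.
render_output_section() {
  in_zt_range "$1" || { echo "refusing non-ZT address: $1" >&2; return 1; }
  cat <<EOF
output.logstash:
  hosts: ["$1:$2"]
EOF
}

# TCP reachability check using bash's /dev/tcp; exit status 0 means the
# listener accepted the connection. A failure here while ping works usually
# points at the ZT flow rules or the Security Onion firewall.
collector_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

render_output_section "$SO_ZT_IP" "$BEATS_PORT"
if collector_reachable "$SO_ZT_IP" "$BEATS_PORT"; then
  echo "# $SO_ZT_IP:$BEATS_PORT reachable; paste the section above into $FILEBEAT_YML and restart filebeat" >&2
else
  echo "# $SO_ZT_IP:$BEATS_PORT not reachable yet; check zerotier-cli listnetworks, member authorization and the SO firewall" >&2
fi
```

Paste the rendered section into filebeat.yml in place of the default output.elasticsearch block, then restart the service (for example `sudo systemctl restart filebeat`). The reachability check is deliberately a plain TCP connect: it tells you whether the ZT path and the Security Onion firewall let Beats traffic through, independently of whether Filebeat itself is configured correctly.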

Implement Flow Control

We'll set up some initial flow control specific to managing traffic from Filebeat, Winlogbeat, and OSSEC agents. This will restrict traffic to only what we authorize, and prevent anything else from traversing the ZT network. Add the following to the Flow Rules for your ZT network:

#
# Only allow ICMP, Elastic Beats, and OSSEC application traffic.
#
# ZeroTier evaluates the conditions of a rule left to right with no
# precedence, so "a and b and c or d" means "((a and b) and c) or d".
# Each service therefore gets its own rule, so that the destination and
# protocol conditions apply to every port rather than only to the first.
# Frames that match no rule are dropped, which is ZeroTier's default action.
#
accept
  ipprotocol tcp
  and ipdest 10.242.1.1/32
  and dport 5044
;

accept
  ipprotocol tcp
  and ipdest 10.242.1.1/32
  and dport 1514-1515
;

accept
  ipprotocol udp
  and ipdest 10.242.1.1/32
  and dport 514
;

accept
  ipprotocol icmp
  or ipprotocol icmp6
  and ipdest 10.242.0.0/16
;

You should now have a functioning private network capable of spanning any IP network on the globe. If you have any questions or comments, please contact me.