ZeroTier (ZT) is an application that provides the ability to create private networks between endpoints. For those of you who remember the golden years of Hamachi, ZT is somewhat similar.
In this guide we will leverage that capability to build a private network where security event data can traverse securely no matter where a device is in the world. For example, if you take a laptop to your favorite coffee shop, it will continue to forward logs or events back through to your central monitoring solution such as Security Onion.
This will utilize the ZeroTier hosted controller. You are free to implement your own version of the controller, but that is outside the scope of this guide. It does not go in-depth on how ZeroTier works, nor best practices for ZeroTier configuration. If you plan to implement this in a production environment, I highly recommend you look into Enterprise Support.
It is assumed you have a functioning installation of Security Onion, and endpoints with a log shipper such as filebeat or winlogbeat, or a host intrusion detection (HIDS) such as OSSEC. You can just as easily use any other solution you can dream up, as we're merely providing the transport mechanism.
Create a new network with the following settings:
Copy down the Network ID. You will need it for adding ZT clients to your network.
Choose a name and enter a description for your network, e.g.
Set Access Control to PRIVATE. This will enforce authorized clients only, along with the flow control configuration later on.
Set the IPv4 to Auto-Assign (you do have the ability to choose your own range if desired).
Leave the IPv6 Auto-Assign to default, or uncheck to disable IPv6 capabilities through the ZT network.
Leave the rest as defaults unless you desire further modifications.
If you have a DNS server, you can configure your ZT nodes to respond via DNS. Since ZT addresses are RFC 1918 private addresses, the records will not route over the public internet; they are only reachable from your ZT nodes. If you have enabled IPv6 within ZT, you can also create AAAA records with the IPv6 addresses assigned in your network's management dashboard.
As stated earlier, you can configure DNS for your ZT clients. I used Hurricane Electric DNS in the screenshot below, but the concept is the same across DNS providers.
Installers are available for Microsoft Windows, macOS, Apple iOS devices, Android, Linux, and more. According to the documentation, the Windows agents will automatically update to the latest version, and Linux agents will update when you run the update function of your package manager (e.g. apt update && apt upgrade).
Once the agent is installed, you will need to connect it to your ZT network and authorize it.
Windows: Right-click the ZT agent icon in the system tray and click 'Join Network'. Enter your ZT network ID and click 'Join'.
Linux: from a terminal, run the following:
sudo zerotier-cli join <networkid>
Open your ZeroTier Network Management console and scroll down to members. It may take a minute or so to populate, but you should see your endpoint if configuration was successful. Enter a name and description for your endpoint, and then assign a managed IP (assuming you want something different from the default). When ready, click the authorize button.
Once your clients are installed and authorized, verify they are showing as members in your ZT Network.
sudo zerotier-cli listpeers
ping 10.242.1.1
We will need to allow access from the ZeroTier interface through the firewall within Security Onion for accepting logs.
# Allow syslog
sudo ufw allow in on <zerotier interface> to any port 514
# Allow Elastic Beats
sudo ufw allow in on <zerotier interface> to any port 5044
# Allow OSSEC agent
sudo ufw allow in on <zerotier interface> to any port 1515
# Allow OSSEC agent registration
sudo ufw allow in on <zerotier interface> to any port 1514
Or you can use so-allow, the command-line tool built into Security Onion for managing the firewall:
Note that you may wish to harden this firewall configuration further by locking it down to specific source IPs or protocols.
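As an added example (not part of this guide and not ZeroTier's or Security Onion's own tooling), the POSIX shell helper below ties the verification step to the firewall step: it reads `zerotier-cli listnetworks` output to confirm the node's status is OK for your network ID, pulls out the interface name that replaces <zerotier interface> in the ufw rules above, and prints those rules optionally limited to a source range as the hardening note suggests. The sample output, network IDs, MACs, interface names and addresses are constructed; the field layout follows the header line that `zerotier-cli listnetworks` prints.

```shell
#!/bin/sh
# Added helper, not part of the guide or of ZeroTier. Field layout follows the
# header that `zerotier-cli listnetworks` prints:
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>

# Constructed sample output (IDs, MACs, device names and IPs are made up);
# on a real node capture it with: sudo zerotier-cli listnetworks
SAMPLE='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 8bd5124fd6abcdef so-transport 02:aa:bb:cc:dd:ee OK PRIVATE ztabc12345 10.242.1.1/16
200 listnetworks 1c33c1ced0123456 scratch 02:11:22:33:44:55 ACCESS_DENIED PRIVATE ztdef67890 -'

# zt_net_field <nwid> <listnetworks output> <status|dev|ip>
# Prints the requested field for that network; exits 1 if the node has not
# joined it, so a script can stop before it writes firewall rules.
zt_net_field() {
    printf '%s\n' "$2" | awk -v nwid="$1" -v want="$3" '
        $1 == "200" && $2 == "listnetworks" && $3 == nwid {
            if (want == "status") print $6
            else if (want == "dev") print $8
            else if (want == "ip") { sub(/\/.*/, "", $9); print $9 }
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# zt_ufw_rules <dev> [source cidr]
# Prints the ufw rules from the guide for the ZeroTier interface, optionally
# limited to a source range (the hardening suggested above). Review the
# output, then pipe it to sh on the Security Onion host.
zt_ufw_rules() {
    src=${2:-any}
    for port in 514 5044 1515 1514; do
        echo "sudo ufw allow in on $1 from $src to any port $port"
    done
}

# Example run against the constructed sample: status is checked first, so an
# unauthorized node (ACCESS_DENIED) never reaches the firewall step.
if [ "$(zt_net_field 8bd5124fd6abcdef "$SAMPLE" status)" = "OK" ]; then
    zt_ufw_rules "$(zt_net_field 8bd5124fd6abcdef "$SAMPLE" dev)" 10.242.0.0/16
fi
```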
You will need to point any log shippers or agents at your Security Onion ZT IP. For example, with filebeat using a default Windows install to C:\Program Files\Filebeat, edit the filebeat.yml file to include the IP address you assigned your Security Onion system in ZeroTier:
We'll set up some initial flow control specific to managing traffic from filebeat, winlogbeat, and OSSEC agents. This will restrict traffic to only what we authorize, and prevent anything else from accessing the ZT network. Add the following to the Flow Rules for your ZT network:
#
# Only allow ICMP, Elastic Beats, and OSSEC application traffic
#
accept ipprotocol tcp and ipdest 10.242.1.1/32 and dport 5044 or dport 1514 or dport 1515 ;
accept ipprotocol udp and ipdest 10.242.1.1/32 and dport 514 ;
accept ipprotocol icmp or ipprotocol icmp6 and ipdest 10.242.0.0/16 ;
You should now have a functioning private network capable of spanning any IP network on the globe. If you have any questions or comments, please contact me.