[Bro] traffic to logger from workers
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 19 07:12:33 PST 2017
> On Jan 19, 2017, at 8:37 AM, erik clark <philosnef at gmail.com> wrote:
> This seems to be a pretty big oversight. Depending on the controls you implement from NIST 800-53 Rev 4, encryption between processes is mentioned. In our environment, it is not just nice to have, it is a requirement.
> Since no Bro to Bro communication is encrypted, this makes it 100% impossible for us to have a Bro cluster spanning multiple servers. We are relegated to load balancing via a smart tap and hosting all-in-one Bro instances in disparate hardware, and then forwarding the logs off the box with Splunk which _does_ do encrypted log handoff to the indexers.
> I understand that there is some concern about possible performance implications, but making an application that is completely devoid of FIPS 140-2 compliance does not seem to be very good.
If encryption between all processes is a requirement in your environment then what exactly is Bro seeing via the taps? Anything that Bro is seeing on the taps is not encrypted and is ALREADY being transmitted in plain text in the first place.
> What can be done to get encryption into Bro to Bro communication? If nothing else, at least to the logger. The other elements (workers, proxies) can be handled by pushing proxies to the individual hosts and blocking proxy port requests from Bro between hosts.
IPsec, OpenVPN, etc. Or possibly via TLS through Broker at some point.
- Justin Azoff
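One concrete way to do what the reply suggests (an IPsec tunnel between the cluster hosts, so the worker-to-logger traffic never leaves the box in the clear). This is an added example, not part of the original message and not Bro project configuration. It assumes strongSwan's swanctl.conf format; the addresses 192.0.2.10 (worker) and 192.0.2.20 (logger), the identities, the pre-shared key and TCP port 47761 are all placeholders, the port standing in for whatever port the logger node actually listens on in your node.cfg. Replace every one of them.

```conf
# Added example (not from the Bro project): strongSwan swanctl.conf on the
# worker host, protecting worker -> logger cluster traffic with IKEv2 and ESP
# in transport mode. Addresses, IDs, port and PSK are placeholder assumptions.
connections {
    worker-to-logger {
        version      = 2
        # this worker host (placeholder)
        local_addrs  = 192.0.2.10
        # the logger host (placeholder)
        remote_addrs = 192.0.2.20
        proposals    = aes256-sha256-x25519
        local {
            auth = psk
            id   = worker1
        }
        remote {
            auth = psk
            id   = logger
        }
        children {
            bro-logger {
                # Cover only the cluster port; 47761 is a placeholder for the
                # logger's port from node.cfg. Other traffic is untouched.
                local_ts      = 192.0.2.10/32
                remote_ts     = 192.0.2.20/32[tcp/47761]
                mode          = transport
                esp_proposals = aes256gcm16-x25519
                # bring the SA up when the config is loaded, not on first packet
                start_action  = start
            }
        }
    }
}

secrets {
    ike-logger {
        id-1   = worker1
        id-2   = logger
        # placeholder: use a long random value generated per pair of hosts
        secret = "replace-with-a-long-random-shared-secret"
    }
}
```

The logger host gets the mirror image (addresses and IDs swapped, with the port selector on its own local_ts). Load with `swanctl --load-all` on both ends and confirm with `swanctl --list-sas` that a child SA is installed before pointing the cluster at it. Two things worth knowing: once the policies are installed on both hosts the kernel drops packets matching the selectors that are not ESP-protected, so a worker whose tunnel is down cannot quietly fall back to cleartext; and transport mode only protects this one pair of hosts, so the same block is repeated per worker and proxy that talks to the logger.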