I’ve updated my home network security posture. I’m pleased with it. Prior to the update, I was monitoring my traffic using a span from my internal router to Security Onion. My home network is an external router (from my ISP), my DMZ equipment (Set Top Box), an internal router (DD-WRT), and then my internal network.
The span was giving me performance issues on my router, so I disabled it. I’m back to using a physical tap on the external interface of the DD-WRT router. I’m losing visibility due to the NAT, but my environment is limited enough that I should be able to infer who is doing what.
My sensor is now a CentOS box with Bro, Splunk, and Nessus. Bro is monitoring the tap. I’m in the process of configuring Nessus to scan my hosts. Splunk is Splunk’ing all the data. I decided to leave Security Onion since I found the full packet capture to be unnecessary for my environment and I strongly prefer Splunk over ELSA.