SIEM homelab for SOC

Hey everyone!
I’ve been using Qubes for almost a year now, and I’m pretty satisfied with it.
However, I don’t really know much about virtualization, but I want to make a project that creates a SIEM environment for educational purposes.
What could be the easiest way, if I want the qubes to fully see each other?
Could creating a virtual switch be an option? How would you guys try it?
I tried setting up a new networking qube using “provides network access to other qubes”, and selected sys-net,
then another qube which connected to the previous one, which still provides network;
however, I still couldn’t manage to make the qubes see each other. Any recommendations?


Yes, this is exactly what I needed.
I should have read that already.
Thank you! 🙂


that sounds interesting!

Would love to hear more about what you’re trying to achieve

I’ve got Wazuh installed on my network in a Proxmox VM, and whilst I’ve deployed the agent to all my servers and my Macs, I’ve not yet tried to install it on any of my qubes yet… it’s on my list of things to do!


I was literally playing with building my own SIEM qube right now and thought to take a look at the forums. I think something based on Elastic + Zeek all tied together with Sigma could be a very fascinating POC for both EDR and NDR capabilities, either within the system or as a central node for broader operations from a more global perspective. I think QubesAir + Dasharo-supported hardware has huge potential as a platform for a SIEM / SOC platform and is one of the main reasons I like playing with Qubes.


The goal would be to get hands-on experience both in attack simulations and a clearer understanding of how to implement rules successfully 🙂
I think Qubes gives a great opportunity, since I can deploy many endpoints, the main server and the attacking machine at the same time.

And as @rem said as well, it allows many things and configuration opportunities, given QubesAir and the availability of different SOC solutions.

A basic setup isn’t actually that complicated; for the first round I’ll probably just build Wazuh.
I’ll link the tutorial here as soon as I’ve posted it 🙂


rem and 0xt0m4: both your projects sound super interesting and I would love to participate if I can be of any help. I’m not super technical as such, but if you need support in terms of defining the scope of what you’re trying to achieve, defining direction, help with testing, etc., I’d love to give a hand.


I think the easier and right way is to build such a lab relying on:
Opening a single TCP port to other network-isolated qube

Two other relevant topics for secure deployment and future management would be:

  1. RPC policies — Qubes OS Documentation
  2. Qrexec: Qubes RPC internals — Qubes OS Documentation

@WhiteShadow just to clarify your comment on using a single TCP port, is that in relation to Encapsulated Port Mirroring for an NDR qube? Instead of Enabling networking between two qubes and using the virtual interfaces with nmcli? In any case, keeping things unidirectional is probably desirable.

If that is the case, I’d be very curious to understand that design decision, or are you more referring to other aspects such as sourcing logs from Client Qubes, for EDR or general SIEM services and web interfaces?


If you wish to set up a SIEM, log collector, etc. within a qube, you can’t achieve an nmcli connection for all qubes on your installation if you separate network adapters between HVMs:
sys-net - Ethernet.
sys-wifi - PCI wifi and Bluetooth module.
sys-usb - USB.
sys-LTE - LTE modem (rare, but some people use it).
For me, it is unacceptable to use a sys-net that handles everything (ethernet, wifi, LTE and USB) just to have the opportunity for an easy setup of a log collector over a single firewall qube.

If you connect the log collector by using the Qubes RPC service, you get a much more secure setup that is also scalable.

About the web interface: you can build a set of 3-4 servers for your SIEM solution that are air-gapped from all other qubes.
sys-log-collector <—> sys-siem-core <—> sys-analyzer <—> sys-management.
While only sys-log-collector and sys-siem-core need to run all the time, sys-analyzer and sys-management may stay offline most of the time.
That way you secure your setup and save CPU and RAM resources, and even battery life, if you run on a laptop.

At the moment, I don’t have a working setup for my answer; I’m working on it these days.

The worst part of all of that:
You need at least 32GB RAM and over 10 CPU cores, so Qubes OS certified hardware such as the v54/56 is the minimum, and not even a comfortable option.

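The RPC-service approach from the post above (a log collector fed over qrexec rather than a shared network between qubes), as an added example; it is not code from this thread or from Qubes OS. It assumes a hypothetical service name `my.LogSink`, a collector qube named `sys-log-collector`, journald JSON export as the log format, an assumed output directory `/var/log/qubes-sink`, and the constructed sample lines embedded in the block; the policy line and install paths in the header comment follow the shape of the RPC policy and qrexec docs linked earlier but are illustrative. The point it demonstrates: the sink takes the source qube's name from `QREXEC_REMOTE_DOMAIN`, which qrexec sets and dom0 policy enforces, and treats the stream itself as hostile, since a compromised endpoint is exactly what the SIEM exists to catch.

```python
#!/usr/bin/env python3
"""Hypothetical qrexec service 'my.LogSink' for a sys-log-collector qube.

Illustrative wiring (assumed, not from the thread or the Qubes docs verbatim):
  collector qube:  /etc/qubes-rpc/my.LogSink   (this file, executable)
  dom0 policy:     /etc/qubes/policy.d/30-user.policy
                   my.LogSink * @anyvm sys-log-collector allow
                   (narrow @anyvm to the endpoint qubes you actually monitor)
  endpoint qube:   journalctl -f -o json | qrexec-client-vm sys-log-collector my.LogSink

No network between qubes is needed: dom0 decides who may call the service, and
qrexec sets QREXEC_REMOTE_DOMAIN to the caller's name, so attribution of every
record comes from dom0 policy rather than from anything the payload says.
"""
import json
import os
import re
import sys
from datetime import datetime, timezone

MAX_LINE = 64 * 1024             # the sender is untrusted; bound what one line can cost us
QUBE_NAME = re.compile(r"[A-Za-z0-9_-]{1,31}$")   # defensive; dom0 already restricts names
KEEP = ("MESSAGE", "PRIORITY", "SYSLOG_IDENTIFIER", "_PID", "__REALTIME_TIMESTAMP")

# Constructed sample input (journald JSON export style), not real log data.
SAMPLE_LINES = [
    '{"MESSAGE":"Accepted publickey for user from 10.137.0.5 port 51234","PRIORITY":"6",'
    '"SYSLOG_IDENTIFIER":"sshd","_PID":"1234","__REALTIME_TIMESTAMP":"1700000000000000"}',
    # a sender trying to claim another origin; the "qube" key must be ignored
    '{"MESSAGE":"sudo: user : TTY=pts/0 ; COMMAND=/bin/bash","PRIORITY":"5",'
    '"SYSLOG_IDENTIFIER":"sudo","qube":"dom0"}',
    'not json at all',
    '{"PRIORITY":"6"}',          # no MESSAGE field
]


def normalize(raw_line, source_qube):
    """Turn one journald JSON-export line into a sink record, or None if it is rejected."""
    if len(raw_line) > MAX_LINE:
        return None
    try:
        obj = json.loads(raw_line)
    except ValueError:
        return None
    if not isinstance(obj, dict) or "MESSAGE" not in obj:
        return None
    # keep an allow-list of fields; journald emits non-UTF-8 values as byte arrays,
    # so anything that is not already a string is re-serialised rather than trusted
    rec = {k: (obj[k] if isinstance(obj[k], str) else json.dumps(obj[k]))
           for k in KEEP if k in obj}
    rec["qube"] = source_qube                    # from qrexec/dom0, never from the payload
    rec["received_at"] = datetime.now(timezone.utc).isoformat()
    return rec


def process(lines, source_qube):
    """Normalise a whole stream. Returns (accepted_records, rejected_count)."""
    if not QUBE_NAME.match(source_qube):
        raise ValueError("invalid source qube name")
    accepted, rejected = [], 0
    for line in lines:
        rec = normalize(line.rstrip("\n"), source_qube)
        if rec is None:
            rejected += 1
        else:
            accepted.append(rec)
    return accepted, rejected


def main():
    source = os.environ.get("QREXEC_REMOTE_DOMAIN", "")
    if not QUBE_NAME.match(source):
        sys.exit("refusing to run: not invoked via qrexec (QREXEC_REMOTE_DOMAIN unset or invalid)")
    out_dir = "/var/log/qubes-sink"              # assumed location; one file per source qube
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, source + ".jsonl"), "a") as out:
        for line in sys.stdin:                   # stdin is the qrexec data channel
            rec = normalize(line.rstrip("\n"), source)
            if rec is not None:
                out.write(json.dumps(rec) + "\n")
                out.flush()


if __name__ == "__main__":
    main()
```

The policy line is the part worth tightening: `@anyvm` is convenient for a lab, but listing the monitored endpoint qubes explicitly keeps a stray or disposable qube from writing into the collector. Because the service only ever reads stdin and writes a local file, the collector qube itself can stay without a NetVM, which matches the air-gapped chain the post describes.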