Configuring Scrutinizer for Dual/Multi-homing

Security Considerations

Scrutinizer ships with Reverse-Path Filtering disabled by default. This allows the collector to receive flows from IP addresses to which it has no route. The feature exists so that collectors can receive non-local traffic forwarded by a proxy or replication appliance, and it is intended ONLY to be used when Scrutinizer:

  1. is in a secure environment
  2. has a single interface

Plixer recommends that in multi-interface/multi-homed situations, and wherever strict networking practices are required, the best practices defined in RFC 3704 be observed. This ensures that spoofed/forged packets cannot be used to elicit responses that are sent out another interface.

The following steps are recommended:

  1. Enable Reverse Path Forwarding: edit /etc/sysctl.conf and change the line “net.ipv4.conf.default.rp_filter = 1” to “net.ipv4.conf.default.rp_filter = 0”.

  2. To apply the change without restarting networking, run the command “sysctl -w net.ipv4.conf.default.rp_filter=0”; this turns it on immediately (editing the file is still required so the setting persists across reboots).

  3. Make sure the routing tables contain routes to all networks that will be receiving flows. Failure to properly configure routing will result in the inability to collect flows from non-local address spaces.

Virtual Routing and Forwarding (VRF) Mode

In certain circumstances it is best to isolate the routing tables from the management network. Common reasons are security requirements, or a management network whose IP addresses overlap with those on the collection-side interfaces.

In these cases separate routing tables can be created in order to isolate management traffic to the management interface. Collection and polling traffic will then only impact their respective interfaces.

Configuration Examples

In this example, Scrutinizer has 2 interfaces, eth0 and eth1. Each will have its own routing table: one called “plixer”, the other called “public”.

Configure separate routing tables

In this example, notice that 2 default gateways are configured. This would not be possible under a standard configuration with a single routing table. Each table maintains a separate, isolated IP network, and the two networks are not routable to one another on the Scrutinizer box.

  1. Add the 2 routing tables to the file “/etc/iproute2/rt_tables”. After the 2 lines are added, the file looks like this:

    #
    # reserved values
    #
    255 local
    254 main
    253 default
    0 unspec
    #
    # local
    #
    #1 inr.ruhep
    1 public
    2 plixer

  2. Create the file /etc/sysconfig/network-scripts/route-eth0 containing the following:

    default via 172.16.2.20 table plixer

  3. Create the file /etc/sysconfig/network-scripts/route-eth1 containing the following:

    default via 10.1.1.251 table public

  4. The interfaces do not need any special configuration. Here are example interface files based on the above configuration.

    /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE="eth0"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.255.0
    IPADDR=172.16.2.7

    /etc/sysconfig/network-scripts/ifcfg-eth1
    DEVICE="eth1"
    BOOTPROTO="none"
    HWADDR=""
    NM_CONTROLLED="yes"
    ONBOOT="yes"
    PEERDNS=no
    TYPE="Ethernet"
    NETMASK=255.255.0.0
    IPADDR=10.1.4.190
    GATEWAY=10.1.1.251

  5. Restart the server to make sure networking is reset and operating properly.
  6. Verify that iptables is configured to accept or deny the desired traffic on each interface.
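As an added consistency check (not part of Plixer's documentation), the following POSIX shell script validates a network-scripts directory like the one above: it confirms that every “table NAME” referenced in a route-ethN file is declared in rt_tables, that table ids are unique, and that each gateway lies inside its interface's IPADDR/NETMASK subnet. The make_sample function constructs copies of the example files in a temporary directory so the check runs offline; the function names and the flat directory layout are assumptions.

```shell
# Added consistency check for the split-routing-table setup above; not part of Plixer's docs.

ip2int() {                       # dotted quad -> integer (POSIX sh arithmetic)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {                  # same_subnet IP GATEWAY NETMASK
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

check_config() {                 # check_config DIR (DIR holds rt_tables, route-*, ifcfg-*)
    dir=$1 rc=0
    tables=$(grep -v '^#' "$dir/rt_tables")
    dups=$(printf '%s\n' "$tables" | awk 'NF==2{print $1}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate table id(s): $dups"; rc=1; }
    for rf in "$dir"/route-eth*; do
        [ -f "$rf" ] || continue
        iface=${rf##*/route-}
        ip=$(sed -n 's/^IPADDR=//p' "$dir/ifcfg-$iface" | tr -d '"')
        mask=$(sed -n 's/^NETMASK=//p' "$dir/ifcfg-$iface" | tr -d '"')
        while read -r line; do
            tbl=$(printf '%s\n' "$line" | sed -n 's/.* table \([^ ]*\).*/\1/p')
            gw=$(printf '%s\n' "$line" | sed -n 's/.* via \([0-9.]*\).*/\1/p')
            # every "table NAME" must be declared in rt_tables, or ip(8) rejects the route
            if [ -n "$tbl" ] && ! printf '%s\n' "$tables" | awk -v t="$tbl" '$2==t{f=1} END{exit !f}'; then
                echo "$iface: table '$tbl' is not declared in rt_tables"; rc=1
            fi
            # a gateway outside the interface's own subnet is unreachable without an extra route
            if [ -n "$gw" ] && [ -n "$ip" ] && ! same_subnet "$ip" "$gw" "$mask"; then
                echo "$iface: gateway $gw is not inside $ip/$mask"; rc=1
            fi
        done < "$rf"
    done
    return $rc
}

make_sample() {                  # constructed copies of the page's example files
    d=$(mktemp -d)
    printf '255 local\n254 main\n253 default\n0 unspec\n1 public\n2 plixer\n' > "$d/rt_tables"
    printf 'default via 172.16.2.20 table plixer\n' > "$d/route-eth0"
    printf 'default via 10.1.1.251 table public\n' > "$d/route-eth1"
    printf 'DEVICE="eth0"\nIPADDR=172.16.2.7\nNETMASK=255.255.255.0\n' > "$d/ifcfg-eth0"
    printf 'DEVICE="eth1"\nIPADDR=10.1.4.190\nNETMASK=255.255.0.0\n' > "$d/ifcfg-eth1"
    echo "$d"
}

check_config "$(make_sample)" && echo "routing-table configuration is consistent"
```

Point check_config at /etc/sysconfig/network-scripts after copying /etc/iproute2/rt_tables alongside it to run the same check against a live box.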