Getting Data In

Splunk forwarder behind a one way data diode. UDP help

Path Finder

Hello,

So as a high level overview,

I have a raspberry pi 4 that i will use to configure a forwarder to purely forward UDP information through my data diode and into my splunk clustered indexers.

My question, clearly the indexers and deployment servers will not be able to see the splunk forwarder on the Pi, but will the forwarder still be able to forward the information to the indexers without issues? As in are there heart beats that need to be taken into account or any system TCP flows that i need to take into account as clearly these will not be able to go through my one way data diode. hence the name.

Any help is appreciated.

0 Karma
1 Solution

Path Finder

Having just come back from .conf19 the recommended solution for this is as follows.

On the secure side of the network where all the SNMP polling is taking place. index the data!!
From here it is then sent through the data diode to another indexer. I would post the pictures from the sessions i had with the consultants or the breakout sessions but i dont have enough points.

It is certainly doable though and is happening in a lot of secure organisations.

View solution in original post

0 Karma

Path Finder

Having just come back from .conf19 the recommended solution for this is as follows.

On the secure side of the network where all the SNMP polling is taking place. index the data!!
From here it is then sent through the data diode to another indexer. I would post the pictures from the sessions i had with the consultants or the breakout sessions but i dont have enough points.

It is certainly doable though and is happening in a lot of secure organisations.

View solution in original post

0 Karma

Esteemed Legend

It will not work. Splunk uses Splunk-to-Splunk protocol and it requires responses. You are correct that you need to use UDP to fire and forget through the data diode so you will have to use a forwarding agent that can do that (like snare). Then you need to stand up a syslog-ng server on the other side to receive the UDP and then use HEC or [monitor:// to send to the indexers (DO NOT UPD directly to the indexers).

0 Karma

Path Finder

So i have just come back from .conf19 in Vegas and had a few one to consultancy chats, It is possible and is widely used. Not the way i was doing it with a Pi, but with a Nexus, Owl or waterfall One way transfer data diode.

The Splunk-to-Splunk protocol can be turned off and neglected providing you do not care about managing the forwarder.

0 Karma

Contributor

Hi willsy, this is a common setup in high security environments. First the good news: It can be done. Now the bad news: Not with the pi. In order to accomplish this, you will need a Heavy Forwarder installation behind the diode. Personally, I prefer a small A-i-O box, but a virtual machine image is fine as well. Configure the forwarder to send its events through the syslog output processor using UDP. Details on the configuration can be found here: https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Outputsconf#Syslog_output----

Please note: The events will be dropped from the system as soon as they are sent. If you want to keep a copy, be sure to add another syslog target onto the local machine, storing a copy in the local syslog facility.

0 Karma

Legend

Hi willsy,
let me understand:

  • your server receives UDP information through data diode, how they are taken, in a text file?
  • it has a Universal Forwarder that takes these logs and sends them to indexers,
  • it's not clear what you mean with "the indexers and deployment servers will not be able to see the splunk forwarder on the Pi"
  • it's not clear how you want to configure inputs on UF.

Can you share more information?

Bye.
Giuseppe

0 Karma

Path Finder

Hey Guiseppe,

So i will be ingesting power data from rack mounted PDUs, i currently have this sorted and working through an SNMP server using baboonbones application for splunk.

My issue is that the power that this is polling is extremely sensitive and as such from a security point of view it needs to be one way transmission only.

So the data flow will go

Network behind data diode

  • A splunk universal forwarder on raspberry pi 4 SNMP polling the power PDUs
  • Power PDUs replying back to the SNMP server on the raspberry pi
  • SNMP Server on Raspberry pi sends the data through a data diode UDP ONLY

once its passed that data diode everything still works fine. but due to the nature of the data diode information can only pass one way, from the power network behind the data diode, to the rest of the network (which is where the rest of my splunk deployment lives)

so the question is....
will the rest of my splunk deployment be happy if it cannot talk to the universal forwarder.... and yet still receive data from that universal forwarder?

A = UF
B = Data Diode
C = Splunk deployment

A - > B - > C (information into splunk)
C - > B XX C (splunk talking, maintaining, administrating the UF) it will not be able to get passed my data diode.
Many thanks

0 Karma