OPNsense Forum

English Forums => General Discussion => Topic started by: cambrbr on September 12, 2024, 08:55:22 AM

Title: Does NTOPNG itself scan networks and/or hosts ?
Post by: cambrbr on September 12, 2024, 08:55:22 AM
I have installed ntopng on my OPNsense and was looking at network connectivity inside my IoT network (that has a solar inverter, charging station and battery). All three are from different vendors.

I noticed activity that is originating from the gateway inside the IoT network (diagram attached). I thought it was a bit strange that the gateway was trying to open SSH or HTTP connections to hosts inside the IoT network.

But perhaps it is not strange, and it is intended behavior from ntopng to check open ports on hosts? Can someone confirm/deny this?
Title: Re: Does NTOPNG itself scan networks and/or hosts ?
Post by: dseven on September 12, 2024, 11:48:36 AM
perhaps: https://www.ntop.org/ntopng/how-ntopng-merges-vulnerability-scan-with-traffic-monitoring-for-better-cybersecurity/
Title: Re: Does NTOPNG itself scan networks and/or hosts ?
Post by: vivekmauli14 on September 14, 2024, 10:15:46 AM
Hi,

I have been leveraging traffic flow data from ntopng to automate the population of the pftable with IP addresses associated with specific applications. I then create firewall rules to block these IP addresses using an alias. While this approach effectively blocks most applications, I encounter difficulties blocking high-profile services such as YouTube and other Google applications. These services continuously use dynamically changing IP addresses.

I am seeking advice on enhancing this mechanism to better handle the dynamic nature of these applications. Specifically, I would like to improve the speed at which the pftable is updated and develop a more robust strategy to address the challenge of dynamic IP addresses.

Any insights or recommendations would be greatly appreciated. Thank you in advance!

Best,
VivekSP
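As an added illustration of the mechanism this post describes (not code from the thread, from ntopng or from OPNsense): a Python sketch that folds ntopng-style flow records into a pf table and ages entries out, so rotating IPs are replaced rather than accumulated. The flow field names (srv_ip, l7_proto, last_seen) and the table name are assumptions, and the sample records are constructed.

```python
import ipaddress
import json

# Constructed sample flow records; the field names are an assumption, not ntopng's schema.
SAMPLE_FLOWS = json.dumps([
    {"srv_ip": "142.250.74.46", "l7_proto": "YouTube", "last_seen": 1726300120},
    {"srv_ip": "142.250.74.46", "l7_proto": "YouTube", "last_seen": 1726300000},
    {"srv_ip": "172.217.16.10", "l7_proto": "Google", "last_seen": 1726290000},
    {"srv_ip": "10.0.3.5", "l7_proto": "SSH", "last_seen": 1726300050},
    {"srv_ip": "not-an-ip", "l7_proto": "YouTube", "last_seen": 1726300100},
])
BLOCKED_APPS = {"YouTube", "Google"}
MAX_AGE = 3600  # seconds an IP may go unseen before it leaves the table


def learn_ips(flows_json, apps, state):
    """Fold flows for the chosen apps into state {ip: last_seen}, keeping only
    syntactically valid addresses so nothing from the wire reaches a shell command."""
    for flow in json.loads(flows_json):
        if flow.get("l7_proto") not in apps:
            continue
        try:
            ip = str(ipaddress.ip_address(flow["srv_ip"]))
        except (ValueError, KeyError):
            continue  # malformed record: skip rather than pass it to pfctl
        state[ip] = max(state.get(ip, 0), int(flow["last_seen"]))
    return state


def expire(state, now, max_age=MAX_AGE):
    """Remove IPs not seen within max_age and return them, sorted."""
    stale = sorted(ip for ip, seen in state.items() if now - seen > max_age)
    for ip in stale:
        del state[ip]
    return stale


def sync(flows_json, apps, state, now, table="blocked_apps"):
    """Return the pfctl commands that bring the table in line with state.
    'pfctl -t <table> -T add|delete <addr...>' is real pf syntax; the table name is assumed."""
    before = set(state)
    learn_ips(flows_json, apps, state)
    removed = [ip for ip in expire(state, now) if ip in before]  # only delete what pf has
    added = sorted(set(state) - before)
    cmds = []
    if added:
        cmds.append("pfctl -t %s -T add %s" % (table, " ".join(added)))
    if removed:
        cmds.append("pfctl -t %s -T delete %s" % (table, " ".join(removed)))
    return cmds
```

Running sync on each new flow export (a cron job or a loop reading ntopng's output) keeps the table current, and the age-out step is what stops a dynamic IP that Google has moved on from lingering in the block list.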
Title: Re: Does NTOPNG itself scan networks and/or hosts ?
Post by: cambrbr on September 14, 2024, 10:31:07 AM
You'll need NGFW features for that, such as the ZenArmor integration that allows for Application Control.

https://www.zenarmor.com/docs/policies/application-control-rules

It'll keep track of the YouTube set of dynamic external IP addresses and will allow for the application type to be recognized as YouTube traffic.

https://www.zenarmor.com/docs/opnsense