OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: mfsense on September 24, 2020, 10:41:17 pm

Title: Is Sensei a good replacement for LAN IDS/IPS?
Post by: mfsense on September 24, 2020, 10:41:17 pm
Hi everyone,

I'm new to the OPNsense forums and wanted to ask a general question regarding Sensei and Suricata.

I've been using OPNsense with Suricata IDS/IPS in LAN and so far it has been good. I am new to Sensei and wanted to give it a shot. When I tried to enable Sensei it asked me to disable suricata on my lan connections.

That being said, I'm wondering if anyone could give a short pros and cons of each. If it makes sense to trade suricata with sensei and so on. There are a lot of discussions whether to enable IPS/IDS on WAN or LAN and now Sensei comes into play. I'm lost :-\

Title: Re: Is Sensei a good replacement for LAN IDS/IPS?
Post by: DenverTech on September 24, 2020, 11:32:21 pm
My take on this (right or wrong) has been as follows:
- Sensei does a LOT more than IDS/IPS, but overlaps with it heavily as they use the same engine. As such, I feel confident with Sensei on my LAN interface as it's scanning for much the same things that IDS/IPS do.
- In any situation where there's WAN exposure (web servers, port forwards, etc.), I then also enable IDS/IPS on the WAN.
- Between the two, both interfaces are shielded against behaviors that are appropriate to that side of the firewall. Generally, IDS/IPS catches most of its issues on WAN anyway, so this seems to work out very well.
- You lose speed as soon as you enable either, if your hardware doesn't quite cut it. OPNsense 20.7 is very demanding as soon as there's heavy packet inspection. Enabling both hasn't seemed to cause any extra loss of speed over enabling either by itself.

Title: Re: Is Sensei a good replacement for LAN IDS/IPS?
Post by: ArminF on September 26, 2020, 08:23:35 am
IDS/IPS is a network-layer scanner.
Sensei is an application-layer scanner.

Usually your applications sit in the LAN or DMZ inside your network.
Most setups use Sensei in the LAN and/or DMZ and run IDS/IPS on the WAN side to prevent external scans or attacks on the interface itself.

IDS/IPS can scan application behavior as well, but Sensei tags it better, and you can sort out better what on your network needs to talk to the network or the outside world. Plus, reporting is a good feature of Sensei: drilling down into sessions to see what and how devices are talking, and taking measures.

With the home version of Sensei (99 USD/year) you could then set up different profiles, something like "my son" should not watch TikTok movies, and block the application. So Sensei is more granular when it comes to single apps or profiles.

I do use the free version and block most of the unused apps while running IDS/IPS on the WAN and DMZ.

But you might check your internet speed. I had to reduce the settings on both (Suricata and Sensei) to get a decent speed out of my bandwidth.
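Both replies above recommend the same split (Suricata on WAN, Sensei on LAN/DMZ) and note that IDS/IPS catches most of its hits on the WAN side. Before moving Suricata off an interface, it is worth checking that claim against your own alert log. The script below is an added example, not code from the thread or from the OPNsense or Sensei projects: it reads Suricata EVE JSON lines and groups alerts by which side of the firewall they arrived on. The sample lines are constructed, the interface names (igb0 = WAN, igb1 = LAN) are assumptions, and the log path in the usage note is the OPNsense default as far as I know but should be checked on your box.

```python
import json
from collections import Counter

# Constructed sample Suricata EVE JSON lines (not captured traffic). The
# interface names are assumptions: igb0 is the WAN NIC, igb1 the LAN NIC.
# Signature names are made up for the example. Suricata severity is 1 = high.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-09-24T22:41:17.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"198.51.100.7","dest_ip":"203.0.113.2","dest_port":22,'
    '"alert":{"signature":"SAMPLE SCAN Inbound SSH Scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2020-09-24T22:42:03.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"198.51.100.9","dest_ip":"203.0.113.2","dest_port":443,'
    '"alert":{"signature":"SAMPLE WEB Scanner User-Agent","category":"Web Application Attack","severity":1}}',
    # A non-alert event (flow record): must be ignored by the summary.
    '{"timestamp":"2020-09-24T22:43:10.000000+0000","event_type":"flow","in_iface":"igb1",'
    '"src_ip":"192.168.1.20","dest_ip":"93.184.216.34","dest_port":443}',
    '{"timestamp":"2020-09-24T22:44:55.000000+0000","event_type":"alert","in_iface":"igb1",'
    '"src_ip":"192.168.1.20","dest_ip":"203.0.113.50","dest_port":80,'
    '"alert":{"signature":"SAMPLE POLICY Sync Client Beacon","category":"Potential Corporate Privacy Violation","severity":3}}',
    # Truncated/corrupt line, as happens when tailing a live log.
    '{"timestamp":"2020-09-24T22:45:00.000000+0000","event_type":"alert","in_if',
]


def summarize_alerts(lines, wan_ifaces):
    """Group Suricata alert events by firewall side (WAN vs LAN/DMZ).

    Returns a dict with, per side, the alert count, a Counter of rule
    categories and the most severe level seen (lower number = more severe).
    Non-alert events and unparsable lines are counted under "skipped".
    """
    summary = {
        "wan": {"alerts": 0, "categories": Counter(), "top_severity": None},
        "lan": {"alerts": 0, "categories": Counter(), "top_severity": None},
        "skipped": 0,
    }
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summary["skipped"] += 1
            continue
        if event.get("event_type") != "alert":
            summary["skipped"] += 1
            continue
        # Anything not on a WAN NIC is treated as internal (LAN or DMZ).
        side = "wan" if event.get("in_iface") in wan_ifaces else "lan"
        bucket = summary[side]
        bucket["alerts"] += 1
        alert = event.get("alert", {})
        bucket["categories"][alert.get("category", "unknown")] += 1
        sev = alert.get("severity")
        if sev is not None and (bucket["top_severity"] is None or sev < bucket["top_severity"]):
            bucket["top_severity"] = sev
    return summary


def format_report(summary):
    """Render the summary as a few plain-text lines for a quick read."""
    out = []
    for side in ("wan", "lan"):
        b = summary[side]
        out.append(f"{side.upper()}: {b['alerts']} alert(s), most severe level: {b['top_severity']}")
        for category, n in b["categories"].most_common():
            out.append(f"  {n:>4}  {category}")
    out.append(f"skipped {summary['skipped']} non-alert or unparsable line(s)")
    return "\n".join(out)


if __name__ == "__main__":
    # Runs against the constructed sample; point it at your own eve.json to
    # see where your alerts actually come from before changing interface bindings.
    print(format_report(summarize_alerts(SAMPLE_EVE_LINES, wan_ifaces={"igb0"})))
```

To run it on a real log, replace `SAMPLE_EVE_LINES` with the lines of the EVE file (on OPNsense I believe this is `/var/log/suricata/eve.json`, but verify the path and that EVE output is enabled) and pass your actual WAN interface names. If nearly every alert lands in the WAN bucket, the placement the two replies describe costs you little detection; a busy LAN bucket is the case where you want to look at what Sensei reports for those same hosts before dropping Suricata there.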