OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: QuaCKeReD on August 03, 2022, 09:57:52 pm

Title: Benefits of zenarmor over suricata?
Post by: QuaCKeReD on August 03, 2022, 09:57:52 pm
Hi All

Pretty new here. Still trying to find my feet.

One question I have is around zenarmor and suricata solutions on OPNsense.

Could someone please let me know the benefits of both?

I am struggling to understand why I should use one over the other - do they provide the same protection, are they complementary to each other, etc.

Any help greatly received 😀

Title: Re: Benefits of zenarmor over suricata?
Post by: sy on August 05, 2022, 04:40:03 pm
Hi,

You can use both, in a scenario where you protect the WAN side with Suricata and the LAN side with Zenarmor.

Suricata will detect and prevent intrusions on the WAN side, and Zenarmor will inspect user traffic on an application basis and report on it in detail. Please see the following documents for the details.

https://www.sunnyvalley.io/docs/#about

https://www.sunnyvalley.io/docs/network-security-tutorials/what-is-intrusion-detection-system#what-are-intrusion-detection-system-ids-tools

Title: Re: Benefits of zenarmor over suricata?
Post by: QuaCKeReD on August 05, 2022, 04:57:28 pm
Thanks 😀 Pretty much what my reading had led to.

From the Zenarmor pages on OPNsense, the only interfaces listed are non-WAN ones. Yet, when linking to the Cloud Portal, an option appears to add the WAN interface, too.

Is this advisable - to use Zenarmor for both internal and external interfaces?

Title: Re: Benefits of zenarmor over suricata?
Post by: rudiservo on August 06, 2022, 01:41:24 pm
> Is this advisable - to use Zenarmor for both internal and external interfaces?

Not really a good idea.
i.e. if you have a DMZ, the added overhead for serving requests will skyrocket and you will have double the logs for the same traffic; you also might not want to include some internal interfaces.

Also, Zenarmor has exceptions for certain domains you add, and these might also be based on traffic going in on the interface, not out.
i.e. it might consider every external connection on the WAN interface as an internal device, so naturally Zenarmor might consider that you have 1000+ devices that aren't really yours; that might not do well in the database and also in the way it logs and analyzes traffic.
It all depends on how Zenarmor is implemented.

Honestly I would keep Suricata with Hyperscan for WAN interfaces and Zenarmor for analyzing and protecting internal interfaces for your end users.
For the DMZ you have other stuff like a WAF (web application firewall) on nginx.
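An added example, not from this thread and not code from Zenarmor, Suricata or OPNsense, that puts numbers on the two objections in the post above (the same flow being logged twice when a DMZ is inspected from both sides, and WAN peers being mistaken for internal devices). It runs over a handful of constructed Suricata EVE-style "flow" records; the interface names (igb0 = WAN, igb1 = LAN, igb2 = DMZ), the local prefixes, and the rule that "everything upstream of the WAN interface looks local" are assumptions that model the behaviour described in the post, not Zenarmor's actual device logic.

```python
"""Model the cost of inspecting the WAN interface with a LAN-oriented engine.

Constructed Suricata EVE-style flow records are summarised two ways: with
only LAN/DMZ interfaces inspected, and with the WAN interface added. The
interface roles and prefixes below are assumptions for this example.
"""
import ipaddress
import json
from collections import defaultdict

WAN_IFACE = "igb0"  # assumed WAN interface name

# Which addresses count as "local devices" when seen on each interface.
# On a LAN/DMZ interface it is that segment's prefix; on WAN it is, in
# effect, everything upstream. This is the assumption the post describes,
# not Zenarmor's real behaviour.
IFACE_LOCAL_NET = {
    "igb1": ipaddress.ip_network("192.168.1.0/24"),   # assumed LAN
    "igb2": ipaddress.ip_network("203.0.113.0/24"),   # assumed DMZ (public)
    WAN_IFACE: ipaddress.ip_network("0.0.0.0/0"),
}


def _rec(iface, src, sport, dst, dport, proto="TCP"):
    """Build one constructed EVE flow record as a JSON line."""
    return json.dumps({
        "event_type": "flow", "in_iface": iface, "proto": proto,
        "src_ip": src, "src_port": sport, "dest_ip": dst, "dest_port": dport,
    })


# Constructed sample: three inbound DMZ connections seen on both the WAN and
# the DMZ interface, two LAN clients browsing out, and one WAN-side probe
# that the firewall dropped (so it never appears on the DMZ side).
SAMPLE_EVE_LINES = [
    _rec("igb0", "198.51.100.7", 40001, "203.0.113.10", 443),
    _rec("igb2", "198.51.100.7", 40001, "203.0.113.10", 443),
    _rec("igb0", "198.51.100.8", 40002, "203.0.113.10", 443),
    _rec("igb2", "198.51.100.8", 40002, "203.0.113.10", 443),
    _rec("igb0", "198.51.100.9", 40003, "203.0.113.10", 80),
    _rec("igb2", "198.51.100.9", 40003, "203.0.113.10", 80),
    _rec("igb1", "192.168.1.20", 51000, "93.184.216.34", 443),
    _rec("igb1", "192.168.1.21", 51001, "93.184.216.34", 443),
    _rec("igb0", "198.51.100.200", 40010, "203.0.113.10", 22),
]


def parse_eve(lines):
    """Parse EVE JSON lines, keeping only flow records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "flow":
            records.append(rec)
    return records


def flow_key(rec):
    """5-tuple identifying a flow regardless of where it was captured."""
    return (rec["proto"], rec["src_ip"], rec["src_port"],
            rec["dest_ip"], rec["dest_port"])


def inspected(records, ifaces):
    """Records captured on one of the inspected interfaces."""
    return [r for r in records if r["in_iface"] in ifaces]


def duplicated_flows(records, ifaces):
    """Count distinct flows logged on more than one inspected interface."""
    seen = defaultdict(set)
    for r in inspected(records, ifaces):
        seen[flow_key(r)].add(r["in_iface"])
    return sum(1 for ifs in seen.values() if len(ifs) > 1)


def device_inventory(records, ifaces):
    """Addresses the engine would register as local devices."""
    devices = set()
    for r in inspected(records, ifaces):
        local = IFACE_LOCAL_NET[r["in_iface"]]
        for addr in (r["src_ip"], r["dest_ip"]):
            if ipaddress.ip_address(addr) in local:
                devices.add(addr)
    return devices


def summarize(lines, ifaces):
    """Log volume, duplicate flows and device count for a set of interfaces."""
    records = parse_eve(lines)
    return {
        "log_records": len(inspected(records, ifaces)),
        "duplicated_flows": duplicated_flows(records, ifaces),
        "devices": len(device_inventory(records, ifaces)),
    }


if __name__ == "__main__":
    print("LAN+DMZ only :", summarize(SAMPLE_EVE_LINES, {"igb1", "igb2"}))
    print("with WAN     :", summarize(SAMPLE_EVE_LINES, {"igb0", "igb1", "igb2"}))
```

On the sample data, inspecting only the LAN and DMZ interfaces yields 5 records, no duplicated flows and 3 devices; adding the WAN interface yields 9 records, 3 flows logged twice, and 7 "devices", four of which are external clients and one scanner. The dropped probe is the one record that Suricata on the WAN side is well placed to see and that a LAN-side engine would never need to store as a device.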

Title: Re: Benefits of zenarmor over suricata?
Post by: QuaCKeReD on August 06, 2022, 03:07:18 pm
Thanks!

Does Hyperscan work better for Suricata on Protectli devices than the default?