OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: keithmcp on April 25, 2018, 11:18:17 pm

Title: IDS or IPS for School Firewall [SOLVED]
Post by: keithmcp on April 25, 2018, 11:18:17 pm
Hi,

Am new to opnsense (coming from other sense), and so far I like it, but I need a little guidance on IDS versus IPS, I am having trouble understanding which would be better for my setup.  The setup is as follows:

Private school with around 180 students and 27 staff.  Internet is 500Mbs up and down (Centurylink FiberPlus).  Each student has a tablet or chromebook and teachers have either a desktop or laptop.  There is one server (Windows 2016) with a CentOS 7 vm that runs OTRS helpdesk which will be internet facing. Based on this, do I need IDS/IPS and if so, which rulesets make the most sense to start off with?

The firewall hardware is a Partaker 1u i5-3317u with 6 Ethernet, 4GB Ram and 128 SSD. 

I have used snort on the other sense, but I just enabled all the ETs, which was probably not smart, but it seems that's what most suggested.  Any input/advice would be very helpful.

Thanks in advance
Title: Re: IDS or IPS for School Firewall
Post by: Ciprian on April 26, 2018, 11:13:28 am
As you might have seen on other topics regarding ID(P)S and rulesets usage best practices/advice, the rules and rulesets to be used are not at all "set it and forget it" quickly.

I recommend reading the docs/explanations for those rulesets found on their corresponding websites, to understand their purpose, and then decide what to activate on your firewall.

I don't think anyone here will even try to give you a plug and play recipe, because there is no such thing. :)
Title: Re: IDS or IPS for School Firewall
Post by: keithmcp on April 29, 2018, 09:01:13 pm
Thanks. That was what I was thinking.  Just wanted to know if anybody had any of the categories that were a must-have no matter what was behind the firewall.  I am going to go through each one and see which ones will work best for me.  I don't think that most will apply as I will only have desktop users behind the firewall and only one LAMP server that will be exposed to the web. I should be able to have a pretty streamlined IPS system.

Again any advice is helpful though.
Title: Re: IDS or IPS for School Firewall
Post by: dcol on May 07, 2018, 12:03:34 am
I just use custom rules for TCP ports and a couple of rulesets in IDS/IPS. But as hutiucip says, every situation is different, requiring specific rules. Some Snort rules are not compatible with Suricata, so watch out for that. Many rules protect resources you may not have. For a school, I would start with the chat, game, malware, trojan, and worm rulesets. Don't go crazy enabling a bunch of rulesets or you will be spending lots of time tweaking it.

Also, where you have many users on the LAN which may generate unpredictable traffic, you may consider IPS on the LAN as well.

You may also consider country blocks in the firewall for all countries outside your own.

In the beginning, plan on keeping a close eye on the blocks to catch false positives.
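One way to do the "keep a close eye on the blocks" part of the advice above, as an added example that is not from this thread or from OPNsense: parse Suricata's EVE JSON alert log (the format OPNsense's IDS/IPS writes) and rank blocked signatures by how many distinct LAN hosts they hit, since a drop rule firing on a large share of the classroom is usually a noisy rule rather than a mass infection. The sample events, the signature ids and names, and the 10.10.0.0/16 LAN range are all constructed placeholders.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Suricata EVE JSON events (not from the thread); the
# field layout follows Suricata's "alert" event type, while the sids, the
# signature names and the addresses are placeholders.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.10.20.11","dest_ip":"198.51.100.7","alert":{"signature_id":9000001,"signature":"TEST CHAT client login","category":"Potential Corporate Privacy Violation","action":"blocked"}}',
    '{"event_type":"alert","src_ip":"10.10.20.12","dest_ip":"198.51.100.7","alert":{"signature_id":9000001,"signature":"TEST CHAT client login","category":"Potential Corporate Privacy Violation","action":"blocked"}}',
    '{"event_type":"alert","src_ip":"10.10.20.13","dest_ip":"198.51.100.7","alert":{"signature_id":9000001,"signature":"TEST CHAT client login","category":"Potential Corporate Privacy Violation","action":"blocked"}}',
    '{"event_type":"alert","src_ip":"10.10.20.14","dest_ip":"203.0.113.9","alert":{"signature_id":9000002,"signature":"TEST TROJAN beacon","category":"A Network Trojan was detected","action":"blocked"}}',
    '{"event_type":"flow","src_ip":"10.10.20.14","dest_ip":"203.0.113.9"}',
    '{"event_type":"alert","src_ip":"192.0.2.5","dest_ip":"10.10.30.2","alert":{"signature_id":9000003,"signature":"TEST WEB scanner","category":"Web Application Attack","action":"allowed"}}',
])
LAN = ip_network("10.10.0.0/16")  # assumed school LAN range (placeholder)

def parse_alerts(text):
    """Yield only alert events; skip other EVE event types and unparsable lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") == "alert":
            yield ev

def summarize_blocks(text, lan=LAN):
    """Per signature id: number of blocks and the set of distinct LAN hosts hit."""
    stats = defaultdict(lambda: {"signature": "", "blocks": 0, "lan_hosts": set()})
    for ev in parse_alerts(text):
        a = ev["alert"]
        if a.get("action") != "blocked":   # IDS-only alerts are not blocks
            continue
        s = stats[a["signature_id"]]
        s["signature"] = a["signature"]
        s["blocks"] += 1
        src = ip_address(ev["src_ip"])
        if src in lan:
            s["lan_hosts"].add(str(src))
    return stats

def false_positive_candidates(text, min_hosts=3):
    """Blocked signatures that hit at least min_hosts different LAN hosts,
    sorted by sid; these are the rules to review (or tune) first."""
    return sorted(sid for sid, s in summarize_blocks(text).items()
                  if len(s["lan_hosts"]) >= min_hosts)
```

Point it at the real eve.json on the firewall and raise `min_hosts` to suit the size of the LAN; the chat signature in the sample is exactly the kind of policy rule that will block many students at once and needs a deliberate decision rather than a default.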
Title: Re: IDS or IPS for School Firewall [SOLVED]
Post by: keithmcp on May 14, 2018, 03:06:08 pm
Thanks to all for the advice, it was helpful.