OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: gambrinus on May 03, 2018, 01:47:34 pm

Title: WAN or LAN on Small Home Network?
Post by: gambrinus on May 03, 2018, 01:47:34 pm
Hi. Fairly new to all this. Simple set-up, so far.

WAN > ISP MODEM > OPNSENSE > LAN and WIFI (bridged)

Small home network. WIFI Bridged to LAN (working, but not quite there yet. WIFI drops when LAN activity ceases for a while).

Have Suricata watching over the WAN but I ask myself... wouldn't Suricata be better provisioned if it was watching the LAN (and therefore also the WIFI, I assume)? Given that the firewall will be dealing with the WAN.

Thanks.

Title: Re: WAN or LAN on Small Home Network?
Post by: dcol on May 06, 2018, 11:40:42 pm
IDS is looking for signatures from unwanted traffic. Unless you have that on your LAN, IDS is better suited for the WAN where the real danger is. I only use IDS on a LAN when I have an untrusted LAN network, i.e. unknown users.

When using IPS, if you use LAN then the IDS will be behind the firewall. The preferred method is to have IDS in front of the firewall with inline IPS.
Title: Re: WAN or LAN on Small Home Network?
Post by: gambrinus on May 13, 2018, 03:57:09 pm
It makes logical sense, as you explain, to set up the inline detection on the WAN. Much thanks and apologies for not getting back to you sooner.

No longer having problems with WIFI failing when the LAN goes quiet. Not sure what I did or even if I did anything. Was maybe fixed by incorporating an unmanaged switch. Perhaps that keeps the LAN alive, and consequently the WIFI.

Title: Re: WAN or LAN on Small Home Network?
Post by: fabian on May 13, 2018, 04:04:48 pm
Just for your information: I would not recommend running IPS on WAN because it makes no sense to let the IDS read traffic that is dropped by the firewall anyway. If you want to use it to check the inbound traffic, I would select the DMZ interfaces because this way, it does not need to read garbage traffic (improved performance).
Title: Re: WAN or LAN on Small Home Network?
Post by: gambrinus on May 13, 2018, 04:50:02 pm
Thanks, fabian. I'm keeping a close watch on degradation. We're running here on an APU2 (with a palm-sized gigabit switch that runs off 5V 600mA, so I have it plugged into the router's USB). The APU2 has a fair bit of oomph, as I expect you're aware.

I'm chuffed to have got this far. The internet speeds are much snappier. We migrated here from an Asus Merlin. We're not heavy users and we don't need intense streaming, but like almost everyone these days, we're like cold turkeying lab rats if the internet breaks.

I'm taking it steady. Learning now how to hone the logs and what to watch out for. This is why I love opensource. It's technological freedom.

Excuse the ramble. On balance, the performance hit of facing Suricata on the WAN isn't a big deal on a simple and low-use home network such as ours. And it is working now, very stable. I imagine this becomes more of an issue the greater the load becomes? I guess there was some insight going on in my original question.

Cheers.
Title: Re: WAN or LAN on Small Home Network?
Post by: dcol on May 26, 2018, 08:06:53 pm
IMO I guess it depends on how you use IPS. If you have a zillion IDS rules, I agree, too much to process on the NIC. But for me, I stop all unused ports with just a few custom rules, which makes for better performance on the backend. Why let unwanted traffic into the firewall at all? If your hardware can handle it, stop the traffic at the source.
Title: Re: WAN or LAN on Small Home Network?
Post by: gambrinus on June 01, 2018, 01:51:26 am
Thanks dcol. I'd just popped back to swot up on how to be a little bit more tyrannical with my firewall rules. And saw your reply.

I really like the logic of blocking unused inbound ports outright. Must be a guide somewhere?

Although I'd come back here with outbound blocking in my mind.

It does seem that the internal wifi of a PC Engines APU2 is somehow made stable when bridged to the LAN by simply plugging in an unmanaged switch. I've since read that lots of people have trouble with the WIFI dropping out a lot -- as I did -- and this is a solution of sorts. Or, I could be wrong, and something else fixed it, like an update!

But we're about a month in now and OPNSense is extraordinarily stable and robust, and snappy. The investment of time and effort has been worth it.
Title: Re: WAN or LAN on Small Home Network?
Post by: dcol on June 04, 2018, 05:44:47 pm
I have three custom rules that take care of all unused TCP ports. These will get you started.

pass tcp $EXTERNAL_NET [25,80,443,465,587,993] -> $HOME_NET any (msg:"ports1"; sid:9900001; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET [25,80,443,465,587,993] (msg:"ports2"; sid:9900002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Golden Rule TCP"; classtype:bad-unknown; sid:9900003; rev:1;)

Just add the ports you want to pass to the pass rules. Everything else is blocked from entering your firewall. Simple, easy, and uses little overhead. Pass rules always execute before drop rules. I let the firewall handle UDP. Just make sure you have the $HOME_NET IPs in the IDS advanced mode Home Networks setting.
$EXTERNAL_NET is any IP that is not in the $HOME_NET list.

These rules work well in a business environment where you really want to control TCP traffic. Not so well in a home with lots of gaming, torrents, and who knows what traffic without a lot of tweaking. These example pass rules are set up in a business environment running email and web servers.

You can change the $HOME_NET value to any IP that you want to restrict the ports. For example, if you have one server at external IP 99.99.99.100, then use the following pass rules so that your other networks will not be affected.

pass tcp $EXTERNAL_NET [25,80,443,465,587,993] -> 99.99.99.100 any (msg:"ports1"; sid:9900001; rev:1;)
pass tcp $EXTERNAL_NET any -> 99.99.99.100 [25,80,443,465,587,993] (msg:"ports2"; sid:9900002; rev:1;)

This will protect the server @99.99.99.100 and not affect the LAN network. Again, in this example, add 99.99.99.100 to the Home Networks.
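To make the pass-before-drop ordering that the rules above rely on concrete, here is an added Python model (example code, not OPNsense or Suricata code) that parses dcol's three rules and applies Suricata's default action order (pass, drop, reject, alert) to a sample packet. The HOME_NET value and the packets are constructed for the example.

```python
import ipaddress
import re

# Constructed for this example: what you would enter in the IDS advanced-mode
# "Home networks" setting (not a value from the thread).
HOME_NET = ["192.168.1.0/24"]

# Suricata's default action order; lower number wins when several rules match.
# This is why the two pass rules beat the broader "Golden Rule" drop.
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}

# dcol's three rules from the post above.
RULES = [
    'pass tcp $EXTERNAL_NET [25,80,443,465,587,993] -> $HOME_NET any (msg:"ports1"; sid:9900001; rev:1;)',
    'pass tcp $EXTERNAL_NET any -> $HOME_NET [25,80,443,465,587,993] (msg:"ports2"; sid:9900002; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Golden Rule TCP"; classtype:bad-unknown; sid:9900003; rev:1;)',
]

HEADER_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

def parse_rule(text):
    """Split a rule header into its fields; only the sid is pulled from the options."""
    action, proto, src, sport, dst, dport, opts = HEADER_RE.match(text).groups()
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sid": sid}

def addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    home = any(addr in ipaddress.ip_network(n) for n in HOME_NET)
    if spec == "$HOME_NET":
        return home
    if spec == "$EXTERNAL_NET":  # anything that is not in HOME_NET
        return not home
    return addr == ipaddress.ip_address(spec)  # literal IP such as 99.99.99.100

def port_matches(spec, port):
    if spec == "any":
        return True
    return port in {int(p) for p in spec.strip("[]").split(",")}

def verdict(proto, src, sport, dst, dport, rules=RULES):
    """Return (action, sid) of the winning rule, or ('accept', None) if nothing matches."""
    hits = [r for r in map(parse_rule, rules)
            if r["proto"] == proto
            and addr_matches(r["src"], src) and port_matches(r["sport"], sport)
            and addr_matches(r["dst"], dst) and port_matches(r["dport"], dport)]
    if not hits:
        return ("accept", None)  # IPS does not touch the flow; the firewall decides
    best = min(hits, key=lambda r: ACTION_ORDER[r["action"]])
    return (best["action"], best["sid"])
```

Because `addr_matches` also accepts a literal address, the same function evaluates the 99.99.99.100 variant of the pass rules once that IP is added to HOME_NET.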
Title: Re: WAN or LAN on Small Home Network?
Post by: gambrinus on June 07, 2018, 06:00:39 pm
Appreciate the generosity there, dcol. You've given me a fine head-start. Have never been much good at firewall rules. Never had that aha moment I've managed with other things. But can adapt other people's rules, so fantastic.

I'll spend a bit of time this coming weekend working out which ports various services use. No gaming or torrents, which'll save a few headaches, but I do like to use OSMC from time to time (Kodi variant if you've not heard of it). That might prove a stumbling block. Here's hoping it doesn't. Other than that it's just surfing, email and, occasionally, a bit of testing of nginx stuff. Also hoping to make motionEye OS available to remote viewing. Just so much on the list...

Best wishes and thanks again.

Title: Re: WAN or LAN on Small Home Network?
Post by: dcol on June 09, 2018, 12:59:37 am
Easy to tweak. Just keep your eye on the IDS Alerts. It will show you any blocked ports. If they are legit, then add them to the pass rule.