OPNsense Forum » English Forums » Zenarmor (Sensei) » Is Sensei a good replacement for LAN IDS/IPS?
Topic: Is Sensei a good replacement for LAN IDS/IPS? (Read 9466 times)
mfsense (Newbie, Posts: 5, Karma: 0)
Is Sensei a good replacement for LAN IDS/IPS?
« on: September 24, 2020, 10:41:17 pm »
Hi everyone,
I'm new to the OPNsense forums and wanted to ask a general question regarding Sensei and Suricata.
I've been using OPNsense with Suricata IDS/IPS on the LAN and so far it has been good. I am new to Sensei and wanted to give it a shot. When I tried to enable Sensei, it asked me to disable Suricata on my LAN connections.
That being said, I'm wondering if anyone could give a short list of the pros and cons of each, whether it makes sense to trade Suricata for Sensei, and so on. There are a lot of discussions about whether to enable IPS/IDS on WAN or LAN, and now Sensei comes into play. I'm lost.
DenverTech (Newbie, Posts: 49, Karma: 3)
Re: Is Sensei a good replacement for LAN IDS/IPS?
« Reply #1 on: September 24, 2020, 11:32:21 pm »
My take on this (right or wrong) has been as follows:
- Sensei does a LOT more than IDS/IPS, but overlaps with it heavily as they use the same engine. As such, I feel confident with Sensei on my LAN interface as it's scanning for much the same things that IDS/IPS do.
- In any situation where there's WAN exposure (web servers, port forwards, etc.), I then also enable IDS/IPS on the WAN.
- Between the two, both interfaces are shielded against behaviors that are appropriate to that side of the firewall. Generally, IDS/IPS catches most of its issues on WAN anyway, so this seems to work out very well.
- You lose speed as soon as you enable either, if your hardware doesn't quite cut it. OPNsense 20.7 is very demanding as soon as there's heavy packet inspection. Enabling both hasn't seemed to cause any extra loss of speed over enabling either by itself.
ArminF (Full Member, Posts: 205, Karma: 11)
Re: Is Sensei a good replacement for LAN IDS/IPS?
« Reply #2 on: September 26, 2020, 08:23:35 am »
IDS/IPS - a network layer scanner
Sensei - an application layer scanner
Usually your applications sit in the LAN or DMZ inside your network.
Most setups use Sensei on the LAN and/or DMZ and run IDS/IPS on the WAN side to prevent external scans or attacks against the interface itself.
IDS/IPS can scan application behavior as well, but Sensei tags it better and lets you sort out more easily what on your network is talking to the network or the outside world. Plus, reporting is a good feature of Sensei: drilling down into sessions, seeing what and how devices are talking, and taking measures.
With the home version of Sensei (99 USD/year) you could then set up different profiles. Something like "my son" should not watch TikTok movies, and block the application. So Sensei is more granular when it comes to single apps or profiles.
I use the free version and block most of the unused apps while running IDS/IPS on the WAN and DMZ.
But you might check your internet speed. I had to reduce the settings on both (Suricata and Sensei) to get decent speed out of my bandwidth.
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!