Network Security Methodologies

Started by FullyBorked, August 25, 2023, 06:14:16 PM

Wanted to discuss with folks on methodology for securing networks on my network. Currently I have various VLANs internally, a DMZ and two WAN connections. I host a few services on the DMZ, and a WireGuard connection, that is exposed to the internet.

Currently, I have Zenarmor enabled on my internal VLANs, and Suricata on my DMZ connection. Finally, I use CrowdSec on all interfaces.

I like the deeper inspection and rules of Suricata on my DMZ, but I'm not sure about its effectiveness, with transport security preventing it from being super useful nowadays. However, it feels like I'm chewing resources unnecessarily.

My goal is to detect and/or block if there is a compromise of a server on the DMZ; without a SIEM on my network I'm not sure how to get close-ish. In the past IPS/IDS was the answer, but maybe not anymore.

Is the simple answer just to enable Zenarmor on the DMZ as well and disable Suricata? Is there another tool I should be using that I'm not? Should I just rely on CrowdSec and hope for the best 8)

I welcome any thoughts. 

If you are on 23.7, then you can install Wazuh as a SIEM and enable the agent on the OPNsense and other devices to be able to see through traffic. Also, you can try various means of MITM SSL using the OPNsense to be able to see through the secure traffic if needed.

Quote from: lilsense on August 25, 2023, 07:03:50 PM
If you are on 23.7, then you can install Wazuh as a SIEM and enable the agent on the OPNsense and other devices to be able to see through traffic. Also, you can try various means of MITM SSL using the OPNsense to be able to see through the secure traffic if needed.

That's a thought. I'm not familiar with Wazuh, but I'll check it out. In the past, managing a SIEM at home was way more effort than I want to put in. How tough is deployment and tuning of Wazuh? As far as firewall load goes, this would be the better option as the processing is moved somewhere else. It would also give you a wider picture.