Topic: IDS block time (Read 15542 times)
franco (Administrator), Reply #15 on November 20, 2017, 10:49:29 pm:
PS: IDS more or less came from tap-based network scenarios, so there was no way to respond either way, as hardware was not capable of doing inline analysis yet, and that is how the industry treats the IDS / IPS split until today, although hardware and software have caught up.
xinnan (Full Member), Reply #16 on November 20, 2017, 10:53:14 pm:
That wasn't a snipe. Perhaps I need to work on my diplomacy.
franco (Administrator), Reply #17 on November 20, 2017, 10:54:52 pm:
No, I'm not trying to defend anything here, I'm just trying to say what we have and why we have it aside from the fact that other projects may differ in philosophy and implementational details.
Cheers,
Franco
dcol (Hero Member), Reply #18 on November 21, 2017, 12:08:09 am:
Since inline captures before firewall inspection, there is no need to keep offending IPs. That was a necessity with Snort, which used tables to keep a history of offending IPs for the firewall to handle on repeat offenders. But the biggest downside of Legacy is that the first packets do make it inside the network before the firewall has a chance to drop them. Really not a 'true' firewall. Like blocking the fire but letting the sparks in.
So building a system around Suricata inline and abandoning Snort IDS makes for the most hardened firewall you can have. This is what hooked me with OPNsense which I consider the best open source firewall available. Now as a user I need to just concentrate on the IDS rules to get the maximum protection. This is where OPNsense needs to concentrate its resources. Rules management.