
opnips in conjunction to opnsense


ruggerio:
Hello,

I know I am in the wrong forum, but at @opnidp there is no chance of an answer.

I installed opnidp as a separate IDP from my firewall, using a TAP device. Unfortunately, I am completely inexperienced in that matter. :(

Even if it's a TAP device, I think my networks have to be aware of this. And as it isn't an inline IDP, it makes no sense placing it as the default route.

Could anybody help me with the architecture? Where does the device which has the IPS need to be connected? To the WAN port, in front of the firewall?

How would you do this? Thanks for any proposals or ideas. As it is still WIP for me, I appreciate any information.

bunchofreeds:
I think it might be hard for people to help without more information as there are so many ways to do this...

What is your goal?
What is your hardware (virtualisation, if any)?
How is your network set up currently?

Answering these might get a few more replies

I have installed OPNIDS as a virtual appliance to see what it was, however I believe it is still a work in progress and not ready for production deployment. So your intended path of having it as a passive TAP in a LAB would be correct from my perspective.

ruggerio:
First, you are right about work in progress, as the last "release" is 18.9, but the website says it's production. But after installing it, I got the same impression as you.

What I hoped to get is some ideas, like others do, but it makes it easier for others to see what I would like. And just for information: it's a small home network. So, first let me describe the existing network:


evil        ---  WAN-Port          ---  LAN               ---  LAN-Network    ---  NAS, devices, Wifi
internet         PC-Engines APU4        PC-Engines APU-4       8-Port Switch       several VLANs
                 (Port 1)               (Port 3)
                 (DHCP)                 (Private Address)
                 (OPNsense 19.7)
                                   ---  DMZ               ---  DMZ-Network    ---  Several LXC Contain.
                                        PC-Engines APU-4       8-Port Switch
                                        (Port 2)
                                        (Private Address)


Remarks: The PC-Engines APU-4 is the same machine for all mentioned above.

For me, the idea would be to split Suricata off the OPNsense and have OPNids as a passive (I know, it's not inline...) monitor.

- Surveying the internal networks
- Surveying the DMZ
- If possible, surveying the WAN-Port too.

I think having the OPNids in front of the OPNsense would not work for me, as this would make it complicated for servers (web, mail, etc.), as I use Let's Encrypt. I am searching for the "correct" place for the OPNids and I still have not really understood how I get it "sniffing" the networks. Do I still have to do some port mirroring/SPAN for this?

Thanks for any ideas on how others have something similar running. I read lots of information, but still have a knot.

Ruggerio

franco:
I heard that OPNids is allegedly considering becoming a pure OPNsense plugin. That would simplify these setups...


Cheers,
Franco

bunchofreeds:
It would certainly be easier if it was a plugin to OPNsense!

The main issue I see will be needing multiple interfaces on OPNids in your instance.

So your intention is only to monitor your traffic using 'IDS' but not be able to control it using 'IPS'.
I believe you would need an interface on OPNids for each network you want to monitor, being WAN, LAN and DMZ. From what I understand, OPNids has two interfaces out of the box, being WAN and LAN, but most likely it's easy to add additional interfaces assuming you have them physically.

With a TAP setup, the traffic will transparently flow through the TAP, effectively in-line with your network, and then a third port on the TAP goes out to OPNids. So this may not be appropriate as you would need multiple TAPs, one for each network.

Assuming you can create Mirror ports on each of these networks (on the switches that support them), I would probably attempt this and then terminate these to your OPNids appliance.

This would be the least intrusive solution to get to viewing your traffic and be able to help progress the OPNids solution.

There are some caveats though...

Mirror ports only copy traffic at full speed as long as the switch is not overloaded. So at times of high utilisation, you may miss packets etc.
On the LAN and DMZ, you will most likely not see all traffic passing directly between two physical servers connected to the same switch, as these ports will not be mirrored.

Basically a lot of networking and reading up :)
Fun though!

I hope this helps...
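Since a mirror port silently loses packets when the switch is busy, the sensor itself is the place to notice it. The following is an added example (not from this thread or from the OPNids project) that reads the stats.log Suricata writes, assuming per-thread counters are enabled so worker threads are named W#NN-<interface>; the log excerpt and the igb0/igb1/igb2 interface names are constructed for illustration, with one worker per mirror port (WAN, LAN, DMZ).

```python
"""Flag monitored interfaces whose capture drops exceed a threshold."""
import re
from collections import defaultdict

# Constructed stats.log snapshot: one worker thread per mirrored network.
# Real files append a snapshot like this every stats interval.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------
Date: 1/1/2024 -- 12:00:00 (uptime: 0d, 01h 00m 00s)
------------------------------------------------------------------------
Counter                          | TM Name          | Value
------------------------------------------------------------------------
capture.kernel_packets           | W#01-igb0        | 1200000
capture.kernel_drops             | W#01-igb0        | 0
capture.kernel_packets           | W#01-igb1        | 4800000
capture.kernel_drops             | W#01-igb1        | 240000
capture.kernel_packets           | W#01-igb2        | 300000
capture.kernel_drops             | W#01-igb2        | 1500
"""

# counter name | worker thread (W#<n>-<iface>) | cumulative value
LINE_RE = re.compile(
    r"^(capture\.kernel_(?:packets|drops))\s*\|\s*W#\d+-(\S+)\s*\|\s*(\d+)")


def parse_capture_stats(text):
    """Return {iface: {'packets': n, 'drops': n}} for the LAST snapshot.

    Counters are cumulative per thread, so only the newest snapshot is
    read and threads on the same interface are summed together.
    """
    snapshot = text.split("Date:")[-1]
    stats = defaultdict(lambda: {"packets": 0, "drops": 0})
    for line in snapshot.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        counter, iface, value = m.groups()
        stats[iface]["packets" if counter.endswith("packets") else "drops"] += int(value)
    return dict(stats)


def drop_ratios(stats):
    """Fraction of packets the kernel dropped per interface (0.0 if idle)."""
    return {i: (s["drops"] / s["packets"] if s["packets"] else 0.0)
            for i, s in stats.items()}


def overloaded_interfaces(stats, threshold=0.01):
    """Interfaces losing more than `threshold` (default 1%) of their traffic."""
    return sorted(i for i, r in drop_ratios(stats).items() if r > threshold)
```

With the constructed snapshot, igb1 (the busy LAN mirror) is reported at a 5% drop rate while the others stay under the threshold; run it against the real stats.log periodically to know when the mirror port, not the sensor, is the blind spot.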
