IDS/IPS system (small footprint) and possibly network analyzer/recorder

I'm trying to figure out what my options are for setting up an additional layer of security behind my router firewall (that's another topic altogether). I don't have a ton of traffic and my ISP speeds range from 10-20Mbps (sometimes 2 connections, so an additional 12Mbps). I'm OK with hooking up a 500GB to 2TB drive to record network data for analysis should something happen. IDK how much "time" 500GB will cover and I suspect it is highly dependent upon Internet usage. I was thinking of using a Raspberry Pi (which version, idk...) as it is small and power efficient. Other small "router like" computers that could handle this are also of interest, but I'm not up on the current offerings of such.

I also need a very reliable router, ideally with multi-WAN support. I'm thinking of using an old Dell 1950 or 2950 PowerEdge server, but that kills the small footprint - but the price is right (I have them). I'd run VMware ESXi 6.0 as the hypervisor or possibly some Linux KVM flavor. From there install the router and IDS/IPS, each on their own VM (if that is best).

I've been away from tech for awhile and don't know if there is anything "new" available (think last 3 years) that will harden my network and tighten security. I'm willing to run Linux, BSD or anything proprietary if it is far superior.

Does anyone have any suggestions?
 
I don't think a Raspberry Pi has that much horsepower. I would run pfSense on either another dedicated machine or run it virtually on the ESXi server.
 
Why not retain? So he doesn't have to sit there for hours on end with Wireshark/another sniffer.
 
Take a look at OSSIM from AlienVault. It is a SIEM that also does vulnerability scanning and can deploy HIPS/HIDS agents to your boxes (though the Linux ones won't push from the console). It's probably overkill, but it will probably do what you want it to do.
 
I second the recommendation on a Fortigate firewall. If you truly want to record every packet, just get a smart switch, span/mirror that port and fire up Wireshark on a PC to capture everything with a rolling HDD buffer. Personally I think that last part is overkill, but that'll do it.
 
Take a look at OSSIM from AlienVault. It is a SIEM that also does vulnerability scanning and can deploy HIPS/HIDS agents to your boxes (though the Linux ones won't push from the console). It's probably overkill, but it will probably do what you want it to do.

^^

I use AlienVault every day at work. I would recommend it as a SIEM tool. If you're willing to deal with the larger footprint of your current boxes, then set up pfSense on one of them?
 
I'm using an APU2C4 running LEDE with a Debian chroot running Suricata in IPS mode with Snorby as a reporting front end. This is also my primary home router. It's quad core x86 with plenty of power and 4GB of memory. I've contributed to LEDE a bunch (formerly OpenWrt) and wrote a bunch of code for the x86 platform to get this thing running and upgrading nicely.

PC Engines apu2c4 product file

It's small, has 3x Intel igb NICs with AES-NI.

It's also running my UniFi controller and a bunch of other random things.



Code:
top - 23:05:36 up 97 days,  3:01,  0 users,  load average: 0.44, 0.35, 0.25
Tasks: 113 total,   1 running, 112 sleeping,   0 stopped,   0 zombie
%Cpu0  :   1.0/0.0     1[|                                                              ]
%Cpu1  :   3.9/0.0     4[||                                                             ]
%Cpu2  :   5.8/0.0     6[||||                                                           ]
%Cpu3  :   7.8/1.9    10[||||||                                                         ]
GiB Mem : 35.4/3.844    [                                                               ]
GiB Swap:  0.0/0.000    [                                                               ]

  PID USER      PR  NI    VIRT    RES  %CPU %MEM     TIME+ S COMMAND
20054 root      20   0 1054.6m 356.3m  19.6  9.1   1545:14 S Suricata-Main
28002 root      20   0    7.8m   1.2m   2.0  0.0   0:00.15 R top
32011 root      20   0 3910.9m 318.1m   2.0  8.1 845:01.71 S java
32032 root      20   0 1216.6m  42.0m   1.0  1.1 493:41.67 S mongod
 2701 104       20   0  344.1m  35.9m   1.0  0.9 645:26.29 S mongod
    7 root      20   0    0.0m   0.0m   0.0  0.0  38:05.70 S rcu_sched
    8 root      20   0    0.0m   0.0m   0.0  0.0   0:01.52 S rcu_bh
    9 root      rt   0    0.0m   0.0m   0.0  0.0   0:01.75 S migration/0
    4 root      20   0    0.0m   0.0m   0.0  0.0   0:00.00 S kworker/0:0
   11 root      20   0    0.0m   0.0m   0.0  0.0  16:20.70 S ksoftirqd/1
 
I'm looking for an IPS appliance too and thought I would chime in.

I looked at the Fortinet appliances. The smallest one is $500 retail + $150/yr subscription. That's pretty expensive, though still cheaper than the smallest Palo Alto firewall. pfSense also has appliances that seem a bit cheaper + no subscription. I wonder how they compare in terms of adware/botnet/malware protection? I don't need full capture, just IPS/NGFW capability.
 
pfSense does not have any valid IPS/IDS capability and doesn't get any subscriptions for anything. Some add-ons can do block lists, but that's about it.
 
Sophos UTM 9. Free for home use up to 50 devices and super feature packed. Runs great on my homemade ITX system.
 
If you want intrusion detection on your network, and this is home, I'd really suggest something passive like Security Onion. I've run a UTM device for years, including with IPS, and I'm getting away from IPS. I'm pretty sure pfSense uses Snort, which is an IPS. Or have they moved to Suricata now? Anyway, I think they're using the Emerging Threats Open rulesets. However, for all the years I've run IPS on my home network, I've had maybe one or two alerts that were anything meaningful over all those years. A good IPS/IDS requires a highly tuned rule set for your network.

I know in the early years I was guilty of just turning on all the rules, but many of the rules aren't helpful. If your IPS has rules enabled looking for attacks on Apple products, but you don't have any, it's a waste of resources. Same thing with Linux servers, web-facing resources, etc. When you do get a seemingly valid hit, you have to decipher it. I was running Security Onion for a while just for fun, and was getting a few hits that appeared valid. However, trying to interpret what the problem was took a lot of time in some cases and just becomes a burden for little or no gain. With Security Onion you'll probably get literally thousands of warnings in a day, week, etc. I basically completely ignored all of them except the "red" ones, and used it mostly for traffic tracking (that was interesting).

I've run Sophos UTM for the last few years, and it's a great product, but it breaks all kinds of functionality. You have to babysit it, and to be honest the majority of devices on my network are bypassed through some of the filters because it just becomes too much work. I really like Sophos, but it also has a nasty problem of ignoring the firewall rules. It processes geolocation blocking first, and then pretty much ignores the rest of the firewall. If you want to block traffic between subnets on your network, say between your wireless and internal networks, you need to set up regex blocking in the web filter. One nice feature about Sophos is that as I recall it has an auto-deprecating feature for older IPS rules. It drops them if they are older, assuming that your devices are properly updated and no longer susceptible to old attacks.

You also have to consider that unless your IPS is running with full certificates for your devices / MITM scanning, it's worthless on most modern websites and only filters based on URLs. It can't see the HTTPS traffic unless it's decrypting it, and that can take a lot more horsepower.

The problem with IDS is that you have to interpret the security alerts--but it doesn't break anything. With an IPS, it actively drops whatever comes up as an alert, and now you're chasing what's maybe broken (or probably a false alarm).

Most of the free rulesets available for IDS/IPS systems are not really actively managed by any company. I think Sophos' rulesets are, but most of them out there are based on community-created rules, such as ET Open and Snort's set. You have to pay for the better, actively managed rule sets. Don't get me wrong, IDS is a very critical and necessary security layer. It requires people dedicated to the task of analyzing and managing traffic and what's going on--something a major corporation can dedicate significant resources to. I've not worked in a corporate environment yet that has had an active IPS running--but I'm sure at least some of them have had a passive IDS with a competent security team.

If you want more info about this, I suggest Richard Bejtlich's book, "The Practice of Network Security Monitoring". He goes through a lot of the theory of network security, monitoring, and then how to achieve it using Security Onion.

I'm not trying to dissuade you from running a certain product. There are a ton of great features on the UTMs that are worthwhile in addition to IDS. Sophos has a fantastic executive report email that I really like, probably the best inline anti-virus software (not ClamAV like the others), and it is extremely solid. It also runs on openSUSE as I recall, which for Linux I like quite a bit. I think the ad blocking is priceless at the network level, and some of the other features like some of the URL blocking are pretty nice as well. I just wanted to provide some info from my experience running UTM/IDS for years. I ran Endian for a while until it kind of fell off (it's back), then Untangle for years, and Sophos for the last few years.
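The rule-tuning point above (don't leave rules enabled for platforms you don't run, like Apple gear or web-facing servers on a home network) can be scripted against a Snort/Suricata rules file. The following is an added example, not code from the thread or from any of the products discussed; the rule lines and SIDs are constructed for illustration, and the output format is the one-SID-per-line form that suricata-update's disable.conf accepts.

```python
import re

# Constructed sample rules in Snort/Suricata syntax. Not real ET Open or VRT
# rules: the sids (9000001+) and messages are made up for this example.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"DEMO SSH brute force attempt"; flow:to_server; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DEMO Mac OSX malware beacon"; flow:established,to_server; content:"/osx/"; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"DEMO Apple iOS profile exploit download"; flow:to_client; content:".mobileconfig"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO Apache Struts OGNL injection"; flow:to_server; content:"ognl"; sid:9000004; rev:3;)
# alert tcp any any -> any any (msg:"DEMO already disabled"; sid:9000005; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"DEMO DNS query to known sinkhole"; content:"sinkhole"; sid:9000006; rev:1;)
"""

# Pull the human-readable msg and the sid out of a rule's option block.
RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);')


def parse_rules(text):
    """Return (sid, msg, enabled) per rule line; a leading '#' means already disabled."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = RULE_RE.search(stripped)
        if m:
            rules.append((int(m.group("sid")), m.group("msg"),
                          not stripped.startswith("#")))
    return rules


def select_irrelevant(rules, keywords):
    """SIDs of enabled rules whose msg names a platform/service absent from this network.

    Whole-word, case-insensitive match so 'iOS' does not hit unrelated words."""
    pats = [re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords]
    return sorted(sid for sid, msg, enabled in rules
                  if enabled and any(p.search(msg) for p in pats))


def disable_conf(sids):
    """Render the SID list in the bare one-sid-per-line form of disable.conf."""
    return "".join(f"{sid}\n" for sid in sids)


if __name__ == "__main__":
    # Home network with no Apple devices and no web-facing Struts servers.
    absent = ["Apple", "OSX", "iOS", "Struts"]
    parsed = parse_rules(SAMPLE_RULES)
    to_disable = select_irrelevant(parsed, absent)
    print(f"{len(to_disable)} of {sum(1 for r in parsed if r[2])} enabled rules to disable")
    print(disable_conf(to_disable), end="")
```

Run suricata-update with the generated file as its disable.conf and the SSH and DNS rules stay active while the platform-specific noise is dropped before it ever reaches the alert queue.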
 