Transparent IPS/IDS
-
Hi,
I have a Draytek Vigor 3910 connected to 2 WAN connections.
The 3910 manages VPN connections (OpenVPN and L2TP/IPsec) for remote workers, DHCP, QoS, Firewall, custom DNS routing, load balancing and content filtering.
I would like to place a pfsense device between the 3910, and my LAN.
Ideally I would like the pfsense device to transparently run IPS and IDS services only. Are there any guides, or can someone please give me some assistance, on how best to configure the pfsense device to perform the role I want it to?
The services running on the LAN are;
- A terminal server.
- Domain controller.
- VoIP handsets.
- Regular pc.
- Ip cameras.
we use Office365 for emails and collaboration services.
Cheers,
dooley
-
The IDS/IPS packages for pfSense will not operate properly on a transparent bridge. For your setup with IDS, I would recommend some kind of network tap (or a managed switch powerful enough to support a mirrored or span port). Feed the tapped traffic into an IDS running on a separate server (or VM).
If you want IPS, then you could create a transit network and use the LAN and WAN ports of a pfSense machine as the two endpoints of the transit network. You would turn off NAT in that scenario and just let pfSense route.
Another possible configuration with IPS is a FreeBSD machine (or a Linux one) with two or more free and available network ports. Set up inline IPS operation with Suricata (from the standard FreeBSD ports tree, not the pfSense package) and configure things using a CLI environment. With your setup as described, this method would be my first choice. There would be no pfSense. Simply put FreeBSD or Linux on a bare metal host with two or more NICs, and install Suricata from the FreeBSD ports tree. Then configure it to use an inline IPS operating mode. On FreeBSD you would likely choose netmap, while on Linux you could use one of the other alternatives. You would use two NICs literally in series. They would act as your "transparent bridge". Via netmap on FreeBSD, for example, Suricata would copy packets between the two physical NICs, and drop (or simply not copy) packets that triggered a DROP rule.
-
@bmeeks said in Transparent IPS/IDS:
If you want IPS, then you could create a transit network and use the LAN and WAN ports of a pfSense machine as the two endpoints of the transit network. You would turn off NAT in that scenario and just let pfSense route.
Would this impact users connecting to the Draytek using VPN, then accessing the terminal server?
Currently the LAN range on the network is 192.168.10.0/24, and that is handled by the Draytek. Would I configure the pfsense box to run in DHCP relay mode and use a LAN port on the pfsense box as the "uplink" for want of a better term, for the existing LAN?
I'm not clear on how I would configure the LAN/WAN ports on the pfsense box so it handles the transiting of the traffic without causing issues.
-
@dooley said in Transparent IPS/IDS:
@bmeeks said in Transparent IPS/IDS:
If you want IPS, then you could create a transit network and use the LAN and WAN ports of a pfSense machine as the two endpoints of the transit network. You would turn off NAT in that scenario and just let pfSense route.
Would this impact users connecting to the Draytek using VPN, then accessing the terminal server?
Currently the LAN range on the network is 192.168.10.0/24, and that is handled by the Draytek. Would I configure the pfsense box to run in DHCP relay mode and use a LAN port on the pfsense box as the "uplink" for want of a better term, for the existing LAN?
I'm not clear on how I would configure the LAN/WAN ports on the pfsense box so it handles the transiting of the traffic without causing issues.
Working out the routing would be tricky, but possible.
However, I really think my third solution of a separate non-pfSense box using Suricata with netmap and inline IPS mode is the best solution. In that setup, the NICs would not actually have any IP address. They would just be enabled and Suricata would take them over and copy traffic between them at line rates using netmap.
You could have a third NIC in this IPS box for management and to load software and such. So three NICs, but only one actually has an IP address. The other two are like a series IN/OUT connection between your Draytek box and your LAN.
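As an added illustration of the two-NIC netmap arrangement described above (this is not configuration from the thread or from the Suricata project; the interface names igb1 and igb2, and Suricata 6 on FreeBSD, are assumptions), the relevant part of suricata.yaml would look like this:

```yaml
# suricata.yaml excerpt (added example; igb1/igb2 are assumed interface names).
# igb1 faces the Draytek, igb2 faces the LAN switch. Neither NIC carries an IP
# address; they are only brought up ("ifconfig igb1 up" / "ifconfig igb2 up") so
# that netmap can take them over. The third, management NIC is not listed here.
netmap:
  - interface: igb1
    threads: auto
    copy-mode: ips        # forward to copy-iface only when no drop rule matched
    copy-iface: igb2
    disable-promisc: no   # the bridge must see every frame, not just its own MAC
    checksum-checks: auto
  - interface: igb2
    threads: auto
    copy-mode: ips
    copy-iface: igb1
    disable-promisc: no
    checksum-checks: auto

# "auto" switches the stream engine to inline handling when Suricata runs as an
# IPS, so a drop acts on the packet in hand rather than after reassembly.
stream:
  inline: auto
```

Validate with `suricata -T -c /usr/local/etc/suricata/suricata.yaml` and then start it with `suricata -c /usr/local/etc/suricata/suricata.yaml --netmap`. One caveat to plan for: in copy-mode ips nothing but Suricata moves frames between the two NICs, so if the process stops or crashes the LAN is cut off from the Draytek until it is started again (the bridge fails closed, not open).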
-
@bmeeks Thanks, I'll have a look into your suggestion, though I'm not well versed in Linux so it would be a bit of a learning curve. The Draytek has port mirroring capabilities though, so maybe.
That said, I would feel more comfortable working through the routing situation than trying to configure a CLI OS that I am very unfamiliar with.
-
@dooley said in Transparent IPS/IDS:
@bmeeks Thanks, I'll have a look into your suggestion, though I'm not well versed in Linux so it would be a bit of a learning curve. The Draytek has port mirroring capabilities though, so maybe.
That said, I would feel more comfortable working through the routing situation than trying to configure a CLI OS that I am very unfamiliar with.
With port mirroring, you need a VERY high capability piece of hardware because every packet from every port has to be copied to the mirror port. Obviously if we are talking gigabit here, then your mirror port may actually need to be a 10G port.
Do some Google research on "transit networks", and you should be able to figure out the routing from there. But still, performance will be much more limited with a pfSense box in the mix. That's due to the lack of RSS in the kernel, and the fact a host stack interface would be used by netmap. If you went the bare metal way with inline IPS as I recommend, you would get full line rate with no sweat.
-
@bmeeks said in Transparent IPS/IDS:
If you went the bare metal way with inline IPS as I recommend, you would get full line rate with no sweat.
Do you have any suggestions where I can get a start on sourcing info to head in this direction?
I appreciate your input @bmeeks and you taking the time out of your day to give me guidance on this matter.
-
@dooley said in Transparent IPS/IDS:
@bmeeks said in Transparent IPS/IDS:
If you went the bare metal way with inline IPS as I recommend, you would get full line rate with no sweat.
Do you have any suggestions where I can get a start on sourcing info to head in this direction?
I appreciate your input @bmeeks and you taking the time out of your day to give me guidance on this matter.
First, you will need to get comfortable working with either FreeBSD or Linux at the command line interface. Both are more or less the same. I would tilt towards FreeBSD simply because that is what pfSense is based on, and FreeBSD is said to have the better network stack.
Install FreeBSD (or Linux) on suitable hardware. As I mentioned, you will need three NICs to make things easy. One is your management interface and should get an IP address from your LAN. The other two get no address assigned. They are simply going to be input and output ports running in promiscuous mode.
Next you install Suricata on the machine. On FreeBSD, there is a package in the ports tree. For Linux, there are also suitable packages available for installation.
Here is the official Suricata documentation: https://suricata.readthedocs.io/en/suricata-6.0.4/.
Here is the subsection for configuring IPS Inline Mode on Linux: https://suricata.readthedocs.io/en/suricata-6.0.4/setting-up-ipsinline-for-linux.html.
And here is a link showing how to install Suricata in IPS mode on Ubuntu Linux: https://www.digitalocean.com/community/tutorials/how-to-configure-suricata-as-an-intrusion-prevention-system-ips-on-ubuntu-20-04.
One last thing I will mention is that administering an IPS is a big challenge and requires quite a bit of knowledge and experience. If you are new to this, prepare to be very frustrated initially by false positive blocks. For that reason, you really should run a setup in IDS mode for a month to see what alerts get triggered on your network. You then selectively "tune" your rule set to get rid of false positives. Only then should you turn on the blocking of traffic using IPS mode.
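The "run in IDS mode first, then tune" step above is where most of the work is, and it is easier with a little tooling. The script below is an added example (not code from the thread or from the Suricata project) that reads Suricata's eve.json alert log, ranks signatures by how often they fired, and drafts narrow threshold.config "suppress" entries for signatures that fire constantly from a single internal host, which is the usual false-positive pattern (a server talking to a cloud service). The sample alert lines, signature ids 2100001 to 2100003, the 192.168.10.0/24 internal range from the thread, and the count and share thresholds are all constructed or assumed for the illustration.

```python
"""
Triage Suricata eve.json alerts from an IDS-mode trial run and draft
threshold.config suppressions for noisy signatures.

Added example, not from the forum thread or the Suricata project.
All sample data below is constructed; signature ids are made up.
"""
import ipaddress
import json
from collections import Counter


def _alert(ts, sid, sig, src, dst):
    """Build one constructed eve.json alert line in the shape Suricata writes."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "proto": "TCP",
        "alert": {"gid": 1, "signature_id": sid, "rev": 1, "action": "allowed",
                  "signature": sig},
    })


# Constructed sample: a month of IDS-mode output boiled down to a few patterns.
SAMPLE_EVE_LINES = (
    # 40 hits of one signature, always from the domain controller to one cloud IP
    [_alert(f"2022-03-{d:02d}T09:00:00.000000+0000", 2100001, "EXAMPLE noisy policy rule",
            "192.168.10.5", "52.96.0.10") for d in range(1, 31)]
    + [_alert(f"2022-03-{d:02d}T13:00:00.000000+0000", 2100001, "EXAMPLE noisy policy rule",
              "192.168.10.5", "52.96.0.10") for d in range(1, 11)]
    # 3 hits of a scan signature from 3 different external sources
    + [_alert("2022-03-05T02:00:00.000000+0000", 2100002, "EXAMPLE inbound scan",
              f"203.0.113.{n}", "192.168.10.20") for n in (7, 8, 9)]
    # a single hit that deserves a human look rather than a suppression
    + [_alert("2022-03-12T11:30:00.000000+0000", 2100003, "EXAMPLE malware callback",
              "192.168.10.44", "198.51.100.9")]
    # a non-alert event type, which must be ignored
    + [json.dumps({"timestamp": "2022-03-12T11:30:01.000000+0000", "event_type": "flow"})]
    # a truncated line, as happens when the log is rotated mid-write
    + ['{"timestamp": "2022-03-13T00:00:00.000000+0000", "event_ty']
)


def parse_alerts(lines):
    """Return the alert records from eve.json lines, skipping other events and junk."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line from log rotation
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Group alerts by signature id: total count and per-source-IP counts."""
    summary = {}
    for rec in alerts:
        sid = rec["alert"]["signature_id"]
        entry = summary.setdefault(sid, {"signature": rec["alert"]["signature"],
                                         "count": 0, "by_src": Counter()})
        entry["count"] += 1
        entry["by_src"][rec["src_ip"]] += 1
    return summary


def draft_suppressions(summary, internal_net, min_count=20, dominant_share=0.9):
    """
    Draft threshold.config 'suppress' lines for signatures that fire at least
    min_count times with at least dominant_share of the hits from one internal
    host. Suppressing by source IP keeps the rule active for everyone else,
    which is safer than disabling the rule outright. Everything that does not
    match the pattern is left for manual review.
    """
    net = ipaddress.ip_network(internal_net)
    lines = []
    for sid, entry in sorted(summary.items()):
        if entry["count"] < min_count:
            continue
        src, hits = entry["by_src"].most_common(1)[0]
        if hits / entry["count"] < dominant_share:
            continue
        if ipaddress.ip_address(src) not in net:
            continue
        lines.append(f"# {entry['signature']} ({hits}/{entry['count']} from {src})")
        lines.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
    return lines


def review_order(summary):
    """Signature ids in the order a human should look at them: noisiest first."""
    return [sid for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_EVE_LINES))
    for sid in review_order(summary):
        e = summary[sid]
        print(f"{sid}\t{e['count']:5d}\t{e['signature']}\t{dict(e['by_src'])}")
    print("\n".join(draft_suppressions(summary, "192.168.10.0/24")))
```

To run it against a real trial, replace SAMPLE_EVE_LINES with the lines of /var/log/suricata/eve.json (or wherever the outputs section of suricata.yaml points) and paste the emitted suppress lines into threshold.config after checking each one by hand. The single "malware callback" hit is deliberately not suppressed: low-volume alerts from workstations are exactly the ones to investigate before switching any rule to drop.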