Netgate Discussion Forum

    Hardening Pfsense, with Snort

    General pfSense Questions
      Steelhand

      Hi guys!

      New to this forum, but have been using pfsense for a while, but no expert..
      I'm just looking for best practice regarding hardening pfsense and snort, without using all my time on false positives.
      Just upgraded to 2.4.0..
      Simple config with mgmt, guest and admin vlan.
      Admin can access all, otherwise everything is blocked. No inter-vlan routing.

      Just keen on getting some feedback.. how's your setup?

        Jailer

        Unfortunately, Snort is not a simple plug and play package. You will have to tune Snort to your network traffic and usage, no config here or elsewhere is going to avoid that.

          Harvy66

          I wouldn't say Snort can harden pfSense, but harden your network. If anything, it represents another attack surface against pfSense.

            bcruze

            Snort is a very cool make-you-feel-more-secure app.

            I can tell you from my little use, all it did for me was slow down streaming and stop Netflix and sometimes Amazon Prime videos from streaming properly though... It also blocked my Exchange email going through my smartphone on my home network.

            I tried to resolve all of the issues, but it was just too complicated for me.

              belt9

              I'd recommend just passing on IDS/IPS since you don't have a specific reason to use it and don't already know how to use it.

              You will likely gain nothing but frustration and lost time. Additionally, you will likely piss off the people using the network.

                Velcro

                I say go for Snort, turn it on… if you're worried about blocking traffic, put it in IDS mode first... after a week lock it down with IPS!!! It really depends on your usage... is this home (my spouse lets me know quick) or business with employees?

                It seems a balance between security and usability is the rub! :)

                  Guest

                  > New to this forum, but have been using pfsense for a while, but no expert..

                  It doesn't matter at all, but that said, like mentioned before, Snort and Suricata are not set it up and forget it packets!
                  It'll be more on the need to fine tune more and more and also get new rules for that will be a work for itself.

                  > I'm just looking for best practice regarding hardening pfsense and snort, without using all my time on false positives.

                  We all do! But again it is not a plug and play packet, it can help much and bringing you to running wild too,
                  if there is a DMZ with opened ports and forwarded protocols it might be the best bet to positioning it there,
                  if you are not really sure how to use it, I suggest you to get a small amount of books about your favorite
                  IDS/IPS system such as Snort and Suricata are. That will narrow down the entire time you spend on it.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.