Some "leakage" of packets will occur
-
@cobrax2 said in Some "leakage" of packets will occur:
Thanks, the working of the process I understand
I just don't know if this 'leakage' is big enough to deliver some payload to a target?

That is a very hard to answer question as it depends 100% on the particular exploit and whether or not a single packet is enough to trigger the Snort alert or if Snort needs to see a succession of packets from the stream in order to trigger. So if the exploit can succeed with a single packet, then yes in that case the leakage is very significant as Snort will be unable to prevent the attack (even though it will detect it).
But then also consider that the vast majority of network traffic today is encrypted, even DNS is now via DoT (DNS over TLS). You have VPN traffic, you have SSH traffic, you have encryption with email using smtps and pop3s via TLS, and you of course have pretty much every site on the web using HTTPS over SSL. So very little of the actual conversation happening over TCP (or UDP), and certainly none of the actual packet payload, can even be seen by the IDS/IPS in those streams. So leakage is immaterial when you think about it that way. The rise of end-to-end encryption is the death knell for IDS/IPS unless you implement MITM (man-in-the-middle) interception, and even that is becoming harder and harder to do. Protection is going to have to move to the endpoint devices (the PCs and servers themselves) because that is the only place where "in-the-clear" data could actually be inspected.

We encrypt network traffic so that it can't be "snooped on" by others. Well, an IDS/IPS is going to be one of those "others" that wants to snoop on traffic, but with end-to-end encryption it can't ... .
-
@bmeeks
I'm just a 'power user' let's say, so by no means I fully understand where things are going, but isn't what you are saying that soon a 'cheap' off the shelf router be enough? If all that a firewall can do is block some ports, a pfsense or any other big router will be pointless?
I just switched to pfsense from tomato, to get snort lol
Thanks for taking your time to explain these things to me -
@cobrax2 said in Some "leakage" of packets will occur:
@bmeeks
I'm just a 'power user' let's say, so by no means I fully understand where things are going, but isn't what you are saying that soon a 'cheap' off the shelf router be enough? If all that a firewall can do is block some ports, a pfsense or any other big router will be pointless?
I just switched to pfsense from tomato, to get snort lol
Thanks for taking your time to explain these things to me

Yes, that is basically what I'm saying. I created the Suricata package for pfSense and maintain both that package and Snort for pfSense, so I would love to see them continue in use, but I will be honest and admit that the days of IDS/IPS on intermediary points like firewalls are numbered. It's because of all the encryption. You can't peer into the packet payloads when they are encrypted. All you see is randomized data until it is properly decrypted by use of the correct key. That usually only happens on the two endpoints of a given conversation.
Things like OpenAppID and some of the other Layer 7 DPI technologies are really only examining the headers and some initial preamble parts of a network conversation to try and guess the traffic type (i.e., is it a Netflix stream, a Facebook session, etc.). But they're not looking at the actual content of the packet. Instead, they're looking at the preamble part of a conversation (SNI, for instance). But even that ability is going to diminish as the web continues the push to encrypting and hiding every facet of a network conversation.
-
@bmeeks
Damn, I think that is going to be very bad for people, as from my point of view their computers are and will be always vulnerable...
Also themselves -
@cobrax2 said in Some "leakage" of packets will occur:
@bmeeks
Damn, I think that is going to be very bad for people, as from my point of view their computers are and will be always vulnerable...
Also themselves

The very best cyber security practice is keeping your devices updated with all of the latest security hotfixes. That closes almost all of the "holes" in your systems. Sure there is the occasional zero-day thing, but even an IDS/IPS or antivirus client is no good there as by definition a "zero-day" has never been seen and thus nothing is prepared for that exploit.
-
@bmeeks
What if one uses a proxy on the firewall or somewhere else? Is that proxy able to inspect the packets?
Thanks -
@cobrax2 It is. Or set Pf as an MITM inspector.
-
@cool_corona
Will have to research that, I have no idea how to set this up
Thanks -
@cobrax2 said in Some "leakage" of packets will occur:
@cool_corona
Will have to research that, I have no idea how to set this up
Thanks

While you can implement various MITM solutions, I would never worry about that on a home network. It's way too much hassle for very little reward. A home user is not the target of state-sponsored bad actors, and forcing a proxy/MITM solution on all of the mobile devices, PCs and any IoT devices on your network will be a constant challenge.
If you are just curious and want to learn, have at it. But expect some difficulties like having stuff just not work properly (for example, some sites might not load).
I have a different take on cyber security. I was in the field for about 10 years, so I have actual experience in the corporate world. Home networks are not the same as enterprise networks. As I mentioned earlier for home networks, the best cyber security is fully patched software on client devices. Couple that with a little common sense about what you double-click on (meaning email attachments in particular), and you are almost 100% golden in terms of security. Do some research here on the forum and you will find folks (usually it's the same group of folks) running pfBlocker, DNSBL and/or Snort or Suricata on home networks. They are constantly fiddling with those packages and posting here repeatedly complaining about something not working properly. Their family is upset because something they are trying to access (Hulu, Netflix, Facebook or whatever) is not loading. After much back and forth here on the forum, it always turns out to be one of those packages they have installed and configured that is blocking something critical. Usually it's because they added dozens of "block lists" containing supposed "bad actor" IP addresses without having any real idea what those lists might actually contain. Those free lists are maintained many times by folks who really have no experience in cyber. How else would you explain the Google DNS server IPs getting added to a supposed "bad actor IP" list a few months ago? That broke things for several folks using that list. If the quality control for that list is so bad that it failed to detect the addition of the Google DNS servers IP as "bad", then what level of quality do you suppose exists for the other IP addresses on that list? Maybe they missed a ton of actual bad actors? Or maybe they now have a ton of "good" IPs listed as bad? Yes, I am picking on that one instance a bit, but it is an example of the problem you have with the "block a bunch of IP address space" approach.
Perfectly legitimate IP addresses wind up on the blacklist from time to time, and that in turn leads to issues loading legitimate sites in a browser or other application.
To me, it would not be worth all that trouble and headache when simply keeping your devices updated and not allowing any unsolicited inbound connections is usually all you really need. If you need remote access, configure a VPN for that. You do not need a "privacy VPN" in my view. Some may disagree, but I say it's not worth all the trouble just to keep your ISP from knowing you visited some web site.
If you are protecting a school or corporate network, then yeah, you need additional tools in place for content inspection and perhaps to help enforce a network acceptable use policy. But you do not need all that for a home network in my opinion. And if you are the security admin for an education institution or corporate network, then you should be fully trained by attending formal training classes conducted by qualified individuals.
-
@bmeeks
Lol you are right!
Btw, is there a way to have dnsbl without pfblockerng? Now I have it just as you said, but disabled ip filtering in pfblocker, and snort has a few et and free vrt rules. Things are working ok, just some instability (kernel panic sometimes that I have yet to discover why, for now swapped ram but still had a crash when I changed dns to not push dns server from pppoe to clients)
Thanks again! -
@cobrax2 said in Some "leakage" of packets will occur:
@bmeeks
Lol you are right!
Btw, is there a way to have dnsbl without pfblockerng? Now I have it just as you said, but disabled ip filtering in pfblocker, and snort has a few et and free vrt rules. Things are working ok, just some instability (kernel panic sometimes that I have yet to discover why, for now swapped ram but still had a crash when I changed dns to not push dns server from pppoe to clients)
Thanks again!

I'm not an expert on the DNSBL thing, but in terms of GUI support you kind of need pfBlockerNG-devel in order to implement the DNSBL feature with unbound. That's because the pfBlockerNG-devel GUI code handles the messy tasks of configuring the Python module and managing other configuration settings required to make DNSBL work.

You could certainly configure all that on your own via the command line, but it would not be as easy as "click this, click that" like it is in the GUI.
As for the instability, that can happen as you burden the firewall with more and more things to keep track of while blocking. Adding millions of IP addresses to block from some list, and comparing each incoming packet against each IP on that list is a lot of CPU work and takes lots of state table entries and RAM. However, a single "deny all" rule is the ultimate in efficiency.