Experienced user needs answers that should be obvious, yet aren't
I'm reviewing my router security and was presented with a question I couldn't answer clearly.
What am I protecting my network from with snort and pfBlockerNG? I have an annual subscription to snort signatures.
No, I have no intention of removing either. I'm finally past all the snort false positives (usually akamai port 80 related).
Here's what I know and or think. In simple terms only, what is missing, right, or wrong?
All ports are closed except for openvpn related ports. No port forwards at this time, although I had one to a slingbox for a while. It turned out it wasn't needed (I think). Is NAT and SPI enough. What is Snort adding?
Snort blocks lots of stuff and the messages sometimes look frightening. For incoming traffic, is it needed or a nice to have? If ports are closed, what is it doing? Is it like a TCP/IP virus checker in a manner of speaking?
If snort blocks something outgoing, did it just potentially save my network from a catastrophe?
re pfblockerNG, I like the way it helps block adware and potential access to bad sites. Country blocking seems like a good idea because I will never access my network from China, for example, so why should I entertain unsolicited connection attempts from them? Belt and suspenders combined with NAT and SPI just in case something new comes around?
I'm trying to get a few short answers so I can explain what seems obvious, but yet I'm not experienced enough to answer them.
Edit next day:
explains a lot. My conclusion is it's great if you have open ports. It's a sort of TCP/IP virus checker … that's not the right terminology but the comparison is close. It inspects traffic and blocks and warns rather than scans disks.
Still unclear is what it does if you have no open ports, or no open ports other than for OpenVPN and what does it do on the LAN side for outgoing traffic? I can understand protecting the WAN port. Assuming no false positive, what is it doing when the LAN side catches something?
I think I learn a little more. Comments welcome.
I was concerned about a snort alert about a ransomware tracker outgoing from my wan to various ip addresses. These were intermittent and, according to logs, have been going on for at least a month.
After research, I THINK it means that snort referred to a list provided from Ransomware Tracker, which claims the IP address is or has at one time been identified as a ransomware related site. My outgoing connection was blocked. Other research stated that if was related to a real infection, my network would be toast by now. No virus scans found anything, three different antivirus programs with multiple scans. It SEEMS active antivirus is better at detecting ransomware at point of contact. Also, I use sandboxie which is said to protect the rest of the system quite well.
First I try to answer your questions in your first post:
1, E.g. Imagine one day a zero day vulnerability is discovered in the openvpn software. With your updated snort ruleset you can protect your unpatched device against disclosing this vulnerability.
2, The example above applies here again. Because the manner TCP connections work snort will block the answer (reply to a LAN connection) coming to your WAN interface if a rule is matching the packet. So in this situation it "doesn't matter" whether a port is closed on your firewall or not.
3, E.g. You accidently or by mistake click to a link in an email message that points to a crypto malware file that would encrypt your whole disk. Snort will block the connection and save you from a catastrophic situation.
4, Pfblockerng will broaden the IPS function by blocking known malicious, attacking IP addresses and DNS addresses thus further protecting your network against malware, spam, ransomware and other threats.
As far as I can tell by reading your second post, that you are not sure why to protect the traffic coming from the LAN interface.
Your network could be attacked not just from the Internet. E.g. someone connects an infected USB drive to a computer in your network which spreads over all the machines. This infection could send private data out of your network BUT snort could block this too.