What's the point?



  • Firstly sorry for the somewhat clickbait title but it does sum up what I'm thinking right now.

pfSense has, in my opinion, a good firewall that can block IPs, ranges, traffic and loads of different protocols. This makes me wonder what's the point in getting an IDPS such as Snort or Suricata, because don't they basically do the same thing?

    I've watched through tutorials and read a bit into both but they both seem to do the same thing so the question I ask is this: What can an IDPS system do that can't be done with the firewall and what, if any, are the advantages / disadvantages to running them both?

    I also could be misunderstanding something so I apologise if I am.

    John.



  • A firewall blocks on source/dest address or port only. An IDS can scan incoming/outgoing packets for signs of bad stuff and block that. For example, say you have a web server that you are forwarding to the Internet. Unknown to you, your web server is vulnerable to 3 different attacks. A firewall would let the traffic in that would hack your server. An IDS would stop that by looking inside every packet for signatures of known badness. An IDS is like an antivirus for your network.
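To make the distinction in the reply above concrete, here is an added, constructed illustration (not code from the poster, pfSense, Snort or Suricata): a pf-style rule matched on protocol, destination and port, beside a simplified content signature that looks inside the payload. The web server address, the rule set, the signature patterns and the three sample packets are all made up for the example, and the firewall is deliberately stateless (a real pf rule set also tracks state), since the only point being shown is that two requests to the same forwarded port look identical to a port-based rule and different to a payload signature.

```python
"""Constructed illustration (not pfSense, Snort or Suricata code): a firewall
rule decides on the packet's addresses and ports, a signature looks inside
the payload. Both web packets below go to the same forwarded port."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class FirewallRule:
    """A pf-style rule: action on proto/destination/port; payload never examined."""
    action: str          # "pass" or "block"
    proto: str
    dst: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport) == (self.proto, self.dst, self.dport)


@dataclass(frozen=True)
class Signature:
    """A content signature in the spirit of a Snort/Suricata rule (simplified)."""
    sid: int
    msg: str
    proto: str
    dport: int
    content: bytes       # byte pattern that must appear somewhere in the payload


def firewall_verdict(rules: list[FirewallRule], p: Packet, default: str = "block") -> str:
    """First matching rule wins; unmatched traffic falls through to the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def ids_alerts(sigs: list[Signature], p: Packet) -> list[str]:
    """Messages of every signature whose header fields and content both match."""
    return [s.msg for s in sigs
            if s.proto == p.proto and s.dport == p.dport and s.content in p.payload]


def inspect_packet(rules: list[FirewallRule], sigs: list[Signature],
                   p: Packet) -> tuple[str, list[str]]:
    """Firewall first; signatures are only consulted on traffic the firewall passed,
    the way an inline IPS sits behind the pass rule. Returns (verdict, alerts)."""
    verdict = firewall_verdict(rules, p)
    if verdict != "pass":
        return verdict, []
    alerts = ids_alerts(sigs, p)
    return ("drop" if alerts else "pass"), alerts


# Constructed policy: a web server on a documentation-range address (assumed),
# with only TCP/80 forwarded from the Internet.
WEB_SERVER = "203.0.113.10"
RULES = [FirewallRule("pass", "tcp", WEB_SERVER, 80)]
SIGNATURES = [   # sids and patterns are made up for this example
    Signature(1000001, "constructed: directory traversal in HTTP request", "tcp", 80, b"../.."),
    Signature(1000002, "constructed: shell metacharacter in query string", "tcp", 80, b"?cmd=;"),
]

# Constructed packets: a normal request, a traversal attempt to the very same
# port, and an SSH attempt that the port-based rule stops on its own.
NORMAL = Packet("198.51.100.7", WEB_SERVER, "tcp", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
TRAVERSAL = Packet("198.51.100.7", WEB_SERVER, "tcp", 80,
                   b"GET /static/../../../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n")
SSH = Packet("198.51.100.7", WEB_SERVER, "tcp", 22, b"SSH-2.0-client\r\n")


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run all three constructed packets through firewall + signatures."""
    return {name: inspect_packet(RULES, SIGNATURES, pkt)
            for name, pkt in (("normal", NORMAL), ("traversal", TRAVERSAL), ("ssh", SSH))}


if __name__ == "__main__":
    for name, (verdict, alerts) in demo().items():
        print(f"{name:10} -> {verdict:6} {alerts}")
```

Running it shows the firewall alone returning "pass" for both port-80 requests (it cannot tell them apart) and "block" for the SSH attempt, while the signature pass drops only the traversal request. The signature matching here is a plain substring check; real engines add protocol decoding, normalisation and stream reassembly on top, which is also where most of the tuning effort mentioned later in the thread goes.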



  • People are running IDPS just to be fashionable?

    The firewall is that guy at the head of the security line: checks your passport, valid, blah-blah, checks your boarding pass, blah-blah, lets you through.

    The IDPS are those guys by the scanning machine who now want to pat you down, take out your metals, blah-blah.

    Multi-layer security.


  • Netgate

    Though, for the home user, the time spent installing, configuring, tuning, and maintaining Snort would probably be better spent educating the family on what not to do. That will benefit them for life on every network they encounter.