To Snort or not & pfBlocker

aljames

A newbie question. For a home network including a NAS storage server, NextCloud, and remote access OpenVPN, is IPS/IDS necessary, or is pfBlocker enough?

I’m also not clear if Snort or Suricata is better. Does the new Snort use multithreads?

Thanks

aljames

I am planning to implement both Snort & pfBlocker but I guess my real question is more about implementation sequence such as which one to set up first, and are there settings to be aware of so that these protection screening applications play nice with OpenVPN?

KOM

They don't do the same job so they're hard to directly compare. pfBlocker is good for geo-blocking and DNS blackholing, among other things. Snort/Suricata are true IDSes that inspect packet contents against a ruleset and then reject further traffic from bad hosts.

I don't use either so I have no guidance about installation sequence.

Raffi_

I would suggest looking at this thread.
https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface

Bill lays out great advice for a start with IDS/IPS. I think this pretty much applies to both Snort and Suricata.

I personally started out using Snort, but ran into an error which caused Snort to fail starting up. If I remember, I think it was due to typos in a set of rules during an update. So it was not technically an issue with Snort, but Snort wasn't able to handle it very well. I don't know if that has changed since then, but to me that was a deal breaker. I switched to Suricata and it has been great since. Suricata does not support all the different lists that Snort does such as the OpenAppID, but to me having an IPS running is more important than having one that does not run at all due to a mistake in a rule.

Raffi

bmeeks

There is no security significant difference between Snort and Suricata. Both do essentially the same thing, and both do it well. Each package has its own "selling points", but some of them are more fluff than anything else. For example, Suricata is multi-threaded while Snort is not, but that really makes about zero difference in the actual throughput under real-world traffic conditions. Under limited laboratory test setups, yes multi-threaded can be slightly better; but with the mix of packet types you get with real-world network traffic some of the multi-threaded advantages disappear because at some point in the processing chain those threads need to all get back out to the same place (the network stack). Snort does offer their OpenAppID Layer 7 inspection engine and associated stub rules. Suricata has nothing like that. Suricata, on the other hand, will simply log an error and reject any rule with a syntax error when loading rules. Snort will totally barf and refuse to continue startup when it encounters a rule syntax error.

kashifz

Hi, Aljames, To answer your first part of question, yes IPS/IDS necessary if you want to protract your data, pfBlockerNG is a simple tool works with list of IP addresses, a good tool to prevent bad IP addresses to communicate with your network but IPS perform much more than that, it make decisions of allow or deny using defined rule sets.
You can use PfBlockNG along with snort or Suricata initially but eventually it will cost you more hardware, for better performance you can use PfBlocker ACL's in SNORT or Suricata both use multitheads and equally good.
I hope you will get your answer, please let me if you want me to add more.

johnpoz

@kashifz said in To Snort or not & pfBlocker:

yes IPS/IDS necessary if you want to protract your data,

Sorry but NO IT ISN'T!!

Nor is pfblocker a requirement...

Only thing you mention that might have any sort of inbound traffic would be your nextcloud... Where exactly are you going to be accessing this nextcloud from? Who will be using it an how? If you want to access your nextcloud data while your remote - you can just vpn in.

Saying you need a IDS/IPS to secure your data is like saying you can not be safe in your home without seal team six guarding it..

bmeeks

@johnpoz is correct. Having an IDS/IPS or pfBlockerNG is not mandatory to secure your data. They are just two of many different tools that when used in the right context for the right reason can enhance security. But they are not required. It all depends on the specific network that needs protection and what constitutes "normal" traffic on that network.

My personal opinion is that most small home networks really don't need either package. The very best security practice is simply being committed to keeping your software packages updated. This means the firewall itself and of course any client applications on PCs, tablets, phones, etc. That simple practice goes a very long way towards enhancing security.

If you have network users at home that are what I call "free clickers" (meaning they will click on any link anywhere .. ), then it might be helpful to have some additional tool such as an IDS/IPS or pfBlockerNG to help protect those users from themselves. On the other hand, if you have responsible, alert and careful users (that watch what they click), you very well need nothing else besides maybe the built-in anti-virus that comes with Windows just so you can scan any files you download.

In a business network, there are other considerations where using an IDS/IPS or a tool such as pfBlockerNG with its geo-blocking capability is helpful to security. A great use of an IDS/IPS in a business network is to let it scan outbound traffic using rules that look for malware CNC server and botnet destinations, traffic destined to known untrusted countries, or any other traffic that should not normally be exiting your network. For example, if you have internal DNS servers that clients are configured to use, you could have a rule that would alert on any outbound DNS request that did not originate from your internal DNS server. Another handy thing for business networks would be using Snort's OpenAppID technology to identify non-work related traffic that violates a business policy.

I am not a fan of having a list of say a couple of million IP addresses that my firewall is actively blocking. I would instead turn that around and be much more specific with what I allow in and then let the default deny rule take care of everything else. Your firewall will sweat a lot less and you won't have memory and stability issues caused by having huge IP block lists. Do a quick search here on the forum for users posting about Unbound problems that are frequently the result of having huge DNS blacklists enabled. I know some folks use this feature for ad blocking, but I prefer to do ad blocking at the client level using tools like uBlock Origin in the browser. Between that and AdBlock for YouTube I don't see a single add on any web site I visit or any YouTube video I watch. Granted I'm an old fart and do my web browsing on a PC where the screen is big enough for me to see it ... . Maybe if all my browsing was on my iPad or iPhone, where ad blockers are not as prolific, I might go for something like Pi-Hole or DNSBL.

Just my two cents worth for the debate ...
Bill