Best practices for IDS / IPS?


  • I am a noob but love pfSense. I installed SNORT and the personal subscription rule set. I have a balanced policy but had huge trouble streaming anything. No cameras or security products work. I had to put 100+ IPs in IP pass list and now I’m up and running. I’m uneasy because some of those URLs do more than host Amazon Prime streaming. I learned that FQDN is not supported. I’d love some general direction. Do I just whitelist my PS4 and cameras instead? What’s the best practice for allowing traffic in for a variety of services without letting the security level get too relaxed?


  • I've stated this several times in this forum. When you are new to running and administering an IDS/IPS, you DO NOT put it in blocking mode until you have become very familiar with the types of alerts generated on your network and have researched each of them to see which ones are likely false positives. Only after running in alert-only mode for several weeks (and preferably about a month) should you turn on blocking. You disable or suppress the known false positives that trigger in your network environment.

    Failure to follow the advice above puts you where you are: stuff is breaking and you don't really know why. An IDS/IPS is not as simple as an anti-virus app. You can't just install it, turn on some policy you don't really understand and enable blocking and then expect smooth sailing. That's just not how these systems work. They are very complicated and require a deep understanding of what constitutes "normal" traffic for your network.

    "Balanced" is not the correct starting point for someone new to an IDS/IPS. The "Connectivity" policy is much more appropriate. But even there, do not enable blocking for several weeks until you have seen normal traffic patterns in your network and have determined which rules trigger false positives and need to be disabled or suppressed.

    Once you have your system properly tuned, you will have no problems streaming or with anything else. I stream Amazon Prime and Netflix just fine, and surf the web without issue. I have the "IPS Balanced" policy enabled on my LAN. The difference is I have tuned my rules to eliminate false positives. That's what you will have to do. I have zero external IP addresses in a pass list. I am using the default pass list.

    Go read through this long historical thread to get some training and ideas about which rules are prone to false positive and why -- https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.
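    The tuning step bmeeks describes (run in alert-only mode, then find the rules that fire constantly on normal traffic and disable or suppress them) is easier with a tally of the alert log than by eyeballing the GUI. The script below is an added example, not code from bmeeks, the thread, or the pfSense Snort package: it parses lines in Snort's `alert_fast` log format, groups them by SID, and turns the noisiest ones into candidate `gid:sid` lines for a disablesid.conf and `suppress` entries in Snort's threshold syntax. The sample alert lines are constructed (the SIDs are in the local 1000000+ range and match no published rule), and the 25% / three-host thresholds are a heuristic assumption, not anything the package defines; the output is a review list, not something to apply blindly.

```python
"""Tally Snort alert_fast lines to find noisy rules worth disabling or suppressing."""
import re

# Constructed sample alert_fast lines (assumption: local SIDs, no real traffic).
SAMPLE_ALERTS = """\
07/15-20:01:02.000001  [**] [1:1000001:1] LOCAL streaming video client [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:443
07/15-20:01:05.000002  [**] [1:1000001:1] LOCAL streaming video client [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.21:51235 -> 203.0.113.11:443
07/15-20:01:09.000003  [**] [1:1000001:1] LOCAL streaming video client [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.22:51236 -> 203.0.113.10:443
07/15-20:02:10.000004  [**] [1:1000001:1] LOCAL streaming video client [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51240 -> 203.0.113.12:443
07/15-20:03:11.000005  [**] [1:1000001:1] LOCAL streaming video client [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.21:40000 -> 203.0.113.13:443
07/15-20:04:12.000006  [**] [1:1000002:1] LOCAL inbound probe to forwarded port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.168.1.30:8080
07/15-20:05:13.000007  [**] [1:1000003:1] LOCAL camera NTP sync [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.40:123 -> 203.0.113.50:123
07/15-20:06:14.000008  [**] [1:1000003:1] LOCAL camera NTP sync [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.40:123 -> 203.0.113.50:123
"""

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ..]
# [Priority: n] {proto} src:port -> dst:port  (Classification may be absent).
ALERT_RE = re.compile(r"""
    ^(?P<ts>\S+)\s+\[\*\*\]\s+
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+
    (?P<msg>.*?)\s+\[\*\*\]
    (?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?
    \s+\[Priority:\s*(?P<pri>\d+)\]\s+
    \{(?P<proto>\w+)\}\s+
    (?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+
    (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$
""", re.VERBOSE)


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["gid"] = int(fields["gid"])
    fields["sid"] = int(fields["sid"])
    return fields


def summarize(lines):
    """Group alerts by SID: hit count, message, distinct source and destination hosts."""
    stats = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = stats.setdefault(a["sid"], {"gid": a["gid"], "msg": a["msg"],
                                        "count": 0, "srcs": set(), "dsts": set()})
        s["count"] += 1
        s["srcs"].add(a["src"])
        s["dsts"].add(a["dst"])
    return stats


def classify(stats, share=0.25, min_hosts=3):
    """Heuristic triage (assumed thresholds): a rule taking >= `share` of all alerts
    across >= `min_hosts` internal sources is a disable candidate; the same volume
    from a single host is a suppress-by-source candidate; everything else is reviewed."""
    total = sum(s["count"] for s in stats.values())
    actions = {}
    for sid, s in stats.items():
        frac = s["count"] / total if total else 0.0
        if frac >= share and len(s["srcs"]) >= min_hosts:
            actions[sid] = "disable"
        elif frac >= share and len(s["srcs"]) == 1:
            actions[sid] = "suppress_by_src"
        else:
            actions[sid] = "review"
    return actions


def render_tuning(stats, actions):
    """Emit disablesid.conf entries (gid:sid) and Snort threshold.conf suppress lines."""
    disablesid, suppress = [], []
    for sid in sorted(actions):
        s = stats[sid]
        if actions[sid] == "disable":
            disablesid.append(f"{s['gid']}:{sid}")
        elif actions[sid] == "suppress_by_src":
            (src,) = s["srcs"]
            suppress.append(f"suppress gen_id {s['gid']}, sig_id {sid}, track by_src, ip {src}")
    return disablesid, suppress


if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS.splitlines())
    actions = classify(stats)
    for sid, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sid}: {s['count']} hits, {len(s['srcs'])} src hosts, "
              f"{actions[sid]:15s} {s['msg']}")
    disablesid, suppress = render_tuning(stats, actions)
    print("\n# disablesid.conf candidates\n" + "\n".join(disablesid))
    print("\n# threshold.conf suppress candidates\n" + "\n".join(suppress))
```

    Run it against a copy of the alert log collected while in alert-only mode (`summarize(open("alert").readlines())`). The point of keeping "disable" and "suppress by source" separate is the same one bmeeks makes: a policy rule that fires for every household device on ordinary streaming traffic is a candidate to disable outright, while a rule that only trips for one known device (a camera's NTP sync, for instance) is better suppressed for that source so it still alerts if anything else on the LAN starts doing the same thing. The single inbound-probe alert stays in the review bucket rather than being tuned away, since low-volume alerts are exactly the ones that deserve a look.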


  • Hey bmeeks,
    Thanks for the link and thread. I look forward to reading through it. I admire your passion for making sure people are not getting in over their head. I got things up and running. I think I saw your posts similar to this, in another thread. It's good that you are helping so much around here. I think you might have missed my question, though. My question was, "What is the best practice?" Should I not be approaching security from this direction? Should I be using a different tool? I included streaming details so someone could suggest I use OpenID, Suricata, only a firewall ruleset. I won't stop using pfSense, it's amazing.


  • @forestaccounted said in Best practices for IDS / IPS?:

    Hey bmeeks,
    Thanks for the link and thread. I look forward to reading through it. I admire your passion for making sure people are not getting in over their head. I got things up and running. I think I saw your posts similar to this, in another thread. It's good that you are helping so much around here. I think you might have missed my question, though. My question was, "What is the best practice?" Should I not be approaching security from this direction? Should I be using a different tool? I included streaming details so someone could suggest I use OpenID, Suricata, only a firewall ruleset. I won't stop using pfSense, it's amazing.

    Not 100% sure what you mean by "best practice", but I will take a stab anyway.

    If you have a typical home network and you keep all your machines properly patched/updated (say Windows PC or Apple devices of some type), then all you really need is a basic pfSense firewall setup with the default rule set (deny all unsolicited inbound on WAN and allow all inbound from LAN). That's it. Oh -- and probably a decent A/V client on your LAN machines. For my home LAN I use the built-in Windows Defender product on my Windows 10 PCs. Perfectly fine for my uses.

    If you just want to play with an IDS/IPS, then you can install either the Snort or Suricata package. Both are essentially the same in terms of security. Neither is better than the other. They just have different features. Snort offers the OpenAppID technology that Sourcefire/Cisco open-sourced not long ago. That technology can detect certain types of Layer 7 stuff via fingerprinting. However, and this is a BIG however -- unless you are a corporate network where you are trying to restrict employee access to certain apps such as social media, streaming, etc., then OpenAppID is not of much use. Why do you care if you see Facebook or Twitter and other social media traffic on your home LAN? Odds are everyone in your household uses at least one of those kinds of apps. For most home network situations, an IDS/IPS is going to be more trouble than it's worth in terms of security. By that I mean it's likely to block a lot of stuff that folks typically want to use in home networks. That can be "tuned around" if you are very knowledgeable in the field, but it's not a turn-key solution by any means.

    For any kind of remote access into your LAN (home or business), you absolutely want to establish a VPN configuration on pfSense. I don't mean a VPN so you can hide your browsing from your ISP, I mean a VPN server on pfSense and the corresponding VPN client on your remote device (typically phone or tablet) so that you can securely connect back into your home LAN to do things like look at cameras or other smart IoT devices you may have. Depending on port forwards for access into your IoT devices is bad policy in my view. It's just a matter of time before a port scanner finds the device and potentially exploits a vulnerability in its firmware. Just research on the web how many different IoT devices have vulnerabilities that have already been exploited.


  • Thanks bmeeks!
    This is amazing and super helpful. Great details and examples for this greenhorn. I am grateful for your time and help!