General question on Snort or other IPS
-
Some of what I've read says that the SG-1100 isn't powerful enough to run IPS? Is that correct, and does the size of the connected network matter? My guess would be no, on the 2nd point.
Anyhow I'm interested in feedback from the community. Thanks.
-
The biggest issue is limited RAM. With an IDS/IPS, you can consume a significant amount of RAM with some rule configurations.
If you have just a typical home network, I would skip using an IDS/IPS and just keep my internal hosts (PCs and whatever) fully up-to-date with security patches. That is 90% or more of "good cybersecurity" right there. Oh, and have an anti-virus client on those endpoints when possible and keep it updated.
IDS/IPS is losing the ability to fully inspect traffic on the firewall or elsewhere in the network due to the exponential rise in end-to-end encryption. Neither Snort nor Suricata can "see" into an encrypted packet payload such as an HTTPS, SSH, or TLS stream. Those packets only get decrypted once they hit their final destination endpoint (meaning your Windows PC, for example). So having the IDS/IPS examining encrypted packets is pretty much useless. Sure, it can see a little about the traffic type by examining the preamble headers and such, but it can't really see the true payload when it is encrypted.
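To make the point about encrypted payloads concrete, here is an added example (my own illustration, not code from the post above or from the Snort/Suricata projects). It builds a constructed plaintext HTTP request, a constructed TLS ClientHello record carrying a Server Name Indication (SNI) extension, and a TLS application_data record wrapping opaque bytes standing in for ciphertext. A byte-search function plays the role of a rule's `content` match. The inspector can pull the SNI host name out of the unencrypted handshake header (the "little about the traffic type" the post mentions), but the same content match that fires on the plaintext request finds nothing in either TLS record. The cipher suite value, the fixed random bytes and the host name `example.test` are all arbitrary sample values.

```python
# Added example: what a payload inspector can and cannot see in TLS traffic.
import struct

# Constructed sample: a plaintext HTTP request, fully visible to an IDS.
HTTP_PLAINTEXT = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record with an SNI extension
    (constructed sample, not a capture)."""
    sni_name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name  # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (
        b"\x03\x03"              # client_version
        + b"\x11" * 32           # client_random (fixed bytes for the example)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # cipher_suites: one arbitrary sample suite
        + b"\x01\x00"            # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def build_app_data(ciphertext: bytes) -> bytes:
    """TLS application_data record (type 23) wrapping already-encrypted bytes."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None for anything else.
    This is the kind of unencrypted metadata an IDS can still read."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len              # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = hs[pos]; pos += 1 + cm_len                # compression_methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:
            # server_name_list: 2-byte list length, then entry type(1) + name length(2) + name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def content_match(payload: bytes, pattern: bytes) -> bool:
    """The essence of a Snort/Suricata 'content' keyword: a plain byte search."""
    return pattern in payload


def inspect_samples(pattern: bytes = b"GET /admin") -> dict:
    """Run the same content match over plaintext and TLS samples; report what is visible."""
    client_hello = build_client_hello("example.test")
    app_data = build_app_data(bytes(range(48)))       # opaque bytes standing in for ciphertext
    return {
        "plaintext_match": content_match(HTTP_PLAINTEXT, pattern),
        "client_hello_sni": extract_sni(client_hello),
        "client_hello_match": content_match(client_hello, pattern),
        "app_data_sni": extract_sni(app_data),
        "app_data_match": content_match(app_data, pattern),
    }


if __name__ == "__main__":
    for key, value in inspect_samples().items():
        print(f"{key}: {value}")
```

Running it shows the content rule firing only on the plaintext request; the ClientHello yields just the host name, and the application_data record yields nothing at all, which is the situation the post describes for HTTPS traffic passing through the firewall.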
-
@bmeeks Ok thank you for that information.
I do use AV on my clients, and install OS and browser updates (literally) daily.