Snort/Suricata/Etc. for web hosting
-
Hello!
Setting up a new pfSense firewall sitting in front of some web servers, and looking for advice on what - if anything - I may want to run other than pfBlocker.
Basic network looks like this:
VIPs using ProxyARP (should I be using IP Aliases?) with 1:1 NAT to the web servers.
VLAN1/Default (Management LAN)
VLAN10 (Managed Plesk web servers for shared hosting)
VLAN20 (Client A VMs: Mix of web and sql)
VLAN30 (Client B VMs: Mix of web and sql)
Plan is to isolate VLAN traffic by blocking RFC1918 addresses on the VLANs, but allowing DNS back to the pfSense. Seems to be working in the lab.
pfBlocker seems to do a good job of filtering by geo and lists. I don't have any experience with Snort or Suricata - would these be a good fit for this application, or are they more geared toward typical home/office networks and client workstations? What I don't want to do is introduce something that causes a headache with web and mail servers. Thanks in advance for any help!
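The VLAN isolation plan above, written out as an added illustration (not code from the thread or from pfSense itself) in the pf syntax pfSense generates from its per-interface GUI rules; the interface names vlan20/vlan30 and the specific rules are assumptions. The point it shows is rule order: pfSense evaluates an interface's rules top-down with first match winning, so the DNS allow has to sit above the RFC1918 block or the resolver on pfSense becomes unreachable from that VLAN.

```pf
# Assumed interface names; the same three rules are repeated on each client VLAN.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. DNS from VLAN20 hosts to the pfSense address on this VLAN only.
#    Must come before the block below (first match wins).
pass in quick on vlan20 inet proto { tcp, udp } from vlan20:network to (vlan20) port 53

# 2. Isolation: everything else aimed at private space is dropped. The other
#    client VLANs and the management VLAN are all RFC1918, so one rule covers
#    them. Logging it gives a record of any lateral-movement attempt.
block in quick log on vlan20 inet from vlan20:network to <rfc1918>

# 3. Whatever remains is outbound-initiated Internet traffic (updates, mail delivery).
#    Inbound web traffic via the 1:1 NAT is handled by its own WAN-side state.
pass in quick on vlan20 inet from vlan20:network to any

# Mirror on vlan30 (and vlan10): vlan30 -> vlan20 is caught by the block on vlan30.
pass in quick on vlan30 inet proto { tcp, udp } from vlan30:network to (vlan30) port 53
block in quick log on vlan30 inet from vlan30:network to <rfc1918>
pass in quick on vlan30 inet from vlan30:network to any
```

In the GUI this is simply the order of the rules on each VLAN tab; a quick check is to resolve a name from a VLAN host and confirm a ping to another VLAN's gateway fails and shows up in the firewall log.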
-
@ashevillewebhosting said in Snort/Suricata/Etc. for web hosting:
Hello!
Setting up a new pfSense firewall sitting in front of some web servers, and looking for advice on what - if anything - I may want to run other than pfBlocker.
Basic network looks like this:
VIPs using ProxyARP (should I be using IP Aliases?) with 1:1 NAT to the web servers.
VLAN1/Default (Management LAN)
VLAN10 (Managed Plesk web servers for shared hosting)
VLAN20 (Client A VMs: Mix of web and sql)
VLAN30 (Client B VMs: Mix of web and sql)
Plan is to isolate VLAN traffic by blocking RFC1918 addresses on the VLANs, but allowing DNS back to the pfSense. Seems to be working in the lab.
pfBlocker seems to do a good job of filtering by geo and lists. I don't have any experience with Snort or Suricata - would these be a good fit for this application, or are they more geared toward typical home/office networks and client workstations? What I don't want to do is introduce something that causes a headache with web and mail servers. Thanks in advance for any help!
No, running either of the IDS/IPS packages is not a good idea in front of public-facing infrastructure that needs high availability. You would need quite a bit of experience using such packages before you could be successful with it, and since you are here asking the question, I have to assume you have limited experience with IDS/IPS technology.
-
@bmeeks Thanks. Yes, I have zero experience with Snort or Suricata. My assumption was just that - it'd likely be difficult at best to set up for this type of traffic. If it's not well suited, that's all I need to know. Not opposed to diving into it if it would be beneficial though.