Log anomalies on the network??
-
Let's say a hacker enters the network.
How would you discover that unless you discover some malware on a server?
Abnormal traffic pattern on the network would give a decent clue.
How to use pfsense for that? And give alert about anomalies?
-
First thing you have to consider is how that intruder (I remember when "hacker" meant someone with a lot of skill, for example Steve Wozniak) might get in.
-
Usually the intruder starts scanning the internal network for hosts to compromise.
That's an anomaly.... nobody with legitimate access would do that.
-
And how do they get in initially? Penetrate the firewall? Malware? Phishing? Rogue employee?
-
Could be any of the mentioned...
-
If you mean finding anomalies on a home network (assuming you really want to bother with doing that on a home LAN), you would need some type of HIDS (Host Intrusion Detection System) running on each endpoint on the LAN. Then you would need some kind of SIEM software to gather those logs from the endpoints, analyze them, and alert when necessary. In a typical home LAN configuration, your firewall is not in the picture if you are assuming the bad guy is sitting on the LAN (either physically or virtually, via a LAN device). That's because traffic local to the LAN (for example, port scanning hosts on the LAN) is not going to even hit the firewall interface.
If you have capable switches (with a lot of processing capacity if we're talking about a busy network), then you could configure a SPAN port (port mirroring setup), and connect a dedicated IDS to that port for monitoring. So you would have say Snort or Suricata running on a dedicated host on the LAN that is connected to that SPAN port. How effective this is depends on what the malicious traffic might be. If it's all encrypted, then IDS is not going to be much help.
As the "LAN" gets bigger and becomes composed of a series of inter-connected smaller subnets (think local offices or various HQ buildings of a large enterprise network, each on a routed local subnet, but all behind a common perimeter firewall or, in rare cases, each subnet firewalled off from the others), then other more costly and sophisticated options are needed. A single SPAN port won't cut it for those setups.
Network security is much, much more than just technology like firewalls and an IDS/IPS, though. That's the glitzy stuff that everybody focuses on first, but the real security comes from implementing something like all the NIST-800 cyber controls. That involves locking down endpoints (workstations and servers) using least-privilege security schemes, installing HIDS and SIEM tools in the network, and physically securing access to endpoints by putting them behind locked doors. It means securing network Ethernet ports in the wall by implementing some kind of 802.1X technology. Ditto for any wi-fi setups. And don't forget about USB ports on servers and workstations. They must be physically secured as well. A number of companies make USB "port blocks" that stick into the port and can only be removed with a special key. The port blocks prevent a user from inserting anything into a USB port. There is also software that installs on endpoints and prevents the execution of binary code unless the hash of that file is pre-approved. The software uses a kernel-level driver that intercepts everything the OS attempts to load. This technology takes anti-virus to a whole new level. Not only is the malicious code alerted on when a load is attempted, it won't even load to get executed if the file hash is not in the approved executables database. I've managed a system like this in the past in the nuclear power world. Not fun! Imagine all the darn DLLs that most applications load and run. Now imagine having to identify all of them and hash them. Also remember to update said hash every time there is an update of the software. Very effective at locking down a machine, but a royal PITA to manage!
Of course all this costs money, and lots of it ... .
IT security in the real world is a delicate balancing act. You can make anything totally secure (even Windows ... ), but it might also be totally unusable, or at least not usable in a practical sense. IT solutions are tools meant to be used, but if you lock them down to the point where they become unwieldy, users either abandon them (and you lose the potential productivity benefits), or users find "shortcuts and workarounds" in order to do their job, that then end up circumventing your security controls. Take the once common requirement for users to choose long passwords containing mandated combinations of characters (one or more caps, lower case and one or more symbols), and that password changes monthly, and the system keeps a history of your last 6 or 12 and won't let you reuse one. What does a user do when faced with that requirement? Of course, they write their password down on a sticky note or tape it to the bottom of their keyboard ... . What happened to your security at that point?
-
@bmeeks Totally agree.
BUT.... usually the scan of hosts includes the LAN IP as well and I want pfsense/suricata to react and send an alert when probed by a network scan...
-
@cool_corona said in Log anomalies on the network??:
@bmeeks Totally agree.
BUT.... usually the scan of hosts includes the LAN IP as well and I want pfsense/suricata to react and send an alert when probed by a network scan...
If you are running an IDS on the LAN interface, then it can respond to scans of that particular interface IP. It won't necessarily see scans from one LAN host directly to another LAN host in a switched network. That's because modern network switches will isolate traffic among ports, so even with the firewall's LAN interface in promiscuous mode, it won't see traffic among LAN hosts because the Ethernet switch will filter traffic among its ports based on the MAC registered on that port. So if the destination MAC is registered on say port 6, then only port 6 will see the traffic. To get around this, you need to use a SPAN port (or port mirroring, for the more generic term). If you run dumb network hubs (and not switches), then every port on the hub sees all traffic from other ports. That's not a good thing for performance, though.
Edit: I went back and read your reply again later. Not entirely sure what you mean by this statement:
BUT.... usually the scan of hosts includes the LAN IP as well and I want pfsense/suricata to react and send an alert when probed by a network scan...
If the intruder is port scanning your firewall, then an IDS could detect that. So if the IDS was monitoring the WAN interface, and the intruder port scans the WAN, he could be detected. Ditto if the intruder were port scanning through your firewall to internal hosts. But if he can do that, then your firewall is nothing but swiss cheese (that is, shot full of holes), and your network is toast! Your earlier reply to @JKnott, when he asked "how do they get in initially?", was "any of those mentioned". So I answered the question from the point of view of endpoint devices on the internal network or networks. In other words, a bad actor or piece of malicious software running reconnaissance on the internal network.
Finally, note that Suricata really has no internal port scan detection mechanism. Snort, on the other hand, has a special port scan preprocessor. However, these tools are often fooled by legitimate traffic. That's one reason why Suricata never got a specific port scan module. There are some primitive Emerging Threats rules for Suricata that can sort of do port scan detection, but it's not the same technology as Snort uses.
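As an added example (not code from this thread, from pfSense or from Suricata), here is the kind of heuristic a port-scan preprocessor applies, run over constructed Suricata EVE-style flow records: a source that opens flows to more than a threshold of distinct destination ports within a short window gets flagged. The sample data includes a slow sweep that stays under the threshold and a monitoring host whose legitimate polling trips the rule, which is the false-positive problem described above; the IP addresses, thresholds and event lines are all invented.

```python
"""Sliding-window port-scan heuristic over Suricata EVE-style "flow" events.
Added example; the sample events below are constructed, not captured."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 10   # look-back window per source address (assumed value)
PORT_THRESHOLD = 15   # distinct destination ports that trigger an alert


def make_sample_events():
    """Constructed EVE-style flow lines: a fast sweep, a slow sweep, and a
    monitoring host whose legitimate polling burst looks like a scan."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def flow(src, dst, port, offset):
        lines.append(json.dumps({
            "timestamp": (t0 + timedelta(seconds=offset)).isoformat(),
            "event_type": "flow", "src_ip": src, "dest_ip": dst,
            "dest_port": port, "proto": "TCP"}))

    for p in range(1, 31):                     # fast sweep: 30 ports in 3 s
        flow("10.0.0.50", "10.0.0.10", p, p * 0.1)
    for i in range(30):                        # slow sweep: one port per 5 s
        flow("10.0.0.51", "10.0.0.10", 1000 + i, i * 5)
    for p in (22, 80, 443, 3306, 5432, 8080, 9100, 161, 25, 110,
              143, 445, 139, 135, 3389, 5900):  # monitoring poll: 16 ports
        flow("10.0.0.5", "10.0.0.10", p, 1)
    return lines


def detect_scans(lines, allowlist=frozenset()):
    """Return {src_ip: peak distinct-port count} for sources that exceed
    PORT_THRESHOLD distinct destination ports inside WINDOW_SECONDS."""
    events = [json.loads(line) for line in lines]
    for ev in events:
        ev["_ts"] = datetime.fromisoformat(ev["timestamp"])
    recent = defaultdict(deque)               # src_ip -> deque of (ts, port)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["_ts"]):
        src = ev.get("src_ip")
        if ev.get("event_type") != "flow" or src in allowlist:
            continue
        q = recent[src]
        q.append((ev["_ts"], ev["dest_port"]))
        while ev["_ts"] - q[0][0] > timedelta(seconds=WINDOW_SECONDS):
            q.popleft()                       # drop events outside the window
        distinct = len({port for _, port in q})
        if distinct > PORT_THRESHOLD:
            alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts
```

Without an allow-list the monitoring host is reported alongside the real scanner, while the slow sweep is never seen because no window ever holds more than three of its ports.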