IDS/IPS With VLANS, VPN, TLS & Network Setup
-
First, thank you for taking a look at this topic. After countless hours of reading and trying to put together bits and pieces from various articles/resources, as well as trial and error frustrations, I believe I have exhausted any existing resources and hopefully can provide a centralized answer for others as well.
Context/Infrastructure/Topology:
Modem (bridge) --> SG2100
pfsense Plus
WAN Gateway (for non-VPN traffic/clear)
VPN Tunnel Gateway (OVPNC1)
LAN IP (address in its own subnet, only exists at router, no "endpoint connections/assignments". More on that later...)
*VLANs/SSID numbers are for example's sake & arrows conceptual, not always literal...
pfsense:
LAN 1/Port1 - 1111 - VLAN & PVID Untagged 1111
(e.g. 1111,5t on Port 1)
LAN 2/Port2 - 2222 - VLAN & PVID Untagged 2222
LAN 3/Port3 - 3333 - VLAN & PVID Untagged 3333
LAN 4/Port4 - 4444 - VLAN & PVID Untagged 4444
pfsense/Netgate:
Port 1 (1111, 5t) --> WAN gateway --> Wifi AP 1 --> IoT (had old spare)
Port 2 Empty for now
Port 3 (3333, 5t) VLANs 44t, 55t, 66t, 77t, 88t ---Trunk--> Wifi AP 2 with OpenWRT managed switch (all VLANs egress tagged including PVID 3333, which is not assigned to anything. Switch's internal VLAN 1 is untagged on all switch ports)
"Dumb" Access Point2 with Managed Switch
AP2 trunked VLANs assigned:
vlan 44 - SSID 44 (WAN Gateway No VPN Guest firewall setup)
vlan 55- SSID 55 (VPN Tunnel Gateway Guest firewall setup)
vlan 66 - SSID 66 (VPN Tunnel Gateway Trusted firewall setup)
vlan 77 - AP2 Port 2 for wired access future expansion
vlan 88 - AP2 Port 3 same as above
Port 4 - Untagged - direct management
pfsense/Netgate Port 4: Not finished yet. Intention is wired trunk to Smart/Managed Switch to secured area wired network of computers and peripherals not accessible via anything on Netgate ports 1-3.
Clear as mud? :)) I'm very new (learned and did all of this during the last week, but more of a security enthusiast than casual hobbyist, now trying to learn this side of things). Sorry I don't have graphics for the above topography, or know how to make them yet. If it's easy for those experienced, and anybody wants to, and also let me know how to update it, I will and continue to post with it as this expands. Might be helpful for future readers and new users. Appreciate you reading all of this.
-
Suricata/Snort on LAN side only. (I am trying both packages separately and not committed to either yet. Any opinions/reasons for this specific use case, above the general debate, very appreciated.)
-
I understand the limitations of encrypted traffic with IDS/IPS and am open to all solutions. Currently considering proxy, but need your guidance.
-
My main LAN interface in pfsense has very little traffic. I do not know if that is good or bad setup, or just inherent to that I have only utilized wired and wireless connections to the VLANs, via 1 computer and smart devices to the internet since I set this up. Learning curve has been steep!
(Slightly off topic questions, but since I just laid that all out: Should the main LAN interface be a management ip/interface or use another VLAN?
Is it normal to seldom have traffic on that main LAN parent interface when utilizing only VLANs for connections?
What does one do with that first LAN ip address if all connections are segmented via VLANs?
Is this good security practice or does it not matter?)
- Everything above (finally) works and functions as described/intended. Tested and retested. My focus is security (firewall rules aside in this 1st post).
Questions/Issues (currently testing Suricata/non-blocking mode):
First, if anything above jumps out at you or is misconfigured or against best practices, that this newbie screwed up, please let me know! I am barely just learning.
Goal: Inline IDS/IPS on all traffic on LAN side. (pfBlockerNG on WAN - unless going to start a DMZ and external services)
Currently Suricata active on all VLANs showing traffic.
Suricata will not activate on VPN tunnel interface (ovpnc1). This is with or without other interfaces active.
1. Should Suricata be operating on VPN interface?
If so, any idea why it will not activate? I am thinking of reinstalling again. Recall it might have worked on prior install before trying snort, then removing (uploaded restore) and back to new Suricata install.
1a. Is there a point.... Would it see the traffic before encryption & after decryption, going and coming respectively?
I have only activated 1 ruleset for setup. I know that as I activate more the resource consumption will be greater.
-
Is it best practice to activate Suricata on every VLAN interface?
(Little to no traffic on "main LAN" interface. Although they are all assigned to that interface, but on different subnets.)
I saw a prior post that alluded to grouping all VLANs together into a single interface, then having Suricata monitor that in promiscuous mode to utilize less resources. Makes sense in theory to the novice...
- Definition - Is promiscuous mode still an inline mode or does that only give IDS and not IPS?
3a. I see this coarsely as: e.g. several VLANs-->grouped interface---->suricata-->VPN Tunnel-->internet / and reversed. Can that be done in an inline IDS/IPS setup for efficiency and less resource consumption?
3b. If so, how?
3c. Any security issues caused?
- Is it correct that VPN Gateway flow is: Internet -->firewall / decrypted -->VLAN sorting -->suricata (on each vlan)--> VLAN "end point" e.g. computer or phone?
Reversed: VLAN end point --> suricata-->VPN Tunnel Encryption/firewall --> internet?
I seem to be getting lots of:
ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
ET POLICY curl User-Agent Outbound
All from the VPN Gateway IP address. Instinctually feels like higher layer and not seeing traffic? That right?
5. Lastly, is there a way to setup a proxy so all inbound traffic, including TLS, SSL etc., is decrypted after WAN/VPN gateway, then sent to Suricata then on to VLANs-->endpoints /and reversed? (Actually scanning all traffic...)
I bought the netgate box envisioning:
internet -->netgate (VPN or clear WAN gateway)-->IDS/IPS to LAN endpoints / and reversed.
If yes, and it will effectively negate rather than build on the above questions/answers, it seems this is the ultimate solution so I can just focus on that. I leave that to the experts and more experienced than me out there....
I realize this is a long post and possibly somewhat of a chore. I tried not to ask anything I have seen explained before and up-to-date. I've also read 100's of posts and see a theme of context/info not provided by OP, then lots of wasted expert time on basic setup/context questions, so I tried to include as much relevant info as I could think of, without really knowing what I'm doing. I truly appreciate you taking the time to read through and hopefully accepting the 'challenge' and providing answers. Anything additional please let me know. Lastly, I know it's a lot to chew on, so if perhaps someone out there has discussion or an answer on one point and not the rest please chime in. Any help is really appreciated. Truly hope that this can help many people in the future. If you know of anything out there that is current, and apples-to-apples answers these questions, please share. If I get some graphics, with time, I could do a tutorial, for the beginner, to include the OpenWRT setup etc., if that would be of value. Have seen many snippets of these things as common questions, but no real actionable answers for a general group of newbies to reference in context.
Thank you again. Appreciate your time!
-
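Added example (not from the original post or from the pfSense/Suricata projects): a small eve.json triage script for the question above about STUN and curl alerts all carrying the VPN gateway address. It correlates alerts seen on the tunnel interface (where the source is already NATed to the gateway IP) with the same signature seen on a VLAN interface, so you can tell which LAN host actually raised it. Interface names, addresses and log lines are constructed placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Suricata eve.json alert records (placeholder addresses,
# not real log data). 10.8.0.2 stands in for the ovpnc1 tunnel gateway address,
# 192.168.66.20 for a host on VLAN 66.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"203.0.113.10","dest_port":39000,"proto":"UDP","alert":{"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)","severity":3}}',
    '{"event_type":"alert","in_iface":"vlan66","src_ip":"192.168.66.20","dest_ip":"203.0.113.10","dest_port":39000,"proto":"UDP","alert":{"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)","severity":3}}',
    '{"event_type":"alert","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"signature":"ET POLICY curl User-Agent Outbound","severity":3}}',
    '{"event_type":"flow","in_iface":"vlan44","src_ip":"192.168.44.5","dest_ip":"198.51.100.7"}',
    'not json at all',
])

VPN_GATEWAY_IPS = {"10.8.0.2"}  # assumed tunnel endpoint address(es); adjust to yours


def load_alerts(text):
    """Parse eve.json lines, keeping only well-formed alert events."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json may hold a partial line during log rotation
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts


def count_by_iface(alerts):
    """Alert counts per (capture interface, source IP) pair."""
    return Counter((a["in_iface"], a["src_ip"]) for a in alerts)


def lan_origin(alerts, nat_ips):
    """For each signature whose source is a NAT/tunnel address, list the pre-NAT
    LAN hosts that raised the same signature on a non-tunnel interface.
    An empty list means only the tunnel side saw it, so the originating host
    cannot be identified from the alert alone."""
    natted = {a["alert"]["signature"] for a in alerts if a["src_ip"] in nat_ips}
    origins = defaultdict(set)
    for a in alerts:
        sig = a["alert"]["signature"]
        if sig in natted and a["src_ip"] not in nat_ips:
            origins[sig].add(a["src_ip"])
    return {sig: sorted(origins[sig]) for sig in natted}
```

Run it against your own eve.json by replacing SAMPLE_EVE with the file contents; signatures that map to an empty list were only observed post-NAT on the tunnel interface.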