requirements for IPS/IDS & Wifi?
-
Quick questions, please help.
-
What is the best way to harden a pfSense home network, besides separate VLANs, closing ports and enabling IPS/IDS (Snort / Suricata)?
-
What are the requirements for running IPS/IDS for a home network? Will an SG-1100, 2100, or 3100 work?
-
How does IPS/IDS interact with Wi-Fi, what is the recommended way to run it, and is there any recommended hardware for a small home network?
Thanks.
-
It depends on what you're trying to accomplish. Those are the ways to isolate traffic.
-
What is your Internet speed? The 1100 and 2100 don't have that fast CPUs so will be CPU limited on faster connections. (see the Netgate specs) I have a 2100 at home on my DSL connection with Snort and it's fine. We have a client with an older 2440, I think it is, and I noticed around 350 Mbps (speed testing their "300" connection) it gets around 95+% CPU usage with Suricata running. IDS CPU usage also depends on how many rules are enabled.
-
IDS doesn't know about Wi-Fi. If you have wireless clients on a separate port/network then you can run IDS on that network. Otherwise if wireless devices are just on the LAN then you can run IDS on LAN.
Note running IDS on a parent interface also runs it on a VLAN on that interface, no need to set it up twice.
-
@steveits said in requirements for IPS/IDS & Wifi?:
- it depends on what you're trying to accomplish. Those are the ways to isolate traffic.
-> Trying to have a home network that benefits maximally from the security options available with pfSense.
- What is your Internet speed? The 1100 and 2100 don't have that fast CPUs so will be CPU limited on faster connections. (see the Netgate specs) I have a 2100 at home on my DSL connection with Snort and it's fine. We have a client with an older 2440, I think it is, and I noticed around 350 Mbps (speed testing their "300" connection) it gets around 95+% CPU usage with Suricata running. IDS CPU usage also depends on how many rules are enabled.
-> Thanks for explaining this. VDSL2 speed that caps at about 100 Mb download for now; will soon have the option for 2 gig fibre, not that I need it ;) so I am building for 100 Mb. Small home network with a few PCs on the LAN, Wi-Fi with some mobiles and laptops.
- IDS doesn't know about Wi-Fi. If you have wireless clients on a separate port/network then you can run IDS on that network. Otherwise if wireless devices are just on the LAN then you can run IDS on LAN.
-> I do not understand what you mean. PCs VLANned into a switch independently, another VLAN for the wireless AP with mobiles and laptops connected. Where do you run IDS and IPS? Do you assign it to each VLAN or run them on those devices? Not sure how you would run Snort on an iPhone, for example. Please help me better understand this and also the distinction between how to run IDS and IPS.
Note running IDS on a parent interface also runs it on a VLAN on that interface, no need to set it up twice.
-> Confused, answer to the followup question above should sort this out.
Thanks for helping !
-
To isolate devices on a Netgate router with switched ports, you can set the ports to act like separate ports. Each is its own network. Then devices connected via those ports are isolated unless you set firewall rules allowing them to talk to other networks.
At 100 Mbit/s I'd fully expect the 2100 to be fine, running IDS. At 2000, I'd expect it to have problems. Not quite sure where the middle ground is but I'd guess around 300-500 Mbps.
IDS (Snort/Suricata) is set up on an interface on the router. So it can be set up on one of the ports, generally LAN.
re: IDS with VLANs, see this thread. So if you run Snort on LAN it should function for any of the VLANs that are set up on any of the LAN ports as well.
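As an added illustration (not from this thread, Netgate, or the Snort/Suricata packages) of why one sensor on the parent interface covers the VLANs configured on it: VLAN traffic reaches the parent interface as 802.1Q-tagged frames, with the VLAN ID carried in the tag in front of the real EtherType, so a sensor bound to the parent sees every VLAN's frames and can attribute each one to its VLAN. The frames and MAC addresses below are constructed for the example.

```python
"""Decode Ethernet frames with an optional 802.1Q VLAN tag.

Constructed example: a handful of hand-built frames, two tagged
(VLAN 10 and VLAN 20) and one untagged, as they would be seen on a
parent interface that carries several VLANs.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id (None if untagged), PCP and inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan_id = None
    priority = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN id
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vlan_id,
        "pcp": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build a frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample MACs (made up for this example).
GW_MAC = bytes.fromhex("001122334455")   # the router's parent interface
PC_MAC = bytes.fromhex("02aabbccddee")   # a wired PC on VLAN 10
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")   # the wireless AP on VLAN 20

SAMPLE_FRAMES = [
    build_frame(GW_MAC, PC_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=10),
    build_frame(GW_MAC, AP_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan_id=20, pcp=5),
    build_frame(b"\xff" * 6, PC_MAC, ETHERTYPE_ARP, b"\x00" * 28),  # untagged native LAN
]


def vlans_seen(frames):
    """Count frames per VLAN id (None = untagged), as a sensor on the parent would."""
    counts = {}
    for f in frames:
        vid = parse_frame(f)["vlan"]
        counts[vid] = counts.get(vid, 0) + 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(f"vlan={p['vlan']} pcp={p['pcp']} ethertype=0x{p['ethertype']:04x} src={p['src']}")
    print(vlans_seen(SAMPLE_FRAMES))
```

The decoder is the same logic an IDS applies before it gets to the IP header; this is why the advice above is to attach the sensor to the parent interface rather than once per VLAN. It says nothing about how pfSense itself handles VLAN interfaces or about CPU cost, which scale with total traffic and rule count as noted earlier in the thread.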