Is IPS/IDS worth it in 2022 - And Snort 3.0
-
@bmeeks
I cannot thank you enough for your hard work and continued effort of maintaining these great tools. I just wanted to start off with credit where credit is due. I have 2 underlying questions tho:
- Is running IPS/IDS in the home worth it now days?
As everything is pretty much encrypted right down to DNS requests.
My situation I have a server running the usual *arr stuff, with some downloaders and what not. Jellyfin and Emby. All of these services are behind HAProxy and SSL encrypted.
Would having IPS running help to secure these services any more than they already are?
Is there even benefit to running IPS nowadays?
- Snort 3 has been out for a bit. I kinda know how you feel regarding porting configs but I'm planning on doing a clean new pfSense build soon.
I really like the Snort presets like Balanced/Security and so on.
What are the chances of getting a Snort 3 package down the line?
And again really appreciate your efforts
-
I run MITM for that very reason.... IDS is more important than ever and one needs to circumvent and control traffic to secure the networks.
-
@n0_klu3 said in Is IPS/IDS worth it in 2022 - And Snort 3.0:
I have 2 underlying questions tho:
- Is running IPS/IDS in the home worth it now days?
As everything is pretty much encrypted right down to DNS requests.
My opinion is that running IDS/IPS on a home network does not provide much benefit and can actually be a bit of an aggravation. This is because most users are not professionally trained IDS admins, and thus really have no foundation upon which to select rules and monitor alerts. Yes, that can eventually be learned, but it is a long and difficult road that requires just a lot of experience in the end. Because many users I've seen here on the forum tend to treat Snort or Suricata the same as they would an anti-virus scanner, they just go through and enable a ton of rules, and then start getting all kinds of alerts and blocked traffic. But they have no clue why, so they come here and start complaining about things that are broken... Some don't even realize the IDS/IPS package they installed is what is blocking the traffic.
My situation I have a server running the usual *arr stuff, with some downloaders and what not. Jellyfin and Emby. All of these services are behind HAProxy and SSL encrypted.
Would having IPS running help to secure these services any more than they already are?
Is there even benefit to running IPS nowadays?
So you have a server (or servers) providing public access on your home network? Or do you mean that the Internet access is really just remote access for you via VPN?
If you have public access servers, the most important security setting is to stay up to date with all security hotfixes and patches. Make sure the servers are running the bare minimum of what is necessary for them to operate. Run only a single public app on each server. That way you can optimize the security on each box for the specific app running on it. And I feel I must mention, if these are publicly-accessible servers running on a home network, that doing so violates the terms of service of just about every residential ISP I have ever heard of.
You can run an IDS/IPS in front of the servers, but encryption will be in the way unless you implement MITM. But the second relevant part of IDS/IPS is having the proper rules to detect attacks against the actual vulnerabilities present on the server. This goes back to my point above about requiring experience and deep knowledge about the rules and how they work and which to deploy.
- Snort 3 has been out for a bit. I kinda know how you feel regarding porting configs but I'm planning on doing a clean new pfSense build soon.
I really like the Snort presets like Balanced/Security and so on.
What are the chances of getting a Snort 3 package down the line?
Let's just say that no work is going on with Snort3 by me at this time. And none is currently planned in the future. I've started and stopped looking at that package about 3 times over the last couple of years or so. I just don't see enough reward coming from the effort needed to rewrite the current package. Suricata can do pretty well just as much as Snort. The only deficit in Suricata at the moment is that it has nothing like OpenAppID. But OpenAppID is not required at all for home networks. It has some use in larger enterprises where it can be used to police corporate policies about using social media and other tools during working hours.
-
@bmeeks
Thank you so much for your answers, and you too @Cool_Corona.
Yeah, I have a server (unRAID) with docker containers.
I have a domain name that forwards to my public IP of my WAN.
Then pfSense picks up the domain and provides SSL and allows access to my services behind pfSense. Normal proxy stuff, nothing really distinct about this setup.
When I rebuild my pfSense I will probably setup VPN and kill publicly accessible stuff and just VPN in instead.