Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Do I Need IPS ?

    Scheduled Pinned Locked Moved Firewalling
    22 Posts 10 Posters 2.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      oznet
      last edited by

      Since I have a default config on my 2100 where all ports are blocked and I only have 5 home machines ie 2 laptops, 1 desktop and 2 androids with Bitdefender on them and competent users aware of threats should I still install the IPS package? What are the threats without IPS running?

      M johnpozJ 2 Replies Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @oznet
        last edited by

        @oznet
        Generally, for home use, you do not need any IPS.
        If you have ports open on the WAN side then i would say yes, apply an IPS.

        The real magic and usefulness of an IPS is taking all that encrypted data on port 443 and run it through a proxy like Squid, scan the data, and detecting threats.
        pfSense does not have that capability. Therefore theres a limited use case of running an IPS on pfsense in general.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        O 1 Reply Last reply Reply Quote 1
        • O
          oznet @michmoor
          last edited by

          @michmoor I was going to use Snort as the IPS but what about if an internal machine gets infected or a laptop that is infected while on a public wifi or android phone on a data service and then brought back onto the lan? Would IPS then be beneficial?

          M GertjanG 2 Replies Last reply Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance @oznet
            last edited by

            @oznet What do you mean infected?
            I assume there is an A/V application installed.
            If a more MSP or Enterprise environment there is security apps like Sentinal One or Huntress that may catch it.

            I suppose an IPS could get lucky and spot an issue from LAN -> WAN but I certainly wouldn't rely on it.
            If your "infected" machine is calling out to a domain thats on 443..then what?

            Most modern security platforms will have MITM enabled so that the firewall could drill down into the URL and see what resource is being requested. From there based on signatures or policy that site gets denied. Thats the power of a MITM + ThreatPrevention tool.
            As i stated, pfsense cant do that. Squid and Snort are considered two independent packages. If there was some way to pass decrypted site information to Snort then i would say, yes, absolutely snort is needed.

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            O C 2 Replies Last reply Reply Quote 0
            • O
              oznet @michmoor
              last edited by oznet

              @michmoor infected I mean compromised some kind of malware and the AV did not detect it, if IPS is not needed then I am ok with that, just wanted to explore this a bit, I am not a firewall pro just a home user and thank you for your help!

              1 Reply Last reply Reply Quote 0
              • C
                coxhaus @michmoor
                last edited by

                @michmoor
                I am a home user thinking of using SNORT. I was thinking of the issue with using port 443. Is there a way to know the connection is happening with SNORT? I don't remote into anything anymore as I am an old retired network guy. Will SNORT list the 443 connection whether you use the LAN or the WAN side for SNORT? I know it is outbound traffic but I might I be able to block it on the firewall?

                Speaking of SNORT, is it better to use the WAN or the LAN. I think I have read on here it is better to use the LAN side. I have a Cisco L3 switch running my VLANs and no vlans are defined to pfsense. If I use the LAN side for SNORT will it read deep enough into the packet to know where the packet originates from or will it all show the L3 switch as the originator?

                S 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Galactic Empire @coxhaus
                  last edited by

                  @coxhaus @oznet
                  Use Suricata not Snort, sounds like Snort may die off on pfSense unless someone takes over the next version.

                  Neither can scan HTTPS traffic so malware can just use that to bypass.

                  Running on LAN it will show you the LAN deviceโ€™s IP. It runs outside the firewall so on WAN it will scan everything the firewall blocks.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote ๐Ÿ‘ helpful posts!

                  1 Reply Last reply Reply Quote 0
                  • N
                    NOCling
                    last edited by

                    Use pfBlocker and the right lists instead.
                    You got a very powerfull protection, if you use the right lists.
                    It is also significantly more efficient than Snort.

                    Netgate 6100 & Netgate 2100

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @oznet
                      last edited by

                      @oznet said in Do I Need IPS ?:

                      laptop that is infected while on a public wifi or android phone

                      When a PC/laptop/Phone/pad/whatever connects to a network, it will default to the Public (network) mode.
                      You've seen this already : on a Windows PC, when you connect the very first time to a network that the device didn't used before, you can chose between a private (or company) network, or a public network.
                      When 'private' is selected, your device can access other devices in the same connected LAN, and other devices in the same LAN can use resources that are shared on your device, if there are any.
                      A public : network : only connections to the gateway (Internet traffic) are created, only traffic is end to the gateway, and only traffic coming from the gateway is accepted.

                      So : In a way, some random public Wifi network is more secure then the network you share at home.

                      The unique and final factor that can make the difference : the user using the device.
                      If he downloads and executes a trojan, it was because he took action to do so.

                      @oznet said in Do I Need IPS ?:

                      a data service and then brought back onto the lan? Would IPS then be beneficial?

                      Good point !
                      Ones a device is infected, and it is connected to your local private 'trusted' network, then the devices on this (your) LAN can connect to each other without passing through pfSense. So, 'IPS' on pfSense that doesn't see the inter LAN traffic is pointless.
                      You could even power down pfSense : the LAN still works fine (for some time).

                      You might think that Suricata (or Snort) or any IPS can help you ....
                      When you investigate this question, you'll reach the opposite side : you don't want IPS to happen.
                      IPS is means : make the encrypted data stream readable. You need, among others, to be able to 'undo' TLS traffic (== the encrypted data stream) coming from any LAN device to a remote server, analyze it, and when ok, 'redo it' an d send it of. Then, the return TLS stream (for example, from your bank) needs to be 'undone', checked, and when ok, 'redone' to be sent to your PC.

                      While your are doing you best to make the MITM to happen, so you can do IPS, you also know that thousands of network engineers/expert are working hard to make your task as hard as possible.
                      After all, if you could do this at home, then every 3 letter agency could do with the snap of a finger same. Let's image this : they (officially) can't - neither your ISP, nor your neighbor.

                      They told you 'https' == safe. It's time to know why this is actually true ๐Ÿ˜Š

                      Home user, or not, go have a look at what TLS, or more known as https (== web traffic using TLS) actually is. It's 2023 these days, basic, easy, fast to understand info is now available @Youtube.
                      I'll promise you : it's worth the effort.

                      In the beginning, and at the end : it's far easier to :
                      You start with : Explain, teach, make clear, to your network users what the risks are.
                      At the end : Don't allow 'dangerous' devices (==people) entering your network. I mean : it's ok that people don't want to cooperate, but they are using 'your' network, so you have something to say.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @oznet
                        last edited by

                        @oznet do you have experience using an IPS/IDS - its a bit more complicated then just enabling it.. If you want to enable it in monitor mode.. Sure go ahead - there is a lot of config and maint required to run a successful IPS/IDS..

                        I have run them for many years professionally, and I don't run one on my home network. Its a bunch of work, for very little return.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 2
                        • bmeeksB
                          bmeeks
                          last edited by

                          Agree wholeheartedly with @johnpoz here. On a home network, an IPS requires a lot of upfront knowledge to configure and a lot of labor to maintain. Because of the magnitude of encrypted traffic these days, the amount of effort involved with the IPS/IDS vastly overshadows any potential gain in my opinion (in a home network). I say this as the package maintainer for Snort and the package creator for Suricata ๐Ÿ™‚. If you just want to play around with IPS/IDS to learn, then have at it. But just realize there is much, much more effort involved with IPS/IDS than there is with using an anti-virus client.

                          And as others have mentioned, if someone brings an infected machine back into your local LAN, an IPS running on the firewall could likely not even be aware of the traffic between two hosts on the same LAN as that traffic will be directed by the L2 switch from one port to another on the switch and bypass the firewall's LAN port completely. Only if the malware attempted some kind of network scan would it perhaps "trip" the IDS/IPS on the firewall's LAN port (as that port IP was targeted during a scan). The IPS/IDS could potentially see traffic outbound from the LAN as that would be given to the firewall's LAN interface to route. But encryption will be an obstacle here. For web and email traffic the IDS/IPS has zero visibility into payloads and thus only has the little bit of IP header info to work with.

                          DaddyGoD 1 Reply Last reply Reply Quote 3
                          • DaddyGoD
                            DaddyGo @bmeeks
                            last edited by

                            @bmeeks said in Do I Need IPS ?:

                            Agree wholeheartedly with @johnpoz here. On a home network, an IPS requires a lot of upfront knowledge to configure and a lot of labor to maintain.

                            Hi Bill,
                            Long time no "see", but I hope all is well.

                            Very true, but I still love this approach (if I can call it IPS stuff), sure the yes the learning curve can be steep, but let's not take away anyone's enthusiasm.
                            When you're pushing this in a production environment, you're past a home and/or VM/test system... ๐Ÿ˜‰ (I hope so)

                            BTW:
                            I'm still impressed by your work ๐Ÿ‘

                            Cats bury it so they can't see it!
                            (You know what I mean if you have a cat)

                            bmeeksB 1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @DaddyGo
                              last edited by bmeeks

                              @DaddyGo said in Do I Need IPS ?:

                              sure the yes the learning curve can be steep, but let's not take away anyone's enthusiasm.

                              I don't mean to discourage someone who wants to try it out for the learning experience, but there are a fair number of users that install it without fully understanding what it is and how to maintain it. They then post here with frustrations because something is blocked. Unintended blocking will happen a lot with a typical home setup unless the admin is skilled in the craft of IDS/IPS.

                              But this is also a problem with all of the packages that can "block things" such as Snort, Suricata, pfBlocker, SquidGuard, etc. I am always amazed at the posts where someone installs one or more of those packages on their pfSense and then posts asking "... why is pfSense blocking xyz site?". It makes me want to whack them on the side of their head and ask "do you think it could possibly be one of those packages you installed that are intrinsically designed to block stuff? Have you checked if one of those packages is blocking the desired traffic?" ๐Ÿ™‚ . And many times it takes two or three rounds of back and forth questions to pry out of them the tidbit that they have indeed installed one (or even several) of the blocking packages.

                              M DaddyGoD 2 Replies Last reply Reply Quote 3
                              • M
                                michmoor LAYER 8 Rebel Alliance @bmeeks
                                last edited by

                                @bmeeks The pros and cons of making a product available to the masses.
                                The solution would be to gatekeep this behind a VAR and high cost support packages :)

                                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                Routing: Juniper, Arista, Cisco
                                Switching: Juniper, Arista, Cisco
                                Wireless: Unifi, Aruba IAP
                                JNCIP,CCNP Enterprise

                                O DaddyGoD 2 Replies Last reply Reply Quote 0
                                • O
                                  oznet @michmoor
                                  last edited by

                                  @michmoor sounds like I will fore go the IPS aspect and stick to blocking ads

                                  1 Reply Last reply Reply Quote 0
                                  • JonathanLeeJ
                                    JonathanLee
                                    last edited by JonathanLee

                                    DO IT!!! IPS/IDS both have fun setting it up too,

                                    I added some alias rules to do not block lists as SNORT takes some time to fine tune, once it's tuned its great!!

                                    d9663fab-1bf1-449d-b4db-a13f60f0c157-image.png
                                    83 plus blocks in 1 hour of invasive actors.

                                    1330a158-0b82-4ef5-a4f2-b8ac1d10b17a-image.png
                                    Mine even does auto scan blocking, that was fun to set up as roblox like to scan when it starts up.

                                    1c96cbf5-4562-4d67-bc37-260fe0e6f61f-image.png
                                    I have a nice ACL for it, plus a ignore scans set

                                    9068dce5-ac4c-4d2f-a57c-e4b478640082-image.png
                                    I ignore a pretty big block of addresses that Roblox uses or Snort blocks them all when it sees a UDP scan

                                    It's the 1990s Air-Snort application upgraded, anyone play with that in the 90s, I use to see 0.0.0.0 MACs sometimes back in the day.

                                    Make sure to upvote

                                    C 1 Reply Last reply Reply Quote 0
                                    • DaddyGoD
                                      DaddyGo @bmeeks
                                      last edited by

                                      @bmeeks said in Do I Need IPS ?:

                                      but there are a fair number of users that install it without fully understanding what it is and how to maintain it.

                                      yes, this can be seen in many scenarios and when they fall flat on their face they realise what they have done wrong ๐Ÿ˜Š

                                      +++edit:
                                      at least they will have something to ask here on the forum

                                      Cats bury it so they can't see it!
                                      (You know what I mean if you have a cat)

                                      1 Reply Last reply Reply Quote 0
                                      • DaddyGoD
                                        DaddyGo @michmoor
                                        last edited by

                                        @michmoor said in Do I Need IPS ?:

                                        The solution would be to gatekeep this behind a VAR and high cost support packages :)

                                        that would be quite terrible ๐Ÿ˜Š

                                        Cats bury it so they can't see it!
                                        (You know what I mean if you have a cat)

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          coxhaus @JonathanLee
                                          last edited by

                                          @JonathanLee
                                          Are you running it on the WAN or the LAN side?

                                          I plan to run it. I am waiting for 23.09 first.

                                          Do any of Pfsense's IPS/IDS use Intel's Hyperscan? Maybe that is the real SNORT 3?

                                          https://www.intel.com/content/www/us/en/developer/articles/technical/introduction-to-hyperscan.html

                                          JonathanLeeJ 1 Reply Last reply Reply Quote 0
                                          • JonathanLeeJ
                                            JonathanLee @coxhaus
                                            last edited by

                                            @coxhaus WAN it does take a while to configure this way. Most use Lan today

                                            Make sure to upvote

                                            C 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.