    Snort / Suricata for inbound traffic only

    • JasonJoel

      In the past, my network was simple and mainly for outbound use only (no services needed to be reached from the outside).

      Now, however, I have the need to host a small web server on my network.

      I was thinking of adding snort or suricata to my pfSense to more actively analyze the traffic coming into that web server. However, I really just want to use it for incoming traffic to that one specific server, and not change/analyze any of my other outbound traffic.

      Is that possible?

      • bmeeks

        Yes, providing you put that web server on a subnet and interface (or VLAN) by itself.  You would then run Suricata or Snort on that interface (or VLAN) only.  That would really be best practice anyway – putting your Interfacing web server in a DMZ.  Run the IDS only on the DMZ interface.

        Bill

        • JasonJoel

          Good idea, and that is what I did - kind of.

          Unfortunately (for now) the server also needs to be on the LAN network. But I was able to install a 2nd NIC on the server and use an unused NIC on the pfSense box to make a DMZ of sorts. I made a new NAT rule that goes to the new DMZ server IP address. I then added the 'DMZ' interface to suricata.

          Yes, the web server is now dual-homed, but I thought that would still be better than allowing external traffic to my main LAN.

          Thoughts on dual-homing the server versus just letting the outside talk to the server's LAN IP?

          Jason

          • bmeeks

            Well…dual-homed means if any bad guy finds a way into the web server, then he has immediate free access to your LAN.  With a true DMZ, firewall rules protect the LAN from the DMZ.

            Oh, and in my original reply up above I badly misspelled "Internet-facing web server".  I put "Interfacing web server" instead... :-[.

            Bill

            • JasonJoel

              Yeah, I realize if the dual-homed web server is compromised then the LAN is still compromised as well.

              I was just thinking out loud whether making it dual homed like that with a dedicated 'outside' interface really buys me anything. And I still think it does in terms of making it a lot easier to monitor the traffic, even if it doesn't add much additional security.

              The other thing it allows me to do is to keep my suricata rules very tight, as there is limited traffic of a specific type going through that one interface.

              Again, not as good as a real DMZ, but will have to do for now until I rebuild a few things.

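A constructed configuration fragment, added here and not taken from the thread or from the pfSense Suricata package (which writes its own config from the GUI), showing the single-interface setup Bill describes and the narrow rule scope Jason mentions; the interface name igb2, the 192.0.2.0/28 DMZ subnet, the server address 192.0.2.10 and the rule path are assumptions:

```yaml
# suricata.yaml fragment (constructed example): Suricata bound to the DMZ
# interface only, with HOME_NET narrowed to the DMZ subnet so the LAN
# interface and ordinary LAN-to-Internet traffic are never inspected.
vars:
  address-groups:
    HOME_NET: "[192.0.2.0/28]"        # DMZ subnet only (constructed value)
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "[192.0.2.10]"      # the web server's DMZ address (constructed)
  port-groups:
    HTTP_PORTS: "[80,443]"            # only the ports the server exposes

af-packet:
  - interface: igb2                   # the DMZ NIC; igb1 (LAN) is deliberately absent
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Narrow capture further to the web server's listening ports, which keeps
    # the rule set small and the alert volume low, as the thread describes.
    bpf-filter: "host 192.0.2.10 and (tcp port 80 or tcp port 443)"

# Tight rule scope: load only web-server signatures rather than the full
# default set, since nothing else traverses this interface.
default-rule-path: /usr/local/etc/suricata/rules   # path assumed
rule-files:
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
```

The LAN-protection half of a true DMZ is a firewall rule on the DMZ interface that blocks DMZ net to LAN net; nothing in the IDS configuration replaces it, and a dual-homed server bypasses it entirely through its LAN NIC.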