Best way to impliment intrusion detection(IDS/IPS)

[Stack of computer parts 9]

I have Air setup on OPNSense following the same directions as setting up air on pfsense 2.1(2.3 instruction set doesnt really work for some reason beyond me). Anyway, opnsense(and pfsense) come with intrusion detection systems that I would like to use. However, if I put the system on the wan, I dont see how it could read a packet since its been encrypted in the airvpn_wan. I guess I could install it in the airvpn_wan but I wanted to bounce the idea off of anyone here just to get some pointers.

 

The same could be said for other features like reverse proxy or caching proxy, adblock, antivirus. The best place to employ(or not) these at the server level would make a good discussion topic.

[zhang888 1066]

You don't need a traditional IDS when you are connected to Air. The reason is, that unless you forward high ports in the client area,

no traffic will reach your endpoints unlike when it can happen with regular WAN with a connectable IP address.

So your best setup would be just filtering any incoming traffic on your WAN interface.

The caching and proxies are very individual setups and mostly depend on what you want to achieve, so there is no "one goes for all"

suggestion in this case. Note that the file hash-based Antivirus on these devices is pretty much useless against today's threats, so using

it will not provide you any real security. Almost the same thing goes for Adblock, most ads today are served over TLS so just blocking hosts

without actual DOM awareness is a little obsolete, and will result in many broken pages, and white pages where the actual ad is supposed to be.

A better solution for this would be browser extensions like uBlock Origin/Adblock Plus, etc.

[Stack of computer parts 9]

So an attacker cant see your connection on their end, like say an active connection on Steam or some place with an obvious username, inject some bad packets at that end and use it to establish a connection at the client level? Alternatively can someone just know the physical location of my house and attempt to get through the wan say from somewhere in the neighborhood? Or at the ISP since generally most areas only have one or two choices?

I also have some clear net going into the box on another nic so its not like its completely obfuscated from the world.

[zhang888 1066]

An attacker can infect you with various ways, but an IDS like Snort/Suricata is unlikely to prevent it.

Unless you run a web service or something of that kind, it's a total waste of resources.

 

When you are connected to VPN there is no way for an attacker on a physical layer to inject anything to your connection.