Best way to implement intrusion detection (IDS/IPS)


I have Air set up on OPNsense following the same directions as setting up Air on pfSense 2.1 (the 2.3 instruction set doesn't really work, for some reason beyond me). Anyway, OPNsense (and pfSense) come with intrusion detection systems that I would like to use. However, if I put the system on the WAN, I don't see how it could read a packet, since it's been encrypted in the airvpn_wan. I guess I could install it in the airvpn_wan, but I wanted to bounce the idea off of anyone here just to get some pointers.

The same could be said for other features like reverse proxy or caching proxy, adblock, antivirus. The best place to employ (or not) these at the server level would make a good discussion topic.


You don't need a traditional IDS when you are connected to Air. The reason is that unless you forward high ports in the client area, no traffic will reach your endpoints, unlike with a regular WAN with a connectable IP address.

So your best setup would be just filtering any incoming traffic on your WAN interface.

The caching and proxies are very individual setups and mostly depend on what you want to achieve, so there is no "one goes for all" suggestion in this case. Note that the file-hash-based antivirus on these devices is pretty much useless against today's threats, so using it will not provide you any real security. Almost the same thing goes for adblock: most ads today are served over TLS, so just blocking hosts without actual DOM awareness is a little obsolete, and will result in many broken pages, and white pages where the actual ad is supposed to be.

A better solution for this would be browser extensions like uBlock Origin/Adblock Plus, etc.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
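The WAN-filtering advice above, written out as pf rules (an added illustration, not configuration from the thread or generated by OPNsense; interface names, the server address and the tunnel port are assumptions):

```pf
# Constructed illustration of the rule logic only. Interface names,
# server address and port are assumptions, not real AirVPN values.
wan_if   = "em0"             # physical uplink to the ISP (clear net)
vpn_if   = "ovpnc1"          # OpenVPN client tunnel to the AirVPN server
vpn_srv  = "203.0.113.10"    # placeholder for the AirVPN server address
vpn_port = "443"             # assumed tunnel port

set skip on lo0

# Nothing unsolicited may enter from the clear WAN; an IDS bound here
# would only ever see the encrypted UDP tunnel, never the inner packets.
block in log on $wan_if all

# The only thing allowed out on the WAN is the tunnel itself.
pass out on $wan_if proto udp from ($wan_if) to $vpn_srv port $vpn_port keep state

# LAN traffic leaves through the tunnel; replies come back via state.
pass out on $vpn_if all keep state

# Inbound from the tunnel stays blocked unless a port has been
# forwarded in the client area, in which case add an explicit pass here.
block in log on $vpn_if all
```

If an IDS is still wanted, binding it to $vpn_if (the airvpn_wan mentioned in the question) is where it sees decrypted traffic, whereas on $wan_if the log rules above already record every blocked inbound attempt.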


So an attacker can't see your connection on their end, like say an active connection on Steam or some place with an obvious username, inject some bad packets at that end and use it to establish a connection at the client level? Alternatively, can someone just know the physical location of my house and attempt to get through the WAN, say from somewhere in the neighborhood? Or at the ISP, since generally most areas only have one or two choices?

I also have some clear net going into the box on another NIC, so it's not like it's completely obfuscated from the world.


An attacker can infect you in various ways, but an IDS like Snort/Suricata is unlikely to prevent it. Unless you run a web service or something of that kind, it's a total waste of resources.

When you are connected to the VPN, there is no way for an attacker on the physical layer to inject anything into your connection.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
