Recommended for IPS/IDS - MikroTik (2024)

powerhosting

just joined

Topic Author

Posts: 8
Joined: Wed Apr 29, 2020 2:45 am

Recommended for IPS/IDS


Sat Jan 06, 2024 8:57 pm

Dear All,

I am looking for a device doing DPI for home use. I have a lot of IoT devices which I have 0 visibility on and decided to check what they are doing. They are in a different VLAN, but I am still looking for a more advanced way of listening on the traffic toward the internet.
An IDS, possibly an IPS, would be a required feature.

Currently I have a 750gr and CRS 328s

Could MikroTik help me out here or do I need to add a different vendor?

If so, is it recommended to do the VLAN -> VLAN (east-west) communication on the MikroTik router and have the firewall only (north-south)? I would prefer MikroTik to do the most work.

Internet is 1G down and maybe half up.

Did see , but I wasn't sure if my situation is the same.


anav

Forum Guru

Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Recommended for IPS/IDS


Sun Jan 07, 2024 1:24 am

Different vendor.............. You will pay through the nose for a higher end device that can still provide the throughput required with IDS services applied and by the way those IDS... DPI services are not native to the router, you then additionally have to buy subscription services to activate them.


vingjfg

Member

Posts: 384
Joined: Fri Oct 20, 2023 1:45 pm

Re: Recommended for IPS/IDS


Sun Jan 07, 2024 1:00 pm

Ha! Deep packet inspection, application awareness, L7 inspection, whatever name it has today. The hallmark of the modern firewall. But that's not a function Mikrotik devices have natively. In essence, you are paying someone to maintain a database of IP addresses, domain names and signatures that enable a firewall to recognize an application or a service going over the internet. This is highly dynamic and changes pretty much every day, hence the price tag.

There was for a while an effort called "openDPI" which was to have an open source repository of such things. I think that project was abandoned several years ago and someone created another port called nDPI, but which focuses on ntop.

You may find your luck with Security Onion and integrate ntop data. I haven't tried it yet, planned for when I have a moment.

If you plan on blocking stuff, an inline mode is pretty much the way to go, otherwise a port-mirror is probably better.


powerhosting

just joined

Topic Author

Posts: 8
Joined: Wed Apr 29, 2020 2:45 am

Re: Recommended for IPS/IDS


Sat Jan 27, 2024 12:43 am

So far I have found the following list of vendors to consider:

Fortinet FortiGate: https://www.fortinet.com
Check Point Quantum Security Gateways: https://www.checkpoint.com
Barracuda CloudGen Firewall: https://www.barracuda.com
Palo Alto Networks PA Series: https://www.paloaltonetworks.com
SonicWall Network Security Appliance NSA 4600: https://www.sonicwall.com
Firewalla: https://firewalla.com/

Tbh: The last one seems to have a reasonable price, but with no experience it's hard to tell if it's worth the money.

Any experience with either?

Also, if I have a firewall do I need a router? What benefit would I get with a L3 router as often firewalls include this functionality.


jvanhambelgium

Forum Guru

Posts: 1039
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Recommended for IPS/IDS


Sat Jan 27, 2024 9:46 am

Most of the above vendors are really, really in another league compared to Mikrotik.
You must see Mikrotik RB as a ROUTER with network packet filter (and a lot of Swiss-army knife capabilities for sure!)
I use Fortinet & Palo Alto in my professional work, very, very capable but it comes with a price tag....
Because they have dedicated silicon/ASICs to handle the complex stuff...

Perhaps an alternative to get something like a Firewall. These seem almost like rebranded "TopTon" boxes.
You could also get some Topton-box and do something with OpenSource depending on your level of knowledge.

https://nl.aliexpress.com/store/9117683 ... PblPPblPvq

Then on the Mikrotik you could work with Netflow and/or fully "mirror" your traffic stream into such box and use some tools like "ntopng" on it or something.

Top
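What the NetFlow export suggested in the post above still shows about encrypted IoT traffic (who talks to whom, on which port, and how much), as an added example that is not part of the thread. It assumes the router is set to export NetFlow version 5 and that the IoT VLAN is 192.168.30.0/24; the subnet, the addresses and the sample datagram are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
IOT_NET = ipaddress.ip_network("192.168.30.0/24")   # assumed IoT VLAN subnet

def parse_v5(datagram):
    """Yield (src, dst, dst_port, proto, octets) per flow in one export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[6]=dOctets f[10]=dstport f[13]=prot
        yield ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1]), f[10], f[13], f[6]

def summarize(datagrams, iot_net=IOT_NET):
    """Bytes sent per (IoT device, remote address, port, protocol)."""
    totals = defaultdict(int)
    for dg in datagrams:
        for src, dst, port, proto, octets in parse_v5(dg):
            if src in iot_net and dst not in iot_net:
                totals[(str(src), str(dst), port, proto)] += octets
    return dict(totals)

def build_v5(flows):
    """Build a constructed export datagram for the demo (not captured traffic)."""
    out = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, dport, proto, octets in flows:
        out += RECORD.pack(ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed, bytes(4), 0, 0, 1,
                           octets, 0, 0, 40000, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return out

SAMPLE = build_v5([  # constructed flows; remote hosts use documentation ranges
    ("192.168.30.21", "203.0.113.10", 443, 6, 1500),
    ("192.168.30.21", "203.0.113.10", 443, 6, 500),
    ("192.168.30.22", "198.51.100.7", 8883, 6, 900),
    ("192.168.10.5", "203.0.113.10", 443, 6, 9999),   # not in the IoT VLAN
])

if __name__ == "__main__":
    print(summarize([SAMPLE]))
```

A device that suddenly gains a new remote address or port in this summary is worth a closer look, with no payload inspection involved.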

mada3k

Forum Veteran

Posts: 707
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Recommended for IPS/IDS


Sat Jan 27, 2024 10:55 am

Suricata is a popular open-source alternative.

But note that 99,9% of typical IoT-devices is encrypted traffic, usually HTTPS of some kind. So IDS/IPS is usually pointless.


phascogale

Frequent Visitor

Posts: 54
Joined: Tue Oct 17, 2023 11:25 am

Re: Recommended for IPS/IDS


Sat Jan 27, 2024 11:06 pm

Among your list I have experience with Firewalla. An advantage is that today the IDS/IPS cost is in the capital for the box, not ongoing. That is not guaranteed to continue. Firewallas are also easy to configure though their configuration model (rule scopes) is different from that of ROS and open source products. If you want an easy, manageable IDS/IPS then so far, so good, though I agree with mada3k's caveat.

Disadvantages include that it is terribly verbose, and repeatedly boasts of things it has blocked that are not meaningful threats in my context. Perhaps personal considerations are that I object to anything that demands that it phone home to function. Updates are pushed, not under your control.

I have switched to crowdsec for some protection beyond careful firewall configuration. The Firewalla box has been reinstalled with FreeBSD, just another device running inside my network.
