- powerhosting
just joined
- Posts: 8
- Joined: Wed Apr 29, 2020 2:45 am
Topic Author
Recommended for IPS/IDS
- #1
Sat Jan 06, 2024 8:57 pm
Dear All,
I am looking for a device doing DPI for home use. I have a lot of IoT devices which I have 0 visibility on and decided to check what they are doing. They are in a different VLAN, but I am still looking for a more advanced way of listening to the traffic toward the internet.
IDS possibly IPS would be a required feature.
Currently I have a 750gr and CRS 328s
Could mikrotik help me out here or do I need to add a different vendor?
If so, is it recommended to do the VLAN -> VLAN (east-west) communication on the Mikrotik router and have the firewall only do north-south? I would prefer Mikrotik to do the most work.
Internet is 1G down and maybe half up.
Did see , but I wasn't sure if my situation is the same.
- anav
Forum Guru
- Posts: 20009
- Joined: Sun Feb 18, 2018 11:28 pm
- Location: Nova Scotia, Canada
- Contact:
Re: Recommended for IPS/IDS
- #2
Sun Jan 07, 2024 1:24 am
Different vendor.............. You will pay through the nose for a higher end device that can still provide the throughput required with IDS services applied and by the way those IDS... DPI services are not native to the router, you then additionally have to buy subscription services to activate them.
- vingjfg
Member
- Posts: 384
- Joined: Fri Oct 20, 2023 1:45 pm
Re: Recommended for IPS/IDS
- #3
Sun Jan 07, 2024 1:00 pm
Ha! Deep packet inspection, application awareness, L7 inspection, whatever name it has today. The hallmark of the modern firewall. But that's not a function Mikrotik devices have natively. In essence, you are paying someone to maintain a database of IP addresses, domain names and signatures that enable a firewall to recognize an application or a service going over the internet. This is highly dynamic and changes pretty much every day, hence the price tag.
There was for a while an effort called "openDPI" which was to have an open source repository of such things. I think that project was abandoned several years ago and someone created another port called nDPI, but which focuses on ntop.
You may find your luck with Security Onion and integrate ntop data. I haven't tried it yet, planned for when I have a moment.
If you plan on blocking stuff, an inline mode is pretty much the way to go, otherwise a port-mirror is probably better.
- powerhosting
just joined
- Posts: 8
- Joined: Wed Apr 29, 2020 2:45 am
Topic Author
Re: Recommended for IPS/IDS
- #4
Sat Jan 27, 2024 12:43 am
So far I have found the following list of vendors to consider:
Fortinet FortiGate: https://www.fortinet.com
Check Point Quantum Security Gateways: https://www.checkpoint.com
Barracuda CloudGen Firewall: https://www.barracuda.com
Palo Alto Networks PA Series: https://www.paloaltonetworks.com
SonicWall Network Security Appliance NSA 4600: https://www.sonicwall.com
Firewalla: https://firewalla.com/
Tbh: The last one seems to have a reasonable price, but with no experience it's hard to tell if it's worth the money.
Any experience with either?
Also, if I have a firewall do I need a router? What benefit would I get with a L3 router as often firewalls include this functionality.
- jvanhambelgium
Forum Guru
- Posts: 1039
- Joined: Thu Jul 14, 2016 9:29 pm
- Location: Belgium
Re: Recommended for IPS/IDS
- #5
Sat Jan 27, 2024 9:46 am
Most of the above vendors are really, really in another league compared to Mikrotik.
You must see Mikrotik RB as a ROUTER with network packet filter (and a lot of Swiss-army knife capabilities for sure!)
I use Fortinet & Palo Alto in my professional work, very, very capable but it comes with a price-tag....
Because they have dedicated silicon/ASIC's to handle the complex stuff...
Perhaps an alternative to get something like a Firewall. These seem almost like rebranded "TopTon" boxes.
You could also get some Topton-box and do something with OpenSource depending on your level of knowledge.
https://nl.aliexpress.com/store/9117683 ... PblPPblPvq
Then on the Mikrotik you could work with Netflow and/or fully "mirror" your traffic stream into such box and use some tools like "ntopng" on it or something.
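The "Netflow and/or mirror into a separate box" approach from post #5, written out as RouterOS commands. This is an added example, not configuration from the poster or from MikroTik's documentation for this thread; the interface names, the sensor address 192.0.2.10 and the CRS port numbers are all constructed for the example and must be adapted to your own layout.

```routeros
# Added example (not from the thread): hand the IoT VLAN's traffic to a
# separate sensor box running ntopng / Suricata / Security Onion.
# Assumed layout (constructed for this example):
#   - router:  RB750Gr3 with the IoT VLAN as interface "vlan20-iot"
#   - sensor:  192.0.2.10, reachable from the router
#   - switch:  CRS328 where the IoT uplink is ether2 and the sensor
#              box is patched into ether24

# 1) NetFlow v9 export from the router. Flow records (who talked to whom,
#    ports, byte counts, timing) need no payload, so they stay useful
#    even when every IoT session is TLS. 2055 is the usual collector port.
/ip traffic-flow
set enabled=yes interfaces=vlan20-iot cache-entries=16k active-flow-timeout=1m
/ip traffic-flow target
add dst-address=192.0.2.10 port=2055 version=9

# 2) Full-packet copy from the router using the built-in sniffer and TZSP
#    streaming (UDP 37008 on the sensor; Wireshark and ntopng decode it).
#    filter-stream=yes keeps the stream itself out of the capture so it
#    does not feed back on itself. This costs router CPU; fine for a home
#    VLAN, not for a full 1G uplink.
/tool sniffer
set filter-interface=vlan20-iot streaming-enabled=yes streaming-server=192.0.2.10 filter-stream=yes
/tool sniffer start

# 3) Hardware port mirror on the CRS328 switch chip: every frame entering
#    or leaving ether2 is copied to ether24 at line rate, with no CPU load.
#    The sensor port should carry nothing else, since mirrored frames are
#    delivered regardless of VLAN membership.
/interface ethernet switch port
set ether2 mirror-ingress=yes mirror-egress=yes mirror-ingress-target=ether24 mirror-egress-target=ether24
```

Pick one of the three rather than stacking them: the NetFlow export is the cheapest and gives ntopng the top-talkers view the original question asks for, the sniffer stream is a quick way to get a pcap without recabling, and the switch mirror is the right choice for a permanent sensor. All three are passive, which matches post #3's point: a mirror copy can only alert, so anything meant to block has to sit inline instead.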
- mada3k
Forum Veteran
- Posts: 707
- Joined: Mon Jul 13, 2015 10:53 am
- Location: Sweden
Re: Recommended for IPS/IDS
- #6
Sat Jan 27, 2024 10:55 am
Suricata is a popular open-source alternative.
But note that 99,9% of typical IoT devices' traffic is encrypted, usually HTTPS of some kind. So IDS/IPS is usually pointless.
- phascogale
Frequent Visitor
- Posts: 54
- Joined: Tue Oct 17, 2023 11:25 am
Re: Recommended for IPS/IDS
- #7
Sat Jan 27, 2024 11:06 pm
Among your list I have experience with Firewalla. An advantage is that today the IDS/IPS cost is in the capital for the box, not ongoing. That is not guaranteed to continue. Firewallas are also easy to configure though their configuration model (rule scopes) is different from that of ROS and open source products. If you want an easy, manageable IDS/IPS then so far, so good, though I agree with mada3k's caveat.
Disadvantages include that it is terribly verbose, and repeatedly boasts of things it has blocked that are not meaningful threats in my context. Perhaps personal considerations are that I object to anything that demands that it phone home to function. Updates are pushed, not under your control.
I have switched to crowdsec for some protection beyond careful firewall configuration. The Firewalla box has been reinstalled with FreeBSD, just another device running inside my network.