Snort and pfBlockerNG both or one on the Netgate 5100

Do Snort and pfBlockerNG serve complementary functions? Is my system (Netgate 5100) more secure if I install both on the Netgate 5100, or is only one sufficient (if so, which one)? Will having both running significantly impact data transfer rates? What are your thoughts and recommendations? Alternatively, is there a better package that will perform the functions of these two?

Thanks

EBJ

Snort can only inspect unencrypted traffic, so HTTP, FTP and so on. It cannot inspect HTTPS, which will be the majority of the traffic. IMO it’s not worth running.

pfBlockerNG is worth running because you will use the DNS and IP filtering.

If you are hosting services to the internet, pfBlockerNG and Snort are a good combination. What I find is that inbound connections with the right pfBlocker lists will catch 90% of the bad-reputation endpoints out there. Snort usually will get the others when they start their probe or go after known CVEs and other vulnerabilities.

I don’t use the DNS blocking in pfBlocker because it can’t do granular lists by hosts or groups, but I do use Pi-hole for that since I can assign hosts to groups of block lists or have them completely ignore block lists. Most of the Snort rules for outbound traffic are useless and can generate a lot of noise that you will need to disable with suppress rules.
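The layering the post above describes (the reputation list drops most inbound bad actors at the firewall, Snort is left with the rest, and noisy outbound signatures get suppressed) can be checked against an alert log. The script below is an added example, not code from this thread, from Netgate or from the Snort or pfBlockerNG packages. It parses Snort "fast" alert lines, sorts inbound alerts into those a pfBlockerNG-style IP list would already have dropped versus those only Snort catches, counts outbound alerts per signature, and emits threshold.conf suppress entries for the noisy ones. The internal networks, the reputation list, the alert lines and every signature ID are constructed for the example and are not real feeds or real rule IDs.

```python
"""Triage Snort fast-format alerts against a pfBlockerNG-style IP list.

Added example; all sample data and signature IDs below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the networks behind the firewall. Adjust for your LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed reputation list in pfBlockerNG's usual one-entry-per-line form.
REPUTATION_LIST = """\
# hypothetical feed, not a real reputation list
203.0.113.0/24
198.51.100.77
"""

# Snort "fast" alert line as written by the alert_fast output plugin:
#   <ts>  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample alerts with hypothetical SIDs and messages.
SAMPLE_ALERTS = """\
01/02-10:00:01.000001  [**] [1:1000001:1] SCAN inbound probe to admin path [**] [Priority: 2] {TCP} 203.0.113.9:51000 -> 192.0.2.10:443
01/02-10:00:02.000001  [**] [1:1000002:1] WEB exploit attempt against known CVE [**] [Priority: 1] {TCP} 198.51.100.200:4444 -> 192.0.2.10:443
01/02-10:00:03.000001  [**] [1:1000003:2] POLICY outbound DNS over TCP [**] [Priority: 3] {TCP} 10.0.0.5:53123 -> 8.8.8.8:53
01/02-10:00:04.000001  [**] [1:1000003:2] POLICY outbound DNS over TCP [**] [Priority: 3] {TCP} 10.0.0.6:53124 -> 8.8.8.8:53
01/02-10:00:05.000001  [**] [1:1000003:2] POLICY outbound DNS over TCP [**] [Priority: 3] {TCP} 10.0.0.7:53125 -> 8.8.4.4:53
01/02-10:00:06.000001  [**] [1:1000004:1] MALWARE outbound beacon [**] [Priority: 1] {TCP} 10.0.0.8:40000 -> 198.51.100.77:8080
"""


def load_reputation_list(text):
    """Parse one IP or CIDR per line; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_fast_alerts(text):
    """Return one dict per parsable alert line (gid/sid as ints)."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.search(line)
        if m:
            a = m.groupdict()
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            alerts.append(a)
    return alerts


def triage(alerts, rep_nets):
    """Split alerts into what the IP list drops, what only Snort sees, and outbound noise.

    Assumption: the list is applied both inbound (by source) and outbound
    (by destination), which is how pfBlockerNG is typically deployed.
    """
    dropped_by_list, snort_only, outbound = [], [], Counter()
    for a in alerts:
        if not _in_any(a["src"], INTERNAL_NETS):          # inbound
            (dropped_by_list if _in_any(a["src"], rep_nets) else snort_only).append(a)
        else:                                              # outbound from LAN
            if _in_any(a["dst"], rep_nets):
                dropped_by_list.append(a)
            outbound[(a["gid"], a["sid"], a["msg"])] += 1
    return {"dropped_by_list": dropped_by_list, "snort_only": snort_only, "outbound": outbound}


def suppress_entries(outbound, min_hits=3):
    """Emit Snort threshold.conf suppress lines for outbound signatures that fire often."""
    lines = []
    for (gid, sid, msg), hits in outbound.most_common():
        if hits < min_hits:
            continue
        lines.append(f"# {msg}: {hits} hits from internal hosts")
        for net in INTERNAL_NETS:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {net}")
    return lines


if __name__ == "__main__":
    result = triage(parse_fast_alerts(SAMPLE_ALERTS), load_reputation_list(REPUTATION_LIST))
    for bucket in ("dropped_by_list", "snort_only"):
        print(bucket, [f"{a['sid']} {a['src']}->{a['dst']}" for a in result[bucket]])
    print("\n".join(suppress_entries(result["outbound"])))
```

In the sample, the probe from 203.0.113.9 and the beacon to 198.51.100.77 are handled by the list alone, the exploit attempt from 198.51.100.200 is the one alert Snort adds, and the three outbound DNS-over-TCP hits become suppress entries keyed to the internal networks rather than a blanket disable of the rule. Be careful with `min_hits`: a low-volume outbound alert such as the beacon is exactly the kind you do not want to suppress.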


In almost all cases, these are just knobs and buttons to make you feel better.

I don’t completely agree with you, but I feel like Snort is one of those features. This type of inspection should be at the endpoint level…

I’m excited to get CrowdSec on pfSense going when it’s officially released.

You can install CrowdSec on pfSense using their instructions via the command line. I agree it would be cool to have it as a package so it can be managed via the WebGUI.

However, CrowdSec is better suited to endpoints rather than to an appliance or server where it could break things for everyone.

I disagree. My services are behind HAProxy using pfSense. So the ideal place for the CrowdSec install is on pfSense.

Also, blocking malicious IPs from the firewall for all devices is ideal.

The command line is voodoo around here, my friend. And running a firewall with CrowdSec on the endpoint? With no pfSense GUI? No GUI for that at all? Ha, no flipping way.

pfSense is the best place to run this service because it is the first place everybody runs their services.

For the record, all my servers are pure Debian and Ubuntu servers with no GUI whatsoever. I don’t mind the CLI at all. What I don’t like is pfSense’s flaky upgrades and changes. I want CrowdSec to be an actual package that has at least been tested better than just running it right now. Also, who knows what I would need to do if I implemented this now and then the actual package breaks my installation.

Why not run HAProxy in a container on your Debian box using fancy CrowdSec FW rules? That would be soooo much more secure than running it on your gateway (without any namespace isolation). Of all the services you run, that one is probably the most radioactive, and it warrants a little isolation.

Doing it this way, you could tweak the CrowdSec FW rules apart from your router. Plus, you wouldn’t have to worry about it bringing down your router with an update. Little advantages here and there.