Intrusion Detection recommendations

BPNoC Group bpnoc.lists at gmail.com
Sat Feb 14 17:31:04 UTC 2015


On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai <rafael at gav.ufsc.br> wrote:

> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
> use a fairly well tested security appliance like Cisco's ASA.


Or maybe Juniper, Cisco's Ironport, IPSO?

They are all FreeBSD based, and ready for big and large critical networks.

FreeBSD's ipfw codebase has existed for longer than most commercial products you
somehow believe to be more mature. So FreeBSD's firewalling code, at least, is
as well tested as commercial vendors' products.


> Depending on
> the traffic you have on your fiber uplink, you can get a redundant pair of
> ASAs running for less than $2,000 in the US.


For this traffic rate the best part of a commercial product is just
irrelevant: good specific hardware. Whatever can be done with a USD 2K
Cisco-based solution can be done on cheap, low-capacity x86 hardware with
FreeBSD.


> I just find it less stressful
> to use a solution like ASA rather than worrying about patching your kernel
> every so often and worrying about possible vulns in the ipfw/pf codes.
>

One does not need to svn update, build kernel, build world if he does not
want to. It's just a matter of adding freebsd-update to crontab (or having
your own manual updating cycle in place).


> That, and you have to make sure EVERYTHING is taken into account when you
> create your rules, which requires some intense knowledge on either ipfw, pf
> or both.
>

Another point I am completely inclined to disagree with.

My team is made up of junior-level trainees to +20yr experience
professionals.

There is absolutely no relevant learning curve for someone who has
configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the
guy comes from a Linux background he finds it ridiculously simple to have a
PF firewall up and running; after all, for someone used to that weird
iptables syntax and semantics, a firewall where rules are linear and the
syntax is natural is a piece of cake.

For new professionals, they quickly learn PF/IPFW better than Linux or
Fortigate, which is another product we also have in place (heterogeneous /
mixed team and technologies here).

The tool is just the tool; it should be a matter of what the tool can or
cannot do, but not a matter of how to use it. Cisco ASA and PF are completely
different animals, sure, but learning 'em from scratch or coming from other
animals like Linux or Fortigate is straightforward.

While products like Fortigate have a nice GUI interface, it's just limited
and low-productivity. My team tends to configure Fortinet on the CLI, and guess
what? The Fortinet team usually gets joked at by the BSD team when they see someone
using the Fortinet CLI.

It just takes 5 times longer to configure several "edit" blocks, creating
objects and putting it all together to have a simple firewall rule in the end,
when the BSD guys do a one-line rule with macros and tables, sorted for all
equivalent "object" advantages. Nobody cares for a GUI in my team, but if a
fancy GUI is required they send pfSense screenshots to the Fortinet guys
just to keep making fun...

I strongly believe in the idea that open source has its place and
commercial products have their place in different scenarios and
requirements. And in this scenario Mr Andy is asking about, IMO there's no
reason not to go with open source BSD.

Especially because he seems already familiar with FreeBSD.

> I am not an expert in intrusion detection, so with regards to that, I'd
> just setup a honeypot and monitor activity. You can also regularly run
> penetration tests on your own network and see how well you are protected.
> Just make sure the appropriate people know about these tests so you don't
> get wrongfully reported.
>

Not the same thing, same goal or same results.


>
>
> Rafael
>
>
> On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy at newslink.com>
> wrote:
>
> > NANOG'ers,
> >
> > I've been tasked by our company president to learn about, investigate and
> > recommend an intrusion detection system for our company.
> >
> > We're a smaller outfit, less than 100 employees, entirely Apple-based.
> > Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the
> > world. We are protected by a FreeBSD firewall setup, and we stay current
> > on updates/patches from Apple and FreeBSD, but that's as far as my expertise
> > goes.
> >
> > Initially, what do people recommend for:
> >
> > 1. Crash course in intrusion detection as a whole
> > 2. Suggestions or recommendations for intrusion detection hardware or
> > software
> > 3. Other things I'm likely overlooking
> >
> > Thank you all in advance for your wisdom.
> >
> >
> > ----
> > Andy Ringsmuth
> > andy at newslink.com
> > News Link – Manager Technology & Facilities
> > 2201 Winthrop Rd., Lincoln, NE 68502-4158
> > (402) 475-6397    (402) 304-0083 cellular
> >
> >
>
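As an added illustration of the "one-line rule with macros and tables" point made in the reply above (an example pf.conf written for this page, not configuration from the thread or from any poster; the interface names, addresses and ports are assumed for illustration):

```pf
# Added example, not from the thread. Interfaces and addresses are assumed;
# 192.0.2.0/24 is the documentation prefix, used here as a stand-in LAN.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"

# Tables: named sets of addresses that rules reference by name. They can be
# changed at runtime with pfctl without reloading the whole ruleset.
table <web_servers> { 192.0.2.10, 192.0.2.11 }
table <mgmt_hosts>  { 192.0.2.5 }
table <blocked>     persist        # kept even when empty; filled at runtime

# Service groups as macro lists, instead of one "service object" per port.
web_ports  = "{ 80, 443 }"
mgmt_ports = "{ 22 }"

set skip on lo0
scrub in all

# Default deny inbound, log what gets dropped; allow the firewall's own egress.
block in log all
pass out quick keep state

# One rule each: the grouping lives in the table or macro, not in the rule.
block in quick on $ext_if from <blocked> to any
pass in on $ext_if proto tcp from any to <web_servers> port $web_ports keep state
pass in on $int_if proto tcp from <mgmt_hosts> to any port $mgmt_ports keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; membership changes such as `pfctl -t blocked -T add 198.51.100.7` (an assumed, documentation-prefix address) take effect immediately and leave the rules untouched, which is the "object" benefit the reply refers to.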