Build Your Own IDS Firewall With PFSense

[brossyg]

Thanks for the article on making the IDS firewall. I have a Linksys RVS 4000 (Cisco) business class router with a SPI firewall, which is a lot better than basic consumer firewalls. Can you explain, briefly, how much better the SPI is than NAT and how much better IDS is than SPI?

Thanks...

 

[thiggins]

NAT provides basic protection by preventing unrequested traffic inbound from the Internet from reaching your LAN.

Most router SPI provides little real benefit. It looks for some traffic signatures that indicate exploits like denial of service or specific service probes, none of which you can do anything about anyway.

Intrusion detection looks deeper into packets to see what is actually being carried. Depending on the IDS engine, things like malware and viruses can be detected.

 

[Unregistered]

Firewall Hardware

I'm looking at an appliance from Logic Supply with:

Mainboard Jetway J7F2WE-1G
Processor 1 GHz VIA C7
RAM DDR2 667 DIMM
Storage Direct-plug IDE Flash (solid state)
Ethernet Ports 2x or 4x 10/100 RJ45

It's already pre-loaded with pfSense for $290. Do you think that is a good deal?

 

[GregN]

I'm looking at an appliance from Logic Supply with:

Mainboard Jetway J7F2WE-1G
Processor 1 GHz VIA C7
RAM DDR2 667 DIMM
Storage Direct-plug IDE Flash (solid state)
Ethernet Ports 2x or 4x 10/100 RJ45

It's already pre-loaded with pfSense for $290. Do you think that is a good deal?

Like all things requiring a judgment, it depends.

I looked at both the Jetway and Zotac MB's for my build, went with the Supermicro choice.

Criteria I used:

Network: Two Intel Gigabit NICs on Motherboard, other NIC chips rely more heavily on CPU, some chipsets have compatibly issues - Intel offers the best choice. My home network is gigabit, and I wanted three ports ( WAN, LAN, WLAN ).

Memory: Wanted to support as much as possible, I am running Snort and other packages that are memory hungry. Needed up to the 32-bit max addressable, 3Gig+

Storage: Hard Disk was chosen to support expandability, full logging, packet capture and alike. Flash storage limits expandability.

Install: PFSense requires no real expertise, my grandma could do it.

So the questions you have to answer, to judge whether it is a good deal:
1. How many Network interfaces? How heavy the traffic?
2. Are you running Snort or other demanding memory hungry packages?
3. Is expandability important?

Given all of that, the price seems high, you can get a single Intel NIC 1.8 Ghz atom board for $80, a nic card $40, 2Gb memory $25, a re-certified 160GB HD for $20. So lets say $170 bucks.

 

[GregN]

Thanks for the article on making the IDS firewall. I have a Linksys RVS 4000 (Cisco) business class router with a SPI firewall, which is a lot better than basic consumer firewalls. Can you explain, briefly, how much better the SPI is than NAT and how much better IDS is than SPI?

Thanks...

Tim nailed this.

What I think is significant is to understand that SPI is a technique and a marketing acronym, how it is applied is important. Snort is a rules engine for inspecting packets, with one rule or ten thousand rules, it is still doing SPI.

The power of IDS/IPS is in what it is inspecting for, the rules, not the fact the inspection process is happening.

Hope that helps.

 

[claykin]

What do you think about Astaro for Home users?

 

[GregN]

What do you think about Astaro for Home users?

Sorry, not familiar with their products.

 

[claykin]

Sorry, not familiar with their products.

I haven't tested PFSENSE but Astaro appears to have more features including full UTM. Note, the FREE license is for Home use only and is limited to 50 LAN IP's accessing the WAN port.

http://www.astaro.com/landingpages/en-worldwide-homeuse

 

[GregN]

I haven't tested PFSENSE but Astaro appears to have more features including full UTM. Note, the FREE license is for Home use only and is limited to 50 LAN IP's accessing the WAN port.

http://www.astaro.com/landingpages/en-worldwide-homeuse

Not sure, looking over their site, other than spam filtering (FreeBSD has SpamD), what capabilities do you see that Astaro has PFSense doesn't have?

I'm looking at expanding Cerberus to a full UTM appliance, and am interested in seeing if something critical is missing.

 

[Peter]

Waste of Money

This whole process seems like a complete waste of time and money for a home network. Properly using and maintaining an IDS is a complex and time consuming task requiring deep levels of network knowledge, a full understanding of TCP/IP, and keeping up with the current threat landscape.

Sure, you could set this all up and spend the time monitoring and maintaining it, but the author hasn't even attempted to show that it will actually keep you safer, or keep out any additional traffic, than a standard router/firewall. Is the author that naive that he didn't think that bad guys were already running port scans on his public IP address?

I installed a SNORT IDS on my employer's network just to see what was going on. The results were interesting from an academic standpoint, but the existing firewall still blocked everything it was supposed to. Knowing that someone from Russia (for example) is running a port scan on you doesn't allow you to do anything about it except block the IP address. If your router/firewall is doing what it is supposed to, they aren't going to get any information from a port scan anyway.

Most other attacks work the same way, with a properly configured firewall doing its job and stopping the attack at the front door. The only additional option an IDS will offer you is to drop the connection and block the sending IP address.

Any time or money spent on an IDS for a home network would be better spent on properly configuring your router/firewall and installing good endpoint protection on all your network devices.

 

[claykin]

This whole process seems like a complete waste of time and money for a home network. Properly using and maintaining an IDS is a complex and time consuming task requiring deep levels of network knowledge, a full understanding of TCP/IP, and keeping up with the current threat landscape.

Sure, you could set this all up and spend the time monitoring and maintaining it, but the author hasn't even attempted to show that it will actually keep you safer, or keep out any additional traffic, than a standard router/firewall. Is the author that naive that he didn't think that bad guys were already running port scans on his public IP address?

I installed a SNORT IDS on my employer's network just to see what was going on. The results were interesting from an academic standpoint, but the existing firewall still blocked everything it was supposed to. Knowing that someone from Russia (for example) is running a port scan on you doesn't allow you to do anything about it except block the IP address. If your router/firewall is doing what it is supposed to, they aren't going to get any information from a port scan anyway.

Most other attacks work the same way, with a properly configured firewall doing its job and stopping the attack at the front door. The only additional option an IDS will offer you is to drop the connection and block the sending IP address.

Any time or money spent on an IDS for a home network would be better spent on properly configuring your router/firewall and installing good endpoint protection on all your network devices.

Astaro keeps it all updated for you. Its not much more difficult than setting up a half decent hardware UTM. The big plus is that the UTM features are included (no additional subscription req'd). Then again, the free version of Astaro is only for HOME use.

 

[GregN]

This whole process seems like a complete waste of time and money for a home network. Properly using and maintaining an IDS is a complex and time consuming task requiring deep levels of network knowledge, a full understanding of TCP/IP, and keeping up with the current threat landscape.

Sure, you could set this all up and spend the time monitoring and maintaining it, but the author hasn't even attempted to show that it will actually keep you safer, or keep out any additional traffic, than a standard router/firewall. Is the author that naive that he didn't think that bad guys were already running port scans on his public IP address?

I installed a SNORT IDS....

Waste of Money - Boy, that's enough to harsh my buzz.

I do think you are right, for average joe user, a home IDS is not a necessity, and it is work. A maintained firewall will be more than adequate. But here is the thing, most home break-ins are due to ignoring simple things, doors unlocked, windows left open, etc. Taking care of those things will prevent something like 90% of home break-ins.

But if you want to feel secure someone isn't going to steal your stuff, mess up your house, you can choose to install an alarm system. With the attendant care and feeding, and cost.

For most folks, it can be argued that an alarm system is a waste of money, in most circumstances, for the average attentive homeowner, a break-in is unlikely. So giving money to the Alarm companies may be a waste.

Those folks often do it to be confident that if that improbable 10% occurs, they are covered. That peace of mind, confidence, is a personal thing and the price a person pays for it, is their own thing. I think it insulting and shallow to make the blanket statement that it is a waste of money, it is so much more complex than that, for anyone.

Cerberus gives my that peace of mind, and no I don't have an alarm system.

I'm sorry, if in your judgment the article did not make a compelling case. My reasons for building my first IDS Firewall was a that of of hobbyist, and the $100 spent converting a fallow PC to a network watchdog was fun and instructive, I got to see what was really going on, what the acronyms really meant. Much like your installing of Snort at work.

Once I saw the sheer amount of attacks leveled at my public IP, yes mostly scans, but also ICMP/UDP floods, and one embarrassing occurrence when a piece of installed malware tried to phone home (those darn users) - my admiration for what PFSense offers, made it for me, a no-brainer. As was the building of its replacement, Cerberus.

 

[GregN]

Astaro keeps it all updated for you. Its not much more difficult than setting up a half decent hardware UTM. The big plus is that the UTM features are included (no additional subscription req'd). Then again, the free version of Astaro is only for HOME use.

There are no subscriptions or other costs required for PFsense, it is a completely open platform. It will also auto-update the content it uses.

Is there some functionality you see as missing in PFSense?

 

[msmollin]

Hey Greg,
Good article. I was in a similar situation of having an unused piece of hardware and decided to play around with pfsense. I have since uninstalled it and switched to Astaro Home. Both have their ups and downs. Here is what I have found between running both:

Astaro Home is much more picky about the hardware it gets installed on. Astaro is based off of SuSE Linux, with a rebuilt custom kernel in place so I'm guessing that might be some of the issue. Granted I installed 8.000 so I'm also guessing there were some bugs to iron out.

An important item that is relevant for all home users: neither pfsense nor astaro supports UPnP. The reason is UPnP basically allows devices to punch random holes in the firewall. Ramifications of not supporting UPnP are things like Xbox Live doesnt work or barely works. There is a large thread on the pfsense forums in regards to this problem (on iPad now or else would link). PFsense however would not respect my manual port forwards for Xbox live, whereas Astaro did.

I have shut down the IDS functionality on my Astaro box because their UTM is really aggressive by default and I honestly did not want to muck around with changing the defaults.

Also of note for possible Astaro users: the box by default is completely locked down. No traffic comes in or goes out so expect to spend another hour configuring once you have managed to install it.

Overall I am gonna keep Astaro I think or maybe set up a Linux router that's a little more home friendly. The router is incredibly fast compared to any of the consumer devices I've used. I've also got plans with friends to set up a self healing VPN network (this is what happens when network engineers are up late drinking haha). The PPTP VPN is easy to set up and allows my iPhone access into my house network for doing small chores.

Just my $0.02. YMMV

Matt

 

[Peter]

Once I saw the sheer amount of attacks leveled at my public IP, yes mostly scans, but also ICMP/UDP floods, and one embarrassing occurrence when a piece of installed malware tried to phone home (those darn users) - my admiration for what PFSense offers, made it for me, a no-brainer.

My main point is that the IDS still doesn't allow you to DO anything about all these reported scans and floods (and the article never suggested it can). It provides a lot of data but there isn't much action you can take based on any of it, so I don't find it very useful in the long run. If it makes you feel more confident being able to actually see what the firewall protected you against, then enjoy it, but having the IDS doesn't actually change the functionality of the firewall or protect you against any additional attacks. I'm perfectly happy to let the firewall do its job without knowing all the details.

 

[GregN]

Hey Greg,
Good article. I was in a similar situation of having an unused piece of hardware and decided to play around with pfsense. I have since uninstalled it and switched to Astaro Home. Both have their ups and downs. Here is what I have found between running both:

Astaro Home is much more picky about the hardware it gets installed on. Astaro is based off of SuSE Linux, with a rebuilt custom kernel in place so I'm guessing that might be some of the issue. Granted I installed 8.000 so I'm also guessing there were some bugs to iron out.

An important item that is relevant for all home users: neither pfsense nor astaro supports UPnP. The reason is UPnP basically allows devices to punch random holes in the firewall. Ramifications of not supporting UPnP are things like Xbox Live doesnt work or barely works. There is a large thread on the pfsense forums in regards to this problem (on iPad now or else would link). PFsense however would not respect my manual port forwards for Xbox live, whereas Astaro did.

I have shut down the IDS functionality on my Astaro box because their UTM is really aggressive by default and I honestly did not want to muck around with changing the defaults....

Matt

Matt,

Thanks for the tip of the hat. And for the birdseye on Astaro. Some questions if I may.

I'm curious, does Astaro run Snort for IDS/IPS? Are they their own rule provider?

Which version of PFSense were you running? The current stable incarnation, version 1.2.3, has UPnP (miniUPnP ). Have you had problems with it? It seems to handle punching through for uTorrent just fine. There does seem to be some reported issues.

I'm running the latest XBox360, and it seems to have some net issues, generating odd traffic from time to time.

Folks have talked about Untangle as an alternative to Astaro. Have you looked at Untangle?

Greg

 

[msmollin]

Matt,

Thanks for the tip of the hat. And for the birdseye on Astaro. Some questions if I may.

I'm curious, does Astaro run Snort for IDS/IPS? Are they their own rule provider?

Which version of PFSense were you running? The current stable incarnation, version 1.2.3, has UPnP (miniUPnP ). Have you had problems with it? It seems to handle punching through for uTorrent just fine. There does seem to be some reported issues.

I'm running the latest XBox360, and it seems to have some net issues, generating odd traffic from time to time.

Folks have talked about Untangle as an alternative to Astaro. Have you looked at Untangle?

Greg

Greg,
Yeah Astaro runs the standard snort IDS system. They are their own rule provider because they felt several rules in the snort DB were too aggressive, which I found funny seeing as their ruleset was causing issues for me. They do not however allow custom rules to be created via the web GUI since version 6 for some reason, and it continues to be requested by users but no development yet.

I tried enabling the miniupnp daemon process and had little success with it. I was running release candidates of 1.2.0 and subsequently the releases of 1.2.0 & 1.2.1. The fact that port forwarding didn't work told me that it was PFSense since Microsoft's own docs state which ports to port forward to aid connectivity issues. Perhaps this has been fixed by now, which would be nice since not having UPnP support in my Astaro has made management that much more annoying.

I actually deployed untangle for an IT client of mine. It installs nice and "just works" but really need a better web UI. Doing things like port forwarding or assigning multiple IPs to interfaces were too buried, whereas the "Buy this feature" spots were too prominent for my tastes. Plus I get marketing emails from them too much for my tastes. But like I said it does work well, installs easily, and sets up rather quickly. It's had 0 downtime in about a year now, so I really can't complain about it too much.

My next thing to try out is ClearOS, aka ClarkConnect renamed. I'm worried ClearOS might be too much though. I don't need most of the functionality it has, nor do I think anyone should really place all that functionality inside a single machine (Windows domain controller on a firewall? Really?) Its UI looks really nice and its RHEL/CentOS based, and I'm an old Redhat guy so that gives me the "warm & fuzzies" Maybe I'll move back to PFSense.

Another thing I forgot to mention: Astaro does not make it at ALL easy to clone a mac address, which is still required for many cable providers. I had to do it temporarily with FIOS and that required SSH access and screwing around with ifconfig.

Maybe I'll move back to pfsense, haha. First I'll probably do what you did though and build a real system for it. I have a desktop sitting there sucking down 200+ watts of juice when it doesn't need it. Plus due to our apartment setup, the fios drop is in the dining room (yeah really don't ask.) and so the router sits in the family room. It's not too noisy but its enough that I notice it when the router is off.

--Matt--

 

[GregN]

Greg,
Yeah Astaro runs the standard snort IDS system. They are their own rule provider because they felt several rules in the snort DB were too aggressive, which I found funny seeing as their ruleset was causing issues for me. They do not however allow custom rules to be created via the web GUI since version 6 for some reason, and it continues to be requested by users but no development yet...



--Matt--

Cheers, thanks for the thumbnail.

It is weird, it looks like you and I followed the same course, my impression, when evaluating which distro to go with, came to the same conclusions. ClearOS seemed very heavy, and not as clean as PFSense. I also looked at various others and PFSense seemed to have the most thriving and open community, support seemed easily at hand if I had problems.

 

[msmollin]

My main point is that the IDS still doesn't allow you to DO anything about all these reported scans and floods (and the article never suggested it can). It provides a lot of data but there isn't much action you can take based on any of it, so I don't find it very useful in the long run. If it makes you feel more confident being able to actually see what the firewall protected you against, then enjoy it, but having the IDS doesn't actually change the functionality of the firewall or protect you against any additional attacks. I'm perfectly happy to let the firewall do its job without knowing all the details.

Peter,
I just saw your response (forum's email is being wonky). You are correct that an IDS just in reporting mode isn't very helpful. Greg did point out on Page 3 of his article how to set SNORT up to automatically block incoming attacks (or what it thinks are attacks). It significantly improves the reliability of the firewall because dropping all traffic coming from a particular source before the traffic hits the firewall, relieves the firewall to deal with real traffic.

--Matt--

 

[GregN]

Peter,
I just saw your response (forum's email is being wonky). You are correct that an IDS just in reporting mode isn't very helpful. Greg did point out on Page 3 of his article how to set SNORT up to automatically block incoming attacks (or what it thinks are attacks). It significantly improves the reliability of the firewall because dropping all traffic coming from a particular source before the traffic hits the firewall, relieves the firewall to deal with real traffic.

--Matt--

Thanks Matt. I can think of a couple scenarios where I'm glad to have Snort running, one I mentioned, there is a Snort rule for detecting plaintext credit card numbers in packets. Though a small thing I think it shows how a firewall isn't all you need to be secure.

The other was a recent article, Where TVs with internet connectivity are vulnerable, installing one behind a firewall would not be protected, because the TVs are designed to traverse a NAT and firewall as a trusted client. There is a good chance that Snort would catch the attacks on those open ports.

What looks like a UDP Port scan is often used as innocuous trigger for for malware to take instructions. So even blocking scans can make you more secure.

Those are just a few examples, I also mention that open ports running SNMP, SMTP, and alike are often targets for attacks, IDS/IPS protects against emerging exploits of those protocols ( if you are running them ), this is something a firewall can't accomplish.