Network Security Question

I am trying to design a network based around the existing infrastructure that is set up in this manner:

What I want to do is replace the failing router with a pfSense router that is made from a rackmount server ($250) that has Snort running in IDS mode and a firewall as well. I also want to do away with the DMZ and instead use VLANs to segment the network. I would also like to VLAN tag traffic so that the VPN can sit on the router as well and all VPN-tagged VLAN traffic will go through the VPN and everything else will pass through the regular WAN connection.

One of my coworkers, on the other hand, says I am out of my mind and that I should instead run a dedicated IDS instead of a firewall. Also that a router running on the server hardware is overkill. Granted, it may seem overkill at first glance until you realize what else the router is handling. It is also handling all the QoS SQM traffic shaping to reduce/eliminate bufferbloat. This alone eats routers alive and will hopefully make the 3 GHz quad-core Xeon worth it. I mean, this is a 1U rackmount server built specifically FOR pfSense, so it is not like I am taking an off-the-shelf server and doing something crazy with it. The company that put it together designed it for pfSense specifically.

The game server behind the DMZ currently protects itself with Windows Firewall, and I constantly nag the server owner to fix that glaring security flaw.

There are plenty of people doing what you’re describing.

IDSs are interesting these days when HTTPS is so easy. Are you planning to MITM HTTPS traffic?

When you mention Snort, did you actually mean Snort or were you thinking of Suricata?

The only challenge I can see with the server you found is that the processor does not support AES-NI. How much of a problem that actually is, I can’t say. But since pfSense will start using AES-NI in version 2.5 (next year), it might not be as viable as planned.

I presume others with more insight can elaborate on potential challenges with not supporting AES-NI.

While I commend your desire to get a rackmount pfSense router, I would be very hesitant to purchase any such device from eBay with all the scams that are on eBay today. What I would encourage you to do instead is build your device yourself. I am quite confident you could accomplish this goal for the same cost or just a little bit more.

If you do decide to purchase your device from eBay, make sure they don’t preinstall pfSense on the device; if you do, I won’t trust the device because you never would know if they didn’t install a backdoor into pfSense.

Could you recommend some hardware to get me started?

That’s a nice deal for a Xeon 1U server, and a great business model for that eBay seller, building out super-cheap little servers with obsolete hardware. But yeah, you want AES-NI support.

The same seller has systems with AES-NI support. This one is another ten bucks. Obviously I don’t vouch for them, but it is a pretty good deal.

But which is better? Using a firewall and IDS/Snort setup, or Router -> IPS -> Server?

IPS of course being Intrusion Protection System.
IDS of course being Intrusion Detection System.

Snort can be configured for either. I’m not sure if Snort can be configured to do both at the same time in pfSense.

Both Snort and Suricata will do both IDS and IPS. I would use Suricata. Put them all on the same server.

The difference between an IDS and an IPS is that an IPS will block traffic that generates alerts, whereas an IDS will only log it; otherwise they do the same thing.

Either way you need a firewall.

Can they all run on the same server? Or do I need separate machines? Can they all run on pfSense?

You don’t need separate machines. pfSense is a firewall, and you can install Snort or Suricata on it.

Can I put both on it?

Not only can you install it there, you can install and configure it through the GUI as well.

Both what?

The IDS and IPS. Both at the same time. Can they run at the same time on the same box on pfSense? Also, what kind of hardware (CPU/RAM) would I need to invest in for that?

They’re both the same thing; the difference is that an IPS blocks traffic and an IDS just logs it.

You don’t really need to worry about hardware unless you want to do IPS inline, which you don’t want to do, as the hardware requirements are nuts.

What is the difference between inline and not?

Inline processes the actual traffic rather than a copy. It means that your network speed is limited by the speed at which the IPS can process the packets. Doing it on a copy means you don’t need to worry about the IPS speed, but some traffic will get through before it’s blocked. This isn’t a real problem, though, as we’re talking about a delay of a few milliseconds.
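To make the IDS-versus-IPS and inline-versus-copy distinction from the replies above concrete, here is an added example (not from the thread or from the Snort/Suricata projects) that parses a minimal Snort/Suricata-style rule header and runs constructed sample flows through a simulated sensor in "ids" mode (every packet forwarded, hits only logged) and "ips" mode (inline, a matching `drop` rule stops the packet). The rules, IP addresses and packets are constructed for illustration; the rule grammar is a simplified subset (literal IPs or `any`, only `msg` and `sid` options).

```python
import re

# Simplified rule header: "<action> <proto> <src> <sport> -> <dst> <dport> (opts)"
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Parse one rule line into a dict; raises on anything outside the subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    opts = dict(kv.split(":", 1) for kv in
                (o.strip() for o in rule.pop("opts").split(";")) if ":" in kv)
    rule["msg"] = opts.get("msg", "").strip('"')
    rule["sid"] = int(opts.get("sid", 0))
    return rule

def _field_matches(pattern, value):
    return pattern == "any" or pattern == value

def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and _field_matches(rule["src"], pkt["src"])
            and _field_matches(rule["sport"], str(pkt["sport"]))
            and _field_matches(rule["dst"], pkt["dst"])
            and _field_matches(rule["dport"], str(pkt["dport"])))

def process(packets, rules, mode):
    """mode='ids': sensor sees a copy, so every packet is forwarded and hits are logged.
    mode='ips': sensor is inline, so a matching 'drop' rule stops the packet.
    In IDS mode a 'drop' rule still only produces a log entry, as Suricata does."""
    forwarded, log = [], []
    for pkt in packets:
        verdict = "forward"
        for rule in rules:                      # first matching rule wins
            if rule_matches(rule, pkt):
                log.append((rule["sid"], rule["msg"]))
                if mode == "ips" and rule["action"] == "drop":
                    verdict = "drop"
                break
        if verdict == "forward":
            forwarded.append(pkt)
    return forwarded, log

# Constructed rules: block RDP to the game server, only alert on SMB.
RULES = [parse_rule(r) for r in [
    'drop tcp any any -> 192.0.2.10 3389 (msg:"RDP to game server from outside"; sid:1000001;)',
    'alert tcp any any -> 192.0.2.10 445 (msg:"SMB to game server"; sid:1000002;)',
]]
# Constructed sample flows (documentation-range addresses, not real hosts).
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "192.0.2.10", "dport": 3389},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51001, "dst": "192.0.2.10", "dport": 445},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51002, "dst": "192.0.2.10", "dport": 27015},
]
```

Running `process(PACKETS, RULES, "ids")` forwards all three flows and logs two hits, while `"ips"` logs the same two hits but only forwards the 445 and 27015 flows.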

OK. So, of the two IPS options, which would you recommend?

They’re both pretty similar; there are differences in their detection rates for different types of attack, so you may want to look into it. I use Suricata because it’s multithreaded, but there’s not much meaningful difference between the two in terms of functionality and configuration.