Time to build a new network

It is time to upgrade HW and renew licenses for the network stack at work. I have gotten tired of expensive secret sauce being forced down and would like to come up with something that would work better.

Right now the plan consists of the following:
pfSense, Squid, Suricata, PacketFence, OpenVAS, ELK stack. That should provide FW, IDS/IPS, cache/web filter, automated vulnerability scanning, 802.1X, and monitoring of it all. Also, everything will be designed for production and set up in HA where applicable.

I think it will be pretty straightforward to set up. The only thing I didn’t see information on was getting the traffic decrypted by Squid and sent to Suricata via eCAP/ICAP/PCAP so that Suricata could inspect everything. Otherwise Suricata is only able to scan an unencrypted header on encrypted traffic. Maybe @wendell has a suggestion?

Any suggestions on stacks to add? Any interest in following my progress?
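The decryption half of the question above is what Squid's SSL bump does. The following is an added configuration example, not from the original post or any of the projects named in it: a minimal Squid 4/5 interception setup that decrypts HTTPS, splices (passes through untouched) a short list of sites that should not be inspected, and hands the decrypted request and response to an ICAP server over the ICAP vectoring points. The port number, file paths, CA certificate, site list and the ICAP listener on 127.0.0.1:1344 are all assumptions. One caveat a practitioner will want: Suricata inspects packets on the wire and has no ICAP listener, so the ICAP hook shown here reaches an ICAP server (c-icap, a custom scanner), not Suricata itself; Suricata sees only what it can capture as packets.

```conf
# Added example, not from the original post. Squid 4/5 syntax.
# Assumptions: CA in /etc/squid/ca/squid-ca.pem (must be trusted by every
# client), cert helper path as packaged on Debian/Ubuntu, ICAP server on
# 127.0.0.1:1344.

# Transparent HTTPS interception with per-site certificates minted on the fly
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ca/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that signs the generated leaf certificates with the CA above
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello (SNI) without terminating TLS, then decide
acl step1 at_step SslBump1
acl nobump ssl::server_name .bank.example .health.example   # assumed list
ssl_bump peek step1
ssl_bump splice nobump      # pass these through encrypted, no decryption
ssl_bump bump all           # decrypt everything else

# Send the decrypted HTTP request and response to an ICAP server for
# inspection. bypass=off means a failed ICAP call blocks the transaction
# rather than silently letting it through.
icap_enable on
icap_service inspect_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=off
icap_service inspect_resp respmod_precache icap://127.0.0.1:1344/response bypass=off
adaptation_access inspect_req  allow all
adaptation_access inspect_resp allow all
```

The peek-then-splice step matters for the HA/production goal in the post: sites with certificate pinning or client certificates break when bumped, so the splice list is where those exceptions go, and it is matched on SNI before any decryption happens. Check the result with `squid -k parse` before reloading, and confirm from a client that the leaf certificate presented for a bumped site chains to the Squid CA while a spliced site still shows its original certificate.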

I am very interested in following your progress.