nanog mailing list archives

Re: Intrusion Detection recommendations


From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 14 Feb 2015 07:19:24 -0500

On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
> What is the alternative then... Does he have the time to become a BSD guru
> and master ipfw and pf? Probably not feasible with all other job duties,
> unless he locks himself in his mom's basement for the next 5 years.

I know this will come as a shock, but there are now a plethora of how-to's
and tutorials and books and FAQs and examples for pf.  Getting from zero
to a first-order working configuration, especially for someone already
familiar with FreeBSD (as in this case) should not entail more than a
couple of days of reading and tinkering.  And it's most definitely not
necessary to become a BSD guru in order to run:

        pfctl -f /etc/pf.conf

Obviously complex use cases will require more understanding, but that's a
constant regardless of the platform.  There's really no point-and-drool
shortcut for actually understanding what your network's doing, why it's
doing it, and how it's doing it in sufficient depth to figure out which
parts of that are goodness and which are dubious -- or worse.  To quote
Ranum, "How can you call yourself a 'Chief Technology Officer' if you
have no idea what your technology is doing?"

---rsk
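As an added illustration of the kind of first-order ruleset the reply has in mind (example configuration, not from the post or from anyone in the thread): a default-deny pf.conf for a FreeBSD host that allows outbound traffic, admits SSH only from a management prefix, and logs everything it drops. The interface name em0 and the 192.0.2.0/24 admin prefix are assumptions.

```pf
# Added example pf.conf, not taken from the NANOG post.
# Assumptions: external interface em0, management prefix 192.0.2.0/24
# (a documentation range; substitute your own).
ext_if    = "em0"
admin_net = "192.0.2.0/24"

# Hosts that exceed the SSH connection-rate limit below land here
table <bruteforce> persist

set skip on lo0              # never filter loopback
set block-policy drop        # silently drop rather than send RST/ICMP unreachable
set loginterface $ext_if     # keep per-interface counters for pfctl -si

# Reassemble fragments so later rules see whole packets
scrub in on $ext_if all

# Drop packets arriving on $ext_if with a source address that belongs
# to one of this host's own networks (spoofed)
antispoof quick for $ext_if

# Anything already caught overloading SSH is dropped before the pass rules
block in quick on $ext_if from <bruteforce>

# Default deny inbound; "log" sends each dropped packet to pflog0 for review
block in log all

# This host may initiate connections; replies are matched by state table
pass out quick on $ext_if keep state

# Inbound management: SSH from the admin prefix only, with a per-source
# rate limit (5 new connections per 30 seconds) feeding the overload table
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Parse it without loading (`pfctl -nf /etc/pf.conf`) before running the `pfctl -f` command quoted above, and watch what the default-deny rule is dropping with `tcpdump -n -e -ttt -i pflog0` to find legitimate services that still need a pass rule.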
