Re: Intrusion Detection recommendations

[Rafael Possamai <rafael () gav ufsc br>]

Thanks for the awesome response, you have valid points. This could be me
trying to simplify things by suggesting something like Cisco ASA, but the
FreeBSD solution will need much more than just a well written ipfw or pf
set of rules. In his scenario, I would also most likely need to setup VPN,
CARP, etc, which requires decent amount of knowledge. If you use newer
NICs, most likely will need to go with 10.0 or higher, which requires
constant updates/patches since it's new release.





On Sat, Feb 14, 2015 at 11:31 AM, BPNoC Group <bpnoc.lists () gmail com> wrote:

> On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai <rafael () gav ufsc br>
> wrote:
>
> > I am a huge fan of FreeBSD, but for a medium/large business I'd definitely
> > use a fairly well tested security appliance like Cisco's ASA.
>
>
> Or maybe Juniper, Cisco's Ironport, IPSO?
>
> They are all FreeBSD based, big and large critical networks ready.
>
> FreeBSD's ipfw codebase exists for longer than most commercial products
> you somehow believe to be more mature. So, FreeBSD's firewalling code at
> least, as well tested as commercial vendors products.
>
>
> > Depending on
> > the traffic you have on your fiber uplink, you can get a redundant pair of
> > ASAs running for less than $2,000 in the US.
>
>
> For this traffic rate the best part on a commercial product is just
> irrelevant: good specifics hardware. Whatever can be done with a USD 2K
> Cisco based solution can be done on cheap low capacity x86 hardware with
> FreeBSD.
>
>
> > I just find it less stressful
> > to use a solution like ASA rather than worrying about patching your kernel
> > every so often and worrying about possible vulns in the ipfw/pf codes.
>
> One does not need to svn update, build kernel, build world if he does not
> want to. It's just a matter of adding freebsd-update to crontab (or having
> you own manual updating cycle in place).
>
>
> > That, and you have to make sure EVERYTHING is taken into account when you
> > create your rules, which requires some intense knowledge on either ipfw,
> > pf
> > or both.
>
> Another point I am completely inclined to disagree.
>
> My team is made up of junior level, trainees, to +20yr experience
> professionals.
>
> There is absolutely no relevant learning curve for someone who has
> configured a Cisco or Juniper firewall to a PF or IPFW firewall. If the
> guys comes from a Linux background he finds ridiculously simple to have a
> PF firewall up and running, after all for someone used to that weird
> iptables syntax and semantics, a firewall where rules are linear and
> natural syntax are a piece of cake.
>
> For new professionals, they quickly learn PF/IPFW better than Linux or
> Fortigate which is another product we also have in place (heterogenous /
> mixed team and technologies here).
>
> The tool is just the tool, it should a matter of what the tool can or can
> not do, but not a matter on how to use it. Cisco ASA and PF are completely
> different animals, sure, but learning 'em from scratch or coming from other
> animals like Linux or Fortigate is straightforward.
>
> While products like fortigate have a nice GUI interface, it's just limited
> and low productive. My team tendo to configura fortinet on CLI, and guess
> what? Fortinet team are usually joked by BSD team when they see someone
> using Fortinet cli.
>
> It just takes 5 times more to configure several "edit"  blocks, creating
> objects, putting it all together to have a simple firewall rule in the end,
> when the BSD guys do a one line rule with macros and tables sorted all for
> equivalent "object"  advantages. Nobody cares for GUI in my team, but if a
> fancy GUI is required they send pfSense screenshots for the Fortinet guys
> just to keep the making fun...
>
> I strongly believe in the idea that open source has it's place and
> commercial products have their place on different scenarios and
> requirements. And in this scenario Mr Andy is asking about, IMO there's no
> reason not to go with open source BSD.
>
> Specially because he seems already familiar with FreeBSD.
>
> I am not an expert in intrusion detection, so with regards to that, I'd
> > just setup a honeypot and monitor activity. You can also regularly run
> > penetration tests on your own network and see how well you are protected.
> > Just make sure the appropriate people know about these tests so you don't
> > get wrongfully reported.
>
> Not the same thing, same goal or same results.
>
>
> > Rafael
> >
> >
> > On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy () newslink com>
> > wrote:
> >
> > > NANOG'ers,
> > >
> > > I've been tasked by our company president to learn about, investigate
> > and
> > > recommend an intrusion detection system for our company.
> > >
> > > We're a smaller outfit, less than 100 employees, entirely Apple-based.
> > > Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to
> > the
> > > world. We are protected by a FreeBSD firewall setup, and we stay
> > current on
> > > updates/patches from Apple and FreeBSD, but that's as far as my
> > expertise
> > > goes.
> > >
> > > Initially, what do people recommend for:
> > >
> > > 1. Crash course in intrusion detection as a whole
> > > 2. Suggestions or recommendations for intrusion detection hardware or
> > > software
> > > 3. Other things I'm likely overlooking
> > >
> > > Thank you all in advance for your wisdom.
> > >
> > >
> > > ----
> > > Andy Ringsmuth
> > > andy () newslink com
> > > News Link – Manager Technology & Facilities
> > > 2201 Winthrop Rd., Lincoln, NE 68502-4158
> > > (402) 475-6397    (402) 304-0083 cellular