On Sat, Feb 14, 2015 at 10:19 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Fri, Feb 13, 2015 at 03:45:30PM -0600, Rafael Possamai wrote:
>> What is the alternative then... Does he have the time to become a BSD guru and master ipfw and pf? Probably not feasible with all other job duties, unless he locks himself in his mom's basement for the next 5 years.

Are we really talking "ipfw add deny udp from any to any 123 not in via $lan" here? Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j DROP"? Or maybe we are talking:

    config firewall local-in-policy
      edit #id
        set intf ifacename
        set srcaddr any
        set dstaddr any
        set service previously_configured_object
        set action deny
      next
    end

Nobody needs to lock himself in a basement to learn PF or IPFW. While this might not be true for other firewalling systems, it can't be easier than it is on BSD. All it takes is proper networking skills. The tool just makes it simple to do what you want to do if you know how you want it done (TCP/IP skills, not PF skills, required).

> I know this will come as a shock, but there is now a plethora of how-to's
> and tutorials and books and FAQs and examples for pf. Getting from zero to a first-order working configuration, especially for someone already familiar with FreeBSD (as in this case), should not entail more than a couple of days of reading and tinkering. And it's most definitely not necessary to become a BSD guru in order to run:

Not to mention PF's documentation, IPFW's documentation and the Handbook chapter...

> pfctl -f /etc/pf.conf
>
> Obviously complex use cases will require more understanding, but that's a constant regardless of the platform.

Agree, networking skills are required, not PF/IPFW skills, as they are easy and well-documented tools. Easier and more performant than most other firewalling tools and options, or as easy as other easy ones like Cisco ASA.

But back to Andy's original point: as someone else mentioned before, I dropped Snort in favor of Suricata + Bro, and they are the tools I would also suggest. Do it with FreeBSD + Suricata and/or Bro. And remember, IDS is not a service you set up and forget. The most important point is to learn how to do proper analysis on what you are seeing and understand volumetric vs. unusual single attacks, inspect payload and L7 content, and have a daily analysis cycle if you can't have dedicated personnel to do that continuously. This is no different whether you go home-brew open source, pre-packaged open source (pfSense) or proprietary/commercial. I also agree with someone who suggested Bejtlich's SIEM (NSM) book, and I would recommend Shon Harris, Miller et al.'s SIEM book as well!

Regards,
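The "daily analysis cycle" point above (separating volumetric noise from the one-off alert whose payload actually needs a human) is the part of the thread that is easiest to show in code. The following is an added example, not from this thread and not from the Suricata or Bro projects: a small triage script over Suricata EVE JSON alert records. It assumes the standard EVE alert shape (one JSON object per line, `event_type` "alert", an `alert` object with `signature`, `signature_id` and `severity`, and an optional `payload_printable` field when payload logging is enabled). The sample lines, signature names, TEST-NET addresses and the thresholds are constructed for illustration and should be tuned per network.

```python
"""Daily triage of Suricata EVE alerts: volumetric groups vs. single events.

Added example for the thread above; not part of the original mail and not
Suricata project code. Input format assumed: Suricata eve.json alert lines.
"""
import json
from collections import Counter

# Constructed sample eve.json content (TEST-NET addresses, made-up signature
# names/IDs). Includes a non-alert record and a corrupted line on purpose.
SAMPLE_EVE = r"""
{"timestamp":"2015-02-14T09:01:10.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE SCAN Inbound SSH sweep","severity":2}}
{"timestamp":"2015-02-14T09:01:11.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.11","dest_port":22,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE SCAN Inbound SSH sweep","severity":2}}
{"timestamp":"2015-02-14T09:01:12.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.12","dest_port":22,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE SCAN Inbound SSH sweep","severity":2}}
{"timestamp":"2015-02-14T09:01:13.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.13","dest_port":22,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE SCAN Inbound SSH sweep","severity":2}}
{"timestamp":"2015-02-14T09:01:14.000000+0000","event_type":"alert","src_ip":"203.0.113.5","dest_ip":"192.0.2.14","dest_port":22,"proto":"TCP","alert":{"signature_id":2000001,"signature":"EXAMPLE SCAN Inbound SSH sweep","severity":2}}
{"timestamp":"2015-02-14T09:02:00.000000+0000","event_type":"dns","src_ip":"192.0.2.30","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"example.net"}}
{"timestamp":"2015-02-14T09:03:41.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.20","dest_port":80,"proto":"TCP","alert":{"signature_id":2000002,"signature":"EXAMPLE WEB_SERVER Possible command injection in URI","severity":1},"payload_printable":"GET /cgi-bin/status?cmd=;id HTTP/1.1"}
{"timestamp":"2015-02-14T09:04:05.000000+0000","event_type":"alert","src_ip":"192.0.2.30","dest_ip":"192.0.2.10","dest_port":123,"proto":"UDP","alert":{"signature_id":2000003,"signature":"EXAMPLE POLICY Outbound NTP","severity":3}}
{"timestamp":"2015-02-14T09:04:09.000000+0000","event_type":"ale
"""


def load_alerts(text):
    """Parse EVE lines and keep only alert records.

    Blank lines and malformed JSON (e.g. a line cut mid-write by log rotation)
    are skipped rather than aborting the whole daily run.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def triage(alerts, volumetric_threshold=5, review_max_severity=2):
    """Split alerts into three buckets.

    volumetric: (src_ip, signature) pairs firing >= volumetric_threshold times
                (scans, floods): handled by counts, not by reading each one).
    review:     low-count alerts with severity <= review_max_severity
                (Suricata severity 1 is highest): these get payload inspection.
    noise:      everything else (low-count, low-severity policy hits).
    Thresholds are assumptions for this example; tune them per network.
    """
    groups = Counter((a["src_ip"], a["alert"]["signature"]) for a in alerts)
    volumetric, review, noise = {}, [], []
    for a in alerts:
        key = (a["src_ip"], a["alert"]["signature"])
        if groups[key] >= volumetric_threshold:
            volumetric[key] = groups[key]
        elif a["alert"]["severity"] <= review_max_severity:
            review.append(a)
        else:
            noise.append(a)
    return {"volumetric": volumetric, "review": review, "noise": noise}


def report(tri):
    """Render the triage result as the lines an analyst reads each morning."""
    lines = []
    for (src, sig), n in sorted(tri["volumetric"].items(), key=lambda kv: -kv[1]):
        lines.append(f"VOLUMETRIC {n:>4}x {src} -> {sig}")
    for a in tri["review"]:
        payload = a.get("payload_printable", "<no payload captured>")
        lines.append(
            f"REVIEW   sev{a['alert']['severity']} {a['src_ip']} -> "
            f"{a['dest_ip']}:{a['dest_port']} {a['alert']['signature']} | {payload}"
        )
    lines.append(f"noise: {len(tri['noise'])} low-severity, low-count alerts not shown")
    return lines


if __name__ == "__main__":
    for line in report(triage(load_alerts(SAMPLE_EVE))):
        print(line)
```

The point of the split is that the five SSH-sweep alerts are one fact (a scanner at 203.0.113.5), not five, while the single command-injection alert is the one record whose `payload_printable` the analyst must actually read. On a real box you would feed `/var/log/suricata/eve.json` (or the previous day's rotated file) into `load_alerts` instead of the constructed sample.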