In this chapter, we will explore the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) concepts to understand their functionality. This will help us implement a good network perimeter defense using them. We will explore how OPNsense employs Suricata and combines it with Netmap to implement an outstanding IDS and IPS open source solution. By the end of this chapter, you will know how to use an IDS/IPS solution to monitor and block traffic using OPNsense.
In this chapter, we will cover the following topics:
Good TCP/IP networking knowledge will be enough for you to understand the concepts in this chapter. To follow the configuration steps, you will need a working version of OPNsense with a host connected to it, along with an active internet connection.
The rise of different types of attacks on the internet has pushed firewall solutions to increase their defense mechanisms. A layer 4-only approach became inefficient against more sophisticated attacks, such as techniques that are used to exploit a known vulnerability, requiring a new approach to detect and block the latest threats. Let's look at a practical example.
Suppose that a layer 4-only firewall allows LAN to internet-only connections to well-known internet protocols such as DNS and HTTP, and connections that are used for email communication, such as POP3, SMTP (submission), and IMAP. So, to bypass the firewall, the attacker could install malware that uses the same ports as the HTTP protocol, such as 80 and 443, so that the malware can transmit data using an allowed port without any problem. Now, suppose that this kind of technique became a trend, and all attackers started bypassing firewalls in this way! Cybersecurity professionals would get in trouble, right? Not so fast – thanks to skilled security researchers, the IDS concept was created, and some excellent tools have risen since then. An IDS can detect attacks using allowed ports, alerting the security teams about possible harmful traffic.
The IDSs that are used in network borders such as firewalls are known as Network IDSs (NIDSs). There are host-based IDS (HIDS) tools that are installed on each host of the network, also known as endpoints.
Important Note
An outstanding HIDS open source project is Open Source HIDS SECurity (OSSEC): https://www.ossec.net/. This project was founded by Daniel B. Cid, who is a Brazilian tech entrepreneur – which I am proud to mention, by the way.
Now, let's look at the next level of protection! What if a NIDS could automatically block attacks based on signatures? It would be heaven for any security team! So, let's introduce the concept of IPSs. Most NIDSs have blocking capabilities, turning them into NIPSs or Network Intrusion Detection and Prevention Systems (NIDPSs). Let's dig a little deeper and explore how all this magic happens.
The OPNsense IDPS implementation is based on the Suricata project, a truly open source I(DP)S that's supported by the Open Information Security Foundation (OISF). Suricata is an excellent open source NIDS solution with superb support for signatures from companies such as Proofpoint, for example. On OPNsense, Suricata has Netmap support, which means fewer CPU resource requirements to detect threats, which results in good performance. The Netmap framework is driver-dependent, and it is essential to check whether the network device that's being used supports it before activating a feature that uses Netmap. In this chapter, we will do that while enabling IPS mode.
Note
We discussed how to implement Netmap in OPNsense in Chapter 2, Installing OPNsense. There, you can find the Netmap devices that are supported on FreeBSD.
The OPNsense project steps closer to the OISF, so you can always expect a better Suricata implementation on it. The Suricata and Netmap combination means good performance for I(DP)S inspection. One of the most challenging things to implement on a busy network is a NIPS because, with high traffic, packet inspection in real time is a CPU-consuming task. Without an exemplary implementation, like what OPNsense has, using a kernel-based version of Netmap and Suricata, sometimes even with powerful hardware, isn't enough to enable the IPS on larger networks.
Another significant advantage OPNsense has, compared to other NIPS open source projects, is that it only blocks the traffic that matches the NIPS signature. Some solutions block the source/destination IP for a while, which can cause a lot of issues in a false positive case.
Its support for Proofpoint signatures is another vast improvement that the OPNsense project achieved. Having better signature rulesets means fewer false positives and better accuracy while blocking threats.
Some of the key features of the Suricata project are as follows (extracted from the project's official website – https://suricata.io/features/all-features/):
As you may have noticed, the OPNsense project is always pursuing state-of-the-art open source security. This is also true for I(DP)S features.
Next, let's check out the available signatures and rulesets.
The I(DP)S rulesets are a group of rules that you can enable to detect certain types of traffic – for example, a signature that's been designed to prevent attacks on web servers. In OPNsense, it is possible to enable different rulesets simultaneously. By default, the available rulesets are as follows:
Whatever ruleset you decide to use, you must download and install these rulesets before enabling them.
Some additional rulesets that are available as plugins are as follows:
Before we configure an I(DP)S in OPNsense, we need to enable some rulesets. To do that, go to Services | Intrusion Detection | Administration and click the Download tab via the webGUI:
Check the OPNsense-App-detect/test rule, click the Enable selected button, and click the Download & Update Rules button:
Once it has been installed, you may see the rule as it's shown in the preceding screenshot. Pay attention to the Last updated column. It must show a recent date. If you see not installed, this means that the ruleset hasn't been installed yet.
Now that we have at least one ruleset installed and enabled, let's learn how to configure an I(DP)S in OPNsense.
To configure an I(DP)S, we need to go to Services | Intrusion Detection | Administration and go to the Settings tab. This can be seen in the following screenshot:
Here, you will see the following options:
Important Note
The Suricata daemon in IPS mode uses Netmap in OPNsense. It doesn't work well with hardware offloading, so keep it disabled while using IPS mode.
Important Note
If you are using Zenarmor Sensei, you can't use the same interface that has been configured on it with IDS/IPS (Suricata).
The available advanced options are as follows (you must ensure that advanced mode is checked):
Some of these additional options are as follows:
Let's look at these options in more detail:
To finish configuring and setting up the service, click on the Apply button. Now, let's test this configuration.
To test an I(DP)S in OPNsense, you'll need a host connected to OPNsense's LAN. To follow these steps with ease, we'll use the lab that's already been configured using an Ubuntu host, but you can use your own if you wish.
In this exercise, you will detect and block Facebook usage using the OPNsense-App-detect/social-networking ruleset. Follow the steps described in the Rulesets section to enable this ruleset.
Go to Services | Intrusion Detection | Administration via the webGUI and follow these steps:
Let's look at the steps that are highlighted in the preceding screenshot:
You should see all the alerts related to OPN_Social_Media - Facebook.
Great – the IDS is working! Congratulations!
Now, let's make things more interesting: Let's block Facebook access using the IPS. Follow these steps:
You should see that the rules have their default action set to drop:
You should see the following error:
As you can see, an I(DP)S is very efficient and can detect and block content based on traffic. To block Facebook, as we did, using only firewall rules would be difficult, but not impossible, depending on the results you want to achieve.
In this example, we blocked outgoing traffic, but IPS is often used as an effective barrier for dangerous incoming traffic. A good example is attacks based on recent vulnerabilities that can be detected and blocked using an effective ruleset. A recent example is the Log4j vulnerability (also known as Log4Shell), which had rules released by Proofpoint quickly.
The Suricata project that's used by OPNsense, known as a192.168.0.1s, has an I(DP)S engine that isn't capable of decrypting SSL/TLS traffic without external tools. Still, you can create your own rules based on the SSL/TLS certificates' SHA fingerprints. SHA is an algorithm that checks data integrity, and in OPNsense, we can extract it from a website certificate to match traffic and create custom rules for alerting or even blocking traffic.
Note
This isn't a stable feature. Test it before implementing it in a production environment. For more accurate SSL/TLS filtering in a production environment, it is advisable to use the Zenarmor plugin instead.
To start, go to Services | Intrusion Detection | Administration. Then, go to the User defined tab and click + to create a new custom rule. The following screenshot shows the Rule details page:
On the Rule details page, you can define the following options:
Before the Zenarmor Sensei plugin, it was considered useful to block websites and web applications using OPNsense. Nowadays, the Zenarmor Sensei plugin is more effective in blocking localhost traffic rather than collecting every website/app certificate you want to block. A high number of certificates have a short time when they're valid, such as those generated using the Let's Encrypt project, which means that the fingerprint could change every 60 days. In the next chapter, we'll explore the Zenarmor Sensei plugin, which has next-generation firewall capabilities.
Now, it's time to explore the common issues surrounding IDS and IPS and how to solve them.
In this section, we will explore some of the common issues you may face while using an I(DP)S in OPNsense and also how to solve each:
Of course, these are not the only issues that you may face while using an I(DP)S in OPNsense, but its community is engaging with it as a fantastic open source project. You may find many topics on this in the official forum talking about the issues other users have faced while using it.
In this chapter, you learned about IDSs and IPSs and how to configure OPNsense as an IDS to gather traffic alerts for traffic based on rulesets. You also learned about IPS mode, as well as how to enable it and block traffic on the local network. In the Troubleshooting section, we explored common issues that you may face while using an I(DP)S in OPNsense and learned how to solve each.
In the next chapter, we'll take traffic inspection to the next level by using the next-generation capabilities that are available via Sunny Valley's Zenarmor plugin.