On 2020-11-20 17:15, Erik Lauritsen wrote:
> Is it recommended to run some kind of intrusion detection on an
> OpenBSD router/firewall?
>
What do you mean by "some kind of intrusion detection" (IDS)? At the risk of sounding patronizing, I would start by clarifying terminology. I got confused by Nick's answer as he started talking about Intrusion Prevention Systems when you asked about Intrusion Detection Systems.

In layman's terms, Intrusion Prevention Systems try to keep the bad guys out before they get into your system. Intrusion Detection Systems are postmortem tools. They are useful for detecting that your system is compromised. Both IPS and IDS can be further roughly divided into host (file) based systems or network based systems. Some tools are easier to classify than others. For example, it would seem logical to me to classify the OpenBSD packet filter (PF) as an example of a network intrusion prevention system. On the other hand, log file monitoring could be useful both for preventing but also for detecting intrusion, so the above classification is really blurry.

OpenBSD is all about prevention and exploit mitigation. Code simplicity, correctness, and code audit are all examples of intrusion prevention methods. They don't sound very sexy :-) If you are super new to OpenBSD, Peter just gave a really nice virtual talk which can be found on the net:

https://home.nuug.no/~peter/openbsd_and_you/#12

Now going to your original question. What about Intrusion Detection Systems? While as an OpenBSD user I would like to think that I am a bit ahead of guys using more complicated OSs, I am not delusional enough to assume that my systems can't be compromised. There is a saying that the OS is as secure as the person who configured it. In spite of using OpenBSD for almost 15 years now, including at work, I frequently get amazed by my own incompetence, so I am 100% sure my systems are not super secure. Therefore (and due to other contractual obligations) I do use Intrusion Detection Systems. The concept of IDS can be divided into two classes. These are Host IDS (HIDS) and Network IDS (NIDS).
                  IDS
                 /   \
             HIDS     NIDS
           Host IDS   Network IDS
      Inspecting Host   Inspecting Network

Host based intrusion detection, HIDS for short. An example would be Tripwire (not available on OpenBSD) or the free alternative security/aide. Even better, OpenBSD comes with the mtree(8) utility. It is dead easy to turn on HIDS on your OpenBSD firewall. You can also check hack 58 (Use mtree as a Built-in Tripwire):

https://www.oreilly.com/library/view/bsd-hacks/0596006799/

I would put Nick's rsync hack into this category.

> I suspect that any kind of system like Snort or Suricata will give a
> lot of false positives?

These two fall into the category of Network Based Intrusion Detection Systems. I would add to that group Zeek (formerly known as Bro). I do run Suricata and I do run Zeek on OpenBSD. While turning them on is trivial, getting them to do anything useful (in particular Zeek, which is more of an infrastructure for building a NIDS) is not for the faint of heart.

I also run OSSEC on OpenBSD, which is often misclassified as HIDS only. Configured properly it is actually useful in monitoring all sorts of log files, including network logs, so it is kind of both HIPS and NIPS. And for the record, I do recommend running a centralized logging server.

Intrusion Prevention and Intrusion Detection are active research areas, and I am not talking about a superficial level. It is actual real research on the cusp of computer science, mathematics, statistics, and a few other things people commonly refer to these days as artificial intelligence, machine learning, and statistical data mining.

https://www-users.cs.umn.edu/~lazar027/intrusion_detection.htm

As my expertise is in applied dynamical systems (math-physics), I should wrap up this email before too much garbage comes out of my mouth. I have seen people giving low-level network system monitoring and intrusion detection presentations at various BSD conferences:
https://papers.freebsd.org/2017/vbsdcon/shirk-the_state_of_network_security_tools_on_bsd/
https://www.bsdcan.org/2004/papers/sguil.pdf
https://www.ibm.com/developerworks/library/se-intrusion/index.html

I did read a few low-level books on the topic, but I have neither a professional nor a research interest in it. Here are two of those:

The Practice of Network Security Monitoring: Understanding Incident Detection and Response
https://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099

The Tao of Network Security Monitoring: Beyond Intrusion Detection
https://www.amazon.com/Tao-Network-Security-Monitoring-Intrusion/dp/0321246772

Cheers,
Predrag
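As an added example (not part of Predrag's mail, and not the text of the BSD Hacks recipe he points to), here is the mtree(8) baseline-and-verify cycle he describes, wrapped in a small POSIX sh script so it can be run end to end. It assumes an mtree that accepts -c, -k, -p, -f and the sha256digest keyword (OpenBSD's does, as do the NetBSD and FreeBSD versions); the keyword list, the sample directory tree standing in for a firewall's /etc, and the tampering steps are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mail or from BSD Hacks: mtree(8) used as a
# built-in Tripwire. Assumes an mtree that accepts -c, -k, -p, -f and the
# sha256digest keyword (OpenBSD's does). The keyword list, the sample tree
# and the tampering below are constructed for this demonstration.
set -u

# What to record. Ownership, mode, size and a strong digest catch edits,
# loosened permissions and swapped binaries. "time" is left out on purpose:
# a bare touch(1) should not page you, while any content change still shows
# up through size and sha256digest.
MTREE_KEYS="type,uid,gid,mode,size,sha256digest"

# baseline DIR SPEC: write a specification for the tree under DIR to SPEC.
# Do this right after installation and again after each intended change,
# then keep SPEC where the firewall cannot rewrite it (another host, or
# read-only media).
baseline() {
    mtree -c -k "$MTREE_KEYS" -p "$1" > "$2"
}

# verify DIR SPEC: compare DIR against SPEC. mtree prints one entry per
# difference ("extra:", "missing", or the keyword with old/new values) and
# exits non-zero when the hierarchy does not match the specification.
verify() {
    mtree -p "$1" -f "$2"
}

# make_tree: constructed stand-in for the part of /etc you would watch on a
# firewall. Prints the path of the new directory.
make_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/pf" &&
    printf 'block all\npass in on em0 proto tcp to port 22\n' > "$dir/pf/pf.conf" &&
    chmod 600 "$dir/pf/pf.conf" &&
    printf 'nameserver 192.0.2.1\n' > "$dir/resolv.conf" &&
    printf '%s\n' "$dir"
}

# check_clean: baseline a fresh tree and verify it untouched.
# Returns 0, i.e. mtree found nothing to report.
check_clean() {
    dir=$(make_tree) || return 1
    spec="$dir.spec"
    rc=1
    baseline "$dir" "$spec" && { rc=0; verify "$dir" "$spec" || rc=$?; }
    rm -rf "$dir" "$spec"
    return $rc
}

# check_tampered: baseline, then do what an intruder loosening the ruleset
# might do (open up permissions, append a rule, drop an extra file), and
# verify again. Returns mtree's non-zero mismatch status.
check_tampered() {
    dir=$(make_tree) || return 1
    spec="$dir.spec"
    baseline "$dir" "$spec" || { rm -rf "$dir" "$spec"; return 1; }
    chmod 644 "$dir/pf/pf.conf"                      # mode changes
    printf 'pass in all\n' >> "$dir/pf/pf.conf"      # size and digest change
    printf 'pass out all\n' > "$dir/pf/extra.conf"   # file not in the spec
    rc=0
    verify "$dir" "$spec" || rc=$?
    rm -rf "$dir" "$spec"
    return $rc
}

# Stand-alone run; does nothing on a host without mtree(8).
if command -v mtree >/dev/null 2>&1; then
    if check_clean; then
        echo "untouched tree: mtree reports nothing, exit 0"
    fi
    if check_tampered; then
        echo "tampered tree: NOT detected"
    else
        echo "tampered tree: mismatch detected, see the lines above"
    fi
fi
```

On a real firewall you would run baseline once per watched tree (/etc, /bin, /sbin, /usr/bin and so on), move the spec files off the box, and run verify from cron with the spec fed back over a read-only path, mailing any output. A baseline regenerated on a host that may already be compromised proves nothing, which is the whole reason the spec has to live somewhere the firewall cannot write.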