Firewall engineer here (Palo Alto and Fortinet)…
Application level security is going to catch most things; obviously don’t expose services that are poorly configured. But sometimes there’s zero days and things you can’t control… that’s where a dynamic IPS/IDS really saves you. We saw this with log4j; IPS/IDS blocked pretty much every attack attempt.
Also, using SSL decryption makes IDS/IPS a lot more effective. A lot of organizations will have some sort of IPS/IDS as a requirement, especially for sensitive environments. We have it turned on absolutely everywhere.
As a home user I’m lucky enough to have firewalls from both of the above brands so I can turn on all the advanced IPS/IDS. I imagine that if I were to switch to something like Pfsense I would go to the trouble of configuring those security measures.
Those annual Fortigate subscriptions are quite $$$$
@Michaelp715 Fortinet is actually fairly competitive on cost compared to Palo. Our latest Palo renewal was in the 8 figures. But for a F100 company… worth it.
@Michaelp715 Palo too; the big bucks are in the data though. Who wants to categorise websites manually or identify SaaS applications to whitelist? Click click is nice when it works.
"engineer" lmao, stop pooping in the street
That’s the point I try to stress. pfSense IPS isn’t effective when compared to modern systems from Fortigate. There is no scenario I can think of in which I would run pfSense in corporate, or pfSense with Suricata. It’s not an effective firewall.
I've found IDS/IPS really doesn't do much today from an overall perspective. Executives have this vision of a SOC which monitors all of these logs that are being generated and flying by and then proactively making sure there are no security breaches... I think they watch too much TV
Edit: with inside secured networks they have some usage... But I've also seen them break legitimate traffic and cause problems.
LOL. You're not wrong!
If nothing else though, they can be useful in a post-incident situation where simply having additional logs from additional sources can help track/correlate the when/where such incident occurred. ('post' of course means that the [D]etection/[P]revention parts of the acronyms didn't exactly work as hoped...)
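The post-incident use described above (IDS alerts as one more log source to pin down when and where something happened), as an added example that is not part of the original thread. It assumes Suricata's EVE JSON alert format on the IDS side and a generic, assumed "timestamp action src:port -> dst:port" firewall log; both samples are constructed.

```python
"""Correlate Suricata EVE alerts with firewall logs into one incident timeline.
Added example (not from the video or the thread); both log samples are constructed
and the firewall line format "ts action src:sport -> dst:dport" is assumed generic."""
import json
import re
from datetime import datetime, timedelta

EVE_LINES = """\
{"timestamp":"2024-03-01T10:15:02.100000+0000","event_type":"alert","src_ip":"203.0.113.9","src_port":51000,"dest_ip":"10.0.0.5","dest_port":443,"alert":{"signature_id":1000001,"signature":"constructed inbound test signature"}}
{"timestamp":"2024-03-01T10:15:02.300000+0000","event_type":"flow","src_ip":"10.0.0.8","src_port":40000,"dest_ip":"10.0.0.5","dest_port":443}
{"timestamp":"2024-03-01T10:16:40.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":38000,"dest_ip":"198.51.100.20","dest_port":4444,"alert":{"signature_id":1000002,"signature":"constructed outbound test signature"}}
"""
FW_LINES = """\
2024-03-01T10:15:01Z allow 203.0.113.9:51000 -> 10.0.0.5:443
2024-03-01T10:16:39Z allow 10.0.0.5:38000 -> 198.51.100.20:4444
2024-03-01T10:20:00Z deny 10.0.0.5:38001 -> 198.51.100.20:4444
"""
FW_RE = re.compile(r"^(\S+) (allow|deny) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_ts(s):
    # EVE writes "+0000", the sample firewall writes "Z"; normalise both for fromisoformat
    s = s.replace("Z", "+00:00")
    if re.search(r"[+-]\d{4}$", s):
        s = s[:-2] + ":" + s[-2:]
    return datetime.fromisoformat(s)

def load_alerts(text):
    """Keep only alert records; flow/dns/http records are context, not the pivot."""
    out = []
    for ev in map(json.loads, text.splitlines()):
        if ev.get("event_type") == "alert":
            out.append({"ts": parse_ts(ev["timestamp"]), "src": ev["src_ip"], "sport": ev["src_port"],
                        "dst": ev["dest_ip"], "dport": ev["dest_port"],
                        "sid": ev["alert"]["signature_id"], "sig": ev["alert"]["signature"]})
    return out

def load_fw(text):
    rows = []
    for m in filter(None, map(FW_RE.match, text.splitlines())):
        ts, action, src, sport, dst, dport = m.groups()
        rows.append({"ts": parse_ts(ts), "action": action, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport)})
    return rows

def correlate(alerts, fw_rows, window=timedelta(seconds=5)):
    """Pair each alert with firewall records for the same 4-tuple inside the window:
    the firewall says whether the flow was allowed, the IDS says why it mattered."""
    key = lambda r: (r["src"], r["sport"], r["dst"], r["dport"])
    return [(a, [f for f in fw_rows if key(f) == key(a) and abs(f["ts"] - a["ts"]) <= window])
            for a in alerts]

def timeline(alerts, fw_rows):
    """Merge both sources into one time-ordered list of (ts, source, description)."""
    events = [(a["ts"], "ids", f'sid {a["sid"]} {a["src"]}->{a["dst"]}:{a["dport"]} {a["sig"]}') for a in alerts]
    events += [(f["ts"], "fw", f'{f["action"]} {f["src"]}:{f["sport"]}->{f["dst"]}:{f["dport"]}') for f in fw_rows]
    return sorted(events)
```

Running `timeline(load_alerts(EVE_LINES), load_fw(FW_LINES))` interleaves the allowed inbound flow, the alert on it, and the later outbound flow from the same internal host, which is the when/where picture the comment describes.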
Thank you. This is one of the very few worthwhile IT videos I've seen lately.
Thanks for the video and the caveats! Sharing your wisdom and experience is a true gift to us all.
I wish I had the opportunity to show you what a Palo Alto Networks firewall is able to do here. You are absolutely right, you can’t just rely on the firewall for protection. Regards, Marc
So what's the best for a home user, you think?
For home users I only know the Unifi Security Gateways and the newer models that offer an IDS/IPS in a consumer product. Unifi's IPS is Suricata based too. I don‘t know any vendor for home users that offers something similar.
Yeah, I don't have a need for IDS/IPS. I use NoScript in Firefox + uBlock Origin + Pi-Hole and that's all I have set up. The most important part is vigilance. IDS/IPS is great if everything going in and out of my network is not encrypted. Of course, I use Linux as my daily driver.
What router are you using?
@StrokeMahEgo Standard Debian running in my CWWK firewall appliance. I'm using nftables for my firewall.
Why use NoScript when you can just use Librewolf?
@_clownworld I tried it, but when it comes to visiting ITPro TV to take courses in technology, their site uses animations that are very under-performing in Librewolf compared to Firefox. It's probably due to the lack of GPU acceleration in Librewolf.
Also, once I have it all set up with NoScript, my web browsing is fine. I just have YouTube in a separate profile, and if I encounter reCAPTCHA on websites such as Pizza Hut, all I do is set up a separate profile for Pizza Hut and I'm golden. Of course, I don't have that luxury on my Android smartphone, and I do not browse the Internet on my smartphone anyway unless I'm on the go.
@_clownworld Hah... Seems my comment disappeared for no reason. Thank you YouTube.
Anyway, I have NoScript all set up and it's fine for me.
Thanks for the educational overview. Wonder how Unifi IDS/IPS is good enough for regular home users, and whether having those checkboxes on like you said and just trusting them can work for basic home security versus none at all.
It offers very little security at all.
IDS/IPS for a home network isn't really necessary, but I have one for learning purposes. However, I'd say as an appliance it adds to the defense in depth of an organization. Having network visibility is crucial, but without tuning/updating and/or testing the rules, an organization won't see much return on investment. Even though most traffic, like HTTPS, is encrypted, you can set up an SSL proxy where possible. At the end of the day, it would be real sad if an organization was compromised by a trivial attack that would have been mitigated given an IDS/IPS.
What would an SSL proxy do in terms of IDS/IPS?
@_clownworld Well, the goal would really be decryption for any protocol, whichever protocol is encrypted. An SSL/TLS proxy is just an example, and more likely than others, but if you can decrypt the traffic your IDS/IPS can inspect it.
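The tuning point made in the comment above (untuned rules give little return and, in IPS mode, break legitimate traffic), as an added example that is not part of the original thread. It reads Suricata EVE alert records, ranks signatures by how many distinct internal hosts trigger them, and drafts `threshold.config` lines for the noisy ones; the alert lines are constructed, and the internal range and the three-host cut-off are assumptions.

```python
"""Find noisy Suricata signatures and draft threshold.config tuning lines for them.
Added example (not from the video or the thread). The EVE alert lines are
constructed; the internal range and the "3 hosts" cut-off are assumptions."""
import ipaddress
import json

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

EVE_LINES = """\
{"timestamp":"2024-03-01T09:00:01+0000","event_type":"alert","src_ip":"10.0.1.11","dest_ip":"10.0.0.5","alert":{"signature_id":2200001,"signature":"constructed policy sig A"}}
{"timestamp":"2024-03-01T09:00:07+0000","event_type":"alert","src_ip":"10.0.1.12","dest_ip":"10.0.0.5","alert":{"signature_id":2200001,"signature":"constructed policy sig A"}}
{"timestamp":"2024-03-01T09:01:30+0000","event_type":"alert","src_ip":"10.0.1.13","dest_ip":"10.0.0.5","alert":{"signature_id":2200001,"signature":"constructed policy sig A"}}
{"timestamp":"2024-03-01T09:02:00+0000","event_type":"alert","src_ip":"10.0.1.11","dest_ip":"10.0.0.5","alert":{"signature_id":2200001,"signature":"constructed policy sig A"}}
{"timestamp":"2024-03-01T09:05:00+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.5","alert":{"signature_id":2200002,"signature":"constructed exploit sig B"}}
"""

def load_alerts(text):
    return [ev for ev in map(json.loads, text.splitlines()) if ev.get("event_type") == "alert"]

def summarize(alerts):
    """Per signature: hit count, distinct sources, and which of those sources are internal."""
    stats = {}
    for ev in alerts:
        sid = ev["alert"]["signature_id"]
        s = stats.setdefault(sid, {"name": ev["alert"]["signature"], "count": 0, "srcs": set(), "internal": set()})
        s["count"] += 1
        s["srcs"].add(ev["src_ip"])
        if ipaddress.ip_address(ev["src_ip"]) in INTERNAL:
            s["internal"].add(ev["src_ip"])
    return stats

def tuning_candidates(stats, min_internal_hosts=3):
    """A signature that fires from many internal hosts is usually matching a legitimate
    application, not a spreading attack: review it before it blocks production traffic."""
    return sorted(sid for sid, s in stats.items() if len(s["internal"]) >= min_internal_hosts)

def threshold_lines(stats, min_internal_hosts=3):
    """Draft threshold.config entries: rate-limit the noisy sid per source (one alert per
    minute) instead of disabling it, so a real outbreak is still visible in the logs."""
    return [f"threshold gen_id 1, sig_id {sid}, type limit, track by_src, count 1, seconds 60"
            for sid in tuning_candidates(stats, min_internal_hosts)]

if __name__ == "__main__":
    stats = summarize(load_alerts(EVE_LINES))
    for sid, s in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        print(sid, s["count"], len(s["srcs"]), len(s["internal"]), s["name"])
    print("\n".join(threshold_lines(stats)))
```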
Strong Threat Intel on your perimeter defence systems will always be stronger than IPS/IDS
We do a lot of edge security (firewall, WAF, etc.) in conjunction with NDR, SIEM, SOAR and MDR. This gives us complete visibility into all traffic and an opportunity to investigate the effectiveness of all components in the chain. Without mentioning vendors, our firewalls' IPS blocks just shy of 95% of ALL detected attacks; the WAF brings that up to about 98% (for the HTTP stuff) and the rest is SOAR/SIEM and custom MDR.
I'm not sure about you but I like those odds and will 100% always run IPS + WAF at the edge if possible. Ignore the cruft at your peril! I do understand that Snort is not commercial grade so your video in that context is fair ... but the commercial IPS market is fairly robust and still relevant. Perhaps an adjustment to the title may help?
You also skimmed the subject but didn't quite nail it: SSL decryption is absolutely required for any kind of IPS these days. If you own the network, then of course you should do inbound SSL fronting/offloading for the IPS component as well as the same for the WAF and application-layer stuff. The same applies for outbound traffic. @drewp1102 below says "makes IDS/IPS a lot more effective" - I'd change that to "makes IDS/IPS effective". If you can't see the payload, you can't do much about it.
Understandably, a lot of this capability is only available to large enterprise and those with deep pockets. But you can still do some of this stuff at the smb and mid-enterprise level without breaking the bank.
I wish it were 100% legal to hit back. i.e. make it completely legal to counterattack if you receive an attack on your network. Like a right to use virtual weapons in self-defense instead of a right to spend loads of money getting ever stronger armor. IDS and IPS should be supplemented with ICAS (intrusion counter attack system). A new product with a name like NNS (network nuclear superiority) to enforce your territorial imperative.
Hey Tom, believe there's a typo in your thumbnail - should be 'Intrusion' not 'Instrusion'. Great video, thank you!
Thanks, fixed
IPS alone isn't enough, that's for sure. That's why you should treat security as a process, not a product ;)
What do you think about the Unifi Fortress Gateway?
Interesting video.
Are you also planning a guide on how to check encrypted traffic?
Not really.
Thank you
There’s always nuance to these conversations. If your favorite firewall can’t properly do IPS the same way as the big players, that does not mean IPS is useless. Any modern firewall can decrypt traffic, pass it through a scanning engine for threats, and encrypt your packet again…
pfSense or OPNsense has no ability to do this. Suricata is a bolted-on package, which effectively makes them useless.
UniFi EFG firewall functions like the big players now…
That said, yes, IPS is useless BUT only on pfSense.
What would be considered better for modern threats?
Endpoint security.
@LAWRENCESYSTEMS Do you have any recommendations for endpoint security for SMBs?
@petertrahan9785 For home users on Windows, Microsoft Defender works well, and we also use Huntress.
Typo in the thumbnail: instrusion
I agree that firewall based security is largely dead as an end point protection tool. End users are mobile. There is no point in putting your controls in places that are only effective some of the time, if effective at all.
Omg…I hope you don’t in any way manage security for any business. What you are saying is very wrong and would put any business at risk
@PowerUsr1 You will note I refer to endpoint security. That is the laptops and devices used to access applications. This video is all about "Firewall IDS", a dying technology. 90% of my users don't work in an office. What is the point of putting protections in places where they will have little effect? SSE is a much better network based solution as it goes wherever the user is. Is SSE a good solution outside of a business context? Probably not. Does SSE replace the need for a firewall at a data center? No. If you listen to Tom's comments from 7:13 onward, he basically says that they rely on protections on the endpoint because the firewall is blind to most attacks. IDS was a good technology many years ago but it's just not as effective as it used to be. The juice ain't worth the squeeze!
In my best redditor guy's voice: “well actually, from the title, an IDS can’t stop anything, it only detects. An IPS can only stop something” 😂. Now time to watch the video.
To be a Redditor, you also have to call him racist after correcting him and claim he hates poor people.
First!
damn you are quick