
Network monitoring and security


JohnnyJazz


1-year update refills are cheaper on eBay - but yes, it's enterprise grade gear, and priced that way. Still excellent value, once you actually understand what you're getting / see just how many vulnerabilities it actually protects your devices from - and devices it protects your network from - it's not just inbound vulnerabilities it analyzes, but also local ones...

I've got several hundred thousand dollars worth of Fortinet kit in the office, I kinda know how it works.

But it's too much for the house.

The ITUS Shield is enough for most people.

Fortinet isn't even an IPS.

If you want to check for vulnerabilities, use Nessus (which is free).

If you want a free IPS, use SNORT or Suricata (which is what's built into the ITUS Shield).

Of course it's an IPS. eh?


You didn't ask me but... LOL. Either of those might be more trouble than you want. For sure the Fortigate is an enterprise-level firewall which might keep you busy. It's one thing to lock down your files so people can't access them, and another to mask your traffic so that people can't read it. The latter requires something like a VPN and some kind of scrambling. I've never felt like I needed that except it was required when I was in IT.

The chances of anyone breaking into your network without you requesting or clicking on something dumb are so remote that any data loss is going to come from lack of good practices rather than poor security. A great setup won't save you from human error or bad practices or even nefarious operators in your own network. Remember also not to share out files on your own network that aren't essential for sharing. Keep critical files unshared.

Your router is a computer, absolutely. It just isn't a Mac or Windows computer. Bad guys on the internet try to hack your network and hit that router/computer and think they found your computer. That's if they know your IP address. What they don't know is that it's a router and contains nothing they are interested in. Let them hack away. Let them do that for a week until they get tired of it. None of your internal nodes (inside the router) have internet routable IP addresses and they aren't talking to the bad guys. They can't.

If you're bent on setting up a dedicated firewall in addition to your router firewall please look into which is most user friendly because by default they don't work well until you set them up. I'm here to tell you that you don't need one if you use best practices and have the router and good malware software. It ain't gonna happen unless you screw up and even then the firewall probably won't help you with external attacks because you asked for the data.

Cheers.

I think you're missing one big point here... The OP has devices on his own network that can't be trusted. The threat is from within, as well as from outside.

Then put them on different subnets, especially cameras. Why do they have to be on the same subnet if they aren't trusted? This is a home system he said. In a home I would think that physical access to resources would be the problem if something "isn't trusted". About all you can do is lock things down with permissions and passwords and hope someone isn't smart enough to get past that. Once someone has physical access to your network there's not a lot more you can do.

If he doesn't have enough home control and/or trust to deny others admin rights and permissions then I don't know what he'll do. Once someone is inside and has access to the appliances there's not much stopping them.

I don't get the impression that he wants to spend the big bucks on this. Maybe I read him wrong but he started out - home network and I ran with that. If permissions, file sharing routines, a router and different subnets aren't adequate then I don't know what is. What good is an internal firewall if I can just walk off with the HDD from your computer 555?

Cheers.

How is putting P2P IP cams (for which all you want is their ONVIF capability, but can't turn off the P2P "gift" all vendors give you) on a different subnet going to stop everyone getting their hands on your surveillance video?

That's a rhetorical question - because we all know "it doesn't".

Edited by IMHO
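On the question just raised, whether a separate subnet does anything for P2P cameras: as an added example (my code, not from any post in this thread, ITUS or Fortinet), the block below is the forward policy that has to sit between the camera subnet and everything else for the segmentation to mean anything. Cameras may only push RTSP to the NVR, the LAN may reach the cameras for ONVIF and RTSP, and every other camera-initiated connection, including the P2P registration with the vendor's relay, is dropped and logged. The same policy is rendered as an nftables ruleset and checked against constructed flows. The subnets, the NVR address and the port numbers are assumptions made for the example.

```python
"""
Added example, not code from any post in this thread: a declarative forward
policy that isolates an untrusted camera subnet, rendered as an nftables
ruleset and checked against constructed flows. The subnets, the NVR address
and the ports are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: trusted LAN, an isolated camera VLAN, and the NVR that
# should be the only host the cameras are allowed to initiate traffic to.
LAN = ip_network("192.168.1.0/24")
CAMERAS = ip_network("192.168.50.0/24")
NVR = ip_network("192.168.1.10/32")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "drop"
    src: ip_network
    dst: ip_network
    dports: frozenset    # TCP destination ports; empty means any port
    log: bool = False    # log matches so blocked "phone home" attempts are visible

# First match wins. A camera on its own subnet is only as isolated as this
# forward policy makes it; the last two rules are the default deny.
POLICY = (
    Rule("accept", LAN, CAMERAS, frozenset({80, 554})),   # ONVIF over HTTP and RTSP pull from the LAN
    Rule("accept", CAMERAS, NVR, frozenset({554})),       # cameras may talk RTSP to the NVR only
    Rule("drop", CAMERAS, ANY, frozenset(), log=True),    # blocks vendor P2P/cloud registration
    Rule("drop", ANY, CAMERAS, frozenset()),              # nothing else reaches the cameras
)

@dataclass(frozen=True)
class Flow:
    """First packet of a new TCP connection (replies are covered by conntrack)."""
    src: str
    dst: str
    dport: int

def evaluate(policy, flow):
    """Return the action of the first rule that matches the flow, 'drop' if none."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in policy:
        if s in r.src and d in r.dst and (not r.dports or flow.dport in r.dports):
            return r.action
    return "drop"

def _net(n):
    # nft takes a bare address for a /32; keep CIDR form for real prefixes
    return str(n.network_address) if n.prefixlen == 32 else str(n)

def render_nft(policy):
    """Render the same policy as an nftables forward chain (load with `nft -f`)."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {_net(r.src)}")
        if r.dst != ANY:
            parts.append(f"ip daddr {_net(r.dst)}")
        if r.dports:
            parts.append("tcp dport { %s }" % ", ".join(str(p) for p in sorted(r.dports)))
        if r.log:
            parts.append('log prefix "cam-egress-drop "')
        parts.append(r.action)
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)

def blocked_camera_egress(policy, flows):
    """Camera-originated flows the policy drops: what the log prefix above would show."""
    return [f for f in flows if ip_address(f.src) in CAMERAS and evaluate(policy, f) == "drop"]

if __name__ == "__main__":
    # Constructed sample flows: an NVR pull from the LAN, a camera pushing to the
    # NVR, a camera registering with a vendor relay on the internet, and a camera
    # poking at a LAN file share.
    samples = [
        Flow("192.168.1.50", "192.168.50.20", 554),
        Flow("192.168.50.20", "192.168.1.10", 554),
        Flow("192.168.50.20", "203.0.113.5", 443),
        Flow("192.168.50.20", "192.168.1.50", 445),
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}: {evaluate(POLICY, f)}")
    print(render_nft(POLICY))
```

Replies to LAN-initiated sessions pass on the `ct state` line, so the cameras never need an accept rule toward the LAN. The trade-off is the one being argued over: this also breaks the vendor's phone app and the camera's own firmware updates, because both ride on the same outbound connections. The logging rule is worth keeping after setup; a camera that keeps hitting it is the evidence of exactly the P2P behaviour described above, and it is the only thing in this ruleset that tells you the segmentation is being tested.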


I phrased that badly. What I meant was that FortiNet aren't known as an IPS company; they were primarily a firewall manufacturer who have added on bits and pieces over the years.

As opposed to, say, Sourcefire, which was based on SNORT and developed specifically for that purpose.

And Suricata, which can use SNORT plugins.

Link to comment
Share on other sites


Fortigate can also use Snort scripts, with a simple script/macro to reformat them.

http://camerabob.dyndns.org:5190/Fortigate/snort.cgi

Anyways, as for the history - cheers. They've certainly added enough bits and pieces to become a pretty compelling choice today. 15K (20K from a Thai vendor) for a wireless gigabit router that does all they do is pretty hard to beat.

Edited by IMHO


Seems like overkill to me.

That's 15K ($420) ++ (bt8500 ($238) p/a unless you've found a cheaper option)

As opposed to $250 (with free lifetime updates)

for

Features:

– Intrusion Prevention

– Network Anti-Virus

– NAT Firewall

– Content Filtering

– Web Proxying

– Dynamic DNS

– Site-to-Site SSLVPN

– Client SSLVPN

– Quality of Service

– Graphical Web User Interface

– Realtime Traffic Monitor

– Realtime Connection Monitor

– Plus More!

Hardware:

– 2x 1.0 GHz MIPS64

– 1 GB DDR3 RAM

– 4GB eMMC Storage

– 3x GbE Interfaces

– 1x RJ45 Serial Console

– SD Card Interface

And you can use Nessus for free if you're really paranoid.


Edited by Chicog

^ But when is it available? I am checking the website https://itusnetworks.com/product/shield/ every day (since June) but it's still "out of stock".

Are they getting delivered? Don't misunderstand me, I want one (as soon as it's available) even though I already have a Fortigate.

I can build my own but I am just too lazy.

Apparently they had production problems and the supplier is shipping at a rate of about 2/3 of what they estimated.

Which is OK with me, I told them to hold my order until they've finished testing the latest version of the software.



Who are ITUS Networks, and where are their security credentials? I mean, software is only part of it; the hardware and firmware matter too, right?

Also, what gigabit router and wifi access point are you going to use with it, and how does its (mis)configuration impact your overall attack surface?

Why is one of the USPs on the home page "BUSINESS FIREWALLS ARE EXPENSIVE"? If they want to compare to them, where are their throughput specs? What AV are they running, and how well supported will it actually be, considering it's free? The only thing I see is this post from ITUS:

The AV currently running is not very efficient so its effectiveness is limited right now. Due to this, we've licensed an entirely new engine and we're working on integrating it into the product.

Source: https://packetinspector.org/showthread.php?tid=210

How did they get it wrong in the first place? What else did they get wrong?

I'm not really dissing the device, nor Snort, Bro, Sourcefire etc. It could be a great machine, or not. Only time will tell...

In any case, I don't think you should have any buyer's remorse.

Edited by IMHO

IMHO, Chicog, MJCM, your "expert battle" is quite instructive; thank you for sharing your professional knowledge with us. But what kinds of threats are you fighting against?

I believe in the future thieves will be roaming affluent neighborhoods with portable computer equipment to check for weak security systems in order to plan future break-ins. Just look at car thieves, how high-tech they have become nowadays. As home security is becoming more and more integrated with home networks, protecting your network is becoming a priority if you don't want to come back from a night out to find an empty house.

Edited by JohnnyJazz


AV wasn't in the original spec for the device, which was crowdfunded on Kickstarter.

So they worked on integrating AV into it (which I think was going to be a "premium" service). Obviously the first one didn't work, so they switched.

What they are trying to do is provide a low cost alternative to the big boys; if you buy FortiNet, for example, FortiMail is a paid add on (and an expensive one).

Or you could go for something like FireEye, who do separate appliances for Web and Email traffic.

This is Suricata IPS/IDS/NSM with AV included, preconfigured on a low-cost appliance.

Myself I'll be putting it before or after a Huawei fibre router; as such it will reduce the attack surface.

In the case of FortiNet, you're using that as a router, right? So misconfiguring that means potentially increasing your attack surface.

This is simply an extra layer, providing IPS/IDS for those that aren't already getting it through an expensive FortiNet solution.


Edited by Chicog


Put simply, an IPS/IDS examines your network traffic looking for known signatures of network intrusion or infection attempts.

You're right that as technology becomes more integrated with the Internet, there will be increased attempts to exploit it, so anyone with a remotely-accessible home alarm system is exposing themselves to hackers.

Me, I'm happy having a "dumb" house with "dumb" things like movement sensors and loud alarms.


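Two points in this thread lean on the Snort/Suricata rule format: the earlier mention of converting Snort rules for a Fortigate, and the explanation just above that an IPS/IDS matches traffic against known signatures. As an added example (my code, not from any post here, nor from ITUS, Fortinet or the Snort/Suricata projects), the block below parses that rule syntax (header, `content`, `nocase`, `depth`, `sid`, `msg`) and runs the parsed rules over constructed packets, which shows both what a converter has to pull out of a rule and what the engine then does with it. HOME_NET, the two rules and the four packets are all made up for the example; the sids sit in the local range the format reserves for custom rules.

```python
"""
Added example, not code from any post in this thread: a small parser for the
Snort/Suricata rule syntax the posts refer to, plus a matcher that runs the parsed
rules over constructed packets. Rules, packets and HOME_NET are made up here.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed value; in a real deployment this comes from snort.conf / suricata.yaml
HOME_NET = [ip_network("192.168.0.0/16")]
# action proto src sport -> dst dport (options)   ('<>' bidirectional rules not handled)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

Content = namedtuple("Content", "pattern nocase depth")   # depth 0 = whole payload
Rule = namedtuple("Rule", "action proto src sport dst dport msg sid contents")
Packet = namedtuple("Packet", "proto src sport dst dport payload")

def decode_content(text):
    """Turn a content string such as "GET |0d 0a|" into bytes (|..| segments are hex)."""
    out = b""
    for i, part in enumerate(text.strip().strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def split_options(body):
    """Split the option body on ';' without splitting inside quoted strings."""
    opts, buf, quoted = [], "", False
    for ch in body:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return opts + ([buf.strip()] if buf.strip() else [])

def parse_rule(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    action, proto, src, sport, dst, dport, body = m.groups()
    msg, sid, contents = "", 0, []
    for opt in split_options(body):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append(Content(decode_content(val), False, 0))
        elif key == "nocase" and contents:      # modifiers apply to the preceding content
            contents[-1] = contents[-1]._replace(nocase=True)
        elif key == "depth" and contents:
            contents[-1] = contents[-1]._replace(depth=int(val))
        # flow, rev, classtype and other options are accepted but ignored here
    return Rule(action, proto, src, sport, dst, dport, msg, sid, tuple(contents))

def addr_matches(spec, addr):
    ip = ip_address(addr)
    if spec == "any":
        return True
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):   # $EXTERNAL_NET is !$HOME_NET by default
        return any(ip in n for n in HOME_NET) == (spec == "$HOME_NET")
    return ip in ip_network(spec, strict=False)  # address lists and '!' negation not handled

def port_matches(spec, port):
    return spec == "any" or int(spec) == port    # port ranges and lists not handled

def content_matches(c, payload):
    hay = payload[: c.depth] if c.depth else payload
    return (c.pattern.lower() in hay.lower()) if c.nocase else (c.pattern in hay)

def rule_matches(rule, pkt):
    """Header fields first (cheap), then every content match must succeed."""
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and all(content_matches(c, pkt.payload) for c in rule.contents))

def inspect(rules, packets):
    """Per packet, (sid, msg) of every rule that fires; an IPS would drop where action is 'drop'."""
    return [[(r.sid, r.msg) for r in rules if rule_matches(r, p)] for p in packets]

# Constructed rules (sids in the local range) and packets for the demo
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web shell request"; '
    'flow:to_server; content:"GET "; depth:4; content:"/shell.php"; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"EXAMPLE outbound telnet"; sid:1000002; rev:1;)',
)]
PACKETS = [
    Packet("tcp", "203.0.113.7", 51000, "192.168.1.10", 80, b"GET /Shell.PHP HTTP/1.1\r\n"),
    Packet("tcp", "192.168.50.20", 40000, "198.51.100.3", 23, b""),
    Packet("tcp", "203.0.113.7", 51001, "192.168.1.10", 80, b"POST /x HTTP/1.1\r\n"),
    Packet("tcp", "192.168.1.5", 52000, "192.168.1.10", 80, b"GET /shell.php HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(inspect(RULES, PACKETS))
```

Two of the four packets match nothing, and the last one carries the very same request as the first: it comes from inside `$HOME_NET`, so the `$EXTERNAL_NET` source test fails. That is the part a rule converter gets wrong most easily, since `$EXTERNAL_NET` is a variable rather than an address and has to be expanded against the target box's own definition. Bidirectional `<>` rules, address lists, negation, port ranges and most of the option set are left out here, and a real engine reassembles TCP streams before content matching, which this per-packet check does not.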

A question regarding pfSense. Will any network card work? From what I read it seems pfSense requires an Intel NIC. Is it negotiable?

They're pretty vague:

Selection of network cards (NICs) is often the single most important performance factor in your setup. Inexpensive NICs can saturate your CPU with interrupt handling, causing missed packets and your CPU to be the bottleneck. A quality NIC can substantially increase system throughput. When using pfSense software to protect your wireless network or segment multiple LAN segments, throughput between interfaces becomes more important than throughput to the WAN interface(s).

NICs based on Intel chipsets tend to be the best performing and most reliable when used with pfSense software. We therefore strongly recommend purchasing Intel cards, or systems with built-in Intel NICs up to 1Gbps. Above 1Gbps, other factors, and other NIC vendors dominate performance.



It will likely run with any make, but there are throughput issues with some cheap onboard chips, e.g. Realtek. That probably wouldn't be a problem unless you have a fairly high-speed internet connection.

Given a choice though, I would always choose Intel for NICs. You can't really go wrong with them.

For the past year or two I have been running pfSense in a Hyper-V VM which is using synthetic adaptors and that has proven to be very stable and fast.



If you go this way: old school but not dumb.

[image: Guard-Dog-Benefits.jpg]

I am reminded of the old joke about the bloke parking his car in Liverpool. A bunch of youths said to him "Hey mister, give us some money and we'll look after your car".

He replied, "It doesn't need looking after, there is a rottweiler sat in the back seat", to which one replied:

"It can put fires out, can it?"



Intel cards are silly expensive in Thailand. A year or 2 ago I searched pretty thoroughly for a quad port Intel and the best price I could find was over THB12k.

I had it shipped from HK for under USD100. If you're not in a hurry I would suggest searching on eBay or AliExpress.



A few months ago I compared prices between Hong Kong and Bangkok, and I found that for products that are widely distributed in Bangkok there wasn't much difference. The problem is in Thailand the choice, like for the LAN cards, is very restricted. If you want something a bit different then they charge you extortionate prices. As you say, eBay or AliExpress are then the best option.
