[Oisf-users] Suricata as IPS with IPSec and internet breakout
vishalkv at altencalsoftlabs.com
Thu Oct 10 11:26:21 UTC 2019
I am running suricata 4.1.4 on ubuntu 16.04 in inline mode. My box
also acts as IPSec end point for users accessing internet. My box works
as a access gateway in a sense that User's ipsec tunnel will terminate
on the box and then traffic will get forwarded to internet after Source
NATting. Suricata is the first module in the system which receives all
incoming packets from both LAN and WAN interfaces.
I want to ...
1. protect my box from any DoS/DDoS, port scanning kind of
attacks from WAN side
2. protect Users from downloading any files that may have
I am facing two problems ...
1. for the User traffic, entering from LAN side, suricata will
see ipsec encrypted payloads which it cannot inspect but return reply
packets on WAN will be plaintext. Suricata won't be able to match the
same traffic to same flow; will it?
2. Even if I pass the User traffic entering the box after ipsec
decryption to Suricata on LAN side; the traffic will be SNATed on WAN
before going out to internet. So user generated traffic is say from A to
C, after SNAT it will become say B to C. Suricata has mapped a flow from
A to C as SNAT happened at out time on WAN. Now the return reply traffic
is C to B on WAN and suricata sees the packet as C to B only. Suricata
will add this as new flow from C to B as it cannot match it's original
flow of A to C. Suricata won't be able map this as a bi-directional
flow? Will it affect suricata's inspection capability?
Should I enable "async-oneside" setting in yaml for these
cases? Will it help?
Thanks & Regards,
Vishal V. Kotalwar
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Oisf-users