A few months ago, I took the plunge and finally acquired better networking gear for the home. For years, I have worked with professional equipment at Ohio University and on the job with Progressive. For some reason, when I came home, names like Linksys and Asus became reasonable options for routers and switches. DD-WRT and flashing my router were commonplace, as I could “upgrade” my consumer gear to something that was still consumer. Not really an upgrade…
I finally chose to get a tiny APU4, a low-power server-esque device that can run pfSense. pfSense has been a pleasure! It’s got really neat graphs, packet captures on every port, logging, NTP, all the bells and whistles a developing network engineer could want. One of the best features is that it can run Snort as a downloadable package. Snort is an intrusion prevention system and intrusion detection system, or IPS/IDS.
The ability to run Snort has opened my eyes to why the consumer needs a better home router. Snort can identify patterns, or signatures, of various known attacks and can deflect them based on these known patterns. These patterns can be updated, and are updated very frequently. It will log these patterns and hopefully deflect the attacks. It has been written (by USA Today) that a Windows XP SP1 computer can be hacked within 4 minutes. A home firewall is simply not enough, or not sophisticated enough, to catch and defend against complex attacks. Home firewalls typically include basic firewalls designed for NAT. That no longer applies, though, as NAT is no longer needed with IPv6. A buddy and I have always joked that NATing is “a poor man’s firewall.” I certainly will not condone using NAT as a firewall, as that is not its intended purpose.
[Screenshot: Blocked hosts in the past hour]
[Screenshot: Recent attack signatures identified by Snort]
With Snort, I can view the attempted attacks within the past hour and view what the attack signature was. Even as an IT professional specializing in networking, these logs hit home. I knew that the world is a dangerous place, but I did not expect some of the complex attacks Snort is defending against. Attempted SQL injections on my public IP address surprised me, as I wasn’t running any servers when I first installed Snort.
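To make concrete what “a signature” and “blocked hosts” mean in the two paragraphs above, here is a small added example (my own code, not part of the original post and not pfSense’s or Snort’s code). It parses a tiny subset of Snort’s rule syntax (action, protocol, destination port, `msg`, `content`, `nocase`, `sid`), checks each rule against a few constructed request payloads, and then derives the kind of “blocked hosts” list the pfSense Snort package shows. The rules, SIDs, IP addresses and payloads are all constructed for the example; real Snort rules have many more options (flow state, PCRE, byte tests, preprocessors) that this toy ignores.

```python
"""Toy signature-based IDS in the spirit of Snort (added example, not Snort or pfSense code).

A Snort rule is a header (action, protocol, source -> destination) plus options in
parentheses. This parser understands only: msg, content, nocase and sid. It is enough
to show that a "signature" is a known byte pattern checked against traffic, and that
an IPS can turn matching sources into a block list.
"""
import re
from dataclasses import dataclass, field

# Constructed rules in a subset of Snort syntax. SIDs >= 1000000 are the local range;
# these particular numbers and messages are made up for this example.
SAMPLE_RULES = """
alert tcp any any -> $HOME_NET 80 (msg:"WEB-APP SQL injection attempt (constructed rule)"; content:"' or 1=1"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Scanner user-agent (constructed rule)"; content:"User-Agent: ExampleScanner"; sid:1000002; rev:1;)
"""

# Constructed sample "traffic": (source IP, destination port, payload bytes).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("203.0.113.5", 80, b"GET /index.php?id=1' OR 1=1-- HTTP/1.1\r\nHost: home.example\r\n\r\n"),
    ("198.51.100.7", 80, b"GET /robots.txt HTTP/1.1\r\nUser-Agent: ExampleScanner/2.1\r\n\r\n"),
    ("192.0.2.44", 80, b"GET / HTTP/1.1\r\nHost: home.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str
    msg: str = ""
    contents: list = field(default_factory=list)  # entries are [pattern_bytes, nocase_flag]
    sid: int = 0


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rules(text):
    """Parse the supported subset of Snort rule syntax into Rule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, _src, _sport, _dst, dport, body = m.groups()
        rule = Rule(action=action, proto=proto, dst_port=dport)
        # Options are ';'-separated "key:value" pairs; 'nocase' modifies the preceding content.
        # (Real Snort allows escaped ';' inside content; this toy does not.)
        for opt in [o.strip() for o in body.split(";") if o.strip()]:
            key, _, value = opt.partition(":")
            value = value.strip().strip('"')
            if key == "msg":
                rule.msg = value
            elif key == "content":
                rule.contents.append([value.encode(), False])
            elif key == "nocase" and rule.contents:
                rule.contents[-1][1] = True
            elif key == "sid":
                rule.sid = int(value)
        rules.append(rule)
    return rules


def rule_matches(rule, dst_port, payload):
    """A rule fires only if the port matches and every content pattern is present (Snort ANDs them)."""
    if rule.dst_port != "any" and rule.dst_port != str(dst_port):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return bool(rule.contents)


def scan(rules, events):
    """Run every rule over every event; return one alert dict per (event, rule) hit."""
    alerts = []
    for src, dport, payload in events:
        for rule in rules:
            if rule_matches(rule, dport, payload):
                alerts.append({"sid": rule.sid, "msg": rule.msg, "src": src, "dst_port": dport})
    return alerts


def blocked_hosts(alerts):
    """Sources that triggered at least one alert, as an IPS block list would record them."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = scan(parse_rules(SAMPLE_RULES), SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['sid']}] {a['msg']} from {a['src']} -> port {a['dst_port']}")
    print("blocked hosts:", blocked_hosts(found))
```

Note that only two of the three constructed requests trigger a rule: the plain browser request from 192.0.2.44 matches nothing, which is the point of signature-based detection, and its limitation, since anything not covered by a rule passes silently. That is also why the frequent rule updates mentioned above matter so much.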
These logs shocked me. Home routers need to up their game, in my opinion. I am hosting a Pi as a web server, with protected ports, but what about grandma who just wants to play Mahjong and check email? She probably won’t have IDS/IPS at home and is being attacked just like I am, but is her system defending?
Protect yourself and realize that I focused primarily on IPS/IDS. I didn’t even begin to mention how vulnerable the Linksys and Asus routers actually are. I’ll let these links [1, 2] do the talking for now. Even pfSense is vulnerable but the ability to catch patterns could secure even those vulnerabilities.
I’ll probably do a few more of these focusing on other areas. I’ve been so impressed with Snort that it deserved “first dibs.”