
I run a small business network with around a 500 Mbit Internet connection and want to introduce an NIPS (network intrusion prevention system). I have identified SNORT or SURICATA as the software of choice (and maybe Zeek, which I know less about). Perhaps with pfSense etc. TBD.

Wifi is heavily used in the business, as is standard Windows LAN-cable PCs. Currently our basic Router/Modem handles everything.

CURRENT network topology:

INTERNET ==> Existing ADSL-like Router/Modem (with DHCP + wifi) ==> Office network infrastructure etc

I want to insert a basic Linux box with 2 or 4 cores + 4 GB of RAM and a basic 1 Gbps network card for this SNORT/SURICATA box, before the Internet router.

I want to confirm the following is a good means to go about introducing NIPS:

DESIRED network topology:

INTERNET ==> Existing ADSL-like Router/Modem (disable wifi) ==> SNORT/SURICATA Linux Box ==> Spare Standard ADSL-like Router/Modem with DHCP + Wifi enabled ==> Office network infrastructure etc.

Question: Will this setup allow the SNORT/SURICATA box (given default settings / nothing fancy enabled) to:

  1. Track the LAN source IP address of WAN traffic, both outgoing and incoming, i.e. a torrent connection between "Local Computer LAN IP and Remote IP", not "Router IP and Remote IP".
  2. Ability to log in to the SNORT/SURICATA box (no subnet craziness - at least not super hard to resolve problems).
  3. Any gotchas here?

Note this is for a small business with 20 employees, not 300 etc. Conforming to every best practice is impractical at this size.

I am not keen on adding a Wi-Fi network card to said Linux box. The reason is, in a crisis, I want to be able to unplug the snort box and connect the two routers together and immediately provide Internet to the office in case the box goes down for whatever reason (bad snort rules, hard drive dies etc). Also, router/modems need clicks to get connectivity going - I don't need to load up PuTTY, which would be very hard for anyone else to deal with if I am not available.

Thanks for the help!

Chooka

1 Answer


The setup that you are trying to accomplish can easily be done by installing a pfSense box (2-4 cores and 4 GB RAM). You can choose the hardware spec from the link below:

https://docs.netgate.com/pfsense/en/latest/book/hardware/index.html

Configure Suricata to run in inline IPS mode and you will be good to go. You can ask for assistance anytime while configuring Suricata.

  • Yes it will. If you have a signature enabled for torrent, it will. For example, in Suricata you can check the emerging-p2p.rules, where you will find the signatures. You can enable the signatures and then later set the action to either Drop/Reject/Allow. With pfSense you can definitely SSH into the device. But I don't think you would need to. It has a pretty decent GUI with which you can manage everything. – srijannandi Feb 10 '20 at 12:55
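For the "inline IPS mode" the answer refers to, this is a minimal Suricata AF_PACKET configuration for the two-NIC Linux box the question describes (plain Linux, not pfSense, which uses netmap instead). It is an added example, not code from the answer or from the Suricata project; the interface names eth1 (towards the ISP router) and eth2 (towards the inner router) are assumptions.

```yaml
# Added example: Suricata inline IPS on a plain Linux box with two NICs.
# Assumed interface names: eth1 faces the ISP router, eth2 faces the inner
# (DHCP + Wi-Fi) router. Packets are copied between the pair, so the box is
# a transparent bridge that forwards everything except packets hit by "drop"
# (or "reject") rules. No IP address is needed on eth1/eth2 for this to work.
af-packet:
  - interface: eth1
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips        # IPS: only packets that are not dropped are copied
    copy-iface: eth2
  - interface: eth2
    threads: 1
    cluster-id: 98        # must differ from the first interface
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1

stream:
  inline: yes             # inline stream handling so drops apply to TCP streams

# Signatures such as those in emerging-p2p.rules only block when their action
# is "drop" or "reject"; with the default "alert" action the flow is logged in
# eve.json but still forwarded. Start with:
#   suricata --af-packet -c /etc/suricata/suricata.yaml
```

Because the inner router in the desired topology performs NAT, alerts logged on this box show that router's WAN address as the LAN-side source, not the individual PC, so per-host attribution needs the inner router to bridge rather than NAT (or the sensor to sit on the LAN side of it). Management access is unaffected, since the box can keep a third interface, or a management IP on the LAN-side router's network, for SSH.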