Intrusion detection / prevention for home network IoT devices

Dalis

New Member
Apr 20, 2021
Arizona, USA
Hi all – What are some good solutions for firewall and IDS/IPS that can help prevent or mitigate IoT exploits? I want to get more insight into the traffic and behavior of smart home devices on the network.

I'm especially concerned about cameras and security systems, scenarios like the recent hack of Cloudflare's video cameras at their HQ building, the misc botnets, Mirai, etc. But more generally just good insight into what's going on.

I've read about Snort, Suricata, Zeek, OSSEC, and others. Are these open source implementations able to detect signatures based on updated real world data and intel? Do they know anything about devices and active exploits targeting specific devices? I want something where I can tell it "This is a Ring XYZ model camera." and then it keeps its ear to the ground for any exploits of that model, shutting down any activity that fits the exploit. Are we there yet as far as open source tools?

I'm interested in any recommendations you have for SOHO or SMB level firewalls and IDS/IPS, including the ones I mentioned above. The hardware can be anything, whatever you recommend, though I assume I can run the software mentioned above on a vanilla server or small PC.

Thanks.
 

coxhaus

Member
Jul 7, 2020
I can tell you years ago I was running Untangle firewall at home and my wife's cousin came over with a laptop and complained it could not get on the internet. So, when I checked it out, it was shut down by Untangle because it was sending out spam. The problem now is a lot of traffic is encrypted so it is hard to detect. I am not sure Untangle will let a homeowner use their code decryption for the $50 price for home use. So, you might have to pay business prices for that. But Untangle gives you outbound security in the home edition for $50 per year, which is the cost of using Untangle at home.

The hardware required is basically the same as pfsense. I ran it on an old used low voltage Xeon I had built.
 

eduncan911

The New James Dean
Jul 27, 2015
eduncan911.com
If you are wanting to "monitor" traffic, there are various IPSec concepts for this. NIDS and NIPS techniques are the leading tools here. There are various hardware devices and even software that can do these, and depending on your switch(es) could be even easier.

NIDS is basically just a glorified alerting monitor and the easiest and least resource intensive. The "D" is just detection, and alerting. Think of it as just passively monitoring a port on your switch, as that's exactly what it is: cloning a port on your switch. Good old Snort can do this pretty well with enough setup; Suricata with Bro built-in these days is another free tool at the top of the list.

The "P" in NIPS is Protection. Meaning, if it detects an issue, it shuts down the source. The problem with this realtime analysis w/cutoff control is that it needs to be inline, handling all traffic. Suricata could be set up for this. But Snort is faster (higher throughput).

pfSense is a software solution that can do either of these with its plugins and some custom configs. However, enabling NIPS will kill your throughput. You'll need some very high-end core clocks.

---

Personally, I have an IoT SSID that is air-gapped on my wifi on a dedicated VLAN. That way if there were any issues, it all stays confined to the IoT network.

...and you can set up NIDS and just monitor it.
 

monotux

Member
Oct 23, 2019
Kiruna, Sweden
www.monotux.tech
If you're just curious and would like to find out at least some basic stuff with little effort involved, isolate your IoT devices into their own network/VLAN and block everything out (and allow only what you really need, by experimentation). Then, have pihole serve DNS for this network (make sure to rewrite any DNS request out to the internet to be served by pihole) and you'll have a basic but excellent idea what happens on your IoT network.

Is it fool-proof or optimal? No, but it's low effort and gets you a basic idea what is going on. Most IoT devices will use DNS and not hardcoded IP addresses to phone home.

My IoT network currently lacks any internet connectivity. But I only have a few simple switches that I managed to flash with Tasmota so all they need is DHCP, local name resolution and MQTT access.
 

RTM

Well-Known Member
Jan 26, 2014
In order to do IDS/IPS you will need a good ruleset (signatures).
Honestly I doubt you will be able to get what you want in terms of a ruleset that provides good coverage for the device(s) you specifically are using (which is why you are better off with a baseline (determine what is normal and required for the devices to work) + whitelisting approach (block everything that is not required, this includes within your local network)).

The two typical vendors for rules are Cisco Talos and Emerging Threats (now Proofpoint).
Both are offered in a free version (with significant limitations, such as number of rules and delay from publication) and paid versions.
The Cisco Talos rules have a personal use subscription that is only $30, so that may be worth doing; as far as I can tell you must use Snort for this ruleset.
The ET Pro rules are generally quite expensive, but if you use OPNsense firewall software and are okay with sending telemetry, there is a free version.

Of course only a subset of the rules will have any relevance to the devices you specifically are using.
So it can be worthwhile to spend some time enabling only the rules that are relevant to you.
This is also important for IDS/IPS performance, as the more rules you have enabled the slower it gets.
 

Evan

Well-Known Member
Jan 6, 2016
For IoT devices I would assume all traffic blocked, both to your other subnets including the regular client subnet and also to the internet. Then you create allow rules as you need. Maybe you even choose to separate your IoT devices and have rules.

It is very difficult if not impossible to install a certificate on many IoT devices so you can see inside SSL, which is why you have to look more at what is going where.
 

Dalis

New Member
Apr 20, 2021
Arizona, USA
> RTM said:
> In order to do IDS/IPS you will need a good ruleset (signatures).
> Honestly I doubt you will be able to get what you want in terms of a ruleset that provides good coverage for the device(s) you specifically are using (which is why you are better off with a baseline (determine what is normal and required for the devices to work) + whitelisting approach (block everything that is not required, this includes within your local network)).
>
> The two typical vendors for rules are Cisco Talos and Emerging Threats (now Proofpoint).
> Both are offered in a free version (with significant limitations, such as number of rules and delay from publication) and paid versions.
> The Cisco Talos rules have a personal use subscription that is only $30, so that may be worth doing; as far as I can tell you must use Snort for this ruleset.
> The ET Pro rules are generally quite expensive, but if you use OPNsense firewall software and are okay with sending telemetry, there is a free version.
>
> Of course only a subset of the rules will have any relevance to the devices you specifically are using.
> So it can be worthwhile to spend some time enabling only the rules that are relevant to you.
> This is also important for IDS/IPS performance, as the more rules you have enabled the slower it gets.

Thanks. That's interesting about rules. I didn't realize they were commodities or saleable goods, worth lots of money. I don't have a visual on what these rules are all about. Are they super complicated, like a sort of fingerprinting?

Why is your Talos link going to Snort? Is there some connection between Snort and Talos?
 

RTM

Well-Known Member
Jan 26, 2014
> Dalis said:
> Thanks. That's interesting about rules. I didn't realize they were commodities or saleable goods, worth lots of money. I don't have a visual on what these rules are all about. Are they super complicated, like a sort of fingerprinting?
>
> Why is your Talos link going to Snort? Is there some connection between Snort and Talos?

I am not sure if I would call them super complicated, but yes, signatures can be called fingerprints; oftentimes they match traffic as simply as looking for a sequence of bytes that for some reason is supposed to indicate something bad.

It can be worth keeping in mind, that there is a confidence gap between what rules are good for IDS and IPS.
Generating an alert based on a rule that is a little broad may be perfectly acceptable for IDS, where people can deal with false positives before taking action. But if the same rule were to be used for IPS (meaning traffic would be blocked) it could block legitimate traffic, potentially causing stuff to break.

For all I know, Talos or ET may differentiate rules useful for IPS separately, but keep in mind that you may have to sort out issues like this, if you enable rules intended for IDS in an IPS configuration.

Yes Cisco (Talos is the security unit within Cisco, or something like that...) bought Sourcefire, the company that makes Snort, which is also why I suspect you will have to use Snort for their rules.

Given that you are just now starting with this, I recommend not spending any money on rulesets.
If you can make it work acceptably (meaning it does not break your stuff), then consider paying for it.
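To make the byte-sequence and IDS-versus-IPS points concrete, here is an added example (not Snort, Suricata or any vendor's ruleset): a toy matcher where a rule is a list of byte sequences that must all appear in a request, run once as IDS and once as IPS. The rules, the sample requests and the X-Demo-Bad marker are constructed for the demo.

```python
# Added example (not Snort/Suricata code): a toy content-signature matcher
# showing why a rule that is "broad but fine" for IDS can break things as IPS.
# Rules, traffic and the X-Demo-Bad marker are constructed for this demo.
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int
    msg: str
    contents: list          # byte sequences that must ALL appear in the payload
    action: str = "alert"   # what an IPS would do on a match: "alert" or "drop"

@dataclass
class Flow:
    src: str                # device that sent the request
    payload: bytes
    legit: bool             # ground truth, used only to score the demo

def matches(rule, payload):
    """A signature here is just 'every byte sequence occurs somewhere'."""
    return all(c in payload for c in rule.contents)

def run(rules, flows, mode):
    """Return (alerts, blocked) as (sid, src) lists. IDS mode never blocks;
    IPS mode blocks any flow that matches a rule whose action is 'drop'."""
    alerts, blocked = [], []
    for f in flows:
        for r in rules:
            if matches(r, f.payload):
                alerts.append((r.sid, f.src))
                if mode == "ips" and r.action == "drop":
                    blocked.append((r.sid, f.src))
    return alerts, blocked

RULES = [
    # Broad: any CGI request. Fine as an alert a human triages, risky as a drop.
    Rule(1000001, "CGI request (broad)", [b"GET /cgi-bin/"], "drop"),
    # Narrow: the CGI path AND the constructed marker only the bad request carries.
    Rule(1000002, "CGI request with bad marker (narrow)",
         [b"GET /cgi-bin/", b"X-Demo-Bad: yes"], "drop"),
]

FLOWS = [  # constructed sample traffic on the IoT VLAN
    Flow("camera", b"GET /cgi-bin/snapshot.cgi HTTP/1.1\r\nHost: cam\r\n\r\n", True),
    Flow("laptop", b"GET /cgi-bin/x HTTP/1.1\r\nX-Demo-Bad: yes\r\n\r\n", False),
]

def false_blocks(rules, flows):
    """Legitimate devices an IPS deployment of these rules would cut off."""
    _, blocked = run(rules, flows, "ips")
    legit = {f.src for f in flows if f.legit}
    return sorted({src for _, src in blocked if src in legit})

if __name__ == "__main__":
    print("IPS would block legit devices:", false_blocks(RULES, FLOWS))
```

The broad rule alerts on the camera's own snapshot request, which is harmless in IDS mode and cuts the camera off in IPS mode; the narrow rule does not.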
 

jjacobs

Member
Dec 25, 2020
CO
Properly deploying IDS/IPS is a skill. Those with real expertise and experience command significant salaries. The muscles in my jaw tighten when I see IDS/IPS in a home network context. The alerts have to be interpreted and the rules tuned. It's the combination of alerts and other context (DNS logs as one simple example) interpreted with the knowledge of what is normal for that specific environment that differentiates between an attack and a false positive. No rule set, free or paid, can be deployed out of the box. Never do that if you're blocking (IPS).

Having Snort or Suricata running does not make you more *secure*. It can, often, give a false sense of security. That $25 smart switch or magic doorbell from the big box that has been turned into a zombie agent of awfulness is almost always talking to its CC host via multiple levels of indirection and through an encrypted channel. Even JA3 fingerprints are of limited use. Just leave that cheap IoT crap at the store.

Having said all of that, running Snort or even just looking at your DNS query logs can be a real eye opener and worthwhile as a learning experience; just don't think you are even the smallest amount *safer* because of it.
 

coxhaus

Member
Jul 7, 2020
> jjacobs said:
> Properly deploying IDS/IPS is a skill. Those with real expertise and experience command significant salaries. The muscles in my jaw tighten when I see IDS/IPS in a home network context. The alerts have to be interpreted and the rules tuned. It's the combination of alerts and other context (DNS logs as one simple example) interpreted with the knowledge of what is normal for that specific environment that differentiates between an attack and a false positive. No rule set, free or paid, can be deployed out of the box. Never do that if you're blocking (IPS).
>
> Having Snort or Suricata running does not make you more *secure*. It can, often, give a false sense of security. That $25 smart switch or magic doorbell from the big box that has been turned into a zombie agent of awfulness is almost always talking to its CC host via multiple levels of indirection and through an encrypted channel. Even JA3 fingerprints are of limited use. Just leave that cheap IoT crap at the store.
>
> Having said all of that, running Snort or even just looking at your DNS query logs can be a real eye opener and worthwhile as a learning experience; just don't think you are even the smallest amount *safer* because of it.

Untangle requires a lot less tuning than pfSense with Snort when you are trying to use it at home. I think Untangle is the better firewall. But run both and you decide. Untangle is almost set and forget compared to Snort.
 

jjacobs

Member
Dec 25, 2020
CO
Untangle uses Snort with a plugin to integrate it into their UI. Just as pfSense does.

From untangle:

"Intrusion Prevention blocks hacking attempts before they reach internal servers and desktops. Untangle’s pre-configured signature-based IPS makes it easier for administrators to provide 24/7 network protection from hackers.

It minimizes annoying false positives and ensures that signatures are always current with automatic updates. With an easy-to-use setup wizard allowing simple configuration of rules specific to each environment, Intrusion Prevention provides flexible control. Over 34,000 signature detections, including heuristic signatures for port scans, enable you to effectively monitor and block most suspicious requests."

which is marketing BS of the highest order.

It's not that easy.

"... heuristic signatures for port scans" this is particularly egregious. If you're paying attention to all the port scans from script kiddies on your WAN there's not much I can say other than good luck.
 

coxhaus

Member
Jul 7, 2020
> jjacobs said:
> Untangle uses Snort with a plugin to integrate it into their UI. Just as pfSense does.
>
> From untangle:
>
> "Intrusion Prevention blocks hacking attempts before they reach internal servers and desktops. Untangle's pre-configured signature-based IPS makes it easier for administrators to provide 24/7 network protection from hackers.
>
> It minimizes annoying false positives and ensures that signatures are always current with automatic updates. With an easy-to-use setup wizard allowing simple configuration of rules specific to each environment, Intrusion Prevention provides flexible control. Over 34,000 signature detections, including heuristic signatures for port scans, enable you to effectively monitor and block most suspicious requests."
>
> which is marketing BS of the highest order.
>
> It's not that easy.
>
> "... heuristic signatures for port scans" this is particularly egregious. If you're paying attention to all the port scans from script kiddies on your WAN there's not much I can say other than good luck.

Untangle takes way less support than Snort on pfSense back when I ran both of them. Untangle might use the Snort engine but you don't see it like pfSense. Untangle assigns enough tuning that a home requires very little tuning from the default setup. When I first fired up Snort on pfSense I spent 2 weeks every day tuning Snort just to be usable for home use.
 

jjacobs

Member
Dec 25, 2020
CO
> coxhaus said:
> usable for home use

Meaning it doesn't alert a lot?

Last thing I'll have to say on the subject.

It's not what you block it's what you pass that should concern you.

It's about knowing what's normal for your environment and then looking at the alerts/logs and having the experience to notice something unusual. A quiet alert log just means there isn't anything being logged to notice, you're passing everything.

I'll try to make myself as clear as I can.

If 100 devices match some rule all the time, that's normal. It's the one device that matches the same rule that hasn't before that you need to be concerned with. If you quiet those alerts you'll never see the one that is concerning.
 
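An added example (not code from this thread, Pi-hole or Suricata) of the baseline idea in the post above and in monotux's Pi-hole suggestion: parse dnsmasq-style query lines of the kind Pi-hole writes to pihole.log, learn which domains each device normally resolves, and report only the (device, domain) pairs that are new for that device. The log lines and addresses are constructed.

```python
# Added example (not Pi-hole's or Suricata's own code): per-device baselining
# over dnsmasq-style query log lines, the format Pi-hole writes to pihole.log.
# A (client, domain) pair the device never asked for before is reported; pairs
# it asks for every day are "normal". Lines and addresses are constructed.
import re
from collections import defaultdict

LINE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

def parse(lines):
    """Yield (client_ip, domain) for each query line; skip non-query lines."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group(3), m.group(2).lower().rstrip(".")

def build_baseline(lines):
    """Map each client to the set of domains it queried in the learning window."""
    base = defaultdict(set)
    for client, domain in parse(lines):
        base[client].add(domain)
    return base

def first_seen(baseline, lines):
    """Sorted (client, domain) pairs new FOR THAT CLIENT. A domain other devices
    query routinely is still reported the first time this device asks for it."""
    seen = defaultdict(set)
    out = set()
    for client, domain in parse(lines):
        if domain not in baseline.get(client, set()) and domain not in seen[client]:
            out.add((client, domain))
        seen[client].add(domain)
    return sorted(out)

# Constructed learning window: two cameras and a TV doing their normal thing.
BASELINE_LOG = """\
Apr 20 09:00:01 dnsmasq[842]: query[A] time.example-vendor.net from 192.168.50.21
Apr 20 09:00:02 dnsmasq[842]: query[A] cloud.example-vendor.net from 192.168.50.21
Apr 20 09:00:03 dnsmasq[842]: query[A] time.example-vendor.net from 192.168.50.22
Apr 20 09:00:04 dnsmasq[842]: query[A] cloud.example-vendor.net from 192.168.50.22
Apr 20 09:00:05 dnsmasq[842]: query[A] cdn.example-tv.com from 192.168.50.30
Apr 20 09:00:06 dnsmasq[842]: cached cdn.example-tv.com is 203.0.113.10
""".splitlines()

# Constructed later window: camera .22 suddenly resolves a name it never used.
TODAY_LOG = """\
Apr 21 09:00:01 dnsmasq[842]: query[A] time.example-vendor.net from 192.168.50.21
Apr 21 09:00:02 dnsmasq[842]: query[A] cloud.example-vendor.net from 192.168.50.22
Apr 21 09:00:03 dnsmasq[842]: query[A] cdn.example-tv.com from 192.168.50.22
Apr 21 09:00:04 dnsmasq[842]: query[AAAA] cdn.example-tv.com from 192.168.50.22
""".splitlines()

if __name__ == "__main__":
    for client, domain in first_seen(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(f"first time {client} asked for {domain}")
```

The TV resolving cdn.example-tv.com is routine and stays quiet; the same name coming from a camera that never asked for it is the one line worth a look.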

Dalis

New Member
Apr 20, 2021
Arizona, USA
Thanks all. I'm a little bit confused by statements like "Untangle uses Snort." and "pfSense uses Snort." and "Untangle can use Suricata."

I thought Untangle, pfSense, Snort, Suricata, Sophos, etc. were all similar applications. In what sense do Untangle or pfSense "use" the others? Are you talking about rules, like a text file of rules in a specific format? Or is there actual software code added when we say that Untangle uses Snort?
 

RTM

Well-Known Member
Jan 26, 2014
Untangle, pfSense, OPNsense, Sophos XG, Sophos UTM are all firewall distributions, meaning a complete piece of software with an underlying OS, that can be installed on a device to make it function as a firewall.

Snort and Suricata are IDS/IPS engines, meaning pieces of software that listen to traffic and based on its signatures generate alerts and/or block traffic (if it is configured in IPS mode). These will need to be installed on something, which will also need to have an OS on it.
Snort and Suricata are both standard components that are frequently installed (or can be installed) on devices that have the previously mentioned firewall distributions installed. This is of course done so the firewalls may perform IDS and/or IPS.

Some of the other technologies you mention:

Zeek (old name was "bro"): a (N)IDS, that in many ways is significantly different compared to signature detection with Snort and Suricata (although Suricata can do some of the stuff that Zeek does now). Usually it is used to generate logs based on the traffic that it observes, that you can then search.

OSSEC (it is my understanding that the Wazuh project has mostly superseded OSSEC): A piece of software that you install on your client computers to help make them more secure (you can think of it as a sort of AV client that focuses on making the computer it is installed on more difficult to compromise).

I would like to stress, that what I have written here are highly generalized descriptions of the various pieces of software. Think of it as these technologies do this, not as they only do this. To a large extent they implement good features from one another (like Suricata can also generate logs based on the traffic it has observed, like Bro).
 

sic0048

New Member
Dec 24, 2018
I would suggest using at least two VLANs for your IoT devices. One for things (like streaming sticks and TVs) that need to connect to the internet to work, and one that is locked down and doesn't allow any internet connections. This is good for things like smart switches, plugs, cameras, etc.
 

jjacobs

Member
Dec 25, 2020
70
31
18
CO
Agreed. It's not what *category* a device falls into; it's the access profile that determines what VLAN it goes in.

Not to put too fine a point on it, but if you're putting a device on your network that you feel you need to go to extremes to defend yourself from, why are you putting it on your network?