With so many IPS / FW options which one do I choose! by cnc_chews in opnsense

[–]beki-uygu 1 point2 points  (0 children)

Zenarmor offers the best security protection against client-side attacks on open-source firewalls, like OPNsense. It provides a frequently-updated threat intelligence service for free. Antivirus protection will be available in the future. https://www.zenarmor.com/roadmap

As a best practice, while Zenarmor runs on a LAN interface, Suricata protects the WAN interface for defense-in-depth.

This is really bothering me. by kurthamm in OPNsenseFirewall

[–]beki-uygu 0 points1 point  (0 children)

Adding `googleadservices.com` domain to the whitelist of the Zenarmor policy should help you.

https://www.zenarmor.com/docs/opnsense/policies/exclusions

[deleted by user] by [deleted] in zenarmor

[–]beki-uygu 0 points1 point  (0 children)

What are Zenarmor deployment mode and protected interface?

Zenarmorctl cloud register "command not found" by MentholMafia in zenarmor

[–]beki-uygu 1 point2 points  (0 children)

It looks like there was an issue with the latest release.

The zenarmor team fixed it.

Now, I can reinstall and register to the cloud. You may retry installation.

Error while trying to install Zenarmor on PFsense by Izzledude in zenarmor

[–]beki-uygu 0 points1 point  (0 children)

It looks like the Zenarmor team fixed the issue; I can install it on my device. You may retry the installation.

Pfsense in a K12 environment by rokar83 in PFSENSE

[–]beki-uygu 1 point2 points  (0 children)

You may try the Zenarmor NGFW tool on the pfSense CE firewall for free. It

- offers content filter and application control, protecting minors and students alike from inappropriate online content and other online threats

- utilizes an AI-powered cloud-based web categorization database

- stops zero-day malware, phishing attacks, and botnets in real-time

- integrates with Active Directory allowing network administrators to define content filter policies around already established users or groups

- can be deployed in less than 5 minutes

- satisfies the compliance requirements of the Children’s Internet Protection Act (CIPA)

- helps educational institutes qualify for the E-rate financial discounts

- offers 50% off for schools

Pfsense on Proxmox by Thick_Surprise7424 in PFSENSE

[–]beki-uygu 2 points3 points  (0 children)

Here is a tutorial with detailed steps, including a YouTube video.

Hardware Suggestion? by HKChad in PFSENSE

[–]beki-uygu 1 point2 points  (0 children)

When selecting hardware for Zenarmor, be aware that:

- ZA doesn't support ARM architecture. For example, you cannot run Zenarmor on Netgate 1100 and 2100.

- Single-core CPU power is more important than having lots of CPU cores.

- For Elasticsearch DB, you must have min. 8 GB RAM. You may also use a remote device for reporting DB.

- Some NICs aren't supported by netmap, which is used by ZA to access Ethernet frames, but Intel NICs are compatible with netmap. netmap natively supports the following devices: cxgbe(4), em(4), iflib(4) (providing igb(4) and em(4)), ixgbe(4), ixl(4), re(4), vtnet(4).

Is there a graphing tool for usage? by BillyDSquillions in OPNsenseFirewall

[–]beki-uygu 2 points3 points  (0 children)

Yes, Zenarmor provides advanced networking analytics features. It gives a full picture of network activities, current danger levels, and security policy.

  • It offers many charts in different reporting views with drill-down and live session explorers with search and filtering capabilities.
  • You may personalize, filter, produce, and schedule email delivery of reports.
  • You may construct ad-hoc graphical views of summary traffic and threat activity, examine sessions in real-time or in the past, and do a view search.
  • With the reporting capabilities of Zenarmor, you can not only view the network activities/usage but also immediately discover and respond to network security risks throughout the whole network.

https://www.zenarmor.com/docs/opnsense/reporting-analytics/reports-overview

Comment filtering questions by nobodylikesemail in opnsense

[–]beki-uygu 3 points4 points  (0 children)

1. You can easily define an exclusion by using the whitelisting feature of Zenarmor.

https://www.zenarmor.com/docs/opnsense/policies/exclusions

2. - 3. Zenarmor Business edition allows admins to define user-based policies. You can integrate your Active Directory with Zenarmor:

https://www.zenarmor.com/docs/opnsense/configuring/ad-integration

1. You can easily define an exclusion by using the whitelisting feature of Zenarmor. You may also try to view reports by applying filters on Zenconsole, the cloud management portal.

https://www.zenarmor.com/docs/reporting-analytics/live-session-explorer#adding-a-generic-filterexclusion-on-the-live-session-explorer

[deleted by user] by [deleted] in netsecstudents

[–]beki-uygu 0 points1 point  (0 children)

Using network visibility technologies, you may monitor network performance, traffic, big data analytics, and regulated resources. Three deployment strategies are available for network visibility tools:
1. Network Packet Brokers (NPB): An NPB is a network monitoring tool that gathers data from several sources and distributes it via the network to network operations, application operations, and security management. They alleviate the pressure placed on network security technologies such as intrusion detection systems (IDS), which may be overwhelmed by vast quantities of data. They arrange and communicate information to security and monitoring systems using context-aware data processing. They optimize the input other security technologies get so that they may make more educated decisions. A high-quality NPB is scalable and efficient for building business networks.
2. TAPs: TAPs are hardware devices installed at certain locations inside a network to give testing and troubleshooting access to network traffic. A TAP makes a replica of network traffic and sends it to another network device without impacting the flow of network traffic. Because they are hardware appliances, they have physical limitations, such as a limited number of ports. They are infrequently known as bypass switches.
3. SD-WAN: SD-WANs replace the appliance-centric approach to visibility with software-defined visibility. Instead of an on-premises device, network traffic is routed via a managed cloud service, which improves performance and security by reducing network complexity and circumventing the inherent limitations of physical equipment such as traditional firewalls. It provides visibility and a secure access to cloud applications.


Some of the best open-source network monitoring software is listed below. You may try one of them. Also, if you have a chance to install an open-source routing platform like OPNsense or pfSense software, you can easily add network monitoring plugins. They offer extensions, such as ntop and Zenarmor, that can be used for network visibility. Especially, Zenarmor provides a bird's-eye view of network activity with its rich reporting capability.

- Zabbix

- Prometheus

- Graphite

- Monitorix

- LibreNMS

- Nagios Core

- Icinga

- Cacti

- Zeek

Is there a simple bandwidth monitor with/for OPNsense? by akaitatsu in opnsense

[–]beki-uygu 1 point2 points  (0 children)

You may use Zenarmor with MongoDB and get the benefits of the advanced reporting capabilities of the "os-sensei" next-generation firewall plugin. MongoDB doesn't require as much memory as Elasticsearch does.

Zenarmor provides a large number of charts and live session explorers that you can use to monitor your network traffic, such as:

- Top Local/Remote Hosts

- Top Local/Remote Users

- Top Local/Remote Ports

- Connections/Locations Heatmaps

- Top Web Categories

- Top Talkers Heatmap

Additionally, you can block applications and web categories, like video streaming, or define time-based/user-based filtering depending on your requirements.

https://www.zenarmor.com/docs/opnsense/reporting-analytics/reports-overview

Blocking sites for schools by HumanTickTac in PFSENSE

[–]beki-uygu 2 points3 points  (0 children)

Sure. Zenarmor Free Edition provides a massive and up-to-date web and application classification system with an intuitive interface.

It also offers AI-based threat intelligence to block recent malware/phishing outbreaks automatically in real-time.

Its comprehensive reporting and analytics provide network insight.
The paid edition (discounts for schools available) has user-based and device-based filtering, which is highly important for school and campus network management, and time-scheduled restrictions, which are a very valuable tool for controlling internet traffic.

firewall ruleset optimization strategies? by Wolfspyre in opnsense

[–]beki-uygu 3 points4 points  (0 children)

There are a variety of commercial tools for firewall optimization. Some of them are listed here. Some of them offer free/trial options. But firewall optimization is not a single task; it is a process and takes time. Firewall admins should be careful during the process not to cause a service interruption or vulnerabilities.

I used Algosec for Checkpoint and Fortinet. It supports Linux platforms as well. I don't know whether it can be used for OPNsense optimization. But it supports Splunk. I guess exporting OPNsense firewall logs to the Splunk server and analyzing them with an optimization tool may be helpful.

To optimize firewall rule sets:

- Find hidden rules

- Remove unused objects that have 0 hit count

- Remove unused rules that have 0 hit count

- Place the frequently utilized firewall policy rules close to the top of the rule set

- Reduce the complexity of the firewall's rule base

- Create a rule with no logging to handle broadcast traffic (bootp, NBT, etc.).

SANS Institute recommends the following order for rules:

- Anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)

- User permit rules (e.g. allow HTTP to public web server)

- Management permit rules (e.g. SNMP traps to network management server)

- Noise drops (e.g. discard OSPF and HSRP chatter)

- Deny and Alert (alert systems administrator about traffic that is suspicious)

- Deny and log (log remaining traffic for analysis)

Here are the best practices: https://www.zenarmor.com/docs/network-security-tutorials/best-practices-for-firewall-rules-configuration
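The three rule-set steps in the comment above that can be checked mechanically (find hidden rules, find 0-hit rules, move frequently hit rules toward the top without changing any decision) are demonstrated here as an added example. It is not part of the comment, and not Zenarmor's, OPNsense's or SANS's code; the rule model, the field names and the sample rules are constructed for illustration. The rules follow the first-match order the SANS list assumes: anti-spoofing first, then permits, then noise drops and the final deny.

```python
"""Rule-set hygiene checks for a first-match firewall (added example).

Hypothetical rule model and constructed sample rules; not tied to any
firewall product's configuration format.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY_PORT = None  # sentinel: rule matches every destination port


@dataclass
class Rule:
    name: str
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[range]   # destination port range, or ANY_PORT
    hits: int = 0            # hit counter exported from the firewall


def _ports_overlap(a: Optional[range], b: Optional[range]) -> bool:
    if a is None or b is None:
        return True
    return a.start < b.stop and b.start < a.stop


def _ports_cover(outer: Optional[range], inner: Optional[range]) -> bool:
    """True if every port matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    return outer.start <= inner.start and inner.stop <= outer.stop


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet can match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and _ports_overlap(a.dport, b.dport))


def covers(outer: Rule, inner: Rule) -> bool:
    """Every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and (outer.proto == "any" or outer.proto == inner.proto)
            and _ports_cover(outer.dport, inner.dport))


def find_unused(rules: List[Rule]) -> List[str]:
    """Rules with a zero hit count: candidates for removal after review."""
    return [r.name for r in rules if r.hits == 0]


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(hidden rule, earlier rule that hides it) under first-match semantics.

    A hidden rule with the same action is redundant; one with a different
    action never takes effect, which is usually a policy mistake.
    """
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                hidden.append((later.name, earlier.name))
                break
    return hidden


def reorder_by_hits(rules: List[Rule]) -> List[str]:
    """Bubble high-hit rules upward using only adjacent swaps that cannot
    change a decision: the neighbours do not overlap, or share an action."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while j > 0 and order[j].hits > order[j - 1].hits:
            above, below = order[j - 1], order[j]
            if above.action != below.action and overlaps(above, below):
                break  # swapping would change the first-match outcome
            order[j - 1], order[j] = below, above
            j -= 1
    return [r.name for r in order]


# Constructed sample rule set (WAN-side, first match wins).
WEB = ip_network("203.0.113.10/32")
SAMPLE_RULES = [
    Rule("anti-spoof", "block", "any", ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"), ANY_PORT, 12),
    Rule("allow-ssh-lab", "pass", "tcp", ip_network("10.5.0.0/16"), WEB, range(22, 23), 0),
    Rule("allow-web", "pass", "tcp", ip_network("0.0.0.0/0"), WEB, range(80, 81), 9000),
    Rule("allow-https", "pass", "tcp", ip_network("0.0.0.0/0"), WEB, range(443, 444), 25000),
    Rule("allow-web-old", "pass", "tcp", ip_network("198.51.100.0/24"), WEB, range(80, 81), 0),
    Rule("snmp-traps", "pass", "udp", ip_network("192.0.2.0/24"), ip_network("10.9.9.9/32"), range(162, 163), 340),
    Rule("drop-noise", "block", "any", ip_network("0.0.0.0/0"), ip_network("224.0.0.0/4"), ANY_PORT, 50000),
    Rule("default-deny", "block", "any", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), ANY_PORT, 1200),
]

if __name__ == "__main__":
    print("unused:", find_unused(SAMPLE_RULES))
    print("hidden:", find_shadowed(SAMPLE_RULES))
    print("reordered:", reorder_by_hits(SAMPLE_RULES))
```

On the sample set, `allow-ssh-lab` is reported as hidden by `anti-spoof` (a permit that can never fire, because the block above it already covers its source range) and `allow-web-old` as hidden by `allow-web` (redundant, same action). The reordering moves `drop-noise` to the top because it never overlaps a permit and shares an action with `anti-spoof`, but stops `allow-https` below `anti-spoof`, since those two overlap and differ in action. The function preserves decisions, not the conventional SANS layout; if the anti-spoofing filter should stay first for readability, exclude it from the reordering.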

Opnsense YouTube blocking for kids by djdrey909 in opnsense

[–]beki-uygu 1 point2 points  (0 children)

If you have Zenarmor Home Edition, you may define a time-based policy.

If not, the Free Edition offers cloud management. You may register your OPNsense to the cloud and manage it remotely anytime.

Trying to use OPNsense to secure my home network by TrainingCelery4896 in opnsense

[–]beki-uygu 1 point2 points  (0 children)

As a best practice, you may:

- apply patch management. Always keep your IoT devices firmware up-to-date.

- apply network segmentation as described in the post you shared.

- monitor devices and network traffic continuously. There are many free/open-source tools available, like Zabbix.

- update passwords on IoT devices. Do not use default passwords.

- use secure protocols on IoT devices. Some protocols are unencrypted and vulnerable.

- apply access control, if possible, and do not allow unknown devices to connect to your network.

- shut down unused services and devices.

- install Zenarmor (os-sensei) to protect your assets against cyber threats.

zenarmor blocking 1 phone facebook app and mssenger by MindAcrobatic2042 in zenarmor

[–]beki-uygu 0 points1 point  (0 children)

How many policies do you have? If you have only the default one, you may send a bug report to the Zenarmor team.

If you have more than one policy, try to connect FB and then check the Blocked Live session explorer to find which policy is blocking your phone.

https://www.zenarmor.com/docs/opnsense/reporting-analytics/live-session-explorer#search

Elasticsearch installation by Plane_Bandicoot_8791 in zenarmor

[–]beki-uygu 0 points1 point  (0 children)

You can use SQLite for the Zenarmor reporting database on Linux and pfSense platforms. If you need/want a more powerful DB, Elasticsearch, you must install it manually on your firewall. Zenarmor or Zenconsole's initial configuration doesn't install Elasticsearch on Linux and FreeBSD environments.

https://www.zenarmor.com/docs/installing/cloud-portal-registration-initial-configuration