[Solved] Need for IDS/IPS

So I am curious, OpenWrt does not expose any of my ports to the WEB and OpenWrt does not allow traffic in. This being said, why do I need an IDS/IPS, Snort or otherwise, to block any of the threats sent towards my system? If they cannot get in, why bother? New to this and a bit confused by this concept. I did install banIP and like the logging aspect, but now wonder why I am doing this other than seeing all of the blocks.


The way the firewall works is pretty straightforward (simplified view):

  • The firewall will protect your network by not allowing any connections that are initiated by hosts on the internet (i.e. unsolicited traffic)
  • And, so that you and your devices can use the internet normally, it allows connections to be initiated from the LAN to the internet. Obviously it needs to then allow the response traffic/connections (which is 'established and related') back through the firewall to your devices on the LAN.

Therefore, OpenWrt will indeed protect your network from unsolicited traffic and attacks.
But it cannot directly protect against threats due to a compromised device on the LAN side of the network. So, if you have a device that has been infected with some malware, it may attempt to do various things that are initiated from inside your network. For example, it may try to exfiltrate your data or 'keylogged' login credentials that it grabbed while you were using your computer. Or, it might create a connection to a Command & Control (C&C) server on the internet to download a malicious payload to execute on your computer. It is these types of things that (hopefully) become apparent with IDS/IPS and other higher-level traffic analysis tools.
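The two bullets above correspond to the stock zone layout in OpenWrt's /etc/config/firewall; the fragment below is an added illustration of that layout, not config posted in this thread, and assumes the usual 'lan' and 'wan'/'wan6' interface names. Established/related reply traffic is accepted automatically by the firewall, so no explicit rule for it appears here.

```uci
# Policies applied to traffic that matches no zone
config defaults
	option input 'REJECT'      # unsolicited traffic to the router itself is refused
	option output 'ACCEPT'
	option forward 'REJECT'    # no forwarding between zones unless a 'forwarding' section allows it
	option synflood_protect '1'

# LAN zone: fully trusted, so anything from LAN may reach the router
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: internet-initiated connections are rejected at the router
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'      # nothing from the internet may open a connection to the router
	option output 'ACCEPT'
	option forward 'REJECT'    # nothing from the internet may be forwarded into the LAN
	option masq '1'            # NAT for IPv4 traffic leaving towards the internet
	option mtu_fix '1'

# The one-way allowance: connections may be initiated from LAN to WAN only.
# Note that a compromised LAN host's outbound C&C or exfiltration traffic
# matches this section just like a browser's traffic does.
config forwarding
	option src 'lan'
	option dest 'wan'
```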


Thank you for that explanation


Just to add a little footnote, the system requirements for a half-decent IDS/IPS are considerably higher than those for routing the same WAN speed. IDS/IPS is pretty much x86_64, high-end ARMv8 or high-end mips64 (Octeon/Cavium) territory only, both because of the considerable storage and RAM requirements (mostly independent of the intended WAN speed) to load in the first place, but even more the CPU requirements to intercept and inspect every packet going through (directly depending on the WAN speed and the number of concurrent clients behind it). We are talking about mid- to high-end x86_64 systems here for anything but the slowest WAN connections.

Most of the routers you'd usually think about in terms of OpenWrt won't qualify.


You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
