Is the figure below OK?
Suricata-IDS in IPS mode can’t protect my Apache server?
Any opinion is welcome.
This question cannot be given an equally clear answer under all circumstances. For example, if the Apache server is encrypted with TLS, it is difficult not only for Suricata but also for other security solutions. However, if that area is decrypted by an Apache server reverse proxy, etc., the story is different. I think the attached table is an extreme example.
Thank you for your reply.
Thus, Suricata-IDS in drop mode is only useful for HTTP and other protocols that don't encrypt?
Then, is the WAF the only solution?
A WAF may be suitable if your server is encrypted with TLS. If your WAF detects requests that have already been decrypted, like ModSecurity, there is no problem. However, a WAF located in front of the web server, like Suricata, must have the traffic decrypted through SSL/TLS termination. Supporting SSL/TLS termination means that already at this point, Suricata is also likely to be able to check the decrypted traffic.
Thank you so much.
Do you mean:
Internet Traffic —> WAF —> Suricata-IDS —> Web site
Can you show me a diagram about it?
Internet → WAF → IDS/IPS → Web Server
The diagram above is correct.
However, in my actual experience, in this diagram the SSL decryption entity (termination) exists at the WAF location, and the actual (dedicated) WAF is often located behind the IDS/IPS.
This is only my experience, and there are various cases depending on the usage environment.
For WAF and Suricata-IDS, I must have two servers: one for ModSecurity and another one for Suricata-IDS. Can't I have both on one server?
It is possible to configure the two solutions to work together on a single server, but it is not recommended for performance reasons. In addition, if it is configured in IPS mode (Suricata inline), the configuration is also complicated.
As a final word, can Suricata-IDS and other security products help my server if the connections are not encrypted?
If it’s not encrypted, it doesn’t matter.
Even if the connection is encrypted, it is limited to things such as threshold detection or a combination of TCP features, but some cases can be handled.
Thus, Suricata-IDS can protect a server in HTTP mode, and in HTTPS mode it can just handle some requests. Is that right?
Yes, that’s right.
When used properly, it can respond to threats.
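As an added illustration of the thread's conclusion (not code from the original posts or from the Suricata project): a small Python model of a sensor tapped before and after TLS termination, with a payload `content`-style check that only works on decrypted traffic and a per-client threshold check that still works on ciphertext because it uses only timing and addressing. The client IPs, timestamps and the TLS record bytes are constructed samples, and the threshold and window values are arbitrary assumptions.

```python
from collections import defaultdict, deque

# Constructed sample traffic, not a real capture: (timestamp in seconds, client IP, bytes seen at the tap).
# After TLS termination (WAF/proxy -> Apache) the sensor sees plaintext HTTP and can match on payload.
PLAINTEXT_FLOWS = [
    (0.0, "198.51.100.7", b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    (0.4, "198.51.100.7", b"GET /view?f=../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]
# Before termination (Internet -> WAF) the same sensor only sees TLS application-data records:
# header 0x17 0x03 0x03 (type 23, version 3.x); the body here is a placeholder, not real ciphertext.
ENCRYPTED_FLOWS = [
    (i * 0.1, "203.0.113.9", b"\x17\x03\x03\x00\x20" + bytes((i * 37 + j) % 256 for j in range(32)))
    for i in range(6)
]


def is_tls_record(payload: bytes) -> bool:
    """True when the bytes start with a TLS record header (content type 20-23, major version 3)."""
    return len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3


def content_match(payload: bytes, needle: bytes):
    """Rough equivalent of a `content:` keyword; None means the payload is ciphertext and not inspectable."""
    if is_tls_record(payload):
        return None
    return needle in payload


def inspect(flows, needle=b"/etc/passwd", limit=5, window=1.0):
    """Run a payload detector and a threshold detector over the flows and report what each could see.

    content_alerts:   (client, ts) pairs where the payload matched; only possible on decrypted traffic.
    threshold_alerts: clients with more than `limit` flows inside `window` seconds; payload-independent.
    opaque:           number of flows whose payload could not be inspected at this tap point.
    """
    content_alerts, threshold_alerts, opaque = [], set(), 0
    recent = defaultdict(deque)  # per-client sliding window of timestamps
    for ts, client, payload in flows:
        verdict = content_match(payload, needle)
        if verdict is None:
            opaque += 1
        elif verdict:
            content_alerts.append((client, ts))
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            threshold_alerts.add(client)
    return {"content_alerts": content_alerts, "threshold_alerts": threshold_alerts, "opaque": opaque}


if __name__ == "__main__":
    print("after termination :", inspect(PLAINTEXT_FLOWS))
    print("before termination:", inspect(ENCRYPTED_FLOWS))
```

Placing the sensor after the terminating proxy or WAF is what turns the second result into the first.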