I am looking for a device doing DPI for home use. I have a lot of IoT devices which I have 0 visibility on and decided to check what they are doing. They are in a different VLAN, but I am still looking for a more advanced way of listening to the traffic toward the internet.
IDS possibly IPS would be a required feature.
Currently I have a 750gr and CRS 328s
Could mikrotik help me out here or do I need to add a different vendor?
If so, is it recommended to do the VLAN → VLAN (east-west) communication on the Mikrotik router and have the firewall do only north-south? I would prefer Mikrotik to do most of the work.
Different vendor… You will pay through the nose for a higher end device that can still provide the throughput required with IDS services applied and by the way those IDS… DPI services are not native to the router, you then additionally have to buy subscription services to activate them.
Ha! Deep packet inspection, application awareness, L7 inspection, whatever name it has today. The hallmark of the modern firewall. But that’s not a function Mikrotik devices have natively. In essence, you are paying someone to maintain a database of IP addresses, domain names and signatures that enable a firewall to recognize an application or a service going over the internet. This is highly dynamic and changes pretty much every day, hence the price tag.
There was for a while an effort called “openDPI” which was to have an open source repository of such things. I think that project was abandoned several years ago and someone created another port called nDPI, but which focuses on ntop.
You may find your luck with Security Onion and integrate ntop data. I haven’t tried it yet, planned for when I have a moment.
If you plan on blocking stuff, an inline mode is pretty much the way to go, otherwise a port-mirror is probably better.
Most of the above vendors are really, really in another league compared to Mikrotik.
You must see Mikrotik RB as a ROUTER with network packet filter (and a lot of Swiss-army knife capabilities for sure!)
I use Fortinet & Palo Alto in my professional work, very, very capable, but it comes with a price tag…
Because they have dedicated silicon/ASICs to handle the complex stuff…
Perhaps an alternative to get something like a Firewall. These seem almost like rebranded “TopTon” boxes.
You could also get some Topton box and do something with open source, depending on your level of knowledge.
Then on the Mikrotik you could work with Netflow and/or fully “mirror” your traffic stream into such box and use some tools like “ntopng” on it or something.
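As an added illustration (not configuration posted by anyone in this thread, and not MikroTik's own documentation excerpt), this is what the "Netflow and/or mirror into a monitoring box" approach suggested above, together with the earlier inline-vs-port-mirror remark, looks like in RouterOS terms. It assumes a VLAN interface named `vlan-iot` on the RB750Gr3, a CRS328 whose `ether2` carries the IoT VLAN and whose `ether24` is the port the analysis box is plugged into, and a collector at 192.168.10.50; all of those names and addresses are assumptions.

```routeros
# Added example, not from the thread. Two complementary views of the IoT traffic:
#   1. flow records (NetFlow v9, "Traffic Flow" in RouterOS) exported from the router
#   2. a full packet copy via switch-chip port mirroring on the CRS328 (CRS3xx series)
# Neither one is inline, so nothing here can block traffic; it is for visibility only.

# --- 1. Flow export on the RB750Gr3 (assumed VLAN interface name: vlan-iot) ---
/ip traffic-flow
set enabled=yes interfaces=vlan-iot

# Send the records to the collector (assumed address 192.168.10.50, UDP/2055).
/ip traffic-flow target
add dst-address=192.168.10.50 port=2055 version=9

# --- 2. Port mirror on the CRS328 (assumed: ether2 = IoT-facing port, ether24 = monitor NIC) ---
# Copy both directions of ether2 to ether24. The mirror port carries the frames as the
# switch sees them, so on a trunk port the 802.1Q tags are preserved.
/interface ethernet switch port
set ether2 mirror-ingress=yes mirror-egress=yes
/interface ethernet switch
set switch1 mirror-ingress-target=ether24 mirror-egress-target=ether24
```

On the monitoring box, ntopng reads packets straight off the NIC attached to the mirror port; the flow records from part 1 need a collector such as nProbe in front of ntopng, since ntopng itself does not listen for NetFlow. Nothing in this setup is in the forwarding path, which is exactly the trade-off mentioned earlier in the thread: a mirror or flow export cannot drop anything, and blocking would need the IDS/IPS host to sit inline between the VLAN and the internet instead.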
Among your list I have experience with Firewalla. An advantage is that today the IDS/IPS cost is in the capital for the box, not ongoing. That is not guaranteed to continue. Firewallas are also easy to configure though their configuration model (rule scopes) is different from that of ROS and open source products. If you want an easy, manageable IDS/IPS then so far, so good, though I agree with mada3k’s caveat.
Disadvantages include that it is terribly verbose, and repeatedly boasts of things it has blocked that are not meaningful threats in my context. Perhaps personal considerations are that I object to anything that demands that it phone home to function. Updates are pushed, not under your control.
I have switched to crowdsec for some protection beyond careful firewall configuration. The Firewalla box has been reinstalled with FreeBSD, just another device running inside my network.