Best placement of Suricata IPS?

Currently, I have sys-net → sys-firewall → sys-vpn → Qube.

Where would I install sys-ips (suricata) ?

Like this? sys-net → sys-ips → sys-vpn → Qube ?

Or do I still need sys-firewall in the mix?


The Firewall documentation mentions that you shouldn’t remove the qubes firewall.

Ok, so you suggest sys-net → sys-firewall → sys-ips → sys-vpn → qube?

In this tread: ANN: sys-ips it is mentioned that sys-firewall is not needed when running sys-ips.

Do you not agree with that?

I think it looks right, but wouldn’t the VPN make the IPS useless?

I think all the IPS is going to see if a single encrypted connection to the VPN gateway, wouldn’t it hide any suspicious traffic the IPS possibly could detect?

Yes, I believe that you are correct regarding the VPN.

Would it make more sense to put the VPN on the other side of the IPS, then?

Such as: sys-net → sys-firewall → sys-vpn → sys-ips ?

I quickly get confused with all of this so thank you for your helping in thinking through this.

hope I don’t confuse you, but I have:

sys-net > sys-ips > sys-pihole > sys-firewall > Qube

it really depends on what do you want to:

  • prevent with your firewall?
  • detect with your IPS?
  • achive with your VPN?

The answers from the audience is verly likely be different…so the implementation should align your needs. That’s it.

Another thing is your limited resources… as most of the time I see no reason using 3+ proxyVM in a row. I usually do use VPN + firewall in a single VM, I used IPS just for experimenting…

So a normal - but productive - setup on my machine is simply:
AppVM → VPN + Firewall → sys-net.
(even this simple setup is far superior that any ‘business forced’ security solution out there.

if I would use IPS then:
AppVM → IPS → VPN+firewall → sys-net.

btw: the arrows you drawing should point to the direction the IP traffic goes… Starting where you initiate the connection…and as you usually just reach OUT from the AppVMs to the internet, this should be the right sign to use:
AppVM → Firewall → sys-net → Internet.

For me the other way around:
sys-net → firewall → AppVM
would mean you are making your AppVM reachable from the internet… which is very likely not the case, right?

just my thoughts about the confusion this may creates.