What's the process of connecting raspberry Pi ids to the home router for detecting network wide intrusions?
Is there a better way through which I can connect the raspberry Pi ids to my home router to detect network wide intrusions?
While configuring a raspberry pi IDS/IPS with ELK stack on a separate machine, I tried to find more information about it and got to know its features, such as:
- Enforce network traffic policies
- Ensure that abnormal packets do not get out of or into our network
- DHCP server to distribute network parameters to your LAN
- DNS cache/server to speed up DNS requests and filter out bad DNS queries
- NIDS to detect malicious traffic, such as malware or vulnerability exploits
- Central network monitoring node to watch and debug network traffic
If you want to passively monitor the whole network by connecting raspberry pi ids, a monitor port on the router or similar would be sufficient - although most common home routers (the ones with WLAN and cable/DSL modem in it) don't have anything like this.
If you want to monitor data and also actively block traffic, the IDS has to be in the path of the traffic. This means it either needs to be set up as the gateway for all systems in the internal network and then forward the traffic to the router, or the router remains the gateway but the IDS is between the router and the ISP. In the latter case the Raspi needs to take care of the ISP connectivity too, i.e. it needs to have the physical ability (which might require a DSL, cable or FTTH modem depending on the kind of connectivity to the ISP you have), have the login information, be able to speak PPPoE or whatever protocol is required for the ISP, etc.
So your current idea of setting up Raspi as the network gateway is likely the easiest to implement. But, as Josef noted in a comment: it should be set up in a way that users simply cannot bypass the IDS just by changing the gateway. This would be best achieved by having the router/modem physically behind the Raspi so that no internal system could directly reach it and thus the only way for any internal system to the router/modem and then to the internet is through the Raspi.
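As an added illustration of the "Raspi as inline gateway" layout the answer recommends (this is example code written for this page, not the answerer's setup or any project's own script): the Pi has two interfaces, one toward the LAN and one toward the home router, so the router is physically reachable only through the Pi. The script enables forwarding, builds an nftables ruleset whose forward chain defaults to drop and hands both directions of traffic to an NFQUEUE that Suricata drains in IPS mode (`suricata -q`), and masquerades toward the router so the router needs no static route back. Interface names (`eth0`/`eth1`), the LAN prefix `192.168.50.0/24` and queue number `0` are constructed assumptions; the Suricata config path is the package default and may differ on your install.

```shell
#!/bin/sh
# Inline IDS/IPS gateway on a Raspberry Pi with two interfaces (example, assumed topology):
#   LAN clients -> eth1 (Pi) -> eth0 (Pi) -> home router -> ISP
# The router's LAN side is cabled only to the Pi's eth0, so changing a client's
# default gateway cannot bypass the IDS: there is no other path to the router.
LAN_IF="${LAN_IF:-eth1}"                 # faces the internal LAN; Pi is its default gateway
WAN_IF="${WAN_IF:-eth0}"                 # faces the home router
LAN_NET="${LAN_NET:-192.168.50.0/24}"    # constructed LAN prefix served by the Pi's DHCP
QUEUE_NUM="${QUEUE_NUM:-0}"              # NFQUEUE drained by Suricata in IPS mode

# Print the nftables ruleset. Forward policy is drop: any packet Suricata does
# not verdict (or that matches no queue rule) never crosses the Pi (fail closed).
gateway_ruleset() {
  cat <<EOF
flush ruleset
table inet gateway {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    # LAN -> router/Internet: only from our own prefix, inspected by the IPS
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET queue num $QUEUE_NUM
    # router/Internet -> LAN: replies to LAN-initiated flows only, also inspected
    iifname "$WAN_IF" oifname "$LAN_IF" ct state established,related queue num $QUEUE_NUM
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    # management, DNS and DHCP are offered to the LAN side only
    iifname "$LAN_IF" tcp dport { 22, 53 } accept
    iifname "$LAN_IF" udp dport { 53, 67 } accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Masquerade toward the router so it needs no static route back to $LAN_NET
    oifname "$WAN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Sanity check: both traffic directions must pass through the IPS queue.
# Returns 0 when exactly two "queue num" rules are present.
ruleset_is_inline() {
  gateway_ruleset | grep -c "queue num $QUEUE_NUM" | grep -qx 2
}

# Apply on the Pi: enable forwarding, load the ruleset, start Suricata on the queue.
# Requires root and both interfaces; only runs when invoked as "./gateway.sh apply".
apply_gateway() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv4.conf.all.rp_filter=1      # drop packets with spoofed source addresses
  gateway_ruleset | nft -f -
  suricata -c /etc/suricata/suricata.yaml -q "$QUEUE_NUM" -D
}

if [ "${1:-}" = "apply" ]; then
  apply_gateway
fi
```

Run `./gateway.sh` to print the ruleset for review, or `sudo ./gateway.sh apply` on the Pi. Because the forward chain's policy is drop and the queue rules carry no `bypass` flag, stopping Suricata stops all forwarded traffic rather than silently letting it through; if availability matters more than inspection for your household, add `flags bypass` to the queue rules, knowingly trading fail-closed for fail-open.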