15th May 2008
ai-danno
Spam Deminer
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284

From what you've stated the setups you have would be fine for both basic firewalling and VPN needs. The real gotcha is the IDS section- you'd likely be using Snort.

Snort's great, but beware its memory usage, especially on the larger rulesets- if you are going to filter traffic against a Windows network, you'll be using the largest rulesets and will consume large amounts of RAM. 512 MB filtering against a Windows network wouldn't be enough on its own, not to mention its other responsibilities. Also, the starting and stopping of Snort on a busy machine could cause the machine to churn, and even crash Snort from restarting altogether (this is based on personal experience.)

But if you are just using Snort for IDS and not for IPS (like snort2pf or snort2c) then IMHO you should mirror your traffic off to another separate box running snort (and then install BASE to view alerts in a more sane web-based manner.) If it's purely for Intrusion Detection and not Prevention, there's no need (and a lot of risk) in putting that application in-band on your production network paths- mirroring it off to a side server gives you the ability to muck with Snort as much as you want with no risk to production traffic.

In fact, even if you were going to use it for IPS purposes, you should take the mirroring+IDS path first until you are really comfortable with Snort, OBSD, and the interactions of both with your network. Then you can move that application inline with your production traffic.

Coming full circle, for high rate bursty transfers, if they are 'trusted' transfers a 'pass quick' in pf will take those packets out of the pf processing and make your firewall much more efficient.

Hope this gives some direction.
Network Firefighter
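As an added illustration of the 'pass quick' suggestion above (example configuration, not part of the original post), here is a minimal OpenBSD pf.conf fragment showing where such a rule belongs in the ruleset. The interface names, addresses and port are constructed assumptions. The security-relevant point is rule order: pf evaluates rules top to bottom and 'quick' stops evaluation at the first match, so a 'quick' rule for trusted transfers must sit below the antispoof and default block rules, otherwise it can bypass them. With state kept on the rule, only the first packet of a flow walks the ruleset at all; the rest are matched in the state table.

```pf
# Added example (not from the original post): trusted bulk transfer
# short-circuited with 'quick', placed after anti-spoofing rules.
# All names, networks and ports below are constructed assumptions.
ext_if = "em0"
int_if = "em1"
backup_srv  = "10.0.0.20"     # assumed internal host doing large transfers
backup_peer = "192.0.2.10"    # assumed remote end of those transfers
backup_port = "873"           # rsync, as an example bulk protocol

set skip on lo

# Anti-spoofing and default deny come first. Because pf matches top to
# bottom and 'quick' ends evaluation at the first match, nothing below
# can override these for a spoofed source.
antispoof quick for { $ext_if $int_if }
block in log all

# Trusted bulk transfer: 'quick' ends rule evaluation for the first packet
# of the flow; 'keep state' means every later packet in that flow is
# matched in the state table and never walks the ruleset.
pass in  quick on $int_if proto tcp from $backup_srv to $backup_peer port $backup_port keep state
pass out quick on $ext_if proto tcp from $backup_srv to $backup_peer port $backup_port keep state

# Everything else continues through the remaining (longer) ruleset.
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $ext_if inet proto { tcp udp } from $int_if:network keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -v -s rules` to confirm the rule order and watch the per-rule Evaluations and Packets counters: once the transfer is flowing, the quick rules' evaluation counts should stay flat while their packet counts climb, which shows the state table rather than the ruleset is handling the traffic.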