Re: [SLUG] Firewall latency

From: Ronan Heffernan (ronanh@auctionsolutions.com)
Date: Wed Jul 07 2004 - 14:25:47 EDT


>
> There have been a few analyses done on this. A google search should
> turn up some pretty good numbers. Suffice to say that you should
> easily be able to push 100M through a 900Mhz Xeon if that's all the
> answer you're really looking for. When you get to gigabit, then you're
> starting to tax current high-end processors.

Thanks for the response. I have been googling for most of these things.
I just queried the SLUG list to get first-hand experiences.

>
> Also, why wouldn't you just buy an inexpensive box to run as a linux
> iptables firewall since you're planning on using iptables anyway
> instead of buying some expensive firewall appliance or running
> iptables on each box?
>
Mostly it is a performance issue (I guess), see my other response (from
before this one).

>> * Do I need to merge various snort rulesets into my machine
>> periodically (on www.snort.org, there is a ~15 line ruleset for
>> dealing with NIMDA)? Is there an auto-updating source (well trusted,
>> of course) that I can fetch from every day, week, etc?
>
>
> Again, there are at least a couple of tools for automagically keeping
> your snort rules up-to-date that you can probably find on the snort
> website. I think oinkmaster is one of the more popular. (Although that
> might be something else entirely....) Also at least a couple of the
> more popular "snort analysis/management console" type things also do
> rules management.
>
I will add 'oinkmaster' to my search criteria on this one. Thanks.

>
> See above re: DoS. Depends on what you're trying to do. In general,
> Best Practice says to never let your IDS automatically manage your
> firewall; you should have an admin with a brain in there somewhere.

The automatic IDS is probably going to be a must, just because of speed.
By the time a beeper message has gotten from snort to our sysadmin (and
we do not have a 24/7 admin staff), and he has SSH'd in to see if there
is an attack, several of our applications could have been crippled (very
expensive, and bad PR). I would rather lock out a kosher user and take
30 minutes to let them back in, than have all of our remote users
(hundreds) frozen out by a DoS attack for 10 minutes.

--ronan
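The trade-off discussed in this reply (letting snort drive iptables for speed, versus the quoted advice to keep a human in the loop) can be narrowed with a few guard rails: block a source only after repeated alerts inside a short window, never block an administrative range, and lift every block automatically after the 30 minutes mentioned above. The script below is an added example written for this archive page; it is not code from the SLUG thread, from Snort or from oinkmaster. It assumes Snort's alert_fast line format, uses constructed alert lines with RFC 5737 documentation addresses and a made-up SID, treats 198.51.100.0/24 as a hypothetical admin/VPN allowlist, and emits the iptables commands as text rather than executing them so the decisions can be reviewed offline.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the SLUG thread): IDS-to-firewall coupling with guard
# rails. Reads Snort alert_fast style lines, blocks a source only after repeated
# alerts inside a sliding window, never blocks allowlisted ranges, and lifts each
# block automatically after 30 minutes. iptables commands are emitted as text.

YEAR = 2004  # alert_fast lines carry no year; assumed for the constructed sample

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Hypothetical admin/VPN range that must never be auto-blocked (placeholder).
ADMIN_ALLOWLIST = ("198.51.100.0/24",)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{YEAR}/{d['ts']}", "%Y/%m/%d-%H:%M:%S")
    d["prio"] = int(d["prio"])
    return d


class AutoBlocker:
    def __init__(self, threshold=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=30), allow=ADMIN_ALLOWLIST):
        self.threshold = threshold          # alerts needed before a block...
        self.window = window                # ...within this sliding window
        self.block_for = block_for          # automatic unblock after this long
        self.allow = [ipaddress.ip_network(a) for a in allow]
        self.hits = defaultdict(deque)      # src -> recent alert timestamps
        self.blocked = {}                   # src -> expiry time
        self.actions = []                   # commands/notes in order, not executed

    def _allowlisted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allow)

    def expire(self, now):
        """Lift every block whose expiry has passed (run per alert or from cron)."""
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                self.actions.append(f"iptables -D INPUT -s {src} -j DROP")

    def feed(self, alert):
        """Account for one parsed alert; return the iptables command if a block is issued."""
        src, now = alert["src"], alert["ts"]
        self.expire(now)
        if self._allowlisted(src):
            self.actions.append(f"# {src} is allowlisted; sid {alert['sid']} logged only")
            return None
        if src in self.blocked:
            return None
        recent = self.hits[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.threshold:
            return None
        self.blocked[src] = now + self.block_for
        recent.clear()
        cmd = f"iptables -I INPUT -s {src} -j DROP"
        self.actions.append(cmd)
        return cmd


def process(lines, allow=ADMIN_ALLOWLIST):
    """Feed alert lines through an AutoBlocker and return it for inspection."""
    blocker = AutoBlocker(allow=allow)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            blocker.feed(alert)
    return blocker


# Constructed sample alerts (documentation addresses, fake SID), sorted by time.
def _alert(sec, src, sport):
    return (f"07/07-14:25:{sec:02d}.000001  [**] [1:1000001:1] CONSTRUCTED NIMDA probe [**] "
            f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} "
            f"{src}:{sport} -> 192.0.2.10:80")

SAMPLE_ALERTS = sorted(
    [_alert(40 + i, "203.0.113.5", 4000 + i) for i in range(6)]     # noisy: blocked on the 5th
    + [_alert(40 + i, "198.51.100.7", 5000 + i) for i in range(6)]  # allowlisted: never blocked
    + [_alert(40 + i, "203.0.113.9", 6000 + i) for i in range(2)]   # below threshold: not blocked
    + ["not an alert line"]
)

if __name__ == "__main__":
    b = process(SAMPLE_ALERTS)
    for a in b.actions:
        print(a)
    print("blocked:", {s: t.strftime("%H:%M:%S") for s, t in b.blocked.items()})
```

Running it prints one DROP rule for 203.0.113.5 (issued on its fifth alert inside the window), six "logged only" notes for the allowlisted host, and nothing for 203.0.113.9. The threshold, window and allowlist are the knobs that decide how much of the "admin with a brain" the script replaces; the expiry is what bounds the damage when it is wrong about a legitimate user.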
