RE: [SLUG] Firewall latency

From: Ken Elliott (kelliott4@tampabay.rr.com)
Date: Wed Jul 07 2004 - 20:49:20 EDT


>>Isn't Windows naturally more secure?

Why, yes it is.

As shipped from Microsoft, Windows will crash, and thus be impossible to
compromise. Linux, OTOH, can run years without crashing, thus may be
compromised...

Ken Elliott

=====================
-----Original Message-----
From: slug@nks.net [mailto:slug@nks.net] On Behalf Of Ronan Heffernan
Sent: Wednesday, July 07, 2004 12:33 PM
To: slug@nks.net
Subject: [SLUG] Firewall latency

I am looking at adding some security (iptables and snort) to my network. I
have several questions and problem-domains; if anyone has answers or
experience with this, please pipe up.

* What kind of latency (expressed as ms?) and CPU load (expressed as, I
dunno, %CPU on a 900MHz Xeon? or other suitable expression) is introduced by
having IPTables examine packets? Does the penalty scale (linearly?
geometrically?) with the number of firewall rules? Is the latency higher on
100Mbit than 10Mbit? How does the penalty scale up in relation to
load/traffic?

* If snort detects an 'attack' (or portscan, etc.), what is a good way to
have it create IPTables rules to block attackers?

* Related to the above question: can I have snort on one IDS box reach out
and create the rules on all of my other boxen (I guess SSH is a gimme, but
is there a more structured protocol for propagating these
messages?) Yes, this question exposes the fact that my boxen are not behind
a single firewall. I am trying to avoid an expensive firewall (e.g. Cisco
535 = $21k) by running IPTables on each of the 6 machines that need to be
protected.

* Isn't Windows naturally more secure? (Sorry, that one is just
flamebait tossed-in for entertainment value!)

* Do I need to merge various snort rulesets into my machine periodically (on
www.snort.org, there is a ~15 line ruleset for dealing with NIMDA)?
Is there an auto-updating source (well trusted, of course) that I can fetch
from every day, week, etc?

* Is anyone running a tarpit using the IPTables TARPIT module? It sounds
like a good idea, what do you think?

Thanks.

--ronan

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages posted
are those of the author and do not necessarily reflect the official policy
or position of NKS or any of its employees.
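Ronan's second and third questions (having Snort feed block rules into iptables, and producing something that can be shipped to the other boxen over ssh) in working form. This is an added example for the thread, not code from the original posts nor from the Snort or iptables projects. It parses constructed lines in Snort's alert_fast format (SIDs in the 1000000+ local range), applies a repeat threshold, refuses to block anything in an assumed protected network (192.0.2.0/24), and renders iptables commands into a dedicated chain; the chain name, threshold and priority cut-off are assumptions chosen for illustration.

```python
"""Snort fast-alert -> iptables block rules, with the checks a defender
wants before automating this.

Added example for this thread, not code from the original post or from
the Snort/iptables projects. The alert lines are constructed samples in
Snort's 'alert_fast' format (local-range SIDs); the protected network,
threshold, priority cut-off and chain name are assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of Snort 'alert_fast' output (not captured traffic).
SAMPLE_ALERTS = """\
07/07-12:33:01.123456  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.45:4312 -> 192.0.2.10:80
07/07-12:33:02.223456  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.45:4313 -> 192.0.2.10:80
07/07-12:33:02.323456  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.45:4314 -> 192.0.2.10:80
07/07-12:33:05.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.11
07/07-12:33:07.000000  [**] [1:1000002:1] LOCAL worm signature [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.77:1234 -> 192.0.2.10:80
07/07-12:33:09.000000  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.5:5555 -> 192.0.2.10:80
07/07-12:33:09.100000  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.5:5556 -> 192.0.2.10:80
07/07-12:33:09.200000  [**] [1:1000001:1] LOCAL web probe translate header [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 192.0.2.5:5557 -> 192.0.2.10:80
07/07-12:33:10.000000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.99 -> 192.0.2.10
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src[:port] -> dst[:port]".  IPv4 only here.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Assumed policy for the example.
PROTECTED_NETS = [ip_network("192.0.2.0/24")]  # our own hosts: never auto-block
THRESHOLD = 3        # repeated alerts from one source before it is blocked
BLOCK_PRIORITY = 1   # a single alert at this (most severe) priority blocks at once


def parse_alerts(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def is_protected(ip):
    """True when the address belongs to a network we must never block."""
    addr = ip_address(ip)
    return any(addr in net for net in PROTECTED_NETS)


def select_offenders(alerts, threshold=THRESHOLD, block_priority=BLOCK_PRIORITY):
    """Pick source addresses to block: repeat offenders or a single severe hit,
    always skipping our own networks (alert sources can be forged)."""
    counts = Counter()
    immediate = set()
    for a in alerts:
        src = a["src"]
        if is_protected(src):
            continue
        counts[src] += 1
        if a["prio"] <= block_priority:
            immediate.add(src)
    chosen = immediate | {ip for ip, n in counts.items() if n >= threshold}
    return sorted(chosen, key=ip_address)


def block_rules(offenders, chain="SNORT_BLOCK"):
    """Render iptables commands. A dedicated chain keeps automatic blocks
    apart from hand-written rules and lets them be flushed as a unit."""
    cmds = [f"iptables -N {chain}", f"iptables -I INPUT 1 -j {chain}"]
    cmds += [f"iptables -A {chain} -s {ip} -j DROP" for ip in offenders]
    return cmds


if __name__ == "__main__":
    for cmd in block_rules(select_offenders(parse_alerts(SAMPLE_ALERTS))):
        print(cmd)
```

The returned command list is what you would push to each of the six boxes over ssh. The whitelist and threshold are the parts worth keeping: one alert is a weak signal, and the source address in a scan alert can be forged, so an unconditional auto-block would let anyone who can trigger a signature take your own gateway or DNS server off the air. Blocks should also expire (for example by flushing the chain on a timer) so stale entries do not pile up.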




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:13:40 EDT