IDS and Firewall on the same =but> POWERFUL BOX

From: Rajeev Kumar (rajeev@rajeevnet.com)
Date: 08/03/01


Message-ID: <3B6AC637.DE331B90@rajeevnet.com>
Date: Fri, 03 Aug 2001 11:41:43 -0400
From: Rajeev Kumar <rajeev@rajeevnet.com>
To: focus-ids@securityfocus.com, rajeev@rajeevnet.com
Subject: IDS and Firewall on the same =but> POWERFUL BOX

Hello All,

SHORT QUESTION:
======================================================================================
I am wondering if people on the list see any problems/threats/security
issues in deploying a firewall (such as ipchains/iptables or Checkpoint FW)
and an IDS program (such as snort) running on the same box.
======================================================================================

LONG QUESTIONS:
=======================================================================================
The reason I am asking is convenience. (Yes, I know convenience is
inversely proportional to security), but I want to check whether I am
losing something big here.

My point is: buy a powerful multi-CPU box, say 2 x P4 (1.7+ GHz) with
at least 512MB RAM, and deploy, let's say, Checkpoint and snort together.
Now both of these programs are written serially, which means individually
they cannot make use of both CPUs at the same time, but the OS can schedule
them and use both CPUs for load balancing. (That's my reason to buy a
multi-CPU box.)

Now, questions to ponder:

[1] Firewall and snort both will snoop traffic on all interfaces.

 <Positive points>:
  o This is good for snort. We can run one snort per interface with
different config files for each interface. That way we can have multiple
IDS sensors on the same box.

  o We don't have to worry about putting in separate hubs, configuring
switches for mirror ports, or putting an individual snort box on each side
of the firewall (internal, external, DMZ, etc.).

  o We can control access to snoop sensors easily.

 <Negative points>:
  o Box may overload?? (That's why I am proposing a POWERFUL box.) I
know Checkpoint can run on a mere 166MHz, 64MB Nokia box for a T1 line,
and snort won't put too much CPU load on a GHz CPU.

  o How about snooping and losing packets? (Any chance the firewall and
snort may conflict here??)

[2] Hardware is not costly these days, but when we start thinking of
deploying firewall and IDS sensors on 10+ sites, that will cause much
support/setup load if we plan on separate boxes.

Any other comments or suggestions are more than welcome.

Thanks,

Rajeev


-- 
********************************************************************
	Rajeev Kumar (rajeev@rajeevnet.com)
		http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
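An added example, not part of Rajeev's post or of any project he names: a small POSIX shell check for the "snooping and losing packets" concern under [1]. It reads counters in the Linux /proc/net/dev layout and flags any interface whose receive-drop ratio exceeds a threshold, which is the symptom a combined firewall/IDS box would show if the sensor starts missing traffic. The counters below are a constructed sample; on a real box, point check_drops at /proc/net/dev itself. The field positions (bytes, packets, errs, drop in the receive half) are an assumption about the kernel's /proc/net/dev format.

```shell
#!/bin/sh
# Added example (not from the original post): watch a shared firewall/IDS
# box for receive drops, the failure mode that would blind the IDS.
# Assumes the Linux /proc/net/dev layout:
#   iface: rx_bytes rx_packets rx_errs rx_drop ... | tx_bytes tx_packets ...

# check_drops FILE THRESHOLD_PERCENT
# Prints "iface rx_packets rx_drop pct" for every interface whose receive
# drop ratio exceeds THRESHOLD_PERCENT (default 1).
# Returns 0 when no interface exceeds the threshold, 1 otherwise.
check_drops() {
    file="$1"
    threshold="${2:-1}"
    awk -v thr="$threshold" '
        NR <= 2 { next }                       # skip the two header lines
        {
            sub(/^[ \t]+/, "")                 # trim leading whitespace
            split($0, parts, ":")              # "eth0" and the counters
            iface = parts[1]
            sub(/^[ \t]+/, "", parts[2])       # counters may start with a space
            split(parts[2], c, /[ \t]+/)
            rx_packets = c[2]
            rx_drop    = c[4]
            if (rx_packets == 0) next          # idle interface, nothing to judge
            pct = 100 * rx_drop / rx_packets
            if (pct > thr) {
                printf "%s %d %d %.2f\n", iface, rx_packets, rx_drop, pct
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# write_sample FILE
# Writes a constructed /proc/net/dev snapshot (sample data, not a real
# capture): eth0 has 0.01% receive drops, eth1 has 3%.
write_sample() {
    cat > "$1" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234567   10000    0    0    0     0          0         0  1234567   10000    0    0    0     0       0          0
  eth0: 98765432  500000   0   50    0     0          0         0 87654321  400000    0    0    0     0       0          0
  eth1: 45678901  200000   0 6000    0     0          0         0 12345678  100000    0    0    0     0       0          0
EOF
}

# Stand-alone run against the constructed sample.
sample="${TMPDIR:-/tmp}/netdev_sample.$$"
write_sample "$sample"
if check_drops "$sample" 1; then
    echo "no interface above 1% receive drops"
else
    echo "WARNING: receive drops above 1% on the IDS/firewall box (listed above)"
fi
rm -f "$sample"
```

Run it from cron or a monitoring agent with the real file (`check_drops /proc/net/dev 1`) and alert on a non-zero exit; a rising drop count on the interface snort listens to is the early sign that the co-located firewall and sensor are contending for the box. On the scheduling point in the post, pinning the snort process to a CPU of its own with taskset (from util-linux, e.g. `taskset -c 1 snort ...`) keeps the two user-space daemons from competing for the same CPU; the kernel's own packet path still runs wherever interrupts land, so the drop check is what to watch.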