IDS and Firewall on the same =but> POWERFUL BOX

From: Rajeev Kumar (rajeev@rajeevnet.com)
Date: 08/03/01


Message-ID: <3B6AC637.DE331B90@rajeevnet.com>
Date: Fri, 03 Aug 2001 11:41:43 -0400
From: Rajeev Kumar <rajeev@rajeevnet.com>
To: focus-ids@securityfocus.com, rajeev@rajeevnet.com
Subject: IDS and Firewall on the same =but> POWERFUL BOX

Hello All,
        
SHORT QUESTION:
======================================================================================
I am wondering if people on the list see any problems/threats/security
issues in deploying a firewall (such as ipchains/iptables or Checkpoint FW)
and an IDS program such as snort running on the same box.
======================================================================================

LONG QUESTIONS:
=======================================================================================
The reason I am asking is convenience. (Yes, I know convenience is
inversely proportional to security), but I want to check whether I am
losing something big here.

My point is: buy a powerful multi-CPU box, say 2 x P4 (1.7+ GHz) with
at least 512 MB RAM, and deploy, let's say, Checkpoint and snort together.
Now, both of these programs are written serially, which means individually
they cannot make use of both CPUs at the same time, but the OS can schedule
them and use both CPUs for load balancing. (That's my reason to buy a
multi-CPU box.)

Now, questions to ponder:

[1] Firewall and snort will both snoop traffic on all interfaces.

 <Positive points>:
  o This is good for snort. We can run one snort per interface with a
different config file for each interface. That way we can have multiple
IDS sensors on the same box.

  o We don't have to worry about putting in separate hubs, configuring
switches for mirror ports, or putting an individual snort box at each side
of the firewall (internal, external, DMZ, etc.).

  o We can control access to snoop sensors easily.
                

 <Negative points>:
  o Box may overload?? (That's why I am proposing a POWERFUL box.) I
know Checkpoint can run on a mere 166 MHz, 64 MB Nokia box for a T1 line,
and snort won't put too much CPU load on a GHz CPU.

  o How about snooping and losing packets? (Any chance the firewall and
snort may conflict here??)

[2] Hardware is not costly these days, but when we start thinking of
deploying firewall and IDS sensors at 10+ sites, that will cause a lot of
support/setup load if we plan on separate boxes.

Any other comments or suggestions are more than welcome.

Thanks,

Rajeev

 

-- 
********************************************************************
	Rajeev Kumar (rajeev@rajeevnet.com)
		http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
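An added example (not part of Rajeev's post) of the "one snort per interface" layout from point [1], plus a check for the packet-loss worry in the negative points: it builds a per-interface snort command line and scans /proc/net/dev-style counters for interfaces that are dropping received packets. Config and log paths and the interface names are assumptions; the counter text is a constructed sample.

```shell
#!/bin/sh
# One snort sensor per interface on a combined firewall/IDS host.
# Assumed layout (not from the post): /etc/snort/<iface>.conf and
# /var/log/snort/<iface>; override via the environment if needed.
SNORT_CONF_DIR=${SNORT_CONF_DIR:-/etc/snort}
SNORT_LOG_DIR=${SNORT_LOG_DIR:-/var/log/snort}

# Print the snort command for one interface: its own rules file and its
# own log directory, so each segment (internal, external, DMZ) can have a
# different policy while all sensors share the box.
snort_cmd() {
    iface=$1
    printf 'snort -D -i %s -c %s/%s.conf -l %s/%s\n' \
        "$iface" "$SNORT_CONF_DIR" "$iface" "$SNORT_LOG_DIR" "$iface"
}

# Start one daemonised sensor per interface name given as an argument.
# (Not invoked here; call e.g. "start_sensors eth0 eth1 eth2".)
start_sensors() {
    for iface in "$@"; do
        eval "$(snort_cmd "$iface")"
    done
}

# Read /proc/net/dev-format text on stdin and print "iface drops" for every
# interface whose receive-drop counter (4th receive field) is non-zero.
# A rising counter here means the kernel is shedding packets before snort
# or the firewall ever sees them, i.e. the sensor's view is incomplete.
rx_drops() {
    awk -F: 'NR > 2 {
        iface = $1; gsub(/^[ \t]+/, "", iface)
        n = split($2, f, " ")
        if (n >= 4 && f[4] + 0 > 0) print iface, f[4]
    }'
}

# Constructed sample of /proc/net/dev: eth0 has dropped 12 received packets.
SAMPLE_NET_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 5000000   40000    0   12    0     0          0         0  3000000   25000    0    0    0     0       0          0
  eth1: 7000000   60000    0    0    0     0          0         0  2000000   15000    0    0    0     0       0          0'

# Usage on a live box: "cat /proc/net/dev | rx_drops" in a cron job and
# alert on any output; run against the sample here for illustration.
printf '%s\n' "$SAMPLE_NET_DEV" | rx_drops
```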


