But while we're on the subject.. Permit me a small rant... When you can hang your IDS stuff off something in front of and behind the firewall, I think people are smoking big ol' bags of crack when they want to combine them.

From a security perspective it's like taking a Porsche (OpenBSD) and putting a 40 ton reciprocating steam engine that burns recycled pigshit in it. Just look at some of the papers that showed up at cansec and elsewhere recently about exploiting flaws in the gigatons of quickly written code that makes up the IDS systems. Remember the worms recently exploiting some of the Windows personal ones? Count lines of code in what you are considering running on it. If it's not open source, take the closest thing to it that is and triple it. These are exercises to make your sphincter tighten involuntarily, or at least they should.

Stick to OpenBSD on your firewall, and make it a firewall. It should be *simple and secure*. IDS systems are not. They do tons and tons and tons of parsing and pattern crud. Make your IDS system, well, an IDS system. More importantly, then chances are your firewall can be built on nothing but two (or three) cheap and simple boxes running carp and pfsync, then your IDS can have the money spent on it for balls-to-the-wall performance, and face it kids, who really gives a flying fsck at a rolling doughnut if the IDS system goes away while you fix a drive. You then don't need to spend a fortune for fully redundant stuff where you don't need to.

Think like OpenBSD users instead of people who gobble up the crap the trade rags feed your bosses while they're in airplanes. (Just wait, you'll see Cisco stuff for sale in the in-flight store soon; it's perfect for stuff targeted at people dumb enough and willing enough to part with money for overpriced junk.)

-Bob

PS: a very fine bottle of scotch for the first subscriber who mails me a genuine in-flight shopping rag I can buy Cisco gear in (now, not just an ad, I have to be able to buy a switch or a PIX the same time I'm buying jewelry for my mistress, motivational posters and trinkets for the natives, and stupid golf crap..) If I don't die laughing before mailing you the bottle.
* Jon Hart <[EMAIL PROTECTED]> [2005-07-28 09:00]:
> On Mon, Jul 11, 2005 at 06:54:28AM +0200, Matteo Mancini wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi *,
> >
> > I have to build a high-performance OpenBSD firewall with IDS included.
> > I'm thinking of using the server in the subject; has anyone tried it?
>
> For a price that is in the same ballpark, you should go with the 1850s.
> They've got faster PCI buses that'll be a big help:
>
> PE750:
> 1x 64-bit/66MHz PCI-X
> 1x 32-bit/33MHz PCI
>
> PE1850:
> 1x 64-bit/133MHz PCI-X
> 1x 64-bit/100MHz PCI-X
>
> Especially if you are slapping dual or quad port cards in there, the
> faster PCI will be a big help.
>
> -jon

--
Bob Beck  Computing and Network Services  [EMAIL PROTECTED]  University of Alberta
True Evil hides its real intentions in its street address.
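The two-box carp/pfsync firewall pair Bob describes, written out as an added configuration example that is not part of the original thread. Interface names (em0 external, em1 internal, em2 as a dedicated sync link), the RFC 5737 / RFC 1918 addresses and the `CHANGEME` password are assumed placeholders, and the file syntax is the current OpenBSD hostname.if(5), pfsync(4) and pf.conf(5) form rather than the 2005-era one.

```conf
# /etc/hostname.carp0 on the primary firewall (external side, em0).
# 192.0.2.1 is the shared address upstream routers point at. vhid and
# pass must match on both boxes; the secondary uses the same line with
# advskew 100 so it only takes the address when the primary stops
# advertising.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME advskew 0

# /etc/hostname.carp1 on the primary firewall (internal side, em1).
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em1 pass CHANGEME advskew 0

# /etc/hostname.pfsync0 on both firewalls.
# em2 is a crossover cable between the two boxes. pfsync state updates
# are not authenticated, so they stay on that dedicated segment.
up syncdev em2

# /etc/sysctl.conf on both firewalls.
# preempt: if any carp interface on the master fails, demote all of them
# so a single box always owns both sides of the path.
net.inet.carp.preempt=1

# /etc/pf.conf fragment on both firewalls.
# carp advertisements and pfsync traffic must be passed, and pfsync's own
# state must not be synced back through itself.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)
```

With this in place the firewall rules themselves are the ordinary pf.conf you would write for a single box; the IDS sensors hang off span ports or taps on either side and never share the firewall's code base.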