[SLUG] Firewall latency

From: Ronan Heffernan (ronanh@auctionsolutions.com)
Date: Wed Jul 07 2004 - 12:32:41 EDT


I am looking at adding some security (iptables and snort) to my
network. I have several questions and problem-domains; if anyone has
answers or experience with this, please pipe up.

* What kind of latency (expressed as ms?) and CPU load (expressed as, I
dunno, %CPU on a 900MHz Xeon? or other suitable expression) is
introduced by having IPTables examine packets? Does the penalty scale
(linearly? geometrically?) with the number of firewall rules? Is the
latency higher on 100Mbit than 10Mbit? How does the penalty scale-up in
relation to load/traffic?

* If snort detects an 'attack' (or portscan, etc.), what is a good way
to have it create IPTables rules to block attackers?

* Related to the above question: can I have snort on one IDS box
reach-out and create the rules on all of my other boxen (I guess SSH is
a gimme, but is there a more structured protocol for propagating these
messages?) Yes, this question exposes the fact that my boxen are not
behind a single firewall. I am trying to avoid an expensive firewall
(e.g. Cisco 535 = $21k) by running IPTables on each of the 6 machines
that need to be protected.

* Isn't Windows naturally more secure? (Sorry, that one is just
flamebait tossed-in for entertainment value!)

* Do I need to merge various snort rulesets into my machine periodically
(on www.snort.org, there is a ~15 line ruleset for dealing with NIMDA)?
Is there an auto-updating source (well trusted, of course) that I can
fetch from every day, week, etc?

* Is anyone running a tarpit using the IPTables TARPIT module? It
sounds like a good idea, what do you think?

Thanks.

--ronan
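One way to approach the snort-to-iptables question above, as an added example that is not part of this post or of either project's own tooling: a small Python script that parses constructed lines in Snort's one-line "fast" alert format, counts high-priority alerts per source address, and emits iptables DROP commands for repeat offenders, skipping any source inside the network's own ranges so a spoofed alert cannot lock out legitimate hosts. The sample alerts, the protected ranges, the thresholds and the function names are all assumptions; the commands are returned as strings so they can be applied locally or shipped to each protected machine over SSH.

```python
import ipaddress
import re
from collections import Counter

# Matches Snort's one-line "fast" alert output: [gid:sid:rev] msg [**] ... [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (documentation-range addresses, not real traffic)
SAMPLE_ALERTS = """\
07/07-12:32:41.100000  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 198.51.100.5:80
07/07-12:32:42.200000  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4322 -> 198.51.100.5:80
07/07-12:33:01.300000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.7 -> 198.51.100.5
07/07-12:33:05.400000  [**] [1:2003:8] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.2:5555 -> 198.51.100.5:80
"""


def parse_alerts(text):
    """Return one dict per recognisable alert line; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({**m.groupdict(), "prio": int(m.group("prio"))})
    return alerts


def block_rules(alerts, protected_nets, max_priority=2, min_hits=2):
    """Build iptables DROP commands for sources with >= min_hits alerts of priority <= max_priority.

    Sources inside protected_nets are never blocked: Snort reports whatever source
    address is on the wire, so a spoofed packet must not be able to cut off our own hosts.
    """
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    hits = Counter(a["src"] for a in alerts if a["prio"] <= max_priority)
    cmds = []
    for src, count in sorted(hits.items()):
        ip = ipaddress.ip_address(src)
        if count < min_hits or any(ip in net for net in nets):
            continue
        cmds.append(f"iptables -I INPUT -s {src} -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in block_rules(parse_alerts(SAMPLE_ALERTS), ["198.51.100.0/24"]):
        print(cmd)
```

Low-priority noise such as the portscan line is filtered by the priority threshold, and the repeat-hit threshold keeps a single false positive from producing a rule.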

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:11:52 EDT