High performance IDS/Firewall
meconlen at obfuscated.net
Wed May 28 14:54:16 PDT 2003
I'm considering setting up a FreeBSD firewall/IDS system to handle
60-80Mbit/sec of traffic. The box would have three adapters, two of them
bridging and one for access. I will place the IDS on the outside bridge
interface and apply IPFW rules on the system as needed. My concern is
what the failure order is if the system is under heavy load. My perfered
order would be
snort (libpcap) drops packets and snort fails to detect
firewall fails to block
system drops packets
as it's more important for the system to be running than to identify or
block the things we are trying to identify and block.
Is this the order things would fall over, or am I likely to cause the
system to drop packets as soon as things get ugly.
PS: I'm considering a dual p4 2Gz 4GB of memory system, and SCSI-3 disk
subsystem. and there's only one server on the "inside" of this network,
so I don't think I'll have a major failure situation, unless someone
suddenly generates over 20Mbit of DOS traffic, and those people usually
go after the router...
More information about the freebsd-performance