Building an IDS system

halve

Member
Aug 1, 2002
34
0
0
As the title states I am going to build an IDS system to monitor all traffic going out of our PIX and coming back in. I plan to use FreeBSD for the OS and Snort for the IDS. I want to go with a 64bit processor from AMD and the case needs to be a rackmounted case that will fit in a Dell Rack. I do not need redundancy like dual power supplies or raid or some such. What I do need is some info on what Board would be a good fit for a 64bit processor, should I go AMD64 or Opteron? What type of Hard Drives would you use, maybe 2 SCSI drives, one for the OS and Snort and the other for MySQL? Any help would be very much appreciated, thanks so much everyone.

Halve
 

mikecel79

Platinum Member
Jan 15, 2002
2,858
1
81
How much traffic will this machine be sniffing? That would go a long way in determining how much disk space and CPU you would need.
 

thorin

Diamond Member
Oct 9, 1999
7,573
0
0
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
 

halve

Member
Aug 1, 2002
34
0
0
The network supports around 1000 nodes. I can't remember how many packets go through that area at the moment, but I can run a quick collection and let you guys know.

Halve
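One way to turn that "quick collection" into the numbers mikecel79 asked for, added here as an example and not code from any poster in this thread: a small Python script that parses a classic libpcap file (the format tcpdump -w writes) and derives packets per second, wire megabits per second, and projected daily disk use, both for a snaplen-limited capture and for full-packet capture. The sample capture is constructed inline rather than taken from a real network; the snaplen of 96 bytes and the four sample frames are assumptions made for the illustration.

```python
import struct
from typing import List, NamedTuple

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


class PacketRecord(NamedTuple):
    ts: float        # capture timestamp in seconds
    orig_len: int    # bytes that were on the wire
    incl_len: int    # bytes actually stored in the file (<= snaplen)


def parse_pcap(data: bytes) -> List[PacketRecord]:
    """Parse a classic libpcap (microsecond timestamp) file into per-packet records."""
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic libpcap file (magic 0x%08x)" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    records = []
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset + PCAP_RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        offset += PCAP_RECORD_HEADER_LEN
        # A record claiming more bytes than snaplen, or more than remain in the
        # file, is corrupt or truncated; fail rather than size from garbage.
        if incl_len > snaplen or offset + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d"
                             % (offset - PCAP_RECORD_HEADER_LEN))
        records.append(PacketRecord(ts_sec + ts_usec / 1e6, orig_len, incl_len))
        offset += incl_len
    return records


def size_capture(records: List[PacketRecord], seconds_per_day: int = 86400) -> dict:
    """Derive link load and projected per-day disk use from a short sample."""
    if len(records) < 2:
        raise ValueError("need at least two packets to measure a duration")
    duration = records[-1].ts - records[0].ts
    if duration <= 0:
        raise ValueError("timestamps do not advance; cannot compute a rate")
    wire_bytes = sum(r.orig_len for r in records)
    captured_bytes = sum(r.incl_len for r in records)
    header_overhead = PCAP_RECORD_HEADER_LEN * len(records)
    per_day = seconds_per_day / duration
    return {
        "packets": len(records),
        "wire_bytes": wire_bytes,
        "captured_bytes": captured_bytes,
        "duration_s": duration,
        "pps": len(records) / duration,
        # bandwidth the sensor must keep up with is set by wire bytes...
        "wire_mbps": wire_bytes * 8 / duration / 1e6,
        # ...but disk consumption is set by what is actually written
        "snaplen_gb_per_day": (captured_bytes + header_overhead) * per_day / 1e9,
        "full_capture_gb_per_day": (wire_bytes + header_overhead) * per_day / 1e9,
    }


def build_sample_pcap() -> bytes:
    """Constructed sample: four frames over two seconds, captured with snaplen 96."""
    snaplen = 96
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    frames = [(1000, 0, 100), (1000, 500000, 1500), (1001, 0, 60), (1002, 0, 340)]
    body = b""
    for sec, usec, wire_len in frames:
        stored = bytes(min(wire_len, snaplen))   # zero-filled; contents are irrelevant to sizing
        body += struct.pack("<IIII", sec, usec, len(stored), wire_len) + stored
    return header + body


if __name__ == "__main__":
    # For a real sample: tcpdump -i <iface> -s 96 -c 100000 -w sample.pcap, then
    # pass open("sample.pcap", "rb").read() to parse_pcap().
    for key, value in size_capture(parse_pcap(build_sample_pcap())).items():
        print("%-24s %s" % (key, value))
```

The distinction between orig_len and incl_len is the point: CPU and NIC sizing follow the wire rate, while the disk sizing thorin and n0cmonkey were debating follows only what the sensor writes, so an alert-only or snaplen-limited sensor needs far less disk than a full-packet spool of the same link.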
 

thorin

Diamond Member
Oct 9, 1999
7,573
0
0
Originally posted by: n0cmonkey
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin
 

Sideswipe001

Golden Member
May 23, 2003
1,116
0
0
Originally posted by: thorin
Originally posted by: n0cmonkey
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin


Well it's not like AMD makes any other server-class chips.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: thorin
Originally posted by: n0cmonkey
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin

My only question would be how well FreeBSD supports the AMD64 platform.
 

AFB

Lifer
Jan 10, 2004
10,718
3
0
Originally posted by: Sideswipe001
Originally posted by: thorin
Originally posted by: n0cmonkey
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Thorin

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.

Thorin


Well it's not like AMD makes any other server-class chips.
:Q How dare you say that. You=:evil: :frown::disgust::disgust:
 

mamisano

Platinum Member
Mar 12, 2000
2,045
0
76
I agree on SCSI or even 2x SATA (WD Raptors), especially good when you need to run reports.

We had an IDS setup here that included 3 sensors (2x processor/SCSI) and 1 console (basic P3 desktop). The IDS system ran ISS.com's IDS software and Win2K as the OS.

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: mamisano
I agree on SCSI or even 2x SATA (WD Raptors), especially good when you need to run reports.

We had an IDS setup here that included 3 sensors (2x processor/SCSI) and 1 console (basic P3 desktop). The IDS system ran ISS.com's IDS software and Win2K as the OS.

ISS requires beefier hardware than some other IDSes. Also, they recommend not putting the log monitoring software on the sensor (and that will be a question they ask if you call for support). One of the reasons is speed. The log monitoring software will eat up resources like no other.
 

thorin

Diamond Member
Oct 9, 1999
7,573
0
0
Originally posted by: Sideswipe001
Originally posted by: thorin
Originally posted by: n0cmonkey
Originally posted by: thorin
IDS System = Intrusion Detection System System

Is there some reason you want a 64bit processor? And why SCSI drives? IDE (PATA or SATA) will do, spooling traffic even off a big pipe isn't that big a deal.

Getting traffic off the wire and inspecting each packet puts a strain on the CPU. Putting that information onto disk isn't a big deal, but since this system also seems to be the place to go to look at events, it can put a strain writing and reading large chunks of disk. I'd go with IDE too, but split these two parts of IDS monitoring into two computers (maybe IDE on the server).
I agree he needs a fast CPU but I don't see the need for a 64bit CPU.
Well it's not like AMD makes any other server-class chips.
That's some excellent work you're doing keepin the guys @ AMD employed buyin their procs "just because".

Thorin
 