Built-in packet capture v. dedicated packet capture appliance
-
Packet capture appliances seem to start at about $15,000. For example, the Klos Technologies PacketVault (http://www.klos.com/products/packetvault/) is $15,000 in base configuration. Riverbed's NetShark is apparently $25,000 and the Fidelis XPS is probably a lot more than that. My question is whether anyone would prefer the built-in packet capture features of pfSense vs. these other systems. I have the C2758 and it makes sense to utilize the 80 gigs of storage for something useful. The goal is to log/analyze attacks on a secure communications platform that is in development. What would people recommend? Thanks.
-
80GB is not very much storage if your talking of storing packets for later forensics Shoot 80GB I carry around more than that on my keyring thumbdrive ;)
-
A dedicated *BSD or *nix system running tcpdump is much cheaper. The question I'd have is whether or not it can capture at sustained full line rate without missing any packets. That may be at least part of why those paid for dedicated solutions are so expensive.
-
A dedicated *BSD or *nix system running tcpdump is much cheaper. The question I'd have is whether or not it can capture at sustained full line rate without missing any packets. That may be at least part of why those paid for dedicated solutions are so expensive.
Line rate and data integrity are the biggest reasons for cost I'd guess.
-
Is this what 802.3x is about, ie pausing packets at the switch level, plus a decent switch should be able to handle port mirroring, so you could router/copy all traffic off to a NAS of sorts?
Personally though, unless you are the NSA with plenty of Intel Xeon's with the AES NI instruction sets built into the chips and you are using encryption algo's found on those Xeon's to brute force crack the encrypted transmission (what they like to call quantum crypto but brute force cracking captured transmission from decades ago), theres not much point using encryption behind the firewall as its harder to audit and log all the lan traffic not to mention slower as each machine has a few extra clock cycles wasted encrypting & decrypting things.
Besides your browser amongst other apps is also a potential zero day delivery mechanism right on in to your computer sat behind the firewall, which then kind of negates the need for a firewall in many ways.
So a switch & nas supporting 802.3x maybe all you actually need along with a decent file system. The thing with the file systems is, the better redundancy they offer, the slow they become as it takes a while to write, data in multiple parts, and thats before you get into which raid is faster debate.
-
A dedicated *BSD or *nix system running tcpdump is much cheaper. The question I'd have is whether or not it can capture at sustained full line rate without missing any packets. That may be at least part of why those paid for dedicated solutions are so expensive.
After significant testing of my prototype security appliance, which is a custom-built RHEL 6.7 system running ntop and Snort (see product page: https://r.raellic.com/vision/), I can answer this question now. When tapping a network segment between two BSD-type devices (i.e. my pfSense firewall appliance and iMac) that are saturating a gigabit network, plain Linux cannot sustain a full capture to disk without packet loss. This occurs no matter how large I set the buffer in tcpdump. However, I experience no packet loss when capturing from a Linux device. I assume the BSD network stack and kernel simply outperform Linux. Snort, with its packet pre-processor and filters, seems to be able to keep up with BSD as long as I don't attempt a full capture to disk. I should note that I didn't try running the PF_RING drivers with ntop, which are supposed to improve performance. I believe the situation would be different if I used the appliance inline as a router, but that presents other issues like added load from processing NAT, firewall rules, etc. in addition to capturing to disk.
There is apparently an industry consortium devoted to writing high performance drivers for various NICs (http://dpdk.org), which I expect to test when I have a chance. It may make more sense to further develop the packet capture feature of pfSense, or perhaps a custom BSD-derived OS running on a separate box, that accomplishes high performance packet capture to disk. I suppose the ultimate would be custom silicon with onboard packet processing, but venture funding would be required. Thanks everyone for your comments.
-
Dear Andrew!
Could You be so please to describe hardware logical scheme when all traffic (in/out) from mine gate are captured for further forensics analyses by other IDS/IPS software like Snort, Surucata, WireShark, Splunk...
This is something close to port mirroring and send mirrored traffic to capturing applience with pfSense, am I right?
Thank You for efforts!