    How's my Hardware
      Theeli

      Hey Guys,

      I know these types of questions have probably been asked a ton but it would be great if someone can double check for me before I make this big purchase on hardware.

      I have a network that averages 10 Gbps during peak hours. We have a Network Monitor plugged inline that will port mirror the 10 Gbps traffic. I would like to build a Suricata Sensor as an IDS (passive) that will be able to take the throughput. The end goal would be to enable a good chunk of signatures (6,000+) and hopefully achieve 0% packet loss. After doing some reading, it really just seems that the CPU and network card are the most important aspects. So, here is what I've mapped out:

      E5-4669V4 2.2 GHz 22 Core/ 44 thread Processor
      192 GB DDR4 2400 MHz RAM
      16 TB of HDD
      2x 10 Gigabit Ethernet connection

      Unfortunately, I am limited to buying something from CDW, so those specs come from this box below, with a few upgrades:
      https://www.cdw.com/shop/products/HPE-ProLiant-DL560-Gen9-rack-mountable-Xeon-E5-4669V4-2.2-GHz-64-GB/4313418.aspx?pfm=srh&expand=TS#PO

      From what I've read I feel that this will be more than enough, but like I said it's not a cheap buy so getting a second set of eyes to confirm my hardware equipment would be great help.

      Thanks!

        VAMike

        I'd get a smaller box (fewer sockets) with a higher clock rate. In general, the more sockets + cores, the slower the CPU. You don't need that much RAM, and I'd consider balancing all the available channels more important than the total RAM size. The 16TB of disk makes me a little curious–that's a lot for logs, and if you're trying to do packet capture that's a whole additional layer of requirements. I would not use pfsense as the basis for a pure IDS solution, and honestly would advise you to do this on linux rather than freebsd. See

        https://suricon.net/wp-content/uploads/2016/11/SuriCon2016_MichalPurzynski_PeterManev.pdf
        https://github.com/pevma/SEPTun/raw/master/SEPTun.pdf

        for some food for thought. There are some implicit assumptions there, like a hardware device to balance streams between NICs. At 10Gbps the hardware feeding the IDS is just as important as the IDS itself. There are other ways to configure things, but that's one nicely documented example if it works in your environment.

          belt9

          Yeah probably not a good use for pfSense. I'd suggest reaching out directly to the suricata team for this build. They can do a much better job of recommending hardware.

            Guest

            It really depends on your network load. 20Mbit will run fine on any hardware, including an E5 with NUMA.

              VAMike

              @johnkeates:

              It really depends on your network load. 20Mbit will run fine on any hardware, including an E5 with NUMA.

              Right at the top he said it averages 10Gbit…

                Theeli

                @VAMike:

                I'd get a smaller box (fewer sockets) with a higher clock rate. In general, the more sockets + cores, the slower the CPU. You don't need that much RAM, and I'd consider balancing all the available channels more important than the total RAM size. The 16TB of disk makes me a little curious–that's a lot for logs, and if you're trying to do packet capture that's a whole additional layer of requirements. I would not use pfsense as the basis for a pure IDS solution, and honestly would advise you to do this on linux rather than freebsd. See

                https://suricon.net/wp-content/uploads/2016/11/SuriCon2016_MichalPurzynski_PeterManev.pdf
                https://github.com/pevma/SEPTun/raw/master/SEPTun.pdf

                for some food for thought. There are some implicit assumptions there, like a hardware device to balance streams between NICs. At 10Gbps the hardware feeding the IDS is just as important as the IDS itself. There are other ways to configure things, but that's one nicely documented example if it works in your environment.

                Thanks for the tips, I'll read through that document as it looks really resourceful. The 16 TB was just my assumption of about 2-3 weeks of storing packets; I might also just archive and move over to a larger NAS if we need to store more. Looks like I can tweak some settings and lower the cost a bit. I was actually planning on using a Linux distro as opposed to FreeBSD for this setup.

                @belt9:

                Yeah probably not a good use for pfSense. I'd suggest reaching out directly to the suricata team for this build. They can do a much better job of recommending hardware.

                I did just send out an email to their team to see what they also recommend.

                Thanks again for the suggestions, this is the first time I've had to tackle a large network like this.

                  Guest

                  Keep in mind that if you simply ingest that mirror port, you won't really have to worry about NAT speed or bridging or routing etc. Only 'eating' packets fast enough.
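Whether the box is "eating packets fast enough" is something the deployed sensor can tell you directly: Suricata writes periodic stats records to eve.json with cumulative capture.kernel_packets and capture.kernel_drops counters. The script below, an added example that is not from this thread or the Suricata project, reads those records, flags every stats interval whose drop rate exceeds a threshold (0% by default, matching the goal in the first post), and reports the cumulative drop rate; the sample records and their numbers are constructed.

```python
import json

# Constructed sample of Suricata eve.json records: four "stats" records (one per
# stats interval) and an unrelated alert. Counters are cumulative, as Suricata
# reports them; the numbers are invented for illustration.
SAMPLE_EVE = """
{"timestamp":"2017-06-01T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":1000000,"kernel_drops":0}}}
{"timestamp":"2017-06-01T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":68,"capture":{"kernel_packets":2100000,"kernel_drops":0}}}
{"timestamp":"2017-06-01T10:00:16.000000+0000","event_type":"stats","stats":{"uptime":76,"capture":{"kernel_packets":3300000,"kernel_drops":6000}}}
{"timestamp":"2017-06-01T10:00:24.000000+0000","event_type":"stats","stats":{"uptime":84,"capture":{"kernel_packets":4300000,"kernel_drops":6000}}}
{"timestamp":"2017-06-01T10:00:24.000000+0000","event_type":"alert","alert":{"signature":"constructed"}}
"""

def stats_events(lines):
    """Yield only the parsed stats records from an eve.json line stream."""
    for line in lines:
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("event_type") == "stats":
                yield ev

def drop_intervals(lines, max_drop_pct=0.0):
    """Return (timestamp, packets, drops, drop_pct) for intervals exceeding max_drop_pct."""
    prev, bad = None, []
    for ev in stats_events(lines):
        cap = ev["stats"]["capture"]
        cur = (ev["timestamp"], cap["kernel_packets"], cap["kernel_drops"])
        if prev is not None:
            pkts, drops = cur[1] - prev[1], cur[2] - prev[2]
            # Counters restart from zero after a Suricata restart; skip that interval.
            if pkts >= 0 and drops >= 0:
                pct = 100.0 * drops / pkts if pkts else 0.0
                if pct > max_drop_pct:
                    bad.append((cur[0], pkts, drops, round(pct, 4)))
        prev = cur
    return bad

def overall_drop_pct(lines):
    """Cumulative drop percentage taken from the most recent stats record."""
    last = None
    for ev in stats_events(lines):
        last = ev["stats"]["capture"]
    if not last or not last["kernel_packets"]:
        return 0.0
    return 100.0 * last["kernel_drops"] / last["kernel_packets"]

if __name__ == "__main__":
    for ts, pkts, drops, pct in drop_intervals(SAMPLE_EVE.splitlines()):
        print(f"{ts}: {drops} of {pkts} packets dropped ({pct}%)")
    print(f"overall: {overall_drop_pct(SAMPLE_EVE.splitlines()):.3f}% dropped")
```

On a live sensor, feed it the real eve.json (for example by tailing the file) and alert on any interval it returns; a drop rate that climbs only during the 10 Gbps peak hours points at the capture path rather than the rule set.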
