IDS Bridge Configuration?



  • For reasons I won't bore you with, I built my home pfSense using a Jetway NF592-Q170 with an i5 and 16 GB of RAM. This motherboard has 8x Intel interfaces (1x I219, 7x I211). This box is very capably running Suricata in IPS mode without any packet loss, but I'm interested in learning more about Bro/Zeek and trying some different configurations of pfSense. I would like to continue to run Suricata, and add a configuration similar to the left side of the image here: http://wiki.networksecuritytoolkit.org/images/Nst_quad_tap_networking.png

    Unfortunately I don't have $1500 per segment to spend on TP-CU3s. Nor do I have a high end switch capable of high-quality port spanning as suggested here, here, and here. I'm willing to spend up to a few hundred on a managed switch if that's the best bet, but the SANS ISC guys indicate that port mirroring on consumer grade switches has issues with buffer memory.

    I do have 6 available interfaces on my pfSense box. Would it be possible to:
    Bridge WAN+OPT1 with OPT1 as a span to my Bro/Zeek box? I realize this would be 50% throughput -- 500 Mbps full duplex. Could I then do the same for LAN?

    Or do I need to burn an interface each time to get the bridge? So WAN+OPT1 = Bridge1, then Bridge1 spans to OPT2?

    What are the major disadvantages to doing it this way rather than using a switch?

    Thanks
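As an added example (not part of the original post), this is the FreeBSD if_bridge mechanism that pfSense's Interfaces > Bridges "Span port" option drives underneath: a bridge of two member interfaces plus a separate span interface, which is the arrangement the "Bridge1 spans to OPT2" variant above describes. In if_bridge a span port receives a transmitted copy of every frame the bridge forwards and cannot itself be a member, so the span does cost a third NIC. The interface names igb0/igb1/igb2 are assumptions for the example; check `ifconfig -l` on the box for the real ones. The script prints the commands by default so the plan can be reviewed (and tested) before it is applied to a live firewall.

```shell
#!/bin/sh
# Added example of a FreeBSD if_bridge with a span port, the same thing
# pfSense configures from Interfaces > Bridges (advanced options, Span port).
# Interface names are assumptions: igb0 = WAN side, igb1 = inside (OPT1),
# igb2 = span port cabled to the Zeek sensor's capture NIC.
#
# if_bridge semantics that matter here:
#   - span ports transmit a copy of every frame the bridge receives;
#   - a span interface cannot also be a bridge member, so it is a third NIC;
#   - the span port only ever transmits, so it carries at most one
#     direction's worth of line rate for a full-duplex pair of members.

# bridge_span_cmds BRIDGE MEMBER1 MEMBER2 SPAN
# Prints the ifconfig commands that create the bridge, add both members,
# attach the span port and bring every interface up. Refuses a span port
# that is also named as a member, which if_bridge would reject anyway.
bridge_span_cmds() {
    br=$1; m1=$2; m2=$3; sp=$4
    if [ "$sp" = "$m1" ] || [ "$sp" = "$m2" ]; then
        echo "error: span port $sp cannot also be a bridge member" >&2
        return 1
    fi
    if [ "$m1" = "$m2" ]; then
        echo "error: bridge members must be distinct interfaces" >&2
        return 1
    fi
    printf 'ifconfig %s create\n' "$br"
    printf 'ifconfig %s addm %s addm %s span %s up\n' "$br" "$m1" "$m2" "$sp"
    printf 'ifconfig %s up\n' "$m1"
    printf 'ifconfig %s up\n' "$m2"
    printf 'ifconfig %s up\n' "$sp"
}

# apply_bridge_span BRIDGE MEMBER1 MEMBER2 SPAN
# Dry run by default; set APPLY=1 to execute the printed commands as root.
apply_bridge_span() {
    if [ "${APPLY:-0}" = "1" ]; then
        bridge_span_cmds "$@" | sh -e
    else
        bridge_span_cmds "$@"
    fi
}

# Example: WAN (igb0) bridged to OPT1 (igb1), OPT2 (igb2) as the span port.
# apply_bridge_span bridge0 igb0 igb1 igb2
```

On the sensor side, the Zeek box's capture NIC needs no IP address and should run promiscuous; the pfSense end of the span link is transmit-only. Worth checking before relying on it: a 1 Gb/s full-duplex member pair can carry up to 2 Gb/s of combined traffic, but a single span port can only transmit 1 Gb/s, so under heavy bidirectional load the span silently drops the excess rather than slowing the bridge. For the same arrangement on the LAN, the pattern repeats with a second bridge, two more members and another span NIC.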