I have a couple of questions about snort
-
I have a WatchGuard M400, i5 4th gen, 8GB RAM, 256GB SSD.
I use HAproxy, plex, smtp, sftp, and 443 in my environment.
If I install Snort will I have any issues, or do I need to watch or change something in snort?
And will having IDS/IPS enabled on my Gbit Cable connection cause reduction in speed?
Thanks,
-
If this is a home network, then I am hesitant to suggest using Snort. Especially if you have no prior experience running an IDS/IPS platform. It takes very specialized knowledge to configure, tune and monitor the IDS packages.
If you want to try it, put an instance on your LAN and DO NOT turn on blocking for several weeks. Let it run and check the ALERTS tab at least daily, and preferably more often, to see what kind of alerts are being generated. Remember that every alert you see is a potential block of that traffic when blocking is turned on. If the alerts are false positives (and many of them will be), that means legitimate stuff would get blocked. Lots of aggravation comes with that.
And finally, yes using an IDS/IPS will impact your performance. How much is a matter of how many rules you choose to enable, which mode you choose for blocking (Legacy Mode or Inline IPS Mode), and of course CPU horsepower. Oh, and with Inline IPS Mode your hardware NIC must support the netmap kernel device. How well it supports netmap or not determines in large part how much of a performance penalty you may see.
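The advice above comes down to reading the alerts before anything is allowed to block. As an added example (not part of this thread, and not code from the pfSense Snort package), here is a small Python script that parses lines in Snort's `alert_fast` output format and ranks the rule signatures by how often they fired and how many internal hosts they touched, which is exactly the list you want when deciding which noisy signatures to suppress or disable before enabling blocking. The sample alert lines, the SIDs, the addresses and the "local network" ranges are all constructed for the example.

```python
"""Rank Snort alert_fast entries by signature to find blocking candidates / likely false positives."""
import ipaddress
import re

# Constructed sample lines in Snort's alert_fast format (illustrative SIDs, RFC 5737 / private addresses).
SAMPLE_ALERTS = """\
03/12-10:15:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:80 -> 192.168.1.50:52345
03/12-10:15:03.222222  [**] [1:2101201:9] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:443 -> 203.0.113.7:41000
03/12-10:15:04.333333  [**] [1:2101201:9] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:443 -> 203.0.113.8:41001
03/12-10:16:09.444444  [**] [1:2101201:9] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:443 -> 198.51.100.9:41002
03/12-10:17:30.555555  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.44:55000 -> 192.168.1.20:22
03/12-10:18:00.666666  [**] [1:2101201:9] GPL WEB_SERVER 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:443 -> 192.168.1.77:41003
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] message [**], optional classification
# and priority, then {PROTO} src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Assumption for the example: these ranges are "inside" the firewall.
LOCAL_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def split_endpoint(endpoint):
    """'ip:port' for TCP/UDP, bare 'ip' for ICMP. IPv6 endpoints are not handled here (assumption)."""
    if endpoint.count(":") == 1:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match the format."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")) if m.group("prio") else None,
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def is_local(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def summarize(alert_text, local_nets=LOCAL_NETS):
    """Group alerts by SID; count hits and the distinct local/remote hosts each signature involved.

    Returned list is sorted by hit count (descending): the top entries are the signatures
    that would block the most traffic if the same alerts were generated with blocking on.
    Unparsable lines are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    by_sid = {}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        rec = by_sid.setdefault(alert["sid"], {
            "sid": alert["sid"], "msg": alert["msg"], "priority": alert["priority"],
            "count": 0, "local_hosts": set(), "remote_hosts": set(),
        })
        rec["count"] += 1
        for ip in (alert["src_ip"], alert["dst_ip"]):
            (rec["local_hosts"] if is_local(ip, nets) else rec["remote_hosts"]).add(ip)
    return sorted(by_sid.values(), key=lambda r: (-r["count"], r["sid"]))


if __name__ == "__main__":
    for rec in summarize(SAMPLE_ALERTS):
        print(f"{rec['count']:>4}  sid {rec['sid']:<8} prio {rec['priority']}  "
              f"local={len(rec['local_hosts'])} remote={len(rec['remote_hosts'])}  {rec['msg']}")
```

Run against your own `alert` file from the Snort log directory instead of `SAMPLE_ALERTS` and the top of the list is what to investigate first: a signature that fires hundreds of times on your own web or mail server is far more likely a tuning problem than an attack, and it is the one that will cause the most aggravation the day blocking is switched on.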
-
Is the performance impact not related to the firewall's hardware? From what I understand Ubiquiti uses snort, and their UDM Pro which is more powerful than their old gen router/firewall which doesn't hurt the performance much. It's definitely not an i5-4570 inside their UDM Pro or 8GB of RAM.
Thanks,
-
@Smoothrunnings said in I have a couple of questions about snort:
Is the performance impact not related to the firewall's hardware? From what I understand Ubiquiti uses snort, and their UDM Pro which is more powerful than their old gen router/firewall which doesn't hurt the performance much. It's definitely not an i5-4570 inside their UDM Pro or 8GB of RAM.
Thanks,
Certainly the underlying hardware has a huge impact on the performance of an IDS/IPS. How Snort or any IDS/IPS impacts performance is also heavily influenced by the mode. When running in IDS mode (detection only, no blocking), the impact is very minimal unless you truly have anemic hardware. And with IDS mode, dropping packets (by the IDS) would be unnoticed. IDS mode is a parallel processing path for the packet stream. So a copy of each packet is inspected while the original packet goes straight to the kernel stack.
With IPS mode (intrusion prevention which means detection and blocking), there is a performance penalty. This is particularly true with inline IPS modes because every single packet pulled from the NIC has to be inspected by the IPS engine and then either passed on to the kernel network stack or dropped. The IPS engine literally sits between the NIC and the kernel stack, and every packet must go through the IPS engine (no parallel path of "copied" packets). And in this configuration, any dropped packets (as in the IPS engine could not keep up with the packet line rate) means interrupted network flow and thus a performance penalty.