Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Tony Zakula
Okay, I understand what you're saying now.  I agree, reliability is key.
Maybe a second firewall for customers who want that specifically.
This will be a major point of failure.  :-)  Thanks!

Tony

On Thu, Feb 10, 2011 at 9:46 AM, Greg Hennessy  wrote:
> I'm saying that for a hosted site style deployment that one shouldn't attempt 
> to cover the lot with a single point of inspection.
>
> If/when PFSense offers virtualized instances like say Juniper VSYS, then each 
> site [cw]ould have its own dedicated firewall/I[DP]S instance.
> Change control etc can then be applied at the most appropriate level.

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Greg Hennessy
I'm saying that for a hosted site style deployment that one shouldn't attempt 
to cover the lot with a single point of inspection. 

If/when PFSense offers virtualized instances like say Juniper VSYS, then each 
site [cw]ould have its own dedicated firewall/I[DP]S instance.
Change control etc can then be applied at the most appropriate level.  

> -Original Message-
> From: Tony Zakula [mailto:tonyzak...@gmail.com]
> Sent: 10 February 2011 3:36 PM
> To: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Considering Switching to Pfsense
> 
> Wow!  Cool.  So the IDS is built in.
> 
> Greg, are you saying you can enable or disable Snort on an ip address
> basis?  Some ips get it and some do not?  Can you expound on that a
> little?  I always assumed it was firewall wide, or are you saying each
> hosted site would have their own IDS or paying customers would be
> behind another router/firewall?
> 
> Thanks for all this great info!
> 
> Tony





Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Tony Zakula
Wow!  Cool.  So the IDS is built in.

Greg, are you saying you can enable or disable Snort on an ip address
basis?  Some ips get it and some do not?  Can you expound on that a
little?  I always assumed it was firewall wide, or are you saying each
hosted site would have their own IDS or paying customers would be
behind another router/firewall?

Thanks for all this great info!

Tony

On Thu, Feb 10, 2011 at 9:30 AM, Greg Hennessy  wrote:
> For hosted sites, I would suggest enablement on a site by site basis.
>
> A change control snafu/bad update could kill everything otherwise.




RE: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Greg Hennessy
For hosted sites, I would suggest enablement on a site by site basis.

A change control snafu/bad update could kill everything otherwise.

From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: 10 February 2011 3:29 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Considering Switching to Pfsense

The snort plugin has this functionality built in. Just enter your oink code and 
set how often you want it to update.


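Greg's change-control caveat above (a bad rule update taking inspection down for every hosted site at once), paired with Tim's note that the Snort package pulls rule updates on a schedule, as an added worked example that is not from the thread and is not pfSense's or the Snort package's own code: pre-flight a freshly fetched rule set offline and only swap it into place if it passes, keeping the previous set for rollback. It assumes the Snort 2 text rule format; the file name and the sample rules are constructed, not real signatures.

```python
import os, re, tempfile

# Snort 2 rule header: action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)

def parse_options(opts):
    """'msg:"a; b"; sid:1; nocase;' -> dict; splits on ';' outside double quotes."""
    out = {}
    for item in re.findall(r'(?:[^;"]|"[^"]*")+', opts):
        key, _, val = item.strip().partition(":")
        if key:
            out[key] = val.strip() or None  # bare flags such as nocase map to None
    return out

def validate_ruleset(text):
    """Return (accepted_rules, errors); any error means the set must not go live."""
    rules, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: malformed rule header")
            continue
        opts = parse_options(m.group("opts"))
        sid = opts.get("sid") or ""
        if "msg" not in opts or not sid.isdigit():
            errors.append(f"line {lineno}: missing msg or numeric sid")
        elif int(sid) in seen:  # duplicate sids stop Snort loading the whole set
            errors.append(f"line {lineno}: duplicate sid {sid}")
        else:
            seen.add(int(sid))
            rules.append({**m.groupdict(), "sid": int(sid)})
    return rules, errors

def stage_update(new_text, active_path):
    """Swap the candidate in atomically only if it validates; keep .prev for rollback."""
    rules, errors = validate_ruleset(new_text)
    if errors or not rules:
        return False  # update rejected, live rules untouched
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(active_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    if os.path.exists(active_path):
        os.replace(active_path, active_path + ".prev")
    os.replace(tmp, active_path)
    return True

# Constructed sample sets (not real signatures): a clean set and a bad update.
GOOD = ('# constructed sample rule set\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample; path"; content:"/sample"; nocase; sid:1000001; rev:1;)\n'
        'alert udp any any -> $HOME_NET 53 (msg:"DNS sample"; sid:1000002; rev:1;)\n')
BAD = GOOD + ('alert tcp any any -> any 22 (msg:"dup sid"; sid:1000002; rev:1;)\n'
              'alert tcp any any any any (msg:"no direction"; sid:1000003;)\n')

def run_demo():
    """Apply GOOD, then attempt BAD; returns (good_applied, bad_applied, live_still_good)."""
    path = os.path.join(tempfile.mkdtemp(), "snort.rules")
    good_ok = stage_update(GOOD, path)
    bad_ok = stage_update(BAD, path)
    with open(path) as f:
        return good_ok, bad_ok, f.read() == GOOD
```

The same gate can be run per site when each hosted site gets its own rule set, so one rejected update never touches the others.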


Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Tim Dressel
The snort plugin has this functionality built in. Just enter your oink code
and set how often you want it to update.

On Thu, Feb 10, 2011 at 7:16 AM, Tony Zakula  wrote:

> Yes, but I was just wondering if this is routing for say several
> hundred hosted sites, if it would be appropriate to do that on the
> main router or not.  I guess you could start with that, but then turn
> it off right?
>
> How then do people update their rules if they are using say snort?
> Purchase a contract direct?  Any other solutions out there for
> Pfsense?
>
> Tony Z


Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Tony Zakula
Yes, but I was just wondering if this is routing for say several
hundred hosted sites, if it would be appropriate to do that on the
main router or not.  I guess you could start with that, but then turn
it off right?

How then do people update their rules if they are using say snort?
Purchase a contract direct?  Any other solutions out there for
Pfsense?

Tony Z

On Thu, Feb 10, 2011 at 2:38 AM, Greg Hennessy  wrote:
>
>>
>> Any thoughts on whether IDS is appropriate at the perimeter or not?
>>
>
> If you take a look at any serious commercial firewall offering on the market, 
> integrated IDS/IPS is the order of the day.
>
> More sophisticated solutions offer application control.




RE: [pfSense-discussion] Considering Switching to Pfsense

2011-02-10 Thread Greg Hennessy

> 
> Any thoughts on whether IDS is appropriate at the perimeter or not?
> 

If you take a look at any serious commercial firewall offering on the market, 
integrated IDS/IPS is the order of the day. 

More sophisticated solutions offer application control.  




Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread Tony Zakula
Thank you for the replies.  I figured the hardware was overkill, but
the current Linux platform runs in about 1gb of ram and I am currently
not doing any ip traffic collection.  I was considering using pmacct
or ntop for that, though I have been told ntop takes some resources.  I
have been using ClearOS, but I like the commercial support structure
better for Pfsense.

Any thoughts on whether IDS is appropriate at the perimeter or not?

Tony Z



On Wed, Feb 9, 2011 at 5:17 PM, Greg Hennessy  wrote:
>>
>> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
>
> Just ever so slightly.
>
> I've used dual core Opteron with 2GB in multi gig/sec (large packet) 
> applications with PF.




RE: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread Greg Hennessy
> 
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?

Just ever so slightly. 

I've used dual core Opteron with 2GB in multi gig/sec (large packet) 
applications with PF. 




Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread Tim Dressel
Hi Tony,

I have a /24 public subnet for a school district running behind an old pail
of proliant dual CPU (single core) opteron box, 2GB ram each. It is
ridiculous overkill with my 100Mbit pipe and ~10,000 simultaneous sessions.
I used to run squid on it, but moved that elsewhere as it made it just that
much simpler.

I moved from IPCop and have never looked back. pfSense is a way better
platform for this kind of task compared to any linux solution.

It is a bit hardware picky IMHO, so make sure to check the BSD HCL before
you jump.

Cheers,


On Wed, Feb 9, 2011 at 2:41 PM, Tony Zakula  wrote:

> Hi,
>
> I have been using a Linux distribution router/firewall for a number of
> years for a small company.  I have been aware of Pfsense for a few
> years, but have never switched.  I am now in the position that we are
> going beyond a few servers and will be running web and email servers
> for third parties.  I am going to do a hardware upgrade and so I have
> a chance to switch.  A couple of questions to try to get a sense of
> the differences.
>
> Our layout, I would plan to install pfsense as the main router at the
> end of the ISP line.  We have lots of public ip addresses which will
> be mapped to VPS servers behind this machine.  I currently NAT all
> traffic, but was considering assigning the public ips to the VPSs
> themselves to simplify things.  Ranges of ip addresses have different
> subnets and gateways.
>
> IDS and updates is provided for a fee for us right now.  In a setup
> like this, is IDS a good idea?  Or will it probably cause headaches
> locking some clients out accidentally?  I would assume PFS is hardened
> to withstand attacks against it.  We have multiple wans, but we run
> all traffic on one pipe and lan traffic on the other which has another
> firewall to separate it from the servers.
>
> Would running a firewall on PFS in this situation be a good idea?  Or
> just run it as a router?
>
> The fail over sounds great, especially for a production environment.
> If I start with one machine now, can I add a second one later while
> things are running?
>
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
> I will want to do ip accounting.
>
> Thanks for any info from the experts!
>
> TonyZ
>


Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread Chris Buechler
On Wed, Feb 9, 2011 at 5:41 PM, Tony Zakula  wrote:
>
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
>

Way, way overkill, that's closer suited to a 5 Gb connection than 5
Mb. Not that that's a problem, you can get by with a whole lot less
hardware if needed though.




Re: [pfSense-discussion] Considering Switching to Pfsense

2011-02-09 Thread jason whitt
I don't see any reason why PF wouldn't fit your bill. The hardware may be
slightly overkill, but so what. What are you going to do, pull that aging
PIII server out of the closet, dust it off and fire it up?

On Wed, Feb 9, 2011 at 3:41 PM, Tony Zakula  wrote:

> Hi,
>
> I have been using a Linux distribution router/firewall for a number of
> years for a small company.  I have been aware of Pfsense for a few
> years, but have never switched.  I am now in the position that we are
> going beyond a few servers and will be running web and email servers
> for third parties.  I am going to do a hardware upgrade and so I have
> a chance to switch.  A couple of questions to try to get a sense of
> the differences.
>
> Our layout, I would plan to install pfsense as the main router at the
> end of the ISP line.  We have lots of public ip addresses which will
> be mapped to VPS servers behind this machine.  I currently NAT all
> traffic, but was considering assigning the public ips to the VPSs
> themselves to simplify things.  Ranges of ip addresses have different
> subnets and gateways.
>
> IDS and updates is provided for a fee for us right now.  In a setup
> like this, is IDS a good idea?  Or will it probably cause headaches
> locking some clients out accidentally?  I would assume PFS is hardened
> to withstand attacks against it.  We have multiple wans, but we run
> all traffic on one pipe and lan traffic on the other which has another
> firewall to separate it from the servers.
>
> Would running a firewall on PFS in this situation be a good idea?  Or
> just run it as a router?
>
> The fail over sounds great, especially for a production environment.
> If I start with one machine now, can I add a second one later while
> things are running?
>
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
> I will want to do ip accounting.
>
> Thanks for any info from the experts!
>
> TonyZ
>