On 2/2/2011 10:20 PM, Pandu Poluan wrote:
> I agree with Jim.
> A firewall box should be exclusively a firewall, no matter how 'stout'
> it is.
Hmmmm. Perhaps. I am currently running DHCP/NTP on my pfsense
installation. I'll be adding BGP/OSPF routing soon as well. I could put
these things on separate machines, but don't really see the point. Oh I
also run squid and SNORT on the machine. I see all of these functions as
networking services, and pfsense makes them all quite easy to deploy.
pfsense also has so much clean integration between everything, that it
just makes sense to use as a combined routing/firewall/security system.
Now I do export all the data via SNMP/barnyard/netflow off to other
machines in my VM farm for monitoring/analytics purposes. I wouldn't do
that on the firewall itself. As far as I can tell, pfsense really sucks
at any sort of general purpose functionality. :) It excels at what it's
built for.
> More components == more attack surface area. Not to mention the
> intricacies of interaction that might bollix the firewall's mechanisms
> in a non-repeatable way.
> Better to put all analysis packages in another box, which may be
> realized as a Linux box, which Mark is more comfortable with.
Yep. Lots and lots of great software out there for analysis that runs
in a LAMP environment.
> Or, you can also save on boxes by installing the analysis mechanisms
> as a VM, either through KVM or XenServer. Admittedly, the latter
> requires you to reformat a box, but IMO is more stable because it does
> not have to rely on the stability of the Dom0 Linux.
I use OpenVZ (proxmox) to host my vm farm. Have two Dell servers hosting
all my virtual machines. Really quite happy with that setup. Have a
dedicated machine for pfsense. Will add a secondary pfsense firewall at
some point.
Just my 2 cents.
Rgds,