Thanks again for that very good article cactus, it led me to ask questions I did not think/know of. Also, seeing just how involved wire-speed packet capture becomes (especially as one moves up to faster gear and closer to the core).
I am thinking about the following edge implementation:
A tap on the dirty side leading into an instance of Snort running in 'passive' mode to detect, log and analyse what's happening outside the door; giving me detection.
Once in the house, another instance of Snort running 'inline' to alert and enforce drop rules/rewrite packets (if desired); giving me prevention.
Having two instances seems ideal to reveal a complete picture of what is occurring in and around the edge and to visually ensure firewall/router rule sets are being enforced.
I do have some minor concerns about latency on the inline side. But I suspect it will be acceptable for my needs.
So a hypervisor running the following VMs:
- Snort (Passive mode)
- pfSense (Router/Firewall/DHCP/NAT)
- Snort (Inline)
Seems logical? Has anyone set up similar implementations? Any recommendations/thoughts/gotchas/etc. on such an implementation (or variant) plan?
The next steps will be to size the hardware. The guide is quite helpful in that regard.
Thanks guys - peace,