Hi,

On Mon, Oct 22, 2001 at 07:04:54AM +0200, Torsten Curdt wrote:
I'm about to revise our network setup and I was wondering what a good setup with zorp would look like.
We are a pretty small company. We have about 10 workstations and about 4 servers. We are connected with around 1,5 MBit and we have about 2-4 GByte/Month of traffic on our firewall right now.
Since zorp is an application level proxy firewall the demands of machine power are usually a bit higher than for a simple ipchains based firewall. I was wondering if an old PII 200 MHz might be enough for our scenario.
It should be enough. Our tests have shown that a P133 is able to saturate a 10Mbit ethernet link provided the number of concurrent sessions is low. Memory might be a scarce resource, put as much in as you can (128MB should be enough).
I am also wondering if there are traffic statistics available with zorp and how good the IDS is. Maybe snort can be combined with zorp?
Yes, of course it can be combined. Otherwise you might be interested in *.error log lines emitted by proxies, because they usually indicate protocol errors in the stream. (To find out the log tags assigned to messages, use the -T command line option to Zorp.)
Maybe someone could also spend his 2 cents on the following network setups:
setup 1:

    internet
       |
     [zorp]
      | |
      | +---perimeter net
      |
    intranet

setup 2:

    internet
       |
     [zorp]
       |
    perimeter net with [gateway]
       |
       |
    intranet

We usually use the #1 scheme, because the most risky environment is the perimeter network (provided you mean a DMZ here), and given it is compromised, your intranet is still protected.
Where should a centralized syslog-ng and/or authentication server be placed? Inside the perimeter net or inside the intranet? (Inside the intranet would mean to pierce the firewall to allow syslog traffic from the perimeter net into the intranet.)
inside the intranet, syslog is _sensitive_ information, and as such must be protected by all possible means.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
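
Added example, not part of the original message and not Zorp's own code: one way to pull the *.error lines mentioned in the reply out of a central syslog file and see which tags and sessions produce them. The line layout matched by TAG_RE, the session names and all sample lines are constructed assumptions; check the tags your installation really emits with the -T option before relying on the pattern.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Assumed layout after the syslog prefix (not taken from the post):
#   <class>.<tag>(<level>): (<session>): <message>
TAG_RE = re.compile(
    r"\b(?P<tag>[a-z0-9_]+\.[a-z0-9_]+)\((?P<level>\d+)\): \((?P<session>[^)]*)\)"
)

# Constructed sample lines, not real Zorp output.
SAMPLE = """\
Oct 22 07:10:01 fw zorp/intra[411]: http.error(2): (svc/intra_http:12/http): Invalid request line
Oct 22 07:10:01 fw zorp/intra[411]: http.request(6): (svc/intra_http:12/http): Request accepted
Oct 22 07:10:05 fw zorp/intra[411]: ftp.error(3): (svc/intra_ftp:3/ftp): Unexpected reply code
Oct 22 07:10:09 fw zorp/intra[411]: http.error(2): (svc/intra_http:12/http): Header too long
Oct 22 07:10:12 fw zorp/intra[411]: core.info(3): (nosession): Reloading policy
Oct 22 07:10:15 fw sshd[99]: Accepted publickey for admin
"""


def scan(lines, pattern="*.error"):
    """Count log lines whose tag matches `pattern`, per tag and per session."""
    by_tag, by_session = Counter(), Counter()
    for line in lines:
        m = TAG_RE.search(line)
        if not m or not fnmatchcase(m["tag"], pattern):
            continue  # not a tagged proxy line, or a tag we are not watching
        by_tag[m["tag"]] += 1
        by_session[m["session"]] += 1
    return by_tag, by_session


def noisy_sessions(by_session, threshold=2):
    """Sessions with at least `threshold` matching lines, worth a closer look."""
    return sorted(s for s, n in by_session.items() if n >= threshold)


if __name__ == "__main__":
    tags, sessions = scan(SAMPLE.splitlines())
    for tag, n in tags.most_common():
        print(f"{n:4d}  {tag}")
    for s in noisy_sessions(sessions):
        print("repeated protocol errors in session:", s)
```

Run it on the log host inside the intranet, so the sensitive syslog data never has to leave the protected segment.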