[zorp] good setup

Balazs Scheidler bazsi@balabit.hu
Fri, 26 Oct 2001 15:59:15 +0200


On Mon, Oct 22, 2001 at 07:04:54AM +0200, Torsten Curdt wrote:
> I'm about to revise our network setup and I was wondering
> how a good setup with zorp would look like.
> We are a pretty small company. We have about 10 workstations
> and about 4 servers. We are connected with around 1,5 MBit
> and we have about 2-4 GByte/Month of traffic on our firewall right
> now.
> Since zorp is an application level proxy firewall the demands
> of machine power are usually a bit higher than for a simple
> ipchains based firewall. I was wondering if an old PII 200 Mhz
> might be enough for our scenario.

It should be enough. Our tests have shown that a P133 is able to saturate a
10Mbit ethernet link provided the number of concurrent sessions is low.
Memory might be a scarce resource; put as much in as you can (128MB should
be enough).

> I am also wondering if there are traffic statistics available
> with zorp and how good the IDS is. Maybe snort can be combined
> with zorp?

Yes, of course it can be combined. Otherwise you might be interested in the
*.error log lines emitted by proxies, because they usually indicate protocol
errors in the stream. (To find out the log tags assigned to messages, use the
-T command line option of Zorp.)

> Maybe someone could also spent his 2 cents on the
> following network setups:
> setup 1:            internet
>                        |
>                     [zorp]
>                      |  |
>                      |  +---perimeter net
>                      |
>                   intranet
> setup 2:
>                     internet
>                        |
>                      [zorp]
>                        |
>                     perimeter net with [gateway]
>                                           |
>                                           |
>                                        intranet

We usually use the #1 scheme, because the most risky environment is the
perimeter network (provided you mean a DMZ here), and given it is
compromised, your intranet is still protected.

> Where should a centralized syslog-ng and/or authentication
> server be placed. inside the perimeter net or inside the
> intranet. (inside the intranet would mean to pierce the
> firewall to allow syslog traffic from the perimeter net
> into the intranet)

Inside the intranet. syslog is _sensitive_ information, and as such must be
protected by all possible means.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
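The reasoning behind preferring setup #1 and keeping the syslog server in the intranet can be made concrete with a small attack-surface model. The following is an added example, not code from this thread and not part of Zorp itself: it treats every network segment as a broadcast domain (any host on it can send packets to any other host on it without a firewall in the path) and a firewall as a device with interfaces on several segments that forwards only the flows listed in its policy. The host names, the three segments and the single pierced udp/514 flow are constructed for illustration. For a compromised DMZ host it lists what that host can now send packets to, which is exactly the difference between the two diagrams: in setup #2 the gateway's DMZ-side interface joins the exposed set, and a syslog server placed in the DMZ is exposed on every port instead of on the one port the firewall forwards.

```python
"""Attack-surface model for the two topologies in the thread above.

Added example (not from the original post or from Zorp). Segment and host
names, and the udp/514 syslog flow, are constructed assumptions.
"""
from collections import defaultdict


class Topology:
    def __init__(self):
        self.segments = defaultdict(set)   # segment -> {devices attached}
        self.policy = defaultdict(list)    # firewall -> [(src_segment, dst_device, service)]

    def attach(self, device, segment):
        """Give `device` an interface on `segment`."""
        self.segments[segment].add(device)

    def allow(self, firewall, src_segment, dst_device, service):
        """Let `firewall` forward `service` from `src_segment` to `dst_device`."""
        self.policy[firewall].append((src_segment, dst_device, service))

    def segments_of(self, device):
        return {s for s, devs in self.segments.items() if device in devs}

    def is_firewall(self, device):
        return len(self.segments_of(device)) > 1

    def exposed_to(self, compromised):
        """Return {(device, service)} that a host under attacker control can
        send packets to: every interface on its own segments directly ('*'),
        plus whatever a firewall on those segments forwards from them."""
        exposed = set()
        for seg in self.segments_of(compromised):
            for dev in self.segments[seg]:
                if dev != compromised:
                    exposed.add((dev, "*"))
                # Non-firewalls have no policy entries, so this is a no-op for them.
                for src, dst, svc in self.policy.get(dev, []):
                    if src == seg:
                        exposed.add((dst, svc))
        return exposed

    def exposed_firewalls(self, compromised):
        """Firewall devices whose interface the attacker can reach directly."""
        return {d for d, svc in self.exposed_to(compromised)
                if svc == "*" and self.is_firewall(d)}


def setup1(syslog_in_intranet=True):
    """Setup #1: zorp has three legs (internet, DMZ, intranet)."""
    t = Topology()
    t.attach("zorp", "internet")
    for dev in ("zorp", "web", "mail"):
        t.attach(dev, "dmz")
    for dev in ("zorp", "ws1", "fileserver"):
        t.attach(dev, "intranet")
    if syslog_in_intranet:
        t.attach("syslog", "intranet")
        t.allow("zorp", "dmz", "syslog", "udp/514")   # the one hole pierced for syslog
    else:
        t.attach("syslog", "dmz")
    return t


def setup2(syslog_in_intranet=True):
    """Setup #2: zorp in front, a second gateway between DMZ and intranet."""
    t = Topology()
    t.attach("zorp", "internet")
    for dev in ("zorp", "gateway", "web", "mail"):
        t.attach(dev, "dmz")
    for dev in ("gateway", "ws1", "fileserver"):
        t.attach(dev, "intranet")
    if syslog_in_intranet:
        t.attach("syslog", "intranet")
        t.allow("gateway", "dmz", "syslog", "udp/514")
    else:
        t.attach("syslog", "dmz")
    return t


if __name__ == "__main__":
    for name, topo in (("setup1/syslog in intranet", setup1(True)),
                       ("setup1/syslog in dmz", setup1(False)),
                       ("setup2/syslog in intranet", setup2(True))):
        exposed = sorted(topo.exposed_to("web"))
        print(f"{name}: compromised 'web' can reach {exposed}; "
              f"firewalls directly exposed: {sorted(topo.exposed_firewalls('web'))}")
```

Run it and compare the three lines: with setup #1 and the syslog server in the intranet, a compromised web host only sees zorp's DMZ interface, the other DMZ host, and udp/514 on the syslog server; moving the syslog server into the DMZ turns that into unrestricted access to the log host, and setup #2 additionally exposes the inner gateway to every DMZ host.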