I am trying to design a network based around the existing infrastructure that is set up in this manner:
What I want to do is replace the failing router with a pfSense router that is made from a rackmount server ($250) that has Snort running in IDS mode and a firewall as well. I also want to do away with the DMZ and instead use VLANs to segment the network. I would also like to VLAN-tag traffic so that the VPN can sit on the router as well and all VPN-tagged VLAN traffic will go through the VPN and everything else will pass through the regular WAN connection.
One of my coworkers, on the other hand, says I am out of my mind and that I should instead run a dedicated IDS instead of a firewall. Also that a router running on the server hardware is overkill. Granted, it may seem overkill at first glance until you realize what else the router is handling. It is also handling all the QoS SQM traffic shaping to reduce/eliminate bufferbloat. This alone eats routers alive and will hopefully make the 3 GHz quad-core Xeon worth it. I mean, this is a 1U rackmount server built specifically FOR pfSense, so it is not like I am taking an off-the-shelf server and doing something crazy with it. The company that put it together designed it for pfSense specifically.
The Game server behind the DMZ currently protects itself with Windows Firewall and I constantly nag the server owner to fix that glaring security flaw.
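The VLAN-tag steering the post describes (VPN-tagged VLAN traffic goes out the VPN, everything else out the WAN), shown as an added Python example that is not from this thread or from pfSense itself: it parses the 802.1Q tag of an Ethernet frame and picks the egress path. The VPN VLAN ID 20, the MAC addresses and the sample frames are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VPN_VLANS = {20}             # assumption: VLAN 20 is the "VPN" VLAN from the post

def parse_vlan(frame: bytes):
    """Return (vlan_id, pcp, ethertype, payload_offset) for an Ethernet frame.

    vlan_id is None for an untagged frame. Only a single 802.1Q tag is parsed;
    a truncated header raises ValueError instead of being guessed at."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype, 14
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    pcp = tci >> 13            # 3-bit priority code point
    vid = tci & 0x0FFF         # 12-bit VLAN identifier
    return vid, pcp, inner_type, 18

def choose_egress(frame: bytes, vpn_vlans=VPN_VLANS) -> str:
    """Policy from the post: VPN VLANs -> 'vpn', everything else -> 'wan'.

    VID 0 is a priority-tagged frame with no VLAN membership, so it is treated
    as untagged; VID 4095 is reserved and has no valid meaning, so it is dropped."""
    vid, _pcp, _ethertype, _offset = parse_vlan(frame)
    if vid is None or vid == 0:
        return "wan"
    if vid == 4095:
        return "drop"
    return "vpn" if vid in vpn_vlans else "wan"

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id=None, pcp: int = 0) -> bytes:
    """Construct a (possibly tagged) Ethernet frame for testing; sample data only."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload

# Constructed sample addresses and payload (not real hosts).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for vid in (None, 10, 20, 0, 4095):
        print(vid, "->", choose_egress(build_frame(DST, SRC, 0x0800, IPV4_STUB, vlan_id=vid)))
```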
The only challenge I can see with the server you found is that the processor does not support AES-NI. How much of a problem that actually is, I can't say. But since pfSense will start using AES-NI in version 2.5 (next year), it might not be as viable as planned.
I presume others with more insight can elaborate on the potential challenges of not supporting AES.
While I commend your desire to get a rackmount pfSense router, I would be very hesitant to purchase any such device from eBay with all the scams that are on eBay today. What I would encourage you to do instead is build your device yourself. I am quite confident you could accomplish this goal for the same cost or just a little bit more.
If you do decide to purchase your device from eBay, make sure they don't preinstall pfSense on the device; if they do, I wouldn't trust the device, because you would never know whether they installed a backdoor into pfSense.
Inline processes the actual traffic rather than a copy. It means that your network speed is limited by the speed that the IPS can process the packets. Doing it on a copy means you don’t need to worry about the IPS speed but some traffic will get through before it’s blocked. This isn’t a real problem though as we’re talking about a delay of a few milliseconds.
They're both pretty similar; there are differences in their detection rates for different types of attack, so you may want to look into it. I use Suricata because it's multithreaded, but there's not much meaningful difference between the two in terms of functionality and configuration.