Low power IDS for home use - Intel NUC any good?

Rob Hunter

Feb 8, 2014, 8:15:44 AM
to securit...@googlegroups.com
Hello,
I'm currently running Security Onion on an old 32 bit Celeron based desktop with 2GB of RAM and I'm looking to replace it with a low power option. I only run snort with snorby and squert. At idle the load is 0.3 and it seems happy enough with no dropped packets, but I'd like to reduce my yearly power consumption.

My IDS is listening on a mirrored port on a Netgear switch that is in a DMZ between two firewalls. My ADSL link to the Internet is rated at 20Mbit/s. According to speedtest my link maxes out at 10Mbit/s in practice.
I'm only monitoring what goes through this link out to the Internet and back, not the internal home network. There are only a few laptops and iPads etc. on this network. I'm mostly seeing break-in attempts to my SSH server.

I was wondering if anyone has tried an Intel NUC? There is a cheapish one with an i3 dual core processor that I would like to put 8GB in. Has anyone tried one of these? I would like to try Bro in addition to what I'm already running.

Am I correct in saying that memory is more important to Security Onion than raw processor power?

My compliments to Security Onion's design team, it really is easy to use.

regards,
Rob

Doug Burks

Feb 8, 2014, 8:24:29 AM
to securit...@googlegroups.com
Hi Rob,

My sensor at home is an old desktop (probably similar in power to the
NUC's i3) with 8GB RAM and it works fine with Suricata, Bro, ELSA,
etc.

--
Doug Burks

Mrs. Y.

Feb 8, 2014, 8:37:55 AM
to securit...@googlegroups.com
I have an Intel NUC and use it as an ESXi host at home. The only
problems with it are the limited storage options (have to use USB
passthrough for extra space) and the limited network interfaces. You can
add a wireless interface or share the onboard for mgmt and monitoring.
Other than that, it's pretty snappy running a Kali guest.

Michele

Michal Purzynski

Feb 8, 2014, 9:17:45 AM
to securit...@googlegroups.com
On 2/8/14, 2:24 PM, Doug Burks wrote:
> Hi Rob,
>
> My sensor at home is an old desktop (probably similar in power to the
> NUC's i3) with 8GB RAM and it works fine with Suricata, Bro, ELSA,
> etc.
Having a real CPU this should be a lot better than an Atom box. I've
tried the latter and did not like the results. It was the older Atom, 64
bit with 4GB of RAM and a separate Intel NIC for sniffing - which is not
enough and the raw CPU power seems to be on the low side.

Take a look at the maximum RAM size (8GB should be fine) and the
sniffing NIC.

Running a distributed setup of SO in two ESXi VMs but the only reason
for that is - I need a place to experiment with something that looks
like the in-work setup ;)

Mrs. Y.

Feb 8, 2014, 9:58:37 AM
to securit...@googlegroups.com
Intel NUC doesn't use Atom. 3rd generation uses Haswell.

Michal Purzynski

Feb 8, 2014, 6:49:32 PM
to securit...@googlegroups.com
On 2/8/14, 3:58 PM, Mrs. Y. wrote:
> Intel NUC doesn't use Atom. 3rd generation uses Haswell.
That's why I said "Having a real CPU this should be a lot better than an Atom box" ;-)

The new Atom might be also interesting.

Liam Randall

Feb 8, 2014, 9:13:17 PM
to securit...@googlegroups.com
Dwight Beaver and Ron Bandes of SEI/CERT did an interesting
presentation at FloCon 2014 about building a monitoring sensor for
under $100. While they did not use Security Onion I did love the
real numbers that they had in there about what line rate they were
able to achieve before dropping packets on things like the Raspberry
Pi. I did not see a copy of the presentation up there yet, but
hopefully one shows up soon (or my google-fu is #fail).

It was an excellent presentation- I hope next year they have video
(*cough* Jon :).

Liam