Should the Defense Manager Daemon (DMD) always remain active even though NO rules are defined, or should it be started and IPSec rules issued only when it is needed? Is there an overhead incurred if it remains active 24/7?
For the defensive filtering function, DMD can be up 24x7, not just started when you want to add a defensive filter. DMD monitors the stacks to be aware of which ones are up but does very little processing if defensive filters are not being added/updated/deleted. So you should be able to have DMD active 24x7 with minimal overhead.