My question is: HOW BIG of a prime factor does (N-1) need to have, in order for Diffie-Hellman to be considered secure,
Background: if Diffie-Hellman, we have a generator $g$; the size of the subgroup generated by $g$ (that is, the number of values $g^x \bmod N$ can take on for various values of $x$) can be designated by $q$. That is the "large prime factor of $N-1$" (and we usually select $g$ such that $q$ is prime; if you select a subgroup that isn't of prime size, then we can assume $q$ is the largest prime factor).
With that background in place, one way to attack Diffie-Hellman is to take one of the keyshares $g^x \bmod N$ and try to recover $x$ using a generic group attack (such as Baby-Step-Giant-Step); if we recover $x$, it becomes simple to recover the shared secret. Now, it can be shown that such a generic group attack (and there are several known) always takes $\Omega( \sqrt{q} )$ steps [1]. In addition, we know algorithms for which the implied constant in $\Omega( \sqrt{q} )$ isn't that far from 1.
Because of this, if we have a security level $\lambda$, that is, we want to ensure that it takes at least $2^\lambda$ operations to break it, we need to ensure that $\sqrt{q} \ge 2^\lambda$, that is, $q \ge 2^{2 \lambda}$. Or, in other words, the prime factor needs to have a bit length (at least) twice as long as the security level we hope to achieve. For example, if we are aiming at a 128 bit security level, this means that the prime factor needs to be at least 256 bits long.
Of course, there are other attacks which depend on the size of $N$; those attacks give other constraints on the size of $N$.
[1]: This $\Omega$ notation is just like the more common $O$ notation, except that it gives a lower bound, not an upper one; that is, for the attack to succeed with a given probability (given a random instance) always takes at least $M \sqrt{q}$ operations, for some constant $M$.
