RE: GB IDS solutions
From: ARIAN EVANS (arian.evans@uscentral.org)
Date: 04/11/02
- Previous message: robert_david_graham: "RE: Firewall Tester 0.6"
- Maybe in reply to: How ya Doin: "GB IDS solutions"
- Next in thread: robert_david_graham: "RE: GB IDS solutions"
- Reply: robert_david_graham: "RE: GB IDS solutions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: ARIAN EVANS <arian.evans@uscentral.org>
To: 'Stephane Auger' <stephane.auger@abovesecurity.com>
Date: Thu, 11 Apr 2002 15:10:01 -0500
> > Does anyone know of GB network IDS solutions other than ISS?
There's a number of vendors that claim GB; intrusion.com, etc.
IME Dragon, Cisco Netranger/SecureIDS, and Snort are faster than
ISS RS 5.0/5.5. Haven't tested RS 6.x for max throughput.
YMMV depending on underlying hardware and OS...
> Better yet has anyone implemented a non-ISS solution and how is it
> working?
We moved to Sourcefire's OpenSnort appliances (basically a 1U Intel
server chassis, bsd+snort and Sourcefire's management interface.)
http://www.sourcefire.com
I've replaced two higher-end Intel multi-proc servers, running RS
6.0 on Win2k w/one OpenSnort appliance. Due to the current performance
of that appliance, I am estimating I'll be able to replace about four
of our RS 6.0/Intel/2k sensors, at least, but I don't have hard metrics
yet, and we've done very little sensor tuning so far, so we might
do better yet...
> > What type of
> > hardware are you using? What were your costs approx. per sensor?
Contact Sourcefire on pricing...Prepackaged *appliances* seem to
all run about the same on cost, ISS, Symantec, Intrusion.com,
Dragon, Cisco SecureIDS, etc, for equal underlying hardware.
> > I will be needing GB capable sensors but believe there must
> > be another way to go besides ISS (too much $$$). Has anyone used Snort with
> > GB Ethernet cards?
Talk to the guys at Sourcefire about this; I talked w/Marty at length
about this last year, and decided that was not the route I wanted to
go since above the NIDS layer (on our 2k stuff) w/GigE or not, 300mbs
seems about the max that can be processed. Unless something has changed
recently in the GigE/NDIS/NIDS world, or I'm way off on my testing, you
might look at a different approach:
Have you thought about creating a farm of sensors with a central database
and using either VTP in conjunction w/specific span ports for monitoring
specific VLANs (sensor1--VLAN 101, sensor2--VLAN 202, etc.; all sensor
data sent to the same DB)? If you are grabbing this all from the same
broadcast domain, how about using a device that can do traffic mirroring,
or network taps into a concentrator, and break up the traffic by IP range
across a sensor farm?
There are several ways to do this, and without knowing if this is all one
broadcast domain, or if you have a perimeter you are monitoring from
(and thus can use inline devices...), or whether network taps on internal
switches are the better way to go in your scenario, it's hard to say.
You'd spend some money up front for hardware to aggregate/distribute
traffic, but could build your own sensors *nix+snort+intel cheaply
and keep your NIDS centralized.
Arian J. Evans
Senior Information Systems Security Engineer
U.S. Central Credit Union
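The IP-range sensor-farm split suggested in the message above, as an added example that is not part of the original post or of any vendor's code: a small Python script that generates one BPF filter per Snort sensor and checks that every packet touching monitored address space is handled by exactly one sensor, whichever side is the source. The sensor names and 10.x.0.0/16 ranges are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed example ranges (not from the post). Order matters: an earlier
# sensor wins on traffic that crosses two monitored ranges.
SENSOR_RANGES: List[Tuple[str, List[str]]] = [
    ("sensor1", ["10.1.0.0/16"]),
    ("sensor2", ["10.2.0.0/16"]),
    ("sensor3", ["10.3.0.0/16", "10.4.0.0/16"]),
]


def _net_expr(prefixes: List[str]) -> str:
    # BPF "net X" matches X in either the source or the destination address,
    # so a single term already covers both directions of a flow.
    return " or ".join(f"net {p}" for p in prefixes)


def bpf_filter(index: int) -> str:
    """BPF expression for SENSOR_RANGES[index]. The 'and not' clause excludes the
    ranges of earlier sensors so cross-range traffic is seen once, not twice."""
    own = _net_expr(SENSOR_RANGES[index][1])
    earlier = [p for _, prefixes in SENSOR_RANGES[:index] for p in prefixes]
    return f"({own})" if not earlier else f"({own}) and not ({_net_expr(earlier)})"


def _touches(src: str, dst: str, prefixes: List[str]) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in map(ipaddress.ip_network, prefixes))


def matching_sensors(src: str, dst: str, dedupe: bool = True) -> List[str]:
    """Sensors whose filter accepts this packet. dedupe=False models plain
    per-range filters, which report cross-range packets on two sensors."""
    hits: List[str] = []
    earlier: List[str] = []
    for name, prefixes in SENSOR_RANGES:
        if _touches(src, dst, prefixes) and not (dedupe and _touches(src, dst, earlier)):
            hits.append(name)
        earlier += prefixes
    return hits


def check_partition(packets: List[Tuple[str, str]]) -> bool:
    """True if each packet (to or from monitored space) lands on exactly one
    sensor and the result does not depend on which endpoint is the source."""
    return all(len(matching_sensors(s, d)) == 1 and
               matching_sensors(s, d) == matching_sensors(d, s) for s, d in packets)


if __name__ == "__main__":
    for i, (name, _) in enumerate(SENSOR_RANGES):
        print(f"{name}: {bpf_filter(i)}")
```

Each printed expression is the BPF filter that sensor would run with, so that all sensors together see the mirrored stream exactly once while still reporting to one central database.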