Re: GB IDS solutions

From: Brian Hernacki (bhernack@recourse.com)
Date: 04/12/02


Date: Fri, 12 Apr 2002 11:41:01 -0700
From: Brian Hernacki <bhernack@recourse.com>
To: focus-ids@securityfocus.com


How ya Doin wrote:
>
> Hello,
>
> Does anyone know of GB network IDS solutions other than ISS? Better yet has
> anyone implemented a non-ISS solution and how is it working? What type of
> hardware are you using? What were your costs approx. per sensor?
> I will be needing GB capable sensors but believe there must be another way
> to go besides ISS (too much $$$). Has anyone used Snort with GB ethernet
> cards?

Well there are a number of providers who claim 'gigabit detection' these
days so you want to be a little careful. Most that I've seen simply use
this to indicate that they can listen on a gigabit interface of some
kind. You can usually differentiate these guys by looking for specific
data points about how much traffic they can handle. Often these guys top
out around 300-500 Mbps.

Others actually claim they can support a gigabit of traffic based on
some pretty contrived tests (there's been plenty of discussion on this
list about those). It's not too hard to skew these types of tests by
constraining packet size, attack density, number of flows, etc. If
you're going to rely on someone's test results you should take a look at
these kinds of things pretty carefully.

A few things I would recommend you consider when evaluating a solution
are:

-ability to detect attacks under load (this is different than just
'staying up' under load)
-how scalable the management interface is under load (lots of events,
etc)
-how scalable the data store is
-the hardware, form factor, etc required to do this

Now that I've given my neutral and objective response, I'll insert my
product plug. :) If you're looking at gig IDS solutions you should take
a look at Recourse's ManHunt product as well. It's one of the leading
gigabit capable solutions and scales pretty well in large environments.

--brian
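The point above about packet size skewing a "gigabit" claim is easy to quantify. The following is an added example, not code from the original post or from any vendor mentioned in it. It models the per-packet cost of a sensor: on Ethernet every frame carries 20 bytes of preamble, SFD and inter-frame gap on the wire in addition to the frame itself, so the frame rate a 1 Gbps link can deliver ranges from about 81k frames/s at 1518-byte frames to about 1.49M frames/s at 64-byte frames. A sensor is limited by how many packets per second it can inspect, not by the interface it listens on, so the same sensor "supports a gigabit" with large packets and inspects only a few tens of Mbps with small ones. The 100,000 pps sensor budget and the 7:4:1 traffic mix below are constructed figures for illustration.

```python
"""Show how frame size turns a packets-per-second budget into an Mbps figure.

Added illustration; the 20-byte wire overhead (8-byte preamble/SFD plus
12-byte inter-frame gap) is standard Ethernet, everything else is a
constructed assumption.
"""

WIRE_OVERHEAD_BYTES = 20      # preamble + SFD + inter-frame gap per frame
GIGABIT = 1_000_000_000       # link rate in bits per second


def frames_per_second(link_bps, frame_bytes):
    """Maximum frames/s a link can carry when every frame is frame_bytes long.

    frame_bytes counts the Ethernet frame including FCS (64..1518 typical).
    """
    wire_bits = 8 * (frame_bytes + WIRE_OVERHEAD_BYTES)
    return int(link_bps // wire_bits)


def mix_frames_per_second(link_bps, mix):
    """Frames/s at line rate for a traffic mix given as [(weight, frame_bytes), ...]."""
    total_weight = sum(w for w, _ in mix)
    avg_wire_bytes = sum(w * (b + WIRE_OVERHEAD_BYTES) for w, b in mix) / total_weight
    return int(link_bps / (8 * avg_wire_bytes))


def inspected_mbps(sensor_pps, frame_bytes, link_bps=GIGABIT):
    """Mbps of frame data a sensor with a fixed packets/s budget can inspect.

    Capped at the link rate: a sensor cannot inspect more than the wire carries.
    Reported as frame bits (what datasheets quote), not wire bits.
    """
    sensor_mbps = sensor_pps * frame_bytes * 8 / 1e6
    link_mbps = link_bps / 1e6
    return min(sensor_mbps, link_mbps)


def coverage_table(sensor_pps, sizes=(64, 128, 256, 512, 1024, 1518)):
    """For each frame size, (line-rate pps, inspected Mbps, fraction of line rate inspected)."""
    rows = []
    for size in sizes:
        line_pps = frames_per_second(GIGABIT, size)
        mbps = inspected_mbps(sensor_pps, size)
        rows.append((size, line_pps, mbps, min(1.0, sensor_pps / line_pps)))
    return rows


if __name__ == "__main__":
    # Constructed sensor budget: 100,000 inspected packets per second.
    SENSOR_PPS = 100_000
    print(f"{'frame':>6} {'line pps':>10} {'inspected Mbps':>15} {'coverage':>9}")
    for size, line_pps, mbps, frac in coverage_table(SENSOR_PPS):
        print(f"{size:>6} {line_pps:>10} {mbps:>15.1f} {frac:>9.0%}")

    # Constructed 7:4:1 mix of small, medium and large frames at line rate.
    imix = [(7, 64), (4, 570), (1, 1518)]
    print("mix frames/s at 1 Gbps:", mix_frames_per_second(GIGABIT, imix))
```

When asking a vendor for "gigabit" numbers, ask for the packet rate at which detection was verified and the frame size distribution used; a figure measured only with 1518-byte frames says nothing about the 64-byte floods a sensor will actually see under attack.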