Re: high-speed NIDS (>1.7GBit/sec traffic) required.

From: roy lo (roylo@sr2c.com)
Date: 07/16/02


Date: Mon, 15 Jul 2002 16:51:50 -0700
From: roy lo <roylo@sr2c.com>
To: focus-ids@securityfocus.com

I also think distributed IDS solutions are the best idea in this case
>2 Gbit interfaces, 400-600MBit/sec each
most systems (excluding those *high-end* ones) might not be able to
handle that at/during 100% utilization, simply due to the various bus
speed limits on the system. (Also, as a reminder, the speed it runs at and
the resources it eats increase [jump] like a log graph.)

Travis's suggestion would be better and cheaper than the 1-box solution
you originally asked about.

Travis Dawson wrote:
> At 09:37 AM 7/15/2002 -0700, s s wrote:
>
>> 2 Gbit interfaces, 400-600MBit/sec each, continuous
>> traffic.
>> total traffic peaking at around 1.6-1.7 Gbit/sec at
>> this time.
>> I would like to go with snort.
>
>
> Have you looked at distributed IDS solutions? Maybe going with multiple
> boxes so that you don't need a single monster box that probably does not
> exist.
> Three possible workarounds:
> *2-3 snort boxes dumping to a shared DB and a frontend putting them all
> together
> *2-3 snort boxes and a Security Information Manager (guarded,
> intellitactics, netForensics, etc.) to put them all together.
> *A really beefy 2 or more fast chip, a few Gig of memory, a nice
> motherboard, a really good SCSI subsystem, *BSD box that may just handle
> it (but probably not)
>
> You can use an IDS load balancer from TopLayer or Radware to even out
> the flows, although the TopLayer model takes in a couple GigE and pushes
> out a bunch of Fast Ethernet; the RadWare Fireproof unit looks like it
> can take in multiple GigE and push out to multiple more GigE (probably
> what you want).
> Just my 2c.
>
>

-- 
Roy Lo
Freelance Consultant
E-mail -  roylo@sr2c.com

Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
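The load-balancer approach quoted above only works for a stateful sensor like snort if both directions of a connection reach the same box. The following is an added illustration, not code from this thread or from any of the products named in it: it assigns packets to N sensors by hashing a direction-independent flow key, and counts how many flows would be split across sensors. Packet fields, sensor count and the sample traffic are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple view of a packet (constructed for this example)."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def flow_key(pkt):
    """Canonical key: A->B and B->A yield the same tuple (endpoints sorted)."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], pkt.proto)


def _bucket(key, n_sensors):
    # sha256 rather than hash(): stable across processes and sensor restarts
    digest = hashlib.sha256(repr(key).encode()).digest()
    return struct.unpack(">I", digest[:4])[0] % n_sensors


def sensor_for(pkt, n_sensors):
    """Symmetric assignment: request and reply land on the same sensor."""
    return _bucket(flow_key(pkt), n_sensors)


def naive_sensor_for(pkt, n_sensors):
    """Direction-sensitive assignment: replies may go to a different sensor."""
    return _bucket((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto), n_sensors)


def split_flows(packets, n_sensors, assign):
    """Number of flows whose packets end up on more than one sensor."""
    seen = {}
    for pkt in packets:
        seen.setdefault(flow_key(pkt), set()).add(assign(pkt, n_sensors))
    return sum(1 for sensors in seen.values() if len(sensors) > 1)


# Constructed sample: six HTTP connections, each with a request and a reply.
SAMPLE = []
for i in range(6):
    client = f"10.0.0.{i + 1}"
    SAMPLE.append(Packet(client, "192.0.2.10", 6, 40000 + i, 80))
    SAMPLE.append(Packet("192.0.2.10", client, 6, 80, 40000 + i))

if __name__ == "__main__":
    print("symmetric split flows:", split_flows(SAMPLE, 3, sensor_for))
    print("naive split flows:", split_flows(SAMPLE, 3, naive_sensor_for))
```

Any flow counted by the naive variant is one whose two directions would be inspected by different snort instances, so stream reassembly and stateful rules on those boxes would see only half the conversation.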
