RE: IDS deployment on a Cat6500 series & which Snort box?
From: Carles Fragoso i Mariscal (cfragoso_at_cesca.es)
Date: 05/27/04
- Previous message: Michal Zalewski: "Bypassing "smart" IDSes with misdirected frames? (long and boring)"
- In reply to: Tony Carter: "Re: IDS deployment on a Cat6500 series & which Snort box?"
- Next in thread: Gary Halleen: "RE: IDS deployment on a Cat6500 series & which Snort box?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Tony Carter" <tcarter@entrusion.com> Date: Thu, 27 May 2004 17:52:15 +0200
Tony,
That link refers to the first generation of IDSM, which is IDSM1,
which was Windows OS based and is now an End-of-Life product.
IDSM2, the new version, is based on the same software as their
appliances (Linux based) and it can manage 600 Mbps with 450-byte
packets (4000 TCP conn/sec and 500000 concurrent connections on
its stateful DB).
I was talking about IDSM2. :)
Thank you and regards,
-- Carlos
-----Original Message-----
From: Tony Carter [mailto:tcarter@entrusion.com]
Sent: Thursday, 27 May 2004 16:08
To: Carles Fragoso i Mariscal
CC: focus-ids@securityfocus.com
Subject: Re: IDS deployment on a Cat6500 series & which Snort box?
A little late but...
according to Cisco's site (http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a0080134014.html)
it can only
# Monitor 100 Mbps of traffic
# Approximately 47,000 packets per second, with a new flow arrival rate
of 1000 per second
-Tony
On May 23, 2004, at 2:08 PM, Carles Fragoso i Mariscal wrote:
> Hi,
>
> A customer of ours is evaluating an outer IDS deployment on its Internet
> Data Center (IDC) core network, which consists of a layer-3 enabled Cisco
> Catalyst 6500 series. Its network traffic is under Gig speed but over >200Mbps.
>
> They have been told that the best choice would be a Cisco IDSM2, which is a
> switch-in blade IDS, because it is a network-node IDS and because IOS
> provides some kind of L2/VLAN ACLs which could allow them to capture
> traffic from/to selected sources/destinations to the IDS (for instance:
> critical hosts or subnets).
>
> Cisco IDSes seem not to be as well-featured as other products: Netscreen
> IDP, SourceFire, ISS Proventia etc.
>
> I have been reading up on that and it seems that there is also the
> possibility on the Cat6500 to use L2/VLAN ACLs to forward matched traffic
> to a span port, which could open the chance of using any IDS on that port
> instead of a switch-in-only solution.
>
> - Does anyone have a deployment similar to the one described who could
> share their experience?
> - Any input regarding IDSM2 experience could also be useful.
>
> They have also asked me whether an open-source solution such as Snort could
> deal with Gig traffic and which computer platform would be necessary.
> I have seen in the NSS Group report that a dual Xeon CPU with 1 Gig of
> memory minimum is recommended for the Snort 2.x branch. I imagine that the
> NIC data bus to the main board should be wide enough.
>
> - Any recommendation on which architecture could fit their possible needs?
>
> Thanks in advance guys for your help,
>
> ----------------------------------------------------------------------------------
> Carles Fragoso i Mariscal
> Anella Cientifica RREN Incident Response Team (ERIAC) - Incident Handler
> Communications and Operations Dept. - Supercomputing Center of Catalonia
> eMail: cfragoso@cesca.es Phone: +34 932056464 Fax: +34 932056979 iDBA: 13041*CFM
> ----------------------------------------------------------------------------------
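The L2/VLAN ACL capture that the original post describes, written out as an added example that is not from any poster in this thread: a Catalyst 6500 IOS VLAN access map (VACL) that forwards all traffic normally but sends a copy of only the packets to or from a critical subnet to a capture port, where an external sensor such as a Snort box can listen. The VLAN number (100), the subnet (10.0.0.0/24) and the interface (GigabitEthernet3/1) are constructed placeholders and not values from the thread.

```cisco
! Classify the traffic worth inspecting: anything to or from the
! critical server subnet (10.0.0.0/24 is a constructed placeholder)
ip access-list extended IDS-CRITICAL-HOSTS
 permit ip any 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! VLAN access map: packets matching the ACL are forwarded as usual AND
! a copy is sent to every port configured as a capture port. The final
! sequence forwards everything else untouched; without it the VACL
! would drop all unmatched traffic on the VLAN.
vlan access-map IDS-CAPTURE 10
 match ip address IDS-CRITICAL-HOSTS
 action forward capture
vlan access-map IDS-CAPTURE 20
 action forward
!
! Apply the map to the server VLAN (VLAN 100 is an assumed value)
vlan filter IDS-CAPTURE vlan-list 100
!
! The port where the external sensor listens. A capture port only
! receives the copied frames; it carries no address and no user traffic.
interface GigabitEthernet3/1
 description IDS sensor monitoring port (VACL capture destination)
 switchport
 switchport capture allowed vlan 100
 switchport capture
!
```

Compared with a plain SPAN session, which mirrors a whole port or VLAN regardless of content, the capture clause bounds the sensor's load by the policy rather than by the wire rate, which is the point of selecting "critical hosts or subnets". Two things to check after applying it: `show vlan access-map` and `show vlan filter` should list the map and its VLAN binding, and a sensor placed on the capture port should see only flows involving the classified subnet; if ordinary VLAN traffic stops, the catch-all `action forward` sequence is missing.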