RE: High availability design of NIDS

From: Gary Halleen (ghalleen_at_cisco.com)
Date: 02/23/05

    To: "'Vincent IP'" <pong@cs.ust.hk>, <focus-ids@securityfocus.com>
    Date: Tue, 22 Feb 2005 18:10:40 -0800
    
    

    Cisco sensors support EtherChannel load-balancing. In this scenario, all
    IDS traffic would automatically be load-balanced to your sensors. If a
    hardware or software issue caused a sensor to fail, then that sensor would
    drop out of the EtherChannel group and all traffic would be sent to the
    remaining sensor(s).

    Gary
     

    -----Original Message-----
    From: Vincent IP [mailto:pong@cs.ust.hk]
    Sent: Tuesday, February 22, 2005 1:27 AM
    To: focus-ids@securityfocus.com
    Subject: High availability design of NIDS

    Hi all,

    I am now designing an NIDS solution. In the design, I would like to include
    a high availability (HA) feature for my NIDS solution so that when one of the
    sensors is dead, the other (resilient) sensor can take up the monitoring job
    automatically.

    If the NIDS is not running in stealthy mode, I think I could use the Cluster
    service of Windows to monitor the network in HA mode (assuming both sensors
    can listen to all traffic in the network).

    However, if I need to run the NIDS in stealthy mode, could I also use the
    Cluster service to monitor the network in HA mode? Are there any products
    already enabling an HA feature?

    Thank you very much.

    Regards,
    Pong

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE
    IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------
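
Added example (not part of the thread, and not Cisco's actual EtherChannel hash): a simplified Python model of the failover behaviour described in the reply above, where flows are hashed across a group of sensors and a failed sensor drops out of the group. The sensor names, flow addresses and the SHA-256/modulo hash are assumptions made for illustration.

```python
# Simplified model of hash-based load balancing across IDS sensors.
# Assumption: SHA-256 + modulo stands in for the switch's real hash.
import hashlib
from collections import Counter

def flow_key(src, dst):
    """Direction-independent key so both halves of a conversation match."""
    return "|".join(sorted((src, dst)))

def pick_sensor(src, dst, sensors):
    """Map a flow to one member of the currently live sensor group."""
    if not sensors:
        raise RuntimeError("no live sensors: traffic is unmonitored")
    digest = hashlib.sha256(flow_key(src, dst).encode()).digest()
    return sensors[int.from_bytes(digest[:4], "big") % len(sensors)]

def assign(flows, sensors):
    """Return {flow: sensor} for every flow."""
    return {f: pick_sensor(f[0], f[1], sensors) for f in flows}

def failover_report(flows, sensors, failed):
    """Compare assignments before and after `failed` leaves the group."""
    before = assign(flows, sensors)
    live = [s for s in sensors if s != failed]
    after = assign(flows, live)
    return {
        "load_before": Counter(before.values()),
        "load_after": Counter(after.values()),
        # Flows whose sensor changed: the new sensor never saw their
        # earlier packets, so stream state for them starts from scratch.
        "moved": sum(1 for f in flows if before[f] != after[f]),
        "from_failed": sum(1 for f in flows if before[f] == failed),
        "unmonitored": sum(1 for f in flows if after[f] == failed),
    }

# Constructed sample flows (RFC 5737 documentation addresses).
FLOWS = [(f"192.0.2.{i}", f"198.51.100.{i % 7 + 1}") for i in range(1, 201)]
SENSORS = ["sensor-a", "sensor-b", "sensor-c"]  # hypothetical names

if __name__ == "__main__":
    for name, value in failover_report(FLOWS, SENSORS, "sensor-b").items():
        print(f"{name}: {value}")
```

Comparing `moved` with `from_failed` shows how many flows on the surviving sensors were also reassigned by the re-hash, which matters for any sensor that tracks TCP stream state.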


