Re: IDS deployment on a Cat6500 series & which Snort box?

[Tony Carter <tcarter () entrusion com>]

A little late but...
according to Cisco's site (  
http://www.cisco.com/en/US/products/hw/switches/ps708/ 
products_data_sheet09186a0080134014.html )
 it can only

# Monitor 100 Mbps of traffic
# Approximately 47,000 packets per second, with a new flow arrival rate  
of 1000 per second

-Tony

On May 23, 2004, at 2:08 PM, Carles Fragoso i Mariscal wrote:

> Hi,
>
> A customer of us is evaluating an outer IDS deployment on its Internet  
> Data
> Center (IDC) core network which consists on a layer-3 enabled Cisco  
> Catalyst
> 6500 series. Its network traffic is under Gig speed but over >200Mbps.
>
> They have been told that the best choice would be a Cisco IDSM2 which  
> is a
> switch-in blade IDS because of it is a network-node IDS and because IOS
> provides some kind of L2/VLAN ACL's which could allow them to capture
> traffic
> from/to selected sources/destinations to IDS (for instance: critical  
> hosts
> or subnets).
>
> Cisco IDSes seems not to be as well-featured as other products:  
> Netscreen
> IDP,
> SourceFire, ISS Proventia etc.
>
> I have been documenting on that and it seems that also exists the
> possibility
> on Cat6500 to do L2/VLAN ACL's to forward matched traffic to a span  
> port,
> that
> could open the chance of using any IDS on that port instead of  
> switch-in
> only
> solution.
>
> - Has anyone a similar deployment to described that could provide their
>   experience on that?
> - Any input regarding IDSM2 experience could also be useful.
>
> They have also asked me if an open-source solution such as Snort could  
> deal
> with Gig traffic and which computer platform would be necessary?
> I have seen on NSS Group report that a dual Xeon CPU with 1 Gig mem  
> minimum
> for Snort 2.x branch is recommended. I imagine that the NIC data bus  
> with
> main
> board should be big enough.
>
> - Any recommendation on which architecture could fit their possible  
> needs?
>
> Thanks in advance guys for your help,
>
> ----------------------------------------------------------------------- 
> -----
> ----
> Carles Fragoso i Mariscal
> Anella Cientifica RREN Incident Response Team (ERIAC) - Incident  
> Handler
> Communications and Operations Dept. - Supercomputing Center of  
> Catalonia
> eMail: cfragoso () cesca es Phone: +34 932056464 Fax: +34 932056979 iDBA:
> 13041*CFM
> ----------------------------------------------------------------------- 
> -----
> ----
>
>
>
>
>
> ----------------------------------------------------------------------- 
> ----
>
> ----------------------------------------------------------------------- 
> ----


---------------------------------------------------------------------------

---------------------------------------------------------------------------