RE: High availability design of NIDS

["Gary Halleen" <ghalleen () cisco com>]

Mike,

I sent you a document the discusses IDSLB.  

The 4200-series appliances support participation in etherchannel, and this
causes events to be load-balanced equally across however many sensors you
have in an etherchannel group.  You will not see duplicate events.

Gary
 

-----Original Message-----
From: Mike Johnson [mailto:mike () enoch org] 
Sent: Tuesday, March 01, 2005 5:30 AM
To: Gary Halleen
Cc: focus-ids () securityfocus com
Subject: Re: High availability design of NIDS

Gary Halleen wrote:
> Cisco sensors support etherchannel load-balancing.  In this scenario, 
> all IDS traffic would automatically be load-balanced to your sensors.  
> If a hardware or software issue caused a sensor to fail, then that 
> sensor would drop out of the etherchannel group and all traffic would 
> be sent to the remaining sensor(s).

Gary,

Can you provide a little more information about this?  We have a bunch of
4240s and have noted that they support etherchannel, but that's usually for
bonding multiple interfaces on the same system.  How does this work for
bonding two separate systems into the same channel?  Also, wouldn't you get
duplicate events?

Thanks!
Mike

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------