Snort mailing list archives

RE: Design questions...


From: "Wayne T Work" <securitygauntlet () snet net>
Date: Tue, 29 Oct 2002 11:15:57 -0500

Well,
 
First I would analyze what the traffic load on the network and T1's is. Use
Ntop, or you can use the native Windows network monitoring to see what you have
going through the gateway. Some program that just measures traffic levels.
 
Second I would look to see what different switched segments you have from an
architectural standpoint. If all the traffic traverses one point, i.e. the
firewall (which I hope you have a very good one in place) then you should
concentrate an initial effort there. 
 
Sometimes it's good to start off simple. Once the value is seen for the
product, then further implementation should be viable. 
As you might know there are a couple of commercial versions of appliance
based Snort IDS companies out there. Sourcefire and Silicon Defense for
example. Check them out if your Boss is into commercial endeavors. 
 
Good luck 
Wayne
 
Remember the KISS method (Keep It Simple Stupid)!! 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jeremy Finke
Sent: Tuesday, October 29, 2002 9:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Design questions...



Hi, hopefully, my email is sorted out now and this will get through... 
I have some performance questions that I hope that someone would be able to
help me out with. 
I am trying to convince my boss to start implementing snort at a serious
level. Problem is, he is a windows/closed source type of guy and I am a
unix/open source type of guy. I am trying to convince him to buy separate
boxes for each of the sensors and then a logging box that has its own
private network to send data across. Ideally, I would have 4 snort sensors
and one of them be an ACID/PHP/MySQL log server. He does not want to pay for
all the boxes because he thinks that they are going to cost $2.5k a pop. I
think that we can go with a non major vendor (pogo linux, penguin computing,
etc....) and get it cheaper, but that is a different story. 

So, he brought up the idea of having one big box and having multiple nics.
Now, I know that this can easily be done using multiple snort processes/conf
files/etc... However, I am wondering about the performance of such a beast.
What type of horsepower do I need to monitor 2 T1s (on separate networks)
and 2 100MB networks (also separate)? Also, it will probably be running the
database as well, on a separate network. Can people give me an idea of what
they are running out there? 

Thanks! 
Jeremy Finke 

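The "one big box, multiple NICs" design Jeremy describes comes down to running one Snort process per monitored interface, each with its own configuration and log directory. The script below is an added example of that layout, not code from this thread or from the Snort project; the interface names, labels and directory paths are assumptions for illustration, and the only Snort options used are the long-standing `-D`, `-i`, `-c`, `-l`, `-b` and `-A` switches.

```shell
#!/bin/sh
# Added example (not from the thread): one Snort process per monitored NIC on
# a single sensor box, each with its own config, log directory and alerts.
# Interface names, labels and paths are assumptions for illustration.

SNORT_BIN="${SNORT_BIN:-snort}"
CONF_DIR="${CONF_DIR:-/etc/snort}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"

# Monitored segments as interface:label pairs (constructed list matching the
# thread's two T1 gateways and two 100 Mb LAN segments).
SENSORS="eth1:t1-a eth2:t1-b eth3:lan-a eth4:lan-b"

# Build the command line for one sensor. A separate <label>.conf per process
# lets HOME_NET and the rule set differ per segment; a separate log directory
# keeps alerts from different networks from interleaving in one file.
#   -D  run as daemon      -i  interface to sniff     -c  config file
#   -l  log directory      -b  tcpdump-format packet log   -A fast  alert mode
snort_cmd() {
    iface=$1
    label=$2
    printf '%s -D -i %s -c %s/%s.conf -l %s/%s -b -A fast\n' \
        "$SNORT_BIN" "$iface" "$CONF_DIR" "$label" "$LOG_DIR" "$label"
}

# Refuse to start if an interface is missing, so a typo or an unplugged NIC
# does not leave a segment silently unmonitored.
iface_exists() {
    [ -e "/sys/class/net/$1" ] || ip link show "$1" >/dev/null 2>&1
}

# Count how many sensor processes the SENSORS list defines.
sensor_count() {
    n=0
    for s in $SENSORS; do n=$((n + 1)); done
    echo "$n"
}

# Default mode is a dry run that only prints the commands; pass "run" to
# create the log directories and actually launch the daemons.
launch_all() {
    mode=${1:-dry}
    for s in $SENSORS; do
        iface=${s%%:*}
        label=${s#*:}
        cmd=$(snort_cmd "$iface" "$label")
        if [ "$mode" = run ]; then
            if ! iface_exists "$iface"; then
                echo "missing interface $iface for sensor $label" >&2
                return 1
            fi
            mkdir -p "$LOG_DIR/$label"
            $cmd   # word-splitting the built command line is intended here
        else
            echo "$cmd"
        fi
    done
}

launch_all "${1:-dry}"
```

In dry-run mode the script just prints the four command lines, which is a convenient way to review per-segment settings before starting anything; the per-interface config files themselves still have to exist under `/etc/snort/` (or whatever `CONF_DIR` is set to).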

