Snort mailing list archives
RE: Snort Deployment Suggestions
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 25 Feb 2004 23:06:21 -0600 (CST)
I am not sure about the prices on the newer IDS Balancers but we have 4 Fiber and 4 Copper Gig connections with 8 10/100 and it cost about 30K. The Crossbeam was about 20K.
I would recommend that if you're going to be watching considerable bandwidth... you need a system capable of polling when needed on network cards.. This likely means freebsd5 with a bunch of intel 100M cards... OR sun v210s or 220s... etc.... the sun machines have quad gigabit built into them and the OS (solaris9) does polling when packets start to fly in high quantities.

There are other (more expensive) options such as the crossbeam hardware and TopLayer devices to aggregate stuff... but when you consider the sun box is $3k... and a TopLayer IDS Balancer is around 100k... (8 gig ports, right?)... it can get very hard to justify.

I would highly recommend NOT using mysql for this... having one centralized server dedicated to serving the data (on Oracle) would give you the best performance... this is assuming you have oracle DBAs... maybe build dmz just for your IDS servers (sounds like 10 or so of them). And run spans from your cisco switches.

Now... where the balancer comes in highly valuable is taking 1 Gigabit connection from a large switch or router and splitting up the VLANs or subnets into separate instances of snort (with their own unique rules based on the systems contained within each)... In this case... the 100k or so you'd pay for it may return its value in time saved for management and incident handling.... And all the enormous headaches given from a snort not finely tuned.

-----Original Message-----
From: Tom Riley [mailto:axtjr () uaa alaska edu]
Sent: Wednesday, February 25, 2004 2:17 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Deployment Suggestions

Greetings,

I have a need for some experienced feedback/wisdom on Snort deployment. I have a large network (50 subnets) that we want to monitor for Intrusion Detection.
Initially my plan was to include 3-4 Snort boxes in various strategic locations, such as the Backbone, behind the firewall of our core servers, and a couple admin specific networks, recording alerts/events to a local MySQL server Database, and having a batch script copying those various MySQL databases into a single Oracle repository for analysis.

After discussion of my plan with management, it was suggested that we monitor all 50 subnets for Intrusion attempts. The only cost effective way I could think to do this was to have multiple servers with 2-4 multiport NICs and setup Snort to monitor each individual subnet. I would have one server as a MySQL database server, have each multiport/MultiNIC machine report back to a local MySQL database, and as before, have all of these MySQL Databases write back to a single Oracle Repository.

Snort Stack

+-----------------------+
| MySQL Server          |
+-----------------------+
+-----------------------+
| Snort #1              |
+-----------------------+
+-----------------------+
| Snort #2              |
+-----------------------+
+-----------------------+
| Snort #3              |
+-----------------------+
+-----------------------+
| Snort #4              |
+-----------------------+

Snort #1-4 being boxes that contain 2-4 Multiport NICs, and saving all their alerts up to the MySQL server. This configuration will be located in 3 locations on campus, and have each of the three MySQL databases batch copy the records over to an oracle database for analysis.

What advice could any of you offer for my situation? What books have you found to be good and useful? Has anyone attempted to use multiport NICs to monitor multiple Networks? Any advice you can provide would be greatly appreciated! :D And, if I get this configuration to work, I'd be happy to document it and share the results.
Thanks,
Tom

*********************************************************
* Tom Riley              tom.riley () uaa alaska edu      *
* Systems Engineer       UAA/ITS Infrastructure Team    *
*                      ----------------                 *
* "What we plant in the soil of contemplation, we shall *
*  reap in the harvest of action."   -Meister Eckhart   *
*********************************************************
Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
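The batch copy from each sensor-local MySQL database into the central Oracle repository that Tom describes, as an added example that is not part of this thread: it uses in-memory SQLite as a stand-in for both backends (an assumption, so the SQL stays portable) and the Snort database output plugin's (sid, cid) event keys as a per-sensor high-water mark, so a re-run or an overlapping cron job never duplicates rows. The names make_db, sync_sensor and demo, and the sample events, are constructed here.

```python
import sqlite3

# Constructed stand-ins: each sensor's local "MySQL" database and the central
# "Oracle" repository are in-memory SQLite here (assumption, not the real backends).
# The event table follows the Snort database output plugin's layout: sid is the
# sensor id, cid is that sensor's monotonically increasing event counter.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, "
               "timestamp TEXT, PRIMARY KEY (sid, cid))")
    return db

def sync_sensor(sensor_db, central_db):
    """Copy only events the central repository has not yet seen for each sid.

    The highest cid already stored centrally is the high-water mark, so rows
    are copied at most once even if the job is re-run. Returns rows copied.
    """
    copied = 0
    for (sid,) in sensor_db.execute("SELECT DISTINCT sid FROM event"):
        row = central_db.execute("SELECT MAX(cid) FROM event WHERE sid=?", (sid,)).fetchone()
        mark = row[0] or 0
        rows = sensor_db.execute(
            "SELECT sid, cid, signature, timestamp FROM event "
            "WHERE sid=? AND cid>? ORDER BY cid", (sid, mark)).fetchall()
        # INSERT OR IGNORE is a second guard: the primary key rejects duplicates.
        central_db.executemany("INSERT OR IGNORE INTO event VALUES (?,?,?,?)", rows)
        copied += len(rows)
    central_db.commit()
    return copied

def central_count(central_db):
    return central_db.execute("SELECT COUNT(*) FROM event").fetchone()[0]

def demo():
    # Constructed scenario: two sensor boxes, each with its own sid; cid restarts at 1 per sensor.
    central = make_db()
    sensor1, sensor2 = make_db(), make_db()
    sensor1.executemany("INSERT INTO event VALUES (?,?,?,?)",
        [(1, 1, 1000, "2004-02-25 14:00:00"), (1, 2, 1001, "2004-02-25 14:01:00")])
    sensor2.executemany("INSERT INTO event VALUES (?,?,?,?)",
        [(2, 1, 2000, "2004-02-25 14:02:00")])
    first = sync_sensor(sensor1, central) + sync_sensor(sensor2, central)  # 3 rows
    rerun = sync_sensor(sensor1, central)  # 0 rows: nothing new since the mark
    sensor1.execute("INSERT INTO event VALUES (1, 3, 1002, '2004-02-25 14:05:00')")
    later = sync_sensor(sensor1, central)  # 1 row: only the new cid
    return first, rerun, later, central_count(central)

if __name__ == "__main__":
    print(demo())  # (3, 0, 1, 4)
```

The high-water mark only works because cid never goes backwards for a given sid; if a sensor database is ever rebuilt and its counter reset, the central sid for that box must change too.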
Current thread:
- Snort Deployment Suggestions Tom Riley (Feb 25)
- Re: Snort Deployment Suggestions Josh Berry (Feb 25)
- <Possible follow-ups>
- RE: Snort Deployment Suggestions Kreimendahl, Chad J (Feb 25)
- RE: Snort Deployment Suggestions Josh Berry (Feb 25)
- Snort Deployment Suggestions Tom Riley (Feb 27)