Snort mailing list archives
Re: Snort in a cluster
From: Jason <security () brvenik com>
Date: Fri, 09 Jul 2004 16:30:21 -0400
Joshua Berry wrote:
One effective way to monitor multiple segments and aggregate asymmetrical links while balancing the load across multiple sensors is with an appliance like TopLayer's IDS Balancer. Then you don't need the BPF filters at all, however, this solution is very pricey. By the way, what are some of the competitors to TopLayer's IDSB, or are there any? I have been having trouble finding a comparison to base pricing on.
I am told that Cisco equipment happily does it in the proper configurations; apparently, using EtherChannel load balancing, you can balance out multiple pipes.
I think it is also acceptable to balance up to 5 tapped 100Mbs links into a single Gbs out. Overloading is not an issue in that case, using more and it is the risk / reward game. 50 taps is simply too much to take risk with IMHO.
Some of the netoptics equipment might be appropriate.

http://www.netoptics.com/products/product_family.asp?cid=3&Section=products&sid=27092389.1006245&menuitem=3
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=28&Section=products&menuitem=4
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=39&Section=products&menuitem=4

Radware has an IDS load balancer. It might not be cheap as it appears to also have limited inline prevention built in.

http://www.radware.com/content/products/fp/default.asp

You could also use a VACL to capture selective traffic.

I believe most switch vendors supply some form of balancing support if they are L3 aware at all.
What is considered very pricey? [...]