Snort mailing list archives

Re: Snort in a cluster


From: Jason <security () brvenik com>
Date: Fri, 09 Jul 2004 16:30:21 -0400



Joshua Berry wrote:

One effective way to monitor multiple segments and aggregate
asymmetrical links while balancing the load across multiple sensors is
with an appliance like TopLayer's IDS Balancer.  Then you don't need the
BPF filters at all; however, this solution is very pricey.

By the way, what are some of the competitors to TopLayer's IDSB, or are
there any?  I have been having trouble finding a comparison to base
pricing on.



I am told that Cisco equipment happily does it in the proper configurations; apparently, using EtherChannel load balancing, you can balance out multiple pipes.

I think it is also acceptable to balance up to 5 tapped 100Mbps links into a single Gbps out. Overloading is not an issue in that case; using more, it is the risk / reward game. 50 taps is simply too much to take risk with IMHO.

Some of the Net Optics equipment might be appropriate.
http://www.netoptics.com/products/product_family.asp?cid=3&Section=products&sid=27092389.1006245&menuitem=3
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=28&Section=products&menuitem=4
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=39&Section=products&menuitem=4

Radware has an IDS load balancer. It might not be cheap as it appears to also have limited inline prevention built in. http://www.radware.com/content/products/fp/default.asp

You could also use a VACL to capture selective traffic.

I believe most switch vendors supply some form of balancing support if they are L3 aware at all.

What is considered very pricey?

[...]


