Snort mailing list archives

Re: IDS Load Balancer


From: Gulfie <gulfie () grotto-group com>
Date: Mon, 27 Feb 2006 03:05:56 -0800

On Sun, Feb 26, 2006 at 11:40:18PM -0800, Angel R wrote:
Dear Bruce,

    We've several high performance servers in the data center, each of whose bandwidth usage reaches about 
300mbps. Our DataCenter connection to our users is several Gigabit Ethernet links and we've no management of the users' 
network. So we've two places to set up our TAPs: the first place is near the servers with about 300mbps and the other place 
is our connection to the users network with about 400-500mbps each. In both of these places, a single IDS sensor cannot 
handle the traffic so I need a Load Balancer-like appliance that can balance the traffic to an IDS sensor farm.

   Please note that I want to analyze all of the traffic and no filter can be applied to this traffic.



        There are IDS load balancers.  I have not used them, though a good googling may get you enough info.

        There are other options.  Multiple taps or spans with BPF filters, or ruleset tuning. 

                <source>  
                          =>    IDS configured for HTTP only traffic
                          =>    IDS configured for NFS traffic 
                          =>    IDS configured for SMTP only traffic
                          =>    IDS configured for other. 
                        or
                <source>  
                          =>    BPF for 10.10.12.0/24  (IDS) 
                          =>    BPF for 10.10.13.0/24  (IDS)
                          =>    BPF for 10.10.14.0/24  (IDS)

        The traffic replication can be done with spans or regeneration taps, the latter being better.  The 
same sort of filtering can also be done with VACLs, and  

        Another option is to pass all the traffic through routers intentionally segregating traffic by net block,
then add the taps there.   Note, the routers'll need to be able to route on source address or use policy based 
routing.

                Before :

                Servers    <-------->    switch  <---> Clients  10.10.12.0/24
                                                   |-> Clients  10.10.13.0/24
                                                   \-> Clients  10.10.14.0/24
                                                        
        
                After : 

                Servers    <-->  Router                         Router  <-->  switch    <---> Clients  10.10.12.0/24
                                    |-->  10.10.12.0/24 bits  <--|                         |-> Clients  10.10.13.0/24
                                    |-->  10.10.13.0/24 bits  <--|                         \-> Clients  10.10.14.0/24
                                    \-->  10.10.14.0/24 bits  <--/                         


                Then tap between the two routers, or better yet, install an inline IPS which will automatically rate 
limit traffic to the capacity that can be IDSed.  As long as clients and servers are on different networks the clients 
need never know they are behind another set of routers / IPSes.  The traffic quantities can be to some extent adjusted 
via routing, or if you'd like through QOS on your two new routers.  
                                        

        So yes, it is possible to have multiple lower power/speed/whatever sensors watching a higher traffic link, 
however there are some nasty corner cases you'll have to watch out for. 

        1) Avg speed vs Bursting speed.  A gige ethernet can sustain 2 gigabits /sec of traffic, even if the 5 minute 
average is only 100 Mbits/sec.  Passive IDSes that don't do enough buffering will get flooded and blinded.  Inline 
fixes that, but impacts users' work by slowing the link down when it gets busy.   The same corner case shows up anywhere 
you can make an IDS slow: # connections /sec, flowtable entries, etc. 

        2) Depending on how traffic is segregated, you may lose detection.  The simple example is a rate based alarm.  
If the alarm trips at 12 events /sec, there are 20 events/sec and a single IDS, the alarm will go off.  If there are 3 
IDSes sharing the load, it may not go off.  Or it may go off three times (bursting). 

        3) Flowbits don't work across IDSes.





                                                                Good luck. 
                                                                -gulfie
 
Thanks

"Briggs, Bruce" <Bruce.Briggs () suny edu> wrote:
 It would be helpful for you to tell us what you mean by a high traffic rate.
 Is it possible to have multiple Snort sensors at lower traffic rate locations in your network and still cover all 
traffic flows that you desire to monitor?
  
 Bruce

  
---------------------------------
 From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Angel R
Sent: Sunday, February 26, 2006 7:35 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IDS Load Balancer


 
Dear All,

     I'm going to start a project to implement an end-to-end IDS solution in a data center. My problem is that the high 
traffic rate in the data center leads me to use a load balancer to balance the traffic to multiple Snort servers. 
I'll be thankful if you help me to find a proper [including commercial] solution.

Thanks all
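The corner case gulfie lists as item 2 above (a rate based alarm that no longer trips, or trips several times, once the load is split across sensors) is easy to reproduce with a small simulation. The following is an added example, not code from the thread or from Snort: it builds a constructed event stream spread across the three client subnets in gulfie's diagrams, hands each event to the sensor whose per-subnet BPF would match it (the second "BPF for 10.10.x.0/24" scheme), runs the same fixed-window threshold on every sensor, and compares the alert count against one sensor that sees everything. The subnets, the 12/sec threshold and the event rates are the figures from the thread; the event timing, host addresses and window logic are assumptions of this example.

```python
"""Simulate a rate based alarm on one sensor vs. three sensors split by subnet.

Constructed data only: the subnets and threshold come from the thread, the
event stream is synthetic.
"""
from collections import Counter
import ipaddress

# Client subnets from gulfie's diagram; one sensor per subnet, as in the
# "BPF for 10.10.12.0/24 (IDS)" layout.
CLIENT_NETS = [ipaddress.ip_network(n)
               for n in ("10.10.12.0/24", "10.10.13.0/24", "10.10.14.0/24")]


def make_events(rate_per_sec, seconds):
    """Constructed event stream: `rate_per_sec` events every second, with source
    hosts cycling through the three client subnets so the load spreads evenly.
    Each event is (timestamp_seconds, source_ip)."""
    events = []
    for sec in range(seconds):
        for i in range(rate_per_sec):
            net = CLIENT_NETS[i % len(CLIENT_NETS)]
            src = str(net.network_address + 10 + (i % 200))  # some host in that /24
            events.append((sec + i / rate_per_sec, src))
    return events


def split_by_subnet(events):
    """Give each event to the sensor whose subnet filter matches its source,
    i.e. what a 'net 10.10.12.0/24' style BPF on each tap/span would deliver."""
    shares = [[] for _ in CLIENT_NETS]
    for ev in events:
        src = ipaddress.ip_address(ev[1])
        for idx, net in enumerate(CLIENT_NETS):
            if src in net:
                shares[idx].append(ev)
                break
    return shares


def rate_alarm_windows(events, threshold, window=1.0):
    """Fixed-window rate alarm (assumed model): count events per `window`
    seconds and return how many windows reached `threshold`, i.e. how many
    alerts this sensor would raise."""
    per_window = Counter(int(t // window) for t, _ in events)
    return sum(1 for n in per_window.values() if n >= threshold)


def compare(rate_per_sec, seconds, threshold):
    """Return (alerts from one sensor seeing all traffic,
               total alerts from three subnet-split sensors with the same threshold)."""
    events = make_events(rate_per_sec, seconds)
    single = rate_alarm_windows(events, threshold)
    split = sum(rate_alarm_windows(share, threshold)
                for share in split_by_subnet(events))
    return single, split


if __name__ == "__main__":
    # Threshold of 12 events/sec as in the post.
    # 20/sec: the single sensor fires every second; each of the three split
    # sensors sees only 6-7/sec and never fires -> detection lost.
    print(compare(20, 5, 12))   # (5, 0)
    # 40/sec: the single sensor fires once per second; every split sensor sees
    # 13-14/sec and fires too, so three alerts where there was one.
    print(compare(40, 5, 12))   # (5, 15)
```

The same thing happens with any per-sensor counter (connections/sec, flowtable growth) and is the reason gulfie's item 3 matters: each sensor's state, flowbits included, covers only its own share of the stream, so thresholds tuned for one sensor have to be revisited once the load is divided.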
  




