IDS mailing list archives

IDS deployment on a Cat6500 series & which Snort box?


From: "Carles Fragoso i Mariscal" <cfragoso () cesca es>
Date: Sun, 23 May 2004 20:08:01 +0200

Hi,

A customer of ours is evaluating an outer IDS deployment on its Internet Data
Center (IDC) core network, which consists of a layer-3 enabled Cisco Catalyst
6500 series. Its network traffic is under Gig speed but over 200Mbps.

They have been told that the best choice would be a Cisco IDSM2, which is a
switch-in blade IDS, because it is a network-node IDS and because IOS
provides some kind of L2/VLAN ACLs which could allow them to capture traffic
from/to selected sources/destinations to the IDS (for instance: critical
hosts or subnets).

Cisco IDSes seem not to be as well-featured as other products: Netscreen IDP,
SourceFire, ISS Proventia etc.

I have been reading up on that and it seems that the possibility also exists
on the Cat6500 to use L2/VLAN ACLs to forward matched traffic to a span port,
that could open the chance of using any IDS on that port instead of a
switch-in only solution.

- Has anyone a deployment similar to the one described who could share their
  experience of it?
- Any input regarding IDSM2 experience could also be useful.

They have also asked me if an open-source solution such as Snort could deal
with Gig traffic and which computer platform would be necessary.
I have seen in the NSS Group report that a dual Xeon CPU with 1 Gig mem
minimum is recommended for the Snort 2.x branch. I imagine that the NIC data
bus with the main board should be big enough.

- Any recommendation on which architecture could fit their possible needs?

Thanks in advance guys for your help,

----------------------------------------------------------------------------
Carles Fragoso i Mariscal
Anella Cientifica RREN Incident Response Team (ERIAC) - Incident Handler
Communications and Operations Dept. - Supercomputing Center of Catalonia
eMail: cfragoso () cesca es Phone: +34 932056464 Fax: +34 932056979
iDBA: 13041*CFM
----------------------------------------------------------------------------




