IDS mailing list archives

RE: IDS deployment on a Cat6500 series & which Snort box?


From: "Gary Halleen" <ghalleen () cisco com>
Date: Thu, 27 May 2004 22:06:18 -0700

That is an extremely outdated page, Tony.  That is our first-generation
blade, which is no longer sold.  I've notified the product team for this so
it can be updated with current information.

The current IDS Module for the Catalyst 6500/7600 family is the IDSM-2,
while you were looking at the IDSM-1.

Here's the correct datasheet:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html

According to this:

Monitor 600Mbps
Monitor 500,000 concurrent connections
Up to 4,000 new TCP connections per second

Please note that in addition to the IDSM-2, we also sell many standalone
appliances, as well as a network module for the access routers.

Gary


-----Original Message-----
From: Tony Carter [mailto:tcarter () entrusion com] 
Sent: Thursday, May 27, 2004 7:08 AM
To: Carles Fragoso i Mariscal
Cc: focus-ids () securityfocus com
Subject: Re: IDS deployment on a Cat6500 series & which Snort box?


A little late but...
according to Cisco's site (
http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a0080134014.html )
it can only

# Monitor 100 Mbps of traffic
# Approximately 47,000 packets per second, with a new flow arrival rate
of 1000 per second

-Tony

On May 23, 2004, at 2:08 PM, Carles Fragoso i Mariscal wrote:

Hi,

A customer of ours is evaluating an outer IDS deployment on its Internet
Data Center (IDC) core network, which consists of a layer-3 enabled Cisco
Catalyst 6500 series. Its network traffic is under Gig speed but over
200Mbps.

They have been told that the best choice would be a Cisco IDSM2, which is a
switch-in blade IDS, because it is a network-node IDS and because IOS
provides some kind of L2/VLAN ACLs which could allow them to capture
traffic from/to selected sources/destinations to the IDS (for instance:
critical hosts or subnets).

Cisco IDSes seem not to be as well-featured as other products: Netscreen
IDP, SourceFire, ISS Proventia etc.

I have been documenting myself on that and it seems that it is also
possible on the Cat6500 to use L2/VLAN ACLs to forward matched traffic to
a SPAN port, which could open the chance of using any IDS on that port
instead of a switch-in-only solution.

- Has anyone a similar deployment to the one described and could provide
  their experience on that?
- Any input regarding IDSM2 experience could also be useful.

They have also asked me if an open-source solution such as Snort could
deal with Gig traffic, and which computer platform would be necessary.
I have seen in the NSS Group report that a dual Xeon CPU with 1 Gig of
memory minimum is recommended for the Snort 2.x branch. I imagine that the
NIC data bus to the main board should be big enough.

- Any recommendation on which architecture could fit their possible
  needs?

Thanks in advance guys for your help,


---------------------------------------------------------------------------
Carles Fragoso i Mariscal
Anella Cientifica RREN Incident Response Team (ERIAC) - Incident Handler
Communications and Operations Dept. - Supercomputing Center of Catalonia
eMail: cfragoso () cesca es Phone: +34 932056464 Fax: +34 932056979 iDBA: 13041*CFM
---------------------------------------------------------------------------
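The VACL capture approach Carles describes, as an added example that is not part of the original thread: a Catalyst 6500 native IOS configuration that forwards all traffic on a VLAN normally and copies only the flows matching an ACL to a capture port, where an external sensor such as Snort listens. The VLAN number, interface, ACL and access-map names, and the 192.0.2.0/24 documentation addresses are assumptions for illustration; confirm the exact VACL capture syntax in the configuration guide for the supervisor and IOS release in use.

```cisco
! Added example (not from the thread). Assumed values: VLAN 100 is the
! IDC server VLAN, Gi1/1 is the port the sensor is cabled to, and
! 192.0.2.10 / 192.0.2.32/27 stand in for the "critical hosts or subnets".

! 1. Classify the traffic worth sending to the sensor (both directions).
ip access-list extended IDS_CRITICAL
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.10 any
 permit ip any 192.0.2.32 0.0.0.31
 permit ip 192.0.2.32 0.0.0.31 any

! 2. VLAN access map: matched traffic is forwarded AND copied to the
!    capture port. A VACL denies anything it does not match, so the
!    second sequence is a catch-all "forward" that keeps all other
!    traffic flowing untouched.
vlan access-map IDS_CAPTURE 10
 match ip address IDS_CRITICAL
 action forward capture
vlan access-map IDS_CAPTURE 20
 action forward

! 3. Apply the map to the VLAN being monitored.
vlan filter IDS_CAPTURE vlan-list 100

! 4. Make the sensor-facing port a capture port restricted to that VLAN.
!    The port only transmits copies; nothing the sensor sends is switched.
interface GigabitEthernet1/1
 description IDS sensor (capture port)
 switchport
 switchport capture
 switchport capture allowed vlan 100
```

The practical difference from a plain SPAN session is that the sensor only receives the subset of the >200Mbps that the ACL selects, so a Snort box well below the NSS Group's dual-Xeon/1 Gig sizing can keep up as long as the selected hosts stay within its budget. The sensor interface should be brought up promiscuous and without an IP address, since the capture port is egress-only from the switch's point of view.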