IDS mailing list archives

Re: High availability design of NIDS


From: Jose Maria Lopez Hernandez <jkerouac () bgsec com>
Date: Thu, 24 Feb 2005 20:34:50 +0100

On Tue, 22-02-2005 at 18:46 +0100, Jose Maria Lopez Hernandez
wrote:
I've installed two snort sensors logging to a MySQL database with
internal storage, using heartbeat, drbd and some hacks, in high
availability. But it runs under Linux. If you are interested, post 
another message and I will tell you how I did it, but you talk about 
Windows, so I don't know if you are interested in the information.

Regards.

As I have received four or five private emails asking about this
project I did, and I have answered privately, but people are still
asking for information on the list, I am posting what I sent to
the people who asked me by private email:

The system was a standard heartbeat configuration,
but using drbd to provide the internal storage
for the high availability system. The system was
a passive-active one, so it was not so difficult.
We are working now on a similar system in
active-active mode, which is much more difficult
to achieve.

What we did was to install two snort sensors with the
same configuration in two machines, and a MySQL
database in each of the machines. We made a partition
on each of the machines for the MySQL database
storage. Then we used drbd to do a RAID-1 over
the crossover ethernet cable we used for the heartbeat
UDP. We used the C mode of drbd to ensure the data
was correctly replicated. With this the passive
system always had the same data as the active one,
almost in real time.

Drbd has a module for heartbeat that allows the
passive machine to use the replicated storage when
there is a failover. And the mysql and snort daemons
were restarted by heartbeat when a failover happened.
Then the new snort starts logging to the new database
and no data is lost. If the first machine restarts,
the second machine acts as a primary drbd server and
replicates the data to the first machine. That was
the solution we used, but there are others. We had
a hub, so we didn't have any ARP problems, so we just
used IP takeover.

The system used some scripts to replicate the snort
rules and some more data with rsync and some other
things, but basically it's what I have explained.

Regards.


-- 

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
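The heartbeat plus drbd layout the post describes, written out as configuration fragments. This is an added illustration, not configuration from the original post or from bgSEC; the hostnames sensor1/sensor2, the 10.0.0.x crossover addresses, /dev/sda5, the 192.0.2.10 service address, the ext3 filesystem and the drbd 0.7 / heartbeat v1 syntax are all assumptions.

```conf
# /etc/drbd.conf (drbd 0.7 syntax): one resource for the MySQL data partition.
# Hostnames, devices and addresses are assumed, not taken from the post.
resource r0 {
  # Protocol C: a write completes only after the peer has written it to its
  # own disk, so the passive node's copy matches the active one at all times.
  # Throughput of the database is therefore bounded by the crossover link.
  protocol C;

  on sensor1 {
    device    /dev/drbd0;
    disk      /dev/sda5;          # partition set aside for MySQL storage
    address   10.0.0.1:7788;      # crossover link, shared with heartbeat
    meta-disk internal;
  }
  on sensor2 {
    device    /dev/drbd0;
    disk      /dev/sda5;
    address   10.0.0.2:7788;
    meta-disk internal;
  }
}

# /etc/ha.d/ha.cf: heartbeat over the crossover cable. A single heartbeat
# path is a split-brain risk; a second path (serial or another NIC) is safer.
udpport   694
bcast     eth1            # crossover interface
keepalive 2
deadtime  30
auto_failback off         # resources stay where they are until moved by hand,
                          # so a returning node finishes its drbd resync first
node sensor1
node sensor2

# /etc/ha.d/haresources: resource group, started left to right on failover
# and stopped right to left. drbddisk promotes r0 to primary, Filesystem
# mounts it, then the MySQL and snort init scripts are started, in that order.
sensor1 IPaddr::192.0.2.10/24/eth0 drbddisk::r0 Filesystem::/dev/drbd0::/var/lib/mysql::ext3 mysql snort
```

The mysql and snort entries are start/stop scripts that heartbeat looks up in /etc/ha.d/resource.d or /etc/init.d; MySQL's datadir has to live on the drbd mount, and only the current primary may mount it.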
