Software router state of the art
wcyoung at buffalo.edu
Wed Jul 23 19:05:30 UTC 2008
We use them here and there (the 1Gig versions). The biggest thing to
think about is the types of rule-sets you'll be using compounded by
the number of flows being created / expired. Once tuned, they work
quite well, but the balance is how fast you can pull/analyze out of
RAM. Compiling the rules down to the card's level speeds things up a
bit, but at the loss of using more dynamic rulesets.
If you can get the raw data to some sort of larger medium (say,
rotating pcaps on a disk), you length the buffer-window. FWIW however,
probably the best way to scale this is get an Xport fiber regen tap,
populate with a few of these, tune them to monitor different segments
based on address space or port ranges. You'll have yourself a
relatively cheap solution, but extremely effective solution.
I've yet to test out the NinjaProbes... It's on my todo list...
On Jul 23, 2008, at 2:21 PM, Christopher Morrow wrote:
> On Wed, Jul 23, 2008 at 11:05 AM, Naveen Nathan <naveen at calpop.com>
>>> The Endace DAG cards claim they can move 7 gbps over a PCI-X bus
>>> the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
>> I wonder, has anyone heard of this used for IDS? I've been looking at
>> building a commodity SNORT solution, and wondering if a powerful
>> card will help, or would the bottleneck be in processing the
>> packets and
>> overhead from the OS?
> snort at 1g & 10g
Network Security Analyst
CIT - University at Buffalo
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2444 bytes
Desc: not available
More information about the NANOG