Software router state of the art
Wes Young
wcyoung at buffalo.edu
Wed Jul 23 19:05:30 UTC 2008
We use them here and there (the 1Gig versions). The biggest thing to
think about is the types of rule-sets you'll be using compounded by
the number of flows being created / expired. Once tuned, they work
quite well, but the balance is how fast you can pull/analyze out of
RAM. Compiling the rules down to the card's level speeds things up a
bit, but at the loss of using more dynamic rulesets.
If you can get the raw data to some sort of larger medium (say,
rotating pcaps on a disk), you lengthen the buffer-window. FWIW however,
probably the best way to scale this is get an Xport fiber regen tap,
populate with a few of these, tune them to monitor different segments
based on address space or port ranges. You'll have yourself a
relatively cheap, but extremely effective solution.
I've yet to test out the NinjaProbes... It's on my todo list...
On Jul 23, 2008, at 2:21 PM, Christopher Morrow wrote:
> On Wed, Jul 23, 2008 at 11:05 AM, Naveen Nathan <naveen at calpop.com>
> wrote:
>>> The Endace DAG cards claim they can move 7 gbps over a PCI-X bus from
>>> the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
>>
>> I wonder, has anyone heard of this used for IDS? I've been looking at
>> building a commodity SNORT solution, and wondering if a powerful network
>> card will help, or would the bottleneck be in processing the packets and
>> overhead from the OS?
>
> http://www.endace.com/our-products/ninja-appliances/NinjaProbe-NIDS
>
> snort at 1g & 10g
>
> -chris
>
--
Wes Young
Network Security Analyst
CIT - University at Buffalo
http://claimid.com/saxjazman9