Intrusion Detection Systems mailing list archives

Re: Gigabit IDS
From: rgula () network-defense com (Ron Gula)
Date: Fri, 07 Jul 2000 16:50:51 -0400


> I know there are many good IDS products out there, but we are in need of a
> solution that can handle gigabit speeds. Are there any products out there
> that can truly handle these high speeds without dropping packets?

When you say Gigabit - what do you mean? We have many customers who have 
Gigabit networks, but do not have 1000 Mb/s of traffic. The Dragon Sensor
can operate at very high speeds without any hardware acceleration, other
than using two CPUs and building a fairly modern system. We've also recently
ported Dragon to make use of an ATM interface and have it working at a
major university. 

I'm curious if anyone has demonstrated a NIDS working at more than 500 Mb/s
in a live environment. We've seen Dragon work comfortably in the 150 Mb/s
to 200 Mb/s range and this is the range most of our gigabit customers are
targeting. 

Another thing we've seen is that at higher data rates, there may be a
large amount of traffic which can be ignored or dedicated to one sensor
while a second sensor looks for generic attacks. Consider a root DNS server
with a sensor set up to look only for DNS attacks in 90% of the traffic
and a second sensor looking at everything else. 

Something you may want to consider is the Toplayer switch. It can take a
'sniffed' stream of traffic and load balance it across multiple interfaces.
I'm not sure how it handles port sweeps and randomized port scans, but if
you have a slower NIDS that you like or have already invested in, it could 
be a solution for you as well. 

Ron Gula, CTO
Network Security Wizards
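
The open question in the message above, how a load-balanced group of sensors sees a port sweep, as an added example that is not part of the original post and does not describe the Toplayer switch's actual behaviour. It compares two assumed distribution policies (per-flow hash and per-source hash) on a constructed scan; the sensor count, alert threshold and addresses are assumptions.

```python
import hashlib
from collections import defaultdict

SENSORS = 4           # assumed number of sensor-facing ports on the balancer
SCAN_THRESHOLD = 30   # assumed sensor rule: distinct dst ports from one source

def _bucket(key: str) -> int:
    """Map a key to a sensor index with a stable hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % SENSORS

def by_flow(pkt) -> int:
    """Assumed policy A: hash the full 5-tuple, so each flow picks its own sensor."""
    return _bucket("|".join(map(str, pkt)))

def by_source(pkt) -> int:
    """Assumed policy B: hash the source address only."""
    return _bucket(pkt[0])

def distribute(packets, policy):
    """Return {sensor: {src: set(dst ports)}}, i.e. what each sensor observes."""
    view = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        src, _sport, _dst, dport, _proto = pkt
        view[policy(pkt)][src].add(dport)
    return view

def sensors_alerting(view):
    """Sensors where some source reaches the port-scan threshold."""
    return sorted(s for s, srcs in view.items()
                  if any(len(ports) >= SCAN_THRESHOLD for ports in srcs.values()))

def max_ports_seen(view, src):
    """Largest number of distinct ports any single sensor saw from src."""
    return max((len(srcs[src]) for srcs in view.values() if src in srcs), default=0)

# Constructed sample: one source probing 40 ports on one host (documentation IPs).
SCAN = [("192.0.2.10", 40000 + i, "198.51.100.5", 1 + i, "tcp") for i in range(40)]

if __name__ == "__main__":
    for name, policy in (("per-flow", by_flow), ("per-source", by_source)):
        view = distribute(SCAN, policy)
        print(name, "max ports on one sensor:", max_ports_seen(view, "192.0.2.10"),
              "alerting sensors:", sensors_alerting(view))
```

With per-flow hashing each sensor sees only a slice of the sweep and none reaches the threshold, while per-source hashing keeps the whole sweep on one sensor at the cost of less even load.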

