
| Subject: | Re: [Snort-users] IDS Load Balancer |
|---|---|
| Date: | Mon, 27 Feb 2006 03:05:56 -0800 |
On Sun, Feb 26, 2006 at 11:40:18PM -0800, Angel R wrote:
> Dear Bruce,
> We've several high performance servers in the data center, each of which
> has bandwidth usage of about 300 Mbps. Our data center connection to our
> users is several Gigabit Ethernet links and we've no management of the users'
> network. So we've two places to set up our TAPs: the first place is near the
> servers with about 300 Mbps and the other place is our connection to the users'
> network with about 400-500 Mbps each. In both of these places, a single IDS
> sensor can not handle the traffic, so I need a load balancer like appliance
> that can balance the traffic to an IDS sensor farm.
> Please note that I want to analyze all of the traffic and no filter can be
> applied to this traffic.
There are IDS load balancers. I have not used them, though a good
googling may get you enough info.
There are other options: multiple taps or spans with BPF filters, or
ruleset tuning.
    <source>
      => IDS configured for HTTP only traffic
      => IDS configured for NFS traffic
      => IDS configured for SMTP only traffic
      => IDS configured for other.
or
    <source>
      => BPF for 10.10.12.0/24 (IDS)
      => BPF for 10.10.13.0/24 (IDS)
      => BPF for 10.10.14.0/24 (IDS)
The traffic replication can be done with spans or regeneration taps,
the latter being better. The same sort of filtering can also be done with VACLs.
Another option is to pass all the traffic through routers intentionally
segregating traffic by net block, then add the taps there. Note, the routers'll
need to be able to route on source address or use policy based routing.
Before:

    Servers <--------> switch <---> Clients 10.10.12.0/24
                              |---> Clients 10.10.13.0/24
                              \---> Clients 10.10.14.0/24

After:

    Servers <--> Router ---- 10.10.12.0/24 bits ---- Router <--> switch <---> Clients 10.10.12.0/24
                       |---- 10.10.13.0/24 bits ----|                   |---> Clients 10.10.13.0/24
                       \---- 10.10.14.0/24 bits ----/                   \---> Clients 10.10.14.0/24
Then tap between the two routers, or better yet, install an
inline IPS which will automatically rate limit traffic to the capacity that can
be IDSed. As long as clients and servers are on different networks the clients
need never know they are behind another set of routers / IPSes. The traffic
quantities can be to some extent adjusted via routing, or if you'd like through
QoS on your two new routers.
So yes, it is possible to have multiple lower power/speed/whatever
sensors watching a higher traffic link, however there are some nasty corner
cases you'll have to watch out for.
1) Avg speed vs bursting speed. A GigE ethernet can sustain 2
gigabits/sec of traffic, even if the 5 minute average is only 100 Mbits/sec.
Passive IDSes that don't do enough buffering will get flooded and blinded.
Inline fixes that, but impacts users' work by slowing the link down when it gets
busy. The same corner case shows up anywhere you can make an IDS slow: #
connections/sec, flowtable entries, etc.
2) Depending on how traffic is segregated, you may lose detection.
The simple example is a rate based alarm. If the alarm trips at 12 events
/sec, there are 20 events/sec and a single IDS, the alarm will go off. If
there are 3 IDSes sharing the load, it may not go off. Or it may go off three
times (bursting).
3) Flowbits don't work across IDSes.
Good luck.
-gulfie
> Thanks
>
> "Briggs, Bruce" <Bruce.Briggs@suny.edu> wrote:
>
> > It would be helpful for you to tell us what you mean by a high traffic rate.
> > Is it possible to have multiple Snort sensors at lower traffic rate locations
> > in your network and still cover all traffic flows that you desire to monitor?
> > Bruce
> >
> > From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Angel R
> > Sent: Sunday, February 26, 2006 7:35 AM
> > To: snort-users@lists.sourceforge.net
> > Subject: [Snort-users] IDS Load Balancer
> >
> > Dear All,
> > I'm going to start a project to implement an end to end IDS solution in a
> > data center. My problem is that the high traffic rate in the data center
> > leads me to use a load balancer to balance the traffic to multiple Snort
> > servers. I'll be thankful if you help me to find a proper [including
> > commercial] solution.
> > Thanks all
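The per-net-block BPF split and the two detection corner cases gulfie lists (split flows and per-sensor rate rules) are easy to check in a small simulation. The script below is an added example, not code from the thread or from Snort; it assumes three sensors, that the servers live in 192.0.2.0/24 (a documentation range) and that the rate rule counts client-to-server packets to TCP/80. The client blocks 10.10.12.0/24 to 10.10.14.0/24 are the ones from the message above. Three sensor assignment schemes are compared: naive round-robin, the per-block `net` BPF filter, and a direction-independent 5-tuple hash for the general case where traffic is not neatly segregated by net block.

```python
"""Added example (not from the Snort-users thread): splitting one high-rate
link across several IDS sensors and checking two of the corner cases raised
in the reply. Assumptions: three sensors, servers in 192.0.2.0/24, rate
rule counts client->server packets to TCP/80."""
import hashlib
import ipaddress
from collections import Counter, defaultdict

# The three client net blocks from the thread, one sensor each.
CLIENT_BLOCKS = [ipaddress.ip_network(n) for n in
                 ("10.10.12.0/24", "10.10.13.0/24", "10.10.14.0/24")]
SERVER_IP = "192.0.2.10"   # assumed server address (documentation range)
N_SENSORS = len(CLIENT_BLOCKS)


def bpf_for_block(block):
    """BPF expression for one sensor. 'net' matches either endpoint, so both
    directions of a client<->server flow reach the same sensor."""
    return f"net {block}"


def netblock_sensor(i, src, sport, dst, dport, proto):
    """Sensor index by the client block either endpoint falls in (the per-net
    BPF scheme). None means no block matches; send that to an 'other' sensor."""
    for idx, blk in enumerate(CLIENT_BLOCKS):
        if ipaddress.ip_address(src) in blk or ipaddress.ip_address(dst) in blk:
            return idx
    return None


def flow_hash_sensor(i, src, sport, dst, dport, proto, n=N_SENSORS):
    """Direction-independent 5-tuple hash for arbitrary address spaces: the
    endpoints are sorted before hashing, so a->b and b->a land on one sensor."""
    a, b = sorted([(src, sport), (dst, dport)])
    key = f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def round_robin_sensor(i, src, sport, dst, dport, proto, n=N_SENSORS):
    """Naive packet-level spraying, kept here as the broken comparison."""
    return i % n


def make_sample():
    """Constructed traffic: 20 clients spread over the three blocks, each
    opening one TCP/80 connection within the same second (request + reply)."""
    pkts, ts = [], 0.0
    for k in range(20):
        client = str(CLIENT_BLOCKS[k % 3][10 + k])
        sport = 40000 + k
        pkts.append((ts, client, sport, SERVER_IP, 80, "tcp"))        # client -> server
        pkts.append((ts + 0.01, SERVER_IP, 80, client, sport, "tcp"))  # server -> client
        ts += 0.04
    return pkts


def flows_split_across_sensors(packets, assign):
    """Number of flows whose packets ended up on more than one sensor. Any
    such flow loses stream reassembly and flowbits state."""
    seen = defaultdict(set)
    for i, (ts, src, sport, dst, dport, proto) in enumerate(packets):
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        seen[key].add(assign(i, src, sport, dst, dport, proto))
    return sum(1 for s in seen.values() if len(s) > 1)


def rate_alarm(packets, assign, threshold, event_port=80):
    """A 'threshold events per second' rule evaluated once globally and once
    per sensor. Returns (seconds fired globally, seconds fired on any sensor)."""
    global_cnt, per_sensor = Counter(), Counter()
    for i, (ts, src, sport, dst, dport, proto) in enumerate(packets):
        if dport != event_port:
            continue
        sec = int(ts)
        global_cnt[sec] += 1
        per_sensor[(assign(i, src, sport, dst, dport, proto), sec)] += 1
    fired_global = {s for s, c in global_cnt.items() if c >= threshold}
    fired_sensor = {s for (_, s), c in per_sensor.items() if c >= threshold}
    return fired_global, fired_sensor


if __name__ == "__main__":
    pkts = make_sample()
    for name, fn in (("round-robin", round_robin_sensor),
                     ("per-netblock BPF", netblock_sensor),
                     ("symmetric flow hash", flow_hash_sensor)):
        print(f"{name:20s} flows split across sensors: "
              f"{flows_split_across_sensors(pkts, fn)}")
    g, p = rate_alarm(pkts, netblock_sensor, threshold=12)
    print(f"rate rule (12/s): fired globally in seconds {sorted(g)}, "
          f"on individual sensors in seconds {sorted(p)}")
```

With the constructed sample, round-robin splits every one of the 20 flows across sensors, while both the per-block BPF and the symmetric hash keep each flow whole. The 20 connections in one second trip a 12/sec rule on a single sensor but never on any of the three (7, 7 and 6 events each), which is corner case 2 in numbers. Note that flow affinity only fixes flowbits within one connection; a flowbit set on one connection and checked on another still breaks unless both connections hash to the same sensor, which is corner case 3 and has no load-balancer fix.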