[unisog] IDS INFO

Mike Iglesias iglesias at draco.acs.uci.edu
Thu Aug 30 17:26:12 GMT 2001

> We are trying to fiugure out a way to gather IDS data via gigabit LX taps,
> but it seems that there are a number of obticles. Apparently, you will
> loose lower level errors if you use port-mirroring on a switch, not to
> mention the amount of data that is lost due to light splitting. Does any
> one have any suggestions or information as to how this might be done? 

You might want to look at the TopLayer switches, which can parcel out
flows to multiple IDS boxes on 100baseT ports.  They have a switch
with 2 gig ports and 12 100mb ports.  It does mean you need multiple
IDS boxes, but that may help handle the load in the long run and allow
you to sent certain types of packets (http for example) to a specific
IDS box.  TopLayer calls this feature "Flow Mirror".  The switch also
has some attack mitigation features to filter out common attacks such
as land, smurf, fraggle, UDP bombs, SYN floods, bogus fragment
offsets, etc.  See http://www.toplayer.com/ for more info.

Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list