[unisog] 10 Gb IDS/IPS and IPv6
Peter Van Epp
vanepp at sfu.ca
Wed Apr 13 23:34:01 GMT 2005
Argus (while not directly an IDS) I believe with the Endance DAG cards
is reputed to be working successfully on OC192 links (although I haven't
personally done so, our first 10 gigE link isn't quite here yet, though it is
close). I pointed out some of the sharp edges in the hardware considering
gig links on argus (but applicable to all of them because it is hardware) in
an article available at:
Memory and PCI bus bandwith are the primary two although at 10 gigs procesor
power (unless you can spread the load over multiple platforms with an inverse
multiplexor of some kind) is going to be a big issue too. I expect thats why
people are saying an applience. With enough money you can do things like
interleaved high speed static memory (with an order of magnitude better cycle
time than any DRAM I'm aware of unfortunatly with a similar magnitude of
additional cost)t. You can also use some of the followon busses to PCI (I was
amused to see that the IBM channel architecture from the 80s mainframes has
now become the new PC poster boy under a new name with FC channel cables :-)).
I expect snort (or any other thing that wants to search packets) is
going to have an exciting time of it at 10 gigs. There isn't a lot of time
between packets. One possible solution as noted is run an inverse mux to
divide the 10 gigE into 10 1 gig links and run 10 IDS/IPS systems on them
(see the salesbeings pricing that movie star house in San Jose yet, but if
you are getting 10 gig links I expect you are already used to sticker shock
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
On Wed, Apr 13, 2005 at 05:04:58PM -0400, Michael Holstein wrote:
> I know some of Endance's DAG cards can do 10gE
> (http://www.endace.com/dag4.3GE.htm) and they have a daughter board
> (http://www.endace.com/dagCoPro.htm) that can do on-chip (FPGA) pattern
> matching (although only at 6.4gbps bidirectional).
> ...and for gear like that, there are Mastercards.
> Mark Newman wrote:
> >Does anyone have any information on 10 Gb IDS/IPS that actually works?
> >I've read that Snort will support up to 8 Gb but, this has to be
> >appliance based.
> >I recently sat in on a presentation by a company named MetaNetworks that
> >will be selling a 10 Gb card (a beta version will be available in a
> >couple of weeks). The card will have up to 604 'embedded' Snort
> >signatures (none of which it seems are content based) that are
> >configurable via a toolkit. My feeling is that their product is not
> >ready for prime time. I saw problems, for one thing, with the way
> >fragmentation is handled with this early rendition of their product.
> >It seems there is a scramble to get something marketable that will
> >support 10 Gb. Has anyone come across anything that looks better than
> >promising? Many of the companies I've talked with are targeting the
> >later half of FY06 for 10 Gb support. What kinds of problems does anyone
> >forsee, besides the obvious, with 10 Gb support?
> >Has anyone seen anything in the way of a mature IDS/IPS that will
> >accommodate IPv6? Snort has ~some~ capabilities. Where are the
> >IDSes/IPSes with complete support for IPv6 (i.e. excluding those that
> >just recognize IPv6 traffic) ?
> >Mark Newman
> >CISSP 67152, GCIA 729
> >Information Security Office - Technical Lead
> >University of Tennessee - Knoxville
> >unisog mailing list
> >unisog at lists.sans.org
> unisog mailing list
> unisog at lists.sans.org
More information about the unisog