[unisog] 10 Gb IDS/IPS and IPv6

Peter Van Epp vanepp at sfu.ca
Wed Apr 13 23:34:01 GMT 2005


	Argus (while not directly an IDS) I believe with the Endace DAG cards
is reputed to be working successfully on OC192 links (although I haven't 
personally done so, our first 10 gigE link isn't quite here yet, though it is
close). I pointed out some of the sharp edges in the hardware considering 
gig links on argus (but applicable to all of them because it is hardware) in 
an article available at:

http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf

Memory and PCI bus bandwidth are the primary two although at 10 gigs processor 
power (unless you can spread the load over multiple platforms with an inverse 
multiplexor of some kind) is going to be a big issue too. I expect that's why
people are saying an appliance. With enough money you can do things like 
interleaved high speed static memory (with an order of magnitude better cycle
time than any DRAM I'm aware of, unfortunately with a similar magnitude of 
additional cost). You can also use some of the follow-on busses to PCI (I was 
amused to see that the IBM channel architecture from the 80s mainframes has 
now become the new PC poster boy under a new name with FC channel cables :-)). 
	I expect snort (or any other thing that wants to search packets) is 
going to have an exciting time of it at 10 gigs. There isn't a lot of time 
between packets. One possible solution as noted is run an inverse mux to 
divide the 10 gigE into 10 1 gig links and run 10 IDS/IPS systems on them 
(see the salesbeings pricing that movie star house in San Jose yet, but if
you are getting 10 gig links I expect you are already used to sticker shock
:-)).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Wed, Apr 13, 2005 at 05:04:58PM -0400, Michael Holstein wrote:
> I know some of Endace's DAG cards can do 10gE 
> (http://www.endace.com/dag4.3GE.htm) and they have a daughter board 
> (http://www.endace.com/dagCoPro.htm) that can do on-chip (FPGA) pattern 
> matching (although only at 6.4gbps bidirectional).
> 
> ...and for gear like that, there are Mastercards.
> 
> ~Mike.
> 
> Mark Newman wrote:
> >Does anyone have any information on 10 Gb IDS/IPS that actually works?
> >
> >I've read that Snort will support up to 8 Gb but, this has to be
> >appliance based.
> >
> >I recently sat in on a presentation by a company named MetaNetworks that
> >will be selling a 10 Gb card (a beta version will be available in a
> >couple of weeks). The card will have up to 604 'embedded' Snort
> >signatures (none of which it seems are content based) that are
> >configurable via a toolkit. My feeling is that their product is not
> >ready for prime time. I saw problems, for one thing, with the way
> >fragmentation is handled with this early rendition of their product.
> >
> >It seems there is a scramble to get something marketable that will
> >support 10 Gb. Has anyone come across anything that looks better than
> >promising? Many of the companies I've talked with are targeting the
> >latter half of FY06 for 10 Gb support. What kinds of problems does anyone
> >foresee, besides the obvious, with 10 Gb support?
> >
> >Has anyone seen anything in the way of a mature IDS/IPS that will
> >accommodate IPv6? Snort has ~some~ capabilities. Where are the
> >IDSes/IPSes with complete support for IPv6 (i.e. excluding those that
> >just recognize IPv6 traffic) ?
> >
> >Mark Newman
> >CISSP 67152, GCIA 729
> >Information Security Office - Technical Lead
> >University of Tennessee - Knoxville
> >
> >
> >_______________________________________________
> >unisog mailing list
> >unisog at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/unisog
> >
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
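Two of the points raised above are easy to put numbers on: how little time a sensor has per packet at 10 gigE, and what an inverse mux that fans the link out to N sensors has to get right. The Python below is an added example, not code from the original post or from Argus, Snort or Endace. It computes the per-frame time budget from the Ethernet wire overhead (8 bytes preamble/SFD plus the 12-byte inter-frame gap) and then contrasts two ways of splitting traffic across sensors: naive per-packet round robin, and a symmetric 5-tuple hash that keeps both directions of a conversation on the same sensor so that stream reassembly and content matching still see whole flows. The packets and the sensor count are constructed sample data.

```python
"""Added example (not part of the original mailing-list post).

Per-packet time budget on a saturated Ethernet link, plus two ways of
spreading a 10 gigE feed over N sensors.  All traffic below is constructed
sample data; the sensor count is an assumed value.
"""
import zlib

# Ethernet puts 8 bytes of preamble/SFD and a 12-byte inter-frame gap
# around every frame; that overhead sets the minimum spacing on the wire.
WIRE_OVERHEAD_BYTES = 8 + 12


def ns_per_frame(link_gbps, frame_bytes):
    """Nanoseconds between frame arrivals on a saturated link.

    frame_bytes is the Ethernet frame including FCS (64 minimum, 1518
    maximum without jumbo frames).  Gb/s is the same as bits per ns.
    """
    bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return bits / link_gbps


def frames_per_second(link_gbps, frame_bytes):
    """Worst-case packet rate the sensor must keep up with."""
    return 1e9 / ns_per_frame(link_gbps, frame_bytes)


def flow_key(pkt):
    """Direction-independent flow identifier: endpoints are sorted so the
    reply packet produces the same key as the request."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return (pkt["proto"], lo, hi)


def sensor_for_packet(pkt, n_sensors):
    """Symmetric 5-tuple hash -> sensor index.  crc32 is used only because
    it is deterministic across runs; any stable hash would do."""
    proto, lo, hi = flow_key(pkt)
    key = f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    return zlib.crc32(key) % n_sensors


def hash_split(packets, n_sensors):
    """Inverse mux with flow affinity: {sensor_index: [packets]}."""
    buckets = {i: [] for i in range(n_sensors)}
    for pkt in packets:
        buckets[sensor_for_packet(pkt, n_sensors)].append(pkt)
    return buckets


def round_robin_split(packets, n_sensors):
    """Naive per-packet striping: balances load well but splits flows."""
    buckets = {i: [] for i in range(n_sensors)}
    for i, pkt in enumerate(packets):
        buckets[i % n_sensors].append(pkt)
    return buckets


def flows_are_intact(buckets):
    """True if every packet of a flow landed on the same sensor."""
    seen = {}
    for idx, pkts in buckets.items():
        for pkt in pkts:
            if seen.setdefault(flow_key(pkt), idx) != idx:
                return False
    return True


# Constructed sample traffic: three TCP conversations, request then reply.
SAMPLE_PACKETS = [
    {"proto": 6, "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"proto": 6, "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40001},
    {"proto": 6, "src": "10.0.0.6", "sport": 40002, "dst": "192.0.2.11", "dport": 443},
    {"proto": 6, "src": "192.0.2.11", "sport": 443, "dst": "10.0.0.6", "dport": 40002},
    {"proto": 6, "src": "10.0.0.7", "sport": 40003, "dst": "192.0.2.12", "dport": 25},
    {"proto": 6, "src": "192.0.2.12", "sport": 25, "dst": "10.0.0.7", "dport": 40003},
]
N_SENSORS = 10  # assumed: one 1 gig sensor per lane of the inverse mux

if __name__ == "__main__":
    for gbps in (1, 10):
        print(f"{gbps:>2} Gb/s: {ns_per_frame(gbps, 64):7.1f} ns per 64-byte frame, "
              f"{frames_per_second(gbps, 64) / 1e6:5.2f} Mpps; "
              f"{ns_per_frame(gbps, 1518):7.1f} ns per 1518-byte frame")
    print("round robin keeps flows intact:", flows_are_intact(round_robin_split(SAMPLE_PACKETS, N_SENSORS)))
    print("symmetric hash keeps flows intact:", flows_are_intact(hash_split(SAMPLE_PACKETS, N_SENSORS)))
```

At minimum-size frames the budget is 67.2 ns per packet at 10 gigE against 672 ns at 1 gigE, which is the "not a lot of time between packets" point in numbers. The symmetric hash does not balance load as evenly as round robin (one heavy flow stays on one sensor), but it is the only one of the two that leaves a per-flow signature engine with anything to match on.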