[unisog] 10 Gb IDS/IPS and IPv6
cgaylord at vt.edu
Thu Apr 14 16:47:15 GMT 2005
BACHAND, Dave (Info. Tech. Services) wrote:
>Don't think it's a full IDS, but Foundry's boxes can do sFlow analysis
>at 10GB. They claim it's the same technology that SNORT uses, so you
>might be able to kluge something together.

sFlow is definitely *not* an IDS (I'll ignore the "IPS" marketing
blather), but there are some who use it with snort, ntop, et al. The
next version of sFlow (version 5) should be "flow-based" instead of
quasi-periodic sampling, but this is still largely vaporous. InMon
documented the original version in an informational RFC, 3176.

I think sFlow is very interesting, but it really was thought of first as
being a scalable method to do netflow-type accounting. The use of it as
a "security" technology is not complete. Being sampled, however, it is
easier to scale to high data rates, but at the loss of rare event
information ... which is exactly the information you need for good IDS.

Another cool thing with Foundry's approach to sFlow, though, is that
they do it in all their boxes, from Big to Edge. Having this kind of
"scalable visibility", if you will, at the edge is intriguing. I'm
quite curious about how people have found this functionality.
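The point about sampling losing rare-event information can be put in numbers. Under the 1-in-N random packet sampling that RFC 3176 describes, a flow of k packets contributes no samples at all with probability (1 - 1/N)^k, so a bulk transfer is essentially always visible while a single-packet probe or a five-packet scan is almost always missed. The script below is an added illustration, not code from the post or from any sFlow implementation; the traffic mix and the sampling rates 1:128 and 1:2048 are constructed values, chosen only to show the effect, and the "visibility" helpers are hypothetical names introduced here.

```python
import math
import random

# Constructed traffic mix (not from the post): flow name -> packets in the flow.
# A busy link carries large bulk transfers alongside tiny events such as a
# single-packet probe or a short scan; the tiny ones are what an IDS
# signature would need to see.
TRAFFIC_MIX = {
    "bulk_transfer": 100_000,
    "web_session": 60,
    "short_scan": 5,
    "single_packet_probe": 1,
}


def miss_probability(packets_in_flow: int, sampling_rate: int) -> float:
    """Probability that a flow of k packets contributes no samples at all
    under 1-in-N random packet sampling (each packet independently picked
    with probability 1/N)."""
    if sampling_rate < 1 or packets_in_flow < 0:
        raise ValueError("sampling_rate >= 1 and packets_in_flow >= 0 required")
    return (1.0 - 1.0 / sampling_rate) ** packets_in_flow


def max_sampling_rate(packets_in_flow: int, target_visibility: float) -> int:
    """Largest N such that a k-packet flow is sampled at least once with
    probability >= target_visibility, i.e. solve 1 - (1 - 1/N)^k >= target."""
    if not (0.0 < target_visibility < 1.0) or packets_in_flow < 1:
        raise ValueError("need 0 < target_visibility < 1 and at least one packet")
    per_packet_miss = (1.0 - target_visibility) ** (1.0 / packets_in_flow)
    # small epsilon guards against 7.9999999 rounding down to 7
    return max(1, int(1.0 / (1.0 - per_packet_miss) + 1e-9))


def simulate_visibility(mix, sampling_rate, trials=4000, seed=7):
    """Monte Carlo check of miss_probability. Rather than rolling a die per
    packet, draw the index of the first sampled packet directly from the
    geometric distribution; this is exact and O(1) per flow per trial."""
    rng = random.Random(seed)
    p = 1.0 / sampling_rate
    seen = {name: 0 for name in mix}
    for _ in range(trials):
        for name, k in mix.items():
            if p >= 1.0:
                first_sampled = 1
            else:
                u = rng.random()
                first_sampled = int(math.log(1.0 - u) / math.log(1.0 - p)) + 1
            if first_sampled <= k:
                seen[name] += 1
    return {name: seen[name] / trials for name in mix}


def report(mix, sampling_rate):
    """(flow name, packets, analytic P(seen)) rows for one sampling rate."""
    return [(name, k, 1.0 - miss_probability(k, sampling_rate))
            for name, k in mix.items()]


if __name__ == "__main__":
    for rate in (128, 2048):
        print(f"1-in-{rate} sampling")
        for name, k, vis in report(TRAFFIC_MIX, rate):
            print(f"  {name:20s} {k:>7d} packets  P(seen) = {vis:.4f}")
        sim = simulate_visibility(TRAFFIC_MIX, rate)
        print("  simulated:", {n: round(v, 3) for n, v in sim.items()})
    print("largest N that still shows a 5-packet scan at least half the time:",
          max_sampling_rate(5, 0.5))
```

Running it shows the asymmetry the post describes: at 1:2048 the bulk transfer is seen with probability indistinguishable from 1, while the single-packet probe is seen about 0.05% of the time and the five-packet scan about 0.24% of the time. The `max_sampling_rate` helper turns the trade-off around for a defender: to catch a five-packet event even half the time, N has to be 7 or lower, which is far below what a 10 Gb interface can afford to export.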