[unisog] 10 Gb IDS/IPS and IPv6

Clark Gaylord cgaylord at vt.edu
Thu Apr 14 16:47:15 GMT 2005

BACHAND, Dave (Info. Tech. Services) wrote:

>Don't think it's a full IDS, but Foundry's boxes can do S-FLO analysis
>at 10GB.  They claim it's the same technology that SNORT uses, so you
>might be able to kluge something together. 

SFlow is definitely *not* an IDS (I'll ignore the "IPS" marketing 
blather), but there are some who use it with snort, ntop, et al.  The 
next version of SFlow (version 5) should be "flow-based" instead of 
quasi-periodic sampling, but this is still largely vaporous.  InMon 
documented the original version in an informational RFC, 3176. 

I think SFlow is very interesting, but it really was thought of first as 
being a scalable method to do netflow-type accounting.  The use of it as 
a "security" technology is not complete.  Being sampled, however, it is 
easier to scale to high data rates, but at the loss of rare event 
information ... which is exactly the information you need for good IDS.

Another cool thing with Foundry's approach to SFlow, though, is that 
they do it in all their boxes, from Big to Edge.  Having this kind of 
"scalable visibility", if you will, at the edge is intriguing.  I'm 
quite curious about how people have found this functionality.
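
The trade-off described in the message above (sampling keeps volume accounting accurate but loses rare events), as an added example that is not part of the original post. It assumes each packet is sampled independently with probability 1/N, a simplification of sFlow's packet sampling; the packet counts and sampling rate are constructed.

```python
import random


def miss_probability(event_packets: int, sampling_n: int) -> float:
    """Chance that none of an event's packets is sampled at 1-in-N.

    Assumption: packets are sampled independently with probability 1/N.
    """
    return (1.0 - 1.0 / sampling_n) ** event_packets


def simulate(total_packets, event_packets, sampling_n, trials, seed=1):
    """Monte Carlo over constructed traffic: bulk traffic plus one rare event.

    Returns (mean scaled-up estimate of the bulk packet count,
             fraction of trials in which the rare event left no sample).
    """
    rng = random.Random(seed)
    bulk = total_packets - event_packets
    p = 1.0 / sampling_n
    est_sum = 0.0
    missed = 0
    for _ in range(trials):
        bulk_samples = sum(1 for _ in range(bulk) if rng.random() < p)
        event_samples = sum(1 for _ in range(event_packets) if rng.random() < p)
        est_sum += bulk_samples * sampling_n  # accounting: scale samples by N
        if event_samples == 0:                # detection: nothing to inspect
            missed += 1
    return est_sum / trials, missed / trials


if __name__ == "__main__":
    # Constructed scenario: 20,000 packets, 5 of which belong to the rare event.
    est, missed = simulate(20_000, 5, sampling_n=100, trials=200)
    print(f"bulk estimate ~{est:.0f} packets (true 19995)")
    print(f"rare event unseen in {missed:.0%} of runs "
          f"(analytic {miss_probability(5, 100):.0%})")
    for n in (10, 100, 1000):
        print(f"1-in-{n}: 5-packet event missed with p={miss_probability(5, n):.3f}, "
              f"1000-packet event with p={miss_probability(1000, n):.3f}")
```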


