[unisog] Any GigaVUE 420 opinions?

John Ives jives at security.berkeley.edu
Fri Aug 15 16:57:24 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Van Epp wrote:
> 	Is anyone using a GigaVUE-420 (http://www.gigamon.com/) at 10 gigs?
> I have an application where I'd like to aggregate 3 FDX gig connections in to
> a 10 gig monitor box and this device looks to be able to do that (at least
> on the current hardware: the overhead projector of the vendor :-)). I'd 
> appreciate comments / problems / sharp edges to watch for / experiences from 
> anyone using one at any speed (but especially at 10 gigs). Experiences with 
> driving the box from passive optical taps would also be of interest (what me
> paranoid, nah :-)). It looks like it should work (certainly at gig and above
> where HDX isn't an option) but I have been bitten before most notably by early 
> SysKonnect fibre gig cards which do default to HDX and disaster on a tap
> without education in the form of a manual FDX option on the driver :-)). If 
> you reply to me I'll summarize back to the list in a week or so if I get any 
> replies. 

We have one and are rather happy with it.  So far we haven't pushed more
than 1.7 or so gigs through it at a time, but the performance has been
what we expected and being able to pre-filter the packets going to each
box has decreased the interrupt load on the IDS boxes by around 70%.  My
plan (which we have partially implemented) is to use this to make a
pseudo-cluster of snort boxes in which each box is a relatively
inexpensive off-the-shelf system, each of which is identically
configured (using cfengine or something similar to manage changes) and
only watches part of the overall bandwidth.

As for the unit itself, I have only had relatively minor issues:

  o better monitoring of load distribution so I can more easily divide
the traffic evenly amongst the 'cluster'
  o there is a non-configurable cap on the number of filters that can be
 assigned to each port.  While the cap is generally fairly reasonable, I
have a couple, places where I would like to test using a large number of
filters for a special monitoring project and that isn't currently
possible.  I have met with the engineers a few times because they are a
relatively local company and they have assured me that the number of
filters per port will be configurable in the future.
  o a bpf style filtering syntax (there syntax is adequate, but bpf is
something of a standard and I already know it)
  o rules would be easier to write if addresses/netblocks/ports could be
put in non directionally.  If, for example, I want to send all traffic
to/from 10.10.10.0 to one port, I need to write two rules.  This isn't a
big deal until you need to write large numbers of filters.
  o I think ssh should be the default method of managing the unit across
the network.  ssh is there, but you have to turn off telnet in order to
use it.

Of these the first two are the only ones that have been real issues for
me (and even there not large ones), the remaining three are more
suggestions I have made than anything.

John

- --
- -------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security			     Cell (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJIpbV0AAoJEJkidK6qbywsetUH/iXGny2aJwuETKsOQSRItvZY
Ootm0QE9E3z+qqIiKGMFOCyasXBDaCqAj2Zb4BUNAW4eB3QD4iwofy7UZryHmAZS
fQutIRjgm73QDns4Z+Pg2jkBZtrhTDfiAGn8ohSo50HAIDHEcOkTOzFqTP+Xyh7x
TtLHSNSrzR7I93cfdoK8H0jhmz0iM74xOYW86yiE/V9fX//x5xCs5F2DcqgkNsgA
IAOWY4+p6JOUC8zvmbZVEo4KmhJ7ns2MfvlSvBW8Yz7IIHd5OtFrWGeUQ8c55TNh
251ch/imioMIDlG91OzS/QKwBqHBBl97fYP64/ZxCa6l+ViMG4wGbd8R4pEFh84=
=R5IF
-----END PGP SIGNATURE-----



More information about the unisog mailing list