Intrusion Detection Systems for Gigabit Networks?
caelyx asks: "I've got to evaluate various IDS solutions for use on a gigabit network. While I've had experience using and configuring snort, I haven't used many of the commercial solutions (Dragon, RealSecure, ManHunt, etc). I guess I'm mostly concerned with signature quality and depth, the power of the analysis console(s) and a robust engine that won't drop packets on a busy network. What experiences have Slashdot readers had with various NIDS or hybrid NIDS/HIDS solutions? Suggestions?" Ask Slashdot last touched this topic in this discussion, but it didn't focus on the needs for a Gigabit network. How well do the solutions mentioned therein perform on such a high end network?
Sourcefire is the commercial arm of snort. Marty Roesch, the original author of snort, is a founder of the company. They sell appliances that run Linux and snort. The appliances are the NS3000 sensors, which do gigabit.
I've tested Dragon on gigabit networks. As long as you have a big machine it should do alright. Use Linux because the Solaris kernel sucks for packet performance.
I'd expect FreeBSD would also have good performance, but they didn't produce a 6.0.1 build for FreeBSD (they told me it's around the corner, but there's not much demand for it. I'm running the Solaris variant at work).
Ultimately, I'd say contact Enterasys and ISS with your needs and ask for a demo license. Everyone's situation is different. You may decide snort fits your needs, or you may need something else.
Try Intrusion.com. (You owe me a nickel, Ward.)
They have a pretty slick NetFlow-/capture-based anomaly-detection system (somewhat called their 'DoS' product) which does a good job of macro-analysis, helping you figure out how to steer IDS in order to keep it from getting overwhelmed by a torrent of information.
More info here.
From someone who knows. Their box is basically a cheapo generic Micro ATX (or if you are "Enterprise" you get a generic 1U ) box, running Linux w/IPSec, IPTables and Snort. No HW redundancy, off the shelf IDE drives... guess how reliable they are. No flexibility - their design requires you to change YOUR firewall (add interfaces, etc) rather than them configuring THEIR product. Yuck.
Netscreen has a product that will supposedly do what you want. I haven't had a chance to play with one yet, so I can't give you firsthand knowledge of it.
One of the things you'll notice is that with that much traffic, you are going to get amazing amounts of false alarms. The Netscreen product has some cool features to reduce or eliminate false alarms altogether.
I used a couple of different IDS systems on a 135Mb/sec link, and ISS and Snort could not handle it. 100% CPU all the time. Netscreen is also planning on integrating their IP ASIC into the unit to give it even higher throughput.
Symantec Manhunt (formerly Recourse) is a commercial IDS which kicks the crap out of every other IDS I've ever used. It runs on Solaris (or Windows for the foolhardy) and looks for traffic anomalies. You can compile in snort rules for it to check against and it just flies. It will correlate events from multiple sources or Manhunt nodes and can reconfigure your routers in real time to block DoS attacks. I don't work for Symantec and don't like most of their tools, but buying Recourse gave them a slick IDS.
Have a look at www.nss.co.uk. They do a pretty good review of gig NIDS. I think it costs like 50USD though.
Their prices aren't bad; you could easily justify them.
(You can read their case studies here)
ISS' Real Secure Network Sensors support Gb networks. I use their sensor on some slower networks and I've been happy. They have a lot of good signatures, and have started adding a lot more "audit" signatures. The audits let you look for more than just exploits: things like P2P apps, IM (if you want), etc.