[Snort-users] Hardware suggestions

Martin Roesch roesch at ...421...
Fri Mar 2 01:05:18 EST 2001

"shawn . moyer" wrote:
> Martin Roesch wrote:
> > There are IDS accelerators on the horizon from a number of the
> > commercial NIDS vendors (there might even be one for Snort...) but at
> > this time I don't know of any that are actual shipping commercial
> > products.
> I didn't mention this because I've spoke with the guys who came up with
> it and I think it's mostly hype, but ISS claims to be able to do Gig,
> sorta...They use a TopLayer load balancing switch and seven Nokia IDS
> appliances, and separate the traffic by protocol -- this supposedy
> works, but since RealSecure doesn't tell you about packet loss anyway,
> it's hard to tell if it really does... All this for the low, low, price
> of @ $.5M !
> http://www.iss.net/customer_care/resource_center/realsecure_tech_center/tips_tricks/index.php

Um, yeah.....

Well, I wouldn't exactly call that a "solution", more like a kludge. 
TopLayers are frequently used by NIDS vendors to take their solutions
beyond 100Mbps with varying results.  Does anyone know if RS can
actually handle 100Mbps on a single sensor yet?  Last I heard they still
weren't in the ball park.  The TopLayer isn't really an acelerator, it
just slows specific streams down to tolerable levels for sensors that
wouldn't have a prayer otherwise.

> As far as Dragon, I haven't seen it in practice, but I believe the
> caveat was a Gig segment at 50% load, and the price was pretty close to
> what you mentioned from Network Ice.

Maybe spiking to 50% load I'd believe, but beyond that....


Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list