[Snort-users] Looking for recommendations for distributed Snort GiGE Sensors (network architecture described in message)

Landon Stewart lstewart at ...10705...
Mon Dec 8 23:49:04 EST 2003


Any recommendations on hardware (for now) are greatly appreciated.  Cost 
effectiveness is important, so a minimum to do the job.  I don't want to get 
into load balancing on multiple 100 Mbit links if possible, as the iron is 
too costly.

- I've seen discussion about bus speeds and the maximum data that can be 
processed with those bus speeds.  What is my minimum?  Could I get away 
with a 33 MHz bus?
- What if I use fiber GigE links?

Network description (hardware/throughput):

NOC 1:
	Router - CORE1 - Cisco 12008 GSR
		PIPE	1 Gbit/s
		AVG	140 Mbit/s
		PEAK	184 Mbit/s
	Router - CORE2 - Cisco 12008 GSR
		PIPE	1 Gbit/s
		AVG	102 Mbit/s
		PEAK	180 Mbit/s
Both routers distribute traffic to their own distribution switches (each 
one is a CAT5513).
Visualize this at: http://nsssc.superb.net/img/dca1-fall2003.gif

NOC 2:
	Router - CORE1 - Cisco 12012 GSR
		PIPE	1 Gbit/s
		AVG	110 Mbit/s
		PEAK	130 Mbit/s
	Router - CORE2 - Cisco 12012 GSR
		PIPE	1 Gbit/s
		AVG	200 Mbit/s
		PEAK	280 Mbit/s
Both routers distribute traffic to their own distribution switches (each 
one is a CAT4912G).
Visualize this at: http://nsssc.superb.net/img/dca2-fall2003.gif

- If you could look at the URLs listed to visualize the networks, where 
would the best place be to put mirrored sensors, and what kind of hardware 
would I require?
- What kind of requirements would I need for the centralized database 
system to store the alerts given the amount of IDS data that might be 
produced?  Does it need SCSI or striped RAID?  Could I get away with a good 
SCSI drive and some good RAM?
- Other than ACID what are the other *good* analysis consoles?


I had thought maybe EACH core router (or distribution switch) would require:
	1 x fast machine like a DUAL 2.4 GHz with 1 GB of RAM
	1 x GigE interface (fiber?)

- Could I get away with one sensor for each NOC, where each of those sensors 
would have two GigE interfaces, or would that be too much data to 
process?  I doubt I could do two CORE routers on one machine, but what do 
you think?
	
More complete network architecture information can be found at:
http://nsssc.superb.net/information/dca1net-info.php and
http://nsssc.superb.net/information/dca2net-info.php

Thank you to anyone who responds with any information!
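As an added illustration (not part of the original post or any reply to it), the following Python script turns the sizing questions above into a back-of-the-envelope check: it takes the PEAK figures the poster lists for each core link, works out the aggregate load and worst-case packet rate one sensor per NOC would face, and compares that against the theoretical bandwidth of the PCI bus variants of the time. The bus figures are the bus specifications (width times clock); the 50% usable-bus efficiency, the 64-byte worst-case frame, and the 2 KB-per-alert database estimate are assumptions and are labelled as such in the code.

```python
"""Capacity check for the distributed GigE Snort sensor question.

Added example; link figures come from the post, everything marked
'assumption' is a rule of thumb and not a measured value.
"""

# Theoretical PCI bus bandwidth in bit/s: bus width x bus clock.  These are
# the bus specifications; sustained DMA rates into a sniffer are lower.
PCI_BUSES_BPS = {
    "PCI 32-bit/33 MHz": 32 * 33_000_000,
    "PCI 64-bit/66 MHz": 64 * 66_000_000,
    "PCI-X 64-bit/133 MHz": 64 * 133_000_000,
}

# Assumption: a capture NIC rarely gets more than about half the theoretical
# bus rate once DMA setup, disk and other devices sharing the bus are counted.
BUS_EFFICIENCY = 0.5

# Ethernet on-the-wire overhead per frame: preamble + SFD (8 bytes) and the
# inter-frame gap (12 bytes), in addition to the 64..1518-byte frame.
WIRE_OVERHEAD_BYTES = 20

# PEAK figures from the post, in Mbit/s, per core router link.
NOC_PEAKS_MBPS = {
    "NOC 1": {"CORE1": 184, "CORE2": 180},
    "NOC 2": {"CORE1": 110, "CORE2": 280},
}


def packets_per_second(mbps: float, frame_bytes: int) -> float:
    """Frames per second a bit rate works out to at a fixed frame size.

    Small frames are what hurt an IDS: per-packet cost dominates, so size the
    box for 64-byte frames, not for the average.
    """
    return mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def aggregate_peak_mbps(noc: str) -> int:
    """Load one sensor would see if it mirrored every core link in a NOC."""
    return sum(NOC_PEAKS_MBPS[noc].values())


def bus_fits(bus: str, offered_mbps: float,
             efficiency: float = BUS_EFFICIENCY) -> bool:
    """True if the offered load stays under the usable share of the bus."""
    usable_mbps = PCI_BUSES_BPS[bus] * efficiency / 1_000_000
    return offered_mbps <= usable_mbps


def worst_case_mirror_mbps(link_mbps: int = 1000) -> int:
    """A SPAN/mirror of a full-duplex link copies both directions, so a
    saturated 1 Gbit/s link can present up to 2 Gbit/s to the mirror port,
    which itself can only forward 1 Gbit/s: the switch will drop the rest."""
    return 2 * link_mbps


def estimated_db_growth_gb_per_month(alerts_per_day: int,
                                     bytes_per_alert: int = 2048) -> float:
    """Assumption: about 2 KB per stored alert (event row, IP/TCP header
    rows, captured payload and indexes)."""
    return alerts_per_day * bytes_per_alert * 30 / 1e9


if __name__ == "__main__":
    for noc in NOC_PEAKS_MBPS:
        peak = aggregate_peak_mbps(noc)
        print(f"{noc}: aggregate peak {peak} Mbit/s, "
              f"{packets_per_second(peak, 64):,.0f} pps at 64-byte frames")
        for bus in PCI_BUSES_BPS:
            print(f"  {bus}: {'ok' if bus_fits(bus, peak) else 'too slow'}")
    print("Two GigE links at line rate on PCI 32-bit/33 MHz:",
          bus_fits("PCI 32-bit/33 MHz", 2000))
    print("Mirror of one saturated full-duplex GigE link (Mbit/s):",
          worst_case_mirror_mbps())
    print("DB growth at 100k alerts/day (GB/month):",
          estimated_db_growth_gb_per_month(100_000))
```

On the post's own numbers the aggregate peak per NOC (364 and 390 Mbit/s) sits under the usable share of even a 32-bit/33 MHz bus, so one two-interface sensor per NOC is not ruled out by the bus alone; what rules a 33 MHz bus out is provisioning for the pipe rather than the current peak, since two GigE links at line rate (2000 Mbit/s) exceed the bus's theoretical 1056 Mbit/s before any efficiency loss. The mirror-port caveat cuts the other way: a SPAN of a busy full-duplex link can exceed what a single GigE mirror port can carry, so the switch, not the sensor, may be the first place packets are lost.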




