[Snort-users] Snort Deployment Suggestions

Josh Berry josh.berry at ...10221...
Wed Feb 25 21:09:01 EST 2004


I am not sure about the prices on the newer IDS Balancers but we have 4
Fiber and 4 Copper Gig connections with 8 10/100 and it cost about 30K. 
The Crossbeam was about 20K.


> I would recommend that if you're going to be watching considerable
> bandwidth... you need a system capable of polling when needed on network
> cards..  This likely means freebsd5 with a bunch of intel 100M cards...
> OR  sun v210s or 220s... etc.... the sun machines have quad gigabit
> built into them and the OS (solaris9) does polling when packets start to
> fly in high quantities.   There are other (more expensive) options such
> as the crossbeam hardware and TopLayer  devices to aggregate stuff...
> but when you consider the sun box is $3k... and a TopLayer IDS Balancer
> is around 100k... (8 gig ports, right?)... it can get very hard to
> justify.
>
>
>
> I would highly recommend NOT using mysql for this... having one
> centralized server dedicated to serving the data (on Oracle) would give
> you the best performance... this is assuming you have oracle DBAs...
> maybe build dmz just for your IDS servers (sounds like 10 or so of
> them).  And run spans from your cisco switches.
>
>
>
> Now... where the balancer comes in highly valuable is taking 1 Gigabit
> connection from a large switch or router and splitting up the VLANs or
> subnets into separate instances of snort (with their own unique rules
> based on the systems contained within each)... In this case... the 100k
> or so you'd pay for it may return its value in time saved for management
> and incident handling.... And all the enormous headaches given from a
> snort not finely tuned.
>
>
>
>
>
>
>
> -----Original Message-----
> From: Tom Riley [mailto:axtjr at ...11294...]
> Sent: Wednesday, February 25, 2004 2:17 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort Deployment Suggestions
>
>
>
> Greetings,
>
>
>
> I have a need for some experienced feedback/wisdom on Snort deployment.
> I have a large network (50 subnets) that we want to monitor for
> Intrusion Detection.
>
>
>
> Initially my plan was to include 3-4 Snort boxes in various strategic
> locations, such as the Backbone, behind the firewall of our core
> servers, and a couple of admin-specific networks, recording alerts/events
> to a local MySQL server database, and having a batch script copying
> those various MySQL databases into a single Oracle repository for
> analysis.
>
>
>
> After discussion of my plan with management, it was suggested that we
> monitor all 50 subnets for Intrusion attempts. The only cost effective
> way I could think to do this was to have multiple servers with 2-4
> multiport NICs and setup Snort to monitor each individual subnet. I
> would have one server as a MySQL database server, have each
> multiport/MultiNIC machine report back to a local MySQL database, and as
> before, have all of these MySQL Databases write back to a single Oracle
> Repository.
>
>
>
> Snort Stack
>
> +-----------------------+
> |  MySQL Server         |
> +-----------------------+
> +-----------------------+
> |  Snort #1             |
> +-----------------------+
> +-----------------------+
> |  Snort #2             |
> +-----------------------+
> +-----------------------+
> |  Snort #3             |
> +-----------------------+
> +-----------------------+
> |  Snort #4             |
> +-----------------------+
>
>
>
> Snort #1-4 being boxes that contain 2-4 Multiport NICs, and saving all
> their alerts up to the MySQL server.
>
>
>
> This configuration will be located in 3 locations on campus, and have
> each of the three MySQL databases batch copy the records over to an
> oracle database for analysis.
>
>
>
> What advice could any of you offer for my situation? What books have you
> found to be good and useful? Has anyone attempted to use multiport NICs to
> monitor multiple networks?
>
>
>
> Any advice you can provide would be greatly appreciated! :D And, if I
> get this configuration to work, I'd be happy to document it and share
> the results.
>
>
>
> Thanks,
>
> Tom
>
>
>
> *********************************************************
> * Tom Riley                    tom.riley at ...11294... *
> * Systems Engineer          UAA/ITS Infrastructure Team *
> *                ----------------                       *
> * "What we plant in the soil of contemplation, we shall *
> *   reap in the harvest of action." -Meister Eckhart    *
> *********************************************************
>
>
>
>


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
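The per-subnet layout discussed in this thread (one Snort instance per multiport-NIC interface in Tom's plan, and one instance per VLAN behind a balancer in the quoted reply) can be driven from a small generator script. The one below is an added example, not code from the thread or from the Snort project: it writes a Snort 2.x snort.conf per interface with HOME_NET set to that interface's subnet, its own rule file and log directory, and the shared `output database` line pointing at the one MySQL server in the stack, then prints the `snort -D -i ... -c ... -l ...` command for each. The interface names, subnets, rule file names, database host/user/password and the base directory are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one Snort 2.x instance per monitored
# interface, each with its own HOME_NET, rule file and log directory, all
# logging to the single MySQL server in the stack.  Interface names, subnets,
# rule file names and the database settings below are assumptions.

SNORT_BASE="${SNORT_BASE:-/tmp/snort-sensors}"   # assumed: generated configs and logs live here
DB_HOST="${DB_HOST:-10.0.0.5}"                    # assumed: the stack's MySQL server
DB_USER="${DB_USER:-snort}"                       # assumed credentials
DB_PASS="${DB_PASS:-changeme}"
DB_NAME="${DB_NAME:-snort}"

# Constructed mapping: "interface subnet rulefile", one monitored subnet per line.
SENSOR_MAP='
eth1 10.10.1.0/24 servers.rules
eth2 10.10.2.0/24 admin.rules
eth3 10.10.3.0/24 users.rules
'

# write_sensor_conf IFACE SUBNET RULEFILE
# Writes $SNORT_BASE/IFACE/snort.conf and prints its path.  The directives are
# Snort 2.x syntax; HOME_NET is the subnet the port actually sees, so RULEFILE
# can be tuned to the hosts on that subnet only.
write_sensor_conf() {
    iface=$1; subnet=$2; rulefile=$3
    dir="$SNORT_BASE/$iface"
    mkdir -p "$dir/log"
    conf="$dir/snort.conf"
    {
        echo "# generated for $iface, monitoring $subnet"
        echo "var HOME_NET $subnet"
        echo "var EXTERNAL_NET !\$HOME_NET"
        echo "var RULE_PATH /etc/snort/rules"
        echo "include \$RULE_PATH/$rulefile"
        # one sensor_name per interface keeps the rows apart in the shared database
        echo "output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME host=$DB_HOST sensor_name=$iface"
    } > "$conf"
    chmod 600 "$conf"   # the file carries the database credential
    echo "$conf"
}

# snort_cmdline IFACE CONF
# Prints (does not run) the daemon command for one sensor: -i binds the
# instance to a single interface, -c its config, -l its own log directory.
snort_cmdline() {
    iface=$1; conf=$2
    echo "snort -D -i $iface -c $conf -l $SNORT_BASE/$iface/log"
}

# deploy_all
# Generates every config in SENSOR_MAP and prints one start command per sensor.
deploy_all() {
    echo "$SENSOR_MAP" | while read iface subnet rulefile; do
        if [ -n "$iface" ]; then
            conf=$(write_sensor_conf "$iface" "$subnet" "$rulefile")
            snort_cmdline "$iface" "$conf"
        fi
    done
}

deploy_all
```

Run it as `sh sensors.sh`, review the printed commands, then start them (or feed them to an init script). Each instance only ever sees one subnet, so its HOME_NET and rule set stay small and the "snort not finely tuned" problem from the reply is contained per port; the per-interface `sensor_name` is what lets the shared MySQL server (and the later Oracle copy) tell the sensors apart.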
