[Snort-users] Snort in a cluster
security at ...5028...
Fri Jul 9 13:31:10 EDT 2004
Joshua Berry wrote:
> One effective way to monitor multiple segments and aggregate
> asymmetrical links while balancing the load across multiple sensors is
> with an appliance like TopLayer's IDS Balancer. Then you don't need the
> BPF filters at all; however, this solution is very pricey.
> By the way, what are some of the competitors to TopLayer's IDSB, or are
> there any? I have been having trouble finding a comparison to base
> pricing on.
I am told that Cisco equipment happily does it in the proper
configurations; apparently, using EtherChannel load balancing, you can
balance out multiple pipes.
I think it is also acceptable to balance up to 5 tapped 100Mbps links
into a single Gbps out. Overloading is not an issue in that case; use
more and it is the risk / reward game. 50 taps is simply too much to
take risk with IMHO.
Some of the Net Optics equipment might be appropriate.
Radware has an IDS load balancer. It might not be cheap as it appears to
also have limited inline prevention built in.
You could also use a VACL to capture selective traffic.
I believe most switch vendors supply some form of balancing support if
they are L3 aware at all.
What is considered very pricey?