[Snort-users] IDS Load Balancer

Jeff Coppock jcoppock1 at ...5068...
Tue Feb 28 21:39:03 EST 2006

barryab63-ia at ...131... wrote:
> Load balancing IDS's has a lot of gotcha's that you have to look out for.
> Sourcefire has an IDS that is rated for GIGE, up to 4 GIG. 
> I'd definately try to find a solution that didn't include load 
> balancing.  No matter how you do it, you'll end up giving up something.
> Barry
> ----- Original Message ----
> From: Angel R <a_ti_92 at ...131...>
> To: snort-users at lists.sourceforge.net
> Sent: Sunday, February 26, 2006 9:35:03 PM
> Subject: [Snort-users] IDS Load Balancer
> Dear All,
>      I'm going to start a project to implement an end to end IDS 
> solution in a data center. My problem is that high traffic rate in the 
> data center leads me to use an load balancer to balance the traffic to 
> multiple Snort servers. I'll be thankful if you help me to find a proper 
> [including commercial] solution.
> Thanks all

Take a look at the Nortel Application Switch.  It has a specific mode for 
load balancing IDS servers.  This mode makes sure that all the packets for 
a client/server session get sent to the same IDS server in the farm. 
That's the key, keeping the sessions together.

You can also have multple IDS Server groups and you can filter such that 
traffic for specific applications get sent to a particular IDS Server group.


Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User

More information about the Snort-users mailing list