Subject: Re: Gigabit IDS solutions
From: Dragos Ruiu (dr at KYX.NET)
Date: Wed Nov 15 2000 - 18:03:08 CST
- Next message: Jon Gary: "Re: Gigabit IDS solutions"
- Previous message: Teicher, Mark: "Etrust Intrusion Detection = SessionWall 3.0"
- Next in thread: Robert Graham: "Re: Gigabit IDS solutions"
- Maybe reply: Dragos Ruiu: "Re: Gigabit IDS solutions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 15 Nov 2000, Jon Gary wrote:
> Also, I have been pondering the Gigabit IDS problem for a bit here, and one
> solution that I would be trying if I were an IDS vendor is a hierarchical
> approach. We've seen systems that spread the load among multiple machines
> for examination, but wouldn't a gradual filtering approach be more
> efficient? Perhaps there is something that does this that I haven't heard
> about, but I would envision a system in which there is one main IDS machine.
> This machine does a cursory examination of all traffic, and does not do any
> serious examination. All packets that don't look the least bit interesting
> are thrown out, and the remaining packets are distributed to a few signature
> checking systems. These systems are not inundated with little packets that
> are not the least bit interesting, and the main system is using little
> enough resources that it can keep up with the load. I'd be interested to
> know if anyone has developed anything like that.
I advised a customer once that had two very polar kinds of traffic load...
mail and web... to get a commercial IDS, then augment that with two
"snorters" (as it were)... only load the mail rules on one and only load
the web rules on the other - both would run faster... And the filtering
could be done by ports on a router... CPUs have sped up to the point
where his ruleset may have been able to be handled on one CPU
these days, but the approach is usable for other scenarios...
There are probably lots of ways to slice up the traffic to multiple analysis
machines.
cheers,
--dr
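As an added illustration (not code from either poster), the two-tier scheme discussed above in Python: a cheap front stage that classifies by destination port and discards everything no engine would inspect, then per-class signature engines that each load only their own rule subset (mail rules on one, web rules on the other). The packets, rule names and match strings are constructed sample data, not real Snort rules.

```python
# Added example: hierarchical filtering front-end plus per-protocol signature
# engines, as discussed in the thread. All packets and rules are constructed.
from collections import defaultdict

# Tier 1 decision table: destination port -> which engine inspects it.
# Ports absent from the table are dropped at the front sensor.
PORT_MAP = {25: "mail", 110: "mail", 143: "mail", 80: "web", 443: "web"}

# Tier 2: each engine only loads the rules for its own traffic class
# (hypothetical rule names and byte patterns, not a real rule set).
RULES = {
    "mail": [("SMTP VRFY probe", b"VRFY "), ("SMTP EXPN probe", b"EXPN ")],
    "web":  [("HTTP dir traversal", b"../"), ("HTTP cmd.exe request", b"cmd.exe")],
}

def tier1_route(packets):
    """Cursory check only: bucket by port, drop empty or unmapped traffic."""
    queues, dropped = defaultdict(list), 0
    for pkt in packets:
        engine = PORT_MAP.get(pkt["dport"])
        if engine is None or not pkt["payload"]:
            dropped += 1          # nothing downstream would look at this packet
            continue
        queues[engine].append(pkt)
    return queues, dropped

def tier2_inspect(engine, pkts):
    """Signature engine running only its own (smaller) rule subset."""
    alerts = []
    for pkt in pkts:
        for name, needle in RULES[engine]:
            if needle in pkt["payload"]:
                alerts.append((engine, pkt["src"], pkt["dport"], name))
    return alerts

def run_pipeline(packets):
    """Returns (alerts, packets dropped at tier 1, per-engine queue sizes)."""
    queues, dropped = tier1_route(packets)
    alerts = []
    for engine, pkts in queues.items():
        alerts.extend(tier2_inspect(engine, pkts))
    return alerts, dropped, {k: len(v) for k, v in queues.items()}

# Constructed sample traffic (not a capture).
SAMPLE = [
    {"src": "10.0.0.5", "dport": 25,  "payload": b"VRFY root\r\n"},
    {"src": "10.0.0.6", "dport": 80,  "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"src": "10.0.0.7", "dport": 53,  "payload": b"\x12\x34\x01\x00"},  # DNS: dropped at tier 1
    {"src": "10.0.0.8", "dport": 80,  "payload": b""},                   # empty: dropped
    {"src": "10.0.0.9", "dport": 443, "payload": b"\x16\x03\x01"},       # web queue, no match
]
```

The queue sizes returned by run_pipeline show how much of the load each engine actually sees, which is the figure to watch when deciding where a split like this pays off.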