Re: Software router state of the art

[Wes Young <wcyoung () buffalo edu>]

We use them here and there (the 1Gig versions). The biggest thing to  
think about is the types of rule-sets you'll be using compounded by  
the number of flows being created / expired. Once tuned, they work  
quite well, but the balance is how fast you can pull/analyze out of  
RAM. Compiling the rules down to the card's level speeds things up a  
bit, but at the loss of using more dynamic rulesets.

If you can get the raw data to some sort of larger medium (say,  
rotating pcaps on a disk), you length the buffer-window. FWIW however,  
probably the best way to scale this is get an Xport fiber regen tap,  
populate with a few of these, tune them to monitor different segments  
based on address space or port ranges. You'll have yourself a  
relatively cheap solution, but extremely effective solution.

I've yet to test out the NinjaProbes... It's on my todo list...

On Jul 23, 2008, at 2:21 PM, Christopher Morrow wrote:

> On Wed, Jul 23, 2008 at 11:05 AM, Naveen Nathan <naveen () calpop com>  
> wrote:
> > > The Endace DAG cards claim they can move 7 gbps over a PCI-X bus  
> > > from
> > > the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
> >
> > I wonder, has anyone heard of this used for IDS? I've been looking at
> > building a commodity SNORT solution, and wondering if a powerful  
> > network
> > card will help, or would the bottleneck be in processing the  
> > packets and
> > overhead from the OS?
>
> http://www.endace.com/our-products/ninja-appliances/NinjaProbe-NIDS
>
> snort at 1g & 10g
>
> -chris

--
Wes Young
Network Security Analyst
CIT - University at Buffalo
http://claimid.com/saxjazman9

Attachment: smime.p7s
Description: