I monitor over 80 server sensors hIDS (RS 6.5) with RSSP. I've done
extensive performance monitoring on these boxes. Some are extremely
heavy web servers. They use little CPU on a daily basis.

The hidden problem is when you wish to apply an XPU. Then the CPU
peaks for up to 10 seconds or so.

Just trying to help,
Matthew Brown, CISSP, SSCP, MCP
Lake Oswego, Oregon

---- Original Message ----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] "Why not a Switch?" Whitepaper was: SPAN port for IDS monitoring - Cisco switches
Date: Mon, 24 Mar 2003 12:31:23 -0500

>Yeah, but how much of the cpu does that utilize?  Host based intrusion
>detection has always been thought of as processor intensive.  Does that
>still hold true?
>
>At 03:03 PM 3/24/2003 +0000, you wrote:
>>Well,
>>
>>all this mail about Span ports, monitoring, Top Layer switches, Taps etc.
>>etc. sure shows how server based is a better route!
>>
>>JT
>>
>>John Taylor | Director Security Products | Tolerant Systems Ltd | 01782 865026 | 07730 989255
>>
>>
>>
>>-----Original Message-----
>>From: Joe Magee [mailto:[EMAIL PROTECTED]
>>Sent: Friday, March 21, 2003 9:29 PM
>>To: 'Paul Van Gurp'; [EMAIL PROTECTED]; Fuchs Bernhard
>>Subject: Re: [ISSForum] "Why not a Switch?" Whitepaper was: SPAN port for IDS monitoring - Cisco switches
>>
>>
>>
>>Bernhard, you make some pretty valid points.
>>
>>For more information on using a SPAN port vs. taps vs. Top Layer's IDS
>>Balancer see the following whitepaper titled "Why not a Switch?":
>>
>>http://www.joemagee.com/filez/Why%20not%20use%20a%20switch.pdf
>>
>>Hope this provides some insight.
>>
>>Cheers,
>>
>>Joe Magee
>>
>>---------- Original Message ----------------------------------
>>From: Fuchs Bernhard <[EMAIL PROTECTED]>
>>Date:  Fri, 21 Mar 2003 13:39:18 +0100
>>
>> >Hi Paul,
>> >
>> >OK, at first you have the following problem. Your SPAN port has 100mb, so if
>> >you are monitoring 3 ports on it with 100mb and 40% utilisation you are
>> >losing 20%, which makes it unusable for IDS... (a lot of false positives or
>> >false negatives). And you can't send rskills on a SPAN port. The next thing
>> >is, you might have a redundant net, so you need a sensor for each computer
>> >center. Another problem is asynchronous routing on load balancing. Let's say
>> >you have 2 servers that are load balanced. You have 2 packages coming
>> >(multicast) and one package leaving -> false positive "ICMP unsolicited echo
>> >reply" for example... So I recommend network taps and an "IDS-Balancer". This
>> >is kind of a switch but much better, about "36gb backplane" I guess, and with
>> >gigabit... so you can monitor 10x100mb on one gb sensor... pretty cool and
>> >totally flexible to configure. I saw the Top Layer and had my hands on it, but
>> >we are considering taking another brand too. Keep on asking if you have
>> >questions....
>> >
>> >http://netoptics.com/
>> >http://www.toplayer.com "Attack Mitigator" and "IDS-Balancer"
>> >
>> >
>> >Sincerely yours
>> >
>> >
>> >Bernhard Fuchs
>> >Junior System-Engineer
>> >IT-Infrastruktur/IT-Security
>> >
>> >ITELLIUM
>> >Systems & Services GmbH
>> >Fürther Straße 205
>> >90429 Nürnberg
>> >
>> >Tel.:   +49-911-14-27321
>> >Fax:    +49-911-14-22016
>> >mailto:[EMAIL PROTECTED]
>> >http://www.itellium.com
>> >
>> >
>> >
>> >-----Original Message-----
>> >From: Paul Van Gurp [mailto:[EMAIL PROTECTED]
>> >Sent: Thursday, 20 March 2003 15:22
>> >To: [EMAIL PROTECTED]
>> >Subject: [ISSForum] SPAN port for IDS monitoring - Cisco switches
>> >
>> >
>> >Hi all.
>> >
>> >I am not a network specialist by any means so please be gentle.  I am
>> >currently attempting to deploy network sensors throughout our
>> >infrastructure.  Since we have a switched environment, I have 2 options
>> >(that I am aware of):
>> >
>> >*      use the SPAN port of a switch for a network IDS
>> >*      use network taps.
>> >
>> >Many of our switches have several internal interfaces that I would like to
>> >monitor...i.e. one switch will be used for traffic destined for 8 different
>> >networks.  I would like to be able to plug an IDS into the SPAN port of the
>> >switch and get the networking people to configure the SPAN port to accept
>> >traffic from port 1, 3, and 8 for example because those are critical network
>> >segments.  This would allow my IDS to monitor all 3 of those ports at the
>> >same time.  The network guys say this is not possible and I can only span
>> >one port on the switch to the SPAN port.  This means using the SPAN port is
>> >out of the question for our environment.  I went to the Cisco site and it
>> >seems that the switches are capable of doing what I want, so I am confused.
>> >
>> >Question 1:  Who is right...i.e. can a SPAN port monitor traffic over
>> >multiple incoming/outgoing ports on a single switch?  If not then why not?
>> >Question 2:  If the network guys are right then why is the SPAN port a
>> >widely used method of deploying network IDS?
>> >Question 3:  If the network guys are right, what other options are open to
>> >me...I mentioned taps but don't I run into the same issues...1 tap for 1
>> >network segment and so in my example above, I would require 8 taps for the
>> >switch with 8 ports.
>> >
>> >Thanks in advance.
>> >
>> >Paul
>> >
>> >
>> >
>> >_______________________________________________
>> >ISSForum mailing list
>> >[EMAIL PROTECTED]
>> >
>> >TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
>> >https://atla-mm1.iss.net/mailman/listinfo
>> >
>> >