
Intrusion Detection Systems for Gigabit Networks?

caelyx asks: "I've got to evaluate various IDS solutions for use on a gigabit network. While I've had experience using and configuring snort, I haven't used many of the commercial solutions (Dragon, RealSecure, ManHunt, etc.). I guess I'm mostly concerned with signature quality and depth, the power of the analysis console(s) and a robust engine that won't drop packets on a busy network. What experiences have Slashdot readers had with various NIDS or hybrid NIDS/HIDS solutions? Suggestions?" Ask Slashdot last touched this topic in this discussion, but it didn't focus on the needs of a Gigabit network. How well do the solutions mentioned therein perform on such a high-end network?
  • by dotslash ( 12419 ) on Sunday February 16, 2003 @10:05PM (#5316532) Homepage
    Sourcefire [sourcefire.com] is the commercial arm of snort. Marty Roesch, the original author of snort, is a founder of the company. They sell appliances that run Linux and snort. The appliances are the NS3000 sensors, which do gigabit.
  • Dragon (Score:4, Informative)

    by whois ( 27479 ) on Sunday February 16, 2003 @10:21PM (#5316605) Homepage
    I've tested Dragon on gigabit networks. As long as you have a big machine it should do alright. Use Linux because the Solaris kernel sucks for packet performance.

    I'd expect FreeBSD would also have good performance, but they didn't produce a 6.0.1 build for FreeBSD (they told me it's around the corner, but there's not much demand for it; I'm running the Solaris variant at work).

    Ultimately, I'd say contact Enterasys and ISS with your needs and ask for a demo license. Everyone's situation is different. You may decide snort fits your needs, or you may need something else.
  • intrusion.com (Score:3, Informative)

    by Erebus ( 13033 ) <`robsplinter' `at' `gmail.com'> on Sunday February 16, 2003 @11:11PM (#5316782)
    Try Intrusion.com [intrusion.com]. (You owe me a nickel, Ward.)
  • by Mordant ( 138460 ) on Sunday February 16, 2003 @11:23PM (#5316826)
    They have a pretty slick NetFlow-/capture-based anomaly-detection system (somewhat called their 'DoS' product) which does a good job of macro-analysis, helping you figure out how to steer IDS in order to keep it from getting overwhelmed by a torrent of information.

    More info here [arbornetworks.com].
  • Don't use Guardent (Score:3, Informative)

    by Gothmolly ( 148874 ) on Sunday February 16, 2003 @11:45PM (#5316901)
    From someone who knows. Their box is basically a cheapo generic Micro ATX (or, if you are "Enterprise", you get a generic 1U) box, running Linux w/IPSec, IPTables and Snort. No HW redundancy, off-the-shelf IDE drives... guess how reliable they are. No flexibility: their design requires you to change YOUR firewall (add interfaces, etc.) rather than them configuring THEIR product. Yuck.
  • Manhunt (Score:2, Informative)

    by G Money ( 12364 )
    Symantec Manhunt [symantec.com] (formerly Recourse) is a commercial IDS which kicks the crap out of every other IDS I've ever used. It runs on Solaris (or Windows for the foolhardy) and looks for traffic anomalies. You can compile in snort rules for it to check against and it just flies. It will correlate events from multiple sources or Manhunt nodes and can reconfigure your routers in real time to block DoS attacks. I don't work for Symantec and don't like most of their tools, but buying Recourse gave them a slick IDS.
  • by Jose ( 15075 )
    Have a look at www.nss.co.uk [nss.co.uk]. They do a pretty good review of gig NIDS. I think it costs like 50 USD though.
  • If you've got a network THAT big (and important), why not go with a technology [counterpane.com] like Counterpane [counterpane.com]?

    Their prices [counterpane.com] aren't bad; you could easily justify them.

    (You can read their case studies here [counterpane.com])

  • ISS' Real Secure Network Sensors support Gb networks. I use their sensor on some slower networks and I've been happy. They have a lot of good signatures... and have started adding a lot more "audit" signatures. The audits let you look for more than just exploits... things like P2P apps, IM (if you want), etc.
