Intrusion Detection System platforms


Mike Bailey

Member
Sep 24, 2015
Note: This is somewhat of a cross between the Networking and Software Stuff boards.

Anybody have any recommendations for a hardware and/or software platform to run an IDS on?

I'm moving to a new apartment in a couple of weeks and I'm redesigning my whole network to be clean from the ground up.

As part of this, I'm adding IDS as a new feature to my network. I had the idea of mirroring inbound/outbound WAN traffic over to a dedicated appliance (router? raspberry pi? tiny x86 box?) where I could perform flow monitoring and traffic analysis.

It was basically going to look something like this:

[Network diagram image]
Can anybody recommend something that's relatively affordable to run this on? I don't have any dedicated hardware to run this on at the moment, so I was looking to either pick up something like a Mikrotik to run Snort and sFlow on, or pricing out a cheap dedicated x86 box to run this.

This would be running out of a network cabinet in a closet, separate from the rack that I have the rest of my equipment in. I'd like to avoid placing the appliance inside the LAN or with the rest of equipment due to security and configuration complexity concerns.

A simple, dedicated appliance would be best for me, though I'm not sure what hardware and/or software combination to run for this sort of thing. Any suggestions?
 

CreoleLakerFan

Active Member
Oct 29, 2013
C2750 based board, virtual IDS platform. If you want flexibility to run ALL THE VMS, consider a Xeon-D board as they support up to 128GB RAM while the C2x00's can take 32-64, but the 16GB modules can only be sourced from a single vendor and are priced unreasonably.
 

Mike Bailey

Member
Sep 24, 2015
I have no need to run anything else on this platform, I already have dedicated infrastructure for that. I considered it, but even a D-1520 is way too much ($400 for the motherboard + proc alone).

The node I'm deploying is going to be fully exposed on the WAN so I'm looking to segregate it completely from the internal VM infrastructure.
 

Aluminum

Active Member
Sep 7, 2012
Home use on a budget and bang/$?

Easy, look for one of the Lenovo TS140/TS440 or Dell T20 sales, <$300 and very capable. Throw in a cheap quad Intel NIC and you are done.
 

PigLover

Moderator
Jan 26, 2011
pfSense + Suricata module. You need decent hardware or it becomes a bottleneck. c2558 is probably minimum, puts you in the $230 range for MB+CPU, probably $300+ with RAM, a case and PSU.
 

Mike Bailey

Member
Sep 24, 2015
I had actually thought about that and completely forgot that they sold hardware for this. I'm looking for something that I can just set up, stuff in my network cabinet, and forget about.

The SG-2220 would actually work perfectly for what I'm looking to do. I won't be pushing more than 50 Mbps in either direction, so I should be able to get away with oversubscribing the link.
 

wildchild

Active Member
Feb 4, 2014
Why not run a virtual pfSense?
Been fiddling around with it in my VMware cluster; it simply does a good job.
Would be a good idea to go into the paid subscriptions for signatures though, otherwise you'll be on 3-month-old definitions.
 

mstone

Active Member
Mar 11, 2015
At 50Mbps the hardware basically doesn't matter, except that I still wouldn't try to use a raspberry pi. Most network monitoring tools don't scale particularly well, so good single core performance tends to be more important than a large number of cores. The network performance matters, but having large hardware buffers and multiple hardware receive queues matters a lot more than offloading features (network monitoring tends to want to see the raw packets, not an assembled stream). But again, at 50Mbps it's easier to overthink than to pick the wrong solution if using some kind of x86.
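Added example, not from the thread: the point above about wanting raw packets rather than an assembled stream is usually acted on by switching off the NIC offloads that coalesce or split frames before the sniffer sees them. This script checks `ethtool -k` output for offloads still enabled on a capture interface and prints the commands to disable them; the interface name `eth1` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Interface name and sample output are constructed.

# Offload features that hand the IDS coalesced or segmented frames instead of wire packets.
OFFLOADS="generic-receive-offload large-receive-offload tcp-segmentation-offload generic-segmentation-offload rx-vlan-offload"

# Read `ethtool -k <iface>` output on stdin; print each listed offload still "on".
# Returns 0 when the interface is capture-ready, 1 when something must be switched off.
check_offloads() {
    found=0
    while IFS= read -r line; do
        feature=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        state=$(printf '%s' "${line#*:}" | tr -d ' \t')   # "on", "off", "off[fixed]" ...
        case " $OFFLOADS " in
            *" $feature "*)
                case "$state" in
                    on|on\[fixed\]) echo "$feature is on"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Emit the ethtool commands that turn the listed offloads off on a given NIC.
offload_off_cmds() {
    iface=$1
    for f in gro lro tso gso rxvlan; do
        echo "ethtool -K $iface $f off"
    done
}

# Constructed sample of `ethtool -k eth1` for a NIC with default settings.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
generic-receive-offload: on
large-receive-offload: off [fixed]
tcp-segmentation-offload: on
generic-segmentation-offload: on
rx-vlan-offload: on'

# On the sensor itself this would be: ethtool -k eth1 | check_offloads
if printf '%s\n' "$SAMPLE_ETHTOOL_K" | check_offloads; then
    echo "capture interface ready"
else
    echo "run the following before starting the IDS:"; offload_off_cmds eth1
fi
```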
 

Aluminum

Active Member
Sep 7, 2012
Hence the Lenovo/Dell "my-first-SMB-server" $ale$ recommendation: CPU with a modern non-crippled Haswell core also running at a very respectable 3.2 GHz, room to grow with your choice of Intel NIC, still very cheap. All the smaller boxes either give up a lot of performance, price or both.

And yeah, most network monitoring stuff is waaaaaay behind the curve; a lot of vendors still fake it by using special capture NICs to do the splitting/heavy lifting. They also tend to not mention how many things they disable or rate-limit at high speeds. IMO Bro is the only project that seems to have the right mindset for going past gigabit, and also the only one I've witnessed deployed in a useful configuration at 10 and 40 Gbps.
 

Mike Bailey

Member
Sep 24, 2015
I would throw a virtual appliance on my virtual hosts, but the way the network will end up getting segmented is going to look horrendous.

I'd rather have a dedicated appliance (that can go offline / reboot / die) that isn't wasting bandwidth in my network core, just a tiny bit at the network edge.

That's the whole reason why I want to put the device right at the firewall edge. I can do all my flow collection, traffic analysis, etc right at the WAN edge where I'm particularly interested in seeing these things.

Internally, I have monitoring via Observium (network) and PRTG (certain critical services / hypervisors). At the edge, I'd be very interested in seeing what traffic is attempting to flow in/out of the firewall.
 

Aluminum

Active Member
Sep 7, 2012
One thing though with that setup, do you have a tap? If you're going to do a span port or similar, you might as well go with an all-in-one setup anyways since you don't gain any reliability IMO.

Now if you got lucky like me and scored a NIB netoptics for $100 ;) then you're good to go.
 

Mike Bailey

Member
Sep 24, 2015
I'm doing it the lazy way: I have a simple switch that supports port mirroring. Check the first post, I have the L2 diagram of how it's going to be configured.

I have to do some testing still, but preliminarily it looks like I can push the expected 100 Mbps (50 up / 50 down) through my switch without it really breaking a sweat on the packet mirroring.