I am currently required to design an IDS layout for a future e-commerce server farm. The network will be built around a Cat6513 with 3 16-port fiber blades. There will be 3 VLANs. I obviously want to monitor all 3 VLANs, but my dilemma is this:
The Cat6513 has a backplane capable of 32 Gbps, and all the servers will be fiber connected. How do I monitor 3 VLANs, all with a potential of approximately 10 GB of traffic, with Cisco IDS sensors? Do I place multiple 4250XLs on a given VLAN? And, if I do that, how do I evenly balance the traffic?
Second: how many IDS sensors can I place on that switch? It is apparently only capable of 2 SPAN ports, but am I correct that VACLs could be written to direct traffic to any number of ports, essentially offering me the ability to add unlimited sensors?
Even the upcoming IDSM2 blade on the upcoming 4.1 version will support up to 500 MB performance. This blade will have 2 sniffing interfaces. But for your situation, IDSMs do not seem feasible.
Your best bet is the 4250XL, which performs at 1 GB and has 2 sniffing interfaces. You could deploy 2 of those.
As for the 10 GB data, are you implying that you will be deploying 10 GB LANs? The 4250XL has 1000BASE-SX (fiber) and 10/100/1000BASE-TX interfaces only. Also, there is no way to segregate traffic towards each sensor. The sensor's sensing interface is in promiscuous mode and will see all traffic.
You might have already taken a look at these, but just in case:
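As an added illustration that is not part of the original thread or either poster's configuration: the two mechanisms the question asks about, side by side, in Catalyst 6500 Native IOS syntax. The first block uses one of the two SPAN sessions to mirror all three VLANs to a single sensor port; the second uses a VACL with the capture action so that matching traffic is copied to capture ports, each of which can be restricted to a subset of the VLANs. VLAN numbers, interface names and the access-map name are assumptions; check the exact command forms against the software release on the switch.

```cisco
! Added example, not from the original thread. VLAN IDs 10/20/30,
! the Gi3/x sensor ports and the name IDS-CAPTURE are assumed.

! --- Option 1: SPAN. One of the two sessions, three source VLANs,
!     one destination port wired to a 4250XL sniffing interface.
monitor session 1 source vlan 10 , 20 , 30 both
monitor session 1 destination interface GigabitEthernet3/1

! --- Option 2: VACL capture. Traffic matching the access map is
!     forwarded normally AND copied to every port configured as a
!     capture port, so the number of sensors is not limited to two.
ip access-list extended ALL-IP
 permit ip any any

vlan access-map IDS-CAPTURE 10
 match ip address ALL-IP
 action forward capture

vlan filter IDS-CAPTURE vlan-list 10,20,30

! Sensor A receives only VLAN 10; sensor B receives VLANs 20 and 30.
! Splitting VLANs across capture ports is the only coarse load split
! available here; a capture port cannot balance within one VLAN.
interface GigabitEthernet3/2
 switchport
 switchport capture
 switchport capture allowed vlan 10

interface GigabitEthernet3/3
 switchport
 switchport capture
 switchport capture allowed vlan 20,30
```

Two caveats a practitioner should keep in mind: a capture port only sees packets that matched an access-map entry with the capture action and were actually forwarded, so anything the VACL drops never reaches the sensor; and with `permit ip any any` in the match list, every capture port receives the full volume of its allowed VLANs, so the per-VLAN traffic still has to fit the sensor's 1 GB interface.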