[Oisf-users] Two questions about using suricata as IPS in production environments

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 23 19:03:36 UTC 2015



On 1/22/2015 11:16 PM, C. L. Martinez wrote:
> a) If we make some mistake reconfiguring suricata, or some error
> appears with the rules, or some other type of problem appears at the
> software level, suricata stops. Then, since this is a production
> environment, all traffic that crosses this sensor doesn't flow. If I
> am not wrong, configuring a bridge at the OS level makes this problem
> disappear. Is that correct??

This is a risk with all inline network devices.  If I were deploying
suricata as an IDP I would attach it to a proxy firewall and use
dedicated hardware load-balancing and fault-tolerance.  So if anything
fails on one of the proxy devices (whether it's suricata or the server
itself) there is automatic failover.

As a word of warning, I've deployed carrier-grade networking in the past
and it gets very expensive very quickly.

> b) The most important problem: a hardware failure (network interfaces
> go down). What to do in this case?? Since this is an
> electronic/electrical problem, what type of hardware do I need to
> use?? Commercial products such as, for example, Sourcefire appliances
> solve these types of problems.

http://en.wikipedia.org/wiki/Multilayer_switch

Again, I would use a proxy or gateway server with suricata attached to
it vs. a purely transparent/inline deployment.

> There is a third path to avoid a hardware problem: use virtualization
> (ESXi as a first option). But this carries an important performance
> penalty.

This is more likely to cause problems as the virtualization
software/hardware can fail as well.  And you still need at least two
ESXi servers to provide full redundancy.

> Suggestions?? Ideas??

Use dedicated network hardware to implement the
fault-tolerance/load-balancing.  At a minimum, at least two suricata
proxy/gateway devices and one hardware load balancer.  Ideally, you want
at least two of everything.

> All suricata IDS sensors are installed on FreeBSD hosts ... And this
> is our first OS option. I don't want to use any Linux with systemd in
> production environments.
> 
> Many thanks for your help.


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
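The thread's recommendation is that failover be handled by dedicated load-balancing hardware in front of two or more suricata proxy/gateway devices, which only works if the load balancer can tell when suricata on a given gateway has stopped. The following health-check helper is an added example, not code from this thread or from the Suricata project: it reports a gateway as unhealthy when the suricata process named in its PID file is gone or when the stats file has not been updated recently, so a load balancer's monitor (polling this script's exit status, or an HTTP wrapper around it) can pull that gateway out of rotation. The PID-file path, stats-file path and freshness window are assumptions set via environment variables.

```shell
#!/bin/sh
# Added example: health check for one inline Suricata gateway, intended to be
# polled by an external load balancer. Not part of the mailing-list thread.
# Assumed defaults (adjust to the deployment):
: "${SURICATA_PIDFILE:=/var/run/suricata.pid}"
: "${SURICATA_STATS:=/var/log/suricata/stats.log}"
: "${MAX_STATS_AGE:=60}"   # seconds; stats.log older than this means the engine is wedged

# Returns 0 if the PID recorded in the pidfile belongs to a live process.
# Assumes the checker runs with permission to signal that process; kill -0
# also fails (EPERM) on a live process owned by another user.
suricata_process_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Returns 0 if the file was modified within max_age seconds.
# Tries GNU stat first, then BSD stat (FreeBSD hosts as in the thread).
stats_fresh() {
    file=$1
    max_age=$2
    [ -f "$file" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file" 2>/dev/null) || return 1
    [ $((now - mtime)) -le "$max_age" ]
}

# Gateway is healthy only if the engine is running AND still producing stats:
# a hung process with a stale stats file counts as a failure.
suricata_healthy() {
    suricata_process_alive "$1" && stats_fresh "$2" "$3"
}

# Command-line entry point: exit 0 (OK) or 1 (FAIL) for the monitor to consume.
if [ "${1:-}" = "--check" ]; then
    if suricata_healthy "$SURICATA_PIDFILE" "$SURICATA_STATS" "$MAX_STATS_AGE"; then
        echo "OK"
        exit 0
    else
        echo "FAIL"
        exit 1
    fi
fi
```

Run it as `./suricata-health.sh --check` from the load balancer's monitor on each gateway. Requiring both a live process and a fresh stats file is deliberate: a process that is alive but no longer forwarding packets is exactly the case a bare process check misses, and on an inline device that case blackholes traffic just as a crash does.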