[Oisf-users] Two questions about using suricata as IPS in production environments

Cooper F. Nelson cnelson at ucsd.edu
Fri Jan 23 19:03:36 UTC 2015


On 1/22/2015 11:16 PM, C. L. Martinez wrote:
> a) If we make some mistake reconfiguring suricata, or some error
> appears with the rules, or some other type of problem appears at the
> software level, suricata stops. Then, because this is a production
> environment, all traffic that crosses this sensor doesn't flow. If I
> am not wrong, configuring a bridge at the OS level, this problem
> disappears. Is it correct??

This is a risk with all inline network devices.  If I was deploying
suricata as an IDP I would attach it to a proxy firewall and use
dedicated hardware load-balancing and fault-tolerance.  So if anything
fails on one of the proxy devices (whether it's suricata or the server
itself) there is automatic failover.

As a word of warning, I've deployed carrier-grade networking in the past
and it gets very expensive very quickly.

> b) The most important problem: a hardware failure (a network interface
> goes down). What to do in this case?? Since this is an
> electronic/electrical problem, what type of hardware do I need to
> use?? Commercial products such as, for example, Sourcefire appliances solve
> these types of problems.
Again, I would use a proxy or gateway server with suricata attached to
it vs. a purely transparent/inline deployment.

> There is a third way to avoid a hardware problem: use virtualization
> (ESXi as a first option). But this carries an important performance
> penalty.

This is more likely to cause problems as the virtualization
software/hardware can fail as well.  And you still need at least two
ESXi servers to provide full redundancy.

> Suggestions?? Ideas??

Use dedicated network hardware to implement the
fault-tolerance/load-balancing.  At a minimum, at least two suricata
proxy/gateway devices and one hardware load balancer.  Ideally, you want
at least two of everything.

> All suricata IDS sensors are installed on FreeBSD hosts ... And this
> is our first OS option. I don't want to use any Linux with systemd in
> production environments.
> Many thanks for your help.

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
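The failover design described above only works if the load balancer can tell that a node is unhealthy for either reason Cooper names: the suricata engine dying, or the server (here, its NIC) failing. Below is an added example of a health endpoint a hardware load balancer could poll on each suricata proxy/gateway node; it is not code from this thread or from the Suricata project. The process name, the interface names (em0/em1, FreeBSD-style), the reliance on `ifconfig` printing `status: active` for a live link, and the port 8099 are all assumptions chosen for illustration.

```python
"""Health endpoint for a suricata proxy/gateway node.

A load balancer polls GET / on this port; 200 keeps the node in rotation,
503 removes it.  Any single failed check marks the node unhealthy, since a
node whose engine died or whose NIC dropped must leave the pool either way.
"""
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names for illustration: the engine's process name and the
# interfaces that carry production traffic through this node.
SURICATA_PROCESS = "suricata"
MONITORED_IFACES = ("em0", "em1")
LISTEN_PORT = 8099  # assumed; pick whatever your load balancer probes


def evaluate_health(process_running, iface_states):
    """Pure decision logic, kept apart from the system probes so it can be
    tested offline.

    process_running: bool, whether the suricata engine process exists.
    iface_states: dict of interface name -> "up" or "down".
    Returns (healthy, reasons); reasons is empty when healthy.
    """
    reasons = []
    if not process_running:
        reasons.append("suricata process not running")
    for iface in MONITORED_IFACES:
        if iface_states.get(iface) != "up":
            reasons.append(f"interface {iface} not up")
    return (not reasons, reasons)


def suricata_running():
    """pgrep exits 0 when at least one process has exactly this name."""
    result = subprocess.run(["pgrep", "-x", SURICATA_PROCESS],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def probe_iface_states():
    """Best-effort link state from `ifconfig <iface>` (assumption: BSD ifconfig
    prints a 'status: active' line for a live Ethernet link).  Anything
    unexpected, including a missing interface, is treated as down."""
    states = {}
    for iface in MONITORED_IFACES:
        out = subprocess.run(["ifconfig", iface], capture_output=True, text=True)
        live = out.returncode == 0 and "status: active" in out.stdout
        states[iface] = "up" if live else "down"
    return states


class HealthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        healthy, reasons = evaluate_health(suricata_running(), probe_iface_states())
        text = "OK\n" if healthy else "FAIL: " + "; ".join(reasons) + "\n"
        body = text.encode()
        self.send_response(200 if healthy else 503)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the probe quiet; the load balancer polls every few seconds.
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), HealthHandler).serve_forever()
```

Configure the load balancer's health monitor to expect HTTP 200 from this port on every node and to pull a node on any other response. With two nodes and one monitor, either failure mode Cooper describes results in automatic failover rather than traffic stopping at the dead sensor.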