[Oisf-users] Two questions about using suricata as IPS in production environments

C. L. Martinez carlopmart at gmail.com
Mon Jan 26 08:54:22 UTC 2015

On Fri, Jan 23, 2015 at 7:03 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Hash: SHA1
> On 1/22/2015 11:16 PM, C. L. Martinez wrote:
>> a) If we made some mistake reconfiguring suricata, or appears some
>> error with rules or if appears some another type of problem at
>> software level, suricata stops. Then, due to this is a production
>> environment, all traffic that cross this sensor, it doesn't flow. If I
>> am not wrong, configuring a bridge at SO level, this problem
>> disappears. Is it correct??
> This is a risk with all inline network devices.  If I was deploying
> suricata as an IDP I would attach it to a proxy firewall and use
> dedicated hardware load-balancing and fault-tolerance.  So if anything
> fails on one of the proxy devices (whether its suricata or the server
> itself) there is automatic failover.
> As a word of warning, I've deployed carrier-grade networking in the past
> and it gets very expensive very quickly.
>> b) The most important problem: a hardware failure (network interfaces
>> goes down). What to do in this case?? Due to this is an
>> electronic/electrical problem, what type of hardware do I need to
>> use?? Commercial products as for example, Sourcefire appliances solves
>> these type of problems.
> http://en.wikipedia.org/wiki/Multilayer_switch
> Again, I would use a proxy or gateway server with suricata attached to
> it vs. a purely transparent/inline deployment.
>> There is a third path to avoid a hardware problem: use virtualization
>> (ESXi as a first option). But this is an important performance
>> penalty.
> This is more likely to cause problems as the virtualization
> software/hardware can fail as well.  And you still need at least two
> ESXi servers to provide full redundancy.
>> Suggestions?? Ideas??
> Use dedicated network hardware to implement the
> fault-tolerance/load-balancing.  At a minimum, at least two suricata
> proxy/gateway devices and one hardware load balancer.  Ideally, you want
> at least two of everything.

Ok, many thanks to all for your answers. I will some tests and after
that, I will decide.


More information about the Oisf-users mailing list