My team is looking into using the Bro IDS for monitoring of a science DMZ with a 10 Gbps network. I was wondering how to choose which network tap(s) is necessary for this type of connection and if you have any recommendations/methods for setting up the hardware for Bro. I have been looking at the passive Ixia Flex taps, specifically the LC 10G SM 50/50 split tap. Will single mode (SM) versus multi-mode (MM) make a difference for Bro? And does Bro require a 50/50 ratio, or would I be able to get away with a different ratio?
Thanks for the help,
Bro doesn't care about any of that.
The optics going into your tap aggregator or directly into the Bro nodes need to match whatever you are using for the connection.
Same for the splitter.
Regarding splitter ratios: it depends on your light budget relative to the receive sensitivity on the ends of the actual connection and the optics feeding the Bro system.
Off the top of my head I was thinking 50/50 is good for data center and 70/30 for WAN
If you are running out of light once the splitter is in place, you might have to move to higher-powered optics all around.
One thing we ran into is some of the “lite” optics for use in data centers also have reduced sensitivity in addition to lower send power.
Another thing to consider is that if it is a single 10G connection you may be able to go right to the Bro box from the tap, but if you have multiple 10G connections, or need to send the signal to monitoring tools on multiple boxes, you may also need to look into a tap aggregator/load balancer as well. If the connection is running on a specific CWDM/DWDM wavelength, you may also need to check that your NICs and/or tap aggregator support the proper optics, as not all do.
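The light-budget trade-off behind the split-ratio question, as an added worked example that is not part of this thread: a passive tap leg passing a fraction f of the light costs -10·log10(f) dB, so each leg's margin is transmit power minus all losses minus receive sensitivity. The transmit power, receive sensitivity, connector and excess-loss figures below are constructed placeholders, not any vendor's datasheet values.

```python
import math

def split_loss_db(fraction: float) -> float:
    """Insertion loss (dB) of a passive tap leg that passes `fraction` of the light.
    A 50/50 tap costs ~3.01 dB per leg; the 30% leg of a 70/30 tap costs ~5.23 dB."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("split fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction)

def link_margin_db(tx_dbm, rx_sens_dbm, fraction, fiber_km=0.0,
                   fiber_db_per_km=0.35, connectors=2, connector_db=0.5,
                   excess_db=0.5):
    """Remaining margin (dB) on one tap leg once the splitter is in the path.
    Negative means the receiver gets less light than its sensitivity floor.
    Fiber, connector and tap excess losses are assumed sample values."""
    loss = (split_loss_db(fraction) + fiber_km * fiber_db_per_km
            + connectors * connector_db + excess_db)
    return (tx_dbm - loss) - rx_sens_dbm

def tap_budget(tx_dbm, rx_sens_dbm, live_pct, monitor_pct, **losses):
    """Margin for both legs of a tap: the production link ("live") and the
    leg feeding the IDS ("monitor"). Percentages must add up to 100."""
    if abs(live_pct + monitor_pct - 100) > 1e-6:
        raise ValueError("split percentages must sum to 100")
    return {
        "live": link_margin_db(tx_dbm, rx_sens_dbm, live_pct / 100.0, **losses),
        "monitor": link_margin_db(tx_dbm, rx_sens_dbm, monitor_pct / 100.0, **losses),
    }

if __name__ == "__main__":
    # Constructed sample optics: a long-reach 10G module and a "lite" module
    # whose receiver is less sensitive (the failure mode mentioned above).
    for name, tx, rx in [("long-reach", -8.2, -14.4), ("lite", -8.2, -11.0)]:
        for live, mon in [(50, 50), (70, 30)]:
            m = tap_budget(tx, rx, live, mon)
            print(f"{name:10s} {live}/{mon}: live {m['live']:+.2f} dB, "
                  f"monitor {m['monitor']:+.2f} dB")
```

With the sample numbers the 70/30 split keeps the production link healthy but starves the monitor leg, and the "lite" receiver fails even at 50/50, which is exactly the case where higher-powered optics all around become necessary.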
It is a single 10G connection right now, but possibly expanding in the future. I'm just focusing on the single 10G at the moment, so I think I would be able to connect right to the Bro box, like you mentioned. I'll look more into tap aggregation/load balancing later on.
Depending on your actual load, you'll definitely need load balancing, whether or not you're plugged in directly. Depending on the NIC, there are various solutions - PF_RING drivers for various platforms (Intel X520 is popular), Endace DAG, Myricom - I probably left somebody out - that can do this for varying costs. DAG is fantastically expensive, but is kinda magic (except when it isn't; kernel upgrades can hose you). PF_RING is cheap - free for certain folks - but I find it a bit more annoying to configure and maintain than the DAG. Can't argue with the price though. I can't speak for the Myricom options, but I gather they're a middle ground - more expensive than X520 + PF_RING, much less expensive than a DAG. All perform reasonably well.
My own environment started out with a single Dell R710 with a DAG 9.2X2, into which I plugged a couple SPAN ports, merged them, then load balanced them back out again. For a while I ran both Snort and Bro on the same box. Later, I acquired an Arista 7150S and 720 with Intel gear, put my SPANs into that, then have it just merge my two inputs into single outputs on a couple of tap ports - an upgraded box contains the DAG for Bro, and the new 720 contains an X520 with PF_RING, which does similar load balancing for Snort. Be prepared to spend a certain amount of time up front configuring hardware + software just so. Having the Arista in the mix is nice because I can easily add more tap ports for a test environment, one-off snooping, that sort of thing.