Hi all,
My team is looking into using the Bro IDS for monitoring of a science DMZ with a 100 Gbps network. I was wondering how to choose which network tap(s) is necessary for this type of connection and if you have any recommendations/methods for setting up the hardware for Bro. I have been looking at the passive Ixia Flex taps, but after reading the paper on bro.org about the 100G connection in Berkeley Labs, I’m not so sure this is the right direction.
Thanks for the help,
Daniel Manzo
Granted, budget will enter into the equation, but I would highly recommend following LBL’s model. I’d feed a passive 100G tap into a smarter tap/agg switch before your Bro cluster. If you setup shunting for elephant flows you’ll likely be able to get by with a small Bro cluster simply by filtering out that large traffic. This is especially true for typical ScienceDMZ traffic. You’ll want a tap/agg switch that can also load balance to the tool ports.
If you were to choose an Arista switch, the shunting code already exists.
https://github.com/ncsa/dumbno
-Dop