Most modern networks are complex, with workloads both in the cloud and on premises. Monitoring such a network means aggregating monitoring data from multiple, diverse locations. The following experiment tests the effect on a Snort IDS sensor when monitoring data is delivered to it by three different methods. The first method sends traffic directly from a server generating test traffic to an IP address on the Snort sensor. The second method captures the test traffic on a switch SPAN port and delivers it to an interface on the Snort sensor. The third method simulates ERSPAN by creating a GRE tunnel between the generating server and the Snort sensor and capturing the traffic from the tunnel interface.

The results showed that the delivery method has a significant impact on the volume of data that reaches the sensor. Monitoring can also have cascading effects on the network itself and must be planned for accordingly: when ERSPAN and production traffic share the same network infrastructure, excessive ERSPAN traffic can cause overloaded network equipment to drop production traffic. When deploying IDS sensors in a complex environment using SPAN or ERSPAN, it is best to increase the volume of monitoring traffic gradually and to measure its impact carefully in each unique environment.
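The following script is an added example, not code from the paper, showing how the three delivery paths can be built on Linux hosts and how the volume that actually arrives at the sensor can be measured against what the generator sent. It assumes iproute2 (`ip`, `tc`), `tcpdump` and `tcpreplay` are installed and that it runs as root; the interface names `eth0`, `eth1` and `gre1`, the replay rates, and the use of a `tc mirred` action on the generator as a stand-in for a switch's ERSPAN source session are all assumptions. The paper does not state which traffic generator or mirroring mechanism it used.

```shell
#!/bin/sh
# Added example, not code from the paper: stand up the three delivery paths
# on a Linux sensor host and measure what actually arrives on each one.
# Assumed names (adjust for your environment):
#   SENSOR_IF - NIC holding the IP the generator sends to directly (method 1)
#   MIRROR_IF - NIC cabled to the switch SPAN port (method 2)
#   GRE_IF    - GRE tunnel interface standing in for ERSPAN (method 3)
SENSOR_IF=${SENSOR_IF:-eth0}
MIRROR_IF=${MIRROR_IF:-eth1}
GRE_IF=${GRE_IF:-gre1}

# Sensor side, method 3: terminate a GRE tunnel from the generator.
# GRE adds 24 bytes of outer header, so full-size mirrored frames exceed the
# tunnel MTU (1476 on a 1500-byte link); that alone changes the arriving volume.
setup_gre() {  # $1 = local (sensor) IP, $2 = remote (generator) IP
    ip tunnel add "$GRE_IF" mode gre local "$1" remote "$2" ttl 64
    ip link set "$GRE_IF" up
}

# Generator side, method 3: mirror every egress frame of the production NIC
# into the tunnel with tc (assumed Linux stand-in for a switch ERSPAN source
# session). Run setup_gre on the generator too, with the IPs swapped.
mirror_to_tunnel() {  # $1 = production interface on the generator
    tc qdisc add dev "$1" clsact
    tc filter add dev "$1" egress matchall action mirred egress mirror dev "$GRE_IF"
}

# Generator side: replay a sample pcap at increasing rates. Stepping up slowly
# lets you watch the production path for drops before ERSPAN saturates it.
ramp_replay() {  # $1 = interface, $2 = pcap to replay
    for mbps in 10 50 100 250 500; do
        tcpreplay --intf1="$1" --mbps="$mbps" "$2" >/dev/null
        echo "replayed $2 at ${mbps} Mbps"
    done
}

# Parse `ip -s link show dev X` from stdin; print "<rx packets> <rx dropped>".
# The counter line follows the "RX:" header; packets is field 2, dropped field 4.
parse_rx_counters() {
    awk '/^ *RX:/ { getline; print $2, $4; exit }'
}

rx_counters() {  # $1 = interface
    ip -s link show dev "$1" | parse_rx_counters
}

# Percentage of the generator's packets that did NOT arrive, to two decimals.
# A negative result means the path delivered more than was sent (for example a
# SPAN session mirroring both directions, or unrelated traffic on the port).
loss_pct() {  # $1 = packets sent, $2 = packets received
    awk -v s="$1" -v r="$2" 'BEGIN {
        if (s == 0) printf "0.00\n"; else printf "%.2f\n", (s - r) * 100 / s
    }'
}

# Capture an interface for N seconds, then count the packets in the file.
capture_count() {  # $1 = interface, $2 = seconds, $3 = output pcap
    timeout "$2" tcpdump -nni "$1" -w "$3" >/dev/null 2>&1 || true
    tcpdump -nnr "$3" 2>/dev/null | wc -l | tr -d ' '
}

# Snapshot NIC counters, capture while the generator runs, snapshot again,
# and report capture count, NIC deltas and loss against what was sent.
measure_path() {  # $1 = label, $2 = interface, $3 = seconds, $4 = packets sent
    set -- "$@" $(rx_counters "$2")   # $5/$6 = rx packets/dropped before
    n=$(capture_count "$2" "$3" "/tmp/$1.pcap")
    set -- "$@" $(rx_counters "$2")   # $7/$8 = rx packets/dropped after
    printf '%s: captured=%s nic_rx=%s nic_dropped=%s loss_vs_sent=%s%%\n' \
        "$1" "$n" "$(($7 - $5))" "$(($8 - $6))" "$(loss_pct "$4" "$n")"
}

# Sensor-side driver; start the generator (ramp_replay) on the other host for
# each run. Guarded so that sourcing this file never touches an interface.
if [ "${RUN_EXPERIMENT:-0}" = 1 ]; then
    measure_path direct "$SENSOR_IF" 60 "${SENT:-0}"
    measure_path span   "$MIRROR_IF" 60 "${SENT:-0}"
    measure_path erspan "$GRE_IF"    60 "${SENT:-0}"
fi
```

Run the sensor side with `RUN_EXPERIMENT=1 SENT=<packets in the replayed pcap> sh measure.sh` while `ramp_replay` runs on the generator, one rate step at a time, and re-check `rx_counters` on the production-facing interfaces between steps: a rising `nic_dropped` delta on the production path is the cascading effect the paper warns about. Pointing Snort at the same interface (`snort -i gre1 ...`) and comparing its own shutdown packet summary with the NIC counters separates packets the network never delivered from packets the sensor received but could not process.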