There is a 'correct' way to do this; I have experience in both iSCSI and IDS systems. It's not cheap though.
You need to get a gigabit network tap (see http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=148&Section=products&menuitem=4&tag=NetOptics), which does not introduce latency or a point of failure.
This way the ids/ips device doesn't have to be physically inline to analyze traffic patterns.
Of course you'll need one of these nifty devices for every 2 links you're monitoring... This is much better than span ports in the switch (where you can drop packets at the IDS or in the switch) or an actual inline deployment of IDS (which must, by design, introduce SOME latency, which is bad). My firm does IDS services.
-Glenn (the other one)
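The point about span ports dropping packets comes down to oversubscription: a SPAN session copies both directions of a full-duplex gigabit link onto one gigabit monitor port, so whenever the two directions together exceed line rate the monitor port's queue fills and frames are discarded, whereas a passive tap hands each direction to its own port at line rate. The following is an added example, not part of Glenn's post or of any vendor's product; it is a small Python model with constructed traffic (a steady host-to-filer stream and bursty filer-to-host reads, as an NFS/iSCSI workload might produce) and an assumed 256 KB monitor-port buffer, and it shows the SPAN port dropping while the tap ports do not.

```python
"""Model why a SPAN/mirror port can drop packets where a passive tap cannot.

Added example with constructed traffic; buffer size and burst shape are assumptions.
"""
from dataclasses import dataclass

LINE_RATE_BPS = 1_000_000_000             # gigabit link
TICK_S = 0.001                            # simulate in 1 ms slices
BYTES_PER_TICK = int(LINE_RATE_BPS * TICK_S / 8)  # 125_000 bytes per ms at line rate


@dataclass
class MonitorPort:
    """A monitor port with a finite egress queue draining at line rate."""
    buffer_bytes: int
    backlog: int = 0
    delivered: int = 0
    dropped: int = 0

    def offer(self, nbytes: int) -> None:
        # Bytes that do not fit in the queue are tail-dropped.
        room = self.buffer_bytes - self.backlog
        accepted = min(nbytes, room)
        self.backlog += accepted
        self.dropped += nbytes - accepted

    def drain(self) -> None:
        # At most one line-rate tick worth of bytes leaves per ms.
        sent = min(self.backlog, BYTES_PER_TICK)
        self.backlog -= sent
        self.delivered += sent


def constructed_traffic(ticks: int) -> tuple[list[int], list[int]]:
    """Constructed per-ms byte counts for the two directions of one full-duplex link.

    host->filer: steady 30% of line rate (writes, requests).
    filer->host: 30% baseline with 20 ms bursts at 95% every 100 ms (large reads).
    """
    tx, rx = [], []
    for t in range(ticks):
        tx.append(int(BYTES_PER_TICK * 0.30))
        bursting = (t % 100) < 20
        rx.append(int(BYTES_PER_TICK * (0.95 if bursting else 0.30)))
    return tx, rx


def run_span(tx: list[int], rx: list[int], buffer_bytes: int = 256_000) -> MonitorPort:
    """SPAN: both directions are mirrored onto ONE gigabit monitor port."""
    port = MonitorPort(buffer_bytes)
    for a, b in zip(tx, rx):
        port.offer(a + b)
        port.drain()
    return port


def run_tap(tx: list[int], rx: list[int],
            buffer_bytes: int = 256_000) -> tuple[MonitorPort, MonitorPort]:
    """Passive tap: each direction goes to its own monitor port at line rate."""
    p_tx, p_rx = MonitorPort(buffer_bytes), MonitorPort(buffer_bytes)
    for a, b in zip(tx, rx):
        p_tx.offer(a)
        p_tx.drain()
        p_rx.offer(b)
        p_rx.drain()
    return p_tx, p_rx


def peak_monitor_load(tx: list[int], rx: list[int]) -> float:
    """Highest combined (tx+rx) load offered to a single SPAN port, as a fraction of line rate."""
    return max(a + b for a, b in zip(tx, rx)) / BYTES_PER_TICK


def drop_ratio(port: MonitorPort) -> float:
    """Fraction of bytes offered to a port that were discarded."""
    offered = port.delivered + port.backlog + port.dropped
    return port.dropped / offered if offered else 0.0


if __name__ == "__main__":
    tx, rx = constructed_traffic(1000)  # one second of constructed traffic
    span = run_span(tx, rx)
    tap_tx, tap_rx = run_tap(tx, rx)
    print(f"peak combined load on SPAN port: {peak_monitor_load(tx, rx):.0%} of line rate")
    print(f"SPAN port dropped {span.dropped} bytes ({drop_ratio(span):.1%})")
    print(f"tap ports dropped {tap_tx.dropped + tap_rx.dropped} bytes")
```

The model is deliberately coarse (1 ms slices, a single FIFO), but the mechanism it shows is real: the drops happen during read bursts, exactly when the IDS most needs a complete view, and a bigger mirror-port buffer only delays them. Note that the tap side of this only stays drop-free if the IDS itself has an interface per direction; an aggregation tap that merges both directions onto one IDS NIC reintroduces the same 2:1 oversubscription.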
-----Original Message-----
From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Tom Yates
Sent: Thursday, March 20, 2008 10:34 AM
To: toasters@mathworks.com
Subject: Performance impact of in-lined firewalls/IDS
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?