So there I was, faced with a strict budget and the mandate to monitor up to 400 Mbps of sustained bandwidth (which did not necessarily follow a symmetric path through the pair of core switches and three Internet routers) with an IDS system. I examined a variety of solutions to make this work—commercial and open source—and nothing worked, given the requirements and budget. I needed to build (or have someone help me build) a solution that used off-the-shelf hardware and open source software that could keep up with the monstrous volume of traffic. From this was born the IDS Distribution System (I(DS)2).
I (Christopher Gerg) am the Network Security Manager for a data center hosting company (and ISP) that has an OC-48 SONET ring connecting the data centers (there are two of them) with the telecom central offices. There are three redundant OC-3 Internet connections from the SONET ring. This traffic all collapses on a pair of large Cisco switches and from there onto our data center customers. We do not use symmetric routing; as a result, a request can come in from the Internet to one of our customers in the data center by entering in router A, passing through switch A, and then return to the client through switch B and out router C. Simply setting up a SPAN port on one of the switches would potentially only allow half of the conversation to be watched. Figure 13-4 illustrates this asymmetric routing.
Figure 13-4. Asymmetric routing