Deploying a Cyber Security Monitoring Fabric
To build a comprehensive view of threats to your network assets, you need to deploy a 100% packet capture fabric that delivers the power to see all to all of your Cyber Security applications.
Endace Probes running our Cyber Security Suite can be deployed on any network link carrying traffic right up to 40Gb/s, and can be easily and quickly integrated into your existing security infrastructure thanks to the broad range of standard interfaces supported by our Probe Architecture.
Our range of Probes offers unrivalled functionality, reliability and value for money. A single Probe can monitor up to 20 x 1 Gigabit or multiple 10Gb/s links at full line rate with 100% capture accuracy. The fabric management tools built into our central management server enable simple deployment and management of multiple Probes.
A Cyber Security Monitoring Fabric consists of:
- One or more Endace Probes running OSm and our Cyber Applications
- A Central Management Server to manage your fabric of Probes
- The Endace Security Manager dashboard, agent and server applications for managing your Intrusion Detection System deployment
Probe Configurations
Whether you are looking to deploy at the core or the edge of your network, Endace has a Probe to match. Simply select the model that matches your required throughput rate. Your Probe's throughput can be increased as your needs change by adding "Core-Up" Probes (sleds), which can scale your installation up to 10Gb/s. The Core 20, Core 40 and Core-Up Probes can be configured with either 1Gb/s interfaces OR 10Gb/s interfaces depending on your monitoring needs.
These Probes come standard with the Endace Cyber Security Suite which includes SNORT™ IDS and Endace Analytics. Deployments also require an Endace CMS server running Endace Security Manager (ESM) as part of the fabric. The CMS Server is a 3U server with up to 32TB of local storage.
| Model | EDGE10 | EDGE20 | CORE20 | CORE40 | CORE100 | CORE-UP |
|---|---|---|---|---|---|---|
| Network throughput (base config) | 1Gb/s | 2Gb/s | 2Gb/s | 4Gb/s | 10Gb/s | 2Gb/s |
| Network throughput (max) | 1Gb/s | 2Gb/s | 10Gb/s | 10Gb/s | 10Gb/s | n/a |
| 1GE Ports supported | (4) 1Gb/s | (8) 1Gb/s | (8) SFP 1Gb/s | (8) SFP 1Gb/s | n/a | (8) SFP 1Gb/s |
| Or | | | | | | |
| 10GE Ports supported | n/a | n/a | (2) XFP 10Gb/s | (2) XFP 10Gb/s | (2) XFP 10Gb/s | (2) XFP 10Gb/s |
| Expandability | n/a | n/a | ![]() | ![]() | ![]() | n/a |
| Disk Capacity | 4TB | 4TB | 16TB | 16TB | 16TB | None |
| Dual Power Supply | ![]() | ![]() | ![]() | ![]() | ![]() | ![]() |
| RAID Support | ![]() | ![]() | ![]() | ![]() | ![]() | n/a |
| Cluster | ![]() | ![]() | ![]() | ![]() | ![]() | n/a |
| Height | 1U | 1U | 3U | 4U | 7U | 1U |
Integrating Into Your Network
The flexible architecture of our Probes lets you configure them to monitor the full range of network types. You can configure ultra high-speed Probes at the core of your network, and more lightly configured Probes at the network edge where speeds are lower but the number of links you need to monitor may be greater.
Integrating our Endace Intrusion Detection System with existing third-party applications is easy using any of these standards:
- SNORT alerts in syslog format - for event log file integration with SIM vendors such as NetForensics
- NetFlow - Probes provide a highly configurable NetFlow export module that supports multiple concurrent real-time flow collection and analysis systems. Supports 1:1 or sampled NetFlow at 10Gb/s
- Packet Download - selected full-packet data can be downloaded via SOAP/XML in standard PCAP or ERF format for analysis in Wireshark or other applications
- Event Syslog - support for third-party Security Information Management (SIM) systems with alert export in standard Syslog format
- SNMP - support for SNMP traps and alerts allows you to integrate with a broad range of system and network management tools
Endace Probes support a broad range of standard data exchange interfaces, which makes them easy to integrate with existing systems and an essential source of data for a wide array of security, network monitoring and management applications.
Some of the standard data interchange formats provided by Endace Probes include:
Deployment Scenarios
The highly flexible nature of our Intrusion Detection System makes it the ideal choice if you are looking to replace or supplement existing IDS / IPS sensors that are failing under load, without replacing any of the other elements of your cyber security architecture.
Installation of high-performance Endace probes can generally be done without disrupting your existing cyber security infrastructure, and our architecture enables you to continue to scale - either by adding more probes, or by upgrading the DAG™ ports on your existing Endace Probes - as the demands of your network increase.
For any of these four common deployment scenarios, Endace Probes deliver exceptional performance at an unparalleled price.
- New or Replacement Deployments: if your need is for passive high-performance security monitoring infrastructure suitable for carrier-grade networks then no other platform can provide guaranteed 100% packet capture and scalability to 10Gb/s and beyond with support for every network type
- Surgical Replacement: replace failing sensors in your core network with high-performance Endace Probes and redeploy your low-performance sensors to the network edge. Integrate with your SIM/SIEM layer and other key systems quickly and cleanly into a single, seamless monitoring fabric
- Surgical Enhancement: supplementing existing security tools - such as IPS systems - with Endace's Cyber Security Suite running on high-performance Probes gives you a complete picture of every security event on your network at all times. Guaranteed 100% packet capture ensures you have the ability to see and investigate any security event, with access to the captured data in full context
- Consolidation of existing sensors or appliances: you can replace multiple low-performance sensors or appliances with a smaller number of high-performance Endace Probes, saving valuable resources and building a scalable platform for future growth



