What is it?

The SURFids system consists of 3 major parts:

  • The logging server (surfids-logserver)
  • The tunnel server (surfids-tunnel)
  • The sensors (surfids-sensor)

The logging server is the part of the system that will handle the web interface, i.e. the visual representation of the captured data. It's also usually the place where the database is located, but you can reserve a different physical machine for the database to spread out the load.

The tunnel server is the part of the system that will handle the connections to all the sensors. It's basically the central hub of the whole system. This is the system that will either handle the detection of attacks and traffic or will distribute the traffic to other systems that will do this.

The sensors are the distributed part of the system. A sensor is a Debian/Debian-live OS that has the surfids-sensor package installed. Its sole function is to set up an OpenVPN tunnel to the tunnel server and redirect the traffic. The idea is to put a sensor in each network you want to monitor.

For a more detailed overview check out the Global page.


  • Port security on your switch needs to be disabled for the port that your sensor is using.
  • You will need to have 2 free DHCP leases if you are using DHCP or 2 free IP addresses if you are using static IP address configuration.
  • The MAC addresses of both the physical sensor and the device on the tunnel server need to be whitelisted if you are doing MAC whitelisting.
latest_docs/overview.txt · Last modified: 2012/07/12 11:27 (external edit)