Intrusion Detection Systems mailing list archives

Re: RE: Network Utilization discussion...


From: misha () insync net (Misha)
Date: Tue, 7 Dec 1999 01:52:49 -0600 (CST)



There is no Gigabit or FDDI IDS solution.  ISPs who are sporting OC-12s and
OC-48s cannot expect Intrusion Detection Systems to work accurately for
them, especially if most of the IDS world cannot reliably capture DS-3
utilization levels.

What would be the benefit of analyzing traffic at gigabit speeds to an
ISP? Intrusion detection is only as good as what you do with the data you
collect, and parsing traffic aggregated from hundreds of customers becomes
a pointless task. Aside from problems of getting to the traffic without
stressing backplanes of switches or routers, this is all but useless at
this point. Not only are you guaranteed to come up with a gazillion
alarms, but you also have no avenue of using those alarms for any
practical purpose.

You only see speeds approaching OC12 and OC48 at borders of most large
networks, where carefully monitored netflows would be much more useful
than intrusion detection. Our netflows allow us to track private IP
traffic bouncing around our network, abnormally large amounts of harmful
ICMP packet types, and anything else that may alarm us to a problem an ISP
can actually respond to, such as spoofing and DOS attacks, which is much
more useful to an ISP than full blown intrusion detection.

IDS really has to be used in the context of local security policies and
network topologies of each client, where even the largest sites can deploy
IDS products that can handle 40-100mbps if they plan their strategy well
and cover all major traffic aggregation points.

I think we will see blanket IDS solutions provided by ISPs about the same
time ISPs start buying huge firewalls that protect every client equally
well.

Misha
Insync Internet Services
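The two border checks the message describes, private address space crossing the border and abnormally large ICMP volume from one source, as a worked example over flow records. This is an added illustration, not code from the original message or from Insync; the CSV record layout, the sample flows and the ICMP threshold are all constructed assumptions.

```python
"""Flow-based border checks: private (RFC 1918) addresses seen on a border
link, and per-source ICMP packet volume above a threshold.

Added example; record format, sample data and threshold are assumptions,
not anything the original mailing-list message specifies."""
import ipaddress
from collections import defaultdict

# Constructed flow records, one per line:
#   src,dst,proto,icmp_type,packets,bytes   (icmp_type empty unless proto == 1)
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.5,6,,120,90000
10.0.0.7,198.51.100.5,6,,8,640
198.51.100.9,192.168.1.4,17,,3,300
203.0.113.1,198.51.100.20,1,8,50000,4000000
203.0.113.1,198.51.100.21,1,8,45000,3600000
192.0.2.44,198.51.100.5,1,3,12,960
"""

# RFC 1918 space listed explicitly rather than using ip_address().is_private,
# which also flags documentation ranges such as 192.0.2.0/24.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed alerting threshold: total ICMP packets per (source, type) in the window.
ICMP_PACKET_THRESHOLD = 50000


def parse_flows(text):
    """Parse the constructed CSV layout into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, icmp_type, pkts, nbytes = line.split(",")
        flows.append({
            "src": src,
            "dst": dst,
            "proto": int(proto),
            "icmp_type": int(icmp_type) if icmp_type else None,
            "packets": int(pkts),
            "bytes": int(nbytes),
        })
    return flows


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def private_at_border(flows):
    """Flows with a private source or destination. On a border link these
    are leaked internal traffic or spoofed sources and should not appear."""
    return [f for f in flows if is_rfc1918(f["src"]) or is_rfc1918(f["dst"])]


def icmp_packets_by_source(flows):
    """Aggregate ICMP packet counts per (source, icmp_type) across all flows."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == 1:
            totals[(f["src"], f["icmp_type"])] += f["packets"]
    return totals


def icmp_alerts(flows, threshold=ICMP_PACKET_THRESHOLD):
    """(source, icmp_type, packets) tuples whose aggregate exceeds threshold."""
    totals = icmp_packets_by_source(flows)
    return sorted((src, t, n) for (src, t), n in totals.items() if n > threshold)


def analyze(text):
    """Run both checks over a block of flow records."""
    flows = parse_flows(text)
    return {
        "private_at_border": private_at_border(flows),
        "icmp_alerts": icmp_alerts(flows),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for f in report["private_at_border"]:
        print("private address at border:", f["src"], "->", f["dst"])
    for src, icmp_type, pkts in report["icmp_alerts"]:
        print(f"ICMP volume alert: {src} type {icmp_type} {pkts} packets")
```

Against the constructed sample, the check flags the two flows touching 10.0.0.7 and 192.168.1.4, and aggregates the two echo-request flows from 203.0.113.1 into a single alert because the per-source total (95000 packets) exceeds the threshold even though neither flow does on its own; that aggregation is the point of looking at flows rather than individual records.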
