Intrusion Detection Systems mailing list archives

Re: RE: Network Utilization discussion...


From: rgula () network-defense com (Ron Gula)
Date: Tue, 07 Dec 1999 09:25:17 -0800
What's very clear (at a minimum) from this thread and others like it is:

There is no Gigabit or FDDI IDS solution.  ISPs who are sporting OC-12s and
OC-48s cannot expect Intrusion Detection Systems to work accurately for
them, especially if most of the IDS world cannot reliably capture DS-3
utilization levels.

- FDDI is mostly an interface problem. Dragon has been deployed on several
  FDDI networks through the use of dedicated media converters. Any other
  packet IDS should be able to do this. Many other NIDS can read directly
  from FDDI networks. (Read Bob Graham's IDS FAQ) FDDI is also 100 Mb/s and
  should be able to be monitored by a wide variety of NIDS unless the data
  rates are in excess of 50-60 Mb/s. Once the data goes above those rates
  it really depends on which NIDS you test, what your data is and how you
  configure the NIDS.

- OC-3, OC-12 and OC-48 interfaces require a "bump on the wire" or a passive
  tap. That is, the OC link gets plugged into a box that does "passive" IDS
  before moving the packets, or some sort of silvered mirror tap (like a
  Shomiti tap) is used to pull off the light signal. Of course more
  sophisticated software is required to rebuild the ATM traffic. The "bump"
  approach tends to slow down any network traffic and is usually very cost
  prohibitive. It is also usually fought by any WAN engineer because it is a
  single point of failure. Some high-end products use the passive tap approach
  and we will be incorporating this into future Dragon Appliance offerings.

- We're finding that most of our high bandwidth customers are using full
  duplex Ethernet (~200 Mb/s), Gigabit Ethernet or IP over SONET.

Ron Gula
Network Security Wizards