Intrusion Detection Systems mailing list archives

Re: RE: Network Utilization discussion...


From: rgula () network-defense com (Ron Gula)
Date: Tue, 07 Dec 1999 17:03:50 -0800
There is no Gigabit or FDDI IDS solution.  ISPs who are sporting OC-12s and
OC-48s cannot expect Intrusion Detection Systems to work accurately for
them, especially if most of the IDS world cannot reliably capture DS-3
utilization levels.

What would be the benefit of analyzing traffic at gigabit speeds to an
ISP? Intrusion detection is only as good as what you do with the data you
collect, and parsing traffic aggregated from hundreds of customers becomes
a pointless task. Aside from problems of getting to the traffic without
stressing backplanes of switches or routers, this is all but useless at
this point. Not only are you guaranteed to come up with a gazillion
alarms, but you also have no avenue of using those alarms for any
practical purpose.

I don't believe there is a correlation between the amount of bandwidth
and the number of hackers. There may be many more false alarms because
of higher traffic, but I don't think it will be like trying to filter out
a single successful buffer overflow during twelve simultaneous Cybercop
scans. 

We have several customers who have core gigabit networks and use gigabit
Ethernets to hook up their border routers to their switches. Barring spanning
the switch, the only place to tap is the gigabit link.

Also, many small ISPs purchase OC-3 links simply for the metered service
and not for the excessive bandwidth. Having an IDS that can passively hook
into that technology can make things easier in some cases.

Ron Gula
Network Security Wizards
