Intrusion Detection Systems mailing list archives
RE: RE: IDS taps in a switched network (The right tools for the job)
From: blue0ne () igloo org (Jackie Chan)
Date: Mon, 1 Nov 1999 19:04:22 -0500 (EST)
>> A few comments/questions here:
>> - Does anyone know if switches like the 2924 have buffering? I've always thought that they must. If there is buffering, then over short time spans, they can handle more than an aggregate of 100MB/sec.

> Even if the switch can buffer petabytes of data, it still has to exit out a spy port that operates at 100 Mbit/s. Sure, a buffer can empty out its contents and eventually trigger an alarm, but by then the vulnerable segment may well be off the air.
In the amount of time it takes the common security admin to notice the alarm, and do the leg work, it would be off the air anyhow. Buffering does help quite a bit when using the Shomiti Taps (single) in conjunction with a 2900xl series switch to pool the packets all into one vlan to be forwarded by a span port to the IDS.
> A dropped-packets indicator is definitely nice to have, but hardly reassuring in the context of NIDS. Such an indicator says, in effect, "you're under attack but I can't see what form the attack is taking."
It sure makes one heck of a status mark though when comparing commercial IDS's (or should that be IDSae).
>> - I saw one of ODS's products at last week's Shadowcon which had 10 100baseT links and a 1000baseT monitor/span/spy port.
This is a welcome departure from the traditional ODS Secure Switch, which was merely an overpriced switch. (The same configuration that the ODS switch has can be emulated using Shomiti Taps and the Cisco switch for 1/4th of the price.)

<serious opinion> If we start bottling IDS solutions in switches, then a standard should be made for IDS companies to write to, as a great routing company may have crappy IDS code, while a crappy routing company may have great IDS code. There is also the problem of the "if you only buy us we will discount your stuff astronomically" when trying to balance good routing and adequate IDS. I really believe the switch companies would do us a favour if they developed the hardware that allowed the customer to choose the IDS that will be implemented. </serious opinion>

blue0ne
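The buffering argument in this exchange (several mirrored links feeding one 100 Mbit/s monitor port, with a buffer that only postpones the drop counter) as an added example that is not from any poster in the thread: a small Python model of a monitor port behind a finite buffer. The link count, utilisation figures and 8 Mbit buffer size are constructed assumptions, not figures for any real switch.

```python
"""Oversubscribed SPAN/monitor port model (added example, not from the thread).
Constructed assumptions: N monitored 100 Mbit/s links are mirrored onto one
100 Mbit/s monitor port behind a finite buffer; each 1 ms step the links offer
traffic, the buffer absorbs what fits, and the port drains at most line rate."""
from dataclasses import dataclass
from typing import List, Optional

MBIT = 1_000_000

@dataclass
class SpanResult:
    ms_until_first_drop: Optional[int]  # None if the buffer never overflowed
    dropped_bits: int                   # what a dropped-packet counter would show
    delivered_bits: int                 # what the IDS behind the port actually saw
    peak_queue_bits: int                # worst-case buffer occupancy

def simulate_span_port(link_loads: List[List[int]], span_rate_bps: int = 100 * MBIT,
                       buffer_bits: int = 8 * MBIT) -> SpanResult:
    """link_loads[t][i] is the bits link i offers in millisecond t. Each step:
    accept arrivals into the remaining buffer room, then drain at line rate."""
    drain_per_ms = span_rate_bps // 1000
    queue = dropped = delivered = peak = 0
    first_drop: Optional[int] = None
    for t, loads in enumerate(link_loads):
        arriving = sum(loads)
        accepted = min(arriving, buffer_bits - queue)   # tail-drop the rest
        lost = arriving - accepted
        if lost and first_drop is None:
            first_drop = t
        dropped += lost
        queue += accepted
        peak = max(peak, queue)
        sent = min(queue, drain_per_ms)
        queue -= sent
        delivered += sent
    return SpanResult(first_drop, dropped, delivered, peak)

def steady_load(n_links: int, utilisation_pct: int, duration_ms: int,
                link_rate_bps: int = 100 * MBIT) -> List[List[int]]:
    """Constructed profile: every link offers utilisation_pct of its rate each ms."""
    per_link_per_ms = link_rate_bps * utilisation_pct // 100_000  # bits per ms
    return [[per_link_per_ms] * n_links for _ in range(duration_ms)]

if __name__ == "__main__":
    # Ten links at 30% offer 300 Mbit/s into a 100 Mbit/s port: an 8 Mbit buffer
    # hides that for 39 ms, then the drop counter climbs while the IDS sees 1/3.
    print(simulate_span_port(steady_load(10, 30, 100)))
    # Ten links at 10% sum to exactly the port rate: nothing is ever dropped.
    print(simulate_span_port(steady_load(10, 10, 100)))
```

The point for capacity planning is the first result: the buffer delays the drops, it does not prevent them, and the IDS behind the port sees a third of the offered traffic for as long as the overload lasts.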