Intrusion Detection Systems mailing list archives

IDS standards (was: IDS taps in a switched network...)


From: dnewman () networktest com (David Newman)
Date: Mon, 1 Nov 1999 19:38:21 -0500

Even if the switch can buffer petabytes of data, it still has to exit out a
spy port that operates at 100 Mbit/s. Sure, a buffer can empty out its
contents and eventually trigger an alarm, but by then the vulnerable segment
may well be off the air.

In the amount of time it takes the common security admin to notice the
alarm, and do the legwork, it would be off the air anyhow.

Not if the IDS automatically triggers some action to stop an attack. For
this to happen, the IDS must be able to see the attack in the first place.
Seeing something dribbling out of a buffer 10 seconds after the fact doesn't
cut it.

If we start bottling IDS solutions in switches, then a standard should be
made for IDS companies to write to, as a great routing company may have
crappy IDS code, while a crappy routing company may have great IDS code.

An IDS standard is an excellent idea. Like RMON, it would give vendors (IDS
makers and box makers alike) one set of specs to write to, and eliminate the
problem of a weak IDS on a strong router or vice versa.

Big question is which standards body could do a spec in a reasonable amount
of time that covers both security and performance. The IETF would be my
first choice, but that depends on one's definition of "reasonable." ;-)

dn
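As an added example (not code from anyone in this thread), a small queueing model of the spy-port bottleneck described above: mirrored traffic from several switch ports is funnelled through one 100 Mbit/s mirror port with a finite buffer, and the model reports how long the IDS waits to see each frame and how many frames it never sees. The 4 MB buffer, the FIFO tail-drop behaviour and the traffic mix are constructed assumptions.

```python
# Queueing model of a switch mirror ("spy") port feeding an IDS. Added example
# for this thread, not code from the original posters. Assumes one FIFO buffer
# draining at the spy port's line rate with tail drop when full; real ASICs differ.

MIRROR_BPS = 100_000_000   # 100 Mbit/s spy port, as in the post
BUFFER_BYTES = 4_000_000   # constructed: 4 MB of buffer behind the spy port

def mirror_port_delays(packets, mirror_bps=MIRROR_BPS, buffer_bytes=BUFFER_BYTES):
    """packets: time-sorted (arrival_s, size_bytes) merged from all mirrored
    ports. Returns (delays, dropped): seconds until the IDS sees each frame,
    or None if the buffer was full when it arrived."""
    next_free = 0.0        # when the spy port finishes the queued backlog
    delays, dropped = [], 0
    for t, size in packets:
        queued = max(0.0, (next_free - t) * mirror_bps / 8)   # bytes waiting
        if queued + size > buffer_bytes:
            dropped += 1   # tail drop: the IDS never sees this frame
            delays.append(None)
            continue
        start = max(t, next_free)
        next_free = start + size * 8 / mirror_bps
        delays.append(next_free - t)
    return delays, dropped

def constant_load(n_ports, port_bps, seconds, pkt_bytes=1500):
    """Constructed background: n_ports each sending back-to-back frames at
    port_bps, staggered so arrivals interleave."""
    interval = pkt_bytes * 8 / port_bps
    pkts = []
    for p in range(n_ports):
        t = p * interval / n_ports
        while t < seconds:
            pkts.append((t, pkt_bytes))
            t += interval
    return sorted(pkts)

def attack_visibility(background, t_attack, attack_bytes=64):
    """Seconds before the IDS sees one attack frame injected at t_attack into
    the background load, or None if the spy port dropped it."""
    pkts = sorted(background + [(t_attack, attack_bytes)])
    delays, _ = mirror_port_delays(pkts)
    return delays[pkts.index((t_attack, attack_bytes))]

if __name__ == "__main__":
    heavy = constant_load(3, 100_000_000, 1.0)   # 300 Mbit/s into a 100 Mbit/s spy port
    delays, dropped = mirror_port_delays(heavy)
    seen = [d for d in delays if d is not None]
    print(f"max delay {max(seen):.3f}s, dropped {dropped} frames")
    print("attack frame at 0.1s:", attack_visibility(heavy, 0.1))
```

With three mirrored 100 Mbit/s ports the buffer fills in about 0.16 s, after which two of every three frames are dropped and the ones that get through arrive roughly a third of a second late; with a single 50 Mbit/s port the spy port keeps up and nothing is lost.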
