Intrusion Detection Systems mailing list archives
More switch stuff
From: rgula () network-defense com (Ron Gula)
Date: Mon, 01 Nov 1999 17:47:08 -0800
At 10:53 AM 11/1/99 -0500, you wrote:
>> A few comments/questions here:
>> - Does anyone know if switches like the 2924 have buffering? I've always thought that they must. If there is buffering, then over short time spans, they can handle more than an aggregate of 100MB/sec.
>
> Even if the switch can buffer petabytes of data, it still has to exit out a spy port that operates at 100 Mbit/s. Sure, a buffer can empty out its contents and eventually trigger an alarm, but by then the vulnerable segment may well be off the air.
This is true, but the example I was thinking of was at a network with multiple T3s where the links have all been tapped, sent to a dedicated switch and then spanned there. Let's say there were 3 T3s at 50 Mbit/s for a total of 150 Mbit/s of possible bandwidth. [ Of course T3s don't give 50 Mbit/s, I'm rounding ;) ] A switch that buffered traffic and pumped it out at 100 Mbit/s is very useful in this case. Of course if someone pegs all three T3s the switch won't be able to keep up. In those bandwidth cases there are a few things that may be going on. One could be a network error of some sort causing extra traffic. In that case, it may be difficult (but not impossible) for an attacker to get their attack in. Another case could be some sort of spam, smurf or DoS attack. Most IDS products should be able to identify that type of condition, even if they (or their switch) are dropping packets.
> Unless you've discovered a way to operate Ethernet at 3.2 Gbit/s (or whatever), then 100 Mbit/s will be the rate at which the entire IDS operates.
Absolutely. It's still a matter of network engineering. The hardware needs to be adequate to monitor what it is watching. Another thing that could confuse this conversation is if any of these network taps from ODS/Shomiti/etc. filter at the NIC/driver level. And in Shomiti's case they do filtering and compression in their capture devices so it becomes difficult to get exact performance specifications.

Ron Gula
Network Security Wizards
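The buffering argument in this exchange is easy to quantify with a leaky-bucket model: traffic from the taps fills the switch buffer, the mirror port drains it at 100 Mbit/s, and anything that arrives while the buffer is full is dropped before the IDS ever sees it. The script below is an added example, not code from the original post or from any of the vendors mentioned; it models the three-T3 case the post describes (rounded to 50 Mbit/s per link, as the post does) and reports how long a saturated burst can be absorbed, how much the sensor loses once the buffer overflows, and how far behind real time the sensor falls meanwhile. The 64 MB buffer size, the 0.1 s simulation step and the traffic profile are constructed assumptions.

```python
"""Leaky-bucket model of a switch mirror (SPAN) port feeding a 100 Mbit/s IDS sensor.

Added example, not code from the original post. It models the case the thread
discusses: three tapped T3 links, rounded to 50 Mbit/s each as the post does,
aggregated in a dedicated switch whose mirror port drains at 100 Mbit/s. The
buffer size and the traffic profile below are constructed assumptions.
"""

from dataclasses import dataclass

MIRROR_PORT_MBPS = 100.0     # drain rate of the spy/span port (from the thread)
MBIT_PER_MBYTE = 8.0


@dataclass
class Tick:
    t: float             # seconds since the start of the window
    queued_mbit: float   # data still waiting in the switch buffer after this tick
    dropped_mbit: float  # data tail-dropped in this tick because the buffer was full
    delay_s: float       # time a packet enqueued now waits before the IDS sees it


def simulate_span_port(offered_mbps, buffer_mbit, drain_mbps=MIRROR_PORT_MBPS, step=0.1):
    """Run the buffer model over an offered-rate profile, one entry per `step` seconds."""
    queued = 0.0
    history = []
    for i, rate in enumerate(offered_mbps):
        queued += rate * step                          # traffic arriving from the taps
        dropped = max(0.0, queued - buffer_mbit)       # buffer full: tail-drop the excess
        queued -= dropped
        queued = max(0.0, queued - drain_mbps * step)  # mirror port drains at line rate
        history.append(Tick(t=round((i + 1) * step, 6), queued_mbit=queued,
                            dropped_mbit=dropped, delay_s=queued / drain_mbps))
    return history


def seconds_until_overflow(offered_mbps, buffer_mbit, drain_mbps=MIRROR_PORT_MBPS):
    """How long a steady offered rate above the drain rate lasts before drops begin."""
    excess = offered_mbps - drain_mbps
    return float("inf") if excess <= 0 else buffer_mbit / excess


def burst_report(history):
    """Summarise what the IDS would have missed and how late the rest arrived."""
    dropped = sum(h.dropped_mbit for h in history)
    first_drop = next((h.t for h in history if h.dropped_mbit > 0), None)
    return {
        "dropped_mbit": dropped,
        "first_drop_t": first_drop,
        "max_delay_s": max(h.delay_s for h in history),
    }


def t3_scenario(buffer_mbyte=64, step=0.1):
    """Constructed profile: 20 s of light load, 15 s with all three T3s pegged, 20 s recovery."""
    quiet = [60.0] * round(20 / step)     # three T3s at ~20 Mbit/s each
    pegged = [150.0] * round(15 / step)   # all three links saturated: 3 x 50 Mbit/s
    profile = quiet + pegged + quiet
    return simulate_span_port(profile, buffer_mbyte * MBIT_PER_MBYTE, step=step)


if __name__ == "__main__":
    hist = t3_scenario()
    print("overflow predicted after %.2f s of a 150 Mbit/s burst"
          % seconds_until_overflow(150.0, 64 * MBIT_PER_MBYTE))
    print(burst_report(hist))
```

With these assumptions a 64 MB buffer absorbs a little over ten seconds of all three links pegged; after that the sensor loses the 50 Mbit/s excess outright, and even the packets it does receive arrive about five seconds late, which is the "vulnerable segment may well be off the air" lag the quoted message warns about. Swap in a measured buffer size and a real rate profile from interface counters to size a mirror port for your own links.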