Intrusion Detection Systems mailing list archives

RE: RE: IDS taps in a switched network (The right tools for the job)


From: rgula () network-defense com (Ron Gula)
Date: Sun, 31 Oct 1999 07:44:46 -0800




David Newman said:

I agree that the 12-Tap is an effective way to monitor 12 ports at a time.
But many enterprise switches (and virtually all boxes for ISPs and carriers)
have many more than 12 ports. In my opinion it's better to have
hardware-based monitoring built right into the switch.

A few comments/questions here: 

- Does anyone know if switches like the 2924 have buffering? I've always
  thought that they must. If there is buffering, then over short time
  spans, they can handle more than an aggregate of 100MB/sec. 

- Many of these switches have real nice monitoring tools that can tell you
  when the specific interfaces are dropping packets. It's also a good way
  to see if your IDS is dropping packets because you can simply compare the
  packet counts. That is if your IDS is counting packets like NFR, Dragon,
  and NetProwler.

- I saw one of ODS's products at last week's Shadowcon which had 10 100baseT
  links and a 1000baseT monitor/span/spy port. 

- As far as building IDS right into the switch, I'm all for it, but I think
  it is a radical departure for switch manufacturers. Consider Cisco's 
  attempts to put IDS onto a router card. I have not used this product, but
  the word is that it detects <50 attacks. 

- Many vendors have contacted us to port Dragon over to silicon. Very few
  of them wanted to tackle gigabit networking and most of them wanted to
  make cheap boxes that could keep up with cable modem and DSL rates. We've
  talked to a few vendors to put Dragon into a switch and are willing to 
  talk to some more if any are on this list. 

The bottom line is you really need to know what you are doing if you want
to sniff traffic. There are many subtle 'gotchas' that can make monitoring
difficult like asymmetric routing, dropping packets on spanned ports, 
dropping packets at your IDS and so on. In many cases though, less than 100% 
monitoring of packets is an acceptable risk. Very few attack or scan attempts 
are a single packet. Yes, someone can Fin-Syn me all day with one packet an
hour, but they still risk being detected. 

//Ron
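Ron's suggestion of comparing switch interface counters against the IDS's own packet count, written out as an added example that is not from the thread or from Dragon; the counter samples are constructed, and the SPAN-port transmit counter and IDS capture counter are assumed to be polled at the same moments.

```python
"""Detect IDS packet loss by comparing switch SPAN-port counters with IDS
capture counters, then estimate what that loss means for multi-packet scans."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CounterSample:
    t: int          # seconds since the start of observation
    span_tx: int    # cumulative packets the switch sent out its SPAN/monitor port
    ids_rx: int     # cumulative packets the IDS reports having captured


def interval_loss(a: CounterSample, b: CounterSample) -> tuple[int, int, float]:
    """Packets sent by the switch, packets seen by the IDS, and the loss
    fraction between samples a and b. Counters are cumulative and assumed
    not to wrap inside the polling window."""
    sent = b.span_tx - a.span_tx
    seen = b.ids_rx - a.ids_rx
    if sent <= 0:
        return sent, seen, 0.0
    # The IDS cannot legitimately see more than the switch mirrored; treat
    # a higher IDS count as zero loss rather than a negative loss.
    lost = max(sent - seen, 0)
    return sent, seen, lost / sent


def flag_lossy_intervals(samples, threshold=0.01):
    """Return (start_t, end_t, loss) for each interval whose loss exceeds
    the threshold, i.e. where the sensor is falling behind the switch."""
    flagged = []
    for a, b in zip(samples, samples[1:]):
        _sent, _seen, loss = interval_loss(a, b)
        if loss > threshold:
            flagged.append((a.t, b.t, round(loss, 4)))
    return flagged


def miss_probability(loss: float, packets: int) -> float:
    """Chance that every packet of a `packets`-packet probe is dropped,
    assuming drops are independent with probability `loss`. This is the
    'very few attacks are a single packet' argument in numbers."""
    return loss ** packets


# Constructed samples: cumulative counters polled every 60 seconds.
SAMPLES = [
    CounterSample(0, 0, 0),
    CounterSample(60, 500_000, 500_000),        # no loss
    CounterSample(120, 1_500_000, 1_450_000),   # 1,000,000 sent, 950,000 seen: 5% loss
    CounterSample(180, 1_800_000, 1_750_000),   # 300,000 sent, 300,000 seen
]
```

With the 5% loss seen in the second interval, a single-packet probe is missed 5% of the time, while a ten-packet scan is missed with probability 0.05**10, which is negligible.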


