Intrusion Detection Systems mailing list archives

Making stateful NIDS work in a completely switched network


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 14 May 2001 05:59:50 -0700

Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
One of the arguments made against NIDS (usually it seems by vendors
of competing technologies) is that the prevalence of switched networks
has made deployment of NIDS expensive and less accurate. I don't think
that's completely true but I can see some of the arguments. 
Having said that, given a network that is completely switched (no hubs
used to handle traffic at any point), highly redundant (each server
has at least two NICs feeding into two separate switches) and made primarily
of VLANs (meaning physical proximity cannot be assured) I can see
making signature-based NIDS work, I can even see making simple protocol
analysis work, but I can't see a way to make stateful (connection-aware)
monitoring work without either:
a. tapping the entire network and feeding it into a single sensor 
b. dropping sensors at the ingress and egress points.
c. putting taps on every network drop and feeding them in groups to a 
dedicated sensor.

Any thoughts?

Toby

All opinions are my own and in no way reflect the views of my employer.
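An added illustration, not part of Toby's message: a toy TCP handshake tracker fed with a constructed trace in which a dual-homed server answers through its second switch, so a sensor on either switch alone sees only one direction and never reaches an established state, while feeding both taps into one sensor (option c above) does. The addresses, ports, timestamps and the asymmetric reply path are assumptions made up for the example.

```python
from collections import namedtuple

# Constructed packet record: only the fields the tracker needs.
Pkt = namedtuple("Pkt", "src dst sport dport flags seen_at")


def flow_key(p):
    """Canonical 4-tuple so both directions of a TCP flow share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def track(packets):
    """Minimal handshake tracker (hypothetical; not a real NIDS engine).

    A flow is ESTABLISHED only if this sensor saw SYN, SYN/ACK and ACK.
    Returns (flow_states, unmatched), where unmatched counts packets that
    belong to no flow the sensor ever saw open.
    """
    flows, unmatched = {}, 0
    for p in sorted(packets, key=lambda pkt: pkt.seen_at):
        k = flow_key(p)
        state = flows.get(k)
        if p.flags == "S" and state is None:
            flows[k] = "SYN_SENT"
        elif p.flags == "SA" and state == "SYN_SENT":
            flows[k] = "SYN_RECV"
        elif p.flags == "A" and state == "SYN_RECV":
            flows[k] = "ESTABLISHED"
        elif state is None:
            unmatched += 1   # reply or mid-stream data with no known origin
    return flows, unmatched


# Constructed trace. Client 10.0.0.5 reaches dual-homed server 10.0.1.20
# through switch A; the server answers via its second NIC on switch B, so
# each switch (and a tap on it) carries only one direction of the flow.
TAP_A = [Pkt("10.0.0.5", "10.0.1.20", 40000, 80, "S", 1),
         Pkt("10.0.0.5", "10.0.1.20", 40000, 80, "A", 3)]
TAP_B = [Pkt("10.0.1.20", "10.0.0.5", 80, 40000, "SA", 2)]
KEY = flow_key(TAP_A[0])


def sensor_view(*taps):
    """State the sensor reaches for the flow, given the taps feeding it."""
    flows, unmatched = track([p for tap in taps for p in tap])
    return flows.get(KEY, "UNSEEN"), unmatched


if __name__ == "__main__":
    print("sensor on switch A only:", sensor_view(TAP_A))          # ('SYN_SENT', 0)
    print("sensor on switch B only:", sensor_view(TAP_B))          # ('UNSEEN', 1)
    print("both taps to one sensor:", sensor_view(TAP_A, TAP_B))   # ('ESTABLISHED', 0)
```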


