Firewall Wizards mailing list archives

RE: future of IDS


From: "Choi, Byoung" <bchoi () visa com>
Date: Fri, 16 Oct 1998 16:19:02 -0700

some alternatives i have looked into:

1.   use switch's port mirroring (there's some issue regarding bandwidth
     though - how do you mirror multiple 100Mb/s ports into a single 100Mb/s
     port?  i am not sure how switches deal with it)
2.   choke the traffic into a single channel and sneak in a hub just for the
     purpose of sniffing
3.   choke the traffic into a single channel and use a tap device


        ----------
        From:  Colin Campbell
        Sent:  Wednesday, October 14, 1998 7:24 PM
        To:  firewall-wizards () nfr net
        Subject:  future of IDS

        Hi,

        (may show some ignorance here so be gentle :-)

        Our firewall sits between two networks. The "external" houses lots of
        internet-visible web servers, much as one would expect. The internal net
        houses intranet servers. Up until recently, these nets were just plain old
        hubs. They also suffered from consistent 10% collision rates. Everyone was
        hurting.

        Consequently, we replaced these hubs with switches. Network performance is
        great. No collisions, the machines that can talk at 100Mb do, all is well
        with the world. Well, almost. I tried snooping some traffic between two
        machines and when I saw nothing, the difference between hubs and switches
        suddenly dawned on me.

        Now, after all this preamble, I do actually have a question for the great
        minds to ponder. With the likelihood that more and more hubs are going to
        disappear and be replaced by switches, where does that leave the humble
        IDS that can no longer see all the traffic it needs to, to do its job?

        Colin
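
Both points in this exchange can be checked from the sensor's own side: whether the IDS interface actually sees conversations between other hosts (Colin's "I saw nothing" on a switch port), and whether a mirror port fed from several busy ports can carry what is copied into it (the bandwidth worry in Byoung's first alternative). The Python below is an added example written for this archive page, not code from either poster. It classifies frames seen on the sensor's interface into the sensor's own traffic, flooded broadcast/multicast, and third-party unicast (the only class that proves a mirror port, hub or tap is delivering traffic), and computes a load ratio for a mirror port. The Frame record, the function names, the MAC addresses (from the documentation range) and the per-port loads are all constructed for illustration; in practice the frame list would come from a capture on the monitoring interface and the loads from the switch's port counters.

```python
"""Sanity checks for an IDS sensor on a switched network (added example, constructed data)."""
from collections import Counter
from typing import Iterable, List, NamedTuple, Sequence


class Frame(NamedTuple):
    """One Ethernet frame as seen on the sensor's interface (constructed record type)."""
    src: str      # source MAC address
    dst: str      # destination MAC address
    length: int   # bytes on the wire


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the least-significant bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify_frames(sensor_mac: str, frames: Iterable[Frame]) -> Counter:
    """Count frames by the reason the sensor could see them on a switched network.

    own         - sensor is sender or receiver: visible on any switch port
    flooded     - broadcast/multicast: a switch floods these to every port
    third_party - unicast between two other hosts: only visible through a
                  mirror port, a hub, or a tap
    """
    counts = Counter(own=0, flooded=0, third_party=0)
    for f in frames:
        if sensor_mac in (f.src, f.dst):
            counts["own"] += 1
        elif is_group_address(f.dst):
            counts["flooded"] += 1
        else:
            counts["third_party"] += 1
    return counts


def sees_third_party_traffic(sensor_mac: str, frames: Iterable[Frame]) -> bool:
    """True when the sensor really sees other hosts' conversations (mirror/hub/tap is working)."""
    return classify_frames(sensor_mac, frames)["third_party"] > 0


def mirror_load_ratio(mirrored_loads_mbps: Sequence[float], mirror_port_mbps: float) -> float:
    """Offered mirrored traffic divided by the mirror port's line rate.

    Each mirrored port contributes its receive plus transmit traffic, because both
    directions are copied into the single transmit direction of the mirror port.
    A ratio above 1.0 means the switch must drop copies and the IDS misses frames.
    """
    return sum(mirrored_loads_mbps) / mirror_port_mbps


# Constructed sample data: MACs from the documentation range 00:00:5e:00:53:xx.
SENSOR = "00:00:5e:00:53:01"
WEB = "00:00:5e:00:53:10"
DB = "00:00:5e:00:53:20"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# What a sensor on an ordinary switch port sees: its own traffic and broadcasts only.
PLAIN_SWITCH_PORT = [
    Frame(WEB, BROADCAST, 64),      # ARP request, flooded to every port
    Frame(SENSOR, WEB, 120),        # sensor's own management traffic
    Frame(WEB, SENSOR, 98),
]

# The same moment on a mirror port (or hub/tap): the web<->db conversation appears.
MIRROR_PORT = PLAIN_SWITCH_PORT + [
    Frame(WEB, DB, 1514),
    Frame(DB, WEB, 1514),
]


def report(sensor_mac: str, frames: List[Frame]) -> str:
    """One-line visibility verdict for a monitoring interface."""
    c = classify_frames(sensor_mac, frames)
    verdict = ("OK: third-party unicast visible" if c["third_party"]
               else "WARNING: only own/flooded frames seen; is mirroring or a tap in place?")
    return f"own={c['own']} flooded={c['flooded']} third_party={c['third_party']} -> {verdict}"


if __name__ == "__main__":
    print("plain switch port:", report(SENSOR, PLAIN_SWITCH_PORT))
    print("mirror port:      ", report(SENSOR, MIRROR_PORT))
    # Four mirrored 100 Mb/s ports averaging 40 Mb/s each (rx+tx) copied into one 100 Mb/s port
    ratio = mirror_load_ratio([40, 40, 40, 40], 100)
    print(f"mirror port load ratio: {ratio:.2f}", "(oversubscribed)" if ratio > 1 else "")
```

The visibility check is the useful one to run right after a hub-to-switch migration: a sensor that reports only `own` and `flooded` frames is on a plain access port and is blind to everything the IDS is meant to inspect. The load ratio only says whether the mirror port can keep up on average; bursts above line rate still drop copies, so a tap or a faster mirror port is the safer choice when the ratio gets anywhere near 1.0.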
