Firewall Wizards mailing list archives

Re: future of IDS


From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 17 Oct 1998 16:31:05 +1000 (EST)

With the likelihood that more and more hubs are going to
disappear and be replaced by switches, where does that leave the humble
IDS that can no longer see all the traffic it needs to, to do its job?

Something which just occurred to me, switches are `meant' to be able to
switch such that full speed communications are kept between any two nodes
on the switch without taking bandwidth away from other pairs.

If you have a switch with 24 ports for 100BaseT, can you then push 1.2Gb/s
through it?  Or is that just the `gigabit' hubs?  The problem is, that
if you have a single 100BaseT monitor port, either the throughput for the
entire switch is 100BaseT (serious reduction in performance) or you lose
packets on the monitor port.

The IDS folks have been aware of this pending problem for a while.
The basic approaches are (1) use an explicit tap on the switch

see above.

(2) build the IDS into the switch (or get the switch to cooperate with
the IDS),

there are some interesting performance problems to be considered here.

(3) get the end hosts to chip in and function as IDS sensors.

Similar to the recent COAST project announcement for AAFID ?

In environments where high speed networking is in place (HIPPI, ATM, FDDI)
I think a combination of network based and host based is going to be
necessary.

Darren
